Cisco Support Community

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

Hi All,

  We deploy a Cisco 2921 router at the company edge; it has two internet links connected.

Gig0/0 has a fixed public IP: 219.134.186.X

Gig0/1 is connected to an ADSL modem; the Dialer0 IP is dynamic.

TAC1.png

  As in the topology, we configured inside traffic to load-balance to the internet, and it works well.

  But there is an issue with traffic from the internet to the router's own interface address. If a packet visits the Gig0/0 fixed IP, like "ping" or "ssh",

the router probably returns the packet from the Dialer0 IP.

  The router seemingly can't identify the traffic so that ingress and egress happen on the same interface. In a situation like this the router

can't provide some services on its own address. Any idea?

  Some config files are attached.

----------

Rock.

32 REPLIES
Cisco Employee

Dual Internet Link load-balancing,traffic from Outside Issue

can you elaborate what you wrote, as I personally did not understand what your problem is

 If packet visit Gig0/0 Fix IP like "ping" or "ssh"

can you define 'visit'?

The router probable return packet from dialer0 IP.

can you elaborate giving a concrete example of the flow you are referring to (i.e. source and destination IP addresses, exit interface and interface traffic comes back from).

Router seemingly can't identify the traffic which interface ingress and egress at the same interface.

uh?

situation like this the router can't provide some service on it own address. And idear?

sorry I did not get this either

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

  As in the topology, traffic comes from the internet, and the source can be anything. For example, public IP A.B.C.D pings the router Gig0/0: 219.134.186.X.

The router may not reply on the same interface; some percentage of replies use Dialer0, because we configured dual default routes.

  If we want to "ssh" or "IPSec" connect to the router Gig0/0 IP, it probably fails.

  Sorry, my English is not good; I hope you can understand.

Cisco Employee

Dual Internet Link load-balancing,traffic from Outside Issue

As far as I know, traffic coming from the CPU is always load-balanced per packet, as it is necessarily process switched only.

Telnet or SSH TO a router forces it to reply using IP process (process switching), hence the load balancing method will be per packet, no matter what you configure on your interface (I saw you disabled CEF switching to get fast-switching from the same interface, but this does not apply in your case).

The reply from the CPU does not come from g0/0 even though the IP address you are telnetting to is configured there, but from the RP engine (whatever model).

As a workaround I suppose you can try to configure a static route with a longer prefix matching the IP address range you are telnetting from; so in the RIB there will be only one possible path for such a destination, via g0/0 of course, and you will not have out-of-order packets.

Riccardo

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

You mean there is no way to resolve this without configuring a static route for whichever public IP wants to "ping" or "ssh" the router Gig0/0?

But even configuring a static route with a longer prefix match, the remote public IP can come from anywhere; it is hard to classify.
In China many inexpensive multi-WAN routers can do this; does the Cisco router not have a solution?

Purple

Dual Internet Link load-balancing,traffic from Outside Issue

Hi,

as Riccardo already explained, traffic generated by or destined to a router is always process-switched, and process-switching always does per-packet load balancing, so if you have 2 default routes with the same AD, they will both get installed in the RIB and the router, when generating packets, will always load balance per packet.

I don't think you can change this behaviour, but if you don't need load-balancing for your data traffic then simply configure a higher AD for the second route and track the first route for failover.

Your problem will be solved as there will only be one default route installed in the RIB (the one with the lower AD), and if it fails the other one will get installed.

Regards.

Alain

Don't forget to rate helpful posts.

Dual Internet Link load-balancing,traffic from Outside Issue

Hi Zhi Yu Zang,

Yes, Cisco has a solution for your SSH and ICMP traffic destined to the router.

  Just follow the configuration below and you should be good to go. I will be using Policy Based Routing (PBR) for your ICMP and SSH traffic that is destined to your router's G0/0 fixed IP interface, as below:

Configuration:

interface G0/0
 ip address 219.134.186.X 255.255.255.248
 ip policy route-map SSH                                       ! Add this configuration
!
route-map SSH permit 10
 match ip address 100
 set ip next-hop 219.134.186.97
!
access-list 100 permit tcp host 219.134.186.x eq 22 any          ! Add this configuration
access-list 100 permit icmp host 219.134.186.x any echo-reply    ! Add this configuration

The above should solve your problem; let me know if you still have a problem.

Regards,

Mohamed

Cisco Employee

Dual Internet Link load-balancing,traffic from Outside Issue

Mohamed, you say it works because you tried it or because you think it does?

In my opinion a PBR attached to the interface won't help, as PBR is effective for traffic entering via that interface. In this case the traffic comes from the CPU.

However, it would be interesting to try a local PBR for traffic sourced by the CPU:

ip local policy route-map SSH

Since it is a local PBR, you just enter it in global config mode (not attached to any interface).

Purple

Dual Internet Link load-balancing,traffic from Outside Issue

Hi,

local PBR should indeed be working; how didn't I think about it?

Regards.

Alain

Don't forget to rate helpful posts.
Cisco Employee

Dual Internet Link load-balancing,traffic from Outside Issue

well... I did not think of that either 

Dual Internet Link load-balancing,traffic from Outside Issue

Guys, Ricardo,

It's not a matter of thinking; it's logic and awareness. My example should work. Let me explain further.

The original poster indicates that traffic hitting the G0/0 interface is not routed back through the same interface but rather is subject to the RIP decision, which forces the outgoing traffic to be load-balanced, which results in packets frequently succeeding and being dropped. And this is of course, as we all know, because the second ISP will not accept prefixes that are not originated by the ISP itself. So Dialer0, which points to an ISP, this ISP will not accept traffic originating from the G0/0 interface.

Now, let us leave the CPU aside, Ricardo; the problem here is that the router is consulting its routing table to decide on outgoing traffic, which indeed hits the CPU and then performs a lookup in its RIP.

To solve this issue, I have suggested implementing PBR on the G0/0 interface itself. This means any traffic from the internet (incoming traffic) hitting interface G0/0 (which is the situation, as the OP originates ICMP and SSH traffic to G0/0) is subject to Policy Based Routing, bypassing the routing table, which forwards the traffic back through the same interface, and this is the objective of what the OP is looking for. He needs to SSH and ICMP to that interface and get the traffic back without drops.

So, my solution should suffice for him. You can lab it up and see the result.

Regards,

Mohamed

Cisco Employee

Dual Internet Link load-balancing,traffic from Outside Issue

I am still convinced that CPU-generated traffic does not hit the standard PBR applied to any interface. This is why local PBR was introduced in the first place.

However, let's see if our poster friend gets some benefit out of it.

Riccardo

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

Hi All,

  I don't think any PBR can solve the issue, because PBR can't match which interface the traffic came in on; it can only determine which interface goes out.

I think VRF would help. We can put each interface in its own VRF:

Gig0/0 -- VRF1              (add route "ip route vrf 1 0.0.0.0 0.0.0.0 gigabitEthernet 0/0 219.134.186.97")

Gig0/1 (dialer0) -- VRF2    (add route "ip route vrf 2 0.0.0.0 0.0.0.0 dialer0")

And add a route in each VRF to the inside subnet. In principle it can be solved this way, but the config will be quite complex.

I just want to know if there is a simpler method.

Purple

Dual Internet Link load-balancing,traffic from Outside Issue

Hi,

PBR can be for locally generated packets or for packets entering an interface, and its purpose is to not look into the RIB to forward the packet but to choose either the outgoing interface or the next-hop configured in the policy.

I don't understand how the VRF would solve your problem, but I'd like to know why you think PBR won't. Also, if I understand the problem correctly, you have a problem with return packets originated by your router in response to telnet, ICMP or SSH? Is that so?

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Dual Internet Link load-balancing,traffic from Outside Issue

Hi Alain,

  My English is crap, but I would like to discuss this with you. If you have time we can talk on Skype.

My account: Rock981119.

Purple

Dual Internet Link load-balancing,traffic from Outside Issue

Hi,

This evening I can't, but tomorrow evening it's possible at 9 PM Brussels time; just let me know, or tell me which time tomorrow will suit you.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Dual Internet Link load-balancing,traffic from Outside Issue

Hi,

If we change the topology like this, maybe it can resolve my problem:

But I haven't tested it yet; theoretically I think it can be done.

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

Have you tested it yet?

I have the same question about my network.

Thanks.

Dual Internet Link load-balancing,traffic from Outside Issue

Mohamed,

If I configure both the interface PBR and also the ip local PBR which one would take priority?

HTH

Kishore

Dual Internet Link load-balancing,traffic from Outside Issue

Hi Kishore,

There is no priority in this context.

The difference is that local policy/PBR, as the name implies, is local to the router: traffic originated by the router itself is policy-based routed. PBR on an interface, on the other hand, is a policy that matches all datagrams hitting that interface (incoming); traffic that hits the interface is subject to the PBR.

Regards,

Mohamed

Re: Dual Internet Link load-balancing,traffic from Outside Issue

Hi Mohamed,

Thanks for the reply. I understand that. What I was asking was: if I had both of them configured, which of them will be used?

So, let's take this thread for example: traffic is destined to the router, so will the router use the policy on the interface, or will it use the local policy PBR to reply back?

Regards

Kishore

Purple

Dual Internet Link load-balancing,traffic from Outside Issue

Hi Kishore,

it will use the local PBR policy not the other one in this case.

Regards.

Alain

Don't forget to rate helpful posts.

Dual Internet Link load-balancing,traffic from Outside Issue

Thanks Alain. Any doc or link to point out what you mentioned? Not that I don't trust you, but if I am asked by someone else then I can send them the same link.

BTW, please check your PM

Regards

Kishore

Purple

Dual Internet Link load-balancing,traffic from Outside Issue

Hi kishore,

I'll answer you tomorrow.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Dual Internet Link load-balancing,traffic from Outside Issue

I did lab it up... so to speak; rather, I needed this same function on my router, so I tested both ways:

Code: C2900-UNIVERSALK9-M, Version 15.1(4)M3

Scenario: I have a default gateway on my 2900 router through an ASA firewall. I need to be able to SSH to the router on an external interface, but it uses the ASA for default traffic, so I can either VPN in and then SSH, or implement this workaround.

Workaround implemented:

ip access-list extended External_Manager_Traffic
 permit tcp host 30.20.10.1 eq 22 any
 permit icmp host 30.20.10.1 any echo-reply
!
route-map External_Management permit 10
 match ip address External_Manager_Traffic
 set ip next-hop 30.20.10.2     ! ISP gateway
!
ip route 0.0.0.0 0.0.0.0 10.31.120.254
!
interface GigabitEthernet0/1
 description Sip and VPN interface
 ip address 30.20.10.1 255.255.255.0
!
ip local policy route-map External_Management

I tried putting the policy-map on the gig 0/1 interface, but it didn't work. The router hasn't yet decided the traffic needs to go anywhere when it hits the interface. It is then sent to the CPU, and the CPU uses the routing table to look up and send to the default route. By adding the local policy route-map we tell the CPU to apply this route map to traffic exiting the CPU. In this case we bypass the routing table and set the next hop, which triggers a routing table lookup for the next hop rather than for the ultimate destination.

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

Could you paste a diagram with the IPs?

I think the outbound SSH traffic (to the Internet) response doesn't use port 22, so this traffic doesn't match the ACL and won't necessarily be routed through IP 30.20.10.2.

To develop this solution it is necessary to identify the outbound traffic to create an appropriate ACL/route, or to set a rule guaranteeing that outbound traffic (SSH response) will be forwarded through the same interface/ISP it was received on (SSH request).

I have the same problem with a PPTP VPN.

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

ip access-list extended External_Manager_Traffic
 permit tcp host 30.20.10.1 eq 22 any
 permit icmp host 30.20.10.1 any echo-reply

My ACL here clearly states to permit return traffic for SSH sessions from 30.20.10.1. It doesn't state traffic destined to 30.20.10.1 on port 22; it says RETURN traffic.

Correct version as I have it:

 permit tcp host 30.20.10.1 eq 22 any

Incorrect version as you describe, which wouldn't work:

 permit tcp host 30.20.10.1 any eq 22

The port 22 I'm matching on is the source host's TCP port, not the destination host's TCP port.

It's working in production using this config. I really don't have time to do a drawing. I've changed the IP addresses from production for obvious reasons.
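The two posts above (the lab write-up with the `ip local policy` workaround, and the follow-up about which side of the ACL `eq 22` belongs on) describe a forwarding decision that is easy to get wrong in one's head. The following Python model is an added example and is not code from the thread or from Cisco; it is a simplified simulation, not IOS. It assumes that two equal-cost default routes are load-balanced per packet in strict round-robin for CPU-originated traffic (as the thread states for process switching), that `ip local policy` is consulted only for packets the router itself generates, and it uses the constructed addresses 30.20.10.1 (router), 30.20.10.2 (ISP1 gateway), 10.31.120.254 (second default, standing in for the Dialer0 path) and 203.0.113.10 (a remote SSH client).

```python
"""Simulation of per-packet load balancing vs. 'ip local policy' for router-sourced replies.
Constructed example; models the behaviour the thread describes, not real IOS code paths."""
from dataclasses import dataclass
from itertools import cycle
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0                   # TCP source port (0 = not applicable)
    dport: int = 0                   # TCP destination port (0 = not applicable)
    icmp_type: str = ""              # e.g. "echo-reply"
    locally_generated: bool = False  # True when the router's own CPU built the packet


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of an IOS-style extended ACL.
    permit tcp host S eq 22 any       -> AclEntry("tcp", S, 22, "any", None)
    permit tcp host S any eq 22       -> AclEntry("tcp", S, None, "any", 22)
    permit icmp host S any echo-reply -> AclEntry("icmp", S, None, "any", None, "echo-reply")
    """
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # every configured field must agree; 'any' and None are wildcards
        if p.proto != self.proto:
            return False
        if self.src != "any" and p.src != self.src:
            return False
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


class Router:
    def __init__(self, default_next_hops: List[str],
                 local_policy: Optional[List[AclEntry]] = None,
                 policy_next_hop: Optional[str] = None):
        self._ecmp = cycle(default_next_hops)   # per-packet round-robin over equal-cost defaults
        self.local_policy = local_policy or []  # route-map match list for 'ip local policy'
        self.policy_next_hop = policy_next_hop  # 'set ip next-hop' of that route-map

    def next_hop(self, p: Packet) -> str:
        # 'ip local policy route-map' is consulted only for CPU-originated packets
        if p.locally_generated and any(e.matches(p) for e in self.local_policy):
            return self.policy_next_hop
        # otherwise the RIB decides; two equal defaults -> per-packet load balancing
        return next(self._ecmp)


# constructed addresses (not from the thread's production network)
ROUTER_IP = "30.20.10.1"
ISP1_GW = "30.20.10.2"
ISP2_GW = "10.31.120.254"
CLIENT = "203.0.113.10"

# ACL as posted: 'eq 22' on the SOURCE side matches the router's SSH replies
ACL_CORRECT = [AclEntry("tcp", ROUTER_IP, 22, "any", None),
               AclEntry("icmp", ROUTER_IP, None, "any", None, "echo-reply")]
# the variant discussed as incorrect: 'eq 22' on the DESTINATION side
ACL_WRONG = [AclEntry("tcp", ROUTER_IP, None, "any", 22),
             AclEntry("icmp", ROUTER_IP, None, "any", None, "echo-reply")]


def ssh_replies(n: int) -> List[Packet]:
    """n SSH reply segments the router sends back to CLIENT (source port 22)."""
    return [Packet("tcp", ROUTER_IP, CLIENT, sport=22, dport=51000 + i,
                   locally_generated=True) for i in range(n)]


def exit_hops(router: Router, packets: List[Packet]) -> List[str]:
    return [router.next_hop(p) for p in packets]


def no_pbr(n: int = 4) -> List[str]:
    """Two default routes, no policy: replies alternate between the ISPs."""
    return exit_hops(Router([ISP1_GW, ISP2_GW]), ssh_replies(n))


def local_pbr(n: int = 4, acl: List[AclEntry] = ACL_CORRECT) -> List[str]:
    """Same RIB plus 'ip local policy': replies are pinned to ISP1 when the ACL matches."""
    r = Router([ISP1_GW, ISP2_GW], local_policy=acl, policy_next_hop=ISP1_GW)
    return exit_hops(r, ssh_replies(n))


def icmp_reply_hop() -> str:
    r = Router([ISP1_GW, ISP2_GW], local_policy=ACL_CORRECT, policy_next_hop=ISP1_GW)
    return r.next_hop(Packet("icmp", ROUTER_IP, CLIENT, icmp_type="echo-reply",
                             locally_generated=True))


def transit_pptp(n: int = 4) -> List[str]:
    """Packets from a host behind the router: 'ip local policy' never sees them."""
    acl = [AclEntry("tcp", "192.168.1.150", 1723, "any", None)]
    r = Router([ISP1_GW, ISP2_GW], local_policy=acl, policy_next_hop=ISP1_GW)
    pkts = [Packet("tcp", "192.168.1.150", CLIENT, sport=1723, dport=40000 + i) for i in range(n)]
    return exit_hops(r, pkts)


if __name__ == "__main__":
    print("no PBR:            ", no_pbr())
    print("local PBR, eq 22 src:", local_pbr())
    print("local PBR, eq 22 dst:", local_pbr(acl=ACL_WRONG))
    print("ICMP echo-reply:   ", icmp_reply_hop())
    print("transit PPTP:      ", transit_pptp())
```

Running it shows the three points the thread argues over: without a policy the router's own replies alternate between the two gateways; with the local policy and `eq 22` on the source side every reply leaves via ISP1; with `eq 22` moved to the destination side nothing matches and the alternation returns; and a PPTP flow from a host behind the router is untouched by the local policy even when an entry would otherwise match it, because the local policy only applies to CPU-originated packets.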

New Member

Re: Dual Internet Link load-balancing,traffic from Outside Issue

I gather, based on your answer, that using the configuration and schema attached, the return traffic (VPN response) should always go back through the router.

2. Is that so?

VPN with load balancer.jpg

LoadBalancer#

ip access-list extended External_VPN_access
 permit tcp host 192.168.1.150 eq 1723 any
 permit icmp host 192.168.1.150 any echo-reply
!
route-map External_VPN permit 10
 match ip address External_VPN_access
 set ip next-hop 192.168.1.101
!
ip local policy route-map External_VPN

New Member

Re: Dual Internet Link load-balancing,traffic from Outside Issue

1. In your scheme, the traffic destination is not the router, so a local policy map will never match traffic sourced from another device, even if it passes through the router. You would need a normal policy map on the interface to match that traffic. Remember that ip local policy map only affects traffic from the CPU of the router itself, which is why it works for SSH to the router, but not for PPTP through the router.

There are many gotchas in your design, and it is very different from the topic here. You should describe what you want to do, and what challenges you are facing with it. I don't really see that the router has much of a role there.

New Member

Dual Internet Link load-balancing,traffic from Outside Issue

The scheme is the network that I have installed in my workplace, and it is currently working perfectly except for the issue of outside access through the VPN, which I think can be solved with a normal policy map as you say. My problem is very similar to the topic.

The role of the Cisco router in the network is to balance the load between the 2 "fool" routers of the ISPs, and to provide failover. It does only static routing with CEF and without NAT, and has a single interface connected to the network, which handles both input and output. Behind the balancer is a server that is the gateway and DHCP server (among other things) on my local network. I need the balancer to be in the same ethernet segment as the other routers, and to configure the server to alternate routes on the server directly to the ISP's routers.

2983 Views, 0 Helpful, 32 Replies