Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Dual ISP load balancing with 2 routers and 2 FW without using BGP

Hi all,

Based on the attachment diagram, is the design viable?

Do anyone has a similar deployment before and can you share with me the config guide to this because I'm at lost on a few configs:

1. On core switch A and B, I understood we need to have a default route pointing to the firewall interface. For this case, I have different IPs for the same context on both the firewalls.

So, how should the config be?

CoreSW_A(config)#ip route

CoreSW_A(config)#ip route

I don't think the above will work as the core switch will load balance the traffic to both firewalls even if one of the context is on standby mode?

2. The area from the firewall to the internet would all be public IP. Thus, if i put a switch in between the firewall and the router, then i would waste some public IP addresses but if i remove the switch, I would not have enough ports on the ASA firewall. What is the best recommended solution for this?

3. How do I load balance traffic to both R1 and R2 to their respective ISPs without using BGP? I may be using only a 2811 router.

Thanks alot!!.. really much looking forward for some guidance and tips on this as I havent found any guides on this deployment yet.. mostly are LAN HA.


Re: Dual ISP load balancing with 2 routers and 2 FW without usin

Your biggest issue with load balancing is NAT. You have to ensure that traffic follows the same path. Many servers on the internet use the source address for security. If your IP address appears to change the server will drop your session. It is made even more complex in that many time you will be handed from server to server and you must keep the same ip address. You must in effect force traffic from a particular user to always use one connection and other users to use the other.

This does not really lead to load balancing since you are manually doing it but it can be done to a point.

The simplist way I can see to do it is to put a connection between the outside routers. You could then send traffic to one of them using HSRP/VRRP. It would then for example send all the even numbered source addresses over to the other router. And send all the odd traffic out to the internet. The other router would do the reverse. You would use policy routing to do this. This allows you to use primary/backup behind the firewalls and use load balancing on the outside. The only issue I can see is that the firewall may complain if it sees traffic being sent to one router and returning via the other routers mac.

Now this will work fine until you get a failure and need all the traffic to use a single ISP. You will most likely have to use the track option on both the policy based routing and the HSRP/VRRP. This would allow you to send all the traffic out to the conencted ISP when you get a failure.

CreatePlease to create content