
New Member

Load Balance Internet & VPN Traffic via 2 links

Hi Pros,

My Network is as seen in the diagram attached.

I have a HQ in Bombay, where all users & servers are located. I have a firewall to inspect traffic as it enters the HQ & also where IPSEC VPN Terminates.

Besides, I have 2 IPLC Circuits connecting to routers in London & Chicago. These routers serve 2 purposes. 1) Act as PSTN Voice Gateways 2) Internet Gateways.

Right now, the Chicago router is not set up.

Business uses the single link to the internet (London) & remote clients connect to our network servers via Site to Site VPNs via internet (London).

Now that Chicago is coming up with Internet connectivity, we want to load balance Internet on Bombay router.

We have 200.200.200.x/27 assigned by the London ISP; 2 IPs are used by the router & firewall interfaces. The rest are NATed to private IPs of servers which need to have global IPs.

The problem is -

1) New ISP in Chicago will provide /27 Public IP Range

2) I don't know whether the new ISP in Chicago can advertise 200.200.200.x/27 assigned to us by the London ISP.

3) If they can, a dynamic routing protocol will be needed to update link changes. Should I use BGP? If yes, how should I configure it?

4) If I don't use BGP, are there any alternatives? Like, I could use the second public range from the Chicago ISP & NAT it to my servers similar to what is done for London, right?

5) If I follow that way, I presume I won't have to run BGP in between my 3 routers & the ISPs. But then how can I achieve proper load balancing for outgoing as well as incoming traffic?

Thoughts please...

Pratik

5 REPLIES
Gold

Re: Load Balance Internet & VPN Traffic via 2 links

With only a /27 it is unlikely that you will use the same address range in both locations.

The smallest an ISP will advertise into the internet is a /24. Now if it is the same ISP for both links maybe they will do it. Since the main purpose of not advertising a /27 is to allow for route summarization it is unlikely that your ISP does not have different summary boundaries between London and Chicago.

If your ISP will allow the same range then you can do many of these things you discuss. You will need some kind of routing protocol between the routers to detect availability to the internet and to tell your ISP which connection, since they have no way to tell the status of your connection to Bombay. You will also need to use something like stateful NAT to allow for failover.

If you must use different ranges then the problem becomes more of an application issue rather than a network issue. Some are easy, like mail, which has no issues with multiple MX records. Normal DNS does not do so well since its primary purpose is to resolve a name to a single IP, but there are some workarounds. Things like end user VPN depend on the client; many can take multiple gateways and are smart enough to measure the latency and choose the closest one.

Your only true solution is to get your own /24 block and an AS number and run a full BGP implementation between your routers and your ISPs.

New Member

Re: Load Balance Internet & VPN Traffic via 2 links

What if the client agrees on an additional PIX as secondary firewall to be deployed on the network & that one caters to the other /27 given by the Chicago ISP?

Then I could also have the VPN peers have a second IP which could be used to connect to the secondary firewall in case the primary firewall is not reachable.

Gold

Re: Load Balance Internet & VPN Traffic via 2 links

That should work. You should be able to make some users use one site as their primary and others use the other. So far I have not found a way to make the Cisco client check the latency to the gateway and select the best one.

New Member

Re: Load Balance Internet & VPN Traffic via 2 links

Hi Pratik,

You can use a device called Radware LinkProof which functions as an internet load balancer, excluding VPN traffic.

-Sai.

Re: Load Balance Internet & VPN Traffic via 2 links

Hi Pratik,

In a nutshell, I brief your issue something like this (please correct me wherever you feel like):

1. You have 2 Internet Access points (i.e. Internet Routers / Internet Gateways)

2. You want to Load Balance the traffic for Internet (Outgoing and Incoming)

Now, if you just want to load balance the outgoing traffic for Internet, the same could be done with the help of static routes.

However, if you want incoming traffic also to be load balanced, then there is a little complexity, which would entirely depend upon the nature of the application, i.e. web servers / mail servers could be easily tackled with the help of DNS, i.e. multiple CNAME records for a single entry.

Please revert back with your response on the aspect.

Hope it helps.

Kind Regards,

Wilson Samuel

PS: Please rate if it helps.
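The static-route approach to outgoing load balancing mentioned in the reply above, combined with the "use the second /27 and NAT it" idea from the original question, can be sketched as a router configuration. The following is an added illustration written for this thread, not a config from any poster or from Cisco: it assumes a Bombay router with two WAN interfaces (Serial0/0 towards London, Serial0/1 towards Chicago), an inside LAN 10.0.0.0/8, the 200.200.200.0/27 London block from the post, and 198.51.100.0/27 as a placeholder for the unnamed Chicago block. The next-hop and probe addresses (203.0.113.x) are also placeholders.

```cisco
! Added example (hypothetical Bombay router). Placeholder addresses throughout.
!
! Probe a host beyond each ISP, sourced from that link, so a dead link
! (or a dead upstream) is detected rather than just a down interface.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.2 source-interface Serial0/1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Two equal-cost default routes: CEF shares outbound flows across them
! per destination, and each route is withdrawn when its probe fails.
ip route 0.0.0.0 0.0.0.0 Serial0/0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 Serial0/1 203.0.113.2 track 2
!
interface Serial0/0
 description IPLC to London router (London ISP /27)
 ip nat outside
interface Serial0/1
 description IPLC to Chicago router (Chicago ISP /27)
 ip nat outside
interface GigabitEthernet0/0
 description Inside LAN / firewall side
 ip nat inside
!
ip access-list standard INSIDE_NETS
 permit 10.0.0.0 0.255.255.255
!
! Tie the translation to the exit interface, so a flow leaving via London
! carries a London address and one leaving via Chicago a Chicago address.
! Otherwise the upstream ISP may drop packets sourced from the other ISP's block.
route-map VIA_LONDON permit 10
 match ip address INSIDE_NETS
 match interface Serial0/0
route-map VIA_CHICAGO permit 10
 match ip address INSIDE_NETS
 match interface Serial0/1
!
ip nat pool LONDON_PAT 200.200.200.3 200.200.200.3 prefix-length 27
ip nat pool CHICAGO_PAT 198.51.100.3 198.51.100.3 prefix-length 27
ip nat inside source route-map VIA_LONDON pool LONDON_PAT overload
ip nat inside source route-map VIA_CHICAGO pool CHICAGO_PAT overload
!
! A published server gets one global address per ISP block (hypothetical host).
! "extendable" allows two static translations for the same inside address.
ip nat inside source static 10.1.1.10 200.200.200.10 route-map VIA_LONDON extendable
ip nat inside source static 10.1.1.10 198.51.100.10 route-map VIA_CHICAGO extendable
```

This only covers the outbound half and the translation of a server into both blocks; incoming load sharing still depends on what the replies above discuss (DNS returning both addresses, or a client that accepts two VPN gateways). Two points worth checking before relying on it: the probe target must be something that answers ICMP reliably and sits beyond the ISP edge, or a healthy link gets pulled, and existing translations are not moved when a route is withdrawn, so sessions in flight at the moment of failover are reset rather than preserved (the "stateful NAT" concern raised in the first reply).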
