
Configure Cisco 2620 using 2-T1, and load balance 4

Status
Not open for further replies.

leungr

IS-IT--Management
Jul 28, 2004
3
US
I have two Cisco 2620 routers with 2-T1 cards. Originally it was configured as a bridge, but we are changing it to work as a router. I have reconfigured it, but do not know how to load balance. Also, the systems using the new IP addresses that need to see the server across the router have a problem when they use their dialup for internet. It loses the network connection to the server until the dialup session is completed.
Here is my running configuration for both routers:


Router-W1
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-W1
!
enable secret 5 $1$YzVt$Pj1OKqVsXIx1U0FholWAi1
enable password xxxxx
!
no ip subnet-zero
!
!
!
!
interface FastEthernet0/0
ip address 10.40.100.253 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
!
interface Serial0/0
ip address 10.40.101.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial0/1
ip address 10.40.101.3 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.40.100.250
ip route 10.40.200.0 255.255.255.0 10.40.101.4 10
no ip http server
!
snmp-server engineID local 000000090200003080B9B8E0
snmp-server community public RO
!
line con 0
transport input none
line aux 0
line vty 0 4
password xxxxxxxxx
login
!
end

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Router-W2
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router-W2
!
enable secret 5 $1$eTHJ$IqVnl0VZO9jnrGUb9U5311
enable password xxxxxxxx
!
no ip subnet-zero
!
!
!
!
interface FastEthernet0/0
ip address 10.40.200.253 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
!
interface Serial0/0
ip address 10.40.101.2 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial0/1
ip address 10.40.101.4 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.40.100.250
ip route 10.40.100.0 255.255.255.0 10.40.101.3 10
ip route 10.40.100.0 255.255.255.0 10.40.101.1 10
no ip http server
!
snmp-server engineID local 000000090200003080B9B860
snmp-server community public RO
!
line con 0
password cij1998
transport input none
line aux 0
line vty 0 4
password xxxxxxx
login
!
no scheduler allocate
end

 
Great advice, rtmdude.

With the load balancing option, when you say you're not really load balancing, do you mean that I'm not splitting my traffic 50/50? I just want a rough split of load, i.e. 10 people on one line and 15 on another. Also, I'm wondering if using two different ISPs is an option with equal cost paths; I would like to put my eggs in two baskets!

many thanks

Terry
 
3wsparky,

Yeah - if you do 'per-packet' load-balancing, you could have a situation where packets like this are queued to be sent to the internet:

1200 byte packet, sent out t1#1
700 byte packet, sent out t1#2
800 byte packet, sent out t1#1
50 byte packet, sent out t1#2
1000 byte packet, sent out t1#1

So, with just that past stream of packets, you see the byte breakdown:

t1 #1 - 3000 bytes
t1 #2 - 750 bytes

Plus, if you do PAT/NAT on each T1, you break TCP, since, for example, you send traffic to msn.com or whatever with changing source addresses (every other packet goes out a different T1, using a different source address).

using 2 different ISPs is perfectly fine for load-balancing, just do 'per-destination.' You do per-destination load-balancing by leaving on 'ip route-cache' on the egress interfaces (is a default, you can try typing it but it won't appear in the config).
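
The byte breakdown and the NAT source-address problem described in the post above, worked through as an added example (not part of the original thread). The destination and PAT addresses are constructed placeholders, and the CRC32 hash is only a stand-in for per-destination selection, not the algorithm IOS uses.

```python
import zlib
from collections import defaultdict

# Constructed sample: (destination, size in bytes). The first five sizes are the
# ones listed in the post; the addresses are documentation-range placeholders.
PACKETS = [
    ("198.51.100.10", 1200),
    ("198.51.100.10", 700),
    ("198.51.100.10", 800),
    ("198.51.100.10", 50),
    ("198.51.100.10", 1000),
    ("203.0.113.20", 400),
    ("203.0.113.20", 600),
]
# Hypothetical PAT address used on each uplink.
LINKS = {"t1#1": "192.0.2.1", "t1#2": "192.0.2.2"}
NAMES = list(LINKS)


def per_packet(packets):
    """Round-robin: each packet takes the next link, regardless of its flow."""
    return [(NAMES[i % len(NAMES)], dst, size) for i, (dst, size) in enumerate(packets)]


def per_destination(packets):
    """Hash the destination so every packet to one host leaves on one link."""
    return [(NAMES[zlib.crc32(dst.encode()) % len(NAMES)], dst, size) for dst, size in packets]


def bytes_per_link(assigned):
    """Total bytes sent on each link."""
    totals = defaultdict(int)
    for link, _dst, size in assigned:
        totals[link] += size
    return dict(totals)


def sources_seen_by(assigned):
    """For each destination, the set of translated source addresses it receives."""
    seen = defaultdict(set)
    for link, dst, _size in assigned:
        seen[dst].add(LINKS[link])
    return dict(seen)


if __name__ == "__main__":
    for name, mode in (("per-packet", per_packet), ("per-destination", per_destination)):
        out = mode(PACKETS)
        print(name, bytes_per_link(out), sources_seen_by(out))
```

With per-packet sharing, a single destination receives one conversation from two different source addresses; with per-destination sharing, each destination sees exactly one.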





 
Right, I have made some progress on this, as shown:

do sh run
Building configuration...

Current configuration : 2083 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
username **** privilege 15 password 7 *********
memory-size iomem 25
no aaa new-model
ip subnet-zero
ip cef
!
!
ip host 216.239.59.147
ip host 217.207.210.147
ip host 68.142.226.56
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface ATM0/0
bandwidth 1000000
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface ATM0/1
bandwidth 1000000
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname ******
ppp chap password 7 *******
ppp pap sent-username ****** password 7 *********
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ********
ppp chap password 7 *********
ppp pap sent-username ******* password 7 *********
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static 192.168.1.2 interface Dialer0
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 50
ip route 0.0.0.0 0.0.0.0 Dialer0 50
!
line con 0
line aux 0
line vty 0 4
login
!
end

Router(config)#do ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.239.59.147, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 24/26/28 ms
Router(config)#

I am, however, having issues with translating the inside-outside addresses. I want to have two external addresses, which will be DHCP, and the fast 0/0 static.

The aim is to have the router apply the DHCP IP address to the packets as they leave the router, which I guess is just NAT, but I can't seem to find a way to NAT to the inside address?
 
3wsparky,

OK - looks like your routing is set up correctly (though you could have left off the '50' admin distance on the end of both routes).

It appears that one of the paths is broken. Initially, I thought your NAT config might be off, but I see you're pinging from the router, and so should not be subject to NAT. (The source address of all your packets should be the interface closest to your destination, namely dialer1 and dialer2.)

Try this to determine which one is busted:

conf t
access-list 157 permit icmp any any
^Z
debug ip packet det 157
term mon
ping google.com

From the debug output, you should be able to determine the bad path - each ICMP echo-request (and echo-reply) will generate a line of debug that should tell you the egress (or ingress) interface that the packet passes through.

Alternatively, you could just shut down one of the interfaces, and then ping. If you get 100%, you have just shut down the broken interface. From there you'll need to determine what's broken about it - debug ppp negotiation might be a good place to start for PPPoE troubleshooting.

Once you get that worked out, I think you have to do something special to get NAT to work with 2 outside interfaces and 1 inside interface - I think there's some policy routing involved. I could be wrong.

 
OK, I have fixed the broken line, all working great, but the issue I'm trying to get my head around is the routing of the NAT to the WAN and back again.

currently it is \/

ip nat inside source static 192.168.1.2 interface Dialer1

or as above with dialer0, but this is not allowing for sharing, just directing to the dest.

sparky
 
sparky,

You are not going to like this. Adding PAT/NAT on top of the load-balancing is ...crappy.

Basically, you have to split your traffic -somehow- (based off of source address, destination address, whatever) and statically map that to an outside interface.

Which I don't think will work if that interface goes down.

I think you might be best served by investigating if you can have both DSL circuits bundled with PPP multilink or something. I've never done it with DSL (heh) but PPP shouldn't care - the provider just has to be able to support it.
 