Load Balancing, CEF, VPN, Route-Maps

Status
Not open for further replies.

cflcrosland

IS-IT--Management
Apr 3, 2012
35
Hi, I have been experimenting with load balancing with mixed results.

What works:

I have a server with the IP 192.168.70.1 set up with loopback addresses A: 192.168.64.1 and B: 192.168.64.9.

The route maps make sure that the incoming requests to the loopback addresses always reply out the right interface (even when there is no default route through the WAN interface).

What doesn't:

CEF load balancing
When I install both default routes into the routing table the internet grinds to a halt and sometimes works, sometimes doesn't. I think CEF is working how it should, but I think it is due to the fact that most websites open connections to multiple external IPs, so all the traffic doesn't match up when it gets back to our end. Not a problem; I don't mind using the primary connection for all traffic and having it fail over using the IP SLA tracked default routes.

When we only have one default route installed we can only VPN into one of our external IPs. I would like to be able to pass VPN into both external connections while only having one default route for all the internal traffic. If CEF is enabled the internet is bust, but we can VPN in on both connections.

Here's the config below; all suggestions welcome (this is a lab set-up, so if I need to change the whole approach and reconfigure everything, that's not a problem).

HO-RTR01#sh run
Building configuration...

Current configuration : 7292 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HO-RTR01
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxx
!
aaa new-model
!
!
aaa authentication login VPN_AUTHEN local
aaa authorization network VPN_AUTHOR local
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT+1 recurring last Sun Mar 1:00 last Sun Oct 2:00
ip cef
!
!
ip inspect name FIREWALL-INSP ftp
ip inspect name FIREWALL-INSP icmp
ip inspect name FIREWALL-INSP tcp
ip inspect name FIREWALL-INSP udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name ashprojects.local
ip sla monitor 1
type echo protocol ipIcmpEcho 194.145.148.188 source-ipaddr 92.237.119.115
request-data-size 32
timeout 1500
frequency 5
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 212.74.102.15 source-ipaddr 195.137.6.6
request-data-size 32
timeout 1500
frequency 5
ip sla monitor schedule 2 life forever start-time now
!
!
!
username admin privilege 15 password 0 xxxxx
!
!
ip ssh version 2
!
track 10 rtr 1 reachability
delay down 15 up 30
!
track 20 rtr 2 reachability
delay down 15 up 30
!
policy-map FAIR_QUEUE_CHILD
class class-default
fair-queue 128
policy-map QOS
class class-default
shape average 5240000
service-policy FAIR_QUEUE_CHILD
!
!
crypto keyring REMOTE_OFFICE
pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxx
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30 periodic
!
crypto isakmp client configuration group VPN_USERS
key xxxxx
dns 192.168.70.1
domain ASHPROJECTS.LOCAL
pool VPN_USR_IP_POOL
acl VPN_ROUTES_ACL
max-users 10
max-logins 5
netmask 255.255.255.192
crypto isakmp profile VPNClients
match identity group VPN_USERS
client authentication list VPN_AUTHEN
isakmp authorization list VPN_AUTHOR
client configuration address respond
virtual-template 2
crypto isakmp profile REMOTE_OFFICE
keyring REMOTE_OFFICE
match identity address 0.0.0.0
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SECURE
set transform-set ESP-3DES-SHA
!
!
!
!
interface Loopback0
description VPN TUNNEL ADDRESS
ip address 192.168.222.100 255.255.255.255
!
interface FastEthernet0/0
description TRUSTED (Local LAN)
ip address 192.168.70.254 255.255.255.0
ip access-group ACL-VLAN20-IN in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
ip policy route-map SERVERS
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN LINK (VIRGIN MEDIA)
ip address 92.237.119.115 255.255.255.248
ip access-group WAN_INTERFACE_ACL in
no ip proxy-arp
ip mtu 1460
ip inspect FIREWALL-INSP out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
service-policy output QOS
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 0/38
oam-pvc 0
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Virtual-Template1 type tunnel
description REMOTE OFFICE TUNNEL TEMPLATE
ip unnumbered Loopback0
ip mtu 1360
ip summary-address eigrp 1 192.168.64.0 255.255.248.0 5
qos pre-classify
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile SECURE
!
interface Virtual-Template2 type tunnel
description VPN USER TUNNEL TEMPLATE
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SECURE
!
interface Dialer1
description WAN LINK (TALK TALK)
ip address negotiated
ip access-group WAN_INTERFACE_ACL in
no ip proxy-arp
ip mtu 1492
ip inspect FIREWALL-INSP out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname adsl01484666680@f2s.gw5
ppp chap password 7 121F1712160D1E012E7976
!
router eigrp 1
passive-interface default
no passive-interface Virtual-Template1
network 192.168.70.0
network 192.168.71.1 0.0.0.0
network 192.168.71.65 0.0.0.0
network 192.168.222.100 0.0.0.0
no auto-summary
!
ip local policy route-map ROUTER_GEN_TRAFFIC
ip local pool VPN_USR_IP_POOL 192.168.71.129 192.168.71.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 92.237.119.113 10 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 212.74.102.14 20 track 20
ip route 192.168.64.1 255.255.255.255 192.168.70.1
ip route 192.168.64.9 255.255.255.255 192.168.70.1
!
ip http server
no ip http secure-server
ip nat inside source static tcp 192.168.64.1 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.64.9 80 interface Dialer1 80
ip nat inside source static tcp 192.168.64.9 25 interface Dialer1 25
ip nat inside source static tcp 192.168.64.1 25 interface FastEthernet0/1 25
ip nat inside source route-map NAT_DI1 interface Dialer1 overload
ip nat inside source route-map NAT_FA0/1 interface FastEthernet0/1 overload
!
ip access-list standard NAT_ACL
permit 192.168.70.0 0.0.0.255
permit 192.168.64.0 0.0.0.7
ip access-list standard SERVER_ADAPTER_A
permit 192.168.64.0 0.0.0.7
ip access-list standard SERVER_ADAPTER_B
permit 192.168.64.8 0.0.0.7
!
ip access-list extended IP_SLA_1
permit icmp host 92.237.119.115 host 194.145.148.188
ip access-list extended IP_SLA_2
permit icmp host 195.137.6.6 host 212.74.102.15
ip access-list extended VPN_ROUTES_ACL
permit ip 192.168.64.0 0.0.7.255 any
ip access-list extended WAN_INTERFACE_ACL
permit udp any eq bootps any eq bootpc log
remark DENY LOCAL SUBNETS
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
remark PERMIT PING
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
remark PERMIT VPN
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
remark PERMIT INTERNAL SERVICES
permit tcp any host 92.237.119.115 eq 443
permit tcp any host 92.237.119.115 eq smtp
permit tcp any host 92.237.119.115 eq 22
permit tcp any host 92.237.119.115 eq www
permit tcp any host 195.137.6.6 eq 443
permit tcp any host 195.137.6.6 eq smtp
permit tcp any host 195.137.6.6 eq 22
permit tcp any host 195.137.6.6 eq www
remark DENY EVERYTHING ELSE
!
route-map ROUTER_GEN_TRAFFIC permit 10
match ip address IP_SLA_1
set ip next-hop 92.237.119.113
!
route-map ROUTER_GEN_TRAFFIC permit 20
match ip address IP_SLA_2
set interface Dialer1 Null0
!
route-map NAT_FA0/1 permit 10
match ip address NAT_ACL
match interface FastEthernet0/1
!
route-map NAT_DI1 permit 10
match ip address NAT_ACL
match interface Dialer1
!
route-map SERVERS permit 10
match ip address SERVER_ADAPTER_A
set ip next-hop 92.237.119.113
!
route-map SERVERS permit 20
match ip address SERVER_ADAPTER_B
set interface Dialer1 Null0
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
end
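The following is an added worked example from the editor, not code from the poster or from Cisco. It models the egress decision the posted config makes: policy route-maps (SERVERS on the LAN interface, ROUTER_GEN_TRAFFIC as the local policy) are consulted first, and only unmatched traffic falls through to the tracked static defaults, where the lower administrative distance (10 for FastEthernet0/1, 20 for Dialer1) wins while its track object is up. ACL matching is reduced to protocol plus source/destination prefixes, and both `set ip next-hop` and `set interface` are reduced to the egress interface, so this is a teaching model rather than an IOS emulator. The ACL `FROM_DIALER1_ADDR`, the route-map `ROUTER_GEN_TRAFFIC_FIXED` and the peer addresses 198.51.100.7 and 203.0.113.10 are assumptions constructed for the example; the Dialer1 address 195.137.6.6 is taken from the config's `IP_SLA_2` and `WAN_INTERFACE_ACL` entries. The point the model makes visible is that the posted local policy only matches the two ICMP probes, so a router-generated IKE reply sourced from the Dialer1 address follows the single installed default route out FastEthernet0/1; a third local-policy sequence pinning that source address to Dialer1 is the general technique for keeping such replies symmetric.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"   # "ip" (any), "icmp", "udp", "tcp", "esp"


# ACLs copied from the posted config. Standard ACLs match on source only,
# so their destination is "any". Tuples: (protocol, src prefix, dst prefix).
ACLS = {
    "SERVER_ADAPTER_A": [("ip", "192.168.64.0/29", "0.0.0.0/0")],
    "SERVER_ADAPTER_B": [("ip", "192.168.64.8/29", "0.0.0.0/0")],
    "IP_SLA_1": [("icmp", "92.237.119.115/32", "194.145.148.188/32")],
    "IP_SLA_2": [("icmp", "195.137.6.6/32", "212.74.102.15/32")],
    # Assumed addition (not in the posted config): anything the router sources
    # from its Dialer1 address, such as IKE/ESP replies, should leave via Dialer1.
    "FROM_DIALER1_ADDR": [("ip", "195.137.6.6/32", "0.0.0.0/0")],
}


def acl_permits(acl_name: str, pkt: Packet) -> bool:
    """First matching entry wins; an ACL with no match is an implicit deny."""
    for proto, src, dst in ACLS[acl_name]:
        if proto != "ip" and proto != pkt.proto:
            continue
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)):
            return True
    return False


# Route-maps as ordered (match ACL, egress interface) sequences. "set ip next-hop
# 92.237.119.113" and "set interface Dialer1 Null0" are both reduced to the interface.
ROUTE_MAPS = {
    "SERVERS": [("SERVER_ADAPTER_A", "FastEthernet0/1"),
                ("SERVER_ADAPTER_B", "Dialer1")],
    "ROUTER_GEN_TRAFFIC": [("IP_SLA_1", "FastEthernet0/1"),
                           ("IP_SLA_2", "Dialer1")],
    # Assumed hardened local policy: the posted sequences plus a third one
    # that pins router-sourced traffic from the Dialer1 address to Dialer1.
    "ROUTER_GEN_TRAFFIC_FIXED": [("IP_SLA_1", "FastEthernet0/1"),
                                 ("IP_SLA_2", "Dialer1"),
                                 ("FROM_DIALER1_ADDR", "Dialer1")],
}


def policy_route(route_map: str, pkt: Packet):
    """Return the egress interface chosen by PBR, or None if no sequence matches."""
    for acl, via in ROUTE_MAPS[route_map]:
        if acl_permits(acl, pkt):
            return via
    return None  # fall through to normal routing


# Tracked static defaults from the config: (interface, admin distance, track object).
DEFAULT_ROUTES = [("FastEthernet0/1", 10, 10), ("Dialer1", 20, 20)]


def routing_table_egress(track_up: dict) -> list:
    """Interfaces the routing table would use for the default route.
    Only routes whose track object is up are installed; among those the lowest
    administrative distance wins, and equal distances would share the load."""
    installed = [r for r in DEFAULT_ROUTES if track_up.get(r[2], False)]
    if not installed:
        return []
    best = min(r[1] for r in installed)
    return [r[0] for r in installed if r[1] == best]


def egress(pkt: Packet, route_map: str, track_up: dict) -> list:
    """PBR is consulted first; only unmatched traffic uses the routing table."""
    via = policy_route(route_map, pkt)
    return [via] if via else routing_table_egress(track_up)


# Constructed scenario: both WAN tracks up, the normal state for the posted config.
BOTH_UP = {10: True, 20: True}


def vpn_reply_path(fixed: bool = False) -> list:
    """Where a router-generated IKE reply goes when a remote VPN peer (constructed
    address 198.51.100.7) talks to the Dialer1 address 195.137.6.6."""
    reply = Packet(src="195.137.6.6", dst="198.51.100.7", proto="udp")
    rm = "ROUTER_GEN_TRAFFIC_FIXED" if fixed else "ROUTER_GEN_TRAFFIC"
    return egress(reply, rm, BOTH_UP)


if __name__ == "__main__":
    for pkt in (Packet("192.168.64.1", "203.0.113.10"),
                Packet("192.168.64.9", "203.0.113.10"),
                Packet("192.168.70.50", "203.0.113.10")):
        print(pkt.src, "->", egress(pkt, "SERVERS", BOTH_UP))
    print("IKE reply from Dialer1 address, posted local policy:", vpn_reply_path())
    print("IKE reply from Dialer1 address, with extra sequence:", vpn_reply_path(True))
```

Running it shows LAN hosts and the A loopback leaving via FastEthernet0/1, the B loopback via Dialer1, and the router's own reply from 195.137.6.6 leaving via FastEthernet0/1 under the posted local policy but via Dialer1 once the extra sequence is present. On a real router, verify the same thing with `show ip route` (which default is installed) and `show route-map` (which sequences are hitting) rather than trusting the model.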