How to do load-balancing with multiple uplinks

Hello I am in this situation:

I have two DSL Routers, doing NAT on the following IP:

R1: WAN: pppoe dialup adsl LAN: 192.168.27.1/24

R2: WAN: pppoe dialup adsl with ISP #2 LAN: 192.168.27.2/24

I have one Cisco router 2621 that does NAT and "manages" a pool of wi-fi users.

I have this router configured as follows:

FAST0/0 192.168.27.100/24 ("WAN" side)
FAST0/1 10.0.0.1/24 (LAN side)

I do NAT between fast0/0 and fast0/1, I do DHCP, and I have an ACL.

My question is:

is there a way to let my c2621 connect to the internet, sharing the load between R1 and R2?

I don't want per-packet load sharing because it can break HTTPS connections or SIP calls.

Does anyone have suggestions? Thank you.

Reply to
Elia S.

you can try allocating different users / IP addresses to the 2 routers

formatting link
anything that helps an individual PC is going to need session load balancing....

Reply to
Stephen

Hello, thank you for your answer. The problem actually is that I have no control over R1 and R2. I just have my 2600 router behind them, and I would like to balance my users (in NAT, DHCP behind the 2600) so that some go out via R1 and others via R2 in a balanced manner...

"Stephen" wrote in message news: snipped-for-privacy@4ax.com...

you can try allocating different users / IP addresses to the 2 routers

formatting link
anything that helps an individual PC is going to need session load balancing....

Reply to
Elia S.

There are cheap routers from companies like Draytek that perform this function out-of-the-box. To do it on a Cisco is possible, but quite a bit more difficult.

If you do not want to buy something else, you will need to set up the router in such a way that half of the addresses go out via one link and half via the other (you will need to set up policy routing where a different default gateway is chosen depending on the source address of the traffic).

There are solutions from Cisco that claim to do what you need, like:

formatting link
While I have not tested this particular solution on recent IOS software, my experience in general with having two default routes in IOS is that it does not work in practice, because it sends internet traffic randomly over the two interfaces specified as default, without looking at the source address. Your internet provider will likely block the traffic you send on one link with the source IP address of the other. That is why the policy routing is (in my experience) always required.

Reply to
Rob

Hello, thank you for your detailed answer.

I have found that the Draytek 2910 could be a perfect solution.

Reply to
Elia S.

I will pursue the goal of doing it on the Cisco router. I will do some tests based on the links you gave me and I will post the results in a few days.

Reply to
Elia S.

Hello Rob.

After reading your message carefully, I think this could be an idea:

R1: 192.168.27.1
R2: 192.168.27.2

R1 and R2 do NAT.

c2651XM:
WAN side: 192.168.27.200/24
LAN side: 192.168.0.254/24, DHCP enabled.

I have a pool of DHCP addresses from 192.168.0.1 to 200.

I would like to create a route map that does this:

route-map PBR permit 100
 match ip address TO-R1
 set ip next-hop 172.16.0.1
!
! second entry needs its own sequence number, otherwise it overwrites entry 100
route-map PBR permit 200
 match ip address TO-R2
 set ip next-hop 172.16.0.2
!
ip access-list extended TO-R1
 permit ip host 192.168.0.1 any
 permit ip any host 192.168.0.1
 permit ip host 192.168.0.2 any
 permit ip any host 192.168.0.2
!
ip access-list extended TO-R2
 permit ip host 192.168.0.100 any
 permit ip any host 192.168.0.100
 permit ip host 192.168.0.101 any
 permit ip any host 192.168.0.101

The route-map PBR should be applied to the LAN interface of the c2651XM.

My question now is: how about NAT? How can I set up NAT?

Reply to
Elia S.

I think you must mean 192.168.27.1 as your next hop...

It should be sufficient to have only the permit ip host x.x.x.x any lines.

With NAT you can use route-map as well.

Like this:

ip nat inside source route-map map-1 interface ... overload
ip nat inside source route-map map-2 interface ... overload
!
route-map map-1 permit 10
 match ip address adsl-1-overload
 set interface ...
 set ip next-hop ...
!
route-map map-2 permit 10
 match ip address adsl-2-overload
 set interface ...
 set ip next-hop ...
!
ip access-list extended adsl-1-overload
 permit ip host 192.168.1.2 any
 permit ip host 192.168.1.4 any
!
ip access-list extended adsl-2-overload
 permit ip host 192.168.1.3 any
 permit ip host 192.168.1.5 any

Reply to
Rob

Hello Rob, my answers below.

Elia S. wrote:

I think you must mean 192.168.27.1 as your next hop...

Yes yes it is a copy-paste of an old conf.

It should be sufficient to have only the permit ip host x.x.x.x any lines.

With NAT you can use route-map as well.

Like this:

ip nat inside source route-map map-1 interface ... overload
ip nat inside source route-map map-2 interface ... overload
!
route-map map-1 permit 10
 match ip address adsl-1-overload
 set interface ...
 set ip next-hop ...
!
route-map map-2 permit 10
 match ip address adsl-2-overload
 set interface ...
 set ip next-hop ...
!
ip access-list extended adsl-1-overload
 permit ip host 192.168.1.2 any
 permit ip host 192.168.1.4 any
!
ip access-list extended adsl-2-overload
 permit ip host 192.168.1.3 any
 permit ip host 192.168.1.5 any

I tried this:

ip nat inside source route-map PBR1 interface fast0/1 overload
ip nat inside source route-map PBR2 interface fast0/1 overload
!
route-map PBR1 permit 100
 match ip address TO-R1
 set ip next-hop 172.16.0.1
(forget this IP, I will put the correct one)
!
route-map PBR2 permit 100
 match ip address TO-R2
 set ip next-hop 172.16.0.2
(forget this IP, I will put the correct one)

Which default route do I put in the router? Just R1... because NAT is handled by the route map.

right?

Reply to
Elia S.

This route-map directs the traffic that you are NATting the right way. Any default route that you put in is only used for other traffic from the router (e.g. when you have set up NTP).

When you want to balance all the traffic you can use a loopback interface and use a route-map as you have made before for traffic flowing via that loopback interface and then route default to the loopback interface.

Reply to
Rob

Hello, I would like to balance the traffic between R1 and R2, but my fear is that some connections go out via R1 and others via R2, and for example an HTTPS connection will be broken.

I would like to do a load balancing but source-based...

The simplest solution is to make two ACLs so that some hosts of the DHCP pool go out via R1 and others via R2.

I am going to try it now

"Rob" wrote in message news: snipped-for-privacy@xs8.xsall.nl...

Elia S. wrote:

This route-map directs the traffic that you are NATting the right way. Any default route that you put in is only used for other traffic from the router (e.g. when you have set up NTP).

When you want to balance all the traffic you can use a loopback interface and use a route-map as you have made before for traffic flowing via that loopback interface and then route default to the loopback interface.

Reply to
Elia S.

When I used it some years back (the examples are cut from my config of that time) I concluded after a lot of reading that such a static mapping was the only possibility on IOS. With a Linux system it would not have been a problem to balance based on "sessions", so that each TCP or UDP session would be fixed to a single external connection, but outgoing sessions would be dynamically allocated to the two connections. (e.g. a webpage with several images would be loaded partly over one and partly over the other connection). The "out of the box" solutions also do that.

It seems that the mechanisms to do this were not present in IOS, but it looks like this has been improved later. It may well be that with a modern IOS version you can do this.

I have seen examples of configs that improve on the static mapped config in that they perform a "failover", i.e. when one of the lines is down it does not mean half your internal computers have no internet, but all the internet traffic is routed over the other line.

However, I have become wary of configs that solve it using two default routes, as my experience is that two default routes means all outgoing traffic is packet-by-packet balanced over the two outgoing interfaces. This does not work unless the two lines are sold by one ISP specifically for the purpose of balancing. And of course you buy your two lines from two different ISPs anyway.

But maybe this problem has been solved as well...

Reply to
Rob

I tried with route maps and NAT and it did not work.

This is a working config:

ip tcp ecn
ip tcp selective-ack
ip tcp timestamp
ip tcp window-size 65535
ip tcp synwait-time 10
ip ssh time-out 90
ip ssh version 2
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Lato LAN
 ip address 192.168.0.254 255.255.255.0
 ip access-group 181 in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map PBR
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Lato WAN
 ip address 172.16.0.222 255.255.254.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
ip dns server
!
ip http server
no ip http secure-server
ip nat translation timeout 3600
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 100
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation icmp-timeout 120
ip nat inside source list 102 interface FastEthernet0/1 overload
!
ip access-list extended TO-R1
 permit ip 192.168.0.0 0.0.0.63 any
 permit ip any 192.168.0.0 0.0.0.63
ip access-list extended TO-R2
 permit ip 192.168.0.64 0.0.0.63 any
 permit ip any 192.168.0.64 0.0.0.63
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 181 deny udp 172.16.0.0 0.0.255.255 any eq tftp
access-list 181 deny tcp 172.16.0.0 0.0.255.255 any eq 135
access-list 181 deny udp 172.16.0.0 0.0.255.255 any eq 135
access-list 181 deny tcp 172.16.0.0 0.0.255.255 any range 137 139
access-list 181 deny udp 172.16.0.0 0.0.255.255 any range netbios-ns netbios-ss
access-list 181 deny tcp 172.16.0.0 0.0.255.255 any eq 445
access-list 181 deny udp 172.16.0.0 0.0.255.255 any eq 445
access-list 181 deny tcp 172.16.0.0 0.0.255.255 any eq 593
access-list 181 deny udp 172.16.0.0 0.0.255.255 any eq 593
access-list 181 deny tcp 172.16.0.0 0.0.255.255 any eq 4444
access-list 181 permit ip 192.168.0.0 0.0.0.255 any
access-list 181 deny ip any any log
!
route-map PBR permit 100
 match ip address TO-R1
 set ip next-hop 172.16.0.1
!
route-map PBR permit 200
 match ip address TO-R2
 set ip next-hop 172.16.0.2
!
control-plane
!
mgcp behavior g729-variants static-pt
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
!
ntp clock-period 17208081
ntp server 192.43.244.18
!
end

Reply to
Elia S.
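An added check, not part of the thread, that evaluates the working config above offline: it applies the TO-R1/TO-R2 wildcard ACLs and the PBR sequence order to every host of the DHCP pool 192.168.0.1-200 the poster described, falling back to the global default route where no sequence matches. Addresses, masks and next hops are taken from the config; the first-match-wins evaluation is standard IOS route-map behaviour.

```python
# Offline model of the thread's final policy-routing config (added example).
# Shows which next hop each DHCP host gets, and how many hosts end up on each.
import ipaddress
from collections import Counter

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS ACL semantics: wildcard bits set to 1 are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# route-map PBR from the config, in sequence order:
# ((network, wildcard) entries of the matched ACL, next hop)
ROUTE_MAP_PBR = [
    ([("192.168.0.0", "0.0.0.63")], "172.16.0.1"),   # seq 100, ACL TO-R1 -> R1
    ([("192.168.0.64", "0.0.0.63")], "172.16.0.2"),  # seq 200, ACL TO-R2 -> R2
]
DEFAULT_ROUTE = "172.16.0.1"  # ip route 0.0.0.0 0.0.0.0 172.16.0.1

def next_hop_for(src: str) -> tuple[str, str]:
    """Return (reason, next hop) for a LAN source address entering Fa0/0."""
    for entries, hop in ROUTE_MAP_PBR:
        if any(wildcard_match(src, net, wc) for net, wc in entries):
            return ("pbr", hop)
    # No route-map sequence matched: ordinary destination routing applies
    return ("default", DEFAULT_ROUTE)

def pool_distribution(first: int = 1, last: int = 200) -> dict[str, int]:
    """Count next hops over the DHCP pool 192.168.0.<first>..<last>."""
    counts: Counter = Counter()
    for host in range(first, last + 1):
        reason, hop = next_hop_for(f"192.168.0.{host}")
        counts[f"{hop} ({reason})"] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, n in sorted(pool_distribution().items()):
        print(f"{n:4d} hosts -> {key}")
```

The output shows that only .1-.127 are policy-routed (63 hosts via R1, 64 via R2); hosts .128-.200 match neither ACL and all leave via the default route to R1, so the pool range should be trimmed or a third ACL block added to keep the split even.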
