RE: Load Balancing and NAT [7:64904]
First big question: are your T1s from the same provider, or from a different provider, and thus different "public" IP address space? If it is from a different provider, you may well run into some problems with NAT.

Say for example, client A connects to your webserver (via ISP A's public IP address that is assigned to you, say x.x.x.x), which is then NAT'd to your internal RFC1918 address. That will work all fine and dandy, but what about if your default gateway is ISP B's T1? Outbound packets, returning to client A, will be NAT'd to ISP B's outside address, say y.y.y.y. If client A is behind a stateful firewall, return packets will be dropped, as it will have ISP B's SRC address, and it will be expecting ISP A's.

There are a number of ways around this, but I will wait for more details before going on. Presumably you are not / will not be running BGP, and have your own AS?

Terry Oldham wrote:
> Hello all,
>
> I am attempting to setup a Cisco 1721 Router with load balancing and NAT so that we can provide a dual T1 connection to the network. This is the first time I have done anything like this and I was wanting to know if anyone had any good pointers they could give me or any commands that I should beware of or add.
>
> Thanks,
>
> Terry O

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64906&t=64904
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Load Balancing and NAT [7:64904]
The T1s are from different providers, Qwest and Sprint. And no, we will not be running BGP...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64910&t=64904
Re: Load Balancing and NAT [7:64904]
Could you give us more info please, as far as the IPs that you will be using. Wasn't it you that wanted to assign 2 IPs for each server you have? If that is so, you can do the following:

create 2 VLANs on your switch.
create 2 subinterfaces on the router (must have Fast Ethernet) for the VLANs.
PBR everything from ISP A to VLAN A, both ways.
PBR everything from ISP B to VLAN B, both ways.
make sure the servers don't symmetrically route the packets.

With the above, you will have control over traffic that crosses your router, but then which IP the clients will use depends on the DNS config; whether it will load balance on DNS queries is also another issue, so more or less you will have no control over traffic coming to your network.

If you had your own net block, it would be easy to load balance; you'd have to call your ISPs, they will give you a community that you will join, from which they will load balance, but you will need BGP, of course.

But please give more information to further think it out.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64912&t=64904
Re: Load Balancing and NAT [7:64904]
Hi Terry,

I think I have already responded to a similar, if not the same, question. You won't be able to use NAT, as you can't have a many-to-one NAT statement on your router, i.e. Qwest IP and Sprint IP both NAT to the same server. The only way I can see you getting this working is if you get a /30 or use ip unnumbered between yourself and the providers, and then have both public IP ranges on your inside Ethernet segment (thus your server will have two public IP addresses configured on it).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64914&t=64904
Re: Load Balancing and NAT [7:64904]
More Info:

FastEthernet0  172.16.100.2/24
Serial0        144.228.52.114 255.255.255.252  (Sprint)
               IP block 65.160.124.193 - 65.160.124.222
Serial1        65.123.132.166 255.255.255.252  (Qwest)
               IP block 65.120.161.161 - 65.120.161.190

Honestly, I have bitten off a little more than I can chew on this one; however, I really need to make it work, so all and any advice will be taken.

I have been talking with Cisco a little and here is the example they sent me:

Current configuration : 1941 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Inet_Router
!
logging buffered 4096 debugging
! The enable secret (MD5) takes precedence when both are set; the type 7
! enable password is reversibly encoded and only adds a recoverable credential.
enable secret 5 $1$L3f5$owQH/giYdx/Gui/nASA9F1
enable password 7 13041200045D51
!
ip subnet-zero
ip cef
ip name-server 198.6.1.122
!
interface FastEthernet0/0
 ip address 10.30.25.201 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 description Verio
 ip address 165.254.203.110 255.255.255.252
 ip nat outside
!
interface Serial0/1
 description Cable&Wireless
 ip address 166.63.156.102 255.255.255.252
 ip nat outside
!
! Each dynamic pool is tied to one egress interface through its route-map, so
! a session leaving Serial0/0 is sourced from the Verio address and one leaving
! Serial0/1 from the Cable&Wireless address.
ip nat pool Verio 209.139.11.98 209.139.11.98 netmask 255.255.255.224
ip nat pool Cable 208.168.204.2 208.168.204.2 netmask 255.255.255.0
ip nat inside source route-map Cable1 pool Cable overload
ip nat inside source route-map Verio1 pool Verio overload
! One-to-one mappings: the provider block the global address comes from
! decides which link inbound traffic for that host arrives on.
ip nat inside source static 10.30.25.27 209.139.11.122
ip nat inside source static 10.30.25.25 209.139.11.120
ip nat inside source static 10.30.25.63 209.139.11.111
ip nat inside source static 10.30.25.62 209.139.11.110
ip nat inside source static 10.30.25.33 208.168.204.6
ip nat inside source static 10.30.25.32 208.168.204.5
ip nat inside source static 10.30.25.31 209.139.11.101
ip nat inside source static 10.30.25.30 209.139.11.100
ip nat inside source static 10.30.25.137 209.139.11.105
ip classless
! Two equal-cost default routes: CEF shares outbound traffic between the
! links per destination.
ip route 0.0.0.0 0.0.0.0 165.254.203.109
ip route 0.0.0.0 0.0.0.0 166.63.156.101
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
! HTTP management server is enabled; disable it if it is not used.
ip http server
ip pim bidir-enable
!
access-list 10 permit 10.30.25.0 0.0.0.255
route-map Verio1 permit 10
 match ip address 10
 match interface Serial0/0
!
route-map Cable1 permit 10
 match ip address 10
 match interface Serial0/1
!
line con 0
 login
line aux 0
! 'login' with no line password set refuses remote logins until a password
! (or local/AAA authentication) is configured.
line vty 0 3
 login
line vty 4
 login
!
no scheduler allocate
end
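The failure Troy describes at the top of the thread (a reply to a session that arrived on ISP A leaving with ISP B's source address and being dropped by the client's stateful firewall), and the reason the Cisco sample above ties each NAT pool to an egress interface with a route-map, modelled in Python. This is an added example, not code from the thread or from Cisco, and it models a NAT router and a connection-tracking firewall rather than IOS itself: the two /27 blocks are the ones Terry posted; the server address, the NAT source address chosen inside each block, the client address and the firewall are assumptions made for the example. It also tries the per-packet round-robin reply routing that comes up later in the thread, which delivers only every other reply.

```python
"""Model of the asymmetric-return-path problem on a dual-homed NAT router
and of the egress-aware fix the route-map NAT arrangement is there to give.

Added example, not code from the thread or from Cisco.  A small model of a
NAT router and a stateful firewall, not a reimplementation of IOS.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing.  The two /27 blocks are the ones Terry
# posted; the hosts inside them and the client are assumptions.
INSIDE_SERVER = "172.16.100.10"          # assumed host on Terry's 172.16.100.0/24
LINKS = {
    # uplink: (provider block, address the router sources NAT traffic from on it)
    "Serial0": (ip_network("65.160.124.192/27"), "65.160.124.200"),  # Sprint
    "Serial1": (ip_network("65.120.161.160/27"), "65.120.161.170"),  # Qwest
}
CLIENT = "198.51.100.7"                   # RFC 5737 documentation address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Connection-tracking firewall in front of the client: a packet gets in
    only if it is the exact reverse of a flow the client opened."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


class DualHomedNat:
    """Two-uplink NAT router with three reply-routing policies.

    default-route   : every reply leaves via the default link (Troy's case).
    round-robin     : replies alternate Serial0 / Serial1 per packet.
    match-interface : the reply leaves via the link the session arrived on.
    In every case the reply is sourced from the address of the link it
    actually leaves on, which is what the client's firewall sees.
    """

    POLICIES = ("default-route", "round-robin", "match-interface")

    def __init__(self, policy, default_link="Serial1"):
        if policy not in self.POLICIES:
            raise ValueError(policy)
        self.policy = policy
        self.default_link = default_link
        self.sessions = {}      # (client, client port, server port) -> ingress link
        self._rr = 0

    @staticmethod
    def link_for_address(addr):
        """Uplink whose provider block contains a public address."""
        for name, (block, _) in LINKS.items():
            if ip_address(addr) in block:
                return name
        raise KeyError(addr)

    def outside_to_inside(self, pkt):
        """Inbound request: remember the ingress link, rewrite dst to the server."""
        self.sessions[(pkt.src, pkt.sport, pkt.dport)] = self.link_for_address(pkt.dst)
        return Packet(pkt.src, pkt.sport, INSIDE_SERVER, pkt.dport)

    def inside_to_outside(self, pkt):
        """Server reply: choose the uplink, then source-NAT to that link's address."""
        if self.policy == "match-interface":
            link = self.sessions.get((pkt.dst, pkt.dport, pkt.sport), self.default_link)
        elif self.policy == "round-robin":
            link = list(LINKS)[self._rr % len(LINKS)]
            self._rr += 1
        else:
            link = self.default_link
        return link, Packet(LINKS[link][1], pkt.sport, pkt.dst, pkt.dport)


def run_session(policy, replies=2):
    """Client opens a session to the server's Sprint address; the server sends
    `replies` packets back.  Returns the link each reply left on, the source
    address of the last reply, and how many replies the firewall accepted."""
    fw = StatefulFirewall()
    router = DualHomedNat(policy)
    request = fw.outbound(Packet(CLIENT, 40000, LINKS["Serial0"][1], 80))
    inside_req = router.outside_to_inside(request)
    reply = Packet(inside_req.dst, inside_req.dport, inside_req.src, inside_req.sport)

    egress, accepted = [], 0
    for _ in range(replies):
        link, translated = router.inside_to_outside(reply)
        egress.append(link)
        accepted += fw.inbound(translated)
    return {"egress": egress, "accepted": accepted, "reply_src": translated.src}


if __name__ == "__main__":
    for pol in DualHomedNat.POLICIES:
        print(f"{pol:16s} {run_session(pol)}")
```

Running it shows the default-route policy losing every reply and round-robin losing every other one; only returning traffic out the interface it arrived on, sourced from that interface's address, passes the client's firewall. In IOS that is what the route-map `match interface` arrangement gives the dynamic pools; for servers with static one-to-one mappings the same effect needs the reply pinned to the link that owns the global address (policy routing on the inside interface, along the lines Amar suggests), since a static translation on its own does not choose the egress interface.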
RE: Load Balancing and NAT [7:64904]
I have a question about this setup, but it's more design-oriented than configuration. What's the benefit of having redundant ISPs if they both connect to one router? I realize that a WAN circuit is more likely to have problems than the router hardware is, but it seems like both the configuration problem and the single point of failure can be addressed by adding a second router. From there, I see two options.

#1, break up the LAN into two DHCP scopes (if DHCP is used) and assign the IPs of both routers as the default gateway, but alternate them. Scope 1 would have R1's IP as the primary default gateway, and R2's as the secondary, and vice versa for scope 2.

#2, use a layer 3 switch at the core of the LAN, and configure routed ports. Give the switch two default routes with the same AD, and it will load balance between the two routers.

Does either of these sound feasible?

Hal

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64930&t=64904
Re: Load Balancing and NAT [7:64904]
That will work. Everything going out will be overloaded, and an inverse NAT is done for the packets coming in. You will have control over the traffic getting out, that is in a round-robin fashion, one packet out Se0 the next out Se1. The traffic coming in the links will depend on the IPs you use on the NAT statements (the static ones), thereby giving some sort of control; if you see a link being over-utilized, you could use more IPs from the other pool given by the second ISP, to balance it somewhat.
RE: Load Balancing and NAT [7:64904]
At 5:41 PM + 3/10/03, Logan, Harold wrote:
>I have a question about this setup, but it's more design-oriented than
>configuration. What's the benefit of having redundant ISPs if they both
>connect to one router?

Single router with multiple ISPs: protects you against failure in the ISP routing system. Both ISPs still may get bad routing data. No guard against router or local loop failure.

Multiple routers to different POPs of the same ISP: protects you against local loop failure, lets you contract for physical route diversity within the ISP. No guard against ISP-wide routing failure. You may be able to negotiate multiple upstreams.

Multiple routers to different ISPs: may or may not protect against local loop failure, depending on how far apart you place the routers. Potentially decent protection against routing failure. Still vulnerable if there is a common upstream.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64989&t=64904
Re: Load Balancing and NAT [7:64904]
Interesting. I am looking at doing the same thing after my Sprint circuit was down three times in three business days for ~4 hours each time. Something that makes my situation difficult is I have control of the 1700 on my Qwest circuit but not the Sprint router; it is owned by Sprint. So I have to leave the Sprint router in place and run its eth0 to an Ethernet WIC in the 1700 and let it handle the load balancing. I'm thinking of trying to let the 1700 do NAT as well so the IP blocks of both Qwest and Sprint circuits appear within the same NAT'ed block inside.

The other part of the design I have is a VPN established between the firewall behind the router and a firewall in my co-lo. I'm thinking of trying to establish the VPN with an IP on each ISP's block for redundancy there, then start setting up all traffic in and out of my site to go through the VPN so I shouldn't have to worry about the different IP blocks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65247&t=64904