[c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

ben.steele at internode.on.net ben.steele at internode.on.net
Mon Aug 18 23:56:54 EDT 2008 

  BODY { font-family:Arial, Helvetica, sans-serif;font-size:12px; } 

	Hi Scott, 
	Try this: 
	Seeing as you are working statics over your wireless cloud to
simplify things a little setup a GRE tunnel from your 7200 over the
wireless to the 1841 (don’t forget to subtract 24 bytes off the MTU,
ie if it's a 1500 path put ip mtu 1476 in the tunnel interface and
also add keepalives so it will actually go down if it is down), and I
assume your T1 is point to point from the other 1841 to the 7200. 
	Now assuming this is going to be a redundant configuration as well
as load-balanced you need to have a subnet that can float between the
2 links that your customer can NAT against (which by the way will
happen on the ASA they got sold), there are 2 ways you can achieve
this, 1 is by using ip sla to monitor the next hop of each of the
customer links from your 7200 with statics, the other is private BGP,
you sure as hell don't want to start running an IGP to your
customers(unless it's MPLS VPN). 
	Lets say you assign your customer 1.0.0.0/27 as their usable
floating subnet and the T1 is 2.0.0.1/30 at your end and your GRE
tunnel(wireless) is 2.0.0.5/30 at your end. 
	Setup ip sla with icmp echo to 2.0.0.2 and 2.0.0.6 (each in their
own rtr group of course, say 1 and 2 respectively). 
	Ip route 1.0.0.0 255.255.255.224 2.0.0.2 track 1 Ip route 1.0.0.0
255.255.255.224 2.0.0.6 track 2 
	Hope that makes sense, essentially traffic will only route to your
customer if your 7200 can ping their respective 1841, the other
private BGP option I am going to assume you are already familiar with
being in an ISP. 
	Now for the customer to you. 
	AFAIK the ASA cannot load balance it can only forward out 1
interface at a time. 
	So what you need to do is put the ASA and the 2 1841 interfaces into
a switch so they can all see each other at layer2, now setup hsrp on
your 1841 interfaces for redundant gateways lets say you use
1.0.0.1(t1),1.0.0.2(wireless),1.0.0.3(hsrp), now the next part is a
little trickier, I am going to assume your T1 is your primary link for
this example but you can switch it around if you want. 
	On your T1 1841 add a static route for the wireless /30 to go via
the LAN interface of the Wireless 1841(ip route 2.0.0.4
255.255.255.252 1.0.0.2, you should now be able to ping the ISP end of
the wireless link from your T1 1841, you want to setup ip sla to
monitor the ISP end of the wireless link from your T1 router(ie the T1
router is monitoring 2.0.0.5) and you also want to monitor its end of
the T1 link aswell 2.0.0.1 
	What this does is let your primary gateway know that it has a
complete and valid path for both gateways for redundancy. 
	Now you add 2 static routes with tracking on your primary 1841 
	Ip route 0.0.0.0 0.0.0.0 2.0.0.1 track 1 Ip route 0.0.0.0 0.0.0.0
1.0.0.2 track 2 
	Your wireless 1841 need only have the 1 gateway via its wireless
tunnel as it should only ever fall over to that router if there is a
serious problem on the primary side so you don't want it routing back
that way anyway, however make sure you enable pre-empt so it fails
back to the primary once it is back up. 
	You can optimise this a little further with the global command "ip
cef load-sharing algorithm include-ports destination source" or if
your game you can even do per-packet load sharing however i wouldn't
recommend it as your 2 paths are going to have different
characteristics, id probably just try the method i listed first. 
	As mentioned previously the ASA config will just be straightforward,
NAT/PAT against some pool in 1.0.0.0/27 with a default route to
1.0.0.3(hsrp), nothing more to it, the 1841's will do all the
redundancy and load balancing. 
	Hope at least some of that made sense, if you need clarification on
anything let me know. 
	Cheers 
	Ben
 On Tue 19/08/08 9:06 AM , Scott Lambert lambert at lambertfam.org sent:
  I have a customer who went directly to cisco to ask about how to
load 
 balance two WAN connections to their Cisco PIX 515E. Cisco sold them
an 
 ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with
the 
 ASA and 1841s. Apparantly, the customer didn't even mention that the

 two connections were to the same ISP, me. The customer just ordered
the 
 equipment and said "Make it work." 
 The WANs are T1 (existing) and 4Mbps ethernet delivered via a
wireless 
 network. 
 Cisco sales tech guy said: 
 > What we discussed was the ASA having a default route to the
virtual 
 > IP address of the routers and they would be running either VRRP or

 > GLBP (whatever they decided they wanted to do) going out to the 
 > service provider. Then the routers would simply have a default
route 
 > going out to the service provider to hit the 'Net. 
 The network design is supposed to be something like : 
 Cisco 7204VXR NPE G1 (ISP) 
 | | 
 T1 Wireless network cloud 
 | | 
 Cisco 1841 Cisco 1841 
 | | 
 -+-------+--------+- 
 | 
 Cisco ASA 5510 (Customer) 
 The wireless network cloud is creating logistical issues for me. The

 wireless ethernet makes multiple hops through StarOS based routers 
 which do not speak OSPF, yet. I have to staticly route traffic to
the 
 wireless cloud. The wireless network is handled by a different group

 here and I don't have much influence over how they run it. 
 I've been running ISP routers for 10 years, but have not had this 
 configuration come up before. 99.9999% of my customers have been
single 
 homed to me. Also, ASA/PIX devices haven't been common for me until
the 
 past couple of years and I keep running into areas where they seem
to 
 try very hard to avoid having common routing features. I'm primarily
a 
 servers guy but when you work in small ISPs, you get to do
everything. 
 I could use some guidence in the best way to make these links load 
 balance with graceful degradation if one link should fall down. 
 I've been considering bringing up an IPSec VPN from the 7204VXR to
the 
 1841 handling the wireless ethernet connection, just to bypass the
need 
 for dynamic routing in the wireless network. Then I could run OSPF
or 
 other magic between the 1841s and my 7204. 
 Is OSPF going to be enough to load balance the links, or will I need

 something else? 
 If not, could an MLPPP bundle be brought up which uses the T1 and an

 IPSec tunnel? But then, how would I use the 1841s redundantly? 
 To keep the 1841s redundant, do I need to use their existing router
to 
 act as a T1 to ethernet bridge? 
 Also, on the VRRP front, the customer currently has a /29 LAN subnet

 outside their ASA. The current T1 router has one IP and the rest of 
 the IPs are in use on the ASA. Will we need to renumber them to a
/28 
 subnet? Or, can the virtual router address be from their current
subnet 
 with the individual routers having their primary IPs from another,
RFC 
 1918, subnet? 
 The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E)

 connections. 
 If I configure the VirtualTemplates to permit CEF, which lowers CPU 
 utilization to about 30%, the router hangs in an ininite loop at
random 
 intervals, at least with c7200-ik91s-mz.122-28.SB5.bin. Any of the
12.2 
 SB series images at the time I last tried CEF did the same thing and
I 
 haven't had enough nerve to try again since. 
 Hopefully, that is not important right now. The only reason I
mention 
 it is in case an IPSec tunnel, or whatever the necessary magic ends
up 
 being, might make a significant impact on the CPU. 
 -- 
 Scott Lambert KC5MLE Unix SysAdmin 
 _______________________________________________ 
 cisco-nsp mailing list  
 https://puck.nether.net/mailman/listinfo/cisco-nsp [3] 
 archive at http://puck.nether.net/pipermail/cisco-nsp/ [4] 


Links:
------
[3]
http://webmail.internode.on.net/parse.php?redirect=https%3A%2F%2Fpuck.nether.net%2Fmailman%2Flistinfo%2Fcisco-nsp
[4]
http://webmail.internode.on.net/parse.php?redirect=http%3A%2F%2Fpuck.nether.net%2Fpipermail%2Fcisco-nsp%2F

More information about the cisco-nsp mailing list