[nsp] cisco load balancing

ivac+cisco-nsp@iskon.hr
Thu, 12 Sep 2002 13:11:00 +0200


On Thu, Sep 12, 2002 at 12:05:09PM +0200, Arie J. Gerszt wrote:
> 
> Radware makes a product called Linkproof. It basically does load balancing
> and automagical failover for multiple ISPs for outgoing connections. It
> states it is using something like "smart NAT", without the use of any
> (i/eBGP).
> 
> As I understand it, it basically NATs traffic in a way that load is balanced,
> and in the case of a failure of one link it just uses the other one to its
> full extent.

It has a built-in DNS server which maps names to IP addresses (from
ISP 1 and ISP 2) to obtain load balancing and failover.
It uses a small TTL (zero?) for replies, and when the link to ISP 1
fails it returns only the address from ISP 2 for www.somedomain.com.

> What I was wondering is if I can accomplish the same behaviour with a
> multiple-Ethernet router, say a 2621 with 3 FE for example.
> 
> basically I'd like to:
> 
>                       +--------- ISP 1 (static)
>                       |
>               /--------\
> [firewall]----| CISCO  |
>               \--------/
>                       +--------- ISP 2 (static)
> 
> without using any BGP. Any suggestion of you "gurus"? :)

It can be done with the same DNS trick.
What you need is a DNS server with two IP addresses (one from ISP 1 and
the other from ISP 2) which are both NS for yourdomain.com (the server is
behind the router, which does NAT for those two addresses).

On that server, with the use of SNMP (traps and/or snmpget) you can
verify the state of the links, and when one fails, a script removes the
dead addresses (from the ISP whose link is down) from the configuration
file of the DNS server.

Basically you have this (x.x.x.x is the address from ISP 1, y.y.y.y the
address from ISP 2):

- both links up:

$ host -v www.yourdomain.com
www.yourdomain.com             10     IN      A   x.x.x.x
www.yourdomain.com             10     IN      A   y.y.y.y

- link to ISP 2 fails:

$ host -v www.yourdomain.com
www.yourdomain.com             10     IN      A   x.x.x.x

The important thing is to use a small TTL (zero is best, but then the DNS
server will get more requests).

Also with SNMP you can monitor the utilisation of both links, and when
one of the links becomes saturated, the script removes the address
associated with that link from the configuration (as when the link fails)
for a short period to offload that link.

Maybe there are tools which automate this process (scripts for BIND,
djbdns, ...) but I'm not aware of any.
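The decision logic behind the script described in the post above (drop a link's address when the link is down, and also when it is saturated), as an added example that is not part of the original message or of any Radware or Cisco product. The SNMP values (ifOperStatus, ifSpeed and the octet counters from IF-MIB) are constructed inline instead of being fetched with snmpget, the ISP addresses are documentation addresses standing in for x.x.x.x and y.y.y.y, and the 90% saturation threshold and the "publish everything rather than nothing" fallback are assumptions of this example.

```python
"""Pick which ISP addresses to publish for a hostname from per-link SNMP
values and emit the A records the post's script would write into the DNS
server's configuration.  Added example; SNMP samples are constructed."""

from dataclasses import dataclass

IF_OPER_UP = 1            # IF-MIB ifOperStatus: 1 = up, 2 = down
COUNTER32_MAX = 2 ** 32   # ifInOctets/ifOutOctets are 32-bit counters that wrap


@dataclass
class Link:
    isp: str
    addr: str             # public address from this ISP, NATted to the DNS server
    oper_status: int      # ifOperStatus of the router interface towards the ISP
    speed_bps: int        # ifSpeed of that interface
    octets_prev: int      # ifInOctets + ifOutOctets at the previous poll
    octets_now: int       # the same sum at this poll
    interval_s: float     # seconds between the two polls


def counter_delta(prev, now, maxval=COUNTER32_MAX):
    """Difference between two counter samples, allowing for one wrap."""
    return now - prev if now >= prev else now + (maxval - prev)


def utilisation(link):
    """Fraction of the link's capacity used between the two polls."""
    bits = counter_delta(link.octets_prev, link.octets_now) * 8
    return bits / (link.speed_bps * link.interval_s)


def publishable(link, saturate_at=0.9):
    """Publish a link's address only if the link is up and not saturated
    (threshold is an assumption of this example)."""
    return link.oper_status == IF_OPER_UP and utilisation(link) < saturate_at


def a_records(hostname, links, ttl=10, saturate_at=0.9):
    """One A record per usable link, with the small TTL the post recommends.
    If every link is saturated, fall back to all links that are up; if none
    is up, publish all of them so the zone never loses the name entirely."""
    good = [l for l in links if publishable(l, saturate_at)]
    if not good:
        good = [l for l in links if l.oper_status == IF_OPER_UP] or list(links)
    return [f"{hostname} {ttl} IN A {l.addr}" for l in good]


# Constructed samples: 2 Mbit/s links polled 60 s apart (capacity 15,000,000
# bytes per interval).  ISP 1 carried 1,500,000 bytes (10%); ISP 2's counter
# wrapped during the interval and it carried 14,000,000 bytes (93%).
ISP1 = Link("ISP 1", "192.0.2.10", IF_OPER_UP, 2_000_000,
            10_000_000, 11_500_000, 60)
ISP2_SATURATED = Link("ISP 2", "198.51.100.10", IF_OPER_UP, 2_000_000,
                      COUNTER32_MAX - 500_000, 13_500_000, 60)
ISP2_DOWN = Link("ISP 2", "198.51.100.10", 2, 2_000_000, 0, 0, 60)
ISP2_OK = Link("ISP 2", "198.51.100.10", IF_OPER_UP, 2_000_000,
               10_000_000, 11_500_000, 60)

if __name__ == "__main__":
    for label, links in (("both up", [ISP1, ISP2_OK]),
                         ("ISP 2 down", [ISP1, ISP2_DOWN]),
                         ("ISP 2 saturated", [ISP1, ISP2_SATURATED])):
        print(f"; {label}")
        print("\n".join(a_records("www.yourdomain.com.", links)))
```

The records are what would be written into the zone before the server is reloaded; the actual reload (rndc reload, rebuilding djbdns data.cdb) is left to whichever server is in use. Two practical points when running this: the TTL only advises resolvers, and some clients keep using a cached address past it, so the dead address may still be tried for a while; and removing an address only stops new connections, it does not move sessions already established through the failed link.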