[c-nsp] Load balancing via 2 ISP + NAT

Osama I. Dosary oid at saudi.net.sa
Tue Dec 14 01:07:03 EST 2004


Hello,

For failover on outbound traffic the nat setup should have you covered.

Failover on your inbound traffic is another story. Have you thought of 
using DNS for failover on your inbound traffic?
Have two IP addresses per server, one from each ISP. Static NAT from one 
IP to the other, for your server traffic. Put both IPs in the DNS for the 
same server, with a low DNS-TTL.
The DNS will do a round robin between the two IPs for each server 
(which will help load sharing).
In case one of the two ISPs has a failure, pull out the corresponding 
record from the DNS.
There are products/script that can do this kind of solution dynamically.

Keep in mind the following:
    1. The failover time is: Detection time + DNS TTL
    2. Some proxy servers out there in the Internet might ignore the TTL (rare)
   
I hope this helps,
-Osama

Sorin CONSTANTINESCU wrote:

> Hi,
>
>I need both inbound and outbound connections. There is a proxy server
>in the LAN, and also a mail server.
>
>Do you think I still need the nat overload for the interface towards
>isp1, since the servers have ip address given by the isp1?
>
>The scenario we've used was supposed to do backup between the 2
>different connections, and also load-balancing. Maybe (actually I'm
>sure of it) the design is wrong, but does anybody see a solution for
>having 2 different ISPs, when both of them work, traffic should
>load-balance, when one of them is down, all the traffic should move to
>the other ISP. Also, there is at least a server in the LAN which is
>supposed to receive traffic from the internet.
>
>Regards,
>
>On Thu, 2 Dec 2004 16:46:11 -0500, Rodney Dunn <rodunn at cisco.com> wrote:
>>What size network were you given to use?
>>Do you need the ability to initiate inbound
>>connections from the internet to all
>>machines on the LAN or just some.
>>
>>Since ISP1 will not have a route back to you
>>for the ISP2 address space the only thing
>>you can do with traffic going out that way
>>is overload to the WAN ip address.
>>
>>For the in->out direction the routing
>>decision would be made first so you could
>>use a route-map I think to overload on
>>the wan interfaces for each.
>>
>>ie:
>>
>>101_(config)#ip nat inside source route-map isp1 interface e1/0 over
>>101_(config)#ip nat inside source route-map isp2 interface e2/0 over
>>
>>then define a route-map that would match for isp1
>>the egress interface name going to isp1.
>>Do the same for isp2.
>>
>>Now this will cover your internal host that just need to get
>>out to the internet.  Since the source address will be the
>>ip address on the wan interface for each isp your return
>>traffic will always come to the right path.
>>
>>Then for the hosts you need to allow inbound connections
>>for, you define static nat translations to map to ip addresses
>>in the pool you were given from the ISP.
>>
>>The only gotcha I see here is for this to work you will have
>>to do policy based routing on the internal LAN interface
>>coming in the router and send all traffic coming from the
>>static translated inside hosts out the ISP2 link.  That
>>means you will not have failover for those hosts between
>>the two links but that is the only possible way I can
>>think of to make this work.
>>
>>Rodney
>>
>>On Thu, Dec 02, 2004 at 09:39:51PM +0200, Sorin CONSTANTINESCU wrote:
>>>On Thu, 2 Dec 2004 12:13:28 -0500, Rodney Dunn <rodunn at cisco.com> wrote:
>>>>Never send out an ascii diagram that doesn't
>>>>fit in an 80 column window.
>>>sorry :(
>>>
>>>>                       /-ISP1(10.0.0.1/30)
>>>>LAN--(nat inside)Router
>>>>(10.0.2.1/24)           \
>>>>                        -ISP2 (10.0.1.1/30)(nat outside)
>>>>
>>>>What is your ISP1 connection?
>>>The ISP1 connection is an E1 connection.
>>>
>>>>Is your interface address a global one from the provider?
>>>>
>>>The global address is from ISP2
>>>
>>>>When you put 10.x.x.x addresses everywhere in your diagram
>>>>it makes it appear as though everything is private.
>>>>
>>>No, they're not private, they're all public. Sorry for the confusion.
>>>The LAN subnet is a /29, and on both interfaces towards the ISPs there
>>>are /30s.
>>>
>>>>Were you given some global addresses to use?
>>>>If so from what provider?
>>>The global address is from ISP2, but the lan addresses are from ISP1.
>>>
>>>>Rodney
>>>--
>>>Sorin
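Rodney's recipe (per-interface NAT overload via route-maps, static NAT for the servers, PBR pinning those servers to ISP2) written out as one IOS configuration. This is an added example, not configuration posted in the thread; interface names follow his e1/0 (ISP1) and e2/0 (ISP2), the LAN is assumed on e0/0, and every address is a documentation-range placeholder. Detection of a dead ISP link for the default routes is not covered here.

```cisco
! Added example, not config from the thread. Interfaces follow Rodney's
! e1/0 (ISP1) and e2/0 (ISP2); the LAN sits on e0/0; all addresses are
! documentation-range placeholders.
interface Ethernet0/0
 description LAN (/29 from ISP1)
 ip address 192.0.2.1 255.255.255.248
 ip nat inside
 ip policy route-map SERVERS-VIA-ISP2
!
interface Ethernet1/0
 description ISP1 (E1 link)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Ethernet2/0
 description ISP2
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! One default route per ISP; the routing lookup happens before inside->outside
! NAT, so it picks the link and the route-map below picks the matching address.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Only the LAN block is eligible for translation (no translating spoofed sources).
access-list 10 permit 192.0.2.0 0.0.0.7
!
! Route-maps keyed on the egress interface, as Rodney describes.
route-map isp1 permit 10
 match ip address 10
 match interface Ethernet1/0
!
route-map isp2 permit 10
 match ip address 10
 match interface Ethernet2/0
!
ip nat inside source route-map isp1 interface Ethernet1/0 overload
ip nat inside source route-map isp2 interface Ethernet2/0 overload
!
! Static 1:1 translation for the mail server to an address in the ISP2 pool
! (placeholder 203.0.113.10), so inbound connections can reach it.
ip nat inside source static 192.0.2.5 203.0.113.10
!
! PBR on the LAN interface: the statically translated host must always exit
! via ISP2, because only ISP2 routes the pool address back here.
access-list 110 permit ip host 192.0.2.5 any
route-map SERVERS-VIA-ISP2 permit 10
 match ip address 110
 set ip next-hop 203.0.113.1
```

Because the NAT route-maps match on the egress interface, the overloaded address follows whichever default route the router selects for a flow; the PBR clause pins the statically translated host to ISP2, which is exactly the loss of failover for that host that Rodney points out.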

