[c-nsp] Load balancing via 2 ISP + NAT

Rodney Dunn rodunn at cisco.com
Tue Dec 28 11:34:04 EST 2004


If ISP2 doesn't route ISP1 addresses back to
you then that will never work because
out on the net someone will always be
pointing at the ISP1 addresses on the servers.

Unless you do something funky with DNS.

Rodney


On Fri, Dec 03, 2004 at 07:18:26AM +0200, Sorin CONSTANTINESCU wrote:
>  Hi,
> 
> I need both inbound and outbound connections. There is a proxy server
> in the LAN, and also a mail server.
> 
> Do you think I still need the nat overload for the interface towards
> isp1, since the servers have ip address given by the isp1?
> 
> The scenario we've used was supposed to do backup between the 2
> different connections, and also load-balancing. Maybe (actually I'm
> sure of it) the design is wrong, but does anybody see a solution for
> having 2 different ISPs, when both of them work, traffic should
> load-balance, when one of them is down, all the traffic should move to
> the other ISP. Also, there is at least a server in the LAN which is
> supposed to receive traffic from the internet.
> 
> Regards,
> 
> On Thu, 2 Dec 2004 16:46:11 -0500, Rodney Dunn <rodunn at cisco.com> wrote:
> > What size network were you given to use?
> > Do you need the ability to initiate inbound
> > connections from the internet to all
> > machines on the LAN or just some?
> > 
> > Since ISP1 will not have a route back to you
> > for the ISP2 address space the only thing
> > you can do with traffic going out that way
> > is overload to the WAN ip address.
> > 
> > For the in->out direction the routing
> > decision would be made first so you could
> > use a route-map I think to overload on
> > the wan interfaces for each.
> > 
> > ie:
> > 
> > 101_(config)#ip nat inside source route-map isp1 interface e1/0 over
> > 101_(config)#ip nat inside source route-map isp2 interface e2/0 over
> > 
> > then define a route-map that would match for isp1
> > the egress interface name going to isp1.
> > Do the same for isp2.
> > 
> > Now this will cover your internal hosts that just need to get
> > out to the internet.  Since the source address will be the
> > ip address on the wan interface for each isp your return
> > traffic will always come to the right path.
> > 
> > Then for the host you need to allow inbound connections
> > for you define static nat translations to map to ip addresses
> > in the pool you were given from the ISP.
> > 
> > The only gotcha I see here is for this to work you will have
> > to do policy based routing on the internal LAN interface
> > coming in the router and send all traffic coming from the
> > static translated inside hosts out the ISP2 link.  That
> > means you will not have failover for those hosts between
> > the two links but that is the only possible way I can
> > think of to make this work.
> > 
> > 
> > 
> > Rodney
> > 
> > On Thu, Dec 02, 2004 at 09:39:51PM +0200, Sorin CONSTANTINESCU wrote:
> > > On Thu, 2 Dec 2004 12:13:28 -0500, Rodney Dunn <rodunn at cisco.com> wrote:
> > > > Never send out an ascii diagram that doesn't
> > > > fit in an 80 column window.
> > >
> > > sorry :(
> > >
> > > >
> > > >                        /-ISP1(10.0.0.1/30)
> > > > LAN--(nat inside)Router
> > > > (10.0.2.1/24)           \
> > > >                         -ISP2 (10.0.1.1/30)(nat outside)
> > > >
> > > >
> > > > What is your ISP1 connection?
> > >
> > > The ISP1 connection is an E1 connection.
> > >
> > > > Is your interface address a global one from the provider?
> > > >
> > >
> > > The global address is from ISP2
> > >
> > > > When you put 10.x.x.x addresses everywhere in your diagram
> > > > it makes it appear as though everything is private.
> > > >
> > >
> > > No, they're not private, they're all public. Sorry for the confusion.
> > > The LAN subnet is a /29, and on both interfaces towards the ISPs there
> > > are /30s.
> > >
> > > > Were you given some global addresses to use?
> > > > If so from what provider?
> > >
> > > The global address is from ISP2, but the lan addresses are from ISP1.
> > >
> > > >
> > > > Rodney
> > >
> > > --
> > > Sorin
> > 
> 
> 
> -- 
> Sorin CONSTANTINESCU
> consta at gmail.com
> Linux Registered User #222086
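
The route-map NAT and policy-routing approach discussed in this thread, written out as an added example; it is not configuration posted by either participant. Assumptions: all addresses are constructed from documentation ranges, the LAN block and the server address are taken to be ISP1-assigned, Ethernet0/0 is taken as the LAN interface, and the ACL numbers and the route-map name pin-servers are hypothetical.

```cisco
! Constructed addressing (documentation ranges), not from the thread:
!   LAN 192.0.2.0/29 (assumed ISP1-assigned), server at 192.0.2.2
!   e1/0 to ISP1 = 198.51.100.2/30, e2/0 to ISP2 = 203.0.113.2/30
interface Ethernet0/0
 ip address 192.0.2.1 255.255.255.248
 ip nat inside
 ip policy route-map pin-servers
!
interface Ethernet1/0
 description to ISP1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Ethernet2/0
 description to ISP2
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Two defaults: the routing decision picks the egress, NAT then follows it
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ACL 101 = outbound-only clients; the server is excluded so it is never
! overloaded and stays reachable on the address the internet points at
access-list 101 deny   ip host 192.0.2.2 any
access-list 101 permit ip 192.0.2.0 0.0.0.7 any
! ACL 102 = the server that must accept inbound connections
access-list 102 permit ip host 192.0.2.2 any
!
! One route-map per ISP, matching the egress interface chosen by routing
route-map isp1 permit 10
 match ip address 101
 match interface Ethernet1/0
route-map isp2 permit 10
 match ip address 101
 match interface Ethernet2/0
!
ip nat inside source route-map isp1 interface Ethernet1/0 overload
ip nat inside source route-map isp2 interface Ethernet2/0 overload
!
! Server traffic is pinned to the ISP that routes its address back
route-map pin-servers permit 10
 match ip address 102
 set ip next-hop 198.51.100.1
```

Client sessions leave with the WAN address of whichever link routing selected, so return traffic arrives on the same link; `show ip nat translations` shows which outside address each flow received. The pinned server uses one link only and therefore has no failover, the trade-off the thread already names.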

