[c-nsp] What is wrong with this config? (nat load sharing)

Brian Feeny signal at shreve.net
Tue Sep 21 19:26:13 EDT 2004


I have a customer who has 2 Internet providers.  They wish to do load 
balancing and BGP is not an option for them.  All of their machines are 
on private IPs.  So I came up with a config where I run NAT behind 
both providers, and in theory it should work no problems, but I am 
seeing where it will load half a web site, like amazon, or apple.com, 
etc.  And then just stall.  It's not DNS, because they are using the one 
provider for DNS, who is in turn allowing both NAT IPs to recursive 
lookup off their servers.

A few observations:

1) with ip route-cache or ip route-cache flow I was seeing the problem 
with sites stalling out.
2) with ip cef enabled it actually works, although the traffic pattern 
is a bit weird.  It goes between high input/low output on Serial0, and 
low input/high output on s1.1, and then it will flip flop in time.  I 
am going to graph this to make sure it's actually got some pattern to 
it.

What I don't understand:

1) Why with fast or flow switching, it would not work.  I liked the 
idea of setting up flow switching, so that there is a 0.0.0.0 coin toss 
done for each flow.

The config is below.  If anyone has any suggestions, please let me 
know, as I am interested in making the sharing as ideal as it can be.  
Turning off route-caching entirely is not an option however :)


interface FastEthernet0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  speed auto
!
interface Serial0
  description ShreveNet T1
  ip address 207.254.221.150 255.255.255.252
  ip nat outside
!
interface Serial1
  no ip address
  encapsulation frame-relay IETF
  frame-relay lmi-type ansi
!
interface Serial1.1 point-to-point
  description ITCDeltaComm
  ip address 10.20.18.166 255.255.255.252
  ip nat outside
  frame-relay interface-dlci 100
!
ip nat pool deltacom 66.0.102.177 66.0.102.177 netmask 255.255.255.248
ip nat inside source route-map ToDeltacom pool deltacom overload
ip nat inside source route-map ToShreveNet interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1.1
ip route 207.254.192.0 255.255.224.0 Serial0
!
access-list 1 deny   192.168.1.2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 deny   192.168.1.2
access-list 2 permit 192.168.1.0 0.0.0.255
!
route-map ToDeltacom permit 10
  match ip address 1
  match interface Serial1.1
!
route-map ToShreveNet permit 10
  match ip address 2
  match interface Serial0
!


Brian Feeny

---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
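As an added consistency check (not from the post or the list), this Python script parses the NAT-relevant stanzas of the config above and reports any `ip nat outside` interface that has no default route pointing at it, or no NAT rule whose route-map selects it with `match interface`; the second input is a constructed variant with the ShreveNet `match interface` line removed, to show what a gap looks like.

```python
import re

# The two-provider NAT stanzas from the post, trimmed to the lines the check reads.
CONFIG = """\
interface Serial0
 ip nat outside
!
interface Serial1.1 point-to-point
 ip nat outside
!
ip nat inside source route-map ToDeltacom pool deltacom overload
ip nat inside source route-map ToShreveNet interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1.1
!
route-map ToDeltacom permit 10
 match ip address 1
 match interface Serial1.1
!
route-map ToShreveNet permit 10
 match ip address 2
 match interface Serial0
"""

def parse(config):
    outside, rm_ifaces, nat_maps, defaults = set(), {}, set(), set()
    block = None  # ("if", name) or ("rm", name) for the stanza we are inside
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            block = ("if", m.group(1))
        elif m := re.match(r"route-map (\S+) ", s):
            block = ("rm", m.group(1))
        elif s == "!":
            block = None
        elif s == "ip nat outside" and block and block[0] == "if":
            outside.add(block[1])
        elif (m := re.match(r"match interface (\S+)", s)) and block and block[0] == "rm":
            rm_ifaces.setdefault(block[1], set()).add(m.group(1))
        elif m := re.match(r"ip nat inside source route-map (\S+)", s):
            nat_maps.add(m.group(1))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", s):
            defaults.add(m.group(1))
    return outside, rm_ifaces, nat_maps, defaults

def check(config):
    outside, rm_ifaces, nat_maps, defaults = parse(config)
    # Interfaces selected by a route-map that is actually bound to a NAT rule.
    covered = set().union(*(rm_ifaces.get(n, set()) for n in nat_maps)) if nat_maps else set()
    return {
        "no_nat_rule": sorted(outside - covered),          # outside iface no rule translates on
        "no_default_route": sorted(outside - defaults),    # outside iface never chosen as exit
        "rule_without_outside": sorted(covered - outside), # rule selects a non-NAT-outside iface
    }

# Constructed broken variant: ToShreveNet no longer pins its outgoing interface.
BROKEN = CONFIG.replace(" match interface Serial0\n", "")
```

Run `check(CONFIG)` for the posted config and `check(BROKEN)` for the variant; the former reports nothing, the latter flags Serial0 as having no NAT rule bound to it.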