Dual ISP Load Balancing Configuration

Security involves authentication, authorization, confidentiality, data integrity and availability. This document involves network availability. In this example we explore a high availability, load balancing solution for Internet redundancy. Although the example here is for dual Internet service providers the principles of this configuration could be applied in other situations where dual gateways are needed.

In a topology where dual ISP’s customer premise equipment provides an Ethernet port for connection to their service, configuring two static routes with or without metric won’t have the desired effect. Since your equipment connects to an Ethernet port, that connection will always appear to be up as long as you have a link light indicating layer one connectivity. Ethernet ports won’t lose the carrier signal typical with a serial connection so your data path will never fail over to the other configured static route.

In Cisco IOS versions 12.3T and 12.4 mainline object tracking features have been greatly improved and can now be applied to monitor the up/down status of interfaces. The solution contemplated in this article monitors ISP reachability by pinging a host on each of the ISPs networks that is only reachable through that ISPs interface. The ability to ping a host in the core of the ISPs network as opposed to pinging the ISPs gateway provides a means of monitoring that ISPs network health and not just the status of your local connection. The configuration presented here requires a Cisco IOS version of 12.3T or above.

In my own research I found many examples of solutions to this problem. Many of them I dismissed immediately because they were just plain flawed, others were not flexible or provided only failover capabilities without load balancing or were not compatible with the way I needed to provide address translation services. If you prefer just failover without load balancing add a metric to tracked default route for your backup ISP in the configuration below like this “ip route 0.0.0.0 0.0.0.0 10.10.10.1 200 track 123”.

The following configuration is in part the work of Josh Horton at blindhog,net and the original configuration can be seen here, http://www.blindhog.net/cisco-dual-internet-connections-without-bgp/. I’ve am making a similar configuration available here due the difficulty of finding this information on the Internet.

I have made some enhancements and at the expense of failover have provided a way to force certain traffic out a particular interface. I’ve also added a host specific route to the ping monitored host on each network. This assures that the host will be reachable when the router is powered up or service is reestablished and forces the ICMP ping packet out the interface we want to monitor. A host specific route also assures that the monitored host is only reachable through it’s network gateway.

version 12.4
!
hostname Router_Name
!
ip cef
!
!#### Establish sla monitors for use in tracking objects. These objects ####!
!#### are used to track reachability of a host on each ISPs network ####!
!
ip sla monitor 1
type echo protocol ipIcmpEcho 10.10.10.10
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 10.20.20.10
ip sla monitor schedule 2 life forever start-time now
!
!#### Configure Tracking objects (referencing IP SLA monitor’s above) ####!
!
track 123 rtr 1 reachability
delay down 5 up 5
!
track 124 rtr 2 reachability
delay down 5 up 5
!
!#### Configure Interfaces for NAT, 'ip nat inside' and 'ip nat outside '####!
!
interface GigabitEthernet0/1
description Connect to firewall outside interface or inside networks
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/2
description ISP1 Internet Interface
ip address 10.10.10.2 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/3
description ISP2 Internet Interface
ip address 10.20.20.2 255.255.255.252
ip nat outside
!
!#### Configure gateway of last resort with tracking objects ####!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 123
ip route 0.0.0.0 0.0.0.0 10.20.20.1 track 124

!#### Configure host specific routes for sla monitors. Without ####!
!#### these, tracking objects cannot recover after full failure. note ####!
!#### the ‘permanent’ keyword installed the route into the RIB ####!
!#### regardless of reachability ####!
!
ip route 10.10.10.10 255.255.255.255 10.10.10.1 permanent
ip route 10.20.20.10 255.255.255.255 10.20.20.1 permanent
!
!#### Configure additional routes for inside subnets not directly connected ####!
!
ip route [inside subnet / mask] GigabitEthernet0/1
ip route [inside subnet / mask] GigabitEthernet0/1
!
!#### Outbound dynamic NAT for each interface with overload parameter ####!
!
ip nat inside source route-map ISP1_MAP interface GigabitEthernet0/2 overload
ip nat inside source route-map ISP2_MAP interface GigabitEthernet0/3 overload
!
!#### Additional static NAT for dedicated one to one NAT addresses and /or ####!
!#### tcp/udp port translations. Note first two statements translate SMTP (25) ####!
!
ip nat inside source static tcp 192.168.1.5 25 10.10.10.5 25 route-map ISP1_MAP extendable
ip nat inside source static tcp 192.168.1.5 25 10.20.20..5 25 route-map ISP1_MAP extendable
ip nat inside source static 192.168.226.5 71.151.39.129 route-map ISP2_MAP extendable
ip nat inside source static 192.168.226.6 71.151.39.130 route-map ISP2_MAP extendable
!
!####Configure a single ACL or an ACL for each interface if####!
!####needed to direct specific traffic to a specific interface####!
!####Both ACLs have the same permit statement but other####!
!####permit or deny statements can be added as required####!
!
ip access-list extended ISP1_ACL
remark ACL for ISP1 interface - permit or deny specific traffic on this interface / ISP
permit ip 192.168.226.0 0.0.0.255 any
!
ip access-list extended ISP2_ACL
remark ACL for Comacst interface - permit or deny specific traffic on this interface / ISP
permit ip 192.168.226.0 0.0.0.255 any
!
!####Configure route maps for reference in NAT statements####!
!####These route-maps direct NATs to appropriate interface####!
!
route-map ISP1_MAP permit 10
description associates outside NAT addresses with the correct interface
match ip address ISP1_ACL
match interface GigabitEthernet0/2
!
route-map ISP2_MAP permit 10
description associates outside NAT addresses with the correct interface
match ip address ISP2_ACL
match interface GigabitEthernet0/3
!
banner motd ^C
********************************************

SECURITY NOTICE

********************************************
This is a private secured computer system.
It is for authorized use only.
Users (authorized or unauthorized) have no
explicit or implicit expectation of privacy.
Any or all uses of this system and all
files on this system may be intercepted,
monitored, recorded, copied, audited,
inspected, and disclosed to authorized
site, law enforcement personnel, as well
as authorized officials of other agencies,
both domestic and foreign. By using this
system, the user consents to such
interception, monitoring, recording,
copying, auditing, inspection, and
disclosure at the discretion of site
personnel. All activity is logged
with your host name and IP address.
Unauthorized or improper use of this
system may result in civil and criminal
penalties. By continuing to use this
system you indicate your awareness of and
consent to these terms and conditions of
use. LOG OFF IMMEDIATELY if you do not
agree to the conditions stated in this
warning.


********************************************
^C