Sunday, August 30, 2009

NAT Load Balancing with multiple ADSL


Recently, we switched ISP and migrated 3 x ADSL links for an Internet LAN. The route to the Internet was load-balanced among the 3 links. We were happy with the result until some users complained of slow Internet access at peak hours. I investigated ("sh ip nat translation" in EXEC mode) and realised that all the PAT (Port Address Translation) entries were overloading onto the first outside interface (Dialer1) only, instead of onto all 3 dialer interfaces. In other words, all outbound traffic was taking on the public IP of the first link, so the return traffic had to come back via that link only, which became the main bottleneck.

To work around this, I used route-map classification instead of a plain ACL as the NAT target. With the ACL-only form, all three "ip nat inside source list ... overload" statements match the same ACL, so the first statement wins for every flow regardless of which dialer the packet actually leaves on. A route-map that also matches the outgoing interface ties each translation to the egress interface chosen by routing. After configuring this, "sh ip nat translation" showed the entries spread evenly across the 3 different public IP addresses. One caveat: CEF load sharing is per-destination by default, so every packet of a given source/destination pair exits on the same dialer and keeps the same public IP; it is flows to different destinations that land on different links.

! Load-balancing default routes, one per dialer interface (equal-cost)
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer3
!
! Classify outgoing packets by their egress interface, so each one is
! overloaded onto the public IP of the dialer it actually leaves on
route-map d1-nat permit 10
 match ip address 88
 match interface Dialer1
!
route-map d2-nat permit 10
 match ip address 88
 match interface Dialer2
!
route-map d3-nat permit 10
 match ip address 88
 match interface Dialer3
!
! User LAN inside addresses
access-list 88 permit 192.168.1.0 0.0.0.255
!
! NAT operations: one overload statement per outside interface
ip nat inside source route-map d1-nat interface Dialer1 overload
ip nat inside source route-map d2-nat interface Dialer2 overload
ip nat inside source route-map d3-nat interface Dialer3 overload
!
! Bring the load-balanced PAT into effect
interface FastEthernet0/0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
interface Dialer2
 ip nat outside
!
interface Dialer3
 ip nat outside
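The check described above (eyeballing "sh ip nat translation" to see whether PAT entries are spread across the dialer IPs) is easy to get wrong on a busy table. The following Python script is an added example, not part of the original post: it parses the translation table, counts entries per inside-global (public) address and flags the single-link skew the post describes. The two pasted outputs are constructed samples using documentation-range addresses (203.0.113.x as the three dialer IPs), not captures from the author's router; the column layout follows the standard IOS "Pro / Inside global / Inside local / Outside local / Outside global" header.

```python
import re
from collections import Counter

# Constructed sample: the "before" state from the post, every entry
# overloaded onto Dialer1's public IP (203.0.113.11 stands in for it).
BEFORE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.11:1025     192.168.1.10:51001    198.51.100.20:80      198.51.100.20:80
tcp 203.0.113.11:1026     192.168.1.11:51002    198.51.100.21:443     198.51.100.21:443
udp 203.0.113.11:1027     192.168.1.13:53000    198.51.100.23:53      198.51.100.23:53
tcp 203.0.113.11:1028     192.168.1.14:51004    198.51.100.24:443     198.51.100.24:443
"""

# Constructed sample: the "after" state, entries spread over all three
# dialer public IPs (203.0.113.11/.12/.13 are stand-ins for Dialer1-3).
AFTER_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.11:1025     192.168.1.10:51001    198.51.100.20:80      198.51.100.20:80
tcp 203.0.113.12:1025     192.168.1.11:51002    198.51.100.21:443     198.51.100.21:443
tcp 203.0.113.13:1025     192.168.1.12:51003    198.51.100.22:80      198.51.100.22:80
udp 203.0.113.11:1026     192.168.1.13:53000    198.51.100.23:53      198.51.100.23:53
tcp 203.0.113.12:1026     192.168.1.14:51004    198.51.100.24:443     198.51.100.24:443
icmp 203.0.113.13:1       192.168.1.15:1        198.51.100.25:1       198.51.100.25:1
"""

# One translation row: protocol (or --- for static entries) and four
# address[:port] columns. Header and blank lines simply fail to match.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$"
)


def strip_port(addr):
    """'203.0.113.11:1025' -> '203.0.113.11'; addresses without a port pass through."""
    return addr.rsplit(":", 1)[0]


def parse_translations(text):
    """Return a list of (proto, inside_global_ip, inside_local_ip, outside_global_ip)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or something that is not a translation
        rows.append((m["proto"], strip_port(m["ig"]), strip_port(m["il"]), strip_port(m["og"])))
    return rows


def count_per_inside_global(rows):
    """Number of PAT entries riding on each public (inside global) address."""
    return Counter(r[1] for r in rows)


def is_balanced(counts, expected_links, max_share=0.5):
    """True when every expected link carries entries and no single link
    holds more than max_share of them (the post's failure mode is 100%)."""
    total = sum(counts.values())
    if total == 0 or len(counts) < expected_links:
        return False
    return max(counts.values()) / total <= max_share


def report(text, expected_links):
    """Human-readable summary, e.g. for pasting into a ticket."""
    counts = count_per_inside_global(parse_translations(text))
    lines = [f"{ip}: {n} entries" for ip, n in sorted(counts.items())]
    verdict = "balanced" if is_balanced(counts, expected_links) else "SKEWED"
    return "\n".join(lines + [f"verdict: {verdict}"])


if __name__ == "__main__":
    print("before:\n" + report(BEFORE_OUTPUT, 3))
    print("after:\n" + report(AFTER_OUTPUT, 3))
```

On a real router, paste the output of "show ip nat translations" into the text variable (or pipe it in via stdin); the per-destination hashing means a short capture can look uneven, so take a sample at peak hours with a few hundred entries before drawing conclusions.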

Reference: IOS NAT Load-Balancing for Two ISP Connections

1 comment:

  1. Short questions:
    1) How do you manage connections to web-banking sites that block the connection if they see it coming from 2 different IPs?
    2) How do you manage traffic from DNS-based CDNs?