I love this one: ideasnet
The above figure shows the infrastructure that I’ve used to realize the Load-Balancing and the Backup of two ADSL lines with the PBR solution.
ROUTER-A
ip cef
!
track 1 rtr 1 reachability
delay down 24 up 48
!
track 2 rtr 2 reachability
delay down 12 up 24
!
interface FastEthernet0/0
description *** INTERNAL LINK DATA LAN ***
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache policy
ip policy route-map PBR
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
description *** MAIN ADSL LINE ***
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0/0/0.1 point-to-point
description *** EXTERNAL LINK DATA FOR MAIN ADSL ***
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer1
description *** BANDWIDTH FOR MAIN ADSL LINE ***
ip address negotiated
ip access-group ACL_FIREWALL_IN in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
no ppp chap wait
ppp pap sent-username XXXXUSER1 password 7 XXXXPWD1
no ppp pap wait
!
interface ATM1/0/0
description *** BACK-UP ADSL LINE ***
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM1/0/0.1 point-to-point
description *** EXTERNAL LINK DATA FOR BACK-UP ADSL ***
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
interface Dialer2
description *** BANDWIDTH FOR BACK-UP ADSL LINE ***
ip address negotiated
ip access-group ACL_FIREWALL_IN in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
no cdp enable
no ppp chap wait
ppp pap sent-username XXXXUSER2 password 7 XXXXPWD2
no ppp pap wait
!
ip sla responder
!
ip sla 1
icmp-echo 100.0.0.1 source-interface Dialer1
timeout 500
frequency 6
!
!
ip sla 2
icmp-echo 200.0.0.1 source-interface Dialer2
timeout 200
frequency 3
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
dialer-list 1 protocol ip permit
!
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
!
ip nat inside source route-map NAT1 interface Dialer1 overload
ip nat inside source route-map NAT2 interface Dialer2 overload
!
ip access-list extended NAT1
remark *** ACL FOR NAT ON DIALER1 ***
permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended NAT2
remark *** ACL FOR NAT ON DIALER2 ***
permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended PBR_NAT_CONTROL_MAIN_ADSL
remark *** ACL FOR ROUTE_MAP PBR ***
remark *** PERMIT VPN,SMTP,POP3,RDP,SSH,HTTPS TRAFFIC COMING FROM INTERNAL NETWORK GO TO MAIN ADSL ***
permit udp 192.168.10.0 0.0.0.255 any eq isakmp
permit udp 192.168.10.0 0.0.0.255 any eq non500-isakmp
permit tcp 192.168.10.0 0.0.0.255 any eq 25
permit tcp 192.168.10.0 0.0.0.255 any eq 110
permit tcp 192.168.10.0 0.0.0.255 any eq 3389
permit tcp 192.168.10.0 0.0.0.255 any eq 22
permit tcp 192.168.10.0 0.0.0.255 any eq 443
!
ip access-list extended PBR_NAT_CONTROL_BACK-UP_ADSL
remark *** ACL FOR ROUTE_MAP PBR ***
remark *** PERMIT ALL TRAFFIC COMING FROM INTERNAL NETWORK GO TO BACK-UP ADSL ***
permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended ACL_FIREWALL_IN
remark *** FIREWALL FOR INBOUND TRAFFIC ***
remark ************************************************
remark *** STARTUP ACL FIREWALL FOR INBOUND TRAFFIC ***
remark ************************************************
remark *** DENY ANTI-SPOOFING INBOUND TRAFFIC ***
remark *** (KEPT FIRST SO A SPOOFED SOURCE NEVER REACHES A PERMIT BELOW) ***
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark ************************************************
remark *** PERMIT VPN SITE-TO-SITE INBOUND TRAFFIC ***
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
remark ************************************************
remark *** PERMIT SSH, TELNET AND HTTPS INBOUND TRAFFIC ***
permit tcp any any eq 22
permit tcp any any eq telnet
permit tcp any any eq 443
remark ************************************************
remark *** PERMIT RETURN TRAFFIC OF TCP SESSIONS OPENED FROM THE LAN ***
remark *** (INBOUND ACL IS EVALUATED BEFORE NAT, SO REPLIES NEED A MATCH) ***
permit tcp any any established
remark ************************************************
remark *** PERMIT DNS INBOUND TRAFFIC ***
permit udp host 82.x.x.1 eq domain any
permit udp host 82.x.x.2 eq domain any
remark ************************************************
remark *** PERMIT ICMP INBOUND TRAFFIC ***
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit icmp any any administratively-prohibited
permit icmp any any packet-too-big
permit icmp any any traceroute
deny icmp any any
remark ************************************************
remark *** DENY VIRUS AND WORM INBOUND TRAFFIC ***
deny tcp any any eq 135
deny udp any any eq 135
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny tcp any any eq 139
deny udp any any eq netbios-ss
deny tcp any any eq 445
deny tcp any any eq 593
deny tcp any any eq 2049
deny tcp any any range 6000 6010
deny udp any any eq 1433
deny udp any any eq 1434
deny udp any any eq 5554
deny udp any any eq 9996
deny udp any any eq 113
deny udp any any eq 3067
remark ************************************************
remark *** DENY UNAUTHORIZED ACCESS ***
deny ip any any log
remark ********************************************
remark *** END ACL FIREWALL FOR INBOUND TRAFFIC ***
remark ********************************************
!
route-map NAT1 permit 10
description *** NAT FOR LAN TRAFFIC LEAVING VIA DIALER1 ***
match ip address NAT1
match interface Dialer1
!
route-map NAT2 permit 10
description *** NAT FOR LAN TRAFFIC LEAVING VIA DIALER2 ***
match ip address NAT2
match interface Dialer2
!
! Each next-hop is verified with the track that probes it:
! track 1 = IP SLA 1 (100.0.0.1 via Dialer1), track 2 = IP SLA 2 (200.0.0.1 via Dialer2).
! When the verified next-hop is down, the packet falls back to the tracked default routes.
route-map PBR permit 10
description *** MAP THE TRAFFIC FROM LAN TO MAIN ADSL WITH PRIORITY ***
match ip address PBR_NAT_CONTROL_MAIN_ADSL
set ip next-hop verify-availability 100.0.0.1 1 track 1
!
route-map PBR permit 20
description *** MAP THE REMAINING TRAFFIC FROM LAN TO BACK-UP ADSL ***
match ip address PBR_NAT_CONTROL_BACK-UP_ADSL
set ip next-hop verify-availability 200.0.0.1 1 track 2
Note: I'm not sure about the right configuration of the above router; one of these days I'll have to try it!
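To check what the policy above should do before trying it on the router, here is an added model (my own code, not part of the original post or the ideasnet config) of how the PBR route-map, the IP SLA tracks and the two tracked default routes of ROUTER-A pick the egress next-hop for a LAN packet. It assumes that each next-hop is verified by the track that probes it (track 1 for 100.0.0.1, track 2 for 200.0.0.1) and the usual IOS rule that only the first matching route-map sequence is consulted, falling back to the routing table when its verified next-hop is down; the track states and sample packets are constructed inputs.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")
MAIN_HOP, BACKUP_HOP = "100.0.0.1", "200.0.0.1"   # PPP peers probed by IP SLA 1 and 2

# PBR_NAT_CONTROL_MAIN_ADSL as (protocol, destination port): isakmp, non500-isakmp,
# SMTP, POP3, RDP, SSH and HTTPS from the LAN are steered to the main line
PRIORITY_FLOWS = {("udp", 500), ("udp", 4500), ("tcp", 25), ("tcp", 110),
                  ("tcp", 3389), ("tcp", 22), ("tcp", 443)}


def default_route_hops(track1_up, track2_up):
    """Usable next-hops from the two tracked default routes. CEF shares load
    across all of them; an empty tuple means the packet has no route."""
    hops = []
    if track1_up:
        hops.append(MAIN_HOP)        # ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
    if track2_up:
        hops.append(BACKUP_HOP)      # ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
    return tuple(hops)


def pbr_next_hops(src, proto, dport, track1_up, track2_up):
    """Candidate next-hops for a packet entering FastEthernet0/0 (ip policy route-map PBR).

    The first route-map sequence whose ACL matches is the only one consulted (assumed
    IOS behaviour). Its 'set ip next-hop verify-availability' is honoured only while
    the associated track is up; otherwise the packet falls back to the routing table.
    """
    in_lan = ipaddress.ip_address(src) in LAN
    if in_lan and (proto, dport) in PRIORITY_FLOWS:      # route-map PBR permit 10
        return (MAIN_HOP,) if track1_up else default_route_hops(track1_up, track2_up)
    if in_lan:                                           # route-map PBR permit 20
        return (BACKUP_HOP,) if track2_up else default_route_hops(track1_up, track2_up)
    return default_route_hops(track1_up, track2_up)      # no sequence matched


def nat_interface(next_hop):
    """Which 'ip nat inside source route-map NATx interface Dialerx overload' statement
    translates the packet: the NAT route-maps match on the egress interface."""
    return {MAIN_HOP: "Dialer1", BACKUP_HOP: "Dialer2"}[next_hop]


if __name__ == "__main__":
    # Constructed scenarios: both lines up, main down, backup down, both down
    for track1, track2 in [(True, True), (False, True), (True, False), (False, False)]:
        https = pbr_next_hops("192.168.10.20", "tcp", 443, track1, track2)
        http = pbr_next_hops("192.168.10.20", "tcp", 80, track1, track2)
        print(f"track1={track1!s:5} track2={track2!s:5}  HTTPS->{https}  HTTP->{http}")
```

Running it shows the intended split: with both lines up, HTTPS leaves via 100.0.0.1 and plain HTTP via 200.0.0.1, and when either track goes down all LAN traffic moves to the surviving line.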