Cisco load balancing DSL and IPSEC Vpns

Soldato, joined 17 Oct 2002, 3,941 posts, West Midlands
Greetings, I have a client who has several sites, each with 2 x 8Mb/s ADSL Max connections, and one primary site with 2 x 2Mb/s SDSL connections.

Currently they use ADSL bonding devices and run two VPNs per site to every other site for redundancy, which I find odd, but anyhow..

They would like to load balance or bond each site and run a Cisco meshed IPSEC VPN between each remote site and the primary site.

Now if it were just a single line at each site I wouldn't have a problem, but not having dealt with load balancing or bonding before I'm a little stuck.

I've been looking at Cisco Optimized Edge Routing, Policy Based Routing and Gateway Load Balancing Protocol but am unsure as to what would be the best approach. I would like to achieve this with a single Cisco 2800 at each site and an ASA at the primary site to terminate the VPNs on and provide a stronger firewall policy.

Any comments would be much appreciated

:)
 
My initial thoughts were.....

Load balancing - I'd use one of the dynamic routing protocols that can utilise multiple equal cost paths, e.g. EIGRP. Used this before at a customer site with redundant WAN links in an active-active state. Easy to set up....

To carry this routing protocol over a VPN, and given the fact it uses multicast, you are going to have to set up GRE tunnels over IPSEC from the spokes to the hub.

Now the ASA will support EIGRP and GRE, so by setting up dual paths with equal costs the routing protocol will load balance across the GRE tunnels.

Anyway that's my first thoughts - might be something on a closer look which might prevent this from working, or there may be a nicer way of doing it!

jimjamuk
 
Have they been reading about MPLS or something? Full meshed ADSL network?

Crazy.

Indeed, that was my first recommendation to the client, but the approximate cost was around the 50k mark and they weren't too happy with that.

I see what you're trying to achieve as well; would that require two tunnels, one per link, configured at each site, and let EIGRP calculate the routing to avoid loops?

The sites will be entirely Cisco, so EIGRP is my first choice.
 
Hi - yes, two GRE tunnels per hub ==== site. Run EIGRP over the GRE tunnels and, as long as the path costs are the same (or you set the variance if they are slightly different), it will load balance across the two links. EIGRP won't see the tunnels and no routing loops will occur.

In fact I've just found a nice Cisco example at http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Check it out - it shows how to config up EIGRP over GRE (hub and spoke), and all you need to do is double up and load balancing will occur - the load balancing stuff is at http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094820.shtml

I also thought of MPLS but that is overkill for a hub to spoke VPN solution.
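As an added illustration of the two-tunnels-per-site idea in the post above (this config is not from the thread, nor from the Cisco documents linked there), here is what the spoke side looks like on an IOS router: two ADSL lines, each carrying its own GRE tunnel protected by IPsec to a separate hub address, with EIGRP running across both tunnels at equal cost. All addresses, interface names, the AS number and the key names are constructed placeholders. It assumes the GRE endpoints at both ends are IOS routers (the 2800s); an ASA can sit in front as the firewall and pass the ESP traffic, but it does not terminate GRE tunnels itself, so the hub end of each tunnel needs a router behind it.

```cisco
! Spoke router (Cisco 2800), constructed example: two ADSL lines, two GRE-over-IPsec tunnels to the hub.
! Placeholders: 203.0.113.1/.2 = hub public addresses (one per SDSL line), 192.168.10.0/24 = spoke LAN,
! 10.255.0.0/16 = tunnel transit addressing, EIGRP AS 100, key strings to be replaced.

! --- IKE / IPsec: one pre-shared key per hub address, never a 0.0.0.0 wildcard key ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS

! --- EIGRP neighbour authentication, so nothing on either DSL line can inject routes into the mesh ---
key chain EIGRP-KEYS
 key 1
  key-string REPLACE-WITH-EIGRP-KEY

! --- Tunnel1 rides ADSL line A (Dialer1), Tunnel2 rides ADSL line B (Dialer2) ---
interface Tunnel1
 description GRE/IPsec to hub via ADSL A
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 bandwidth 8000
 tunnel source Dialer1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
interface Tunnel2
 description GRE/IPsec to hub via ADSL B
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 bandwidth 8000
 tunnel source Dialer2
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT

! --- Equal-cost paths: identical bandwidth and delay on both tunnels, so EIGRP installs both ---
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 192.168.10.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 maximum-paths 2
 variance 1
 no auto-summary

! --- Pin each hub endpoint to its own physical line, so a tunnel destination is never
!     learned through a tunnel (recursive routing would flap the tunnels) ---
ip route 203.0.113.1 255.255.255.255 Dialer1
ip route 203.0.113.2 255.255.255.255 Dialer2
! Internet traffic uses line A with line B as a floating backup; only the tunnels carry site-to-site traffic.
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2 10
```

The hub mirrors this per spoke (Tunnel interfaces at 10.255.1.1 and 10.255.2.1 for this spoke, sourced from its two SDSL lines), so with N spokes the hub carries 2N tunnel interfaces, which is the scaling point made later in the thread about hub-and-spoke versus full mesh. To check it is actually balancing: "show ip eigrp neighbors" should list the hub twice (once per tunnel), "show ip route" for a hub-side prefix should show two next hops via Tunnel1 and Tunnel2, and "show crypto ipsec sa" should show packet counters climbing on both SAs. Two things worth knowing: the default bandwidth on a Tunnel interface is tiny, so setting it explicitly and identically on both tunnels is what makes the costs equal, and if one line syncs at a lower rate you set a lower bandwidth on that tunnel plus a variance above 1 to share proportionally; and leave load sharing at its per-destination default rather than enabling per-packet on the tunnels, because splitting a single flow across two IPsec SAs reorders packets and can trip ESP anti-replay drops.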
 

Thank you very much for your advice. In regards to the second question, they want to run a full mesh topology, hence the MPLS. I'm still going to try and push it as it would be much simpler and scalable in the long run.
 
Hi - yes, you could run this same config out for a full mesh but this isn't very scalable at all. You could go for a hub and spoke design and route traffic through the hub to the other sites for site to site comms - you just need to spec up the hub if you want to do this.

You're going to have to argue the cost vs requirement - full mesh is ridiculous unless there is a very good reason to have it.

jimjamuk
 
I'd use OSPF myself; EIGRP works but it ties you to Cisco far too much for my liking.

I do agree that in multihomed networks OSPF is the logical choice between vendors, but being a Cisco house, and given the fact that EIGRP converges at blistering speeds, it's the only choice in my opinion.
 
You can always redistribute into other protocols if needed. I hear what you are saying though; open standards are where it's at. EIGRP is a robust protocol though, no doubt about that.
 
If you're going to be running DSL in a fully meshed MPLS network, you'll be running this over a provider network of some kind? BT IPclear or ntl:telewest, and not a bunch of internet connections with IPsec tunnels to create the impression of a private WAN?
If this is the case the provider will carry all your routes within BGP and allocate you route-targets for your customer routes on the DSL gateway that your provider connects to. You can still run tunnels, but unless your head office has a much bigger leased line running BGP, it probably wouldn't be worth running over MPLS, as it's going to be no different from IPsec tunnels running over the internet if every connection is DSL.
 
The problem with MPLS and small customers in a nutshell: they've heard of MPLS and think it's great, so insist on it, in spite of the fact the same thing can usually be done just as well and cost a lot less using other technologies.
 