9 Replies Latest reply on Jan 5, 2015 11:44 AM by comake

    How to set up load-balancing between two Adtran routers?

    comake New Member

      Hi, I've been using a test environment with two Adtran NetVanta 3448s. I found the .pdf of how to set up load balancing via per-destination, which is exactly what I want; however, it didn't quite work for my test environment. Here's what I've done:

       

      https://supportforums.adtran.com/servlet/JiveServlet/previewBody/2286-102-1-2415/Configuring%20IP%20Load%20Sharing%20in%…

       

      Created the same set up under "Dual Redundant Internet Access using a Switch/Router Product:" in that .pdf. I had to change the PPP connection to a VLAN connection, which doesn't seem like it would be an issue, but I wasn't able to connect between the two PCs.

       

      In the end I'd like to be able to do the following:

       

      PC1 --->Adtran1--->Adtran2--->PC2

       

      192.168.1.2(PC1)--->192.168.1.1(Inside Interface of R1)--->172.16.1.1(Outside Interface of R1)--->172.16.1.2(Outside Interface of R2)--->192.168.2.1(Inside Interface of R2)--->192.168.2.2(PC2)

      And then have it use round-robin onto the second link

      192.168.1.2(PC1)--->192.168.1.1(Inside Interface of R1)--->172.16.2.1(Outside Interface of R1)--->172.16.2.2(Outside Interface of R2)--->192.168.2.1(Inside Interface of R2)--->192.168.2.2(PC2)

      And then of course the other way around as well from PC2 to PC1

       

      How would I go about doing this? Sorry if it's a vague question, it's just a test environment so there aren't any set configurations that must be applied.

       

      Thank you

        • Re: How to set up load-balancing between two Adtran routers?
          comake New Member

          Just to add to this post. To simplify the question, I'd like to do load-balancing between two Adtran routers in a backbone. Is there any way to do ip load-sharing per-destination without the use of NAT?

            • Re: How to set up load-balancing between two Adtran routers?
              levi Employee

              comake:

               

              Thank you for asking this question in the support community.

               

              When you get a chance, will you provide some additional information about the nature of the application you are testing?  Are you testing between two routed ports (two different IP subnets; like what would be representative of having two Internet connections), or two switchports (which would be like creating a logical link between the two devices (Link Aggregation Control Protocol (LACP) in AOS))? 

               

              Please, let me know a little more about the application when you get a chance.  I will be happy to help in any way I can.

               

              Levi

                • Re: How to set up load-balancing between two Adtran routers?
                  comake New Member

                  Thank you for replying.

                   

                  The nature of the project will be simulating a dual WAN connection over two switchports on separate VLANs. Currently, we have a failover setup on the two routers, but we would like to start utilizing the second connection for bandwidth since only one line is active.

                   

                  Thank you for your help!

                    • Re: How to set up load-balancing between two Adtran routers?
                      levi Employee

                      comake:

                       

                      Thank you for clarifying the application.  The guide you linked is exactly what you need to configure for this application.  Load-sharing will distribute the traffic between the links, and if one of the links fails, all the traffic will use the other link.  Please, let me know what trouble you were having in your testing setup.

                       

                      Levi

                        • Re: How to set up load-balancing between two Adtran routers?
                          comake New Member

                          The trouble is I followed the setup process for "Dual Redundant Internet Access using a Switch/Router Product" because it seemed to fit the situation the best. However, the configuration seems incomplete (probably by design of the PDF). Since this is a test environment, I copied the configuration almost word for word, except for the PPP connection, which I made another VLAN. The issue was that it seemed like it denied connections: I wasn't able to access a computer on the other side of the routers, nor was I able to ping any of the interfaces (including the one I was connected to). Here's the setup:


                           

                          hostname "Router1"
                          !
                          ip load-sharing per-destination
                          ip firewall
                          !
                          vlan 1
                            name "Default"
                          !
                          vlan 2
                            name "VLAN0002"
                          !
                          vlan 3
                            name "VLAN0003"
                          !
                          interface switchport 0/4
                            no shutdown
                            switchport access vlan 2
                          !
                          interface switchport 0/8
                            no shutdown
                            switchport access vlan 3
                          !
                          interface vlan 1
                            description Private LAN Connection
                            ip address  192.168.1.1  255.255.255.0
                            ip access-policy Private
                            no shutdown
                          !
                          interface vlan 2
                            description First Connection
                            ip address  172.16.2.1  255.255.255.0
                            ip access-policy Public-1
                            no shutdown
                          !
                          interface vlan 3
                            description Second Connection
                            ip address  172.16.3.1  255.255.255.0
                            ip access-policy Public-2
                            no shutdown
                          !
                          ip access-list extended TRAFFIC
                            permit ip 192.168.1.0 0.0.0.255  any
                          !
                          ip policy-class Private
                            nat source list TRAFFIC interface vlan 2 overload policy Public-1
                            nat source list TRAFFIC interface vlan 3 overload policy Public-2
                          !
                          ip policy-class Public-1
                            ! Implicit discard
                          !
                          ip policy-class Public-2
                            ! Implicit discard
                          !
                          ip route 0.0.0.0 0.0.0.0 172.16.2.2
                          ip route 0.0.0.0 0.0.0.0 172.16.3.2
                          !

                          hostname "Router2"
                          !
                          ip load-sharing per-destination
                          ip firewall
                          !
                          interface switchport 0/4
                            no shutdown
                            switchport access vlan 2
                          !
                          interface switchport 0/8
                            no shutdown
                            switchport access vlan 3
                          !
                          interface vlan 1
                            description Private LAN Connection
                            ip address  192.168.2.1  255.255.255.0
                            ip access-policy Private
                            no shutdown
                          !
                          interface vlan 2
                            description First Connection
                            ip address  172.16.2.2  255.255.255.0
                            ip access-policy Public-1
                            no shutdown
                          !
                          interface vlan 3
                            description Second Connection
                            ip address  172.16.3.2  255.255.255.0
                            ip access-policy Public-2
                            no shutdown
                          !
                          ip access-list extended TRAFFIC
                            permit ip 192.168.2.0 0.0.0.255  any
                          !
                          ip policy-class Private
                            nat source list TRAFFIC interface vlan 2 overload policy Public-1
                            nat source list TRAFFIC interface vlan 3 overload policy Public-2
                          !
                          ip policy-class Public-1
                            ! Implicit discard
                          !
                          ip policy-class Public-2
                            ! Implicit discard
                          !
                          !
                          !
                          ip route 0.0.0.0 0.0.0.0 172.16.2.1
                          ip route 0.0.0.0 0.0.0.0 172.16.3.1
                          !

                           

                          Of course I removed the default settings to trim it up. Basically, the issue is I can't ping either default gateway nor can I connect with the 192.168.2.0 network from the 192.168.1.0 and vice versa. I know it has to do with the ACL set up, but quite frankly, it's been a while since I dove into troubleshooting ACLs. If you could help me figure this out I'll be very appreciative.

                           

                          Thank you

                            • Re: How to set up load-balancing between two Adtran routers?
                              levi Employee

                              comake:

                               

                              The load-sharing part of the configuration looks correct. 

                               

                              The problem you are experiencing is due to the "public" facing portions of the firewalls.  The current configuration is designed to block all uninitiated incoming traffic.  To resolve this in your lab, do the following on both routers:

                               

                              ip access-list extended MATCHALL
                                permit ip any any
                              !
                              ip policy-class Public-1
                                allow list MATCHALL stateless
                              !
                              ip policy-class Public-2
                                allow list MATCHALL stateless


                              I hope that makes sense, but please let me know what other questions you have.


                              Levi



                                • Re: How to set up load-balancing between two Adtran routers?
                                  comake New Member

                                  That works! Thank you. My only issue is how do I set up fault tolerance? As soon as I unplug one of the lines (the line my test PC is using, from what I found out using the "show ip policy-session" command), it never seems to switch over to the other line. However, it also shows other traffic using the other line. Is there any way to program it to force it to use the opposite line as soon as one of the lines goes down so it doesn't just sit there trying to use the dead line? I just assumed that was how the protocol worked.

                                   

                                  Thank you for your help!

                                    • Re: How to set up load-balancing between two Adtran routers?
                                      levi Employee

                                      comake:

                                       

                                      Here is an excerpt from the Configuring IP Load Sharing in AOS - Quick Configuration Guide about the ip firewall fast-nat-failover command:

                                       

                                      Fast-NAT Failover should be used just in case one of the load balanced interfaces goes down. This will ensure that any open sessions involving NAT out the unavailable interface will be terminated properly and allowed to be recreated out the new policy-class. This is accomplished with the global configuration command ip firewall fast-nat-failover in the command line interface. For sessions that do not involve NAT but still need to be allowed (like passing public IPs through to an internal interface), the ip firewall fast-allow-failover command added in AOS 18.01.01.00 is required. Both of these commands will essentially kill the session open in the firewall and attempt to send a TCP RST to both ends for appropriate sessions when a route table change occurs. In the majority of cases the TCP RST will only make it to the internal endpoint because the path to the external endpoint is gone or has changed.

                                        • Re: How to set up load-balancing between two Adtran routers?
                                          comake New Member

                                          Sorry for the late reply. I wanted to confirm a few things before replying. I got everything correctly set up, except it still wasn't doing failover. I looked into it and I found out a few things. Since I am using the switchports instead of Ethernet ports, it won't cause a route table change. Because it doesn't, it wouldn't work. So I looked into it a bit deeper to see how others did it, and most just use a probe/track setup to shut down the VLAN once it is unable to ping the other connection on the line. That would then cause a route table change, and finally the failover will work correctly. I haven't implemented this yet, but I tested it by unplugging the connection again that the test PC is using: no failover. I then manually shut down the VLAN, and it changed over.


                                          When I initially read the paragraph describing it, I imagined it would run if it detected a port being shut down. But now that I reread it and know it's route table change instead, it makes more sense.

                                           

                                          Thank you for your help levi!
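
The behaviour comake reports in the last post, as a small Python model added here (not Adtran code and not part of the thread): a flow stays pinned to its original link after a cable pull until a route table change clears the session. The CRC32 route selection, the probe tolerance of 3 and all class and method names are assumptions of this model, not how AOS works internally.

```python
import zlib

class Router:
    """Toy model: per-destination sharing plus a session table that pins flows."""

    def __init__(self, next_hops, tolerance=3):
        self.routes = list(next_hops)                  # installed default routes
        self.link_up = {nh: True for nh in next_hops}  # physical cable state
        self.fails = {nh: 0 for nh in next_hops}       # consecutive probe misses
        self.tolerance = tolerance                     # assumed probe tolerance
        self.sessions = {}                             # (src, dst) -> next hop

    def pick(self, dst):
        # Per-destination: same destination, same route (CRC32 is an assumption).
        return self.routes[zlib.crc32(dst.encode()) % len(self.routes)]

    def send(self, src, dst):
        # Returns True if the packet reaches the far router.
        key = (src, dst)
        if key not in self.sessions and self.routes:
            self.sessions[key] = self.pick(dst)
        return self.link_up.get(self.sessions.get(key), False)

    def unplug(self, nh):
        # Cable pulled on a switchport: the route table is not touched.
        self.link_up[nh] = False

    def withdraw(self, nh):
        # Route table change: drop the route and clear sessions pinned to it.
        self.routes.remove(nh)
        self.sessions = {k: v for k, v in self.sessions.items() if v != nh}

    def probe_tick(self):
        # One probe interval: withdraw a next hop after `tolerance` misses.
        for nh in list(self.routes):
            self.fails[nh] = 0 if self.link_up[nh] else self.fails[nh] + 1
            if self.fails[nh] >= self.tolerance:
                self.withdraw(nh)

def demo():
    r = Router(["172.16.2.2", "172.16.3.2"])   # Router1's next hops from the thread
    flow = ("192.168.1.2", "192.168.2.2")      # PC1 -> PC2
    r.send(*flow)
    dead = r.sessions[flow]
    r.unplug(dead)
    stuck = not r.send(*flow)                  # still pinned to the dead link
    for _ in range(r.tolerance):
        r.probe_tick()
    return stuck, r.send(*flow), r.sessions[flow] != dead
```

`demo()` returns whether the flow was stuck after the unplug, whether it recovered once the probe withdrew the route, and whether it moved to the other next hop.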