Outbound LLB integrates with NAT Port (Dynamic NAT) to route traffic from internal network(s) to external network(s) through 2 or more external links.
Internal clients send traffic to the inside NIC, and LLB routes it out based on the preset method (rr, wrr, dd, or sr).
Example:
C1 -> xyz.com: LLB routes traffic to the isp1 link using NAT VIP 10.7.9.41 - 42.
C2 -> abc.com: LLB routes traffic to the isp2 link using NAT VIP 10.7.7.41 - 42.
LLB is implemented at L3 (the IP layer); connection persistence is based on the src:dst IP pair. The default persistence timeout
is 60 seconds. The timeout value can be changed using the "nat port" command.
For each ISP link, a physical interface or vlan interface is required.
1. Create the interfaces
interface name "port2" "isp1"
interface name "port3" "isp2"
interface name "port4" "inside"
#Assign IP address to each interface.
ip address "isp1" 10.7.9.40 255.255.255.0
ip address "isp2" 10.7.7.40 255.255.255.0
ip address "inside" 10.7.139.40 255.255.255.0
2. Set routes
ip eroute "inside2ISP1_any" 1001 10.7.139.0 255.255.255.0 0 0.0.0.0 0.0.0.0 0 any 10.7.9.1 1
ip eroute "inside2ISP2_any" 1001 10.7.139.0 255.255.255.0 0 0.0.0.0 0.0.0.0 0 any 10.7.7.1 1
3. Create the NAT VIPs with “ip pool”
ip pool "ip-pool-natISP1" 10.7.9.41 10.7.9.42
ip pool "ip-pool-natISP2" 10.7.7.41 10.7.7.42
4. Set up Dynamic NAT to translate internal traffic to the outside world (one for each link).
#60 is the connection persistence timeout
nat port "ip-pool-natISP1" 10.7.139.0 255.255.255.0 60
nat port "ip-pool-natISP2" 10.7.139.0 255.255.255.0 60
5. LLB Setup
# Enable statistics
llb link statistics on
# Enable health check
llb link health on
# Create and enable the links to ISP gateways 10.7.9.1 and 10.7.7.1
# Note that the gateways are also used for the ICMP health check.
llb link route "ISP1_net9" 10.7.9.1
llb link enable "ISP1_net9"
llb link health checker icmp "ISP1_net9" "10.7.9.1"
llb link route "ISP2_net7" 10.7.7.1
llb link enable "ISP2_net7"
llb link health checker icmp "ISP2_net7" "10.7.7.1"
# Method (rr, wrr, sr, or dd)
# By default, the method is rr.
# If the llb method is rr, it won’t show in the config.
# To change the method to sr, use “llb method outbound sr”
6. Check statistics
LLB-APV2600-40(config)#show llb link status
status statistics:
Link "ISP1_net9":
Gateway Weight Resp_time Status Up Time Down Latest Down Event Down Time
10.7.9.1 1 0.000ms Up 01:18:30 0
Health Checkers:
Remote Host Type Status Up Time Down Latest Down Event Down Time
10.7.9.1 ICMP Up 01:18:00 0
Link "ISP2_net7":
Gateway Weight Resp_time Status Up Time Down Latest Down Event Down Time
10.7.7.1 1 0.000ms Up 01:18:30 0
Health Checkers:
Remote Host Type Status Up Time Down Latest Down Event Down Time
10.7.7.1 ICMP Up 01:18:00 0
7. Test Results
APV2600-30(config)#ping 10.1.231.29
PING 10.1.231.29 (10.1.231.29): 56 data bytes
64 bytes from 10.1.231.29: icmp_seq=0 ttl=125 time=1.660 ms
64 bytes from 10.1.231.29: icmp_seq=1 ttl=125 time=1.832 ms
LLB-APV2600-40#debug trace live tcp isp1 "-n host 10.2.1.11 or host 10.1.231.2$
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 50000 bytes
04:42:44.904537 IP 10.7.9.41 > 10.2.1.11: ICMP echo request, id 51010, seq 0, length 64
04:42:44.905065 IP 10.2.1.11 > 10.7.9.41: ICMP echo reply, id 51010, seq 0, length 64
04:42:45.906552 IP 10.7.9.41 > 10.2.1.11: ICMP echo request, id 51010, seq 1, length 64
04:42:45.906946 IP 10.2.1.11 > 10.7.9.41: ICMP echo reply, id 51010, seq 1, length 64
APV2600-30(config)#ping 10.2.1.11
PING 10.2.1.11 (10.2.1.11): 56 data bytes
64 bytes from 10.2.1.11: icmp_seq=0 ttl=61 time=0.841 ms
64 bytes from 10.2.1.11: icmp_seq=1 ttl=61 time=1.681 ms
LLB-APV2600-40#debug trace live tcp isp2 "-n host 10.2.1.11 or host 10.1.231.2$
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 50000 bytes
04:42:30.135486 IP 10.7.7.41 > 10.1.231.29: ICMP echo request, id 51010, seq 0, length 64
04:42:30.136310 IP 10.1.231.29 > 10.7.7.41: ICMP echo reply, id 51010, seq 0, length 64
04:42:31.137470 IP 10.7.7.41 > 10.1.231.29: ICMP echo request, id 51010, seq 1, length 64
04:42:31.137996 IP 10.1.231.29 > 10.7.7.41: ICMP echo reply, id 51010, seq 1, length 64
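
An added example (not part of the original article or the vendor's tooling): a Python check that reads trace lines captured on one ISP link and flags packets whose source is an untranslated inside address, or whose source or destination is a NAT VIP from the other link's pool. The inside subnet and pool ranges come from the configuration above; the function names and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re

# Inside subnet and NAT pools taken from the configuration above.
INSIDE_NET = ipaddress.ip_network("10.7.139.0/24")
NAT_POOLS = {"isp1": ("10.7.9.41", "10.7.9.42"),
             "isp2": ("10.7.7.41", "10.7.7.42")}

# tcpdump -n line: "<time> IP <src>[.port] > <dst>[.port]: ..."
ADDR = r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?"
LINE_RE = re.compile(rf"^\S+ IP {ADDR} > {ADDR}:")

def in_pool(addr, pool):
    """True if addr lies inside the inclusive (first, last) pool range."""
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    return lo <= ipaddress.ip_address(addr) <= hi

def audit_capture(link, lines):
    """Return (line_no, problem) findings for a capture taken on one ISP link."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump banner lines and non-IPv4 traffic
        src, dst = m.groups()
        if ipaddress.ip_address(src) in INSIDE_NET:
            findings.append((no, f"untranslated inside source {src}"))
        for other, pool in NAT_POOLS.items():
            if other == link:
                continue
            if in_pool(src, pool):
                findings.append((no, f"source {src} belongs to {other} pool"))
            if in_pool(dst, pool):
                findings.append((no, f"reply to {dst} ({other} pool) arrived on {link}"))
    return findings

# Constructed sample: lines 1-2 follow the isp1 trace above, lines 3-4 are
# made-up faults (a NAT bypass and a VIP from the wrong pool).
SAMPLE_ISP1 = """\
04:42:44.904537 IP 10.7.9.41 > 10.2.1.11: ICMP echo request, id 51010, seq 0, length 64
04:42:44.905065 IP 10.2.1.11 > 10.7.9.41: ICMP echo reply, id 51010, seq 0, length 64
04:42:46.100001 IP 10.7.139.55.40112 > 10.2.1.11.443: Flags [S], seq 1, length 0
04:42:47.200002 IP 10.7.7.41 > 10.2.1.11: ICMP echo request, id 51011, seq 0, length 64
""".splitlines()

if __name__ == "__main__":
    for no, problem in audit_capture("isp1", SAMPLE_ISP1):
        print(f"isp1 line {no}: {problem}")
```

An empty result for each link's capture means every packet seen on that link used that link's own NAT pool.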