Bonding with Cisco IOS: Difference between revisions
Revision as of 20:44, 1 June 2014
After a few nights of meddling with my configuration, the following setup is working well for me. I would like to share it with the community.
== Prerequisites ==
* Ask support for a unique IP address for the dialer interface of each of your ADSL lines.
* You will also need a static block for your routing IP address and any external clients; you may also use one of these addresses for NAT (more on that later).
* Configure Clueless to route your static block down each of the ADSL lines.
== My Setup ==
* Three ADSL lines provided by AAISP
* Cisco 2821 running IOS 15.1
* Three WIC1-ADSL cards and an NM-ESW-16 switch module
* The internal ADSL interfaces allow me to run the setup in PPPoA mode. Modify your dialers for PPPoE if you are using external bridges.
== Configuring your Dialer interfaces ==
 interface ATM0/0/0
  description 01234567890
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 1
  !
 !
 interface ATM0/1/0
  description 01234567891
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 2
  !
 !
 interface ATM0/2/0
  description 01234567892
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 3
  !
 !
 interface Dialer0
  ip address negotiated
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  ppp chap hostname <yourAAISPuser>@a.1
  ppp chap password 0 <yourPassword>
  no cdp enable
 !
 interface Dialer1
  ip address negotiated
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 2
  ppp chap hostname <yourAAISPuser>@a.2
  ppp chap password 0 <yourPassword>
  no cdp enable
 !
 interface Dialer2
  ip address negotiated
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 3
  ppp chap hostname <yourAAISPuser>@a.3
  ppp chap password 0 <yourPassword>
  no cdp enable
 !
 dialer-list 1 protocol ip permit
 dialer-list 2 protocol ip permit
 dialer-list 3 protocol ip permit
 !
== Configure a virtual interface for your router IP address ==
Use the first address from your block. You could use a loopback here if you do not need to break out the subnet to any physical interfaces, or a BVI interface for a bridge-group. As I have a switch module, a Vlan is used.
 interface Vlan2
  ip address <fromyourblock> <yoursubnet>
== Upstream load balancing using CEF ==
 ip cef
 !
 ip route 0.0.0.0 0.0.0.0 Dialer0
 ip route 0.0.0.0 0.0.0.0 Dialer1
 ip route 0.0.0.0 0.0.0.0 Dialer2
 !
 int Dialer0
  ip load-sharing per-packet
 !
 int Dialer1
  ip load-sharing per-packet
 !
 int Dialer2
  ip load-sharing per-packet
 !
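To make the effect of `ip load-sharing per-packet` concrete, the following Python is an added illustration (not part of this wiki page or any Cisco software). It models the three equal-cost default routes above: with per-destination sharing, CEF pins each flow to one link by a hash of the address pair, so a single large upload can never use more than one line's upstream; with per-packet sharing, packets are dealt across all three dialers regardless of flow, which is what gives the upstream bonding (at the cost of possible reordering). The flows and the SHA-256 stand-in for Cisco's undisclosed per-destination hash are constructed for the example.

```python
"""Added example: per-destination vs per-packet CEF load sharing across the
three Dialer interfaces carrying equal-cost default routes.
The hash and the flows are constructed for illustration; IOS's actual
per-destination hash algorithm is not modelled."""
from collections import Counter
from itertools import cycle
import hashlib

DIALERS = ["Dialer0", "Dialer1", "Dialer2"]   # names from the page's config


def per_destination(flows):
    """Pin each (src, dst, nbytes) flow to one link via a hash of the
    address pair. One big flow therefore lands entirely on a single line."""
    usage = Counter({d: 0 for d in DIALERS})
    for src, dst, nbytes in flows:
        digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        usage[DIALERS[digest[0] % len(DIALERS)]] += nbytes
    return dict(usage)


def per_packet(flows, mtu=1500):
    """Deal packets round-robin to the links regardless of flow, so even a
    single flow is spread over all three lines (packets may be reordered)."""
    usage = Counter({d: 0 for d in DIALERS})
    links = cycle(DIALERS)
    for _src, _dst, nbytes in flows:
        remaining = nbytes
        while remaining > 0:
            pkt = min(mtu, remaining)
            usage[next(links)] += pkt
            remaining -= pkt
    return dict(usage)


def max_link_share(usage):
    """Fraction of all bytes carried by the busiest link (1/3 is ideal here)."""
    total = sum(usage.values())
    return max(usage.values()) / total if total else 0.0


# Constructed sample traffic: one large upload plus two small flows.
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", 300_000),
    ("192.168.1.11", "198.51.100.7", 3_000),
    ("192.168.1.12", "198.51.100.8", 3_000),
]

if __name__ == "__main__":
    print("per-destination:", per_destination(SAMPLE_FLOWS))
    print("per-packet:     ", per_packet(SAMPLE_FLOWS))
```

Running it shows the busiest link carrying about 98% of the bytes under per-destination sharing versus exactly one third under per-packet sharing, which is why the page enables per-packet sharing on every dialer.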
== Bringing it all together with NAT, bonding and upstream in a single router ==
The following is a usable configuration. You will need to update interface names for your own equipment.

A brief overview:
* The use of a VRF allows two routing domains: one for internet traffic (AAISP) where the bonding is undertaken, and the global domain where internal hosts are connected.
* Two Vlans are configured on my device, one for internal NAT clients, another for external internet-facing clients.
* This configuration should be extended to include the use of an ip filter in the AAISP vrf to block any incoming DNS requests.

Caveats:
* Routing between global and a vrf in IOS is unpleasant. This configuration relies on the use of a physical Ethernet patch between GigabitEthernet0/0 and GigabitEthernet0/1 for routing traffic between the global and AAISP domain. This should be unnecessary with the use of a BGP export between global and the vrf, but I never got this working. Similarly the use of NVI and BVI was investigated (please let me know if you have a more elegant solution!).
 version 15.1
 no service pad
 service timestamps debug datetime msec
 service timestamps log datetime msec
 no service password-encryption
 service internal
 !
 hostname <yourhostname>
 !
 boot-start-marker
 boot-end-marker
 !
 !
 no logging buffered
 enable secret 5 <mypasswordgoeshere!>
 !
 no aaa new-model
 !
 dot11 syslog
 ip source-route
 !
 !
 ip cef
 !
 ip vrf AAISP
 !
 no ip dhcp use vrf connected
 no ip dhcp conflict logging
 ip dhcp excluded-address 192.168.1.1 192.168.1.9
 ip dhcp excluded-address <excludeyourroutingaddresses>
 !
 ip dhcp pool HOME
  network 192.168.1.0 255.255.255.0
  domain-name home
  dns-server 192.168.1.1
  default-router 192.168.1.1
  lease 7
 !
 ip dhcp pool AAISP
  network <yournetworkbase> 255.255.255.248
  domain-name home-external
  dns-server 217.169.20.20
  default-router 81.187.17.185
 !
 ip domain name home
 ip name-server 217.169.20.20
 ip name-server 217.169.20.21
 no ipv6 cef
 multilink bundle-name authenticated
 !
 crypto pki token default removal timeout 0
 !
 archive
  log config
   hidekeys
 username Administrator privilege 0 secret 5 <anotherpassword!>
 !
 ip ssh version 2
 bridge irb
 !
 ! This is our routing interface in the global domain; we NAT here
 interface GigabitEthernet0/0
  description HOME-AAISP
  ip address <yoursecondexternalIP> 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
 !
 interface GigabitEthernet0/1
  description AAISP-HOME
  ip vrf forwarding AAISP
  no ip address
  duplex auto
  speed auto
  bridge-group 2
 !
 interface ATM0/0/0
  description 01234567890
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 1
  !
 !
 interface ATM0/1/0
  description 01234567891
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 2
  !
 !
 interface ATM0/2/0
  description 01234567892
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 3
  !
 !
 interface FastEthernet1/0
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/1
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/2
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/3
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/4
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/5
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/6
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/7
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/8
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/9
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/10
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/11
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/12
  switchport access vlan 2
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/13
  switchport access vlan 2
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/14
  switchport access vlan 2
  no ip address
  spanning-tree portfast
 !
 interface FastEthernet1/15
  switchport access vlan 2
  no ip address
  spanning-tree portfast
 !
 interface Vlan1
  description HOME
  no ip address
  bridge-group 1
 !
 interface Vlan2
  description AAISP
  ip vrf forwarding AAISP
  no ip address
  ip virtual-reassembly in
  no autostate
  bridge-group 2
 !
 interface Dialer0
  ip vrf forwarding AAISP
  ip address negotiated
  ip load-sharing per-packet
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  ppp chap hostname <yourAAISPuser>@a.1
  ppp chap password 0 <yourpassword>
  no cdp enable
 !
 interface Dialer1
  ip vrf forwarding AAISP
  ip address negotiated
  ip load-sharing per-packet
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 2
  ppp chap hostname <yourAAISPuser>@a.2
  ppp chap password 0 <yourpassword>
  no cdp enable
 !
 interface Dialer2
  ip vrf forwarding AAISP
  ip address negotiated
  ip load-sharing per-packet
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 3
  ppp chap hostname <yourAAISPuser>@a.3
  ppp chap password 0 <yourpassword>
  no cdp enable
 !
 interface BVI1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
 !
 interface BVI2
  ip vrf forwarding AAISP
  ip address <yourfirstexternalIP> 255.255.255.248
  ip nat outside
  ip virtual-reassembly in
 !
 ip forward-protocol nd
 !
 no ip http server
 no ip http secure-server
 !
 ip dns server
 ip nat inside source list NatRule interface GigabitEthernet0/0 overload
 ip route 0.0.0.0 0.0.0.0 <yourfirstexternalIP>
 ip route vrf AAISP 0.0.0.0 0.0.0.0 Dialer0
 ip route vrf AAISP 0.0.0.0 0.0.0.0 Dialer1
 ip route vrf AAISP 0.0.0.0 0.0.0.0 Dialer2
 !
 ip access-list extended NatRule
  permit ip 192.168.0.0 0.0.255.255 any
 ip access-list extended ssh-management
  permit ip 192.168.0.0 0.0.255.255 any
 !
 dialer-list 1 protocol ip permit
 dialer-list 2 protocol ip permit
 dialer-list 3 protocol ip permit
 !
 control-plane
 !
 bridge 1 protocol ieee
 bridge 1 route ip
 bridge 2 protocol ieee
 bridge 2 route ip
 !
 mgcp profile default
 !
 line con 0
  login local
 line aux 0
 line vty 0 4
  access-class ssh-management in vrf-also
  login local
  transport input ssh
  transport output all
 !
 scheduler max-task-time 5000
 scheduler allocate 20000 1000
 ntp server 37.122.210.134 source GigabitEthernet0/0
 end
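The overview above notes that the AAISP vrf still needs an ip filter against incoming DNS requests, and the configuration also keeps `ip dns server` enabled, leaves `service password-encryption` off and stores the CHAP passwords as type 0. The following Python is an added example (not part of this wiki page or any Cisco tool) of a small audit that parses an IOS running-config into blocks and reports exactly those points: a DNS server reachable through an AAISP-vrf interface that carries no inbound `ip access-group`, cleartext CHAP secrets, password encryption disabled, an HTTP management server, and vty lines that lack `transport input ssh` or an `access-class`. The sample config is a constructed, abbreviated copy of the page's layout; the address 192.0.2.1, the password `secretword`, and the assumption that only `ip access-group` counts as an inbound filter are the example's own.

```python
"""Added example: audit an IOS config for the hardening points the page
raises. SAMPLE_CONFIG is a constructed abbreviation of the page's config."""
import re

SAMPLE_CONFIG = """\
no service password-encryption
ip cef
ip vrf AAISP
ip dns server
no ip http server
no ip http secure-server
interface Dialer0
 ip vrf forwarding AAISP
 ip address negotiated
 ppp chap password 0 secretword
!
interface BVI2
 ip vrf forwarding AAISP
 ip address 192.0.2.1 255.255.255.248
!
line vty 0 4
 access-class ssh-management in vrf-also
 login local
 transport input ssh
 transport output all
!
"""


def parse_sections(config):
    """Return (global_lines, {header: [sub-lines]}). A line starting in
    column 0 opens a block; indented lines belong to the block above it."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue                      # blank lines and IOS '!' separators
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            global_lines.append(current)
    return global_lines, sections


def audit(config, vrf="AAISP"):
    """Return a list of human-readable findings for the config text."""
    global_lines, sections = parse_sections(config)
    findings = []
    if "no service password-encryption" in global_lines:
        findings.append("global: service password-encryption disabled")
    if "ip http server" in global_lines or "ip http secure-server" in global_lines:
        findings.append("global: HTTP management server enabled")
    # The page's own TODO: the router answers DNS, so every interface in the
    # internet-facing vrf should carry an inbound filter (assumed here to be
    # an 'ip access-group ... in').
    if "ip dns server" in global_lines:
        for header, body in sections.items():
            if header.startswith("interface") and f"ip vrf forwarding {vrf}" in body:
                if not any(l.startswith("ip access-group") for l in body):
                    findings.append(f"{header}: DNS server reachable from vrf {vrf} "
                                    "without an inbound access-group")
    for header, body in sections.items():
        for line in body:
            if re.match(r"ppp chap password 0 ", line):
                findings.append(f"{header}: CHAP password stored as cleartext (type 0)")
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input not restricted to ssh")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no access-class limiting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the vty lines pass (ssh only, access-class applied), while the two AAISP-vrf interfaces, the type-0 CHAP secret and the disabled password encryption are each reported; a real running-config can be fed in unchanged via `audit(open("running-config").read())`.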