Bonding with Cisco IOS

From AAISP Support Site
Revision as of 21:04, 1 June 2014 by AA-Andrew (talk | contribs)

After a few nights of meddling with my configuration, the following setup is working well for me. I would like to share it with the community.

Prerequisites

  • Ask support for a unique IP address for the dialer interface of each of your ADSL lines
  • You will also need a static block for your routing IP address and any external clients; you may also use one of these addresses for NAT (more on that later).
  • Configure Clueless to route your static block down each of the ADSL lines

My Setup

  • Three ADSL lines provided by AAISP
  • Cisco 2821 running IOS 15.1
  • Three WIC1-ADSL and an NM-ESW-16 switch module.
  • Internal ADSL interfaces allow me to run the setup in PPPoA mode. Modify your dialers for PPPoE if you are using external bridges.

Configuring your Dialer interfaces

interface ATM0/0/0
 description 01234567890
 no ip address
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 description 01234567891
 no ip address
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface ATM0/2/0
 description 01234567892
 no ip address
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface Dialer0
 ip address negotiated
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname <yourAAISPuser>@a.1
 ppp chap password 0 <yourPassword>
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 2
 ppp chap hostname <yourAAISPuser>@a.2
 ppp chap password 0 <yourPassword>
 no cdp enable
!
interface Dialer2
 ip address negotiated
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 3
 ppp chap hostname <yourAAISPuser>@a.3
 ppp chap password 0 <yourPassword>
 no cdp enable
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
!

Configure a virtual interface for your router IP address

Use the first address from your block. You could use a loopback here if you do not need to break out the subnet to any physical interfaces, or a BVI interface for a bridge-group. As I have a switch module, a VLAN interface is used.

interface Vlan2
 ip address <fromyourblock> <yoursubnet>

Upstream load balancing using CEF

ip cef
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
int Dialer0
 ip load-sharing per-packet
!
int Dialer1
 ip load-sharing per-packet
!
int Dialer2
 ip load-sharing per-packet
!

Bringing it all together with NAT, bonding and upstream load balancing in a single router

The following is a usable configuration. You will need to update interface names for your own equipment.

A brief overview:

  • The use of a VRF allows two routing domains: one for internet traffic (AAISP), where the bonding is undertaken, and the global domain, where internal hosts are connected.
  • Two VLANs are configured on my device: one for internal NAT clients, another for external internet-facing clients.
  • This configuration should be extended with an IP filter (access list) in the AAISP vrf to block incoming DNS requests, since ip dns server is enabled below and the router will otherwise answer DNS queries arriving from the internet.

Caveats:

  • Routing between global and a vrf in IOS is unpleasant. This configuration relies on a physical Ethernet patch between GigabitEthernet0/0 and GigabitEthernet0/1 for routing traffic between the global and AAISP domains. This should be unnecessary with the use of a BGP export between global and the vrf, but I never got this working. The use of NVI and BVI was also investigated (please let me know if you have a more elegant solution!).

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <yourhostname>
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 <mypasswordgoeshere!>
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
ip vrf AAISP
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address <excludeyourroutingaddresses>
!
! DHCP for our internal network
ip dhcp pool HOME
 network 192.168.1.0 255.255.255.0
 domain-name home
 dns-server 192.168.1.1 
 default-router 192.168.1.1 
 lease 7
!
! DHCP for our external network
ip dhcp pool AAISP
 network <yourexternalnetworkbase> 255.255.255.248
 domain-name home-external
 dns-server 217.169.20.20 
 default-router 81.187.17.185 
!
ip domain name home
ip name-server 217.169.20.20
ip name-server 217.169.20.21
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
archive
 log config
  hidekeys
username Administrator privilege 0 secret 5 <anotherpassword!>
!
ip ssh version 2
bridge irb
!
! This is our routing interface in the global domain, we NAT here
interface GigabitEthernet0/0
 description HOME-AAISP
 ip address <yoursecondexternalIP> 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! This is our routing interface in the AAISP domain, you need a patch between GigabitEthernet0/0 and GigabitEthernet0/1
interface GigabitEthernet0/1
 description AAISP-HOME
 ip vrf forwarding AAISP
 no ip address
 duplex auto
 speed auto
 bridge-group 2
!
interface ATM0/0/0
 description 01234567890
 no ip address
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 description 01234567891
 no ip address
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface ATM0/2/0
 description 01234567892
 no ip address
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
! spanning-tree portfast gets rid of the annoying forwarding delay on PHY up
interface FastEthernet1/0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/1
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/2
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/3
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/4
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/5
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/6
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/7
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/8
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/9
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/10
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/11
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/12
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/13
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/14
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface FastEthernet1/15
 switchport access vlan 2
 no ip address
 spanning-tree portfast
!
interface Vlan1
 description HOME
 no ip address
 bridge-group 1
!
interface Vlan2
 description AAISP
 ip vrf forwarding AAISP
 no ip address
 ip virtual-reassembly in
 no autostate
 bridge-group 2
!
interface Dialer0
 ip vrf forwarding AAISP
 ip address negotiated
 ip load-sharing per-packet
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname <yourAAISPuser>@a.1
 ppp chap password 0 <yourpassword>
 no cdp enable
!
interface Dialer1
 ip vrf forwarding AAISP
 ip address negotiated
 ip load-sharing per-packet
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 2
 ppp chap hostname <yourAAISPuser>@a.2
 ppp chap password 0 <yourpassword>
 no cdp enable
!
interface Dialer2
 ip vrf forwarding AAISP
 ip address negotiated
 ip load-sharing per-packet
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 3
 ppp chap hostname <yourAAISPuser>@a.3
 ppp chap password 0 <yourpassword>
 no cdp enable
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BVI2
 ip vrf forwarding AAISP
 ip address <yourfirstexternalIP> 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NatRule interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 <yourfirstexternalIP>
ip route vrf AAISP 0.0.0.0 0.0.0.0 Dialer0
ip route vrf AAISP 0.0.0.0 0.0.0.0 Dialer1
ip route vrf AAISP 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list extended NatRule
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended ssh-management
 permit ip 192.168.0.0 0.0.255.255 any
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
mgcp profile default
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class ssh-management in vrf-also
 login local
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 37.122.210.134 source GigabitEthernet0/0
end
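The inbound DNS filter that the overview above notes is still missing, as an added example that is not part of the original configuration. It assumes the dialer names used above and that nothing in your external block needs to receive DNS queries from the internet; ip dns server stays enabled for the internal and external VLANs.

```cisco
! Added example, not from the original configuration: filter inbound DNS on the
! three internet-facing dialers in the AAISP vrf. With "ip dns server" enabled
! and no filter, the router answers DNS queries from anyone on the internet.
ip access-list extended AAISP-IN
 remark Block DNS queries arriving from the internet (UDP and TCP port 53)
 deny   udp any any eq domain
 deny   tcp any any eq domain
 remark Everything else passes as before; replies to the router's own
 remark resolver queries come from port 53 and are not destined to it
 permit ip any any
!
interface Dialer0
 ip access-group AAISP-IN in
!
interface Dialer1
 ip access-group AAISP-IN in
!
interface Dialer2
 ip access-group AAISP-IN in
!
```

Check with show ip access-lists AAISP-IN that the deny counters increment while clients on the internal and external VLANs still resolve names through the router.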

Changing target DSL noise margin within IOS

A little-known trick; be careful, as this can affect your line stability.

service internal
!
int ATM0/0/0
 ! Replace <num> with the desired offset in dB
 dsl-noisemargin -<num>
!