Cisco Router Load Balancing using CEF

This configuration uses 4 ADSL lines.

First I configured interface tracking for each of the lines. I used line-protocol tracking rather than IP routing (reachability) tracking, because I found that when a line lost its connection to the Internet the routing-based track did not recognise the line as down.

track 1 interface Dialer1 line-protocol
track 2 interface Dialer2 line-protocol
track 3 interface Dialer3 line-protocol
track 4 interface Dialer0 line-protocol

Enable CEF by adding ip cef in global configuration mode.
The second command configures per-destination (flow-based) load sharing with the source and destination ports included in the hash. Load sharing can also be done per packet, but that needs 4 identical connections at the same speed; otherwise the packets of one flow arrive out of order and cause a great many problems.

Router(config)#ip cef
Router(config)#ip cef load-sharing algorithm include-ports source destination

4 x default routes are configured, one per dialer, each tied to its track object:

ip route 0.0.0.0 0.0.0.0 Dialer1 10 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 10 track 2
ip route 0.0.0.0 0.0.0.0 Dialer3 10 track 3
ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 4

To enable CEF switching on the dialer interfaces (the interfaces you want to be load balanced), apply this on every dialer interface:

Router(config)#interface Dialer0
Router(config-if)#ip route-cache
Router(config-if)#ip route-cache cef

I have 4 x separate route-maps, one per dialer, used for NAT overload:

ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip nat inside source route-map ADSL2 interface Dialer2 overload
ip nat inside source route-map ADSL3 interface Dialer3 overload

route-map ADSL2 permit 10
match ip address NAT
match interface Dialer2

route-map ADSL3 permit 10
match ip address NAT
match interface Dialer3

route-map ADSL0 permit 10
match ip address NAT
match interface Dialer0

route-map ADSL1 permit 10
match ip address NAT
match interface Dialer1

ip access-list extended NAT
permit ip 10.0.100.0 0.0.0.255 any

ip access-list extended NAT-DENY-VPN
deny   tcp 10.0.100.0 0.0.0.255 eq 3389 192.168.99.0 0.0.0.255
deny   tcp 10.0.100.0 0.0.0.255 eq 3389 192.168.12.0 0.0.0.255
deny   tcp 10.0.100.0 0.0.0.255 eq 3389 192.168.11.0 0.0.0.255
deny   tcp 10.0.100.0 0.0.0.255 eq 3389 172.16.32.0
deny   ip 10.0.100.0 0.0.0.255 10.0.0.0 0.0.0.255
! everything else must be permitted: route-map DENY_NAT only applies the static translation when this list permits the packet
permit ip any any

Hosting/External Access

When you try to access devices from outside, NAT causes a problem because of the load balancing: the reply can be sent out of any of the four interfaces, so you need route-maps (policy-based routing) to bind that traffic to a specific interface.

For example, if you want to RDP to a server internally, you will need something like the following:

(X.X.X.X – External IP)

ip nat inside source static tcp 10.0.100.105 3389 X.X.X.X 3396 extendable

route-map PBR permit 10
description **RDP
match ip address RDP-PBR
set interface Dialer3

ip access-list extended RDP-PBR
permit tcp host 10.0.100.105 eq 3389 any

! RDP-PBR is a placeholder access-list name chosen here; the route-map must match a named list.
! The route-map only takes effect once applied to the LAN-facing interface with: ip policy route-map PBR

This binds any replies from the internal IP 10.0.100.105 on port 3389 to interface Dialer3.
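The following Python is an added illustration, not code from the original post: it models per-destination (flow-hashed) versus per-packet load sharing across the four dialers and shows why server replies scatter across interfaces until the PBR rule above pins them. The hash is a constructed stand-in for CEF's real algorithm, and the client addresses are constructed.

```python
"""Constructed model of CEF-style load sharing over the post's four dialers.
Per-destination mode hashes the flow key so every packet of one conversation
leaves on the same dialer; per-packet mode round-robins and reorders flows.
The hash below is a simple stand-in, not Cisco's actual CEF algorithm."""

DIALERS = ["Dialer0", "Dialer1", "Dialer2", "Dialer3"]


def _octet_sum(ip):
    return sum(int(o) for o in ip.split("."))


def flow_hash_link(src, sport, dst, dport, links=DIALERS):
    """Per-destination with 'include-ports source destination': the link is a
    function of addresses and ports, so one flow always picks the same link."""
    key = _octet_sum(src) + _octet_sum(dst) + sport + dport  # stand-in hash
    return links[key % len(links)]


def per_packet_link(seq, links=DIALERS):
    """Per-packet mode: the packet number decides the link, so consecutive
    packets of one flow leave on different dialers and can arrive reordered."""
    return links[seq % len(links)]


# The post's PBR rule: replies from host 10.0.100.105 sport 3389 -> Dialer3.
PBR_RULES = [({"src": "10.0.100.105", "sport": 3389}, "Dialer3")]


def egress_link(src, sport, dst, dport, rules=PBR_RULES):
    """PBR is consulted before the CEF hash, as on the router."""
    for match, link in rules:
        if src == match["src"] and sport == match["sport"]:
            return link
    return flow_hash_link(src, sport, dst, dport)


def reply_links(server, sport, clients, cport=50000):
    """Dialer used for the server's reply to each external client. Without a
    PBR rule the hash changes with the client address, so replies leave on
    different dialers and are NATed to the wrong public address."""
    return {c: egress_link(server, sport, c, cport) for c in clients}


if __name__ == "__main__":
    clients = ["203.0.113.10", "203.0.113.11"]  # constructed client addresses
    print("web server, no PBR:", reply_links("10.0.100.50", 80, clients))
    print("RDP server, PBR   :", reply_links("10.0.100.105", 3389, clients))
    print("per-packet, 4 pkts:", [per_packet_link(i) for i in range(4)])
```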

Also note that if you have a VPN connection and you try to access 10.0.100.105 over the VPN, the router will try to NAT that traffic as well and you will not get access.

To get around this you must attach a route-map to the translation so that traffic destined for the remote VPN subnet does not go through the NAT process. Example below:

ip nat inside source static tcp 10.0.100.105 3389 81.6.202.190 3396 route-map DENY_NAT extendable

route-map DENY_NAT permit
match ip address NAT-DENY-VPN

ip access-list extended NAT-DENY-VPN
10 deny ip 10.0.100.0 0.0.0.255 10.0.0.0 0.0.0.255
20 deny tcp 10.0.100.0 0.0.0.255 eq 3389 10.0.0.0 0.0.0.255
! the final permit is required: route-map DENY_NAT only applies the translation when this list permits the packet
30 permit ip any any

10.0.0.0/24 – VPN remote subnet
10.0.100.0/24 – local LAN

4 thoughts on “Cisco Router Load Balancing using CEF”

  1. I know this post is a little long in the tooth but I’ll try anyway:

    I understand that for hosted servers, the outbound load balancing my send a reply packet down a different pipe than the pipe the request packet came in on. However, CEF, especially with the algorithm set to “include-ports source destination” will pin all traffic in a given conversation/flow to the same interface. If this is true, then do you really need the policy based routing stuff at the end?

  2. The reason the PBR is there is that when I implemented the above without it and we set up an incoming RDP, the machine would respond and the firewall could send it out of any of the 4 interfaces, and the conversation would never complete. I had to put the PBR there to ensure that all traffic from that particular machine on port 3389 would go out the interface I wanted.

    Also this was a similar problem as we had a small remote office with a site-to-site VPN. When they tried to RDP to one of our servers over the VPN connection it would try to do NAT, so the DENY_NAT route map is there to basically say: for any traffic from the remote side trying to access the local side, don't do NAT for this given translation.

    Hope this helps.

  3. Hi,

    I know this is a very very old post, congratulations for posting it.
    I have tested the configuration above and it works great!

    I have 2 questions:
    1) on the following:
    -ip nat inside source static tcp 10.0.100.105 3389 X.X.X.X 3396 extendable

    if you want to use any IP (i.e. accessible from the internet), then what would be X.X.X.X ?

    2) With PBR, how do you manage applications that need different sessions? I have in mind applications that do not work if the source IP changes. How do you manage connections to DNS-based CDNs?

  4. I lost you on the RDP traffic. I have a site-to-site VPN connection. Site-A IP is 10.0.8.0/22 and Site-B is 20.20.0.0/16. I am able to RDP from Site-A to Site-B, but not the other way around. I tried some of your no_nat, but didn’t work. Any ideas?
