Allied Telesis Support Portal

WAN Load Balancing with Policy-based routing (PBR) on NGFW

How to use load balancing for two ISPs?

Introduction


Policy-based routing (PBR) provides a means to route particular packets to their destination via a specific next-hop.

PBR is useful for load balancing when you have two Internet links and want to use both at the same time, increasing the bandwidth available to the network and getting value from the cost of the redundant link.

Using policy-based routing you can control which packets follow which path through the network, which matters because the two links are unlikely to have the same bandwidth. The path that a given set of packets takes can be based on configurable parameters such as priority, address, protocol, or VLAN membership.

Configuring Policy-based Routing on an AR-Series Firewall

First, policy-based routing needs to be globally enabled:

AR4050S#configure terminal
AR4050S(config)#policy-based-routing
AR4050S(config-pbr)#policy-based-routing enable

Then a set of policy-route rules is created. Each rule has the form:

ip policy-route <ID> match <application> from <entity> to <entity> nexthop <list of nexthops>
 

Where:
The <ID> is an identifier for the rule. Packets are matched against the rules in ascending order of ID. Specifying the ID number for a rule is optional; if it is not specified, IDs are allocated automatically in intervals of 10.
The <application> is optional. It can be any predefined application, or an application created with the application command, which enters application configuration mode. If the application parameter is not specified, the rule matches any traffic type.
The from and to <entities> are optional. They can be any entities that have been defined with the zone, network or host commands. If the 'from' entity is not specified, the rule matches traffic from any source. Similarly, if the 'to' entity is not specified, the rule matches traffic to any destination.

The list of nexthops can contain up to eight nexthops. Each nexthop can be one of:
 IPv4 addresses
 IPv6 addresses
 Interfaces

All the entries in the list must be of the same type; they cannot be a mixture of the three types.

 

Example configuration

With two links, you can choose which link each class of packets takes, separating the traffic by protocol or by the applications defined on the router.
 



Step 1. Create the VLAN for the LAN.

awplus(config)#vlan database
awplus(config-vlan)#vlan 10 name LAN
 

Step 2. Assign IP addresses to interfaces.

awplus(config)# interface vlan10
awplus(config-if)# ip address 10.10.10.1/24
! eth1 connects to the high-bandwidth Internet link
awplus(config)# interface eth1
awplus(config-if)# ip address 200.0.0.1/30
! eth2 connects to the low-bandwidth Internet link
awplus(config)# interface eth2
awplus(config-if)# ip address 186.0.0.1/30
 

Step 3. Configure the default route. This is the route to the Internet.

awplus(config)# ip route 0.0.0.0/0 200.0.0.2
 

Step 4. Create the application which will match on traffic.

awplus(config)# application APP
awplus(config-application)# protocol tcp
awplus(config-application)# sport 80
Note: You can also use the applications that are already predefined in the router's database. The command:
awplus# show application
lists the custom and predefined applications currently configured.

 

Step 5. Create the zones that define the sources and destinations of the traffic.

awplus(config)# zone Private
awplus(config-zone)# network LAN
awplus(config-network)# ip subnet 10.10.10.0/24
awplus(config)# zone Internet1
awplus(config-zone)# network Primary
awplus(config-network)# ip subnet 200.0.0.0/30
awplus(config)# zone Internet2
awplus(config-zone)# network Secondary
awplus(config-network)# ip subnet 186.0.0.0/30
 

Step 6. Enable policy-based routing.

awplus(config)# policy-based-routing
awplus(config-pbr)# policy-based-routing enable
 

Step 7. Add the rule to direct the traffic via the Secondary link.

awplus(config-pbr)# ip policy-route 10 match APP from Private nexthop 186.0.0.2
 

Additionally, a ping poll can be configured that regularly checks that the policy-route next-hop is reachable. If the ping poll fails to get a response from the next-hop, a trigger runs a script that removes the policy from the ingress port. This ensures that if the policy-route next-hop fails, the configured default route is used instead and connectivity is not lost. Once the next-hop is reachable again, another trigger adds the policy back onto the ingress port.

Step 8. Configure the ping poll which will regularly check that the next-hop is reachable.

awplus(config)# ping-poll 1
awplus(config-ping-poll)# description "check policy route next hop"
awplus(config-ping-poll)# ip 186.0.0.2
awplus(config-ping-poll)# source-ip 186.0.0.1
awplus(config-ping-poll)# active
 

Step 9. Create the script that re-enables PBR when ping poll 1 reports the next-hop up (run by trigger 2).

awplus# edit policy-on.scp
 
enable
conf t
policy-based-routing
policy-based-routing enable
 

Step 10. Create the script that disables PBR when ping poll 1 reports the next-hop down (run by trigger 1).

awplus# edit policy-off.scp
 
enable
conf t
policy-based-routing
no policy-based-routing enable
 

Step 11. Configure the trigger which will be activated when the ping poll fails.

awplus(config)# trigger 1
awplus(config-trigger)# type ping-poll 1 down
awplus(config-trigger)# script 1 policy-off.scp
awplus(config-trigger)# active
 

Step 12. Configure the trigger which will be activated when the next-hop is reachable.

awplus(config)# trigger 2
awplus(config-trigger)# type ping-poll 1 up
awplus(config-trigger)# script 1 policy-on.scp
awplus(config-trigger)# active
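The following is an added example, not Allied Telesis code, that models in Python the behaviour configured in Steps 3 to 12 and the rule constraints described earlier: rules tried in ascending ID, unspecified IDs allocated in steps of 10, up to eight nexthops of a single kind, and PBR switched off and on by the ping-poll triggers so that traffic falls back to the default route. It assumes the application matches on protocol and source port exactly as APP is defined in Step 4, and that the first listed nexthop is the one used.

```python
# Added example, not Allied Telesis code: models the PBR lookup and failover above.
import ipaddress

DEFAULT_NEXTHOP = "200.0.0.2"   # Step 3: ip route 0.0.0.0/0 200.0.0.2

def nexthop_kind(nh):           # "ipv4", "ipv6" or "interface" (e.g. "eth2")
    try:
        return "ipv%d" % ipaddress.ip_address(nh).version
    except ValueError:
        return "interface"

class PolicyRouter:
    def __init__(self):
        self.enabled = False        # 'policy-based-routing enable' not yet given
        self.rules = {}             # rule ID -> (app, src, nexthops)

    def add_rule(self, nexthops, app=None, src=None, rule_id=None):
        """ip policy-route [ID] [match APP] [from SRC] nexthop NH [NH ...]"""
        if not 1 <= len(nexthops) <= 8:
            raise ValueError("a rule takes between one and eight nexthops")
        if len({nexthop_kind(nh) for nh in nexthops}) != 1:
            raise ValueError("nexthops must be all IPv4, all IPv6 or all interfaces")
        if rule_id is None:         # unspecified IDs are allocated in steps of 10
            rule_id = (max(self.rules, default=0) // 10 + 1) * 10
        self.rules[rule_id] = (app, src, list(nexthops))
        return rule_id

    def lookup(self, src_ip, proto, sport):
        """Nexthop for a packet; rules are tried in ascending ID order."""
        if self.enabled:
            for rule_id in sorted(self.rules):
                app, src, nexthops = self.rules[rule_id]
                if app is not None and app != (proto, sport):
                    continue
                if src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(src):
                    continue
                return nexthops[0]  # assumption: the first listed nexthop is used
        return DEFAULT_NEXTHOP      # PBR disabled or no rule matched: default route

    def ping_poll(self, next_hop_reachable):
        """Trigger 1 runs policy-off.scp on 'down'; trigger 2 runs policy-on.scp on 'up'."""
        self.enabled = next_hop_reachable

def build_example():
    """Steps 4 to 7: APP = tcp sport 80, zone Private = 10.10.10.0/24, nexthop 186.0.0.2."""
    pbr = PolicyRouter()
    pbr.enabled = True              # Step 6
    pbr.add_rule(["186.0.0.2"], app=("tcp", 80), src="10.10.10.0/24", rule_id=10)
    return pbr
```

Calling build_example().ping_poll(False) reproduces the failover: matching traffic that was steered to 186.0.0.2 is sent via the default route 200.0.0.2 until the poll succeeds again.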
 

Show Commands

awplus# show pbr rules
This command displays a list of the rules that have been configured.

awplus# show ip pbr route [<1-255>]
This command shows the routes created by the rules. You can narrow the display by specifying a PBR rule ID.


For more information and limitations about PBR, check the Feature Guide.
 

Workaround

Alternatively, two default routes can be configured, one pointing to each Internet Service Provider's (ISP's) gateway.

awplus(config)# ip route 0.0.0.0/0 200.0.0.2
awplus(config)# ip route 0.0.0.0/0 186.0.0.2
 

The difference is that with this approach the traffic cannot be steered: you have no control over the bandwidth utilisation of each link. When a client establishes a connection via one of the ISPs, it stays on that link until the connection is terminated.

The route selection is completely random, but both links are used at the same time.