Cisco 1811 with two ISPs over two outside interfaces

Answered Question
Apr 21st, 2007

I have a Cisco 1811 with an internal network of 192.168.0.0/23. The addresses are currently NATted out of interface FE0 to ISP1. We have had a number of problems with ISP1, so we have installed a DSL modem and connected it to FE1 using PPPoE, and the interface comes up correctly and works from the router only.

I have looked on here for a configuration that will allow me to do automatic failover using a floating static route that will NAT from the internal 192.168.0.0/23 addresses to either ISP1 (primary) or ISP2 (secondary) when ISP1 is down. I have been unsuccessful at getting a good example config.

The connection to ISP1 needs to be overloaded because we only get one static IP address, and that is assigned to FE0. The connection to ISP2 has a subnet mask of 255.255.255.248, so we can use several addresses from a pool or just overload on the address assigned to Dialer0 (associated with FE1).

Can someone provide me a NAT configuration that will do this with either access-lists or route maps?

Thank you in advance.

Paolo Bevilacqua Sat, 04/21/2007 - 16:22

Hi, do you want a primary link only? You can also do pseudo-balancing, like 0.0.0.0/2 goes to secondary, 0.0.0.0/0 to primary.

Then, as you said, one single floating static will do the backup. You just need one IP per link, and PAT will be fine; the pool can come in useful if you have servers inside, with a static NAT.

lleecklesdafer Sat, 04/21/2007 - 18:18

Hello, thank you for your reply. I would like to have a primary link to ISP1, but the balancing is interesting as well. The main objective is to provide automatic failover. There are no servers at the location. The co-lo is at another location and I need to always be connected to the co-lo where all the servers are.

Do you have an example configuration for what I have described? Like I said, I have one NAT working, but I cannot find an example configuration that allows me to do this with two ISPs from one router with two outside interfaces.

Paolo Bevilacqua Sat, 04/21/2007 - 18:49

Hi,

just configure NAT as per the documentation, but twice. In the ACL you only permit the inside network, then apply the "ip nat inside ..." statement twice, one time per outside interface.

Start with two default static routes only. That will do backup and load balancing. Then you have time to fine-tune it as you wish. Note that on both links, if the interface stays up but the provider drops packets, this type of failure won't be detected by the static routes. If you want to avoid this possibility, you can configure IP SLA, tracked objects and policy routing to monitor the actual status of the links. This is a more advanced configuration.

Please remember to rate all useful posts!
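As an added example (not Paolo's or Jerry's configuration), here is the IP SLA and tracked-object version of the failover Paolo alludes to, applied to the floating-static design used in this thread. It assumes the same placeholders as the rest of the thread (a.b.c.d is the ISP1 next hop, e.f.g.h is the ISP2 next hop, FastEthernet0 faces ISP1) plus one hypothetical probe target w.x.y.z, a reliable host beyond ISP1 that you are permitted to ping. Older 12.4 images spell the track line `track 1 rtr 1 reachability` instead of `track 1 ip sla 1 reachability`.

```cisco
! Added example, not from the original thread.
! Placeholders (assumed): a.b.c.d = ISP1 next hop, e.f.g.h = ISP2 next hop,
! w.x.y.z = hypothetical host beyond ISP1 used as the probe target.
!
! Probe a host on the far side of ISP1 every 10 s; a static-route-only
! design cannot see an ISP that keeps the link up but blackholes traffic.
ip sla 1
 icmp-echo w.x.y.z source-interface FastEthernet0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Track the probe; the delays stop a single lost ping from flapping the route.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Pin the probe target to ISP1. Without this the probe would follow the
! default route over ISP2 after failover, succeed, and bring the primary
! route straight back. The Null0 entry keeps it off ISP2 even when the
! ISP1 next hop is unreachable.
ip route w.x.y.z 255.255.255.255 a.b.c.d
ip route w.x.y.z 255.255.255.255 Null0 250
!
! Primary default route is withdrawn whenever track 1 is down; the
! floating static (administrative distance 200) to ISP2 then takes over.
ip route 0.0.0.0 0.0.0.0 a.b.c.d track 1
ip route 0.0.0.0 0.0.0.0 e.f.g.h 200
!
! Existing PAT entries stay bound to the old outside address until they
! age out, so inside hosts keep sending into the dead link. Flush the
! table on every track transition so sessions re-establish via the
! surviving ISP.
event manager applet FLUSH-NAT-ON-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

Check the state with `show track 1` and `show ip route 0.0.0.0`: while the probe succeeds the default route points at a.b.c.d, and after `delay down` expires the route to e.f.g.h replaces it. The NAT statements and route-maps from the rest of the thread are unchanged; only the default routes and the probe are added.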

lleecklesdafer Sun, 04/22/2007 - 05:30

Hello again,

I am not sure I totally understand your answer. I am not understanding how the router will know which translation rule to use if they have the same source-list.

Can you or someone provide an example configuration showing what you are describing here?

Paolo Bevilacqua Tue, 04/24/2007 - 05:04

Hi,

the source access-list only defines what is allowed to be natted and what is not.

Because you have two default routes of equal weight, packets going out will alternately choose one or the other link. Actually the load balancing will not be per packet but per destination. So once a conversation starts going out on an interface, it will stick to it. This is automatic.

There is really no configuration to take as an example. Just two "ip nat inside" statements, pointing to the two interfaces or IP addresses used for NAT. That's it.

Correct Answer
jerrytozhang Tue, 04/24/2007 - 06:55

Try this example, which is working well in my environment, but one thing you need to know is that this solution just gives you a standby internet connection, no load balancing.

!
interface FastEthernet0
 description Connect to ISP1
 ip nat outside
!
interface FastEthernet1
 description Connect to ISP2
 ip nat outside
!
! On an 1811 the LAN switch ports are normally fronted by interface Vlan1;
! "ip nat inside" goes on whichever interface carries the inside subnet.
interface FastEthernet2
 description Connect to your LAN
 ip nat inside
!
! One PAT rule per outside interface; the route-map selects the rule by the
! interface the packet is actually routed out of.
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
!
! a.b.c.d is your next hop to ISP1 (default administrative distance 1)
! e.f.g.h is your next hop to ISP2; distance 200 makes it a floating static
! that only enters the routing table when the ISP1 route is withdrawn
ip route 0.0.0.0 0.0.0.0 a.b.c.d
ip route 0.0.0.0 0.0.0.0 e.f.g.h 200
!
! Wildcard 0.0.1.255 covers the whole 192.168.0.0/23 inside network
access-list 10 permit 192.168.0.0 0.0.1.255
!
route-map isp1 permit 10
 match ip address 10
 match interface FastEthernet0
!
route-map isp2 permit 10
 match ip address 10
 match interface FastEthernet1
!

Paolo Bevilacqua Tue, 04/24/2007 - 07:58

The configuration above can be simplified and made to load-balance over two ISPs by:

- using an access-list instead of a route-map in "ip nat inside source"

- not specifying a weight for any of the static routes.
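As an added example, not from the thread, this is the load-sharing variant Paolo describes, using the same placeholders as Jerry's config (a.b.c.d and e.f.g.h next hops, FastEthernet0/1 towards the ISPs, 192.168.0.0/23 inside). It keeps the route-maps with `match interface` rather than a bare access-list so that each flow is translated to the address of the link it actually leaves on.

```cisco
! Added example, not from the original thread. Placeholders as in the
! thread: a.b.c.d = ISP1 next hop, e.f.g.h = ISP2 next hop.
!
! CEF does the per-destination sharing (a flow sticks to one link);
! it is on by default on current images but is stated here explicitly.
ip cef
!
! Two default routes with the same administrative distance both enter the
! routing table and traffic is shared across them.
ip route 0.0.0.0 0.0.0.0 a.b.c.d
ip route 0.0.0.0 0.0.0.0 e.f.g.h
!
! With load sharing the NAT rule must follow the egress interface. A rule
! keyed only on an access-list is chosen on the source address alone, so a
! flow routed out FastEthernet1 could be translated to FastEthernet0's
! address and reach ISP2 with ISP1's source address, which ISP2's
! anti-spoofing ingress filter would normally drop. "match interface" binds
! each translation to the interface the packet is being sent out of.
access-list 10 permit 192.168.0.0 0.0.1.255
!
route-map isp1 permit 10
 match ip address 10
 match interface FastEthernet0
!
route-map isp2 permit 10
 match ip address 10
 match interface FastEthernet1
!
ip nat inside source route-map isp1 interface FastEthernet0 overload
ip nat inside source route-map isp2 interface FastEthernet1 overload
!
! Interfaces as in Jerry's config:
interface FastEthernet0
 ip nat outside
interface FastEthernet1
 ip nat outside
interface FastEthernet2
 ip nat inside
```

To confirm both paths are active, `show ip route 0.0.0.0` should list both next hops under the single S* entry, and `show ip cef exact-route <inside-host> <destination>` shows which link a given flow is pinned to. Unlike the tracked-failover design, a link whose interface stays up while the provider blackholes traffic keeps receiving its share of flows here; the equal-cost routes only leave the table when the interface itself goes down.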

lleecklesdafer Tue, 04/24/2007 - 08:03

Hello again,

Both of these solutions solve the problem nicely. I think if we have a requirement to load balance, we will use this solution as well.

Thanks for the help, it is much appreciated.

jerrytozhang Tue, 04/24/2007 - 09:36

Hi,p.bevilacqua:

According to my knowledge, if you input two or more default static routes without different administrative distances specified, only one of these default static routes will enter the routing table and take effect. That's the reason I have to specify 200 as the administrative distance.

regards.

Paolo Bevilacqua Tue, 04/24/2007 - 09:48

Hi Jer,

no, that's not correct. When multiple routes have the same administrative distance (it does not matter if static or by protocol), the router will begin distributing traffic in load sharing, up to a maximum of 6 paths.

The algorithm used to decide which path to take depends on whether you are using CEF (three algorithms available), fast switching, or the most brutal per-packet load balancing.

This has been the key for routers to use multiple links to the same destination for many years before the advent of MLPPP.

jerrytozhang Tue, 04/24/2007 - 12:15

Excellent, you're right. I just tested what you said; see the following, two default static routes in the routing table.

Regards

Jerry

--

Gateway of last resort is 2.2.2.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Ethernet0
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Ethernet1
S*   0.0.0.0/0 [1/0] via 2.2.2.2
               [1/0] via 1.1.1.1

Paolo Bevilacqua Tue, 04/24/2007 - 12:22

Yes. One more correction: the numeric parameter in static routes like 200, commonly called "weight", is not the "administrative distance", but more correctly a "metric". Administrative distance is something else, but let's not digress.

lleecklesdafer Tue, 04/24/2007 - 08:02

Hi,

This works for me very well. I really did not need to load balance, so this should not be an issue at all.

Thank you.
