Router with 2 ISPs and VRF configuration; failover config?

Unanswered Question
Oct 5th, 2009

Hey guys,

We have a router with two ISP connections going into each of the FastEthernet ports. One port, the primary, services Internet traffic. The secondary port is assigned into the VRF instance 'isp2'.

We have two Tunnel interfaces configured for DMVPN each one going to one of our two head office DMVPN routers. The primary tunnel is configured to route out the vrf 'isp2'. The secondary tunnel only comes online if the primary tunnel fails (due to secondary ISP failure) and routes over the primary ISP. This all works lovely.

Now, if the primary ISP link fails, the primary tunnel still runs (obviously) over the secondary ISP. However, all Internet traffic is lost at this branch. Is there an easy way, using this VRF configuration, to have a failover configuration in which Internet traffic could automatically be routed over the secondary ISP?

Please let me know if you need a better description and/or diagram. Thanks!

Laurent Aubert Mon, 10/05/2009 - 19:18

Hi,

If I understand correctly, your two ISP links are in two different VRFs and you want to leak traffic from the GRT to vrf isp2 if the primary link is down?

You could have a floating default route configured in the GRT but pointing to the secondary port and the ISP router @:

ip route 0.0.0.0 0.0.0.0 <secondary-port-interface> <ISP2-router-address> 254

If it's a point-to-point interface, you don't need the router @.

For the returning traffic, you need a route in the vrf to send the traffic to your FW. In this case you can use the global keyword which will tell the router to use the GRT to resolve the next-hop.

If I missed something, please provide a diagram.

HTH

Laurent.

graham.fleming Mon, 10/05/2009 - 20:10

Thanks for the reply. I think you got it except I need to clarify a few things and I need clarification on a few things.

First to clarify, the primary ISP link connects to an ISP-provided switch so even if the service goes down, the link will almost always be up. Will the floating route work? Or I suppose I could use IP SLA to track it?

Now, to get clarification from your post. What is "ISP router @"? Is this "forwarding router's address"?

And could you clarify what you mean by the return traffic and needing a route in the vrf to send to my FW? The router is acting as the firewall device in this scenario.

Thanks!

Laurent Aubert Tue, 10/06/2009 - 05:26

Hi,

In your case, you need to track the default-route.

The returning traffic is received in a vrf but the final destination (after NAT) is in the GRT so you need to leak the traffic from the VRF to the GRT.

Also, where does NAT occur? Do you have your own public IP addresses?

Why do you need to put your 2nd ISP in a VRF? Things would be much easier without the VRF.

Thanks

Laurent.
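Laurent's tracked floating default route and `global` return route, written out as an added example (this is not Laurent's or Graham's configuration and not from the thread). It assumes FastEthernet0/0 is the ISP1 port in the global routing table (GRT), FastEthernet0/1 is the ISP2 port in vrf isp2, an inside core switch or firewall at 192.168.10.2 fronting the user networks in 10.10.0.0/16, RFC 5737 documentation addresses for both ISPs, and ICMP reachability to the ISP1 gateway as the failure signal; every one of those is an assumption.

```cisco
! Added example, not from the thread: ISP1 in the global routing table (GRT),
! ISP2 in vrf isp2, a tracked floating default that leaks Internet traffic into
! vrf isp2 when ISP1 fails, and the 'global' return route back into the GRT.
! All interface names, addresses and the probe target are assumed placeholders.
!
ip vrf isp2
 rd 65000:2
!
interface FastEthernet0/0
 description Primary ISP, Internet (GRT)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description Secondary ISP, DMVPN transport (vrf isp2)
 ip vrf forwarding isp2
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface Vlan10
 description Inside transit to the core switch / firewall (GRT)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Inside user networks sit behind 192.168.10.2 (assumed)
ip route 10.10.0.0 255.255.0.0 192.168.10.2
!
! The ISP1 port faces a provider switch, so link state never drops. Probe a
! host beyond that switch (here the ISP1 gateway; something further away is
! better) and tie the primary default route to the probe.
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Primary default in the GRT, withdrawn when track 1 goes down
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
!
! Floating default (AD 254) in the GRT that exits through the vrf isp2 port.
! Naming both the interface and the next hop is what lets a GRT route use a
! VRF interface (GRT -> VRF leak).
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 203.0.113.1 254
!
! Return traffic arrives in vrf isp2; after NAT its destination is an inside
! network that only exists in the GRT, so resolve the next hop in the GRT
! (VRF -> GRT leak).
ip route vrf isp2 10.10.0.0 255.255.0.0 192.168.10.2 global
!
! Translate to whichever ISP port the packet actually leaves on
access-list 10 permit 10.10.0.0 0.0.255.255
route-map NAT-ISP1 permit 10
 match ip address 10
 match interface FastEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address 10
 match interface FastEthernet0/1
ip nat inside source route-map NAT-ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/1 overload
```

To test it, blackhole the probe target or pull the ISP1 uplink: `show track 1` should go to DOWN, `show ip route 0.0.0.0` should then show the FastEthernet0/1 route with distance 254, and `show ip nat translations` should show new inside sessions mapped to 203.0.113.2. Existing translations to 198.51.100.2 do not follow the failover; they age out or can be cleared with `clear ip nat translation *`. Two caveats: a probe at the ISP gateway only proves the first hop, so probe something the ISP cannot keep alive when its own upstream is down; and NAT with the inside in the GRT and the outside in a VRF behaves differently across IOS releases, so test the return path end to end rather than assuming it.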

graham.fleming Tue, 10/06/2009 - 09:54

Hi Laurent, thank you for the continued assistance.

NAT occurs on this router. Traffic is translated from an inside pool and overloaded on the primary ISP interface. We have our own public IP addresses for both ISPs, yes.

We need to use a VRF because, as far as I am concerned, in order to have two ISPs connected to this router and to use one for primary Internet traffic and the other for DMVPN tunnel traffic (i.e. using two default routes simultaneously), it wouldn't work otherwise. I can see it working without a VRF if the tunnel traffic and Internet traffic used the same ISPs. Keep in mind we have dual DMVPN tunnels on this device, one for each ISP, but we want to keep the primary tunnel flowing over the secondary ISP.

Thanks!

Brent Rockburn Tue, 10/06/2009 - 10:02

You have to make sure that you put your interfaces in vrf isp1, but basically this is it. BGP will bleed the routes into the global table and everything should be right with the world. Also, your crypto profiles will need to be in vrf isp1 as well. Also, your secondary int will have to be ip vrf forwarding isp2. I'm sure you get the idea here.

ip vrf isp1
 rd 1:2
 route-target export 1:1
 route-target import 1:1
!
ip vrf isp2
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
interface Tunnel10
 description Primary INT for DMVPN
 bandwidth 1000
 ip vrf forwarding isp1
 tunnel vrf isp1
!
interface Tunnel20
 description Backup INT for DMVPN
 bandwidth 1000
 ip vrf forwarding isp1
 tunnel vrf isp2
!
router eigrp 1
 no auto-summary
 !
 address-family ipv4 vrf isp1
  network X.X.X.X 0.0.0.0
  network X.X.X.X 0.0.0.0
  network X.X.X.X 0.0.0.0
  no auto-summary
  autonomous-system 100
  eigrp stub connected
 exit-address-family
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf isp2
  redistribute connected
  redistribute static
  default-information originate
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf isp1
  redistribute connected
  no synchronization
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route vrf isp1 0.0.0.0 0.0.0.0 x.x.x.x
!
ip nat source route-map isp1-nat interface Whatever vrf isp1 overload
ip nat source route-map isp2-nat interface whatever vrf isp1 overload
!
access-list 101 permit ip x.x.x.x x.x.x.x any
!
route-map isp1-nat permit 10
 match ip address 101
 match interface whatever
!
route-map isp2-nat permit 10
 match ip address 101
 match interface whatever

Giuseppe Larosa Tue, 10/06/2009 - 10:30

Hello Graham,

If the public IP addresses used by the primary DMVPN are known and stable, you can simply accept specific routes describing those endpoints in addition to receiving a default route from ISP2.

At the same time you can prefer the default route received from ISP1 over that from ISP2.

Most specific routes are used first.

This would allow you to remove all the VRF stuff, which could be useful if, for example, you were providing Internet access to a guest wireless VLAN to keep it separated from your intranet.

But if there are no other requirements for putting ISP2 under a VRF, I would use a solution like the one described above, which would give you Internet access in case the primary link fails without having to deal with route leaking between the VRF and the global routing table.

Hope to help

Giuseppe
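Giuseppe's single-table alternative, as an added example (not his configuration and not from the thread). The thread talks about routes received from the ISPs; this block shows the same principle with static routes, since longest match first and administrative distance second decide the outcome either way. It assumes hub public addresses 192.0.2.10 (primary head-office router) and 192.0.2.20 (backup), RFC 5737 addresses for the ISP links, and an ICMP probe to the ISP1 gateway as the failure signal; NAT, NHRP and IPsec are left out so only the routing decision is shown. All names and addresses are assumptions.

```cisco
! Added example, not from the thread: no VRF at all. Static host routes pin each
! DMVPN hub to one ISP (a /32 always beats the /0 default), and the Internet
! default prefers ISP1 with a floating backup through ISP2.
! Hub addresses, ISP addresses and interface names are assumed placeholders.
!
interface FastEthernet0/0
 description Primary ISP, Internet and backup DMVPN transport
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/1
 description Secondary ISP, primary DMVPN transport
 ip address 203.0.113.2 255.255.255.252
!
! Probe beyond the ISP1 switch so a dead service behind a live link is detected
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary hub (192.0.2.10) is always reached via ISP2, backup hub (192.0.2.20)
! always via ISP1. Being /32s they win over either default route, so the
! tunnels never move when the Internet default fails over.
ip route 192.0.2.10 255.255.255.255 203.0.113.1
ip route 192.0.2.20 255.255.255.255 198.51.100.1
!
! Internet: ISP1 (AD 1, withdrawn when track 1 fails), then ISP2 (AD 254)
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Each tunnel is sourced from the port its hub route exits on
interface Tunnel10
 description Primary DMVPN to 192.0.2.10, sourced from the ISP2 port
 ip address 172.16.0.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 10
!
interface Tunnel20
 description Backup DMVPN to 192.0.2.20, sourced from the ISP1 port
 ip address 172.16.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 20
```

`show ip route 192.0.2.10` should always resolve via 203.0.113.1, while `show ip route 0.0.0.0` flips between 198.51.100.1 and 203.0.113.1 as `show track 1` changes state. When the ISP1 service is down the backup tunnel is down too, which is fine here because the primary tunnel over ISP2 keeps carrying the traffic; the two-tunnel design only has to cover an ISP2 outage.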
