Failover internet connection

May 27th, 2010
I have a router with connections to two different ISPs and I'm looking to have it fail over should the main connection go down. Is this config going to work?



int f3
 switch mode acce
 switch acce vlan 5
!
int f4
 ip add 173.220.131.10 255.255.255.248
 ip nat outside
!
int vlan1
 ip add 172.18.2.1 255.255.255.0
 ip nat inside
!
int vlan5
 ip add 64.115.219.66 255.255.255.248
 ip nat outside
!
ip sla 1
 icmp-echo 63.123.252.1
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
access-list 100 permit icmp any host 63.123.252.1 echo
!
route-map redundant permit 10
 match ip add 100
 set int vlan 5 null 0
!
ip local policy route-map redundant
!
ip route 0.0.0.0 0.0.0.0 173.220.131.9 track 1
ip route 0.0.0.0 0.0.0.0 64.115.219.65
!
ip nat inside source route-map NAT interface f4 overload
!
ip access-list extended NAT
 deny   ip 172.18.2.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.2.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address NAT

Giuseppe Larosa Fri, 05/28/2010 - 03:13

Hello Jason,

The configuration is not complete: when using the secondary link you need to NAT using the public address of the secondary link, or you will have trouble receiving return traffic.

The NAT configuration has to be modified to take this into account; more specifically, the route-map needs two clauses, in which you check whether you are going to exit on the primary or on the secondary link and use a different NAT pool accordingly.

Or you need to add a second statement with the global address being the secondary link interface.

See
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml


Hope to help

Giuseppe

jasonww04 Tue, 06/01/2010 - 08:47
A Cisco tech helped me with the config, here is what I am going to try tonight:


int f3
 switch mode acce
 switch acce vlan 5
!
int f4
 ip add 173.220.131.10 255.255.255.248
 ip nat outside
!
int vlan1
 ip add 172.18.2.1 255.255.255.0
 ip nat inside
!
int vlan5
 ip add 64.115.219.66 255.255.255.248
 ip nat outside
!
ip sla 1
 icmp-echo 4.2.2.2
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 173.220.131.9 track 1
ip route 0.0.0.0 0.0.0.0 64.115.219.65 230
!
ip nat inside source route-map NAT interface f4 overload
ip nat inside source route-map NAT2 int vlan5 overload
!
ip access-list extended NAT
 deny   ip 172.18.2.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.2.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address NAT
!
route-map NAT2 permit 10
 match ip add NAT

Giuseppe Larosa Tue, 06/01/2010 - 11:39

Hello Jason,

This last version looks more correct. It uses object tracking to check the health of the primary path/route, and it has two NAT statements, one for each ISP link.

You should test a failure of the primary link and the restoration of the primary link to verify the behaviour of this setup.

The target address of the RTR object (IP SLA) should be an IP address of ISP1.

See
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html#wp1087990



Hope to help

Giuseppe
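The two points Giuseppe makes in his replies, a separate NAT statement per ISP link that is selected by the exit interface, and a probe target that can only be reached through ISP1, put together in one complete configuration. This is an added example, not the original poster's config nor the one the Cisco tech supplied, and it assumes the thread's addressing: ISP1 on FastEthernet4 with gateway 173.220.131.9, ISP2 on VLAN 5 with gateway 64.115.219.65, the LAN on VLAN 1, and that 63.123.252.1 (the poster's original probe target) is a host inside ISP1's network. The interface descriptions, ACL and route-map names, timers, and the EEM applets are my own choices.

```cisco
! Added example: dual-ISP failover with per-link NAT. Not the thread's own
! config; the addressing and the probe target 63.123.252.1 are assumptions.
interface FastEthernet3
 switchport mode access
 switchport access vlan 5
!
interface FastEthernet4
 description ISP1 (primary)
 ip address 173.220.131.10 255.255.255.248
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 172.18.2.1 255.255.255.0
 ip nat inside
!
interface Vlan5
 description ISP2 (backup)
 ip address 64.115.219.66 255.255.255.248
 ip nat outside
!
! Probe a host inside ISP1's network, sourced from the ISP1 interface.
! timeout and threshold are in milliseconds, frequency in seconds.
ip sla 1
 icmp-echo 63.123.252.1 source-interface FastEthernet4
 timeout 1000
 threshold 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Older IOS spells this "track 1 rtr 1 reachability". The delays absorb a
! single lost echo and stop the route from flapping while ISP1 recovers.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target to ISP1. Without this host route the probe would be
! answered through ISP2 as soon as the default route moved, the track would
! come back up, and the default route would flap. The floating Null0 route
! keeps the probe from leaking out ISP2 when FastEthernet4 is physically down.
ip route 63.123.252.1 255.255.255.255 173.220.131.9
ip route 63.123.252.1 255.255.255.255 Null0 254
!
! The primary default route is withdrawn when track 1 goes down; the
! floating static (AD 230) then takes over.
ip route 0.0.0.0 0.0.0.0 173.220.131.9 track 1
ip route 0.0.0.0 0.0.0.0 64.115.219.65 230
!
! One NAT statement per ISP link. "match interface" selects the route-map
! by the interface the packet will leave on, so traffic is always translated
! to the address of the link it actually uses and return traffic comes back
! the same way.
ip access-list extended LAN-TO-INTERNET
 deny   ip 172.18.2.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.2.0 0.0.0.255 any
!
route-map NAT-ISP1 permit 10
 match ip address LAN-TO-INTERNET
 match interface FastEthernet4
!
route-map NAT-ISP2 permit 10
 match ip address LAN-TO-INTERNET
 match interface Vlan5
!
ip nat inside source route-map NAT-ISP1 interface FastEthernet4 overload
ip nat inside source route-map NAT-ISP2 interface Vlan5 overload
!
! Flush the translation table on every transition so sessions that were
! bound to the old link's address do not keep being sent out the dead link.
event manager applet ISP1-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 down: default route moved to ISP2, NAT table flushed"
!
event manager applet ISP1-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 up: default route back on ISP1, NAT table flushed"
```

To test it the way Giuseppe suggests, pull the ISP1 cable (or block the probe target upstream) and watch `show track 1`, `show ip sla statistics 1`, `show ip route 0.0.0.0` and `show ip nat translations`: the track should go down after the 15 s delay, the default route should point at 64.115.219.65, and new translations should carry 64.115.219.66 as the inside global address; reconnect ISP1 and the reverse should happen after the 30 s up delay. Two caveats a practitioner will want to keep in mind: clearing the NAT table drops every established session at each transition, and nothing here fails over inbound connections addressed to the ISP1 public address. Also, `ip nat outside` is not a firewall; since the backup link is live at all times, whatever inbound filtering you apply on FastEthernet4 belongs on Vlan5 as well.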
