05-27-2010 09:13 AM - edited 03-04-2019 08:36 AM
I have a router with connections to two different ISPs and I'm looking to have it failover should the main connection go down. Is this config going to work?
interface FastEthernet3
 switchport mode access
 switchport access vlan 5
interface FastEthernet4
 ip address 173.220.131.10 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 172.18.2.1 255.255.255.0
 ip nat inside
interface Vlan5
 ip address 64.115.219.66 255.255.255.248
 ip nat outside
ip sla 1
 icmp-echo 63.123.252.1
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
access-list 100 permit icmp any host 63.123.252.1 echo
route-map redundant permit 10
 match ip address 100
 set interface Vlan5 Null0
ip local policy route-map redundant
ip route 0.0.0.0 0.0.0.0 173.220.131.9 track 1
ip route 0.0.0.0 0.0.0.0 64.115.219.65
ip nat inside source route-map NAT interface FastEthernet4 overload
!
ip access-list extended NAT
 deny ip 172.18.2.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.2.0 0.0.0.255 any
route-map NAT permit 10
 match ip address NAT
05-28-2010 03:13 AM
Hello Jason,
The configuration is not complete: when using the secondary link you need to NAT using the public address of the secondary link, or you will have trouble receiving return traffic.
The NAT configuration has to be modified to take this into account; more specifically, the route-map needs two clauses where you check whether you are going to exit on the primary or on the secondary link, and use a different NAT pool accordingly.
Or you need to add a second statement with the global address being the secondary link interface.
see
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Hope to help
Giuseppe
06-01-2010 08:47 AM
A Cisco tech helped me with the config, here is what I am going to try tonight:
interface FastEthernet3
 switchport mode access
 switchport access vlan 5
interface FastEthernet4
 ip address 173.220.131.10 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 172.18.2.1 255.255.255.0
 ip nat inside
interface Vlan5
 ip address 64.115.219.66 255.255.255.248
 ip nat outside
ip sla 1
 icmp-echo 4.2.2.2
ip sla schedule 1 life forever start-time now
track 1 rtr 1 reachability
ip route 0.0.0.0 0.0.0.0 173.220.131.9 track 1
ip route 0.0.0.0 0.0.0.0 64.115.219.65 230
ip nat inside source route-map NAT interface FastEthernet4 overload
ip nat inside source route-map NAT2 interface Vlan5 overload
ip access-list extended NAT
 deny ip 172.18.2.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.2.0 0.0.0.255 any
route-map NAT permit 10
 match ip address NAT
route-map NAT2 permit 10
 match ip address NAT
06-01-2010 11:39 AM
Hello Jason,
This last version looks more correct. It uses object tracking to check the health of the primary path/route, and it has two NAT statements, one for each ISP link.
You should test a failure on the primary link and the restore of the primary link to verify the behaviour of this setup.
The target address of the RTR object (IP SLA) should be an IP address of ISP1.
see
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html#wp1087990
Hope to help
Giuseppe
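A fuller version of the second configuration, added here as an example and not taken from the thread or from Cisco, that applies both of Giuseppe's points: the probe targets ISP1's own next hop and is sourced from the primary interface, each NAT route-map also matches its egress interface so the translation uses the address of the link the packet really leaves on, and an EEM applet clears stale translations when the track changes state. Addresses and names are the thread's; the SLA frequency, the track delays and the EEM applet are assumptions.

```cisco
! Added example (assumed layout from the thread): dual-ISP failover with per-link NAT
interface FastEthernet4
 ip address 173.220.131.10 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 172.18.2.1 255.255.255.0
 ip nat inside
interface Vlan5
 ip address 64.115.219.66 255.255.255.248
 ip nat outside
!
! Probe ISP1's next hop, sourced from the primary interface (no local PBR needed)
ip sla 1
 icmp-echo 173.220.131.9 source-interface FastEthernet4
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Dampen flapping: wait 15 s before declaring down, 30 s before declaring up (assumed values)
! (newer IOS releases spell this "track 1 ip sla 1 reachability")
track 1 rtr 1 reachability
 delay down 15 up 30
!
! Primary default route is withdrawn while track 1 is down; the backup has a worse AD
ip route 0.0.0.0 0.0.0.0 173.220.131.9 track 1
ip route 0.0.0.0 0.0.0.0 64.115.219.65 230
!
! One NAT statement per ISP; each route-map also matches the egress interface
ip access-list extended NAT
 deny   ip 172.18.2.0 0.0.0.255 10.11.0.0 0.0.255.255
 permit ip 172.18.2.0 0.0.0.255 any
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet4
route-map NAT2 permit 10
 match ip address NAT
 match interface Vlan5
ip nat inside source route-map NAT interface FastEthernet4 overload
ip nat inside source route-map NAT2 interface Vlan5 overload
!
! Existing translations stay bound to the old outside address; flush them on a track change
event manager applet NAT-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

Probing the directly connected gateway only detects a dead link or gateway; to probe a farther ISP1 address instead, pin it with a host static route via 173.220.131.9 so the probe cannot succeed over the backup link after failover and flap the track.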