2 internet lines active/active use

Apr 3rd, 2014

Hello Everyone.

I need some clarification from experts.

The client has two internet lines from different ISPs (the DNS servers are different for the two lines) and wants to use both lines as active/active. For active/passive I believe SLA will be helpful, but for active/active what should be used (is it PBR)?

Right now only a single internet line is functional, and the second internet line needs to be connected to the network.

Furthermore, an ASA firewall needs to be deployed between the core switch and the internet router.

Do I need to connect the second internet line to the same router, or do I have to use another router? Kindly advise.

Please advise.

Many Thanks.

Ruben C Thu, 04/03/2014 - 13:47

Both providers will give different public IPs, so that means you will need to use PBR on the router based on source address and do NAT on the firewall.

Fazal E Rasool Khan Fri, 04/04/2014 - 05:15

Many thanks for the reply rcochenos.

Could you please elaborate on your answer, if possible with a simple configuration example? I am using the 192.168.X.X and 10.10.X.X subnets.

On the core switch there is one default route pointing to the router. On the router, if I do the below configuration, where 192.168.x.x traffic is forwarded to ISP A and 10.10.x.x traffic is forwarded to ISP B, will it work?

! 0.0.255.255 wildcards cover the whole 192.168.x.x and 10.10.x.x ranges
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any

route-map test permit 10
match ip address 101 
set interface fa0/0
exit
route-map test permit 20
match ip address 102
set interface fa0/1
exit
route-map test permit 30

ip local policy route-map test

Usually we do PAT on the router where the public IP terminates, in order to allow internet access to all the users.

I did not get why you advised doing NAT on the router.

Additionally, the customer asks that if ISP A is down, traffic should be forwarded via ISP B, and vice versa.

Any replies in the above regard will be helpful.

Ruben C Fri, 04/04/2014 - 14:07

Hi

Try using set ip next-hop next_hop1 next_hop2 next_hopx instead of set interface; using the interface requires more lookups, unless the IP of that particular interface is dynamic. You need to apply the policy inbound on the interface. The ip local policy is to use PBR for traffic generated by the router itself.

If you have the public IPs on the router, in that case the best place to do NAT is on the router.

Fazal E Rasool Khan Fri, 04/04/2014 - 14:58

Thanks for the reply rcochenos.

Could you please have a look at the below summarized points.

1. When traffic from subnet 192.168.x.x comes to the router, it will be forwarded to ISP 1 using PBR.
2. When traffic from subnet 10.10.x.x comes to the router, it will be forwarded to ISP 2 using PBR.
3. Topology will be like this:

                                                   ISP1 --------> Internet
LAN ------> Core Switch ------> Firewall ------> Router --|
                                                   ISP2 --------> Internet
4. Solution Configuration
==========================
! "ip policy" applies the PBR route-map (named "test" in the PBR section below) to traffic arriving on the LAN interface
interface FastEthernet1/0
 description LAN interface
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 ip policy route-map test
!
interface FastEthernet1/1
 description To ISP 1
 ip address <public IP1> 255.255.255.252
 ip nat outside
!
interface FastEthernet2/0
 description To ISP 2
 ip address <public IP 2> 255.255.255.252
 ip nat outside
!

PBR Configuration.
========================
! 0.0.255.255 wildcards cover the whole 192.168.x.x and 10.10.x.x ranges
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any

! the next hop is the ISP gateway address on each link (the same addresses used in the static routes below)
route-map test permit 10
 match ip address 101
 set ip next-hop ISP1-Next-Hop-IP
 exit
route-map test permit 20
 match ip address 102
 set ip next-hop ISP2-Next-Hop-IP
 exit
! empty clause: everything else is routed normally via the routing table
route-map test permit 30

Routing
===============
ip route 0.0.0.0 0.0.0.0 ISP1-Next-Hop-IP
ip route 0.0.0.0 0.0.0.0 ISP2-Next-Hop-IP


Natting
=================
access-list 10 permit 10.10.0.0 0.0.255.255
access-list 20 permit 192.168.0.0 0.0.255.255

route-map ISP1 permit 10
match ip address 20
match interface FastEthernet1/1

route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!

ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload

I can see one disadvantage in the above configuration, i.e. there is no failover: when ISP1 is down, 192.168.x.x traffic is not switching to ISP2, and vice versa for 10.10.x.x. Additionally, how can I assign DNS IP addresses on the router or clients, as they are different for ISP1 and ISP2? (Is it like this: ip name-server x.x.x.x x.x.x.x x.x.x.x x.x.x.x?)

Do I need to use IP SLA tracking with static routes and PBR?
Will the above solution work perfectly if I don't need any failover and just send 192.168.x.x traffic to ISP1 and 10.10.x.x traffic to ISP2?

Thanks for your continued support.
Please reply.

Ruben C Sat, 04/05/2014 - 07:55

Hi

You don't need to match the interface on the route-maps:

route-map ISP1 permit 10
match ip address 20
no match interface FastEthernet1/1

route-map ISP2 permit 10
match ip address 10
no match interface FastEthernet2/0

The failover is done by using ip next-hop for both ISPs, or leave one like you are doing, and if the next hop is not available the router will use the routing table to route the packet.

Failover scenarios:

1) If the interface fails, the next hop disappears and PBR uses the routing table for forwarding.

2) If for some reason the next hop stops responding and your router interface stays up, you can use IP SLA + Track to speed it up.

Leave the clients doing DNS queries to both ISPs.
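As an added example (not from any of the posts above), the following IOS configuration puts the pieces discussed in this thread together on one router: source-based PBR per subnet, IP SLA probes with track objects for Ruben's scenario 2 (gateway dead while the interface stays up), tracked default routes, and NAT tied to the exit interface so that a flow that has failed over is translated behind the right address. Interface roles follow the topology Fazal posted; the public addresses 198.51.100.0/30 and 203.0.113.0/30, the probe targets and the timers are assumptions to be replaced with the real values.

```cisco
! Added example, not from any post in this thread. Interface roles follow the
! topology Fazal posted (Fa1/0 = LAN/firewall side, Fa1/1 = ISP1, Fa2/0 = ISP2).
! Assumptions: ISP1 link 198.51.100.0/30 (router .2, ISP gateway .1),
! ISP2 link 203.0.113.0/30 (router .2, ISP gateway .1); LAN side 172.16.1.254/24
! as in the thread. Replace with the real addresses.
!
! --- Reachability probes: ping each ISP gateway every 5 s from its own link ---
ip sla 1
 icmp-echo 198.51.100.1 source-interface FastEthernet1/1
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.1 source-interface FastEthernet2/0
 frequency 5
 timeout 1000
ip sla schedule 2 life forever start-time now
!
! Track objects go down after 10 s of failed probes and come back after 20 s
! of success, so a flapping link does not cause constant path changes.
track 1 ip sla 1 reachability
 delay down 10 up 20
track 2 ip sla 2 reachability
 delay down 10 up 20
!
! --- Default routes, each withdrawn when its probe fails ---
! Handles the case where the gateway is dead but the interface is still up.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 2
!
! --- Source-based PBR ---
! 0.0.255.255 wildcards cover all of 192.168.x.x and 10.10.x.x.
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
!
! "verify-availability ... track" skips a next hop whose track object is down
! and tries the next sequence; if none is usable, the packet is routed normally.
! 192.168.x.x prefers ISP1 and falls back to ISP2; 10.10.x.x the reverse.
route-map PBR permit 10
 match ip address 101
 set ip next-hop verify-availability 198.51.100.1 10 track 1
 set ip next-hop verify-availability 203.0.113.1 20 track 2
route-map PBR permit 20
 match ip address 102
 set ip next-hop verify-availability 203.0.113.1 10 track 2
 set ip next-hop verify-availability 198.51.100.1 20 track 1
!
! PBR is applied inbound on the LAN-facing interface. "ip local policy" would
! only affect traffic the router itself originates.
interface FastEthernet1/0
 description LAN interface (towards firewall)
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 ip policy route-map PBR
!
interface FastEthernet1/1
 description To ISP 1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet2/0
 description To ISP 2
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! --- NAT/PAT tied to the exit interface ---
! After a failover either inside range may leave via either ISP, so one ACL
! lists both and "match interface" selects the translation by where the packet
! actually exits. Each flow is then PATed behind the address of the link it uses.
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 10.10.0.0 0.0.255.255
!
route-map NAT-ISP1 permit 10
 match ip address 10
 match interface FastEthernet1/1
route-map NAT-ISP2 permit 10
 match ip address 10
 match interface FastEthernet2/0
!
ip nat inside source route-map NAT-ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet2/0 overload
```

Verify with show track, show ip sla statistics and show route-map PBR (the policy-match counters), and debug ip policy if a subnet is not taking the expected path. Three caveats a practitioner should keep in mind. First, probing the ISP gateway only detects a dead link or gateway; an upstream failure inside the provider still passes the probe, so if the ISP allows it, probe something beyond the gateway (the ISP's DNS server is a natural choice, since that is the reachability the clients actually depend on). Second, NAT translations that were built while a flow used ISP1 do not migrate when track 1 goes down; those sessions break and are re-established via ISP2 (clear ip nat translation * forces it immediately). Third, the example keeps match interface in the NAT route-maps deliberately: with a single ACL covering both inside ranges, it is the exit interface that decides which public address a packet is translated to, which is what keeps the source address consistent with the link the packet leaves on after a failover.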
