I have a 2811 router with 2 FastEthernet interfaces connected to two ISPs.
Fa0/1 is connected to ISP-1.
Fa0/2 is connected to ISP-2.
I created two access-lists, ACL1 (for ISP-1) and ACL2 (for ISP-2), to NAT two different network ranges, one per connection.
Now I am planning a PBR configuration to automatically switch the ACL1 network out via ISP-2 when ISP-1 is down, and vice versa.
The problem is how to configure the "ip nat inside source list ..." so that, when PBR selects next-hop ISP-2, ACL1 can also be NATted on interface Fa0/2 toward ISP-2.
Do I configure NAT so that, when the automatic failover happens, the different networks are accepted in the "ip nat inside ..."?
Or is there another way to do it?
This is a sample of the initial config:

interface FastEthernet0/1
 description ISP-1
 ip address X.X.X.X 255.255.255.252
 ip nat outside
!
interface FastEthernet0/2
 description ISP-2
 ip address X.X.X.X 255.255.255.252
 ip nat outside
!
ip access-list standard ACL1
 permit 192.168.1.0 0.0.0.255
ip access-list standard ACL2
 permit 192.168.2.0 0.0.0.255
!
ip nat inside source list ACL1 interface FastEthernet0/1 overload
ip nat inside source list ACL2 interface FastEthernet0/2 overload
Thanks in advance.
Jose, for your requirement with NAT and PBR working on a single router, create a route map permitting those specific sources and set their next hop in the route map. Check out the sample config below; hope that clears up your query!
ip policy route-map Nat-loop
!
ip nat inside source list 10 interface FastEthernet0/1 overload
ip nat inside source list 10 interface FastEthernet0/2 overload
!
access-list 102 permit ip any 192.168.2.0 0.0.0.255
!
route-map Nat-loop permit 10
 match ip address 102
 set ip next-hop <first link IP>
!
route-map Nat-loop permit 20
 match ip address 102
 set ip next-hop <second link IP>
This configuration is for active/active use of the ISPs. Route maps are executed in order from the lowest sequence number to the highest. You can edit or modify maps by using the sequence number. If a match is found within a route-map instance, execution of further route-map instances stops.
So what I would suggest is to change the set criteria in the route map and use just two route-map entries matching your ACLs; check out the sample config below with explanation.
route-map PBR_LAN permit 10
 match ip address ACL1
 set interface Serial2/1 Serial2/0

In the same fashion, create one for ACL2 and set the interfaces with Serial2/0 first (I mean the secondary link first, then the primary link).
Then we apply it to the LAN-facing interface:

interface FastEthernet0/0
 description LAN
 ip policy route-map PBR_LAN

Note that we used two interface names in the set interface command: if S2/1 is down, IOS will use S2/0, so we have a small level of redundancy and WAN-side fault tolerance for mission-critical traffic. We can achieve fault tolerance for LAN-to-WAN traffic too by adding a higher-metric default route:
Indeed, I would like to do dual homing with 2 ISPs, with my local area network divided in two, and make automatic failover when one ISP fails.
My current config:
ip sla 1
 icmp-echo ISP1-IP source-ip 192.168.10.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo ISP2-IP source-ip 192.168.20.1
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 122 rtr 2 reachability
 delay down 10 up 30
!
track 111 rtr 1 reachability
 delay down 10 up 30
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map test
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 description ISP1
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1.20
 description ISP2
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.168.10.2
ip route 0.0.0.0 0.0.0.0 192.168.20.2
!
ip nat inside source list ISP1 interface GigabitEthernet0/1.10 overload
ip nat inside source list ISP2 interface GigabitEthernet0/1.20 overload
!
ip access-list standard ISP1
 permit 10.10.10.5
 permit 10.10.10.6
 permit 10.10.10.10
 permit 10.10.10.11
ip access-list standard ISP2
 permit 10.10.10.100
 permit 10.10.10.101
!
route-map test permit 10
 match ip address ISP1
 set ip next-hop verify-availability 192.168.10.2 10 track 111
 set ip next-hop verify-availability 192.168.20.2 15 track 122
!
route-map test permit 20
 match ip address ISP2
 set ip next-hop verify-availability 192.168.20.2 10 track 122
 set ip next-hop verify-availability 192.168.10.2 15 track 111
Let me explain: some IPs of the LAN network go out via ISP1 and the others via ISP2. When the ISP1 connection no longer works (the ISP1 IP becomes unavailable), I would like those going out via ISP1 to automatically start going out via ISP2.
The problem is that when ISP1 is not reachable, the traffic of access-list ISP1 does not manage to be NATted to go out on the ISP2 connection. The failover does not work. What is wrong in the config and what can I do, please?
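An added worked configuration, not part of any post in this thread, showing the NAT side of the failover the question and the earlier answer both describe. A list-based `ip nat inside source list ... interface ... overload` rule is selected by source address only, so once PBR pushes the ISP1 hosts out GigabitEthernet0/1.20 they are still translated to (or fail to be translated for) the ISP1 address. Keying the NAT rule on the outgoing interface with a route-map that carries `match interface` lets the same inside hosts be translated to whichever outside interface PBR actually chose. The interface names, the 10.10.10.0/24 LAN, the track objects 111/122 and the placeholders ISP1-IP/ISP2-IP are taken from the config above; the `LAN` access-list and `NAT-ISP1`/`NAT-ISP2` route-map names are assumptions chosen for this example.

```cisco
! Added example: NAT keyed on the egress interface chosen by PBR (IOS syntax).
! Assumed names: access-list LAN, route-maps NAT-ISP1 / NAT-ISP2.

! One list covering every inside host that may use either ISP.
ip access-list standard LAN
 permit 10.10.10.0 0.0.0.255
!
! The route-map decides the translation by the interface the packet leaves on,
! so a host normally NATted on ISP1 is NATted on ISP2 after PBR fails it over.
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1.10
!
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1.20
!
! Remove the list-based rules from the original config; they are matched by
! source address alone and would keep winning regardless of egress interface.
no ip nat inside source list ISP1 interface GigabitEthernet0/1.10 overload
no ip nat inside source list ISP2 interface GigabitEthernet0/1.20 overload
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1.10 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1.20 overload
!
! The PBR route-map "test" from the original config stays unchanged; it still
! picks the ISP per source host and falls back on the tracked next hop.
!
! Tie the default routes to the same track objects so traffic that PBR does
! not classify (and return paths) also fails over instead of being sprayed
! over two equal-cost defaults, one of which is dead.
no ip route 0.0.0.0 0.0.0.0 192.168.10.2
no ip route 0.0.0.0 0.0.0.0 192.168.20.2
ip route 0.0.0.0 0.0.0.0 192.168.10.2 track 111
ip route 0.0.0.0 0.0.0.0 192.168.20.2 10 track 122
!
! Only needed if the probed addresses are beyond the directly connected
! next hops: host routes pin each SLA probe to its own ISP so the probe for
! ISP1 cannot succeed by leaving through ISP2.
ip route ISP1-IP 255.255.255.255 192.168.10.2
ip route ISP2-IP 255.255.255.255 192.168.20.2
```

To verify after a failover, `show track 111` should report the state as DOWN and `show ip nat translations` should show the ISP1 hosts with the Gi0/1.20 address as their inside global address. One caveat a practitioner should expect: translation entries that already existed before the failure keep their old inside global address until they age out, so long-lived flows may need `clear ip nat translation *` (or an EEM applet triggered by the track state change, not shown here) before they move to the surviving ISP.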