Solved

Failover with two ISP's and two VLans

Posted on 2007-10-20
Last Modified: 2011-10-03
Hi All,

I have ordered a Cisco 1811 with promising specs for my situation and very little documentation to support configuration. I could use SDM but since I'm striving for CCNA (someday) I would like to take a shot at the CLI. I have seen configs for elaborate (elaborate for me) load-balancing and failovers. I just need a simple failover to a second ISP if ISP 1 fails, while still supporting static NAT through ISP2.

Okay here it goes:

Have two different ISP's Fa0 & Fa1

Have two private subnets (2Vlans)

Need NAT from both VLANs to use Fa0, if Fa0 fails reroute all traffic to Fa1

Sounds simple enough, right? Why can't I figure it out? I am tinkering w/ route maps for PAT. But I still can't get the failover part with route maps (I think you use route maps as well).

Any familiarity with the topic? I will post a semi-config below, which I pretty much reverse engineered from another router using SDM:
________________________________________________________________

Globals
ip cef

ACLs

access-list 100 remark VLAN 1 Route Map
access-list 100 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 remark VLAN 2 Route Map
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

NAT

ip nat inside source static tcp 192.168.0.54 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.54 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.0.54 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.54 443 interface FastEthernet1 443
ip nat inside source static tcp 192.168.0.54 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.0.54 25 interface FastEthernet1 25
ip nat inside source static tcp 192.168.0.54 32000 interface FastEthernet0 32000
ip nat inside source static tcp 192.168.0.54 32000 interface FastEthernet1 32000
ip nat inside source static tcp 192.168.0.54 32001 interface FastEthernet0 32001
ip nat inside source static tcp 192.168.0.54 32001 interface FastEthernet1 32001
ip nat inside source static tcp 192.168.0.44 1494 interface FastEthernet0 1494
ip nat inside source static tcp 192.168.0.44 1494 interface FastEthernet1 1494
ip nat inside source static tcp 192.168.0.52 1723 interface FastEthernet0 1723
ip nat inside source static tcp 192.168.0.52 1723 interface FastEthernet1 1723
ip nat inside source PRIM_VLAN1_Natting interface FastEthernet0 overload
ip nat inside source PRIM_VLAN2_Natting interface FastEthernet1 overload

Route Maps

route-map PRIM_VLAN1_Natting permit 10
 match ip address 100

route-map PRIM_VLAN2_Natting permit 10
 match ip address 101

Routing

ip route 0.0.0.0 0.0.0.0 1.1.1.1 permanent
ip route 0.0.0.0 0.0.0.0 2.2.2.2 10 permanent

_________________________________________________

Would appreciate any direction on the how's and why's of this. I would settle for a how if your time is short.

Thanx everyone
Question by:vihunter

Accepted Solution

by:
bfason earned 750 total points
ID: 20114910
You are on the right track, just need to tune it a little bit. You only need 1 access list to define interesting traffic from both vlans. You have already determined routing by setting up 2 routes with different metrics. So now all you have to do is match the traffic to the interface and let the route-map take care of directing it. I've outlined the changes below but if something doesn't make sense I'll do my best to explain.

ACLs
access-list 100 remark NAT
access-list 100 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

NAT
ip nat inside source route-map ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload

Route Maps
route-map ISP1 permit
 match ip address 100
 match interface FastEthernet0/0

route-map ISP2 permit
 match ip address 100
 match interface FastEthernet0/1

Hope this helps
B
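To check what the accepted solution's single ACL plus `match interface` actually selects for a given flow, here is an added example (not from the thread or any poster) that evaluates access-list 100 the way IOS does, top down with first match and an implicit deny, and then applies the route-map's interface match. Interface names follow the accepted answer's FastEthernet0/0 and 0/1; the flows in the test are constructed.

```python
import ipaddress
from typing import List, Optional

# Added example, not from the thread: model of access-list 100 and the
# ISP1/ISP2 route-maps from the accepted answer.

class AclEntry:
    def __init__(self, action, src, src_wc, dst="any", dst_wc="0.0.0.0"):
        self.action, self.src, self.src_wc = action, src, src_wc
        self.dst, self.dst_wc = dst, dst_wc

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)

def evaluate_acl(acl: List[AclEntry], src: str, dst: str) -> str:
    """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if e.dst == "any" or wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"

# access-list 100 exactly as posted in the accepted answer
ACL_100 = [
    AclEntry("deny",   "192.168.200.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    AclEntry("permit", "192.168.200.0", "0.0.0.255"),
    AclEntry("deny",   "192.168.0.0",   "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    AclEntry("permit", "192.168.0.0",   "0.0.0.255"),
]

# route-map ISP1 / ISP2: match ip address 100 + match interface
ROUTE_MAPS = {"ISP1": "FastEthernet0/0", "ISP2": "FastEthernet0/1"}

def nat_route_map(src: str, dst: str, egress_if: str) -> Optional[str]:
    """Name of the route-map (and so the NAT statement) that translates the
    flow, or None when no 'ip nat inside source route-map' line applies."""
    if evaluate_acl(ACL_100, src, dst) != "permit":
        return None
    for name, iface in ROUTE_MAPS.items():
        if iface == egress_if:
            return name
    return None  # e.g. traffic leaving via a VLAN interface is never translated
```

Note that the third ACL line only covers VLAN 2 talking to itself, so VLAN 2 to VLAN 1 traffic is permitted by the ACL; it still stays out of NAT because it leaves through a VLAN interface and the `match interface` clause does not match.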

Author Comment

by:vihunter
ID: 20117332
First of All,

Thanx for the ACL tip.

After troubleshooting for the first few minutes when nothing worked, I finally remembered to apply NAT to the appropriate interfaces. Pinging Heaven!!!

Then I unplugged Fa0 to test failover, but unfortunately nothing happened again, and after an hour of troubleshooting still no resolution.

And one more thing. When I applied my static NATs it replaced all of the Fa0 NATs with Fa1 NATs, like it doesn't support incoming NATs to two different interfaces. Can I use route maps on statics as well, with two different WAN/IP addresses going to the same internal private IP? I heard route maps were supposed to save the world with their high uses of application methods. I would like to delve into this a lot more. But then business hours started creeping up on me so I had to quit till tomorrow.

Here is the post below of the appropriate config sections. If you need to see the firewall as well, let me know.



ACLs
access-list 100 remark -------------------------------------------------------------------------------
access-list 100 remark VLAN 1 and 2 Route Map and Natting
access-list 100 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark -------------------------------------------------------------------------------

NAT

ip nat inside source static tcp 192.168.0.54 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.54 80 interface FastEthernet1 80
ip nat inside source static tcp 192.168.0.54 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.0.54 443 interface FastEthernet1 443
ip nat inside source static tcp 192.168.0.54 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.0.54 25 interface FastEthernet1 25
ip nat inside source static tcp 192.168.0.54 32000 interface FastEthernet0 32000
ip nat inside source static tcp 192.168.0.54 32000 interface FastEthernet1 32000
ip nat inside source static tcp 192.168.0.54 32001 interface FastEthernet0 32001
ip nat inside source static tcp 192.168.0.54 32001 interface FastEthernet1 32001
ip nat inside source static tcp 192.168.0.44 1494 interface FastEthernet0 1494
ip nat inside source static tcp 192.168.0.44 1494 interface FastEthernet1 1494
ip nat inside source static tcp 192.168.0.52 1723 interface FastEthernet0 1723
ip nat inside source static tcp 192.168.0.52 1723 interface FastEthernet1 1723
ip nat inside source route-map ISP1 interface FastEthernet0 overload
ip nat inside source route-map ISP2 interface FastEthernet1 overload

Route Maps

route-map ISP1 permit
 match ip address 100
 match interface FastEthernet0

route-map ISP2 permit
 match ip address 100
 match interface FastEthernet1

Routing

ip route 0.0.0.0 0.0.0.0 1.1.1.1 permanent
ip route 0.0.0.0 0.0.0.0 2.2.2.2 10 permanent


Thanx so far,
D

Expert Comment

by:wingatesl
ID: 20128444
Normally we put a secondary IP address on each server and NAT the fa1 interface to the other IP address. Then the router doesn't complain.
Make the server .54 and .55 and then:
ip nat inside source static tcp 192.168.0.54 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.0.55 80 interface FastEthernet1 80
We have many sites configured like this and have OER running. Once OER is in place you can receive inbound connections on both ISPs to the same server.

Expert Comment

by:wingatesl
ID: 20128463
Sorry, for the failover:

ip sla 53
icmp-echo 4.2.2.2   <make this whatever you can ping on the outside>
timeout 500
freq 3
exit
track 13 rtr 53 reach
ip sla schedule 53 start now life forever
no ip route 0.0.0.0 0.0.0.0 1.1.1.1 permanent
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 13
ip route 4.2.2.2 255.255.255.255 1.1.1.1 1

Then, when the ping to 4.2.2.2 fails, the route to 1.1.1.1 is removed.



Author Comment

by:vihunter
ID: 20129044
I haven't been able to test successfully because it seems ISP 2 has some sort of filter that disallows use besides the existing router now in place. So I haven't been able to test failover effectively. Until the RF technician comes onsite tomorrow, it has given me some time to reevaluate.

First, NAT - I have researched a command using route maps that will allow the dual ISP config.  Don't know if it will work as yet, but I'm giving it a shot.  I will post the config and see if it makes sense to you:

NAT

conf t
ip nat inside source static tcp 192.168.0.54 80 x.x.x.x 80 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 80 y.y.y.y 80 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 443 x.x.x.x 443 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 443 y.y.y.y 443 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 25 x.x.x.x 25 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 25 y.y.y.y 25 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32000 x.x.x.x 32000 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32000 y.y.y.y 32000 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32001 x.x.x.x 32001 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32001 y.y.y.y 32001 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.44 1494 x.x.x.x 1494 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.44 1494 y.y.y.y 1494 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.52 1723 x.x.x.x 1723 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.52 1723 y.y.y.y 1723 route-map isp2-static-nat extendable
ip nat inside source route-map isp1-failover interface FastEthernet0 overload
ip nat inside source route-map isp2-failover interface FastEthernet1 overload
exit

Route Maps

conf t
route-map isp1-failover permit 10
match ip address 100
match interface FastEthernet0
exit
exit
conf t
route-map isp2-failover permit 10
match ip address 100
match interface FastEthernet1
exit
exit
conf t
route-map isp1-static-nat permit 10
match interface FastEthernet0
exit
exit
conf t
route-map isp2-static-nat permit 10
match interface FastEthernet1
exit
exit


Second, routing - I know routers have a hard time telling if an Ethernet connection is down unless it physically (power) goes down. I like what I see so far with SLA, and I will try it. My questions are: can the outside interface be a gateway or DNS server of ISP 1? And how will the ISP 1 interface know when to come back online? Because it will be able to ping, let's say, the ISP 1 DNS server while using ISP 2?

My questions may sound rhetorical to you, but please be patient. It's been over ten years since I configured a Cisco router from scratch and I am learning again. But I am a fast learner and the CLI is coming back to me post haste. GUI (SDM) is nothing compared to CLI, you already knew that, I'm sure :)

Thanx again in advance...

Assisted Solution

by:wingatesl
wingatesl earned 750 total points
ID: 20130410
You can easily leave that second connection behind another NAT. Just put a private IP on the FA1 interface and forward all ports through the DSL modem. Tracking the DNS of the other ISP is fine, but I prefer to pick something out in the wild blue. The ping attempt will continue as long as the SLA is running, so when it succeeds, the route is reinstated. We can also add OER to the mix and use both connections at the same time. As for the SDM, we do the base configuration for all routers from the SDM for consistency. It just works first time every time and they are all the same. Then we go CLI to put in the advanced commands. The route-maps to get around the overlapping NAT look like they would work, but I have never used them.

Author Comment

by:vihunter
ID: 20142907
I did a bit more research, and everything is working fine. I would not have explored these avenues if it wasn't for you guys' guidance. Thanks a million!!! I will post the config for future use by other users:

NAT

conf t
ip nat inside source static tcp 192.168.0.54 80 x.x.x.x 80 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 80 y.y.y.y 80 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 443 x.x.x.x 443 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 443 y.y.y.y 443 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 25 x.x.x.x 25 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 25 y.y.y.y 25 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32000 x.x.x.x 32000 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32000 y.y.y.y 32000 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32001 x.x.x.x 32001 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.54 32001 y.y.y.y 32001 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.44 1494 x.x.x.x 1494 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.44 1494 y.y.y.y 1494 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.52 1723 x.x.x.x 1723 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.52 1723 x.x.x.x 1701 route-map isp1-static-nat extendable
ip nat inside source static tcp 192.168.0.52 1723 y.y.y.y 1723 route-map isp2-static-nat extendable
ip nat inside source static tcp 192.168.0.52 1723 y.y.y.y 1701 route-map isp2-static-nat extendable
ip nat inside source route-map isp1-failover interface FastEthernet0 overload
ip nat inside source route-map isp2-failover interface FastEthernet1 overload
exit

Route Maps

conf t
route-map isp1-failover permit 10
match ip address 100
match interface FastEthernet0
exit
exit
conf t
route-map isp2-failover permit 10
match ip address 100
match interface FastEthernet1
exit
exit
conf t
route-map isp1-static-nat permit 10
match interface FastEthernet0
exit
exit
conf t
route-map isp2-static-nat permit 10
match interface FastEthernet1
exit
exit

Routing

conf t
ip route 0.0.0.0 0.0.0.0 FastEthernet0 x.x.x.x track 100
ip route 0.0.0.0 0.0.0.0 FastEthernet1 y.y.y.y 10
exit

ip sla 100
icmp-echo 204.8.65.97 source-interface Fastethernet0
timeout 500
frequency 3

ip sla schedule 100 life forever start-time now

track 100 rtr 100 reachability
delay down 10 up 20
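The failover behaviour that wingatesl's IP SLA post and the final config above rely on is easier to reason about when modelled, so here is an added example (not from the thread or any poster): the track only follows the probe after the new state has held for the configured `delay down 10` / `delay up 20`, the tracked default route via FastEthernet0 is withdrawn while the track is down, and the `match interface` route-map follows whichever default route is live. Timing is simplified by assumption: the delay is counted from the first probe that disagrees with the track, and the probe sequence is constructed.

```python
from typing import List, Optional, Tuple

# Added example, not from the thread: model of `track 100 rtr 100 reachability`
# with `delay down 10 up 20` driving the two default routes in the final config.

class TrackedFailover:
    def __init__(self, frequency: int = 3, delay_down: int = 10, delay_up: int = 20):
        self.frequency = frequency      # ip sla 100 ... frequency 3
        self.delay_down = delay_down    # track 100: delay down 10
        self.delay_up = delay_up        # track 100: delay up 20
        self.now = 0                    # seconds since `ip sla schedule ... start-time now`
        self.raw_up = True              # latest icmp-echo reachability result
        self.track_up = True            # track 100 state as seen by the routing table
        self.pending_since: Optional[int] = None

    def probe(self, reachable: bool) -> None:
        """Feed one icmp-echo result; the clock advances by `frequency` seconds."""
        self.now += self.frequency
        if reachable != self.raw_up:
            self.raw_up = reachable
            # start the delay timer if the probe disagrees with the track,
            # cancel it if a flap brought the probe back in line (damping)
            self.pending_since = self.now if reachable != self.track_up else None
        if self.pending_since is not None:
            delay = self.delay_up if self.raw_up else self.delay_down
            if self.now - self.pending_since >= delay:
                self.track_up = self.raw_up
                self.pending_since = None

    def active_default(self) -> Tuple[str, int]:
        """(egress interface, administrative distance) of the installed default route."""
        if self.track_up:
            return ("FastEthernet0", 1)   # ip route 0.0.0.0 0.0.0.0 FastEthernet0 x.x.x.x track 100
        return ("FastEthernet1", 10)      # ip route 0.0.0.0 0.0.0.0 FastEthernet1 y.y.y.y 10

    def nat_route_map(self) -> str:
        """`match interface` ties the PAT statement to the live default route."""
        iface, _ = self.active_default()
        return "isp1-failover" if iface == "FastEthernet0" else "isp2-failover"

def simulate(results: List[bool]) -> List[Tuple[int, bool, str]]:
    """(time, track_up, route-map) after each constructed probe result."""
    fo = TrackedFailover()
    out = []
    for r in results:
        fo.probe(r)
        out.append((fo.now, fo.track_up, fo.nat_route_map()))
    return out
```

With probes every 3 seconds, a dead link moves traffic to isp2-failover after the fourth failed probe, and a single stray reply during the 20-second recovery window restarts the up timer instead of flipping the route back.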

Expert Comment

by:bfason
ID: 20142985
Great!

Author Comment

by:vihunter
ID: 20897455
wingatesl, if you are still available for comment, may I ask you a follow-up question?