
Tuesday, July 8, 2014

Cisco Redundancy (PBR with IP SLA)


Suppose we have two ISP links and need redundancy: if either ISP goes down, the other takes over, and vice versa. Normally the two private IP blocks are NATed out through the two ISPs.

ISP 1 = 100.100.100.1
ISP 2 = 200.200.200.1
Router F0/0 = 100.100.100.2
Router F0/1 = 200.200.200.2
Router F1/0.100 (LAN1) = 192.168.100.0/24
Router F1/0.200 (LAN2) = 192.168.200.0/24

Configs

track 1 ip sla 1 reachability
delay down 1 up 1

track 2 ip sla 2 reachability
delay down 1 up 1

ip sla 1
icmp-echo 100.100.100.1 source-interface FastEthernet0/0
timeout 5000
threshold 5000
! if the latency on this link goes beyond 5000 ms, this SLA will consider the link failed
frequency 5
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 200.200.200.1 source-interface FastEthernet0/1
timeout 5000
threshold 5000
! if the latency on this link goes beyond 5000 ms, this SLA will consider the link failed
frequency 5
ip sla schedule 2 life forever start-time now

ip access-list extended LAN1_ACL
! needed so the policy is not applied to inter-LAN traffic
deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any

ip access-list extended LAN2_ACL
! needed so the policy is not applied to inter-LAN traffic
deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 any

route-map LAN1_INTERNET_POLICY permit 10
match ip address LAN1_ACL
set ip next-hop verify-availability 100.100.100.1 1 track 1
set ip next-hop verify-availability 200.200.200.1 2 track 2

route-map LAN2_INTERNET_POLICY permit 10
match ip address LAN2_ACL
set ip next-hop verify-availability 200.200.200.1 1 track 2
set ip next-hop verify-availability 100.100.100.1 2 track 1

interface f0/0
ip nat outside

interface f0/1
ip nat outside

int f1/0.100
ip nat inside
ip policy route-map LAN1_INTERNET_POLICY

int f1/0.200
ip nat inside
ip policy route-map LAN2_INTERNET_POLICY

At this point the network failover part of the config is complete: if one
link goes down, the router switches to the other available link. Notice
that each PBR route-map carries two ip next-hop entries, and the sequence
number tells the router which next-hop to try first; with five ISPs you
would have five entries, using the sequence numbers to set the priority.
Also notice that we first had to deny inter-LAN traffic from matching the
policy. This matters only if your LANs pass through the router to reach
each other; without the deny lines the policy would send inter-LAN traffic
to the ISP next-hop and break inter-LAN communication. If inter-LAN traffic
is switched internally and never crosses the router, the deny lines in the
ACLs are not needed.

The next step is NAT failover. Strictly it is not a failover but
multi-homing: the router automatically builds the right NAT entry for any
traffic traversing it, whatever the number of ISPs available. The config
is as follows:

ip access-list standard NAT_ACL
permit any

route-map ISP1_NAT permit 10
match ip address NAT_ACL
match interface f0/0

route-map ISP2_NAT permit 10
match ip address NAT_ACL
match interface f0/1

ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface FastEthernet0/1 overload

That's it! We are done. Notice that our NAT ACL simply matches any traffic
and the same ACL is used in both ISP NAT route-maps; only the matched
interfaces differ. You could equally configure the NAT ACL to permit only
the two internal subnets (192.168.100.0/24 and 192.168.200.0/24) instead of
any, and it would achieve the same thing. The bottom line is that the NAT
ACL must match and permit all traffic that will require NAT, whether it is
leaving via its primary or its secondary ISP. What enforces which ISP each
LAN uses at any given time is the PBR applied on its respective LAN
sub-interface.

Optionally, if you want to test this failover with a continuous ping, you
might need to add ip nat translation icmp-timeout 1 so that the existing
ICMP translation expires quickly instead of staying bound to the failed ISP.
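To see how the pieces above interact, here is an added Python model of the failover logic (example code, not part of the original post or any Cisco tool). It replays constructed %TRACK-6-STATE syslog lines to derive the track states, then applies the page's two PBR policies (sequence order, inter-LAN deny) and the egress-interface NAT route-maps to decide which next-hop and NAT interface a given flow gets; the syslog line format and the destination address are assumptions.

```python
import ipaddress
import re

# Topology from the post: each ISP next-hop is guarded by the track of the same number.
ISP = {1: ("100.100.100.1", "FastEthernet0/0"), 2: ("200.200.200.1", "FastEthernet0/1")}
LAN = {"LAN1": ipaddress.ip_network("192.168.100.0/24"),
       "LAN2": ipaddress.ip_network("192.168.200.0/24")}
# route-map LAN1_INTERNET_POLICY / LAN2_INTERNET_POLICY: tracks in sequence order (1 first).
POLICY = {"LAN1": [1, 2], "LAN2": [2, 1]}

# Assumed IOS syslog shape for a track transition (constructed, not captured from a device).
TRACK_RE = re.compile(r"%TRACK-6-STATE: (\d+) ip sla \d+ reachability \w+ ?-> ?(\w+)")


def track_states(syslog_lines, initial=None):
    """Replay TRACK-6-STATE messages and return {track_number: is_up}."""
    state = dict(initial or {1: True, 2: True})   # both ISPs up until a log says otherwise
    for line in syslog_lines:
        m = TRACK_RE.search(line)
        if m:
            state[int(m.group(1))] = m.group(2).lower() == "up"
    return state


def egress(src, dst, tracks):
    """Mimic PBR + NAT route-maps for one flow.

    Returns (next_hop, nat_interface) when the policy routes the flow,
    or None when the flow is left to the normal routing table.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lan = next((name for name, net in LAN.items() if s in net), None)
    if lan is None:
        return None                      # policy is only applied on the LAN sub-interfaces
    if any(d in net for net in LAN.values()):
        return None                      # ACL deny line: inter-LAN traffic skips the policy
    for trk in POLICY[lan]:              # verify-availability walks sequence 1, then 2
        if tracks.get(trk):
            hop, iface = ISP[trk]
            return hop, iface            # ISPx_NAT route-map matches this egress interface
    return None                          # all tracked next-hops down: fall through to routing


if __name__ == "__main__":
    logs = ["Jul  8 10:00:01: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down"]
    st = track_states(logs)
    print("LAN1 after ISP1 failure:", egress("192.168.100.10", "203.0.113.10", st))
```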

========== Tayab Khan =========
============================
