[c-nsp] RE: cisco-nsp Digest, Vol 34, Issue 78

Nassess, George (Contractor) George.Nassess at gmacrfc.com
Mon Sep 26 12:38:07 EDT 2005


Not sure if you guys had seen this or not, but there was a Packet
article regarding the use of policy based routing to accomplish this
objective, which we used as a guide to set up something similar for a
client (outside of the NAT requirement, but this should not make much
difference).

Here is a link to the original article.  

http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q2-04/department_techtips.html

HTH, 

George "Gus" Nasses
Contract Network Analyst


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
cisco-nsp-request at puck.nether.net
Sent: Monday, September 26, 2005 11:02 AM
To: cisco-nsp at puck.nether.net
Subject: cisco-nsp Digest, Vol 34, Issue 78

Send cisco-nsp mailing list submissions to
	cisco-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
	cisco-nsp-request at puck.nether.net

You can reach the person managing the list at
	cisco-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."


Today's Topics:

   1. RE: Simple NAT based IOS failover between providers (Chris Moore)
   2. RE: Simple NAT based IOS failover between providers (Robert Boyle)
   3. IGMP Fallback (christian.macnevin at uk.bnpparibas.com)


----------------------------------------------------------------------

Message: 1
Date: Mon, 26 Sep 2005 09:25:46 -0600
From: "Chris Moore" <chris.moore at gmd.com>
Subject: RE: [c-nsp] Simple NAT based IOS failover between providers
To: "Robert Boyle" <robert at tellurian.com>, "cisco-nsp"
	<cisco-nsp at puck.nether.net>
Message-ID: <89FD4A6DE83AA8408D8BEF7EEDA05EA6FD3926 at gmdlwd1exchcp1a>
Content-Type: text/plain; charset="us-ascii"

Just as a "general architecture" comment:

First, understand exactly what you are trying to do. For outgoing
traffic, it's really easy. You just have two default routes out two
public interface and tell them both to NAT. Use route metrics to
determine primary/secondary. That's what your $79 consumer router is
doing. Really simple.

Incoming traffic is a different story. Sure - it's easy enough to have
two NATing interfaces and just have two sets of NAT mappings. But how
does "the world" know to go to the other set of addresses? You need DNS
for that. So that means doing your own DNS or working with someone who
will let you run scripts to do DNS updates. Then have a script that goes
out and changes DNS when one of the links goes down. The script is
pretty simple - you should be able to find plenty of examples online.
Some ISPs and other companies (DynDNS.org comes to mind) offer managed
functionality like this.

Chris  

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Boyle
Sent: Monday, September 26, 2005 9:02 AM
To: cisco-nsp
Subject: [c-nsp] Simple NAT based IOS failover between providers


Hello,

We opened a ticket with the TAC and were told this was not possible. I
don't believe it. Many $79 generic Asian routers sold at office supply
stores can do this out of the box so I have to believe that Cisco with
10+ years of IOS development and a $1500 router can do something this
simple. 
Situation details below:

Router with two "outside" interfaces - both Ethernet in the cheap
routers, or WIC-1DSU-T1 and WIC-1ADSL in our Cisco example. The router
has one "inside" Ethernet interface which runs NAT with IPSEC passthrough.

The first outside interface is connected to ISP A (us in this case). The
other outside interface is connected to ISP B (the local telco or cable
company in this case).

The router is configured so ISP A is the primary Internet link and it
pings the far side of the WAN connection to determine if the link is up.
When the primary link is up, all traffic is NAT mapped and sourced from
the primary WAN IP. If the ping fails, the router changes the NAT
mappings to use the second link with ISP B and all packets after that
point are sourced from the second WAN interface IP address. Fail back
can be automatic after a timer expires or a manual process such as a
reboot. I don't really care either way, but I do need the failover from
ISP A to ISP B to be automatic based on interface state, ping, or some
other reliable method. I have seen some documentation for IOS which
enables changing routes based on a ping response, but how do I change
the NAT mappings as well? A working real config or a pointer to a
cookbook example would be great! We have Cisco PIX boxes doing IPSEC
behind these 1721s and 28xx routers at these sites and timers set to 1
minute on the PIXes so they will reconnect within a minute if the
primary link fails. I believe that there HAS to be a way to make a Cisco
IOS router do something that a $79 consumer router can do! Thanks in
advance for any assistance!

-Robert

Before anyone suggests another method such as BGP, that won't work. We
can't provide the secondary link to these locations since they are
isolated small offices in independent telephone territories or cable is
the only option as ISP B (and ISP B doesn't speak BGP.) Thanks!



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 "Well done is
better than well said." - Benjamin Franklin

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



------------------------------

Message: 2
Date: Mon, 26 Sep 2005 11:44:34 -0400
From: Robert Boyle <robert at tellurian.com>
Subject: RE: [c-nsp] Simple NAT based IOS failover between providers
To: "Chris Moore" <chris.moore at gmd.com>,	"cisco-nsp"
	<cisco-nsp at puck.nether.net>
Message-ID: <6.2.1.2.2.20050926113748.0603aeb0 at mail.tellurian.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 11:25 AM 9/26/2005, Chris Moore wrote:
>Just as a "general architecture" comment:
>
>First, understand exactly what you are trying to do. For outgoing

Thanks. I do understand what I'm trying to do. Perhaps I haven't
expressed myself clearly enough.

>traffic, it's really easy. You just have two default routes out two
>public interface and tell them both to NAT. Use route metrics to
>determine primary/secondary. That's what your $79 consumer router is
>doing. Really simple.

However, it doesn't work like that with IOS. I need it to fail over from
the primary to the secondary and simply changing the routes doesn't
accomplish that with IOS NAT in the test configs we have used. The $79
consumer router actively monitors the primary link for end to end
connectivity and switches when connectivity is lost. This is what I need
from the IOS based router as well.

>Incoming traffic is a different story. Sure - it's easy enough to have
>two NATing interfaces and just have two sets of NAT mappings. But how
>does "the world" know to go to the other set of addresses? You need DNS
>for that. SO that means doing your own DNS or working with someone who
>will let you run scripts to do DNS updates. Then have a script that
goes
>out and changes DNS when one of the links goes down. The script is
>pretty simple - you should be able to find plenty of examples online.
>Some ISPs and other companies (DynDNS.org comes to mind) offer managed
>functionality like this.

I don't need anything inbound. These are remote offices which simply
need to be up 100% of the time.

-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

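The failover Robert asks for in his original post and restates above (primary link
monitored by ping, NAT source address following the live link, automatic fail back),
as an added example written for this digest rather than a config from anyone in the
thread. It assumes a current IOS image with IP SLA, object tracking and EEM (the
2005-era equivalents were "rtr" and "track N rtr N reachability"), assumed interface
names, RFC 5737 documentation addresses, and an assumed probe host 203.0.113.250 that
sits beyond ISP A's access router:

```cisco-ios
! Added example (not from the thread). Assumed addressing, all from RFC 5737
! documentation ranges, and assumed interface names:
!   LAN             FastEthernet0/0  192.168.1.0/24
!   ISP A (primary) Serial0/0        203.0.113.2/30, next hop 203.0.113.1
!   ISP B (backup)  FastEthernet0/1  198.51.100.2/30, next hop 198.51.100.1
!   Probe target    203.0.113.250    a host beyond ISP A's access router (assumed)
!
interface FastEthernet0/0
 description LAN (inside)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description ISP A (primary outside)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description ISP B (backup outside)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Pin the probe target to ISP A. Without this host route the probe would
! follow the default route after failover, succeed via ISP B, and the router
! would fail back while ISP A is still dead.
ip route 203.0.113.250 255.255.255.255 203.0.113.1
!
! Reachability probe: ICMP echo every 5 s, sourced from the ISP A interface.
ip sla 1
 icmp-echo 203.0.113.250 source-interface Serial0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Object tracking with dampening: declare down after 10 s of failures,
! up only after 30 s of success, so a flapping link does not churn NAT.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route exists only while track 1 is up; the floating static
! (administrative distance 10) via ISP B takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Translate only LAN sources.
ip access-list extended LAN-TO-INTERNET
 permit ip 192.168.1.0 0.0.0.255 any
!
! One route-map per outside interface: "match interface" ties the NAT rule to
! the interface the packet is actually leaving on, so the source address
! follows the routing decision instead of being fixed to one interface.
route-map NAT-ISP-A permit 10
 match ip address LAN-TO-INTERNET
 match interface Serial0/0
!
route-map NAT-ISP-B permit 10
 match ip address LAN-TO-INTERNET
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-ISP-A interface Serial0/0 overload
ip nat inside source route-map NAT-ISP-B interface FastEthernet0/1 overload
!
! Existing translations stay bound to the old outside address after a route
! change, which is why "just changing the routes" appears not to work. Flush
! them whenever the track changes state (either direction) so new sessions,
! including the PIX IPsec peers, are rebuilt from the live interface.
event manager applet NAT-FAILOVER
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 changed state: NAT translations cleared"
```

Three things to check before trusting it: "show track 1" should go down within about
15 s of pulling the ISP A probe target, "show ip nat translations" should be empty
immediately afterwards and then refill with 198.51.100.2 as the global address, and the
PIX tunnels should come back once their own one-minute timers expire. The probe host
must be beyond the ISP's access router, not the next hop itself, or a dead upstream
with a live local loop will never trigger. If ISP B is the ADSL card running PPPoE,
"ip nat outside" and the NAT-ISP-B route-map belong on the Dialer interface rather than
a physical one.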


------------------------------

Message: 3
Date: Mon, 26 Sep 2005 16:49:36 +0100
From: christian.macnevin at uk.bnpparibas.com
Subject: [c-nsp] IGMP Fallback
To: cisco-nsp at puck.nether.net
Message-ID: <OF69A6EDC0.C807BCDC-ON80257088.0056D2C4-80257088.0056F450 at bnpparibas.com>
	
Content-Type: text/plain; charset="US-ASCII"

Hi all,

I've seen IGMP Fallback described before, but it was only ever on one
page on CCO, and I've lost the link. Google's not returning anything.

Anybody got a link for me?

Thanks
Christian


------------------------------


End of cisco-nsp Digest, Vol 34, Issue 78
*****************************************