[c-nsp] Simple NAT based IOS failover between providers

Rodney Dunn rodunn at cisco.com
Mon Sep 26 16:27:29 EDT 2005


On Mon, Sep 26, 2005 at 02:02:34PM -0400, Robert Boyle wrote:
> At 12:32 PM 9/26/2005, Rodney Dunn wrote:
> >Set up your NAT with route-maps to match on interface.
> >Depending on which interface the traffic is routed out
> >of will govern which interface your traffic gets nat'ed
> >to (ie: overload or pool) specific to that ISP.
> 
> Thanks, Rodney! Do you have an article or an example? I've never seen an 
> actual IOS config for anything this complicated before.

There may be one more similar but not sure:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Just use match interface in the route-map rather than match on an
ACL and in the NAT just do "interface X overload" vs. doing it to a pool.

For the route tracking just search on "static routes object tracking" and
there are some sample configs out there on CCO.

> 
> >Then you implement a way to make the route failover via
> >IP SLA (previously called SAA) to float your static route
> >from being up on the primary to switching over to the backup.
> >
> >If the IP SLA object comes back the primary route will come
> >back in and your NAT will follow.
> 
> Excellent. I'll search for this on CCO. Does anyone have a working config 
> like this or is there a magic word I need to say to TAC to get an 
> engineer on the phone who understands this and can help come up with a 
> working config?

"I would like help configuring NAT for two connections using
route-maps in conjunction with NAT overload on each interface
for failover. I would also like an IP SLA configuration to
force the default route to failover when the ISP connection is
down (ie: detected via ping to a destination ip address)."

> 
> When the T1 and DSL are both on our network, we just use a private AS and 
> BGP and it works fine because the loopback IP address (which is the 
> overloaded outside NAT interface) is always the same. In this situation, we 
> don't have that option.
>

Yep..

 
> >The gotcha I think with this is that any existing flow that
> >is being NAT'ed will fail until it times out because
> >a new translation on the new interface will have to be created.
> 
> The NAT timer can be set to a low value such as 1 minute, correct? If so, I 
> don't think this will be a problem. A momentary 1-2 minute loss is 
> acceptable. 

Yeah. I was gonna go way out and tell you you could have an object to
track and when that object changes to tell you ISP A is down it would
kick off a TCL script for an EEM policy and you could code it to do
anything you want.  But that's pretty cutting edge that very few people
get just yet.

> Client machines will lose their connections and simply reconnect.
> 

Yep.


I'll try and cook up a config on the fly.

> -Robert
> 
> 
> Tellurian Networks - The Ultimate Internet Connection
> http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> "Well done is better than well said." - Benjamin Franklin
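
Putting Rodney's pieces together (interface-matched route-maps, per-interface overload, and an IP SLA tracked default route), here is an added example config, not one from the thread or from Cisco's own tech note. Interface names, the 192.168.1.0/24 inside network, and the 198.51.100.x / 203.0.113.x ISP addresses are made-up placeholders; the syntax is the `ip sla` form, while older releases spell it `ip sla monitor` (or `rtr`) with `track 1 rtr 1 reachability`.

```cisco
! Probe the primary ISP every 10 seconds; a host route pins the probe to
! the primary link so it cannot sneak out the backup after a failover.
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0
 frequency 10
ip sla schedule 1 life forever start-time now
ip route 198.51.100.1 255.255.255.255 Serial0/0
!
track 1 ip sla 1 reachability
!
! Primary default route is withdrawn when track 1 goes down; the floating
! static (AD 250) via the DSL side then takes over.
ip route 0.0.0.0 0.0.0.0 Serial0/0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 250
!
interface Serial0/0
 description ISP A (T1)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface Dialer0
 description ISP B (DSL)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 description inside LAN
 ip nat inside
!
! Only the inside network is eligible for translation.
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
!
! match interface selects the route-map by the interface the packet is
! routed out of, so the translation follows whichever default route is live.
route-map NAT-ISP-A permit 10
 match ip address NAT-INSIDE
 match interface Serial0/0
route-map NAT-ISP-B permit 10
 match ip address NAT-INSIDE
 match interface Dialer0
!
ip nat inside source route-map NAT-ISP-A interface Serial0/0 overload
ip nat inside source route-map NAT-ISP-B interface Dialer0 overload
!
! Short timeouts so stale translations from the dead ISP age out quickly.
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
```

`show track 1` and `show ip nat translations` are the checks to watch during a failover test: the track state should flip and the old translations should drain within the configured timeout.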

