[c-nsp] Simple NAT based IOS failover between providers

Rodney Dunn rodunn at cisco.com
Mon Sep 26 17:36:08 EDT 2005


The configuration will look similar to this:

ip sla monitor 1
 type echo protocol ipIcmpEcho 2.2.2.2 source-ipaddr 2.2.2.1
 timeout 200
 frequency 5
ip sla monitor reaction-configuration 1 react timeout threshold-type consecutive 3 action-type triggerOnly
ip sla monitor schedule 1 life forever start-time now
!
!
track 1 rtr 1
!
!
interface Ethernet0/0
 ip address 1.1.1.2 255.255.255.0
 ip nat inside
!
interface Serial2/0
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
 serial restart-delay 0
!
interface Serial3/0
 ip address 3.3.3.1 255.255.255.0
 ip nat outside
 serial restart-delay 0
!
!
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
ip route 0.0.0.0 0.0.0.0 3.3.3.2 240
!
ip nat inside source route-map a interface Serial2/0 overload
ip nat inside source route-map b interface Serial3/0 overload
!
!
route-map a permit 10
 match interface Serial2/0
!
route-map b permit 10
 match interface Serial3/0
!


The consecutive failures to trigger the failover don't seem to be
working in my test. I'm checking with DE on that one now.

Rodney


On Mon, Sep 26, 2005 at 04:27:29PM -0400, Rodney Dunn wrote:
> On Mon, Sep 26, 2005 at 02:02:34PM -0400, Robert Boyle wrote:
> > At 12:32 PM 9/26/2005, Rodney Dunn wrote:
> > >Setup your NAT with route-maps to match on interface.
> > >Depending on which interface the traffic is routed out
> > >of will govern which interface your traffic gets nat'ed
> > >to (ie: overload or pool) specific to that ISP.
> > 
> > Thanks, Rodney! Do you have an article or an example? I've never seen an 
> > actual IOS config for anything this complicated before.
> 
> There may be one more similar but not sure:
> 
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
> 
> Just use match interface in the route-map rather than match on an
> ACL and in the NAT just do "interface X overload" vs. doing it to a pool.
> 
> For the route tracking just search on "static routes object tracking" and
> there are some sample configs out there on CCO.
> 
> > 
> > >Then you implement a way to make the route failover via
> > >IP SLA (previously called SAA) to float your static route
> > >from being up on the primary to switching over to the backup.
> > >
> > >If the IP SLA object comes back the primary route will come
> > >back in and your NAT will follow.
> > 
> > Excellent. I'll search for this on CCO. Does anyone have a working config 
> > like this or is there a magic word I need to say to TAC to get an 
> > engineer on the phone who understands this and can help come up with a 
> > working config?
> 
> "I would like help configuring NAT for two connections using
> route-maps in conjunction with NAT overload on each interface
> for failover. I would also like an IP SLA configuration to
> force the default route to failover when the ISP connection is
> down (ie: detected via ping to a destination ip address)."
> 
> > 
> > When the T1 and DSL are both on our network, we just use a private AS and 
> > BGP and it works fine because the loopback IP address (which is the 
> > overloaded outside NAT interface) is always the same. In this situation, we 
> > don't have that option.
> >
> 
> Yep..
> 
>  
> > >The gotcha I think with this is that any existing flow that
> > >is being NAT'ed will fail until it times out because
> > >a new translation on the new interface will have to be created.
> > 
> > The NAT timer can be set to a low value such as 1 minute, correct? If so, I 
> > don't think this will be a problem. A momentary 1-2 minute loss is 
> > acceptable. 
> 
> Yeah. I was gonna go way out and tell you you could have an object to
> track and when that object changes to tell you ISP A is down it would
> kick off a TCL script for an EEM policy and you could code it to do
> anything you want.  But that's pretty cutting edge that very few people
> get just yet.
> 
> Client machines will lose their connections and simply reconnect.
> > 
> 
> Yep.
> 
> 
> I'll try and cook up a config on the fly.
> 
> > -Robert
> > 
> > 
> > Tellurian Networks - The Ultimate Internet Connection
> > http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> > "Well done is better than well said." - Benjamin Franklin
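
The selection logic of the configuration at the top of this message, as an added example that is not part of the original post: a Python sketch that reads the posted route, route-map and NAT lines and reports which exit interface and overload address traffic gets for a given state of track 1. The function names and the simplified parsing are assumptions made for illustration, and the sample input is constructed from the posted configuration.

```python
import ipaddress
import re

# Constructed input: the routing and NAT lines of the configuration posted above.
CONFIG = """\
interface Serial2/0
 ip address 2.2.2.1 255.255.255.0
interface Serial3/0
 ip address 3.3.3.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
ip route 0.0.0.0 0.0.0.0 3.3.3.2 240
ip nat inside source route-map a interface Serial2/0 overload
ip nat inside source route-map b interface Serial3/0 overload
route-map a permit 10
 match interface Serial2/0
route-map b permit 10
 match interface Serial3/0
"""

def parse(config):
    """Collect interface addresses, default routes, route-map matches and NAT rules."""
    ifaces, routes, rmaps, nats, ctx = {}, [], {}, [], None
    for line in config.splitlines():
        if m := re.match(r"(?:interface|route-map) (\S+)", line):
            ctx = m[1]
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            ifaces[ctx] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r" match interface (\S+)", line):
            rmaps[ctx] = m[1]
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?$", line):
            routes.append((int(m[2] or 1), ipaddress.ip_address(m[1]), m[3]))
        elif m := re.match(r"ip nat inside source route-map (\S+) interface (\S+) overload", line):
            nats.append((m[1], m[2]))
    return ifaces, routes, rmaps, nats

def egress(config, track_up):
    """Return (exit interface, NAT source address) for the given track-object states."""
    ifaces, routes, rmaps, nats = parse(config)
    # A tracked static route is usable only while its track object is up;
    # among usable default routes the lowest administrative distance wins.
    usable = [r for r in routes if r[2] is None or track_up.get(r[2], False)]
    if not usable:
        return None
    _, hop, _ = min(usable, key=lambda r: r[0])
    out = next(n for n, i in ifaces.items() if hop in i.network)
    # The NAT rule whose route-map matches the exit interface supplies the address.
    for rmap, nat_if in nats:
        if rmaps.get(rmap) == out:
            return out, str(ifaces[nat_if].ip)
    return out, None  # no NAT rule covers this exit interface
```

A result of (interface, None) means traffic would leave that link untranslated, which is the case to look for when a route-map names the wrong interface.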

