[c-nsp] Simple NAT based IOS failover between providers

Rodney Dunn rodunn at cisco.com
Wed Sep 28 15:20:41 EDT 2005


Ok.. I learned something, and to me it's counterintuitive, but it's
how it works today.

Each time a probe runs it updates a mib value saaCommonStats.latestReturnCode.

Now the tracking code checks that value. Therefore since the tracking
code checks a value that is changed after each probe execution the
reaction-configuration that specifies a threshold doesn't hold true.

Therefore, to get the delay to work you should set that under the track
option.

ie:

track 1 rtr 1
 delay down 10

So with this the first time the track code sees the object down
it will start a 10 second timer and check it again. If after
the 10 seconds the probe still has it marked down the route will
be removed. If it comes back up within the 10 seconds the route is
not modified.

The default delay for the track is 0 so on an up event the route
is reinstalled immediately by default.

Rodney

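As an added illustration of the delay behaviour described above (a model written for this page, not code from the list post or from IOS), here is a small Python simulation of a tracked static route: every probe result is read directly by the track object, a down result starts the "delay down" timer, and the route is only withdrawn if the object is still down when that timer expires; with the default "delay up" of 0 the route returns on the first successful probe. The probe sequences and return codes are constructed; the 5-second spacing mirrors the "frequency 5" in the quoted config.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UP, DOWN = "up", "down"


@dataclass
class TrackedRoute:
    """Model of 'track 1 rtr 1' with 'delay down/up' gating a static route.
    Constructed for illustration; not IOS code."""
    delay_down: float = 10.0        # 'delay down 10'
    delay_up: float = 0.0           # IOS default: reinstall immediately
    state: str = UP                 # committed track state
    route_installed: bool = True
    pending: Optional[str] = None   # state the delay timer is waiting to commit
    pending_since: Optional[float] = None
    events: List[Tuple[float, str]] = field(default_factory=list)

    def probe(self, now: float, return_code: str) -> None:
        # The track object reads latestReturnCode after *every* probe run,
        # so a 'threshold-type consecutive 3' reaction never gates it.
        observed = UP if return_code == "ok" else DOWN
        if observed == self.state:
            # Back to the committed state before the timer ran out: cancel it.
            self.pending = self.pending_since = None
            return
        if self.pending != observed:
            self.pending, self.pending_since = observed, now   # start timer
        delay = self.delay_down if observed == DOWN else self.delay_up
        if now - self.pending_since >= delay:                  # timer expired, still changed
            self.state = observed
            self.route_installed = observed == UP
            self.pending = self.pending_since = None
            self.events.append((now, "route installed" if self.route_installed
                                else "route removed"))


def run(probes, delay_down: float = 10.0):
    """Feed (time, return_code) probe results through the model; return route events."""
    track = TrackedRoute(delay_down=delay_down)
    for now, rc in probes:
        track.probe(now, rc)
    return track.events


# Constructed probe histories, one result every 5 seconds.
FLAP = [(0, "ok"), (5, "timeout"), (10, "ok"), (15, "ok")]               # recovers within 10 s
SUSTAINED = [(0, "ok"), (5, "timeout"), (10, "timeout"), (15, "timeout"), (20, "ok")]
IMMEDIATE = [(0, "ok"), (5, "timeout"), (10, "ok")]                       # used with delay 0

if __name__ == "__main__":
    print("delay down 10, brief flap:   ", run(FLAP))
    print("delay down 10, sustained:    ", run(SUSTAINED))
    print("default delay 0, single miss:", run(IMMEDIATE, delay_down=0))
```

The third case shows why the quoted configuration, which relies on the reaction-configuration threshold and has no delay under the track, withdraws the default route on a single missed probe.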

On Mon, Sep 26, 2005 at 05:36:08PM -0400, Rodney Dunn wrote:
> The configuration will look similar to this:
> 
> ip sla monitor 1
>  type echo protocol ipIcmpEcho 2.2.2.2 source-ipaddr 2.2.2.1
>  timeout 200
>  frequency 5
> ip sla monitor reaction-configuration 1 react timeout threshold-type consecutive 3 action-type triggerOnly
> ip sla monitor schedule 1 life forever start-time now
> !
> !
> track 1 rtr 1
> !
> !
> interface Ethernet0/0
>  ip address 1.1.1.2 255.255.255.0
>  ip nat inside
> !
> interface Serial2/0
>  ip address 2.2.2.1 255.255.255.0
>  ip nat outside
>  serial restart-delay 0
> !
> interface Serial3/0
>  ip address 3.3.3.1 255.255.255.0
>  ip nat outside
>  serial restart-delay 0
> !
> !
> ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
> ip route 0.0.0.0 0.0.0.0 3.3.3.2 240
> !
> ip nat inside source route-map a interface Serial2/0 overload
> ip nat inside source route-map b interface Serial3/0 overload
> !
> !
> route-map a permit 10
>  match interface Serial2/0
> !
> route-map b permit 10
>  match interface Serial3/0
> !
> 
> 
> The consecutive failures to trigger the failover doesn't seem to be
> working in my test. I'm checking with DE on that one now.
> 
> Rodney
> 
> 
> On Mon, Sep 26, 2005 at 04:27:29PM -0400, Rodney Dunn wrote:
> > On Mon, Sep 26, 2005 at 02:02:34PM -0400, Robert Boyle wrote:
> > > At 12:32 PM 9/26/2005, Rodney Dunn wrote:
> > > >Set up your NAT with route-maps to match on interface.
> > > >Depending on which interface the traffic is routed out
> > > >of will govern which interface your traffic gets nat'ed
> > > >to (ie: overload or pool) specific to that ISP.
> > > 
> > > Thanks, Rodney! Do you have an article or an example? I've never seen an 
> > > actual IOS config for anything this complicated before.
> > 
> > There may be one more similar but not sure:
> > 
> > http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
> > 
> > Just use match interface in the route-map rather than match on an
> > ACL and in the NAT just do "interface X overload" vs. doing it to a pool.
> > 
> > For the route tracking just search on "static routes object tracking" and
> > there are some sample configs out there on CCO.
> > 
> > > 
> > > >Then you implement a way to make the route failover via
> > > >IP SLA (previously called SAA) to float your static route
> > > >from being up on the primary to switching over to the backup.
> > > >
> > > >If the IP SLA object comes back the primary route will come
> > > >back in and your NAT will follow.
> > > 
> > > Excellent. I'll search for this on CCO. Does anyone have a working config 
> > > like this or is there a magic word I need to say to TAC to get an 
> > > engineer on the phone who understands this and can help come up with a 
> > > working config?
> > 
> > "I would like help configuring NAT for two connections using
> > route-maps in conjunction with NAT overload on each interface
> > for failover. I would also like an IP SLA configuration to
> > force the default route to failover when the ISP connection is
> > down (ie: detected via ping to a destination ip address)."
> > 
> > > 
> > > When the T1 and DSL are both on our network, we just use a private AS and 
> > > BGP and it works fine because the loopback IP address (which is the 
> > > overloaded outside NAT interface) is always the same. In this situation, we 
> > > don't have that option.
> > >
> > 
> > Yep..
> > 
> >  
> > > >The gotcha I think with this is that any existing flow that
> > > >is being NAT'ed will fail until it times out because
> > > >a new translation on the new interface will have to be created.
> > > 
> > > The NAT timer can be set to a low value such as 1 minute, correct? If so, I 
> > > don't think this will be a problem. A momentary 1-2 minute loss is 
> > > acceptable. 
> > 
> > Yeah. I was gonna go way out and tell you you could have an object to
> > track and when that object changes to tell you ISP A is down it would
> > kick off a TCL script for an EEM policy and you could code it to do
> > anything you want.  But that's pretty cutting edge that very few people
> > get just yet.
> > 
> > Client machines will lose their connections and simply reconnect.
> > > 
> > 
> > Yep.
> > 
> > 
> > I'll try and cook up a config on the fly.
> > 
> > > -Robert
> > > 
> > > 
> > > Tellurian Networks - The Ultimate Internet Connection
> > > http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> > > "Well done is better than well said." - Benjamin Franklin