[c-nsp] Backup/redundant internet connection
Paul Stewart
pstewart at nexicomgroup.net
Tue Dec 12 10:37:05 EST 2006
In most situations we have a 2811 for example:
interface Loopback0
 description OSPF Loopback
 ip address XXX.XXX.XXX.175 255.255.255.255
!
interface FastEthernet0/0
 description HSA-VLAN108
 ip address XXX.XXX.XXX.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 100
 load-interval 30
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description HSA-VLAN228
 ip address XXX.XXX.XXX.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip ospf cost 100
 load-interval 30
 duplex auto
 speed auto
!
interface Vlan10
 description NAT Network
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
For some reason, we got uneven costs on OSPF but manually set them both
to 100 even though they terminate on the same equipment through the same
paths on our side....
Paul
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of VCI Help Desk
Sent: Tuesday, December 12, 2006 10:10 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Backup/redundant internet connection
Yes, I could ping the loopback interface. Are you using IP
unnumbered with the physical interfaces and the loopback interface? I'm
not understanding how you get the traffic to pass thru the loopback for
NAT'ing instead of it passing directly thru to the physical interfaces.
Bill
----- Original Message -----
From: Paul Stewart
To: VCI Help Desk ; cisco-nsp at puck.nether.net
Sent: Tuesday, December 12, 2006 8:54 AM
Subject: RE: [c-nsp] Backup/redundant internet connection
We do loopback natting at several sites... make sure you are
redistributing "connected" via OSPF so that your loopback is seen on the
ISP backbone (presuming you have control over the CPE router)....
Can you ping the loopback address from outside the customer network?
Take care,
Paul
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of VCI Help Desk
Sent: Tuesday, December 12, 2006 9:31 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Backup/redundant internet connection
Let me try and explain the reason for using a Loopback.
When I tried this with a single router I needed three ethernet
interfaces 1) fiber connection, 2) DSL connection, 3) customer's LAN. We
wanted the customer's outbound NAT address to remain the same regardless
of the status of their fiber or DSL connection status. The 3rd interface
mentioned had an address of 192.168.1.1 for the customer's LAN gateway.
So I was hoping to use a Loopback interface to do the NAT'ing so it
would remain up regardless of the customer's internet connections. The
problem I had was I couldn't get the Loopback to do the NAT'ing. The
traffic never passed thru the Loopback interface. All outbound traffic
went directly to the fiber or DSL WAN interface.
Basically, I believe I can get the network described at
http://www.vci.net/Images/net.gif to work but I'd prefer a single router
version of this.
Bill
----- Original Message -----
From: Shakeel Ahmad
To: Joseph Jackson
Cc: Bill ; cisco-nsp at puck.nether.net
Sent: Tuesday, December 12, 2006 1:17 AM
Subject: Re: [c-nsp] Backup/redundant internet connection
Um isn't it possible to assign separate /30's to both fiber & DSL
connections and move the original /30 (which customer wants) to
customer's router's outside interface so that he can overload the NAT
on its own router ...
Basically I am confused why we are natting on Loopback? Using loopback
in OSPF is reasonably understandable but for NAT in this scenario .. if
someone can explain?
On 12/12/06, Joseph Jackson <JJackson at aninetworks.com> wrote:
Yes you are going to have to accept their netblock and then send it out
to their peers. I would check that they have at least a /24 from
bellsouth.net before doing this as a lot of people filter anything
smaller than a /24 and sometimes even /24's.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bill
Sent: Monday, December 11, 2006 6:44 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Backup/redundant internet connection
At my first attempt at this I connected the fiber and DSL as they
normally connect to anyone. This required a static /30 on the fiber and
a static DHCP address on the DSL. I then put a loopback address on the
customer's router. This method used only one router so it's not exactly
like the diagram referred to.
After that I set up NAT to use the loopback as the outside interface.
The problem here was the outgoing packets didn't seem to use the
loopback interface. Nothing was ever NAT'd, traffic didn't flow until I
set up NAT normally on the fiber interface. How can I get the traffic to
utilize a loopback interface for NAT'ing?
Also, can someone explain the BGP setup a little more? I manage the BGP
on our edge routers with route-maps and ACLs but I've never used it in
this fashion. Would the BGP routes on the ISP router redistribute the
BGP routes into the ISP's OSPF routes?
Related, I have another customer that is wanting this type of setup but
they want two internet connections on two different ISPs. Since this is
a small company with existing Bellsouth.net IP addresses wouldn't I need
to redistribute their Bellsouth IP addresses out my BGP?
Bill
----- Original Message -----
From: Alex Campbell
To: 'Bill'
Sent: Monday, December 11, 2006 5:02 PM
Subject: RE: [c-nsp] Backup/redundant internet connection
Give them a /30 on each link, a /29 of their own, and a private AS
number.
Have them send you the /29 (or whatever) via BGP, and send them 2
default routes via BGP. (of course, you could do the same with OSPF but
I think using IGPs for talking to external parties - even customers - is
a scary idea).
How did you set up NAT? Was the outside NAT address one of the /30s that
are in the diagram? This would explain the problem you were having. I
would use an address from the /29 as the NAT outside address.
Load balancing between a fibre circuit and a DSL line seems pretty
insane. If they need more capacity then why not just increase the speed
on the fibre circuit?
100% uptime with only one transit provider is close to impossible.
Hope this helps...
Alex
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net ] On Behalf Of Bill
Sent: Tuesday, 12 December 2006 9:48 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Backup/redundant internet connection
I have a customer who wants a backup internet connection. Right now they
have a fiber circuit. We can offer them a DSL line to serve as a backup.
The fiber and DSL line would terminate on two separate OSPF capable on
the ISP side (all in the same OSPF backbone). The customer has VPN as
well as mail and a web site. They want their IP address to remain the
same regardless of which internet connection is being used. I have a
diagram demonstrating a proposal I've made to my boss but I am wondering
if there is a simpler method - http://www.vci.net/Images/net.gif
I've tried a similar method using a single router (not two routers as
shown in the diagram) that I couldn't get to work. This alternate method
used a loopback interface that would perform the NAT functions. The
problem was I couldn't get the outbound traffic to be NAT'd. It went
directly to the physical outbound interface.
This method, with one or two routers, is based on using two separate
internet connections tied to the same ISP but using another IP address
that would represent the customer's public IP address and do the
NAT'ing. This way either internet connection could be down without
interrupting service to the customer. Load balancing might be nice but
not required. 100% uptime is the goal.
Anyone have experience with this? Is there a simpler way to set this up?
Any recommendations?
Bill
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
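Added example, not part of the thread and not any poster's configuration: one way to complete the single-router setup discussed above, where the loopback only supplies the translated address and the physical uplinks remain the `ip nat outside` interfaces that traffic actually leaves through. The addresses (RFC 5737 documentation ranges), OSPF process ID and area, ACL number, and the prefix-list and route-map names are assumptions. The route-map restricts `redistribute connected` to the loopback /32 so the private inside LAN is not advertised into the ISP's OSPF.

```cisco
! Illustrative configuration; all addresses and names below are assumed.
! The loopback is never a transit interface, so it carries no "ip nat"
! statement. It only lends its address to the overload translation.
interface Loopback0
 description NAT source address (stays up if either uplink fails)
 ip address 192.0.2.175 255.255.255.255
!
interface FastEthernet0/0
 description Uplink A (assumed)
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
 ip ospf cost 100
!
interface FastEthernet0/1
 description Uplink B (assumed)
 ip address 198.51.100.10 255.255.255.248
 ip nat outside
 ip ospf cost 100
!
interface Vlan10
 description NAT Network
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! Advertise only the loopback /32 upstream so return traffic can reach
! the translated address over whichever uplink is alive.
ip prefix-list NAT-LOOPBACK seq 5 permit 192.0.2.175/32
!
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list NAT-LOOPBACK
!
router ospf 1
 network 198.51.100.0 0.0.0.7 area 0
 network 198.51.100.8 0.0.0.7 area 0
 redistribute connected subnets route-map CONNECTED-TO-OSPF
!
! Inside hosts eligible for translation.
access-list 10 permit 192.168.2.0 0.0.0.255
!
! Translate to Loopback0's address regardless of the egress uplink.
ip nat inside source list 10 interface Loopback0 overload
```

On the router, `show ip nat translations` should list 192.0.2.175 as the inside global address for flows leaving through either uplink.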