[c-nsp] Dual ISP NAT Failover using PBR and Object Tracking

Nick Hilliard nick at foobar.org
Fri Jul 15 09:29:29 EDT 2011


I would add a delay in to both of the SLA definitions, slightly larger than
the frequency of the ip sla definition above:

> track 1 rtr 1 reachability
> !
> track 2 rtr 2 reachability

track 1 rtr 1 reachability
 delay down 7 up 7
track 2 rtr 2 reachability
 delay down 7 up 7

That means that if you miss two pings, the link won't flap.  Otherwise, you
will end up with flaps all over the place.  However, this isn't critical
for getting it working.

The rest of the configuration looks roughly correct except for two things:

1.  You need to implement traffic policy for ip traffic which is sourced on
the actual router (i.e. NAT traffic and pings to the box).  What you're
trying to do won't work properly without it.  So add the following:

--
ip local policy route-map LOCAL_TRAFFIC

access-list 50 permit X.X.X.your-end
access-list 51 permit W.W.W.your-end

route-map LOCAL_TRAFFIC permit 10
 match ip address 50
 set ip next-hop X.X.X.their-end
!
route-map LOCAL_TRAFFIC permit 20
 match ip address 51
 set ip next-hop W.W.W.their-end
--

2. You need both policy routing and default routes.  If you don't have
this, your IP SLA will fail during policy startup.  So:

remove these lines:
--
ip route 0.0.0.0 0.0.0.0 X.X.X.X track 2
ip nat inside source list LAN interface FastEthernet0/0 overload
ip nat inside source list LAN interface FastEthernet0/1.15 overload
--

insert these ones:
--
ip nat inside source route-map X-fail interface FastEthernet0/0 overload
ip nat inside source route-map W-fail interface FastEthernet0/1.15 overload

route-map X-fail permit 10
 match ip address LAN
 match interface FastEthernet0/0
 set ip next-hop X.X.X.their-end

route-map W-fail permit 10
 match ip address LAN
 match interface FastEthernet0/1.15
 set ip next-hop W.W.W.their-end
--

This is really messy to do right in IOS, but it does work - took ages to
get my configuration working correctly.  Now that it's there, it works very
well and my office users don't even notice when there's a DSL failover.

Nick
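
A consolidated version of the pieces described above, added here as an example and not part of the original post. The RFC 5737 addresses, the probe target 203.0.113.1, the LAN prefix and the sub-interface on FastEthernet0/1 are assumptions; the interface stanzas (with ip nat inside/outside) are omitted for brevity.

```ios
! Constructed addressing: ISP X on Fa0/0 (192.0.2.2, gateway .1),
! ISP W on Fa0/1.15 (198.51.100.2, gateway .1), LAN 10.0.0.0/24.
! Probe a host beyond each gateway, sourced from the ISP-facing interface,
! so the local policy further down steers each probe out its own link.
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.1 source-interface FastEthernet0/1.15
 frequency 5
 timeout 1000
ip sla schedule 2 life forever start-time now
! Track delay slightly longer than the probe frequency, so a single lost
! probe does not flip the track and flap the link.
track 1 rtr 1 reachability
 delay down 7 up 7
track 2 rtr 2 reachability
 delay down 7 up 7
! Ordinary default routes stay in place alongside PBR; the backup has a
! higher administrative distance and each is withdrawn when its track fails.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 2
ip access-list standard LAN
 permit 10.0.0.0 0.0.0.255
access-list 50 permit 192.0.2.2
access-list 51 permit 198.51.100.2
! Router-sourced packets (SLA probes, NAT, pings to the box) leave via the
! link that owns their source address.
ip local policy route-map LOCAL_TRAFFIC
route-map LOCAL_TRAFFIC permit 10
 match ip address 50
 set ip next-hop 192.0.2.1
route-map LOCAL_TRAFFIC permit 20
 match ip address 51
 set ip next-hop 198.51.100.1
! NAT keyed on the egress interface, so the translation follows whichever
! ISP a LAN packet actually leaves through.
ip nat inside source route-map X-fail interface FastEthernet0/0 overload
ip nat inside source route-map W-fail interface FastEthernet0/1.15 overload
route-map X-fail permit 10
 match ip address LAN
 match interface FastEthernet0/0
 set ip next-hop 192.0.2.1
route-map W-fail permit 10
 match ip address LAN
 match interface FastEthernet0/1.15
 set ip next-hop 198.51.100.1
```

Check the result with `show track` and `show ip sla statistics`, and confirm with `show ip nat translations` that the translated address changes when a track goes down.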

