NAT failover with DUAL ISP on a router with Policy Based Routing

INTRODUCTION:-

WAN failover and load balancing allow you to designate the router interface, or one of the user-assigned interfaces, as a secondary or backup WAN port. The secondary WAN port can be used in a simple active/passive setup, where traffic is only routed through the secondary WAN port if the primary WAN port is down or unavailable.

This is a generic example of how to configure NAT when there are multiple ISPs for internet connectivity and proper failover is required: when the primary ISP goes down, the secondary takes over, and NAT correctly uses the secondary ISP's public IP address. For the diagram please see http://www.2shared.com/photo/FYF4kN6X/DRAW.html.

Concept:
A small business with a single router (e.g. a Cisco 1900/2800/2900 ISR) has two ISPs and would like to use one ISP as the main provider and the second ISP as a backup in case the first one fails.

Configuration

Here I am going to post only the home router configuration, which is used in the lab environment as HOME.RTR; for the topology see the URL mentioned above.

1) Configure each WAN interface to connect to each ISP, respectively:

interface FastEthernet0/0
description Primary-Wan
ip address 101.1.1.1 255.255.255.252
ip nat outside

interface FastEthernet0/1
description backup-Wan
ip address 102.1.1.1 255.255.255.252
ip nat outside

2) Create the route maps that select the NAT rule. Each one matches the permitted traffic and the outgoing WAN interface, so a packet is translated to the address of the interface it is actually leaving through:

route-map backup permit 20
match ip address internet
match interface FastEthernet0/1
route-map primary permit 10
match ip address internet
match interface FastEthernet0/0

3) Configure Lan interface

interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside

Note: ACL internet selects the traffic that may be translated. As written in this lab it permits everything; on a production router restrict it to the inside subnet (for this topology: permit ip 192.168.1.0 0.0.0.255 any) so that only LAN-sourced traffic is ever translated out of a WAN interface.

ip access-list extended internet
permit ip any any

4) Configure the two NAT statements, one per route-map, so that whichever WAN interface a packet is routed out of supplies the translation address:

ip nat inside source route-map backup interface FastEthernet0/1 overload
ip nat inside source route-map primary interface FastEthernet0/0 overload

5) Add the default routes. The route via the primary ISP gets administrative distance 10 and the one via the backup ISP gets 20, so the backup route is a floating static that only enters the routing table when the primary route is withdrawn (i.e. when FastEthernet0/0 goes down):

ip route 0.0.0.0 0.0.0.0 101.1.1.2 10
ip route 0.0.0.0 0.0.0.0 102.1.1.2 20
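The pieces in steps 1 to 5 only work if they reference each other consistently: every NAT statement names a route-map, every route-map matches an interface that is ip nat outside and an ACL that exists, the next hop of each default route sits on an outside interface, and the two default routes differ in administrative distance (otherwise the backup never floats). The script below is an added example and not code from the original post; it embeds a constructed copy of the configuration above (interface descriptions omitted), parses it offline and reports anything that breaks those relationships, including the lab's permit ip any any ACL as something to tighten.

```python
"""Consistency checks for the dual-ISP NAT failover config (steps 1 to 5).

Added example, not part of the original post; it never talks to a router.
"""
import ipaddress
import re

# Constructed copy of the page's configuration (interface descriptions omitted).
PAGE_CONFIG = """\
interface FastEthernet0/0
 ip address 101.1.1.1 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 ip address 102.1.1.1 255.255.255.252
 ip nat outside
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip access-list extended internet
 permit ip any any
route-map primary permit 10
 match ip address internet
 match interface FastEthernet0/0
route-map backup permit 20
 match ip address internet
 match interface FastEthernet0/1
ip nat inside source route-map primary interface FastEthernet0/0 overload
ip nat inside source route-map backup interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 101.1.1.2 10
ip route 0.0.0.0 0.0.0.0 102.1.1.2 20
"""


def parse(config):
    """Split the config into interfaces, route-maps, ACLs, NAT rules and default routes.

    Indented lines belong to the most recent interface / route-map / ACL header.
    """
    interfaces, route_maps, acls, nat_rules, routes = {}, {}, {}, [], []
    block = None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            if block is not None:
                block.append(line.strip())
            continue
        block = None
        if m := re.match(r"interface (\S+)$", line):
            block = interfaces.setdefault(m.group(1), [])
        elif m := re.match(r"route-map (\S+) permit \d+$", line):
            block = route_maps.setdefault(m.group(1), [])
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            block = acls.setdefault(m.group(1), [])
        elif m := re.match(r"ip nat inside source route-map (\S+) interface (\S+) overload$", line):
            nat_rules.append((m.group(1), m.group(2)))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)$", line):
            routes.append((m.group(1), int(m.group(2))))
    return interfaces, route_maps, acls, nat_rules, routes


def check(config):
    """Return a list of findings; an empty list means the pieces fit together."""
    interfaces, route_maps, acls, nat_rules, routes = parse(config)
    findings = []
    outside = {n for n, lines in interfaces.items() if "ip nat outside" in lines}
    subnets = {}  # interface name -> connected network, to place the next hops
    for name, lines in interfaces.items():
        for l in lines:
            if m := re.match(r"ip address (\S+) (\S+)$", l):
                subnets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network

    used_acls = set()
    for rm, intf in nat_rules:
        if rm not in route_maps:
            findings.append(f"NAT rule references missing route-map {rm}")
            continue
        if intf not in outside:
            findings.append(f"NAT rule for {rm} uses {intf}, which is not 'ip nat outside'")
        matched_intf = next((l.split()[-1] for l in route_maps[rm] if l.startswith("match interface ")), None)
        matched_acl = next((l.split()[-1] for l in route_maps[rm] if l.startswith("match ip address ")), None)
        if matched_intf != intf:
            findings.append(f"route-map {rm} matches interface {matched_intf} but translates to {intf}")
        if matched_acl is not None:
            used_acls.add(matched_acl)

    for acl in sorted(used_acls):
        if acl not in acls:
            findings.append(f"ACL {acl} is referenced but not defined")
        elif "permit ip any any" in acls[acl]:
            findings.append(f"ACL {acl} permits ip any any; restrict it to the inside subnet")

    # Floating static: distances must differ and each next hop must sit on an outside interface.
    if len({ad for _, ad in routes}) != len(routes):
        findings.append("default routes share an administrative distance, so the backup will not float")
    for nh, _ in routes:
        owner = next((n for n, net in subnets.items() if ipaddress.ip_address(nh) in net), None)
        if owner not in outside:
            findings.append(f"next hop {nh} is not on an 'ip nat outside' interface")
    return findings
```

Run check(PAGE_CONFIG) against the lab config and the only finding is the any/any ACL; give both default routes the same distance, or rename a route-map without updating the NAT statement, and the corresponding finding appears. The same parser works on a "show running-config" dump as long as the sub-commands are indented the way IOS prints them.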

6) Create an EEM script that clears the NAT translations automatically:

Introduction to Embedded Event Manager

Cisco IOS Embedded Event Manager (EEM) is a powerful tool integrated with Cisco IOS Software for system management from within the device itself. EEM offers the ability to monitor events and take informational, corrective, or any desired action when the monitored events occur or when a threshold is reached. Capturing the state of the router during such situations can be invaluable in taking immediate recovery actions and gathering information to perform root-cause analysis. Network availability is also improved if automatic recovery actions are performed without the need to fully reboot the routing device.

In our topology the two ISPs are connected on f0/0 and f0/1, and both are NAT outside interfaces. Suppose traffic is flowing through f0/0 (primary) and that interface goes down or becomes unavailable. The floating static route moves the default route to f0/1 almost immediately, but the existing NAT translations are still bound to the public address of f0/0 and stay in the table until they time out, so the active sessions keep failing long after the switch-over. To avoid this we configure an EEM applet that runs "clear ip nat translation *" as soon as the interface goes down; the hosts then rebuild their sessions with fresh translations on f0/1. The same problem exists on failback: once f0/0 returns, translations built on f0/1 linger, so it is worth adding an applet for the "changed state to up" message of the primary interface as well (the track-based variant in the comments below clears in both directions).

The commands are:

event manager applet CLEARNAT1
event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
event manager applet CLEARNAT2
event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"


6 Responses to NAT failover with DUAL ISP on a router with Policy Based Routing

  1. ashish says:

    Good details shared…..
    Which router you are recommending?

  2. Frank says:

    Great write up, I would also suggest that if you can add the ip sla to this configuration…but what you have above is great and works perfect, thank you!!!

  3. Leras Ioannis says:

    Hello there and congrats for your great post!
    In the last few days I have been trying to implement a WAN fail-over using IP SLA and track reachability, and the problem is that when the primary connection is restored the IP SLA ping doesn't get a reply, so the router gets stuck on the secondary ISP. So I am thinking of trying your solution, but how exactly will this work when we have a failure on the ISP side and the router interface that the cable modem is connected to stays up?

    • Hi Leras,
      First of all, I would like to thank you for your interest in my blog; I will be glad to respond to your query.
      There are many ways to accomplish the WAN fail-over task, but in my blog I demonstrated the use of EEM in terms of: when the primary link goes down (either physically down at the interface or down from the back-end on the ISP side), the secondary will take charge. It's a normal case: you can only switch to the other (back-up) interface when the first one is down. There would be some script which we need to run on the router so that if our interface is down it will automatically run the desired script. I would suggest you use the EEM script mentioned below along with IP SLA.

      event manager applet CLEARNAT1
      event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down"
      action 1.0 cli command "enable"
      action 2.0 cli command "clear ip nat translation *"
      event manager applet CLEARNAT2
      event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Down -> Up"
      action 1.0 cli command "enable"
      action 2.0 cli command "clear ip nat translation *"
      !
      For IP SLA use the below commands:
      ip sla 2
      icmp-echo X.X.X.X (gateway of your public ip) source-interface g0/1 (your wan interface)
      frequency 5
      ip sla schedule 2 life forever start-time now
      !
      track 2 ip sla 2 reachability

      ip route 0.0.0.0 0.0.0.0 X.X.X.X (gateway of your public ip) track 2

      Looking forward to hearing from you. Thank you.

      Warm Regards
      Saurabh
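Both the interface-based applets in step 6 and the track-based applets in the reply above rely on the syslog pattern matching the right message and nothing else. The Python script below is an added example, not code from the original post or its comments; it assumes, as Cisco documents for "event syslog pattern", that the pattern is a regular expression matched against the logged message, and models that with re.search. The syslog lines are constructed in IOS format rather than captured from a device, and the COMBINED_APPLET pattern is a suggested alternative that is not on the page.

```python
"""Which EEM applet fires for which syslog message.

Added example, not from the original post. Models Cisco EEM's
`event syslog pattern` as a regex searched in the message text (assumption).
"""
import re

# Applets from step 6 of the post: react to the line protocol going down.
INTERFACE_APPLETS = {
    "CLEARNAT1": r"LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "CLEARNAT2": r"LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
}

# Applets from the author's reply in the comments: react to the IP SLA track object.
TRACK_APPLETS = {
    "CLEARNAT1": r"%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down",
    "CLEARNAT2": r"%TRACK-6-STATE: 2 ip sla 2 reachability Down -> Up",
}

# Suggested alternative (assumption, not on the page): one applet whose regex covers
# both WAN interfaces and both directions, so failback also clears the translations.
COMBINED_APPLET = {
    "CLEARNAT": r"LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/[01], changed state to (up|down)",
}

# Constructed syslog lines: the primary link flaps, then an ISP-side outage that only
# the IP SLA track notices because the interface itself stays up.
SAMPLE_SYSLOG = [
    "*Mar  1 00:10:01.001: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "*Mar  1 00:10:02.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "*Mar  1 00:15:02.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:20:02.004: %TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down",
    "*Mar  1 00:25:02.005: %TRACK-6-STATE: 2 ip sla 2 reachability Down -> Up",
]


def fired(applets, message):
    """Names of the applets whose pattern matches this one syslog message."""
    return sorted(name for name, pattern in applets.items() if re.search(pattern, message))


def uncovered(applets, messages):
    """Path transitions (LINEPROTO or TRACK) after which nothing clears the NAT table."""
    return [m for m in messages
            if ("LINEPROTO-5-UPDOWN" in m or "TRACK-6-STATE" in m) and not fired(applets, m)]


if __name__ == "__main__":
    for label, applets in (("step 6", INTERFACE_APPLETS), ("reply", TRACK_APPLETS), ("combined", COMBINED_APPLET)):
        print(f"{label} leaves stale translations after:")
        for m in uncovered(applets, SAMPLE_SYSLOG):
            print("   ", m)
```

With the step 6 applets the table is cleared only when a line protocol goes down: the primary coming back up and both track transitions leave stale entries. The reply's applets cover the ISP-side failure and the restore, but not a physical down of either WAN interface, so running both sets (or the combined regex plus the track applets) is what actually covers every transition in the sample.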
