03-18-2024 03:57 PM
I have an ISR 1K with DUAL ISPs (Dialer0 & Cellular) My intention was to implement something similar to this article: https://learningnetwork.cisco.com/s/question/0D53i00000Kt1XYCAZ/nat-failover-with-dual-isp-on-a-router-configuration-example?t=1710370069373
In the case the main ISP goes down (e.g. an indirect link failure has been noticed by IP SLA), traffic starts going out of the ISP2 interface (due to either a floating static route or policy-based routing).
Since NAT translations are still valid, traffic might be NATted using the ISP1 IP address, which means that return traffic will not come back since the link to ISP1 is not available. The article suggests using something like this (where the route-map at the end will ensure there is an exit path available on either interface, no matter which one is currently active):
ip nat inside source static 172.168.60.2 12.x.x.x route-map PRI
ip nat inside source static 172.168.60.2 76.x.x.x route-map SEC
route-map PRI permit 10
 match ip address LAN
 match interface Dialer0
route-map SEC permit 10
 match ip address LAN
 match interface Cellular0/2/0
What I have learnt is that IOS XE does not allow 'route-map PRI' at the end of the NAT statement, since it handles NAT differently to IOS.
My question is: is there a way to do something similar in IOS XE?
I have a working EEM script to remove and re-add NAT translations in case of ISP1's availability change, but I have had mixed results and would rather get away from using EEM if possible. Thank you in advance.
03-19-2024 12:58 AM
I have a working EEM script to remove and re-add NAT translations in case of ISP1's availability change, but I have had mixed results and would rather get away from using EEM if possible.
What kind of mixed results did you have? Can you post examples? In most cases, as per my learning, that should work as expected
until the cellular interface has some issue around some checks.
Not that I am aware of that you can get away from an EEM script to fix this issue, since you have dialer and cellular connections (in case of failure scenarios).
03-19-2024 03:03 AM
Hi BB, yes for sure...
I caveat this with the issue I had was on IOS and not on IOS XE....
Sometimes 1 of the 6 or so individual NAT translations would get 'stuck'. This was evident because you would have 5 for the dialler and 1 still sitting on cellular, for example. The second issue (and I admit this might be easily overcome if I had more knowledge on the topic) was that a 'quick' outage on the main ISP of, say, a few seconds would potentially interrupt NATting for up to 30 seconds while it first made the detection, switched over, then switched back.
03-19-2024 12:11 PM
Can you post the full configuration, removing passwords and other sensitive information?
What is the device model, what IOS code was having the issue, and what IOS XE are you planning to use?
This was evident because you would have 5 for the dialler and 1 still sitting on cellular for example.
It depends on the config; if you clear the NAT table and fail over based on the scenario, it should work as expected.
Example:
https://www.balajibandi.com/?p=1643
outage on the main ISP of say a few seconds would potentially interrupt NATTING for up to 30 seconds while it first made the detection, switched over then switched back.
For this we need to see the log; you may delay failover based on the stability of the connection.
03-19-2024 01:40 PM
You must slow down the traffic change between both ISPs.
You can use IP SLA with track and threshold.
MHM
03-19-2024 03:26 AM - edited 03-19-2024 03:27 AM
Hello
@NotJustANumber3693785723975738 wrote:
In the case the main ISP goes down (e.g. indirect link failure has been noticed by IP SLA), traffic starts going out of ISP2 interface (due to either floating static route or policy-based routing).
What I have learnt is IOS XE does not allow 'route-map PRI' at the end of the NAT statement, since it handles NAT differently to IOS.
My understanding is that IOS-XE does support NAT L/B using route-maps. Looking at your OP and the NAT statements, at this time they do not look correct.
Do you wish for ALL NAT translations to use "primary ISP" and ONLY use "secondary ISP" in case of upstream failure on ISP1?
Are you receiving dynamic ip address allocation on those cellular interfaces and also default routes?
sh ip route
sh ip int brief
03-19-2024 03:55 AM
The Cisco doc shows that IOS XE supports adding a route-map at the end of the NAT command,
but I think this route-map matches only the egress interface, not the ACL.
MHM
03-19-2024 03:14 PM
Hello
I would say the OP needs to elaborate on what the requirement is. I know for sure NAT RMs are supported in XE, as we have them running presently.
If this is an active/active NAT solution, conditional PBR/default static routes along with IP SLA tracking would be appropriate.
EEM may not be applicable depending on the IP SLA/tracking values.
03-21-2024 05:18 AM
Thanks for all the interest! Great to see the responses, just to focus on the route map question... I have provided the intended config below (just the relevant parts). The text in Bold cannot be entered as it gives "% Invalid input detected at '^' marker."
interface GigabitEthernet0/0/0
 description -- HFC --
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface Cellular0/2/0
 description -- CELLL --
 ip address negotiated
 ip nat outside
 ip tcp adjust-mss 1318
 dialer in-band
 dialer idle-timeout 0
 dialer enable-timeout 6
 dialer-group 1
 ipv6 enable
 pulse-time 1
 ip virtual-reassembly
interface Cellular0/2/1
 no ip address
interface Vlan1
 description -- LAN --
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 ip virtual-reassembly
interface Dialer0
 description -- HFC --
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname abcdefg
 ppp chap password 0 xxxxxxxx
 ip virtual-reassembly
ip sla 1
 icmp-echo 9.9.9.9 source-interface Dialer0
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat inside source static tcp 192.168.5.7 8000 interface Dialer0 8000 route-map PRI
ip nat inside source static tcp 192.168.5.7 8000 interface Cellular0/2/0 8000 route-map SEC
ip nat inside source static tcp 192.168.5.2 80 interface Dialer0 80 route-map PRI
ip nat inside source static tcp 192.168.5.2 80 interface Cellular0/2/0 80 route-map SEC
ip nat inside source static tcp 192.168.5.3 443 interface Dialer0 443 route-map PRI
ip nat inside source static tcp 192.168.5.3 443 interface Cellular0/2/0 443 route-map SEC
ip nat inside source static tcp 192.168.5.4 2222 interface Dialer0 2222 route-map PRI
ip nat inside source static tcp 192.168.5.4 2222 interface Cellular0/2/0 2222 route-map SEC
ip nat inside source route-map PRI interface Dialer0 overload
ip nat inside source route-map SEC interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 10
ip route 9.9.9.9 255.255.255.255 Dialer0
ip access-list extended LAN
 10 permit ip 192.168.5.0 0.0.0.255 any
route-map PRI permit 10
 match ip address LAN
 match interface Dialer0
route-map SEC permit 10
 match ip address LAN
 match interface Cellular0/2/0
dialer-list 1 protocol ip permit
03-24-2024 03:56 AM - edited 03-24-2024 04:08 AM
Hello
Thanks for the additional information. It's clear now what you mean regarding the RMs not being applicable when stating the physical interface of a static NAT statement in IOS-XE, and given you are using dynamic address allocation on your cellular interfaces you cannot specify a specific next-hop IP address either?
Please see attached for a possible solution. It DOES involve EEM scripting/IP SLA/object tracking to dynamically remove the "OLD" static NAT statements as/when reachability from your primary ISP has failed.
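An added example of the track-driven approach described in this thread, written by the editor and not taken from the attachment or from the OP's own EEM script. It reuses the OP's `track 1`, interfaces and static port-forward entries, and addresses the two symptoms reported earlier: translations left 'stuck' on the old interface (cleared before the entries are swapped) and flapping on short outages (dampened with `delay` on the track object; the 10/30 second values are assumptions to tune against the link's real stability).

```cisco
! Dampen the track so a few-second blip on ISP1 does not trigger a swap.
! Values are assumptions; tune to the observed stability of the Dialer0 link.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! ISP1 lost: drop the Dialer0 static entries, add the Cellular0/2/0 ones.
! Translations are cleared first so no static entry is "in use" when removed
! and no session keeps a translation bound to the dead exit interface.
event manager applet NAT-TO-CELLULAR
 event track 1 state down
 action 010 cli command "enable"
 action 020 cli command "clear ip nat translation *"
 action 030 cli command "configure terminal"
 action 040 cli command "no ip nat inside source static tcp 192.168.5.7 8000 interface Dialer0 8000"
 action 050 cli command "no ip nat inside source static tcp 192.168.5.2 80 interface Dialer0 80"
 action 060 cli command "no ip nat inside source static tcp 192.168.5.3 443 interface Dialer0 443"
 action 070 cli command "no ip nat inside source static tcp 192.168.5.4 2222 interface Dialer0 2222"
 action 080 cli command "ip nat inside source static tcp 192.168.5.7 8000 interface Cellular0/2/0 8000"
 action 090 cli command "ip nat inside source static tcp 192.168.5.2 80 interface Cellular0/2/0 80"
 action 100 cli command "ip nat inside source static tcp 192.168.5.3 443 interface Cellular0/2/0 443"
 action 110 cli command "ip nat inside source static tcp 192.168.5.4 2222 interface Cellular0/2/0 2222"
 action 120 cli command "end"
 action 130 syslog msg "track 1 down: static NAT moved to Cellular0/2/0"
!
! ISP1 restored (after the up delay): reverse the swap and clear again so
! sessions are not left translated to the cellular address.
event manager applet NAT-TO-DIALER
 event track 1 state up
 action 010 cli command "enable"
 action 020 cli command "clear ip nat translation *"
 action 030 cli command "configure terminal"
 action 040 cli command "no ip nat inside source static tcp 192.168.5.7 8000 interface Cellular0/2/0 8000"
 action 050 cli command "no ip nat inside source static tcp 192.168.5.2 80 interface Cellular0/2/0 80"
 action 060 cli command "no ip nat inside source static tcp 192.168.5.3 443 interface Cellular0/2/0 443"
 action 070 cli command "no ip nat inside source static tcp 192.168.5.4 2222 interface Cellular0/2/0 2222"
 action 080 cli command "ip nat inside source static tcp 192.168.5.7 8000 interface Dialer0 8000"
 action 090 cli command "ip nat inside source static tcp 192.168.5.2 80 interface Dialer0 80"
 action 100 cli command "ip nat inside source static tcp 192.168.5.3 443 interface Dialer0 443"
 action 110 cli command "ip nat inside source static tcp 192.168.5.4 2222 interface Dialer0 2222"
 action 120 cli command "end"
 action 130 syslog msg "track 1 up: static NAT moved back to Dialer0"
```

Only the static port-forward entries are swapped; the two `overload` statements with `route-map PRI`/`SEC` stay as in the OP's config, since they select the exit interface via `match interface`. Verify with `show track 1`, `show ip nat translations` and `show event manager history events` after a forced failover.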
03-25-2024 02:53 AM
Thank you Paul, this looks quite similar to the EEM setup I have previously used, however those tweaks to the sensitivity and clearing translation I expect will make it run a lot better than what I had setup before. Really appreciate your help with this