Re: Dual active ISPs failover question

Alkemyst71 · ‎11-22-2019

We would like 10.0.1.0 to go out over ISP1 and fail to ISP2

We would like 10.0.2.0 to go out over ISP2 and fail to ISP1

This simplified, there are a ton of networks for each.

Is this the right method?

object network obj_10.0.1.0_PRIMARY
subnet 10.0.1.0 255.255.255.0
description OFFICE_SUBNET
!
object network obj_10.0.2.0_PRIMARY
subnet 10.0.2.0 255.255.255.0
description VOICE_SUBNET
!
object network obj_10.0.1.0_SECONDARY
subnet 10.0.1.0 255.255.255.0
description OFFICE_SUBNET
!
object network obj_10.0.2.0_SECONDARY
subnet 10.0.2.0 255.255.255.0
description VOICE_SUBNET
!
route-map priorityISP2 permit 20
match ip address priority-ISP2
set ip next-hop verify-availability [ISP2 IP] 1 track 1
set ip next-hop verify-availability [ISP1 IP] 2 track 2
!
access-list priority-ISP2 extended permit ip object obj_10.0.1.0_SECONDARY any
access-list priority-ISP2 extended permit ip object obj_10.0.2.0_PRIMARY any
!
route ISP1 0.0.0.0 0.0.0.0 [ISP1 IP] 1 track 1
route ISP2 0.0.0.0 0.0.0.0 [ISP2 IP] 60 track 2
!
object-group network ISP1Primary
network-object obj_10.0.1.0_PRIMARY
network-object obj_10.0.2.0_SECONDARY
nat (any,ISP1) after-auto source dynamic ISP1Primary interface
!
object-group network ISP2Primary
network-object obj_10.0.2.0_PRIMARY
network-object obj_10.0.1.0_SECONDARY
nat (any,ISP2) after-auto source dynamic ISP2Primary interface

balaji.bandi · ‎11-22-2019

High level looks ok, when you failover to another provider you need to use EEM Script to clear NAT

Example :

event manager applet CLEAR_NAT

event track 1 state any

action 1.0 cli command “enable”

action 2.0 cli command “clear ip nat translation *”

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎11-23-2019

Hello,

what you have posted has a lot of syntax errors and won't work. Also, you need two route maps and apply them to the inside interfaces.

Try the below (interfaces and IP addressing used are arbitrary obviously):

interface GigabitEthernet0/0
description ISP1
nameif ISP1
security-level 0
ip address 100.100.100.1 255.255.255.252
!
interface GigabitEthernet0/1
description ISP2
nameif ISP2
security-level 0
ip address 200.200.200. 1 255.255.255.252

!

interface GigabitEthernet0/2
description OFFICE
nameif office
security-level 100
ip address 10.0.1.1 255.255.255.0
policy-route route-map PRIORITY_ISP1_RM
!
interface GigabitEthernet0/3
description VOICE
nameif voice
security-level 100
ip address 10.0.2.1 255.255.255.0
policy-route route-map PRIORITY_ISP2_RM
!

bject network obj_10.0.1.0
subnet 10.0.1.0 255.255.255.0
description OFFICE_SUBNET

!
object network obj_10.0.2.0
subnet 10.0.2.0 255.255.255.0
description VOICE_SUBNET
!
route-map PRIORITY_ISP1_RM permit 10
match ip address PRIORITY_ISP1_ACL
set ip next-hop verify-availability 100.100.100.2 1 track 1
!
route-map PRIORITY_ISP2_RM permit 10
match ip address PRIORITY_ISP2_ACL
set ip next-hop verify-availability 200.200.200.2 2 track 2
!
access-list PRIORITY_ISP1_ACL extended permit ip object obj_10.0.1.0 any
access-list PRIORITY_ISP2_ACL extended permit ip object obj_10.0.2.0 any
!
route ISP1 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
route ISP2 0.0.0.0 0.0.0.0 200.200.200.2 2 track 2
!
object-group network ISP1_NAT
network-object obj_10.0.1.0
network-object obj_10.0.2.0
nat (any,ISP1) ISP1_NAT interface
!
object-group network ISP2_NAT
network-object obj_10.0.2.0
network-object obj_10.0.1.0
nat (any,ISP2) dynamic ISP2_NAT

!

event manager applet CLEAR_NAT_ISP1
event track 1 state down
action 1.0 cli command “enable”
action 2.0 cli command “clear xlate interface ISP1 *”
!
event manager applet CLEAR_NAT_ISP2
event track 2 state down
action 1.0 cli command “enable”
action 2.0 cli command “clear xlate interface ISP2 *”

Alkemyst71 · ‎11-23-2019

Thanks, I will give it a try. I have a 5500 to test with but somehow the adapter is missing in the lab.

This was working with a ton of object and nats, but I stumbled upon the object group command and thought I'd give it a go.

Georg Pauwen · ‎11-23-2019

Hello,

if the object groups are the problem, what you have posted contains syntax and spelling errors, that might simply be the problem then. I have highlighted (marked in bold) the non-existing groups you are referencing...

object network obj_10.0.1.0_PRIMARY
subnet 10.0.1.0 255.255.255.0
description OFFICE_SUBNET
!
object network obj_10.0.2.0_PRIMARY
subnet 10.0.2.0 255.255.255.0
description VOICE_SUBNET
!
object network obj_10.0.1.0_SECONDARY
subnet 10.0.1.0 255.255.255.0
description OFFICE_SUBNET
!
object network obj_10.0.2.0_SECONDARY
subnet 10.0.2.0 255.255.255.0
description VOICE_SUBNET
!
route-map priorityISP2 permit 20
match ip address priority-ISP2
set ip next-hop verify-availability [ISP2 IP] 1 track 1
set ip next-hop verify-availability [ISP1 IP] 2 track 2
!
access-list priority-ISP2 extended permit ip object obj_10.0.1.0 any --> doesn't exist
access-list priority-ISP2 extended permit ip object obj_10.0.2.0 any --> doesn't exist
!
route ISP1 0.0.0.0 0.0.0.0 [ISP1 IP] 1 track 1
route ISP2 0.0.0.0 0.0.0.0 [ISP2 IP] 60 track 2
!
object-group network ISP1Primary
network-object obj_10.0.1.0_Primary --> doesn't exist
network-object obj_10.0.2.0_Secondary --> doesn't exist
nat (any,ISP1) after-auto source dynamic ISP1Primary interface
!
object-group network ISP2Primary
network-object obj_10.0.2.0_Primary
network-object obj_10.0.1.0_Secondary
nat (any,ISP2) after-auto source dynamic ISP2Primary interface

The objects you created are 'obj_10.0.1.0_PRIMARY' and 'obj_10.0.2.0_PRIMARY', they need to be referenced using the exact same spelling including small and large caps...

Alkemyst71 · ‎11-23-2019

I am not sure if I needed the _primary and _secondary groups.

paul driver · ‎11-23-2019

Hello

Your nearly there with that config - what you need is to policy route for the 10.0.2.x subnet - also you shouldn’t have to the clear the xlate table if you have a interface failure but you can test it by a manual clearing if it doesn’t work but having a low sla frequency for your tacking should be okay.

Anyway i dont think you need the secondary object networks or the o network groups for this just the primary’s object networks for will do.

1)apply the nat to each primary object network relating to your internal subnets

2) append ip sla track to the primary default route (ISP1) and have the secondary default (ISP) just with a higher admin value

3)create an standard acl for the 10.0.2.x subnet-

4) create a route-map and append the news acl to it and set up nexthop to the point to ISP2 then ISP1

Example:
sla monitor 1 & 2
frequency 5
num-packets 2

object network Lan1
nat (lan1,ISP1) after-auto source dynamic any interface
nat (lan1,ISP2) after-auto source dynamic any interface

object network Lan2
nat (lan2,ISP1) after-auto source dynamic any interface
nat (lan2,ISP2) after-auto source dynamic any interface

ip route ISP 0.0.0.0 0.0.0.0 x.x.x.x track x
ip route ISP2 0.0.0.0 0.0.0.0 x.x.x.x 200

access-list 1 permit 10.0.20.0 255.255.255.0
route-map PBR
match ip address 1
set ip next hop verify-avail (ISP2) track 2

route-map PBR 99
set ip next hop (ISP1)

interface xxx
description lan inside
policy-route route-map PBR

Test and see how you get on-

Apologies for the context of this post but I’m travelling and posting on the phone app

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Alkemyst71 · ‎12-09-2019

I edited my original config to reflect some of the changes.

Without the object groups and some of the other tweaks to clean it up, it's working 100%. It's just a mess of a config.

Does the configuration in the original post now look like a match?

balaji.bandi · ‎12-09-2019

Glad working as expected, now mark as solution so usefull for other members to review.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Alkemyst71 · ‎12-09-2019

Not yet working, it's working without all the new groups and NAT simplification. I am looking for one last sanity check prior to scheduling a maintenance window to test.

This is the config that is in place now we are trying to clean up:

!
interface GigabitEthernet1/1.225
vlan 225
nameif isp2-outside
security-level 0
ip address [isp2-outside IP] 255.255.255.252
!
interface GigabitEthernet1/1.227
vlan 227
nameif isp3-outside
security-level 0
ip address [isp3-outside IP] 255.255.255.248
!
object network obj_10.20.0.0
subnet 10.20.0.0 255.255.254.0
description A_SUBNET
object network obj_10.20.3.0
subnet 10.20.3.0 255.255.255.0
description B_SUBNET
object network obj_10.20.4.0
subnet 10.20.4.0 255.255.255.0
description C_SUBNET
object network obj_10.20.5.0
subnet 10.20.5.0 255.255.255.0
description D_SUBNET
object network obj_10.20.6.0
subnet 10.20.6.0 255.255.255.0
description E_SUBNET
object network obj_10.20.7.0
subnet 10.20.7.0 255.255.255.0
description H_SUBNET
object network obj_10.20.2.0
subnet 10.20.2.0 255.255.255.0
description I_SUBNET
object network obj_10.20.8.0
subnet 10.20.8.0 255.255.254.0
description J_SUBNET
object network 10.20.0.0_16
subnet 10.20.0.0 255.255.0.0
object network obj_10.0.40.0
subnet 10.0.40.0 255.255.255.0
object network obj_10.20.0.0_bckupISP3
subnet 10.20.0.0 255.255.254.0
object network obj_10.20.5.0_ISP2
subnet 10.20.5.0 255.255.255.0
object network obj_10.20.7.0_ISP2
subnet 10.20.7.0 255.255.255.0
object network obj_10.20.2.0_bckupISP3
subnet 10.20.2.0 255.255.255.0
object network obj_10.20.8.0_bckupISP3
object network 10.20.0.0_16_bckupISP3
subnet 10.20.0.0 255.255.0.0

access-list priority-ISP3 extended permit ip object obj_10.20.5.0 any
access-list priority-ISP3 extended permit ip object obj_10.20.7.0 any
!
object network obj_10.20.5.0
nat (inside,isp3-outside) dynamic interface
object network obj_10.20.7.0
nat (inside,isp3-outside) dynamic interface
object network obj_10.20.0.0_bckupISP3
nat (inside,isp3-outside) dynamic interface
object network obj_10.20.2.0_bckupISP3
nat (inside,isp3-outside) dynamic interface
object network 10.20.0.0_16_bckupISP3
nat (inside,isp3-outside) dynamic interface
access-group outside_access_in in interface isp2-outside
access-group outside_access_in in interface isp3-outside
!
route-map priority2ISP2 permit 20
match ip address priority-ISP3
set ip next-hop verify-availability [isp3-outside NEXT HOP IP] 1 track 2

!
route outside 0.0.0.0 0.0.0.0 [OUTSIDE NEXT HOP IP] 1 track 1
route isp3-outside 0.0.0.0 0.0.0.0 [isp3-outside NEXT HOP IP] 60
route isp3-outside [COLO IP1] 255.255.255.255 [isp3-outside NEXT HOP IP] 1
route isp3-outside [COLO IP2] 255.255.255.255 [isp3-outside NEXT HOP IP] 1
!
sla monitor 100
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
timeout 3000
frequency 3
sla monitor schedule 100 life forever start-time now
sla monitor 200
type echo protocol ipIcmpEcho 216.239.35.1 interface isp3-outside
timeout 3000
frequency 3
sla monitor schedule 200 life forever start-time now
!
track 1 rtr 100 reachability
!
track 2 rtr 200 reachability