09-03-2020 06:11 AM
Hi,
Need your Suggestions/Guidance/Best Practices on the following requirement.
Two ISP Terminated on Single Cisco router 4431 with /30 Subnet masks on WAN interfaces (Public IP address)
Single VLAN subnet 192.168.11.0/24 for the local LAN
No routing protocols between ISR router and ISP, just static Default route pointing to next-hop.
Requirement:
> Need to configure ISP load balancing (Active-Active)
> PAT will be configured for NAT
> One of the internal servers should have port forwarding on port 8080.
Challenges:
How to achieve ISP Active-Active load balancing (please suggest best practices)?
Port forwarding: can we do it on both ISPs? If we can, how do we address the return route issue?
Thanks
09-03-2020 07:24 AM
Hello,
The config below would split the subnet and allow both ISP connections to be active at the same time. In case either ISP fails, a series of EEM scripts will take care of the failover, including the static NAT for the server:
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0
description LAN
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip policy route-map ISP_LB
!
interface GigabitEthernet0/1
description ISP_1
ip address 100.100.100.1 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/2
description ISP_2
ip address 200.200.200.1 255.255.255.252
ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/2 overload
ip nat inside source static 192.168.11.100 100.100.100.1
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
timeout 1000
threshold 2
frequency 3
!
ip sla schedule 1 life forever start-time now
!
ip sla 2
! second probe sourced from ISP_2 and aimed at a different target, so each track tests only its own link
icmp-echo 8.8.4.4 source-interface GigabitEthernet0/2
timeout 1000
threshold 2
frequency 3
!
ip sla schedule 2 life forever start-time now
!
! host routes pin each probe target to its own ISP; source-interface alone does not choose the egress link
ip route 8.8.8.8 255.255.255.255 100.100.100.2
ip route 8.8.4.4 255.255.255.255 200.200.200.2
! tracked defaults: a failed probe withdraws that ISP's default route, so after the EEM
! applet removes PBR the remaining traffic cannot be load-shared onto the dead link
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 200.200.200.2 track 2
!
access-list 1 deny host 192.168.11.100
access-list 1 permit 192.168.11.0 0.0.0.127
!
access-list 2 permit 192.168.11.128 0.0.0.127
!
access-list 3 permit 192.168.11.0 0.0.0.255
!
! the server is denied in list 1 so it is not PAT'ed, but its outbound traffic
! must still leave via ISP_1, whose address its static NAT uses
access-list 4 permit host 192.168.11.100
!
route-map ISP_LB permit 5
match ip address 4
set ip next-hop 100.100.100.2
!
route-map ISP_LB permit 10
match ip address 1
set ip next-hop 100.100.100.2
!
route-map ISP_LB permit 20
match ip address 2
set ip next-hop 200.200.200.2
!
! PBR is applied on the LAN interface (Gi0/0), so that is where it is removed and re-added.
! Translations are cleared before the NAT rules are removed; IOS refuses to remove a NAT rule
! that still has active translations ("Dynamic mapping in use").
event manager applet ISP_1_FAILOVER_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "conf t"
action 4.0 cli command "interface GigabitEthernet0/0"
action 5.0 cli command "no ip policy route-map ISP_LB"
action 6.0 cli command "exit"
action 7.0 cli command "no ip nat inside source list 1 interface GigabitEthernet0/1 overload"
action 8.0 cli command "no ip nat inside source list 2 interface GigabitEthernet0/2 overload"
action 9.0 cli command "ip nat inside source list 3 interface GigabitEthernet0/2 overload"
action 10.0 cli command "no ip nat inside source static 192.168.11.100 100.100.100.1"
action 11.0 cli command "ip nat inside source static 192.168.11.100 200.200.200.1"
action 12.0 cli command "end"
action 13.0 cli command "clear ip nat translation *"
!
event manager applet ISP_1_FAILOVER_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "conf t"
action 4.0 cli command "interface GigabitEthernet0/0"
action 5.0 cli command "ip policy route-map ISP_LB"
action 6.0 cli command "exit"
action 7.0 cli command "ip nat inside source list 1 interface GigabitEthernet0/1 overload"
action 8.0 cli command "ip nat inside source list 2 interface GigabitEthernet0/2 overload"
action 9.0 cli command "no ip nat inside source list 3 interface GigabitEthernet0/2 overload"
action 10.0 cli command "ip nat inside source static 192.168.11.100 100.100.100.1"
action 11.0 cli command "no ip nat inside source static 192.168.11.100 200.200.200.1"
action 12.0 cli command "end"
action 13.0 cli command "clear ip nat translation *"
!
event manager applet ISP_2_FAILOVER_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "conf t"
action 4.0 cli command "interface GigabitEthernet0/0"
action 5.0 cli command "no ip policy route-map ISP_LB"
action 6.0 cli command "exit"
action 7.0 cli command "no ip nat inside source list 1 interface GigabitEthernet0/1 overload"
action 8.0 cli command "no ip nat inside source list 2 interface GigabitEthernet0/2 overload"
action 9.0 cli command "ip nat inside source list 3 interface GigabitEthernet0/1 overload"
action 10.0 cli command "end"
action 11.0 cli command "clear ip nat translation *"
!
event manager applet ISP_2_FAILOVER_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "conf t"
action 4.0 cli command "interface GigabitEthernet0/0"
action 5.0 cli command "ip policy route-map ISP_LB"
action 6.0 cli command "exit"
action 7.0 cli command "ip nat inside source list 1 interface GigabitEthernet0/1 overload"
action 8.0 cli command "ip nat inside source list 2 interface GigabitEthernet0/2 overload"
action 9.0 cli command "no ip nat inside source list 3 interface GigabitEthernet0/1 overload"
action 10.0 cli command "end"
action 11.0 cli command "clear ip nat translation *"
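Added example, not from the thread or from the poster's config: a small Python model of the design above (the /25 split in route-map ISP_LB, which ISP address a host is translated to, and where the 8080 forward is reachable in each EEM failover state), so the behaviour for a given LAN host and link state can be checked offline. It assumes the addresses used in the post and reproduces IOS wildcard-mask matching for the standard ACLs.

```python
# Added example, not from the thread: a model of the posted dual-ISP design so the
# ACL split, the NAT choice and the EEM failover states can be checked offline.
# Addresses are the ones used in the post; the server is pinned to ISP_1 while it is up.
import ipaddress

ISP1 = {"next_hop": "100.100.100.2", "public": "100.100.100.1"}
ISP2 = {"next_hop": "200.200.200.2", "public": "200.200.200.1"}
SERVER = "192.168.11.100"   # host with the static NAT and the 8080 forward
LAN = "192.168.11.0"


def acl_match(ip, network, wildcard):
    """IOS standard-ACL semantics: a wildcard bit set to 1 means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def outbound(src, isp1_up=True, isp2_up=True):
    """(next_hop, translated_source) for an outbound flow from a LAN host, following
    route-map ISP_LB while both links are up and the EEM applet state otherwise."""
    if not (isp1_up or isp2_up):
        return None                                   # no default route left
    if isp1_up and isp2_up:
        # PBR active: server and lower /25 -> ISP_1, upper /25 -> ISP_2
        if src == SERVER or acl_match(src, LAN, "0.0.0.127"):
            return ISP1["next_hop"], ISP1["public"]
        if acl_match(src, "192.168.11.128", "0.0.0.127"):
            return ISP2["next_hop"], ISP2["public"]
        return None                                   # not a LAN address: not policy-routed
    isp = ISP1 if isp1_up else ISP2                   # one link left: ACL 3 PATs everyone on it
    return isp["next_hop"], isp["public"]


def inbound_8080(dst_public, isp1_up=True, isp2_up=True):
    """Inbound connection to dst_public:8080. The static NAT lives on one ISP address
    at a time, so the other ISP's address has no mapping and the packet is dropped."""
    active = ISP1 if isp1_up else (ISP2 if isp2_up else None)
    if active is not None and dst_public == active["public"]:
        return SERVER
    return None


if __name__ == "__main__":
    for host in ("192.168.11.50", "192.168.11.100", "192.168.11.200"):
        print(host, "both up ->", outbound(host), "| ISP_1 down ->", outbound(host, isp1_up=False))
    print("8080 via ISP_2 while ISP_1 up ->", inbound_8080("200.200.200.1"))
```

The last line answers the asker's second question for this design: while ISP_1 is up, a connection to the ISP_2 address on port 8080 has no translation, so the forward is only reachable on one ISP at a time.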
09-03-2020 06:25 AM
You cannot have active/active LB as per my knowledge; instead you can have PBR, like 50% of user traffic towards ISP1 and 50% of users towards ISP2. If ISP1 fails, move all traffic to ISP2, and likewise the other way round. Does that work?
Good thread :
https://community.cisco.com/t5/routing/pbr-and-nat-dual-isp/m-p/2423180
09-03-2020 06:27 AM
You mean something like this?