Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
6805
Views
0
Helpful
8
Replies

Dual ISP Failover - IP SLA - Route-maps and Static Routes - Problems and Suggestions Please

Go to solution
jelloir
Level 1
Level 1

‎01-30-2021 08:09 PM

I've setup dual ISP failover to extend support into the following situation - as opposed to the interface simply going "DOWN".

  • If ISP-PRIMARY is having issues but the primary interface Ethernet0/3/0 is still "UP" use IP SLA and tracking to perform failover and failback once ISP-PRIMARY resolves their issue.

I'd appreciate feedback about the configuration below and have the following statements and question(s):

  1. When PRIMARY is active I cannot ping from BACKUP as a source interface and visa versa due to static routing (I think).
  2. Because of point 1, when the PRIMARY is down and comes back online, ip sla ping from the source interface Ethernet0/3/0 doesn't work and therefore failback never happens... That was until I added ip local policy route-map POLICY-IPSLA-IFACE to force icmp echo to the monitored IP's via Ethernet0/3/0.
  3. Is there a better way to allow the router to source pings from both WAN interfaces all the time or is using the local policy map the only option here? Ideally since the PRIMARY link is DHCP I'd prefer not to have ACL4-IPSLA-IFACE which references hard coded source IP addresses (123.213.132.112) - obviously if the WAN IP ever changed it would break failover.
  4. I have dialer watch-list which suffers the same issue - presumably I'd have to set-up another local policy map to help the celluar0/2/0 maintain its online state since it loses connectivity (presumably on purpose by the ISP when it's idle) - this is not a huge problem since the interface activates quickly when interesting traffic traverses it, but it would be good to reduce the configuration.

BTW, I'm sure there will be opinions on using Cloudflare and Google DNS for ip sla and I'm happy to update that. I've read that it's suggested to use the gateway's of the ISP's but since they are both dynamically assigned I'm not sure I can reliably set them?

 

object-group network OBJ-NETW-VLAN-DATA
10.39.99.0 255.255.255.0
!
interface Ethernet0/3/0
description ISP-PRIMARY
ip dhcp client route track 3 ! MUST BE ADDED BEFORE "ip address dhcp"!!!
ip address dhcp client-id Ethernet0/3/0
ip nat outside
!
interface Cellular0/2/0
description ISP-BACKUP
ip address negotiated
ip nat outside
!
interface Vlan1
ip address 10.39.99.254 255.255.255.0
ip nat inside
!
ip local policy route-map POLICY-IPSLA-IFACE
!
ip nat inside source route-map ISP-PRIMARY interface Ethernet0/3/0 overload
ip nat inside source route-map ISP-BACKUP interface Cellular0/2/0 overload!
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 128
ip route 0.0.0.0 0.0.0.0 Ethernet0/3/0 dhcp
!
ip access-list extended ACL4-IPSLA-IFACE
 permit icmp host 123.213.132.112 host 1.1.1.1 echo
 permit icmp host 123.213.132.112 host 8.8.8.8 echo
ip access-list extended NAT-CONTROL
 permit ip object-group OBJ-NETW-VLAN-DATA any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 1.1.1.1 source-interface Ethernet0/3/0
frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
delay down 10 up 30
!
track 2 ip sla 2 reachability
delay down 10 up 30
!
track 3 list boolean or
object 1
object 2
!
dialer watch-list 1 ip 1.1.1.1 255.255.255.255
!
route-map POLICY-IPSLA-IFACE permit 10
 match ip address ACL4-IPSLA-IFACE
 set ip next-hop dynamic dhcp
 set interface Ethernet0/3/0
!
route-map ISP-PRIMARY permit 10
 match ip address NAT-CONTROL
 match interface Ethernet0/3/0
!
route-map ISP-BACKUP permit 10
 match ip address NAT-CONTROL
 match interface Cellular0/2/0

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎01-30-2021 09:16 PM

Hi

You have 2 default routes with different AD and that's fine.
However instead of using PBR, i will define a static route going through isp1 for its own ip sla and another static route going through isp2 for its own sla.
For example, if you use 1.1.1.1 and 8.8.8.8 for sla on isp1, i would add static routes for those 2 hosts going alway through isp1.
Then you can use 2 other IPs to test isp2 (1.0.0.1 and 8.8.4.4 for example) and add a static route for those through isp2.

If you use Google as your dns you would need to pick other IPs to avoid issues when a failover occurs.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to jelloir

‎01-31-2021 05:47 AM - edited ‎01-31-2021 05:50 AM

Hello
You could use ipsla tracking with embedded event manager for a possible alternative solution

Example:
int eth0/3/0
no ip dhcp client route track 3

ip route 8.8.8.8 255.255.255.255 Null0 2 < to negate tracked ip from being reached via backup isp 
ip route 8.8.8.8 255.255.255.255 Ethernet0/3/0 dhcp specific static route for tracked ip via primary isp

ip sla 1
icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now

track 10 rtr 1 reachability

 

event manager applet default-route-up
event track 10 state up
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "no ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
action 1.4 cli command "end"

 

event manager applet default-route-down
event track 10 state down
action 2.0 cli command "enable"
action 2.1 cli command "config t"
action 2.2 cli command "no ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
action 2.3 cli command "ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
action 2.4 cli command "end"


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎01-30-2021 09:16 PM

Hi

You have 2 default routes with different AD and that's fine.
However instead of using PBR, i will define a static route going through isp1 for its own ip sla and another static route going through isp2 for its own sla.
For example, if you use 1.1.1.1 and 8.8.8.8 for sla on isp1, i would add static routes for those 2 hosts going alway through isp1.
Then you can use 2 other IPs to test isp2 (1.0.0.1 and 8.8.4.4 for example) and add a static route for those through isp2.

If you use Google as your dns you would need to pick other IPs to avoid issues when a failover occurs.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
jelloir
Level 1
Level 1
In response to Francesco Molino

‎01-30-2021 09:53 PM

Thanks Francesco,

I'd done this previously.

ip route 1.1.1.1 255.255.255.255 Ethernet0/3/0 name CLOUDFLARE-DNS
ip route 8.8.8.8 255.255.255.255 Ethernet0/3/0 name GOOGLE-DNS

As you mention, the issue here is being unable to use them from BACKUP ISP and using 1.0.0.1 and 8.8.4.4 elsewhere in the config works around that.  When I use the local policy route-map it doesn't have that problem.

I'd love someone to chime in and say their is some command that simply allows the router to override routing for the IP SLA or some way to allow the router originated traffic to use both gateways similtaneously.

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to jelloir

‎01-30-2021 10:00 PM

You can have both isp working at they same time if you put each of them in a dedicated front vrf.

Then you'll update the default route of your global routing table (your LAN) based on SLA results.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
jelloir
Level 1
Level 1
In response to Francesco Molino

‎01-30-2021 10:44 PM

Thanks again, I think I'd be making it more difficult for myself using vrf.

So looks like using local policy route-map is the way I achieve this.  Do you have anything to suggest to avoid having to set the interface IP in the ACL?

0 Helpful

Go to solution
paul driver
VIP
VIP
In response to jelloir

‎01-31-2021 05:47 AM - edited ‎01-31-2021 05:50 AM

Hello
You could use ipsla tracking with embedded event manager for a possible alternative solution

Example:
int eth0/3/0
no ip dhcp client route track 3

ip route 8.8.8.8 255.255.255.255 Null0 2 < to negate tracked ip from being reached via backup isp 
ip route 8.8.8.8 255.255.255.255 Ethernet0/3/0 dhcp specific static route for tracked ip via primary isp

ip sla 1
icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now

track 10 rtr 1 reachability

 

event manager applet default-route-up
event track 10 state up
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "no ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
action 1.4 cli command "end"

 

event manager applet default-route-down
event track 10 state down
action 2.0 cli command "enable"
action 2.1 cli command "config t"
action 2.2 cli command "no ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
action 2.3 cli command "ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
action 2.4 cli command "end"


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
jelloir
Level 1
Level 1
In response to paul driver

‎01-31-2021 10:38 PM

Thanks Paul,

I'll try this out.  For now though I've marked you and Francesco's posts as the accepted solution as this looks like the only option for services that are dynamically assigned (not static via dhcp) that avoids the ip in an ACL albeit with different caveats.

Appreciate the help.

0 Helpful

Go to solution
jagannath.cmcltd
Level 1
Level 1
In response to paul driver

‎01-31-2021 11:57 PM

Dear Sir,

             please help for how to configure dual ILL connection in one Cisco ISR4331/K9 router, Cisco IOS XE Software, Version 16.06.04.

Router LAN IP 192.168.14.1 (Static)

1> ISP BSNL ILL ip details:

WAN IP 172.24.159.241

NIB WAN  IP (Default Gateway) 172.24.159.242

Subnet Mask-255.255.255.252

LAN IP-117.197.102.216 to 223

Subnet Mask- 255.255.255.248

2>ISp JIO ILL ip details:

WAN ip pool:136.232.82.196 (customer End WAN IP: 136.232.82.255.255.255.252 with Default Gateway-136.232.82.197)

LAN ip pool: 136.233.106.216( usable ip range136.233.106.217 to 222 with Subnet mask:255.255.255.248) DNS:49.45.0.4

 

Thank You 

Jagannath

jagannath.cmcltd@gmail.com

 

0 Helpful

Go to solution
jagannath.cmcltd
Level 1
Level 1

‎02-01-2021 12:02 AM

Dear Sir,

             please help for how to  Auto Failover configure Dual ISP ILL connection in one Cisco ISR4331/K9 router, Cisco IOS XE Software, Version 16.06.04.

Router LAN IP 192.168.14.1 (Static)

1> ISP BSNL ILL ip details:

WAN IP 172.24.159.241

NIB WAN  IP (Default Gateway) 172.24.159.242

Subnet Mask-255.255.255.252

LAN IP-117.197.102.216 to 223

Subnet Mask- 255.255.255.248

2>ISp JIO ILL ip details:

WAN ip pool:136.232.82.196 (customer End WAN IP: 136.232.82.255.255.255.252 with Default Gateway-136.232.82.197)

LAN ip pool: 136.233.106.216( usable ip range136.233.106.217 to 222 with Subnet mask:255.255.255.248) DNS:49.45.0.4

 

Thank You 

Jagannath

jagannath.cmcltd@gmail.com

 

0 Helpful
Customers Also Viewed These Support Documents
Top