01-30-2021 08:09 PM
I've set up dual ISP failover to extend support into the following situation - as opposed to the interface simply going "DOWN".
I'd appreciate feedback about the configuration below and have the following statements and question(s):
BTW, I'm sure there will be opinions on using Cloudflare and Google DNS for ip sla and I'm happy to update that. I've read that it's suggested to use the gateways of the ISPs, but since they are both dynamically assigned I'm not sure I can reliably set them?
object-group network OBJ-NETW-VLAN-DATA
 10.39.99.0 255.255.255.0
!
interface Ethernet0/3/0
 description ISP-PRIMARY
 ip dhcp client route track 3 ! MUST BE ADDED BEFORE "ip address dhcp"!!!
 ip address dhcp client-id Ethernet0/3/0
 ip nat outside
!
interface Cellular0/2/0
 description ISP-BACKUP
 ip address negotiated
 ip nat outside
!
interface Vlan1
 ip address 10.39.99.254 255.255.255.0
 ip nat inside
!
ip local policy route-map POLICY-IPSLA-IFACE
!
ip nat inside source route-map ISP-PRIMARY interface Ethernet0/3/0 overload
ip nat inside source route-map ISP-BACKUP interface Cellular0/2/0 overload
!
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 128
ip route 0.0.0.0 0.0.0.0 Ethernet0/3/0 dhcp
!
ip access-list extended ACL4-IPSLA-IFACE
 permit icmp host 123.213.132.112 host 1.1.1.1 echo
 permit icmp host 123.213.132.112 host 8.8.8.8 echo
ip access-list extended NAT-CONTROL
 permit ip object-group OBJ-NETW-VLAN-DATA any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 1.1.1.1 source-interface Ethernet0/3/0
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30
!
track 2 ip sla 2 reachability
 delay down 10 up 30
!
track 3 list boolean or
 object 1
 object 2
!
dialer watch-list 1 ip 1.1.1.1 255.255.255.255
!
route-map POLICY-IPSLA-IFACE permit 10
 match ip address ACL4-IPSLA-IFACE
 set ip next-hop dynamic dhcp
 set interface Ethernet0/3/0
!
route-map ISP-PRIMARY permit 10
 match ip address NAT-CONTROL
 match interface Ethernet0/3/0
!
route-map ISP-BACKUP permit 10
 match ip address NAT-CONTROL
 match interface Cellular0/2/0
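A simplified Python model of the tracking logic in the configuration above (two probes every 5 seconds, each track with `delay down 10 up 30`, combined by `track 3 list boolean or`), added here as an illustration and not part of the original post or of any Cisco tooling. The class, function and sequence names are assumptions made for this example, the probe sequences are constructed, and delay timers are only evaluated at probe times.

```python
from dataclasses import dataclass
from typing import Optional

FREQUENCY = 5  # seconds between probes ("frequency 5" in the posted config)

@dataclass
class DelayedTrack:
    """Simplified model of 'track N ip sla N reachability' + 'delay down 10 up 30'."""
    delay_down: int = 10
    delay_up: int = 30
    state: bool = True                    # state the track object reports
    pending_since: Optional[int] = None   # when the raw probe result first disagreed

    def update(self, now: int, probe_ok: bool) -> bool:
        if probe_ok == self.state:        # probe agrees again: cancel the pending change
            self.pending_since = None
            return self.state
        if self.pending_since is None:
            self.pending_since = now
        delay = self.delay_up if probe_ok else self.delay_down
        if now - self.pending_since >= delay:
            self.state, self.pending_since = probe_ok, None
        return self.state

def simulate(probes):
    """probes: one (ok_8_8_8_8, ok_1_1_1_1) tuple per probe interval.
    Returns [(seconds, event)] for every state change of track 3 (boolean or)."""
    t1, t2 = DelayedTrack(), DelayedTrack()
    primary_up, events = True, []
    for i, (ok1, ok2) in enumerate(probes):
        now = i * FREQUENCY
        # '|' rather than 'or' so both track objects are always updated
        track3 = t1.update(now, ok1) | t2.update(now, ok2)
        if track3 != primary_up:
            primary_up = track3
            events.append((now, "installed" if track3 else "withdrawn"))
    return events

# Constructed probe sequences, not captured from a router
UP, DOWN, ONE_DEAD = (True, True), (False, False), (False, True)
one_target_dead = [UP] * 2 + [ONE_DEAD] * 10
five_second_blip = [UP] * 2 + [DOWN] + [UP] * 5
real_outage = [UP] * 2 + [DOWN] * 6 + [UP] * 8

if __name__ == "__main__":
    for name, seq in [("one target dead", one_target_dead),
                      ("5 s blip", five_second_blip),
                      ("30 s outage", real_outage)]:
        print(f"{name}: {simulate(seq)}")
```

In this model a single dead target or a one-probe blip never moves the primary default route; a full outage withdraws it 10 s after the first failed probe and reinstalls it 30 s after probes recover.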
01-30-2021 09:16 PM
Hi
You have 2 default routes with different AD and that's fine.
However, instead of using PBR, I will define a static route going through isp1 for its own ip sla and another static route going through isp2 for its own sla.
For example, if you use 1.1.1.1 and 8.8.8.8 for sla on isp1, I would add static routes for those 2 hosts going always through isp1.
Then you can use 2 other IPs to test isp2 (1.0.0.1 and 8.8.4.4 for example) and add a static route for those through isp2.
If you use Google as your DNS you would need to pick other IPs to avoid issues when a failover occurs.
01-30-2021 09:53 PM
Thanks Francesco,
I'd done this previously.
ip route 1.1.1.1 255.255.255.255 Ethernet0/3/0 name CLOUDFLARE-DNS
ip route 8.8.8.8 255.255.255.255 Ethernet0/3/0 name GOOGLE-DNS
As you mention, the issue here is being unable to use them from BACKUP ISP and using 1.0.0.1 and 8.8.4.4 elsewhere in the config works around that. When I use the local policy route-map it doesn't have that problem.
I'd love someone to chime in and say there is some command that simply allows the router to override routing for the IP SLA, or some way to allow the router-originated traffic to use both gateways simultaneously.
01-30-2021 10:00 PM
You can have both ISPs working at the same time if you put each of them in a dedicated front vrf.
Then you'll update the default route of your global routing table (your LAN) based on SLA results.
01-30-2021 10:44 PM
Thanks again, I think I'd be making it more difficult for myself using vrf.
So looks like using local policy route-map is the way I achieve this. Do you have anything to suggest to avoid having to set the interface IP in the ACL?
01-31-2021 05:47 AM - edited 01-31-2021 05:50 AM
Hello
You could use ip sla tracking with Embedded Event Manager as a possible alternative solution.
Example:
int eth0/3/0
 no ip dhcp client route track 3
!
! to negate tracked ip from being reached via backup isp
ip route 8.8.8.8 255.255.255.255 Null0 2
! specific static route for tracked ip via primary isp
ip route 8.8.8.8 255.255.255.255 Ethernet0/3/0 dhcp
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 10 rtr 1 reachability
!
event manager applet default-route-up
 event track 10 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "no ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
 action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
 action 1.4 cli command "end"
!
event manager applet default-route-down
 event track 10 state down
 action 2.0 cli command "enable"
 action 2.1 cli command "config t"
 action 2.2 cli command "no ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
 action 2.3 cli command "ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
 action 2.4 cli command "end"
01-31-2021 10:38 PM
Thanks Paul,
I'll try this out. For now though I've marked your and Francesco's posts as the accepted solution, as this looks like the only option for services that are dynamically assigned (not static via dhcp) that avoids the IP in an ACL, albeit with different caveats.
Appreciate the help.
01-31-2021 11:57 PM
Dear Sir,
Please help with how to configure a dual ILL connection on one Cisco ISR4331/K9 router, Cisco IOS XE Software, Version 16.06.04.
Router LAN IP 192.168.14.1 (Static)
1> ISP BSNL ILL ip details:
WAN IP 172.24.159.241
NIB WAN IP (Default Gateway) 172.24.159.242
Subnet Mask-255.255.255.252
LAN IP-117.197.102.216 to 223
Subnet Mask- 255.255.255.248
2> ISP JIO ILL ip details:
WAN ip pool: 136.232.82.196 (customer End WAN IP: 136.232.82.255.255.255.252 with Default Gateway-136.232.82.197)
LAN ip pool: 136.233.106.216 (usable ip range 136.233.106.217 to 222 with Subnet mask: 255.255.255.248) DNS: 49.45.0.4
Thank You
Jagannath
jagannath.cmcltd@gmail.com
02-01-2021 12:02 AM
Dear Sir,
Please help with how to configure Auto Failover for a Dual ISP ILL connection on one Cisco ISR4331/K9 router, Cisco IOS XE Software, Version 16.06.04.
Router LAN IP 192.168.14.1 (Static)
1> ISP BSNL ILL ip details:
WAN IP 172.24.159.241
NIB WAN IP (Default Gateway) 172.24.159.242
Subnet Mask-255.255.255.252
LAN IP-117.197.102.216 to 223
Subnet Mask- 255.255.255.248
2> ISP JIO ILL ip details:
WAN ip pool: 136.232.82.196 (customer End WAN IP: 136.232.82.255.255.255.252 with Default Gateway-136.232.82.197)
LAN ip pool: 136.233.106.216 (usable ip range 136.233.106.217 to 222 with Subnet mask: 255.255.255.248) DNS: 49.45.0.4
Thank You
Jagannath
jagannath.cmcltd@gmail.com