dual ISP using policy based routing and SLA

adel85
Level 1

Before I posted this I checked the community for similar requests, but I couldn't find something working for my situation.

I have 2 sites; one of them has 1 router facing 2 ISPs. I need to make them active/active for 2 LAN networks, splitting them using policy-based routing, and at the same time have failover for both in case any ISP goes down, also using NAT.

The LAN interface of the router is configured as sub-interfaces.

Each LAN is reaching the loopback on router 2 (8.8.8.8), but if I shut the interface on R2 for network 1.1.1.0, for example, it doesn't fail over to the other ISP (2.2.2.0), and vice versa.

Here is the configuration I did (IPs changed from the real ones):

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/1
ip address 2.2.2.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
!
interface Ethernet0/2
no ip address
duplex auto
!
interface Ethernet0/2.10
encapsulation dot1Q 10
ip address 10.10.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map v10
!
interface Ethernet0/2.20
encapsulation dot1Q 20
ip address 10.10.20.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map v10
!
ip nat inside source route-map nat10 interface Ethernet0/0 overload
ip nat inside source route-map nat20 interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 2
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Ethernet0/0
frequency 5
ip sla 2
icmp-echo 8.8.8.8 source-interface Ethernet0/1
frequency 5
ip sla schedule 2 life forever start-time now
ipv6 ioam timestamp
!
route-map v10 permit 10
match ip address 110
set ip next-hop verify-availability 1.1.1.2 1 track 1
!
route-map v10 permit 20
match ip address 120
set ip next-hop verify-availability 2.2.2.2 2 track 2
!
route-map nat20 permit 20
match ip address 20
!
route-map nat10 permit 10
match ip address 10
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 20 permit 10.10.20.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.20.0 0.0.0.255 any


Accepted Solution

R1#show running-config
Building configuration...

Current configuration : 2309 bytes
!
! Last configuration change at 02:35:50 UTC Thu May 25 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 5
!
track 1 ip sla 1 reachability
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip policy route-map ISP1
duplex full
!
interface FastEthernet1/0
ip address 100.0.0.1 255.255.255.0
ip nat outside
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 20.0.0.1 255.255.255.0
ip nat inside
ip policy route-map ISP2
speed auto
duplex auto
!
interface FastEthernet2/0
ip address 200.0.0.1 255.255.255.0
ip nat outside
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
interface GigabitEthernet4/0
no ip address
shutdown
negotiation auto
!
ip nat translation icmp-timeout 1
ip nat inside source route-map ISP1-NAT interface FastEthernet1/0 overload
ip nat inside source route-map ISP2-NAT interface FastEthernet2/0 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.4 track 1
ip route 0.0.0.0 0.0.0.0 200.0.0.4 100
ip route 4.4.4.4 255.255.255.255 100.0.0.4 permanent
!
ip sla 1
icmp-echo 4.4.4.4 source-interface FastEthernet1/0
ip sla schedule 1 life forever start-time now
!
route-map ISP1-NAT permit 10
match interface FastEthernet1/0
!
route-map ISP2-NAT permit 10
match interface FastEthernet2/0
!
route-map ISP2 permit 10
set interface FastEthernet2/0
!
route-map ISP1 permit 10
set interface FastEthernet1/0
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!

I ran a lab and checked your case. I made some changes to your config, like no need for two tracks; only one is OK.
I also share photos of the two cases.
I ping 1000 times from R2 to R4 (Lo44.44.44.44), then shut down one link; the traffic must pass through the other one.
The issue is that ICMP with 1000 repeats uses the same NAT entry (it does not change), so I face drops in the ping.
Then I corrected the timeout to be ip nat translation icmp-timeout 1 <<- sec, and the ping succeeds with only one ping failed.
So try my config first; then if you face some drops, correct the timeout OR run an EEM event on track state down to clear ip nat.
I hope this will solve your issue.
Thanks,
MHM
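The accepted answer mentions, but does not show, the EEM alternative to the short ICMP timeout: an applet that clears NAT translations when the tracked ISP changes state, so flows pinned to the failed ISP's NAT entry re-translate on the surviving link instead of being dropped. This is an added example, not MHM's or the original poster's config; it assumes track 1 from the R1 config above, and the applet names and syslog text are my own choices.

```cisco
! Added example (not from the original posts): flush stale NAT entries on ISP failover.
! Assumes "track 1 ip sla 1 reachability" from the accepted R1 config; names are arbitrary.
event manager applet ISP1-DOWN-CLEAR-NAT
 event track 1 state down
 action 1.0 syslog msg "Track 1 down: ISP1 failed, clearing NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
!
! Same on recovery: once the tracked default route returns, sessions that moved to ISP2
! would otherwise stay bound to ISP2's NAT entries until they time out.
event manager applet ISP1-UP-CLEAR-NAT
 event track 1 state up
 action 1.0 syslog msg "Track 1 up: ISP1 restored, clearing NAT translations"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

Clearing with `*` drops every active translation on both ISPs, so established TCP sessions reset at each failover; that is the trade-off for the blunt but reliable form the answer refers to.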

8 Replies

route-map nat20 permit 20
match ip address 10 <<- change this to match interface ISP1
!
route-map nat10 permit 10
match ip address 10 <<- change this to match interface ISP2

I corrected the post; I had copied the wrong configuration.

M02@rt37
VIP

Hello @adel85,

I think NAT is the problem.

You try to ping (echo-request) 8.8.8.8 from LAN 10.10.10.0/24. When you shut e0/0 on R2, R1 deletes this route from its RIB:

ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 1

thanks to track 1 being in the "DOWN" state. Then the packet goes out through R1-e0/1, and the source address is NATed with the e0/0 IP address.

ip nat inside source route-map nat10 interface Ethernet0/0 overload
!
route-map nat10 permit 10
match ip address 10
!
access-list 10 permit 10.10.10.0 0.0.0.255

But there is a problem routing the ICMP echo reply from R2, because e0/0 is DOWN and there is no way to route the packet back to 1.1.1.1.

Then you can adjust NAT or routing on R2.

Add this static route on R2:

ip route 1.1.1.0 255.255.255.252 2.2.2.1

This route will appear when interfaces R1 and/or R2-e0/0 are down.

As concerns "adjust NAT", it is possible to NAT 10.10.10.0/24 with one specific IP attached to a Loopback (always UP/UP) and NAT 10.10.20.0/24 with another specific IP attached to another Loopback (always UP/UP). On R2 you then have floating static IP routes like this:

ip route <IP_LO_v10> 255.255.255.255 e0/0

ip route <IP_LO_v10> 255.255.255.255 e0/1 10

ip route <IP_LO_v20> 255.255.255.255 e0/1

ip route <IP_LO_v20> 255.255.255.255 e0/0 10

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

R2 is simulated as 2 different ISPs, but I combined them into 1 router for ease. I have no access to their devices.

Ok @adel85,

then NAT is the issue?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

OK, then in a real-world scenario when I implement this, what should I do?

Another thing: when I add the default route with track, at the end the last-resort default gateway disappears and I lose connectivity from the PC to R2.


Thank you for your help.

From your approach I realized that I was tracking 2 default routes, and I only had to track 1 default; the failover route with the higher metric will take over in case the other one fails.

But my question is: what if the ISP router is up but their network is down for some reason? Will the tracking to 8.8.8.8 go down and switch to the other ISP?
