07-05-2014 10:54 PM - edited 03-04-2019 11:17 PM
Hi everyone,
I have a customer insisting on a manual failover (2 internet links) using a Cisco 1941 with only 1 WAN port, i.e. GigabitEthernet 0/1 (GE0/0 = LAN).
Before he purchases an extra EHWIC for the 1941 to give him another L3 port, he wants to manually take the Ethernet cable out of the primary NTD/NTU (fiber/Ethernet link) and plug Gig0/1 into the secondary NTU/NTD from the 2nd ISP.
When he purchases the extra EHWIC for the 1941 I will fail over using the standard IP SLA way, but for now I don't think using an ip address xxxx secondary command on Gig0/1 and a second default route using a higher metric will be enough.
Is this possible and how?
If:
Primary ISP WAN IP = 111.111.111.111 / Default gateway = 111.111.111.112 /30
Secondary ISP WAN IP = 222.222.222.222 / Default GW = 222.222.222.223 /30
interface GigabitEthernet0/1
 ip address 111.111.111.111 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip nat inside source list 22 interface GigabitEthernet0/1 overload
access-list 22 permit 10.10.10.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 111.111.111.112
Using this basic NAT/PAT config, how can I have it so he takes out connection 1 and plugs in connection 2 (i.e. 222.222.222.222) and everything keeps on working?
Is this kind of lazy method even feasible?
Please help, I am completely stuck for ideas.
07-06-2014 03:02 AM
Hello.
It's possible.
Please read http://docwiki.cisco.com/wiki/NAT_failover_with_DUAL_ISP_on_a_router_Configuration_Example first.
Here is an example for your case:
interface G0/1
 ip address 192.168.131.3 255.255.255.0
 ip address 192.168.132.3 255.255.255.0 secondary
 ip nat outside
!ISP1 - 192.168.131.1; my address 192.168.131.3
!ISP2 - 192.168.132.1; my address 192.168.132.3
!configure your SLAs (really up to you what destinations are); make sure you use the correct source-ip
ip sla 1
 icmp-echo 8.8.8.8 source-ip 192.168.131.3
 timeout 200
 threshold 150
 frequency 10
ip sla 2
 icmp-echo 8.8.8.8 source-ip 192.168.132.3
 timeout 200
 threshold 150
 frequency 10
ip access-list extended SLA1
 permit icmp host 192.168.131.3 host 8.8.8.8 echo
ip access-list extended SLA2
 permit icmp host 192.168.132.3 host 8.8.8.8 echo
!force each probe out via its own ISP next-hop so a probe never leaks through the other link
route-map LOCAL_SLA permit 10
 match ip address SLA1
 set ip next-hop 192.168.131.1
 !set interface G0/1 Null0 !might be useful, but not mandatory
route-map LOCAL_SLA permit 20
 match ip address SLA2
 set ip next-hop 192.168.132.1
 !set interface G0/1 Null0 !might be useful, but not mandatory
ip local policy route-map LOCAL_SLA
ip sla group schedule 1 1-2 schedule-period 10 start-time now life forever
track 1 rtr 1 reachability
 delay down 1 up 1
track 2 rtr 2 reachability
 delay down 1 up 1
!Primary route (default AD), backup route with AD=10; each is withdrawn when its track goes down
ip route 0.0.0.0 0.0.0.0 192.168.131.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.132.1 10 track 2
!What traffic is subject to NAT
ip access-list extended NAT_ALL
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!Define our next-hops for NAT route-map
access-list 1 permit 192.168.131.1
access-list 2 permit 192.168.132.1
route-map NAT1 permit 10
 match ip address NAT_ALL
 match ip next-hop 1
route-map NAT2 permit 10
 match ip address NAT_ALL
 match ip next-hop 2
!define pool for PAT
ip nat pool POOL10 192.168.131.3 192.168.131.3 netmask 255.255.255.0
ip nat pool POOL20 192.168.132.3 192.168.132.3 netmask 255.255.255.0
!configure PAT
ip nat inside source route-map NAT1 pool POOL10 overload
ip nat inside source route-map NAT2 pool POOL20 overload
You may also use PBR on the NAT inside interface to load balance when both ISPs are up.
Best regards.
07-07-2014 01:43 AM
Thanks for the quick feedback! I was thinking along those lines but was unsure if the secondary IP address on Gig0/1 was a valid option.
I will try this shortly.