NAT for internet traffic once Primary Internet fails

rec stalmaski
Level 1

Hello,

I would like to ask if someone has seen this kind of scenario. This is kind of new to me. The primary router is homed to the Internet and the backup is connected to a private IP MPLS (most of the setups I have seen are the other way around). One of the requirements is that in case the primary link (Internet) fails, traffic should be routed to the backup router via HSRP. To prevent asymmetric routing for return traffic, they said we need to implement NAT on the secondary router. This puzzled me a lot, and I might need someone to guide me on how to understand this scenario.

Many thanks 

5 Replies

 Hello,

Do you have a BGP AS number, or do you have two ranges of different public IPs from two different service providers?

I do not have your configuration and topology, so my answer is just based on a guess.

On the primary router you have one range of IP addresses. If your primary link goes down and you use the secondary router for the internet connection while the source IP is still from your primary ISP, the return traffic will be routed to the primary ISP. Since the primary ISP is down, you will not receive that traffic, so you need to do NAT using the IP addresses provided by the MPLS connection.

Masoud

Thank you for checking my post. Currently I don't have any configuration yet, that's why I'm seeking a higher-level opinion prior to doing so. Sorry for my bad English.

Below is the depicted diagram. R1 and R2 will share the LAN via the same HSRP group (say HSRP group 1). R3 and R4 will be connected to the internet cloud and will be in a separate HSRP; however, since R4 hasn't arrived, R3 will be connected to R2 and they will form a separate HSRP (let's say group 2).
In a failure of R3, traffic should take R2, then MPLS, then R5, wherein R5 has a separate connection to the Internet.

Now, based on my understanding above, NAT should be implemented on R2 so the return traffic will know how to get back via MPLS instead of taking the down internet link. Would it be OK to see a sample script of how the NAT configs would look to achieve this? Or did I miss any details? Thanks

Ganesh Hariharan
VIP Alumni

Hello,

Could you clarify a few queries below:

Do you have two routers with primary and secondary connections?

Are services like internet and MPLS provided by the same provider?

And what is the current configuration on both the routers?

Hope it helps.

-GI

Jon Marshall
Hall of Fame

We would need to understand your topology a bit better to be precise.

NAT can be used to make sure the traffic is not asymmetric.

However I'm not sure it is being used here specifically for that purpose.

I think what is happening is you have private IPs within your site and you are using VPN tunnels over the internet.

I also suspect you are not exchanging routes over the VPN tunnel.

So if the internet connection fails, traffic goes out over MPLS and no NAT is needed. But the other end does not know the VPN is not usable, so it would try to send the traffic via the VPN instead of the MPLS connection.

I think the idea is that you use NAT for the MPLS connection and then have a route to the NAT subnet pointing to the MPLS connection at the other end, so that return traffic is routed back over the MPLS connection.

So in a way it is more to do with making sure packets are not dropped than asymmetric routing.

The obvious solution to this would be to pass routing updates across the VPN, something like DMVPN, so that if the internet connection failed the other sites would no longer receive the routes via VPN and would always use the MPLS connection to send return traffic.

Or perhaps I have got it all wrong :-)

Jon
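
The following is an added Cisco IOS configuration sketch, not posted by anyone in this thread, that puts Masoud's point (translate to addresses the MPLS side can route) and Jon's point (a route to the NAT subnet via MPLS at the far end) into concrete form for the R1/R2/R5 layout the original poster described. Every interface name, address, HSRP priority and the ICMP probe target are assumptions chosen for illustration (192.168.10.0/24 LAN, 10.255.0.0/30 on the R2 to MPLS link, 10.200.10.0/24 as a NAT pool that is routed only on the MPLS side, 203.0.113.1 as an Internet-side reachability target); substitute the real ones. The NAT rule is bound to the MPLS egress interface with a route-map so that R2 translates only the traffic it actually forwards onto MPLS, never traffic it might forward back towards R1:

```cisco
! Added example (not from the thread). All names/addresses are assumptions.
!   LAN            192.168.10.0/24, HSRP group 1 VIP 192.168.10.1
!   R2 MPLS link   10.255.0.2/30 towards the provider, next hop 10.255.0.1
!   NAT pool       10.200.10.0/24, known only to the MPLS side
!
! ---------- R1 (primary, Internet-homed): give up HSRP when the Internet path dies
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
!
interface GigabitEthernet0/0
 description LAN (HSRP group 1 with R2)
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 30
! 110 - 30 = 80 < R2's 90, so R2 becomes HSRP active when the probe fails
!
! ---------- R2 (backup, MPLS-homed): translate only what leaves via MPLS
interface GigabitEthernet0/0
 description LAN (HSRP group 1 with R1)
 ip address 192.168.10.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.10.1
 standby 1 priority 90
 standby 1 preempt
!
interface GigabitEthernet0/1
 description MPLS CE link towards R5
 ip address 10.255.0.2 255.255.255.252
 ip nat outside
!
ip access-list extended LAN-SOURCES
 permit ip 192.168.10.0 0.0.0.255 any
!
! 'match interface' ties the translation to the MPLS egress interface
route-map NAT-TO-MPLS permit 10
 match ip address LAN-SOURCES
 match interface GigabitEthernet0/1
!
ip nat pool MPLS-POOL 10.200.10.1 10.200.10.254 netmask 255.255.255.0
ip nat inside source route-map NAT-TO-MPLS pool MPLS-POOL overload
!
! R2's default must stay on MPLS; never point it back at R1 or the
! translated flows become asymmetric again
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! ---------- R5 (and any other MPLS site): the return route Jon describes
! Next hop is whatever R5 uses to reach the MPLS cloud (assumed 10.255.0.2 here);
! alternatively advertise 10.200.10.0/24 to the provider from R2 via BGP
ip route 10.200.10.0 255.255.255.0 10.255.0.2
```

After a failover, `show standby brief` on R2 should show group 1 active and `show ip nat translations` should show LAN sources rewritten into 10.200.10.0/24 only for flows leaving GigabitEthernet0/1. Two caveats a practitioner should plan for: the translation state lives on R2 alone, so established sessions do not survive the switch in either direction; and, as Jon notes, this only works while the far end has no more specific route to 192.168.10.0/24 via the VPN, otherwise untranslated replies would still be pulled towards the dead Internet path.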

You could also consider using EIGRP with LISP encapsulation and creating an OTP network.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-xe-3s-book/ire-eigrp-over-the-top.html
