cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1322
Views
10
Helpful
7
Replies

SLA failover from one ISP to another in a separate VRF

Drew T
Level 1
Level 1

I have a single 3945 which has 2 x Fibre providers terminating onto it (say Gi0/1 and Gi0/2). There are multiple VLAN's and subnets on the router, one of which is solely dedicated to Gi0/2. Gi0/2 lives in a VRF with its own DHCP/NAT/Crypto maps (and a single VLAN dot1q sub interface). Both providers are statically routed to via a default route, and there is no option for BGP here nor any other dynamic routing protocol (they are totally different ISP's). 

 

They were put on the same device after being migrated from two individual routers, and at the request of the client, they wanted one to be ISP to be totally segregated for their own discrete/private use (Gi0/2).

 

They've now requested they'd like either link to failover to the other, in the event of an outage. They're not fussed if their VPN fails, so long as internet connectivity is maintained in some form.

 

Is there an easy way to failover from a Gi0/1 in no VRF to Gi0/2 in a VRF (or vice versa)? I could potentially place Gi0/1 into another VRF if required, but it seems excessive. 

 

After advice on the best way to do this, and any possible configuration suggestions/examples. 

 

Thanks!

7 Replies 7

Hello,

 

an IP SLA and a track failover will probably work. Post the configuration you have on your router so far, so we can fill in the missing bits and pieces...

Thanks George, sorry this took a while as the router has a huge amount of config on it I had to sanitise. 

 

Building configuration...
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
vrf definition GeneralVRF
 rd 192.168.10.0:666
 !
 address-family ipv4
 exit-address-family
!
logging buffered 51200
!
no aaa new-model
memory-size iomem 10
!
!
!
ip cef
!
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.210 10.0.0.246
ip dhcp excluded-address 10.0.0.248 10.0.0.254
ip dhcp excluded-address 10.0.0.1 10.0.0.20
ip dhcp excluded-address vrf GeneralVRF 192.168.10.15
ip dhcp excluded-address vrf GeneralVRF 192.168.10.2
ip dhcp excluded-address vrf GeneralVRF 192.168.10.25
ip dhcp excluded-address vrf GeneralVRF 192.168.10.20
!
!
ip dhcp pool work_VLAN_50
 vrf GeneralVRF
 network 192.168.10.0 255.255.254.0
 default-router 192.168.10.1 
 domain-name workdomainname.com.au
 dns-server 8.8.8.8 8.8.4.4 
!
ip dhcp pool master_10
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254 
 domain-name host.com
 dns-server 10.0.0.3 8.8.8.8 
 lease 0 1
!
!
!
!
ip domain name workdomainname.com.au
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
hw-module sm 2
!
!
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
 path flash:backups
!
redundancy
!
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0.10
! 
!
crypto isakmp policy 1
 encr 3des
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash sha256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
 lifetime 14400
crypto isakmp key <redacted> address x.x.x.x  
crypto isakmp key <redacted> address y.y.y.y 
crypto isakmp key <redacted> address z.z.z.z  
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set VPN-TRANS esp-3des esp-md5-hmac 
 mode tunnel
!
!
!
crypto map inter-office-vpn 10 ipsec-isakmp 
 description VPN to SITE1
 set peer x.x.x.x
 set transform-set VPN-TRANS 
 match address 123
crypto map inter-office-vpn 20 ipsec-isakmp 
 description VPN to SITE2
 set peer y.y.y.y
 set transform-set VPN-TRANS 
 match address 120
crypto map inter-office-vpn 30 ipsec-isakmp 
 description VPN to SITE3
 set peer z.z.z.z
 set transform-set VPN-TRANS 
 match address 122
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description master Internal
 encapsulation dot1Q 10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
!
interface GigabitEthernet0/0.50
 description work
 encapsulation dot1Q 50
 vrf forwarding GeneralVRF
 ip address 192.168.10.1 255.255.254.0
 ip nat inside
 no ip virtual-reassembly in
!
!
interface GigabitEthernet0/1
 description General Internet
 vrf forwarding GeneralVRF
 ip address a.a.a.a 255.255.255.252
 ip nat outside
 no ip virtual-reassembly in
 load-interval 30
 media-type sfp
!
!
interface GigabitEthernet0/2
 description Private Internet
 ip address b.b.b.b 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map inter-office-vpn
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/2 122
ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/2 443
ip nat inside source list from-master-networks interface GigabitEthernet0/2 overload
ip nat inside source list from-internal-networks interface GigabitEthernet0/2 overload
ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload
ip nat inside source static tcp 10.0.0.205 591 b.b.b.b 333 route-map no-nat-ipsec extendable
ip nat inside source static tcp 192.168.10.218 50001 a.a.a.a 444 vrf GeneralVRF extendable
!
ip route 0.0.0.0 0.0.0.0 b.b.b.c
ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b
!
ip access-list extended deny_nat_172_16
 permit ip host 10.0.0.205 10.0.0.0 0.0.255.255
ip access-list extended from-master-networks
 deny   ip 10.0.0.0 0.0.0.255 10.0.48.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.0.16.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.0.80.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.1.255 any
ip access-list extended from-internal-networks
 permit ip 192.168.0.0 0.0.1.255 any
 permit ip 192.168.2.0 0.0.1.255 any
 permit ip 192.168.10.0 0.0.1.255 any
 permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended permit_any
 permit ip any any
!
logging trap debugging
logging origin-id hostname
logging facility syslog
logging host 103.13.186.97
logging host 150.107.73.147
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.0.0.255 10.0.80.0 0.0.0.255
access-list 123 permit ip 10.0.0.0 0.0.0.255 10.0.48.0 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
route-map no-nat-ipsec deny 10
 match ip address deny_nat_172_16
!         
route-map no-nat-ipsec permit 20
 match ip address permit_any
!
!
!
end

i've had to remove a lot of the config, but it's working fine 'as is' so anything missing is a typo in the clean up. 

 

Gi0/1 is a.a.a.a/30, with a.a.a.b being the next hop/default gateway

Gi0/2 is b.b.b.b/30, with b.b.b.c being the next hop/default gateway

 

The VRF and non-VRF setup both have their own DHCP pools and NAT statements (There are a lot of NAT statements i've removed from this example though). 

 

Thanks again.

Hello,

 

I need to lab this. Since you need both links up at the same time, with mutual failover, a simple SLA with tracking will not be enough.

 

I'll get back with you...

Appreciate it! If you need more info, feel free to drop me a message. As a standalone setup it works great for making it two separate services, but trying to failover one link to another i'm not so sure of. 

Hello,

 

I am working on it, will get back with you asap...

Hello,

 

below is what I have come up with. It involves a series of EEM scripts that change the configuration of the router based on the status of the interfaces. Since figuring this out required a lot of cutting and pasting, check or better, test, before implementing:

 

track 1 ip sla 1 reachability
track 2 ip sla 2 reachabiity
!
ip sla 1
icmp-echo 8.8.8.8 source interface GigabitEthernet0/1
frequency 300
!
ip sla 2
icmp-echo 8.8.8.8 source interface GigabitEthernet0/2
frequency 300
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
event manager applet CLEAR_NAT_GeneralVRF
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "end"
!
event manager applet CLEAR_NAT_PRIVATE_INTERNET
event track 2 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
action 3.0 cli command "end"
!
event manager applet GeneralVRF_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b"
action 4.0 cli command "ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 b.b.b.c"
action 5.0 cli command"no ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 6.0 cli command "no ip nat inside source static tcp 192.168.10.218 50001 a.a.a.a 444 vrf GeneralVRF extendable"
action 7.0 cli command "ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 8.0 cli command "ip nat inside source static tcp 192.168.10.218 50001 b.b.b.b 444 extendable"
action 9.0 cli command "end"
action 10.0 cli command "clear ip route vrf GeneralVRF *"
!
event manager applet GeneralVRF_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 b.b.b.c"
action 4.0 cli command "ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b"
action 5.0 cli command "no ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 6.0 cli command "no ip nat inside source static tcp 192.168.10.218 50001 b.b.b.b 444 extendable"
action 7.0 cli command"ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 8.0 cli command "ip nat inside source static tcp 192.168.10.218 50001 a.a.a.a 444 vrf GeneralVRF extendable"
action 9.0 cli command "end"
action 10.0 cli command "clear ip route vrf GeneralVRF *"
!
event manager applet PRIVATE_INTERNET_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 b.b.b.c"
action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 a.a.a.b"
action 5.0 cli command "no ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/2 122"
action 6.0 cli command "no ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/2 443"
action 7.0 cli command "no ip nat inside source list from-master-networks interface GigabitEthernet0/2 overload"
action 8.0 cli command "no ip nat inside source list from-internal-networks interface GigabitEthernet0/2 overload"
action 9.0 cli command "no ip nat inside source static tcp 10.0.0.205 591 b.b.b.b 333 route-map no-nat-ipsec extendable"
action 10.0 cli command "ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/1 vrf GeneralVRF 122"
action 11.0 cli command "ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/1 vrf GeneralVRF 443"
action 12.0 cli command "ip nat inside source list from-master-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 13.0 cli command "ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 14.0 cli command "ip nat inside source static tcp 10.0.0.205 591 a.a.a.a 333 route-map no-nat-ipsec extendable"
action 15.0 cli command "end"
action 16.0 cli command "clear ip route *"
!
event manager applet PRIVATE_INTERNET_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 a.a.a.b"
action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 b.b.b.c"
action 5.0 cli command "ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/1 vrf GeneralVRF 122"
action 6.0 cli command "no ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/1 vrf GeneralVRF 443"
action 7.0 cli command "no ip nat inside source list from-master-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 8.0 cli command "no ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
action 9.0 cli command "no ip nat inside source static tcp 10.0.0.205 591 a.a.a.a 333 route-map no-nat-ipsec extendable"
action 10.0 cli command "ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/2 122"
action 11.0 cli command "ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/2 443"
action 12.0 cli command "ip nat inside source list from-master-networks interface GigabitEthernet0/2 overload"
action 13.0 cli command "ip nat inside source list from-internal-networks interface GigabitEthernet0/2 overload"
action 14.0 cli command "ip nat inside source static tcp 10.0.0.205 591 b.b.b.b 333 route-map no-nat-ipsec extendable"
action 15.0 cli command "end"
action 16.0 cli command "clear ip route *"

 

Deepak Kumar
VIP Alumni
VIP Alumni

Please share the running-config. SLA will work

 

Regards,

Deepak Kumar

 

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: