03-26-2019 06:54 AM
I have a single 3945 which has 2 x Fibre providers terminating onto it (say Gi0/1 and Gi0/2). There are multiple VLANs and subnets on the router, one of which is solely dedicated to Gi0/2. Gi0/2 lives in a VRF with its own DHCP/NAT/Crypto maps (and a single VLAN dot1q sub interface). Both providers are statically routed to via a default route, and there is no option for BGP here nor any other dynamic routing protocol (they are totally different ISPs).
They were put on the same device after being migrated from two individual routers, and at the request of the client, they wanted one ISP to be totally segregated for their own discrete/private use (Gi0/2).
They've now requested they'd like either link to failover to the other, in the event of an outage. They're not fussed if their VPN fails, so long as internet connectivity is maintained in some form.
Is there an easy way to failover from a Gi0/1 in no VRF to Gi0/2 in a VRF (or vice versa)? I could potentially place Gi0/1 into another VRF if required, but it seems excessive.
After advice on the best way to do this, and any possible configuration suggestions/examples.
Thanks!
03-26-2019 07:41 AM
Hello,
an IP SLA and a track failover will probably work. Post the configuration you have on your router so far, so we can fill in the missing bits and pieces...
03-27-2019 02:24 AM
Thanks George, sorry this took a while as the router has a huge amount of config on it I had to sanitise.
Building configuration...
!
hostname router1
!
boot-start-marker
boot-end-marker
!
vrf definition GeneralVRF
 rd 192.168.10.0:666
 !
 address-family ipv4
 exit-address-family
!
logging buffered 51200
!
no aaa new-model
memory-size iomem 10
!
ip cef
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.210 10.0.0.246
ip dhcp excluded-address 10.0.0.248 10.0.0.254
ip dhcp excluded-address 10.0.0.1 10.0.0.20
ip dhcp excluded-address vrf GeneralVRF 192.168.10.15
ip dhcp excluded-address vrf GeneralVRF 192.168.10.2
ip dhcp excluded-address vrf GeneralVRF 192.168.10.25
ip dhcp excluded-address vrf GeneralVRF 192.168.10.20
!
ip dhcp pool work_VLAN_50
 vrf GeneralVRF
 network 192.168.10.0 255.255.254.0
 default-router 192.168.10.1
 domain-name workdomainname.com.au
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool master_10
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254
 domain-name host.com
 dns-server 10.0.0.3 8.8.8.8
 lease 0 1
!
ip domain name workdomainname.com.au
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
hw-module sm 2
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
 path flash:backups
!
redundancy
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0.10
!
crypto isakmp policy 1
 encr 3des
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash sha256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5
 lifetime 14400
crypto isakmp key <redacted> address x.x.x.x
crypto isakmp key <redacted> address y.y.y.y
crypto isakmp key <redacted> address z.z.z.z
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set VPN-TRANS esp-3des esp-md5-hmac
 mode tunnel
!
crypto map inter-office-vpn 10 ipsec-isakmp
 description VPN to SITE1
 set peer x.x.x.x
 set transform-set VPN-TRANS
 match address 123
crypto map inter-office-vpn 20 ipsec-isakmp
 description VPN to SITE2
 set peer y.y.y.y
 set transform-set VPN-TRANS
 match address 120
crypto map inter-office-vpn 30 ipsec-isakmp
 description VPN to SITE3
 set peer z.z.z.z
 set transform-set VPN-TRANS
 match address 122
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description master Internal
 encapsulation dot1Q 10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
!
interface GigabitEthernet0/0.50
 description work
 encapsulation dot1Q 50
 vrf forwarding GeneralVRF
 ip address 192.168.10.1 255.255.254.0
 ip nat inside
 no ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description General Internet
 vrf forwarding GeneralVRF
 ip address a.a.a.a 255.255.255.252
 ip nat outside
 no ip virtual-reassembly in
 load-interval 30
 media-type sfp
!
interface GigabitEthernet0/2
 description Private Internet
 ip address b.b.b.b 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map inter-office-vpn
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/2 122
ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/2 443
ip nat inside source list from-master-networks interface GigabitEthernet0/2 overload
ip nat inside source list from-internal-networks interface GigabitEthernet0/2 overload
ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload
ip nat inside source static tcp 10.0.0.205 591 b.b.b.b 333 route-map no-nat-ipsec extendable
ip nat inside source static tcp 192.168.10.218 50001 a.a.a.a 444 vrf GeneralVRF extendable
!
ip route 0.0.0.0 0.0.0.0 b.b.b.c
ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b
!
ip access-list extended deny_nat_172_16
 permit ip host 10.0.0.205 10.0.0.0 0.0.255.255
ip access-list extended from-master-networks
 deny   ip 10.0.0.0 0.0.0.255 10.0.48.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.0.16.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.0.80.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.1.255 any
ip access-list extended from-internal-networks
 permit ip 192.168.0.0 0.0.1.255 any
 permit ip 192.168.2.0 0.0.1.255 any
 permit ip 192.168.10.0 0.0.1.255 any
 permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended permit_any
 permit ip any any
!
logging trap debugging
logging origin-id hostname
logging facility syslog
logging host 103.13.186.97
logging host 150.107.73.147
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.16.0 0.0.0.255
access-list 122 permit ip 10.0.0.0 0.0.0.255 10.0.80.0 0.0.0.255
access-list 123 permit ip 10.0.0.0 0.0.0.255 10.0.48.0 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
route-map no-nat-ipsec deny 10
 match ip address deny_nat_172_16
!
route-map no-nat-ipsec permit 20
 match ip address permit_any
!
end
I've had to remove a lot of the config, but it's working fine 'as is', so anything missing is a typo in the clean-up.
Gi0/1 is a.a.a.a/30, with a.a.a.b being the next hop/default gateway
Gi0/2 is b.b.b.b/30, with b.b.b.c being the next hop/default gateway
The VRF and non-VRF setup both have their own DHCP pools and NAT statements (there are a lot of NAT statements I've removed from this example though).
Thanks again.
03-27-2019 03:08 AM
Hello,
I need to lab this. Since you need both links up at the same time, with mutual failover, a simple SLA with tracking will not be enough.
I'll get back with you...
03-27-2019 03:21 AM
Appreciate it! If you need more info, feel free to drop me a message. As a standalone setup it works great for making it two separate services, but trying to fail over one link to another I'm not so sure of.
03-27-2019 03:53 AM
Hello,
I am working on it, will get back with you asap...
03-27-2019 06:07 AM - edited 03-27-2019 06:09 AM
Hello,
below is what I have come up with. It involves a series of EEM scripts that change the configuration of the router based on the status of the interfaces. Since figuring this out required a lot of cutting and pasting, check or better, test, before implementing:
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! SLA 1 sources from Gi0/1, which lives in GeneralVRF, so the probe must
! also be bound to that VRF or it is routed from the global table.
! Both probes target 8.8.8.8; once a default route has been swapped the
! probe for the failed link can reach 8.8.8.8 over the surviving link and
! flap the track, so pin each probe's path (per-link host route or
! distinct targets) before relying on this.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 vrf GeneralVRF
 frequency 300
!
ip sla 2
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/2
 frequency 300
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
event manager applet CLEAR_NAT_GeneralVRF
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 cli command "end"
!
event manager applet CLEAR_NAT_PRIVATE_INTERNET
 event track 2 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 cli command "end"
!
! Gi0/1 (VRF) lost: send GeneralVRF out the global Gi0/2 link. The VRF
! default route needs the "global" keyword so b.b.b.c is resolved in the
! global table. The NAT rules keep "vrf GeneralVRF" because that keyword
! names the inside VRF, not the VRF of the outside interface.
event manager applet GeneralVRF_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "no ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b"
 action 4.0 cli command "ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 b.b.b.c global"
 action 5.0 cli command "no ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
 action 6.0 cli command "no ip nat inside source static tcp 192.168.10.218 50001 a.a.a.a 444 vrf GeneralVRF extendable"
 action 7.0 cli command "ip nat inside source list from-internal-networks interface GigabitEthernet0/2 vrf GeneralVRF overload"
 action 8.0 cli command "ip nat inside source static tcp 192.168.10.218 50001 b.b.b.b 444 vrf GeneralVRF extendable"
 action 9.0 cli command "end"
 action 10.0 cli command "clear ip route vrf GeneralVRF *"
!
! Gi0/1 back: undo exactly what GeneralVRF_DOWN added and restore the
! original VRF route and NAT rules.
event manager applet GeneralVRF_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "no ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 b.b.b.c global"
 action 4.0 cli command "ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b"
 action 5.0 cli command "no ip nat inside source list from-internal-networks interface GigabitEthernet0/2 vrf GeneralVRF overload"
 action 6.0 cli command "no ip nat inside source static tcp 192.168.10.218 50001 b.b.b.b 444 vrf GeneralVRF extendable"
 action 7.0 cli command "ip nat inside source list from-internal-networks interface GigabitEthernet0/1 vrf GeneralVRF overload"
 action 8.0 cli command "ip nat inside source static tcp 192.168.10.218 50001 a.a.a.a 444 vrf GeneralVRF extendable"
 action 9.0 cli command "end"
 action 10.0 cli command "clear ip route vrf GeneralVRF *"
!
! Gi0/2 (global) lost: point the global default at the VRF interface
! Gi0/1. A global static route into a VRF must name the interface as well
! as the next hop. These NAT rules carry no "vrf" keyword because their
! inside hosts are in the global table; adding "vrf GeneralVRF" would
! duplicate the VRF's own Gi0/1 rule and delete it again on recovery.
event manager applet PRIVATE_INTERNET_DOWN
 event track 2 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 b.b.b.c"
 action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 a.a.a.b"
 action 5.0 cli command "no ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/2 122"
 action 6.0 cli command "no ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/2 443"
 action 7.0 cli command "no ip nat inside source list from-master-networks interface GigabitEthernet0/2 overload"
 action 8.0 cli command "no ip nat inside source list from-internal-networks interface GigabitEthernet0/2 overload"
 action 9.0 cli command "no ip nat inside source static tcp 10.0.0.205 591 b.b.b.b 333 route-map no-nat-ipsec extendable"
 action 10.0 cli command "ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/1 122"
 action 11.0 cli command "ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/1 443"
 action 12.0 cli command "ip nat inside source list from-master-networks interface GigabitEthernet0/1 overload"
 action 13.0 cli command "ip nat inside source list from-internal-networks interface GigabitEthernet0/1 overload"
 action 14.0 cli command "ip nat inside source static tcp 10.0.0.205 591 a.a.a.a 333 route-map no-nat-ipsec extendable"
 action 15.0 cli command "end"
 action 16.0 cli command "clear ip route *"
!
! Gi0/2 back: undo exactly what PRIVATE_INTERNET_DOWN added and restore
! the original global route and NAT rules.
event manager applet PRIVATE_INTERNET_UP
 event track 2 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 a.a.a.b"
 action 4.0 cli command "ip route 0.0.0.0 0.0.0.0 b.b.b.c"
 action 5.0 cli command "no ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/1 122"
 action 6.0 cli command "no ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/1 443"
 action 7.0 cli command "no ip nat inside source list from-master-networks interface GigabitEthernet0/1 overload"
 action 8.0 cli command "no ip nat inside source list from-internal-networks interface GigabitEthernet0/1 overload"
 action 9.0 cli command "no ip nat inside source static tcp 10.0.0.205 591 a.a.a.a 333 route-map no-nat-ipsec extendable"
 action 10.0 cli command "ip nat inside source static tcp 10.0.0.4 122 interface GigabitEthernet0/2 122"
 action 11.0 cli command "ip nat inside source static tcp 10.0.0.4 443 interface GigabitEthernet0/2 443"
 action 12.0 cli command "ip nat inside source list from-master-networks interface GigabitEthernet0/2 overload"
 action 13.0 cli command "ip nat inside source list from-internal-networks interface GigabitEthernet0/2 overload"
 action 14.0 cli command "ip nat inside source static tcp 10.0.0.205 591 b.b.b.b 333 route-map no-nat-ipsec extendable"
 action 15.0 cli command "end"
 action 16.0 cli command "clear ip route *"
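The design above rewrites the running config from paired EEM applets, so every line a DOWN applet adds must be removed by its UP partner and every line it removes must be restored, or a failover that works once will leave stale NAT or routes behind on the next one. Cut-and-paste slips (a missing "no", a line removed and then re-added unchanged, a missing space after "cli command") are exactly the class of error that is hard to spot by eye. The script below is an added example from the editor, not code from the thread: it parses the applets out of a saved config and reports those asymmetries. The applet names and the config sample are constructed for the demonstration.

```python
"""Consistency check for paired EEM DOWN/UP applets (editor's example).

Parses "event manager applet" blocks from an IOS config and checks that a
DOWN applet and its UP partner are mirror images of each other. The
sample config at the bottom is constructed and deliberately contains the
two slips discussed in the thread.
"""
import re

APPLET_RE = re.compile(r"^event manager applet (\S+)")
# \s* after "command" so a missing space still yields the command text.
CLI_RE = re.compile(r'^\s*action\s+\S+\s+cli command\s*"(.*)"\s*$')

# Mode changes that are not config lines and so need no mirror.
IGNORE = {"enable", "config t", "configure terminal", "end"}


def parse_applets(config_text):
    """Return ({applet_name: [cli strings]}, [formatting problems])."""
    applets, problems, current = {}, [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = APPLET_RE.match(line.strip())
        if m:
            current = m.group(1)
            applets[current] = []
            continue
        if current is None:
            continue
        if 'cli command"' in line:
            problems.append(f"line {lineno}: missing space after 'cli command'")
        m = CLI_RE.match(line)
        if m:
            applets[current].append(m.group(1).strip())
    return applets, problems


def split_changes(commands):
    """Split an applet's CLI into (added, removed) config lines."""
    added, removed = set(), set()
    for cmd in commands:
        if cmd in IGNORE or cmd.startswith("clear "):
            continue  # clears are side effects, not config to mirror
        if cmd.startswith("no "):
            removed.add(cmd[3:])
        else:
            added.add(cmd)
    return added, removed


def check_pair(applets, down_name, up_name):
    """Report every way the DOWN and UP applets fail to mirror each other."""
    findings = []
    d_add, d_rem = split_changes(applets[down_name])
    u_add, u_rem = split_changes(applets[up_name])
    for name, add, rem in ((down_name, d_add, d_rem), (up_name, u_add, u_rem)):
        for cmd in add & rem:  # "no X" followed by "X": a no-op slip
            findings.append(f"{name} removes and re-adds unchanged: {cmd}")
    for cmd in d_add - u_rem:
        findings.append(f"{down_name} adds but {up_name} never removes: {cmd}")
    for cmd in d_rem - u_add:
        findings.append(f"{down_name} removes but {up_name} never restores: {cmd}")
    for cmd in u_add - d_rem:
        findings.append(f"{up_name} adds but {down_name} never removes: {cmd}")
    for cmd in u_rem - d_add:
        findings.append(f"{up_name} removes but {down_name} never adds: {cmd}")
    return findings


# Constructed sample: action 5.0 lacks the space after "command", and the
# DOWN applet removes the Gi0/1 NAT rule only to add the same line back.
SAMPLE_CONFIG = """\
event manager applet LINK_A_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "no ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b"
 action 4.0 cli command "ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 b.b.b.c global"
 action 5.0 cli command"no ip nat inside source list INSIDE interface GigabitEthernet0/1 vrf GeneralVRF overload"
 action 6.0 cli command "ip nat inside source list INSIDE interface GigabitEthernet0/1 vrf GeneralVRF overload"
 action 7.0 cli command "end"
 action 8.0 cli command "clear ip route vrf GeneralVRF *"
!
event manager applet LINK_A_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "no ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 b.b.b.c global"
 action 4.0 cli command "ip route vrf GeneralVRF 0.0.0.0 0.0.0.0 a.a.a.b"
 action 5.0 cli command "no ip nat inside source list INSIDE interface GigabitEthernet0/2 vrf GeneralVRF overload"
 action 6.0 cli command "ip nat inside source list INSIDE interface GigabitEthernet0/1 vrf GeneralVRF overload"
 action 7.0 cli command "end"
 action 8.0 cli command "clear ip route vrf GeneralVRF *"
"""


def run_check(config_text=SAMPLE_CONFIG, down_name="LINK_A_DOWN", up_name="LINK_A_UP"):
    """Parse the config and return (formatting problems, pairing findings)."""
    applets, problems = parse_applets(config_text)
    return problems, check_pair(applets, down_name, up_name)


if __name__ == "__main__":
    for item in (x for group in run_check() for x in group):
        print(item)
```

Feed it the output of `show running-config | section event manager` and run `check_pair` once per DOWN/UP pair; a clean pair returns an empty list. The parser treats "clear" commands and mode changes as side effects rather than config, so those are never reported as unmirrored.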
03-26-2019 08:15 AM
Please share the running-config. SLA will work
Regards,
Deepak Kumar