12-20-2012 04:01 AM - edited 03-04-2019 06:27 PM
Hello
I have two DSL lines and I have configured route map NAT-TO-101 to specify the addresses which use Line 1
and route map NAT-TO-102 to use Line 2, and everything is working fine.
But now I want to configure failover for both lines, so I suggest doing this:
route-map redirect permit 10
match ip address To-101
set interface Dialer1 Dialer2
!
route-map redirect permit 20
match ip address To-102
set interface Dialer2 Dialer1
But I don't know what to do with the NAT rules.
If I change the NAT rules to:
ip nat inside source route-map NAT-To-101 interface Dialer1 overload
ip nat inside source route-map NAT-To-102 interface Dialer2 overload
ip nat inside source route-map NAT-To-101 interface Dialer2 overload
ip nat inside source route-map NAT-To-102 interface Dialer1 overload
that will solve the problem,
but I don't understand whether matching of the NAT rules will be based on the Dialer interface being up or down or not?
Original configuration file:
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.52
encapsulation dot1Q 52
ip address 192.168.3.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map redirect
!
interface GigabitEthernet0/0.55
encapsulation dot1Q 55
ip address 192.168.55.10 255.255.240.0
ip access-group DNS-Guest in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address 10.23.200.10 255.255.255.248
ip flow ingress
ip flow egress
duplex auto
speed auto
service-policy input ETH-IN
interface ATM0/1/0
no ip address
ip mtu 1492
ip tcp adjust-mss 1452
no atm ilmi-keepalive
dsl enable-training-log delay 0
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface ATM0/2/0
no ip address
ip mtu 1492
ip tcp adjust-mss 1452
no atm ilmi-keepalive
dsl enable-training-log delay 0
dsl lom 200
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 2
!
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxx
ppp chap password 7 xxxxx
ppp pap sent-username xxxxx password 7 xxxxx
!
interface Dialer2
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
dialer-group 2
ppp authentication pap chap callin
ppp chap hostname xxxxx
ppp chap password 7 xxxxx
ppp pap sent-username xxxxx password 7 xxxxx
!
!
ip nat inside source route-map NAT-To-101 interface Dialer1 overload
ip nat inside source route-map NAT-To-102 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip access-list extended To-101
permit ip host 192.168.3.8 any
ip access-list extended To-102
permit ip host 192.168.55.9 any
permit ip host 192.168.55.8 any
permit ip host 192.168.3.7 any
permit ip 10.23.251.0 0.0.0.127 any
!
route-map redirect permit 10
match ip address To-101
set interface Dialer1
!
route-map redirect permit 20
match ip address To-102
set interface Dialer2
!
route-map NAT-To-101 permit 10
match ip address To-101
set interface Dialer1
route-map NAT-To-102 permit 10
match ip address To-102
set interface Dialer2
12-20-2012 04:15 AM
Hi,
You should do this for the NAT:
no route-map NAT-To-101
route-map NAT-To-101 permit 10
match ip address To-101
match interface Dialer1
no route-map NAT-To-102
route-map NAT-To-102 permit 10
match ip address To-102
match interface Dialer2
Now concerning your PBR, you should add this:
interface GigabitEthernet0/0.55
ip policy route-map redirect
interface GigabitEthernet0/1
ip policy route-map redirect
Regards.
Alain
Don't forget to rate helpful posts.
12-20-2012 04:36 AM
And do I configure these as suggested or not?
route-map redirect permit 10
match ip address To-101
set interface Dialer1 Dialer2
!
route-map redirect permit 20
match ip address To-102
set interface Dialer2 Dialer1
ip nat inside source route-map NAT-To-101 interface Dialer1 overload
ip nat inside source route-map NAT-To-102 interface Dialer2 overload
ip nat inside source route-map NAT-To-101 interface Dialer2 overload
ip nat inside source route-map NAT-To-102 interface Dialer1 overload
12-20-2012 05:07 AM
Hi,
There's no need to specify both interfaces in the PBR route-map, but it shouldn't hurt doing it as far as I know.
Regards.
Alain
Don't forget to rate helpful posts.
12-22-2012 05:08 AM
Nothing solved the problem.
Any other suggestions?
12-22-2012 06:17 AM
Hi,
What happens? Post the latest config and do a failover test while having debug ip policy and debug ip routing enabled, then post the output of the logs here.
Regards.
Alain
Don't forget to rate helpful posts.
12-22-2012 06:32 AM
Based on your suggestion:
route-map NAT-To-101 permit 10
match ip address To-101
match interface Dialer1
route-map NAT-To-102 permit 10
match ip address To-102
match interface Dialer2
I shut down interface Dialer 2,
but the traffic from NAT-To-102 is not directed toward Dialer 1; as I see it, no configuration exists to do this,
and also, with this line, these addresses are still NATed to Dialer 2:
ip nat inside source route-map NAT-To-102 interface Dialer2 overload
I couldn't understand how the traffic will be redirected to the working line with these configurations.
12-22-2012 06:48 AM
ip access-list extended To-101
permit ip host 192.168.3.8 any
ip access-list extended To-102
permit ip host 192.168.3.7 any
route-map redirect permit 10
match ip address To-101
set interface Dialer1
!
route-map redirect permit 20
match ip address To-102
set interface Dialer2
!
route-map To-102 permit 10
match ip address To-102
match interface Dialer2
!
route-map To-101 permit 10
match ip address To-101
match interface Dialer1
ip nat inside source route-map To-101 interface Dialer1 overload
ip nat inside source route-map To-102 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
Result of debug ip policy (and I can't find this command:
"debug ip routing enabled"):
Dec 22 14:45:53.949: IP: s=192.168.3.7 (GigabitEthernet0/0.52), d=69.171.235.16, len 48, FIB policy match
Dec 22 14:45:53.949: IP: s=192.168.3.7 (GigabitEthernet0/0.52), d=69.171.235.16, len 48, PBR Counted
Dec 22 14:45:53.949: IP: s=192.168.3.7 (GigabitEthernet0/0.52), d=69.171.235.16, len 48, FIB policy rejected - normal forwarding
12-22-2012 08:07 AM
Hi,
The command is debug ip routing. And what does a traceroute do before and after failover?
Regards.
Alain
Don't forget to rate helpful posts.
12-23-2012 06:23 AM
Before shutting down interface Dialer 2, everything is working fine as configured:
the IPs defined in route-map To-101 use line Dialer1
and the IPs defined in route-map To-102 use line Dialer2.
After I disable interface Dialer 2,
the route of Dialer 2 is removed from the routing table.
I think the problem is mainly with the NAT configuration:
ip nat inside source route-map To-102 interface Dialer2 overload
because this line will always NAT the "TO-102" route-map to Dialer2,
but there is no configuration telling it to NAT to Dialer 1 if Dialer 2 is not available,
and I don't know how to configure it.
12-24-2012 02:45 AM
Hi,
Change these:
route-map To-102 permit 10
match ip address To-102
match interface Dialer2
!
route-map To-101 permit 10
match ip address To-101
match interface Dialer1
To:
route-map To-102 permit 10
match ip address NAT
match interface Dialer2
!
route-map To-101 permit 10
match ip add NAT
match interface Dialer1
ip access-list extended NAT
permit ip 192.168.3.0 0.0.0.255 any
And add an EEM applet that clears the existing NAT translations when Dialer2 goes down:
event manager applet CLEARNAT
event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Dialer.*, changed state to down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
Regards.
Alain
Don't forget to rate helpful posts.
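Added example (not part of the original thread and not Cisco code): a simplified Python model of how the two NAT route-maps are selected by egress interface, showing why the per-host ACLs left failed-over traffic untranslated and why the shared NAT ACL fixes it. The function names and the "first surviving default route" fallback are assumptions of the model; the ACL entries are those posted in the thread.

```python
from ipaddress import ip_address, ip_network

# ACL source prefixes copied from the thread's 12-22 configuration and the fix.
ACLS = {
    "To-101": ["192.168.3.8/32"],
    "To-102": ["192.168.3.7/32"],
    "NAT": ["192.168.3.0/24"],
}
# PBR route-map "redirect": ACL -> preferred "set interface".
PBR = [("To-101", "Dialer1"), ("To-102", "Dialer2")]
# NAT rules as (route-map "match ip address", "match interface").
BEFORE = [("To-101", "Dialer1"), ("To-102", "Dialer2")]
AFTER = [("NAT", "Dialer1"), ("NAT", "Dialer2")]
DEFAULT_ROUTES = ["Dialer1", "Dialer2"]


def permits(acl, src):
    """True if the source address is permitted by the named ACL."""
    return any(ip_address(src) in ip_network(p) for p in ACLS[acl])


def egress(src, up):
    """Interface the packet leaves on: PBR if its interface is up, else a default route."""
    for acl, iface in PBR:
        if permits(acl, src) and iface in up:
            return iface
    # Assumption: first surviving default route (real IOS load-shares when both are up).
    return next((i for i in DEFAULT_ROUTES if i in up), None)


def nat_interface(src, rules, up):
    """Return the interface whose address the source is overloaded onto, or None."""
    out = egress(src, up)
    for acl, iface in rules:
        # A rule applies only if both the ACL and "match interface" agree.
        if iface == out and permits(acl, src):
            return iface
    return None  # no rule matched: forwarded without translation


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for up in (["Dialer1", "Dialer2"], ["Dialer1"]):
            print(name, up, nat_interface("192.168.3.7", rules, up))
```

The model covers new flows only; translations created before the failure stay in the table until they are cleared, which is what the EEM applet above is for.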
12-24-2012 06:29 AM
Thanks man, you really helped me a lot.