10-23-2018 11:39 PM - edited 03-05-2019 11:00 AM
Wondering if anyone could point me in the right direction on the best way to configure NAT overload / failover between two ISPs.
One ISP terminates on a Dialer 1 interface (over Gigabit 0/1); the other terminates on the Gigabit 0/2 interface.
Many thanks.
10-24-2018 12:54 AM
Hello,
Are both ISP connections terminating on the same router? You need an IP SLA to track the primary route, as well as an EEM script to clear your NAT translations in case of a failover. Below is a sample. See if you can adapt this to fit your config. If you need more help, post the full configuration of your router:
track 1 ip sla 1 reachability
delay down 1 up 1
!
interface GigabitEthernet0/0/0
description Primary ISP
ip address 10.10.10.1 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description Backup ISP
ip address 10.10.20.1 255.255.255.252
ip nat outside
negotiation auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip nat inside source route-map BACKUP interface GigabitEthernet0/0/1 overload
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
threshold 1000
timeout 1000
frequency 5
!
ip sla schedule 1 life forever start-time now
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10
!
route-map PRIMARY permit 10
match ip address 1
match interface GigabitEthernet0/0/0
!
route-map BACKUP permit 10
match ip address 1
match interface GigabitEthernet0/0/1
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
event manager applet CLEAR_NAT
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"
10-25-2018 04:51 PM
Excellent, thank you for this :-D I'll review and get back to you with an update.
Re: Both same router - Yes.
I kept hitting an issue with clearing NAT so I think the EEM script is what I need.
Thanks once again.
10-30-2018 04:37 PM
This has got the failover working to the backup (thank you), but when I try to fail back over to the Primary, it gets stuck on NAT and clear ip nat translation * doesn't resolve it.
To bring the Primary back to life I had to delete the following line:
ip nat inside source route-map BACKUP interface GigabitEthernet0/0/1 overload
I'm hoping an applet like the following will work; I plan to try it out after hours tonight.
event manager applet ISP_UP
event track 1 state up
action 1.0 syslog msg "Primary ISP Link Detected. Switching to Primary"
action 2.0 cli command "enable"
action 2.1 cli command "config t"
action 2.3 cli command "no ip nat inside source route-map BACKUP interface GigabitEthernet 0/1 overload"
action 2.4 cli command "Yes"
action 2.5 cli command "ip nat inside source route-map PRIMARY interface GigabitEthernet0/2 overload"
action 2.6 cli command "exit"
action 2.7 cli command "clear ip nat translation *"
action 3.0 syslog msg "Failover back to Primary ISP Complete"
If I have no joy tonight I'll be sure to post a copy of the config .
Thanks once again.
10-30-2018 04:48 PM - edited 10-30-2018 04:49 PM
Hello,
The sample config posted is fairly standard and should...work. Post what you have anyway...
11-07-2018 04:31 AM - edited 11-07-2018 04:36 AM
Failing over well:
Thanks for your help :-D
track 1 ip sla 1 reachability
default-state up
delay down 1 up 1
!
!
ip sla 1
icmp-echo <icmp-echo_ip> source-interface GigabitEthernet0/2
threshold <threshold>
timeout <timeout>
frequency 10
ip sla schedule 1 life forever start-time now
!
!
!
event manager applet ISP_DOWN
event track 1 state down
action 1.0 syslog msg "PRIMARY ISP DOWN. Moving to secondary ISP. Cleaning up NAT"
action 2.0 cli command "enable"
action 2.1 cli command "clear ip nat translation forced"
action 2.2 cli command "clear ip nat translation *"
action 2.3 cli command "config t"
action 2.4 cli command "no ip nat inside source route-map PRIMARY interface GigabitEthernet0/2 overload"
action 2.5 cli command "ip nat inside source route-map SECONDARY interface Dialer1 overload"
action 2.6 cli command "exit"
action 3.0 syslog msg "Secondary ISP now online. NAT Cleared. EEM ISP_DOWN completed"
event manager applet ISP_UP
event track 1 state up
action 1.0 syslog msg "PRIMARY ISP Detected. Moving back to Primary"
action 2.0 cli command "enable"
action 2.1 cli command "clear ip nat translation forced"
action 2.2 cli command "clear ip nat translation *"
action 2.3 cli command "config t"
action 2.4 cli command "no ip nat inside source route-map SECONDARY interface Dialer1 overload"
action 2.5 cli command "ip nat inside source route-map PRIMARY interface GigabitEthernet0/2 overload"
action 2.6 cli command "exit"
action 3.0 syslog msg "Failover back to PRIMARY ISP Complete"
!
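Added example, not from either poster in this thread: a consolidated version of the sample in the accepted answer and of the final working config above, written for the original poster's topology (primary ISP on GigabitEthernet0/2, backup ISP on Dialer1 over Gi0/1) and with the checks a practitioner would want around it. The addresses, next-hop, probe targets and timers are assumed placeholders; replace them with your own. It pins each SLA probe to the primary link with a host route so the probe cannot succeed across the backup path and flap the track, requires two independent probe targets to fail before declaring the primary down, dampens the transition, and keeps both NAT statements in the config so the EEM applets only ever have to clear translations (no interactive "Dynamic mapping in use" prompt to answer, and no window in which the router has no NAT rule at all).

```cisco
! Added example (not from the thread): dual-ISP NAT failover with tracking.
! Primary = GigabitEthernet0/2, backup = Dialer1 (PPPoE over Gi0/1).
! 203.0.113.1 (primary next-hop), 203.0.113.2 (primary address),
! 192.0.2.1 and 198.51.100.1 (probe targets) are assumed placeholders.
!
! 1. Probes: two independent targets, each pinned to the primary link by a
!    host route, so a probe can never succeed over the backup path after a
!    failover and bring the track back up while the primary is still dead.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/2
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/2
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
!
ip route 192.0.2.1 255.255.255.255 203.0.113.1
ip route 198.51.100.1 255.255.255.255 203.0.113.1
!
! 2. Tracks: the primary is down only when BOTH probes fail (boolean or),
!    and the transition is delayed so one lost reply does not fail over.
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 10 list boolean or
 object 1
 object 2
 delay down 15 up 30
!
! 3. Routing: default via the primary next-hop while track 10 is up, and a
!    floating default via Dialer1 (point-to-point, so an interface route is
!    fine there; on Ethernet prefer a next-hop address over an interface).
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 10
!
! 4. NAT: one overload statement per egress interface. The route-maps pick
!    the mapping by the interface the packet actually leaves on, so both
!    statements can stay configured at all times.
interface GigabitEthernet0/2
 description Primary ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface Dialer1
 description Backup ISP (PPPoE over Gi0/1)
 ip nat outside
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
route-map PRIMARY permit 10
 match ip address 1
 match interface GigabitEthernet0/2
route-map SECONDARY permit 10
 match ip address 1
 match interface Dialer1
ip nat inside source route-map PRIMARY interface GigabitEthernet0/2 overload
ip nat inside source route-map SECONDARY interface Dialer1 overload
!
! 5. EEM: on each transition, forcibly clear translations (including ones
!    still in use, which "clear ip nat translation *" leaves alone) so
!    existing flows are rebuilt on the new egress interface. Straight quotes
!    only; curly quotes pasted from a web page are rejected by the parser.
event manager applet ISP_DOWN
 event track 10 state down
 action 1.0 syslog priority warnings msg "Primary ISP down, failing over to Dialer1"
 action 2.0 cli command "enable"
 action 2.1 cli command "clear ip nat translation forced"
event manager applet ISP_UP
 event track 10 state up
 action 1.0 syslog priority notifications msg "Primary ISP restored, failing back"
 action 2.0 cli command "enable"
 action 2.1 cli command "clear ip nat translation forced"
```

Verify with "show track 10", "show ip sla statistics" and "show ip route 0.0.0.0", then pull the primary cable and watch "show logging" for the applet's syslog line. Two caveats worth keeping in mind: the probe targets should be hosts you are entitled to probe and that are only reachable through the primary ISP, since an outage at a single third-party destination would otherwise fail you over; and because both outside interfaces now carry public addresses, each should also have an inbound access-list that admits only return traffic and whatever you deliberately publish, or the router's own management plane is exposed on two ISP addresses instead of one.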