Three ISP scenario with some split traffic

luchonat1
Level 1

Hello everybody! I have this scenario:

My main router is a 1921 ISR

Multiple local networks assigned to multiple VLANs, and connected to three Internet providers. These providers are just standard services (three different cable providers), so I have one public IP address for each provider.

What I want to achieve is to have two of these services (ISP1 and ISP2) provide general internet access for the local networks, and the third one (ISP3, which is more reliable but has less bandwidth) provide internet access for selected hosts in these LANs.

Also, if ISP1 ---AND--- ISP2 go down, use ISP3 for all internet traffic. All internet access is driven with NAT overload, of course.

My config goes something like this (only relevant parts!):

!
track 1 ip sla 1
 delay down 90 up 90
!
track 2 ip sla 2
 delay down 90 up 90
!
track 3 ip sla 3
 delay down 90 up 90
!
interface GigabitEthernet0/0
 description ISP1
 ip address A.B.C.D 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ISP2
 ip address E.F.G.H 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/3
 description ISP3
 switchport access vlan 100
 no ip address
!
interface Vlan100
 description ISP3
 ip address I.J.K.L 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 zone-member security outside
!
ip local policy route-map router-local
!
ip nat pool ISP1-pool A.B.C.D A.B.C.D prefix-length 24
ip nat pool ISP2-pool E.F.G.H E.F.G.H prefix-length 24
ip nat pool ISP3-pool I.J.K.L I.J.K.L prefix-length 29
ip nat source route-map AlwaysISP3-nat pool ISP3-pool overload
ip nat source route-map ISP1-nat pool ISP1-pool overload
ip nat source route-map ISP2-nat pool ISP2-pool overload
!
! All three defaults carry the same AD (10)
ip route 0.0.0.0 0.0.0.0 ISP1GW 10 track 1
ip route 0.0.0.0 0.0.0.0 ISP2GW 10 track 2
ip route 0.0.0.0 0.0.0.0 ISP3GW 10 track 3
!
ip access-list extended ISP1_Local
 permit ip host A.B.C.D any
 permit icmp host A.B.C.D any
ip access-list extended ISP2_Local
 permit ip host E.F.G.H any
 permit icmp host E.F.G.H any
ip access-list extended ISP3_Local
 permit ip host I.J.K.L any
 permit icmp host I.J.K.L any
!
ip access-list extended navigation-always-ISP3-nat
 permit ip host w.x.y.z any
 permit icmp host w.x.y.z any
 deny icmp any any
 deny ip any any
ip access-list extended navigation-nat
 remark CCP_ACL Category=18
 deny ip host w.x.y.z any
 deny icmp host w.x.y.z any
 deny ip vlanAIP vlanAMask vlanBIP vlanBMask
 deny ip vlanAIP vlanAMask vlanCIP vlanCMask
 deny ip vlanBIP vlanBMask vlanAIP vlanAMask
 deny ip vlanBIP vlanBMask vlanCIP vlanCMask
 deny ip vlanCIP vlanCMask vlanAIP vlanAMask
 deny ip vlanCIP vlanCMask vlanBIP vlanBMask
 deny icmp vlanAIP vlanAMask vlanBIP vlanBMask
 deny icmp vlanAIP vlanAMask vlanCIP vlanCMask
 deny icmp vlanBIP vlanBMask vlanAIP vlanAMask
 deny icmp vlanBIP vlanBMask vlanCIP vlanCMask
 deny icmp vlanCIP vlanCMask vlanAIP vlanAMask
 deny icmp vlanCIP vlanCMask vlanBIP vlanBMask
 permit ip vlanAIP vlanAMask any
 permit icmp vlanAIP vlanAMask any
 permit ip vlanBIP vlanBMask any
 permit icmp vlanBIP vlanBMask any
 permit ip vlanCIP vlanCMask any
 permit icmp vlanCIP vlanCMask any
 deny icmp any any
 deny ip any any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 threshold 40
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 threshold 40
 timeout 1000
 frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 8.8.8.8 source-interface Vlan100
 threshold 40
 timeout 1000
 frequency 3
ip sla schedule 3 life forever start-time now
!
! ISP3-nat is defined here but is only bound to ISP3-pool by the FORCE_ISP3 applet below
route-map ISP3-nat permit 10
 match ip address navigation-nat
 match interface Vlan100
!
route-map ISP1-nat permit 10
 match ip address navigation-nat
 match interface GigabitEthernet0/0
!
route-map AlwaysISP3-nat permit 10
 match ip address navigation-always-ISP3-nat
 match interface Vlan100
!
route-map router-local permit 10
 match ip address ISP1_Local
 set ip next-hop ISP1GW
!
route-map router-local permit 20
 match ip address ISP2_Local
 set ip next-hop ISP2GW
!
route-map router-local permit 30
 match ip address ISP3_Local
 set ip next-hop ISP3GW
!
route-map ISP2-nat permit 10
 match ip address navigation-nat
 match interface GigabitEthernet0/1
!
event manager applet CLEAR_NAT_ISP1_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP1_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_DOWN
 event track 2 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP2_UP
 event track 2 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet FORCE_ISP3
 event tag 1.0 track 1 state down
 event tag 1.1 track 2 state down
 trigger
  correlate event 1.0 and event 1.1
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 2.0 cli command "ip nat source route-map ISP3-nat pool ISP3-pool overload"
 action 3.0 cli command "exit"
 action 3.1 cli command "clear ip nat nvi translation forced"
event manager applet UNFORCE_TELECOM
 event tag 1.0 track 1 state up
 event tag 1.1 track 2 state up
 trigger
  correlate event 1.0 or event 1.1
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 2.0 cli command "no ip nat source route-map ISP3-nat pool ISP3-pool overload"
 action 3.0 cli command "exit"
 action 3.1 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_DOWN
 event track 3 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat nvi translation forced"
event manager applet CLEAR_NAT_ISP3_UP
 event track 3 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat nvi translation forced"
!
end

With ISP1 and ISP2 up and ISP3 down (doing a shutdown on VLAN 100), everything goes fine. The problem arises when turning on ISP3... I don't know why, but the router starts to stop NATting some (random) traffic. It seems to me that general traffic starts to be routed through the three interfaces (I think CEF does that) and, because there's no "ip nat source route-map ISP3-nat pool ISP3-pool overload", traffic that is routed through ISP3 does not get translated. I think I have read that routing is applied first and then NAT. So how can I force general traffic not to be routed through ISP3 before it even reaches NAT?

Thanks!!

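The following show commands are an added check, not part of the original post, for confirming the diagnosis above on the 1921 before changing anything: three equal-AD defaults are installed, CEF load-shares per destination across them, and flows that leave via Vlan100 never appear in the NVI translation table because no "ip nat source route-map ... ISP3-pool" line is bound while ISP1 and ISP2 are up. The addresses are the thread's own placeholders; the LAN host address vlanA-host is an assumption.

```cisco
! Added verification commands (not from the original post). Placeholders: ISP1GW/ISP2GW/ISP3GW,
! A.B.C.D/E.F.G.H/I.J.K.L, w.x.y.z as in the thread; vlanA-host = any host in VLAN A (assumed).
!
! 1. Routing table: with all three tracks up, expect three 0.0.0.0/0 entries, all AD 10,
!    i.e. equal-cost static defaults that CEF will share across.
show ip route 0.0.0.0 0.0.0.0
show ip cef 0.0.0.0/0 detail
!
! 2. Which exit a particular LAN flow takes. Per-destination CEF load sharing hashes on
!    source/destination, so the same host to different destinations can land on different ISPs.
show ip cef exact-route vlanA-host 8.8.8.8
show ip cef exact-route vlanA-host 1.1.1.1
!
! 3. NVI NAT state. A flow that step 2 sends out Vlan100 while only ISP1-nat, ISP2-nat and
!    AlwaysISP3-nat are bound has no matching "ip nat source route-map" entry, so it leaves
!    untranslated with its RFC 1918 source and is missing here.
show ip nat nvi translations
show ip nat nvi statistics
!
! 4. Which "ip nat source route-map" lines are currently bound (the EEM applets add/remove ISP3-nat)
show running-config | include ip nat source
!
! 5. Track and SLA state, to rule out a flapping track as the cause of the "random" behaviour
show track brief
show ip sla statistics
```

Step 2 is the key observation: if "show ip cef exact-route" returns Vlan100 / ISP3GW for a general-traffic host while ISP1 and ISP2 are up, the packet is routed to ISP3 before the NAT route-maps are consulted, which is exactly the behaviour described in the post.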
Accepted Solution

Francesco Molino
VIP Alumni

Hi

Your static routes towards the ISPs have the same AD, and the router will do load balancing.

My suggestions are:

- increase the AD for the static route towards ISP3, like 20 instead of 10

- create a route-map calling an ACL denying the inter-LAN subnets and allowing the specific subnet to go through ISP3 for internet.

- use this route-map for PBR on the specific subnet that needs to go through ISP3. On this PBR use verify-availability to make sure it will use the routing table in case ISP3 goes down. You can check this documentation for help: https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/48003-pbrtracking.html

Last but not least, keep tracking on the routes going to ISP1 and ISP2 to be able to get out through ISP3.


Let me know if you need some help on configuration, I'll give you config samples tomorrow after work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
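The configuration below is an added example, not Francesco's or the original poster's config, that applies the four points of the accepted answer to the placeholders used in the thread (ISP1GW/ISP2GW/ISP3GW, vlanAIP/vlanAMask and friends, the selected host w.x.y.z, tracks 1-3). The ACL name ISP3-PREFERRED, the route-map name ISP3-PBR and the LAN SVI Vlan10 are assumptions; the last NAT line is my own simplification, explained after the block.

```cisco
! Added example config applying the accepted answer; names ISP3-PREFERRED, ISP3-PBR and Vlan10 are assumed.
!
! 1. ISP3 becomes a floating default (AD 20). It is installed only once both tracked ISP1/ISP2
!    defaults have been withdrawn, so CEF no longer load-shares general traffic onto Vlan100.
no ip route 0.0.0.0 0.0.0.0 ISP3GW 10 track 3
ip route 0.0.0.0 0.0.0.0 ISP3GW 20 track 3
!
! 2. Keep the tracked ISP1/ISP2 defaults (unchanged from the thread). Their tracks are what
!    pulls them out of the table on SLA failure and lets the AD-20 ISP3 route take over.
ip route 0.0.0.0 0.0.0.0 ISP1GW 10 track 1
ip route 0.0.0.0 0.0.0.0 ISP2GW 10 track 2
!
! 3. PBR match ACL: never policy-route inter-VLAN traffic (it must stay on the local routing
!    table), then match only Internet-bound traffic from the selected host(s).
ip access-list extended ISP3-PREFERRED
 deny   ip host w.x.y.z vlanAIP vlanAMask
 deny   ip host w.x.y.z vlanBIP vlanBMask
 deny   ip host w.x.y.z vlanCIP vlanCMask
 permit ip host w.x.y.z any
!
! 4. PBR with verify-availability tied to track 3: the next hop is used only while the ISP3 SLA
!    is up. When track 3 is down the set clause is skipped and the packet falls through to the
!    routing table (ISP1/ISP2 if either is up, otherwise the AD-20 ISP3 default).
route-map ISP3-PBR permit 10
 match ip address ISP3-PREFERRED
 set ip next-hop verify-availability ISP3GW 10 track 3
!
! Apply the policy on the LAN SVI where the selected host lives (Vlan10 is an assumed placeholder).
interface Vlan10
 ip policy route-map ISP3-PBR
!
! NAT: bind ISP3-nat permanently instead of adding/removing it from EEM. The route-map only
! matches packets that actually exit Vlan100 ("match interface Vlan100"), so with the AD-20
! default in place it is inert while ISP1 or ISP2 is up and translates everything when both are down.
ip nat source route-map ISP3-nat pool ISP3-pool overload
```

With this in place the FORCE_ISP3 and UNFORCE_TELECOM applets from the original config are no longer needed, and the CLEAR_NAT_* applets can stay as they are to flush stale NVI translations on failover. One caveat that follows from the posted ACLs: navigation-nat explicitly denies host w.x.y.z, and it is the only ACL referenced by ISP1-nat and ISP2-nat, so when ISP3 is down the selected host's traffic falls through to ISP1/ISP2 but has no translation rule on GigabitEthernet0/0 or 0/1. If that host should keep Internet access during an ISP3 outage, drop the two "deny ... host w.x.y.z any" lines from navigation-nat; AlwaysISP3-nat still wins for it on Vlan100 because it is bound first.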

3 Replies

Your answer was just perfect!!! Thanks a Lot!!

You're welcome!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question