Mon 21 Aug 2006
Cisco - Dual Internet Connections without a BGP-enabled ISP
Posted by Josh under Cisco, Cisco Routers
Dual-homed environments with different ISPs have usually meant that BGP must be used and that both ISPs must support BGP routing. Throughout this tutorial, I will show you how you can have multiple ISPs without BGP or provider-independent IP addresses. IP SLA probes tied to tracking objects withdraw a static default route from the routing table when the ISP gateway behind it stops answering, so the remaining route carries the traffic; NAT route maps keyed on the exit interface make sure each flow is translated to the public address of the link it actually leaves on.
(The small network drawing from the original post is not reproduced here: the LAN sits on FastEthernet0, ISP1 on s0/0 and ISP2 on s0/1.)
hostname Router
!
ip cef
!####Establish SLA monitors for use in tracking objects (each one pings the directly connected ISP gateway)####!
ip sla monitor 1
 type echo protocol ipIcmpEcho 12.34.45.1
 threshold 3
 frequency 5
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
 type echo protocol ipIcmpEcho 23.45.67.1
 threshold 3
 frequency 5
ip sla monitor schedule 2 life forever start-time now
!
!####Configure tracking objects (referencing the IP SLA monitors above)####!
track 101 rtr 1 reachability
!
track 102 rtr 2 reachability
!
!####Configure interfaces with NAT####!
interface FastEthernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface s0/0
 ip address 12.34.45.2 255.255.255.0
 ip nat outside
!
interface s0/1
 ip address 23.45.67.2 255.255.255.0
 ip nat outside
!
ip classless
!####Configure gateways of last resort tied to the tracking objects (equal distance, so both are used while both tracks are up)####!
ip route 0.0.0.0 0.0.0.0 12.34.45.1 track 101
ip route 0.0.0.0 0.0.0.0 23.45.67.1 track 102
!####Configure NAT statements for most outbound traffic (the route map selects the address of the exit interface)####!
ip nat inside source route-map ISP1 interface s0/0 overload
ip nat inside source route-map ISP2 interface s0/1 overload
!####Configure NAT statements for your mail server (inside local address first, then the public address of the interface the route map matches)####!
!(remember to set up DNS for mail on both public IP addresses)!
ip nat inside source static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP1 extendable
ip nat inside source static tcp 192.168.1.10 25 23.45.67.2 25 route-map ISP2 extendable
!
access-list 10 permit 192.168.1.0 0.0.0.255
!
!####Configure route maps for reference in the NAT statements####!
route-map ISP2 permit 10
 match ip address 10
 match interface s0/1
!
route-map ISP1 permit 10
 match ip address 10
 match interface s0/0
!

A few points about this configuration. Both probes ping the directly connected ISP gateway, so they catch a dead link or gateway but not a failure further upstream in the ISP; to test beyond the gateway, probe an address on the far side and add a host route (or a local policy) for it so the probe is forced out the link it is meant to test, otherwise the probe can leave over the other link and keep the track up. Both default routes have the same administrative distance, so while both tracks are up CEF load-shares outbound traffic per destination across the two links; for a primary/backup arrangement give the backup route a higher distance. The 'ip sla monitor' and 'track ... rtr' syntax is for IOS releases before 12.4(4)T; later releases replace it with 'ip sla' and 'icmp-echo' (and, later still, 'track ... ip sla ... reachability'). Finally, NAT translations already built on a link are not torn down when its route is withdrawn, so after a failover some established flows may hang until they are cleared with 'clear ip nat translation *'.
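As an added example (it is not part of the original post), here is a Python script that cross-checks a configuration of this shape for the mistakes that are easy to make when typing it by hand: that the probe behind each tracked default route targets an address on the same connected subnet as the route's next hop, that every route map's access-list exists, and that each static translation lists the inside address first and maps it to the address of the interface its route map matches. The two sample configurations are constructed for the example: GOOD_CONFIG is the post's configuration as corrected in the comments, BAD_CONFIG re-introduces the mistakes found there. Interface names are compared as written, and overload statements are read past without being checked.

```python
"""Cross-reference checks for a dual-ISP IOS config of the kind in this post. The mistakes the comment thread
found (wrong probe target, reversed static NAT, wrong route-map name, orphaned ACL) are all dangling references."""
import ipaddress
import re

# Constructed sample: the post's configuration with the corrections from the comment thread applied.
GOOD_CONFIG = """\
ip sla monitor 1
 type echo protocol ipIcmpEcho 12.34.45.1
ip sla monitor 2
 type echo protocol ipIcmpEcho 23.45.67.1
track 101 rtr 1 reachability
track 102 rtr 2 reachability
interface FastEthernet0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
interface s0/0
 ip address 12.34.45.2 255.255.255.0
 ip nat outside
interface s0/1
 ip address 23.45.67.2 255.255.255.0
 ip nat outside
ip route 0.0.0.0 0.0.0.0 12.34.45.1 track 101
ip route 0.0.0.0 0.0.0.0 23.45.67.1 track 102
ip nat inside source route-map ISP1 interface s0/0 overload
ip nat inside source route-map ISP2 interface s0/1 overload
ip nat inside source static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP1 extendable
access-list 10 permit 192.168.1.0 0.0.0.255
route-map ISP1 permit 10
 match ip address 10
 match interface s0/0
route-map ISP2 permit 10
 match ip address 10
 match interface s0/1
"""
# Constructed "first draft": the mistakes the thread found, re-applied to the corrected config.
BAD_CONFIG = (GOOD_CONFIG
              .replace("ipIcmpEcho 23.45.67.1", "ipIcmpEcho 23.34.56.1")                    # probe target typo
              .replace("static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP1",
                       "static tcp 12.34.45.2 25 192.168.1.10 25 route-map ISP2")            # reversed, wrong map
              .replace("ISP1 permit 10\n match ip address 10", "ISP1 permit 10\n match ip address 101"))  # orphan ACL


def parse(text):
    """Collect the objects the failover design depends on; block context comes from the commands, not indentation."""
    cfg = {"interfaces": {}, "probes": {}, "tracks": {}, "routes": [], "nat": [], "acls": set(), "maps": {}}
    block = None  # dict of the interface / probe / route-map whose sub-commands are being read
    for line in (l.strip() for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if m := re.match(r"interface (\S+)$", line):
            block = cfg["interfaces"][m[1]] = {"ip": None, "nat": None}
        elif m := re.match(r"ip sla (?:monitor )?(\d+)$", line):                   # pre- and post-12.4(4)T syntax
            block = cfg["probes"][m[1]] = {"target": None}
        elif m := re.match(r"route-map (\S+) permit \d+$", line):
            block = cfg["maps"][m[1]] = {"acl": None, "iface": None}
        elif m := re.match(r"track (\d+) (?:rtr|ip sla) (\d+) reachability$", line):
            cfg["tracks"][m[1]] = m[2]; block = None
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            toks = line.split()[4:]                                                  # next hop, distance, track ...
            cfg["routes"].append({"next_hop": next((t for t in toks if t.count(".") == 3), None),
                                  "track": toks[toks.index("track") + 1] if "track" in toks else None})
            block = None
        elif m := re.match(r"ip nat inside source static(?: (?:tcp|udp))? (\S+)(?: \d+)? (\S+)(?: \d+)?(?: route-map (\S+))?", line):
            cfg["nat"].append({"local": m[1], "global": m[2], "map": m[3]}); block = None
        elif m := re.match(r"access-list (\d+)|ip access-list (?:standard|extended) (\S+)", line):
            cfg["acls"].add(m[1] or m[2]); block = None
        elif block is not None:                                                      # sub-command of the open block
            if m := re.match(r"ip address (\S+) (\S+)$", line):                      # primary address only
                block["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m := re.match(r"ip nat (inside|outside)$", line):
                block["nat"] = m[1]
            elif m := re.match(r"(?:type echo protocol ipIcmpEcho|icmp-echo) (\S+)", line):
                block["target"] = m[1]
            elif m := re.match(r"match (ip address|interface) (\S+)$", line):
                block["acl" if m[1] == "ip address" else "iface"] = m[2]
    return cfg


def check(cfg):
    """Return findings as strings; an empty list means every reference lines up."""
    out, ip = [], ipaddress.ip_address
    outside = {n: i["ip"] for n, i in cfg["interfaces"].items() if i["nat"] == "outside" and i["ip"]}
    inside = [i["ip"].network for i in cfg["interfaces"].values() if i["nat"] == "inside" and i["ip"]]
    exit_if = lambda addr: next((n for n, i in outside.items() if ip(addr) in i.network), None)  # connected link
    for r in cfg["routes"]:
        probe = cfg["probes"].get(cfg["tracks"].get(r["track"]), {"target": None})
        if r["track"] and probe["target"] is None:
            out.append(f"default route via {r['next_hop']}: track {r['track']} has no usable ip sla probe behind it")
        elif r["next_hop"] and probe["target"] and exit_if(probe["target"]) != exit_if(r["next_hop"]):
            out.append(f"default route via {r['next_hop']} is tracked by a probe to {probe['target']}, which is not on "
                       "that link's subnet; without a host route or local policy the probe may leave over the other link")
    for name, rm in cfg["maps"].items():
        if rm["acl"] and rm["acl"] not in cfg["acls"]:
            out.append(f"route-map {name} matches access-list {rm['acl']}, which is not defined")
    for nat in cfg["nat"]:                                                           # static translations
        if not any(ip(nat["local"]) in n for n in inside):
            out.append(f"static NAT {nat['local']} -> {nat['global']}: inside local address is not on an 'ip nat inside' subnet (the inside address comes first)")
        rm = cfg["maps"].get(nat["map"])
        if rm and rm["iface"] in outside and outside[rm["iface"]].ip != ip(nat["global"]):
            out.append(f"static NAT to {nat['global']} uses route-map {nat['map']}, whose interface {rm['iface']} holds {outside[rm['iface']].ip}")
    return out


if __name__ == "__main__":
    print("\n".join(check(parse(BAD_CONFIG)) or ["no findings"]))
```

Run on the corrected configuration it reports nothing; run on the first draft it reports the probe aimed at 23.34.56.1 (which no outside interface can reach directly, so the probe would leave over whichever link carries the default route), the access-list 101 that was never defined, and both halves of the reversed static translation. Paste a full 'show running-config' in and it ignores everything it does not recognise, so it can be run before a change window on the real config as well.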

April 19th, 2007 at 10:39 am
This is very accurate. One detail, both exit links must be of equal cost (bandwidth) for this to make sense. Otherwise, you may be routed over the slower link. To add link management, OER can run on top of this configuration.
If you need to have a primary, and secondary only upon failure of the primary, then adding a higher metric to one of the default routes should do…
July 17th, 2007 at 10:32 am
Is there anything in addition to that configuration if you have one interface setup as DHCP? I tried that config and it works great except the traffic out of the DHCP interface is not able to get to websites. Thanks for any help.
July 17th, 2007 at 1:57 pm
There is nothing additional for DHCP addresses (that I know of). You might check your routes to make sure the DHCP default router is not overwriting the static route you have configured with a tracking object.
I have seen PPPOE configurations change the routing.
You might also make sure the address you are pinging with the “ip sla monitor” configuration is configured to go through the interface configured for DHCP. Might have to create a static route for the ip address you are monitoring…
August 19th, 2007 at 11:32 am
It looks like your access lists 101 and 102 are orphaned.
You also might want to consider a Local Policy, since your ICMP will only go over the default route like this.
Shouldn’t you weight the ip route statements, or do you get a virtual load balancing by it flopping back and forth?
I have something like this running on a 3640, with the local policy and weighted default routes (1 per provider tracked, but then 2 “fall back”) but for some REALLY UNKNOWN reason, even if track 101 is down and 102 is up, it falls over to the first untracked ip route, even though its weight is higher than the tracked route.
August 29th, 2007 at 6:58 am
You are correct, the access lists 101 and 102 are orphaned. Thanks! They need to be removed.
A local policy or static routes are a good idea if you are monitoring an ip address that is not on the same network as your router.
For this post, decided to keep it as simple as possible and simply ping the default gateways (they’re on the same network as the outside interfaces).
You could weight the ip route statements. Again, I tried to keep it simple. By default, this setup will do a "per-destination" load balance based on CEF defaults.
Not sure what to tell you about the 3640 without actually being in the router to take a look at it.
Josh
August 29th, 2007 at 1:15 pm
Hi,
An interesting post indeed.
We had the sla monitor feature manage 2 ISPs as primary and backup ones. Both ISPs were providing T1 lines. We then upgraded the primary ISP's link to 5Mb/s. Problem was that when demand grew, the router (2611XM) switched from the primary (5Mb/s) to backup (1.5Mb/s).
I removed the ip sla monitor statements from the config and the problem was solved, but I obviously lost the redundancy.
Below is my original config. Topology: each ISP connects to a separate PIX firewall and from there to the 2611 router.
What needs to be changed to allow failover with the upgraded primary link?
Is “request-data-size” causing the problem for me? Can you explain this statement?
Thanks in advance!!!
ip sla monitor 1
type echo protocol ipIcmpEcho 64.52.XXX.XXX source-ipaddr 192.168.50.2
request-data-size 500
timeout 30
threshold 5
frequency 5
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 69.38.XXX.XXX source-ipaddr 192.168.51.2
request-data-size 1400
timeout 5
threshold 2
frequency 3
ip sla monitor schedule 2 life forever start-time now
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
August 29th, 2007 at 1:28 pm
Instead of using this command…
type echo protocol ipIcmpEcho 64.52.XXX.XXX source-ipaddr 192.168.50.2
Try this…
ip route 64.52.xxx.xxx 255.255.255.255 192.168.50.2
type echo protocol ipIcmpEcho 64.52.XXX.XXX
I am not sure that the 'source-ipaddr' command option actually forces the packet to exit the proper interface. I think its purpose is to simply change the source ip address in the packet header. Using a static route will force the packets to exit the proper interface.
As another person already mentioned, you could also use a local policy…
September 9th, 2007 at 3:31 am
A quick question. My IOS is 12.4 but when I type 'ip sla' the command is unrecognized / not available. Any ideas?
September 9th, 2007 at 5:18 pm
Peter,
It looks like the 'ip sla monitor' command has been replaced with the 'ip sla' command.
“Effective with Cisco IOS Release 12.4(4)T, the ip sla monitor command is replaced by the ip sla command. See the ip sla command for more information.” - Cisco.com
Example:
ip sla monitor 99
is replaced with
ip sla 99
Josh
September 13th, 2007 at 2:33 pm
Admin,
Will this work if we have only one interface with a secondary IP address configured? My ISP is going to shift its pools to verisona and they are giving me another IP address pool. Now I have dual pools to do NAT with one link and a route reachability problem. Although the setup will be temporary, there is uncertainty about when the first pool expires. We cannot afford any downtime.
Need advice.
Regards,
Syed Khalid Ali
September 13th, 2007 at 7:02 pm
I’ve never tried this scenario. My recommendation would be to install dynamips and test this in a lab scenario.
If you are not familiar with dynamips, here are some tutorials to get you started.
http://www.blindhog.net/category/dynamips/
Josh
October 31st, 2007 at 10:33 pm
Hi !
A related query..i guess
I have an internet connection for a server which is assigned a public IP address from ISP 1, and the server is accessed through the internet. Now I'm looking for a backup to this link. The link is also used for browsing.
I need to know how my server will be accessible after ISP 1 is down, and how I should configure the IPs from ISP 2 on the LAN so that I have automatic failover.
November 1st, 2007 at 1:56 pm
You can use the configuration above to setup a primary / secondary setup. You will probably want to add redundant DNS records for the ip address of the backup link.
Just set a higher administrative distance on the backup route…
ip route 0.0.0.0 0.0.0.0 23.45.67.1 track 102 200
Also, set the policy based static nat (inside local address first, and the route map that matches the interface holding the public address)
ip nat inside source static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP1 extendable
ip nat inside source static tcp 192.168.1.10 25 23.45.67.2 25 route-map ISP2 extendable
!
November 8th, 2007 at 7:25 am
Hi!
I’ve got a Cisco 3845 with IOS 12.4 on it and I don’t have the IP SLA command available… or the rtr command. Does anyone know why not? Do I need a different version of IOS? Again, from config t, no rtr. From config t, no IP SLA… No command.
Thanks!
November 8th, 2007 at 8:20 am
Please post the output of the 'show version' command
November 27th, 2007 at 8:16 am
You and your many readers may have fixed this without thinking about it, but I got snagged for a while trying to make it work using the format listed:
ip nat inside source static tcp 12.34.45.2 25 192.168.1.10 25 route-map ISP2 extendable
ip nat inside source static tcp 23.45.67.2 25 192.168.1.10 25 route-map ISP1 extendable
This is of course incorrect. The inside addresses should be listed first in the commands. This would be the correct form:
ip nat inside source static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP2 extendable
ip nat inside source static tcp 192.168.1.10 25 23.45.67.2 25 route-map ISP1 extendable
Thanks for the work. This detail corrected I am up and running.
November 27th, 2007 at 10:46 am
* Embarrassing *
Good job Miles…it has been corrected. I also noticed the route-map references in the ip nat statements were wrong. Geez…I wasn’t concentrating very well when I did this tutorial
Thanks for the help.
Josh
January 25th, 2008 at 2:21 pm
Hi,
Wonderful tutorial. Seriously easy to implement after the way you described it. I have a slight change in my requirement, and I’m having troubles. Can you help?
Everything’s the same except that I would like my mail server to be available on only one public IP address. Is this what I do?
ip route 0.0.0.0 0.0.0.0 12.34.45.1 track 101
ip route 0.0.0.0 0.0.0.0 23.45.67.1 100
ip route 192.168.1.10 255.255.255.255 12.34.45.1 track 101
ip nat inside source route-map ISP1 interface s0/0 overload
ip nat inside source route-map ISP2 interface s0/1 overload
ip nat inside source static 192.168.1.10 12.34.45.2 route-map ISP1 extendable
OR
ip nat inside source static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP1 extendable
Please help. Thanks.
January 25th, 2008 at 3:08 pm
The easy way to do this is to simply leave out the 'ip nat inside source static ...' statement for the second public address and only reference the primary public address with DNS and your MX record.
If you want to make sure that the mail server only uses one ISP for inbound and outbound traffic, then you would need to use policy based routing.
January 28th, 2008 at 12:27 am
Hi,
How to extend this configuration if I have the following requirement:
1. System A should go through ISP1 till it is alive else fall back to ISP2
2. System B should go through ISP2 till it is alive else fall back to ISP1
Both Systems are connected to FastEthernet Interface.
Thanks in advance
March 18th, 2008 at 2:44 pm
Hi,
I successfully configured the above config on a cisco 1811 router. I have ISA behind the router and am using the router just to load balance two cable connections.
My problem is that I want to pass PPTP traffic to the ISA from the outside, and you cannot specify the gre port in the static nat route-map statements…
Do you have a workaround for this issue?
Thanks
March 18th, 2008 at 4:06 pm
Alex,
Have you considered terminating the pptp on the router or using a Cisco IPSec vpn?
Josh
April 11th, 2008 at 9:39 am
The above config works fine, but I have a small issue: I need to execute "clear ip nat translation *" before the traffic switches to another interface. Had tried tinkering with "ip nat translation timeouts", but nothing seems to work. Hope somebody can help
Thanks
April 15th, 2008 at 2:17 pm
@Amandeep, I have not had this particular issue. If you find an answer, please post in case someone else runs into the same problem. - Josh
July 20th, 2008 at 4:59 pm
Nice tutorial. Is this possible with
the same ISP (2 separate ADSL modems)? My router has two NAT interfaces inside.
Thanks,
Jack
July 23rd, 2008 at 9:25 am
JJ,
I don’t know the complete scope of your situation, but I don’t see why it wouldn’t work.
Josh
August 10th, 2008 at 2:49 pm
Hi, I am trying to feed the DHCP-assigned IP address into the 'ip nat inside source static tcp 192.168.1.10 25 12.34.45.2 25 route-map ISP1 extendable' statement. I have an 1811 and it doesn't want to take the route-map command if I substitute 'interface FastEthernet0 25' for '12.34.45.2'. What should I do? Thx
August 10th, 2008 at 8:28 pm
@serg.tor,
Hmmmm…I have not tried this setup with dhcp yet. I will try to take a look if I get a chance.
Josh
August 11th, 2008 at 7:02 am
Hi,
If I have something like this, will it work?
ISP 1 - mpls vpn and internet
ISP 2 - only internet.
Now, the route for internet is:
ip route vrf Internet 0.0.0.0 0.0.0.0 192.168.10.56 (which is for ISP 1)
How can I route the internet traffic to the secondary ISP ?
Thanks
August 11th, 2008 at 8:52 pm
Hi, Good info.
I want to do same except for the ISP1 I don’t need NAT. So:
ISP1 —- allow public IPs from LAN
ISP2 —- NAT IPs from LAN
My computers have public IP addresses; in case ISP1 fails I want to be able to get internet. How can I do this?
August 12th, 2008 at 10:41 pm
@Adrian,
I am not familiar with vrf configurations. Sorry.
Josh
August 12th, 2008 at 10:43 pm
@Leo,
In your scenario, you will need to configure your lan with public ip addresses from ISP1.
Then translate the public addresses to the single public ip address on the ISP2 interface in the event of failure on the connection to ISP1.
Make sense?
Josh
September 12th, 2008 at 12:35 am
Hi — Great article. I’m having some trouble accessing both of my public interfaces from the outside. I seem to only be able to get to the primary one. Any help would be greatly appreciated !!
track 123 ip sla 1 reachability
track 345 ip sla 2 reachability
ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/0 [ISP GATEWAY 1] track 123
ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/1 [ISP GATEWAY 2] track 345 10
ip nat inside source route-map isp1-map interface GigabitEthernet0/0 overload
ip nat inside source route-map isp2-map interface GigabitEthernet0/1 overload
ip sla 1
icmp-echo [TEST IP 1] source-interface GigabitEthernet0/0
timeout 1000
threshold 2
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo [TEST IP 2] source-interface GigabitEthernet0/1
timeout 1000
threshold 2
frequency 1
ip sla schedule 2 life forever start-time now
route-map isp2-map permit 10
match ip address nat-list
match interface GigabitEthernet0/1
!
route-map isp1-map permit 10
match ip address nat-list
match interface GigabitEthernet0/0
Hope I included all the relevant info. When the failover link goes on, I can ssh into it. But never when the primary link is up. Thanks again.
October 16th, 2008 at 11:08 am
Will this work using S0 and FastE? Leased line and pppoe/dsl?
October 20th, 2008 at 6:37 pm
jdm,
Yes, it will work with the interfaces you mentioned.
Josh
November 18th, 2008 at 9:52 am
Hi -
I’m french, sorry for my english
Your configuration works for failover, but what about symmetric load balancing?
If both ISPs are up, is only ISP n°1 used?
Thx
February 11th, 2009 at 2:47 pm
I am trying to do this on a 1751 running 12.2(15)T11. I don't have the ip sla command. Is there a minimum version I need to be running?
Thanks
March 22nd, 2009 at 9:22 am
Hi Josh,
Great tutorial, I learned a lot. My scenario is a little bit different: I have two ISP connections (2 x G703-E1, same ISP), and on the LAN interface I have several VLANs (VLAN 3 for link 1, VLAN 4 for link 2). The ISP provides me with 3 public IP subnets (64, 32 and 8 IPs) on link 1 and 1 public IP subnet (8 IPs) on link 2. When I applied your config with some changes I had problems because some web pages open and answer ping and others don't. For instance I can open yahoo.com, but I cannot open google.com. I'd appreciate it if you could take a look at my config:
ip sla monitor 1
type echo protocol ipIcmpEcho 190.202.70.157
threshold 3
frequency 5
ip sla monitor schedule 1 life forever start-time now
ip sla monitor 2
type echo protocol ipIcmpEcho 190.202.72.185
threshold 3
frequency 5
ip sla monitor schedule 2 life forever start-time now
track 101 rtr 1 reachability
!
track 102 rtr 2 reachability
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
ip access-group 2000 in
ip access-group 2000 out
speed auto
full-duplex
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.30.10 255.255.255.0 secondary
ip address 190.202.127.1 255.255.255.192 secondary
ip address 190.202.108.57 255.255.255.248 secondary
ip address 190.202.126.193 255.255.255.224 secondary
ip address 172.40.0.1 255.255.0.0
ip access-group 103 in
ip access-group 103 out
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
no cdp enable
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 190.202.112.105 255.255.255.248 secondary
ip address 172.41.0.1 255.255.0.0
ip access-group 104 in
ip access-group 104 out
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
no snmp trap link-status
no cdp enable
!
interface Serial0/0/0:0
bandwidth 1920
ip address 190.202.70.158 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation frame-relay IETF
frame-relay interface-dlci 487
frame-relay lmi-type ansi
!
interface Serial0/0/1:0
bandwidth 1920
ip address 190.202.72.186 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation frame-relay IETF
frame-relay interface-dlci 590
frame-relay lmi-type ansi
!
ip route profile
ip route 0.0.0.0 0.0.0.0 190.202.70.157 track 101
ip route 0.0.0.0 0.0.0.0 190.202.72.185 track 102
ip nat inside source route-map enlace1 interface Serial0/0/0:0 overload
ip nat inside source route-map enlace2 interface Serial0/0/1:0 overload
access-list 103 permit ip 172.40.0.0 0.0.255.255 any
access-list 103 permit ip any 172.40.0.0 0.0.255.255
access-list 103 permit ip 190.202.127.0 0.0.0.63 any
access-list 103 permit ip any 190.202.127.0 0.0.0.63
access-list 103 permit ip 190.202.126.192 0.0.0.31 any
access-list 103 permit ip any 190.202.126.192 0.0.0.31
access-list 103 permit ip 190.202.108.56 0.0.0.7 any
access-list 103 permit ip any 190.202.108.56 0.0.0.7
access-list 103 permit ip 192.168.10.8 0.0.0.7 any
access-list 103 permit icmp any any
access-list 103 permit udp any any eq bootps
access-list 103 deny ip any any
access-list 104 permit ip 172.41.0.0 0.0.255.255 any
access-list 104 permit ip any 172.41.0.0 0.0.255.255
access-list 104 permit udp any any eq bootps
access-list 104 permit ip 190.202.112.104 0.0.0.7 any
access-list 104 permit ip any 190.202.112.104 0.0.0.7
access-list 104 permit icmp any any
access-list 104 deny ip any any
route-map enlace1 permit 10
match ip address 103
match interface Serial0/0/0:0
!
route-map enlace2 permit 10
match ip address 104
set interface Serial0/0/1:0
set ip next-hop 190.202.72.185
!
The test was done with subnets 172.40.0.0 and 172.41.0.0 (DHCP assigned by the router)
April 19th, 2009 at 7:55 am
Joaquin,
The first thing I notice is that Fa0/0 references access-list 2000, but access-list 2000 does not exist.
Josh