Cisco ip sla and track

Published on by dellpe

Question:

Today I configured IP SLA tracking for the Internet link and used PBR to route my LAN traffic as I choose. Everything went fine and is working very well without any problem; I just have a question about how it is working. Below is my topology and configuration.

Topology:

  • Branch Router is connected to two ISPs links, on Fa0/0 and Fa0/1. Fa1/0.100 and Fa1/0.200 connected to internal LANs
  • LAN subnet LAN1: 192.168.100.0/24 and LAN2: 192.168.200.0/24
  • LAN1 reaches Internet via ISP1 and LAN2 reaches internet via ISP2
  • Routing protocol used is OSPF
  • NAT is not used since it is a LAB environment

Configuration in Cisco WS-C3750X-48T-S:

!
track 1 ip sla 1 reachability
!
ip sla 1
icmp-echo 4.2.2.2 source-interface FastEthernet0/1
timeout 1000
threshold 100
frequency 5
ip sla schedule 1 life forever start-time now
!
ip access-list standard LAN1
permit 192.168.100.0 0.0.0.255
ip access-list standard LAN2
permit 192.168.200.0 0.0.0.255
!
route-map ISP1 permit 10
match ip address LAN1
set ip next-hop verify-availability 4.2.2.2 1 track 1
set ip next-hop 101.101.101.1
route-map ISP2 permit 10
match ip address LAN2
!
Applied the ip policy on the Fa1/0.100 and Fa1/0.200 subinterfaces
!

As per the above configuration on the Branch Router, LAN1 reaches the Internet via ISP1 and LAN2 via ISP2. When ISP1 goes down, LAN1 traffic is routed through ISP2, and vice versa. When ISP1 comes back, LAN1 reaches the Internet via ISP1 again, and the same applies to LAN2.

My question is: how does LAN1 route via ISP2 when ISP1 goes down?

I need a suggestion and an explanation.

Answer:

There are 2 failovers that need to happen when using 2 Internet connections:

Network failover: when the Internet cannot be reached via one ISP network, the router should use the other available ISP network. You configure this using Track, IP SLA and PBR to tell the router which ISP to use and what criteria cause the router to switch over. You also have to apply the route-map configured here to your LAN-facing interface.
NAT failover: when one link fails, the NAT entries of the failed ISP network cannot be routed via the available ISP network, since they are different subnets; the router therefore needs to immediately build a fresh NAT entry for the same affected LAN subnet(s). If this is not properly set up, the router can fail over to the 2nd ISP with the old NAT entry and the traffic will begin to get dropped. As per your scenario, the following example should help:


ISP 1 = 100.100.100.1
ISP 2 = 200.200.200.1
Router F0/0 = 100.100.100.2
Router F0/1 = 200.200.200.2
Router F1/0.100 (LAN1) = 192.168.100.0/24
Router F1/0.200 (LAN2) = 192.168.200.0/24


Configs

track 1 ip sla 1 reachability
delay down 1 up 1

track 2 ip sla 2 reachability
delay down 1 up 1

ip sla 1
icmp-echo 100.100.100.1 source-interface FastEthernet0/0
timeout 5000
threshold 5000 (if the latency on this link goes beyond 5000ms, note that this SLA will consider this link as failed)
frequency 5
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 200.200.200.1 source-interface FastEthernet0/1
timeout 5000
threshold 5000 (if the latency on this link goes beyond 5000ms, note that this SLA will consider this link as failed)
frequency 5
ip sla schedule 2 life forever start-time now

ip access-list extended LAN1_ACL
deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 (Needed to unapply the policy for inter-LAN traffic)
permit ip 192.168.100.0 0.0.0.255 any

ip access-list extended LAN2_ACL
deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 (Needed to unapply the policy for inter-LAN traffic)
permit ip 192.168.200.0 0.0.0.255 any

route-map LAN1_INTERNET_POLICY permit 10
match ip address LAN1_ACL
set ip next-hop verify-availability 100.100.100.1 1 track 1
set ip next-hop verify-availability 200.200.200.1 2 track 2

route-map LAN2_INTERNET_POLICY permit 10
match ip address LAN2_ACL
set ip next-hop verify-availability 200.200.200.1 1 track 2
set ip next-hop verify-availability 100.100.100.1 2 track 1

interface f0/0
ip nat outside

interface f0/1
ip nat outside

int f1/0.100
ip nat inside
ip policy route-map LAN1_INTERNET_POLICY

int f1/0.200
ip nat inside
ip policy route-map LAN2_INTERNET_POLICY

At this point, you have completed the Network Failover part of the config; if one link goes down now, the router will switch to the other available link. Notice each PBR carries two ip next-hop entries with sequence numbering telling it which next-hop to use first; if you have 5 ISPs, you'll have 5 entries using the sequence numbers to give priority. Also notice we had to first deny inter-LAN traffic from being used for this policy. This is important only if your LANs pass through the router to inter-communicate; without it you may have shut down inter-LAN comms by the policy. If inter-LAN comms happen on an internal switch, then the deny lines of the ACLs will not be needed.
The next agenda is to implement NAT failover. It's really not a failover; it is called multi-homing, whereby the router automatically builds the right NAT entry for any traffic traversing it notwithstanding the number of ISPs available. See as follows:

ip access-list standard NAT_ACL
permit any

route-map ISP1_NAT permit 10
match ip address NAT_ACL
match interface f0/0

route-map ISP2_NAT permit 10
match ip address NAT_ACL
match interface f0/1

ip nat inside source route-map ISP1_NAT interface FastEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface FastEthernet0/1 overload


That's it! We are done. Notice our NAT ACL just matches any traffic and it's the same ACL for both ISPs NAT route-maps. Only the matched interfaces differ. You might as well configure your NAT ACL to permit only both internal subnets (192.168.100.0/24 & 192.168.200.0/24) instead of any. It will still achieve the same thing. Bottom line is your NAT ACL must match & permit all traffic that will require NAT whether using their primary or secondary ISPs correspondingly. What enforces which ISP each LAN should use per time are the PBRs applied on their respective LAN interfaces.

Optionally, if you need to test this with ICMP stateful failover, you might need to add ip nat translation icmp-timeout 1.
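To make the selection logic of the answer's config concrete, here is a small Python model (added here, not part of the original post or of IOS) of how the ACL deny lines, the sequenced verify-availability next-hops with their tracks, and the interface-matched NAT route-maps interact. The addressing is the post's; the test destination 8.8.8.8, the host addresses and the track states are constructed.

```python
# Added example: models the PBR + NAT selection of the posted config (not IOS code).
import ipaddress


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Extended ACLs as ordered (action, src, dst) entries; first match wins, implicit deny.
# The deny lines keep inter-LAN traffic off the policy, exactly as in the post.
ACLS = {
    "LAN1_ACL": [("deny", "192.168.100.0/24", "192.168.200.0/24"),
                 ("permit", "192.168.100.0/24", "0.0.0.0/0")],
    "LAN2_ACL": [("deny", "192.168.200.0/24", "192.168.100.0/24"),
                 ("permit", "192.168.200.0/24", "0.0.0.0/0")],
}


def acl_permits(name, src, dst):
    for action, s, d in ACLS[name]:
        if in_net(src, s) and in_net(dst, d):
            return action == "permit"
    return False


# Per LAN subinterface: matched ACL and the "set ip next-hop verify-availability"
# entries in sequence order, each tied to the track object that guards it.
POLICY = {
    "f1/0.100": ("LAN1_ACL", [("100.100.100.1", 1), ("200.200.200.1", 2)]),
    "f1/0.200": ("LAN2_ACL", [("200.200.200.1", 2), ("100.100.100.1", 1)]),
}
# Outside interface behind each ISP gateway: this is what "match interface f0/x"
# in the ISP1_NAT / ISP2_NAT route-maps keys on, so NAT follows the chosen egress.
GATEWAY_IFACE = {"100.100.100.1": "f0/0", "200.200.200.1": "f0/1"}


def forward(in_iface, src, dst, tracks):
    """Return (next_hop, nat_outside_iface); (None, None) = normal routing, no PBR.

    tracks: {track_id: True if the IP SLA probe succeeds (reachable), else False}
    """
    acl, hops = POLICY[in_iface]
    if not acl_permits(acl, src, dst):
        return None, None          # e.g. inter-LAN traffic hits the deny line
    for hop, track in hops:        # lowest sequence number first
        if tracks[track]:
            return hop, GATEWAY_IFACE[hop]
    return None, None              # every track down: fall back to the routing table
```

Flipping track 1 to False reproduces the failover the question asks about: LAN1 traffic moves to 200.200.200.1 and is translated on f0/1, while LAN2 traffic is unaffected.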

Published on Cisco 3750
