
At the request of workers: Dual ISP on cisco routers without BGP
A typical task, which nonetheless continues to raise questions.
I’ll try to briefly describe the essence of technology and pitfalls.
So, let us have one Cisco border router with one internal port (g0/0) and two external ones (f0/0 and f0/1). It is connected to two providers, each of which has issued its own pool of addresses, Pool(ISP1) and Pool(ISP2) (these are networks belonging to the respective provider). For simplicity, let the addresses of the interfaces f0/0 and f0/1 come from those same pools, as do the gateway addresses (Gate(ISP1) and Gate(ISP2), respectively).
Since we cannot run BGP, we must configure a default route towards each provider. And here the first question arises: what problem do we want to solve? Redundancy, or simultaneous use of both providers?
Redundancy.
In this topology only one provider works at a time. That is, we must arrange for ISP1 to be checked: if it is alive, traffic goes through it, and if it is "dead", we switch to the backup provider ISP2. There is a pitfall here: NAT. We can write several translation rules, but we must somehow indicate that when we exit via ISP1 we use Pool(ISP1), and when we exit via ISP2 we use Pool(ISP2); otherwise the router will always use whichever translation was written first in the configuration. Clearly, if traffic goes out via ISP2 while the source addresses are from Pool(ISP1), then in the best case we get asymmetric routing, and in the worst case the packets go nowhere, for example because the providers apply RFC 2827 filtering, which means not accepting packets whose source addresses are not from your own network.
So, we have two subtasks: checking that the provider (route) is alive, and address translation that takes the outgoing interface into account.
Liveness check.
Cisco routers have a wonderful feature called IP SLA. With it you can not only ping a given address, but also check the liveness of particular services (ftp-connect, tcp-connect) or measure channel parameters (icmp-jitter, udp-jitter). Here we consider the simplest and most common method: pinging a specific host. For simplicity we will ping the provider's gateway address, Gate(ISPX). If you need to ping some other address, you must explicitly configure a route to that address via the specific provider you are checking.
! Set the parameters of the "pinger"
ip sla {#}
 icmp-echo {ip} [source-interface {int}]
!
! Start the pinger
ip sla schedule {#} start now life forever
!
! Configure the "switch" (track) on which the route will depend
track {#} ip sla {#} reachability
!
! Set up a default route that depends on the track
ip route 0.0.0.0 0.0.0.0 {next-hop} track {#}
Note: in old IOS versions, the command binding a track to an SLA looked like this:
track {#} rtr {sla #} reachability
If the host responds, the track is in the UP state and the route is present in the routing table. If the ping stops, then after a configured period of time (by default 3 * 10 seconds) the track changes its state to DOWN and the route is removed until the track changes its state again.
Example:
ip sla 1
 icmp-echo Gate(ISP1)
ip sla schedule 1 start now life forever
track 11 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 Gate(ISP1) track 11
ISP2 need not be checked, so as not to generate unnecessary service traffic on that channel: it is the backup and may be expensive (a satellite link, for example, or a dial-up link billed by connection time). We write the route to the second provider with a higher administrative distance, so that it only takes effect when the primary one disappears.
Configuring address translation rules based on the outgoing interface.
There are actually two tasks here: dynamic and static address translation. The first is needed for outbound traffic, the second for publishing services. In both cases we need a construct called a route-map (you will need one route-map per provider).
! Create the route-map
route-map ISPX permit {#}
 ! Specify the criterion for matching this route-map clause
 match interface {outbound interface}
There is a subtlety: when you enter the keyword interface, the context help says
interface Match first hop interface of route
That is, generally speaking, it is not clear what this parameter means. Moreover, depending on what is configured on the interface itself, this criterion can mean either the incoming or the outgoing interface! It depends on the ip nat command on that interface:
ip nat inside - the criterion will mean the incoming interface
ip nat outside - the criterion will mean the outgoing interface
Next, we need an address pool from each provider (IOS requires a netmask or prefix-length on the pool):
ip nat pool POOLX {start-ip(ISPX)} {end-ip(ISPX)} netmask {mask(ISPX)}
And now the NAT rules for each provider can be written:
ip nat inside source route-map ISPX POOLX overload
overload is a keyword meaning PAT (Port Address Translation, i.e. translation that also takes the source port into account).
If we need to add static translations, we do almost the same thing (let the server be assigned an address Srv(ISPX) from each provider, and let its local address be Srv(LAN)):
ip nat inside source static Srv (ISPX) Srv (LAN) route-map ISPX
____________
UPD ATTENTION: THE LINE ABOVE IS WRONG!
It should be
ip nat inside source static Srv (LAN) Srv (ISPX) route-map ISPX
____________
In this case, of course, you must make sure that both addresses (Srv(ISP1) and Srv(ISP2)) are registered on the DNS servers under the same name.
In total, we get:
!
! interfaces
int g0/0
 ip address [LAN]
 ip nat inside
!
int f0/0
 ip address Address(ISP1)
 ip nat outside
!
int f0/1
 ip address Address(ISP2)
 ip nat outside
!
! Routing
ip sla 1
 icmp-echo Gate(ISP1)
ip sla schedule 1 start now life forever
track 11 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 Gate(ISP1) track 11
ip route 0.0.0.0 0.0.0.0 Gate(ISP2) 50
!
! Pools for NAT (netmask or prefix-length is mandatory)
ip nat pool POOL1 {start-ip(ISP1)} {end-ip(ISP1)} netmask {mask(ISP1)}
ip nat pool POOL2 {start-ip(ISP2)} {end-ip(ISP2)} netmask {mask(ISP2)}
!
! route-maps for NAT
route-map ISP1 permit 10
 match interface f0/0
!
route-map ISP2 permit 10
 match interface f0/1
!
! NAT rules
ip nat inside source route-map ISP1 POOL1 overload
ip nat inside source route-map ISP2 POOL2 overload
ip nat inside source static Srv(LAN) Srv(ISP1) route-map ISP1
ip nat inside source static Srv(LAN) Srv(ISP2) route-map ISP2
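An added config check, written for this page and not part of the original post: it parses a configuration like the one above and flags the pitfalls described here (an outside interface with no NAT route-map of its own, the swapped static NAT arguments from the UPD, and a backup default route without a higher administrative distance). It assumes, as the post does, that the outside interface addresses come from the provider pools; the sample config and its addresses are constructed.

```python
import ipaddress

# Constructed sample (not from the post): its final config with the placeholders filled
# from the documentation prefixes 192.0.2.0/24 (ISP1) and 198.51.100.0/24 (ISP2).
GOOD = """\
interface f0/0
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
interface f0/1
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 11
ip route 0.0.0.0 0.0.0.0 198.51.100.1 50
route-map ISP1 permit 10
 match interface f0/0
route-map ISP2 permit 10
 match interface f0/1
ip nat inside source route-map ISP1 POOL1 overload
ip nat inside source route-map ISP2 POOL2 overload
ip nat inside source static 10.0.0.10 192.0.2.10 route-map ISP1
"""

def audit(cfg):
    """Check a dual-ISP config for the pitfalls described in the post; [] means clean."""
    addr, outside, rm_if, nat_rms, defaults, problems, cur = {}, set(), {}, set(), [], [], None
    for w in filter(None, map(str.split, cfg.splitlines())):   # tokenised non-empty lines
        if w[0] in ("interface", "int", "route-map"):
            cur = w[1]                      # the interface or route-map block we are inside
        elif w[:2] == ["ip", "address"]:
            addr[cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:3] == ["ip", "nat", "outside"]:
            outside.add(cur)
        elif w[:2] == ["match", "interface"]:
            rm_if[cur] = w[2]
        elif w[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            nat_rms.add(w[5])
        elif w[:5] == ["ip", "nat", "inside", "source", "static"]:
            # local address comes first; a provider-subnet address there is the UPD mistake
            if any(ipaddress.ip_address(w[5]) in addr[i] for i in outside if i in addr):
                problems.append("static NAT arguments swapped: " + " ".join(w))
        elif w[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            ad = int(w[5]) if len(w) > 5 and w[5].isdigit() else 1   # default AD is 1
            defaults.append((ad, "track" in w))
    covered = {rm_if.get(r) for r in nat_rms}     # outside interfaces that get their own NAT
    for i in sorted(outside - covered):
        problems.append(f"{i}: no NAT route-map, exits via it would keep the other ISP's addresses")
    primary = [ad for ad, tracked in defaults if tracked]
    if len(primary) != 1 or not any(ad > primary[0] for ad, tracked in defaults if not tracked):
        problems.append("need one tracked primary default route plus a backup with a higher AD")
    return problems
```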
The simultaneous use of two providers
If in the first case everything is clear and unambiguous, then with simultaneous use of two providers problems arise.
Is this topic interesting? What thoughts and problems do you have?
Write in: if there is interest, I will collect them together with my own thoughts and post them.