Balancing NAT traffic between two providers on the same physical Cisco router

    In the classic setup where two ISPs are connected to one router, both links can be used at the same time to NAT internal clients with load balancing, not only as a failover for when one of the providers goes down.

    This is done as follows, using VRFs.

    VRF definition for the first provider:
    export our route target 100:0,
    import the route target 100:1 from the second provider's VRF

    ip vrf ISPA
     rd 100:0
     route-target export 100:0
     route-target import 100:1
    

    VRF definition for the second provider:
    export our route target 100:1,
    import the route target 100:0 from the first provider's VRF

    ip vrf ISPB
     rd 100:1
     route-target export 100:1
     route-target import 100:0
    

    VRF definition for the client network:
    import both route targets, 100:0 and 100:1, from the two provider VRFs

    ip vrf LAN
     rd 100:100
     route-target import 100:0
     route-target import 100:1
    


    Interface settings.
    Towards the first provider:
    place the interface in the correct VRF
    ip vrf forwarding ISPA

    and enable NAT on it
    ip nat outside


    interface FastEthernet0/0
     ip vrf forwarding ISPA
     ip address 50.0.0.1 255.0.0.0
     ip nat outside
    

    Towards the second provider:
    place the interface in the correct VRF
    ip vrf forwarding ISPB

    and enable NAT on it
    ip nat outside


    interface FastEthernet1/0
     ip vrf forwarding ISPB
     ip address 60.0.0.1 255.0.0.0
     ip nat outside
    

    The interface facing the local network:
    place the interface in the correct VRF
    ip vrf forwarding LAN

    and enable NAT on it
    ip nat inside


    interface FastEthernet1/1
     ip vrf forwarding LAN
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
    


    Default routes to the providers, each placed in its provider's VRF:

    ip route vrf ISPA 0.0.0.0 0.0.0.0 50.0.0.2
    ip route vrf ISPB 0.0.0.0 0.0.0.0 60.0.0.2
    


    Configuring BGP for mutual redistribution of routes between the VRFs.
    In the provider VRFs we redistribute the connected networks of the interfaces:
    redistribute connected

    and the static default routes to the providers:
      redistribute static
      default-information originate

    In the client VRF we allow load balancing over both imported default routes:
    maximum-paths 2


    router bgp 65000
     address-family ipv4 vrf ISPA
      redistribute connected
      redistribute static
      default-information originate
     address-family ipv4 vrf ISPB
      redistribute connected
      redistribute static
      default-information originate
     address-family ipv4 vrf LAN
      redistribute connected
      maximum-paths 2
    


    NAT rules:
    enable overloaded (PAT) NAT on both external interfaces for the client VRF

    ip nat inside source route-map A interface FastEthernet0/0 vrf LAN overload
    ip nat inside source route-map B interface FastEthernet1/0 vrf LAN overload
    


    Access list and route-maps for the NAT rules.
    The route-maps serve two purposes:
    - IOS does not allow two different NAT rules for the same access-list
    - the outgoing interface identifies which provider address to translate to

    route-map A permit 10
     match ip address 1
     match interface FastEthernet0/0
    route-map B permit 10
     match ip address 1
     match interface FastEthernet1/0
    access-list 1 permit 192.168.0.0 0.0.0.255
    


    To verify that the routes are actually being balanced, use the traceroute command:
    R1#traceroute vrf  LAN 8.8.8.8 source fa 1/1
    Type escape sequence to abort.
    Tracing the route to 8.8.8.8
    VRF info: (vrf in name/id, vrf out name/id)
      1 50.0.0.2 132 msec
        60.0.0.2 44 msec
        50.0.0.2 24 msec
    

    As the replies show, the next hops of both providers respond.

    The NAT table after these replies confirms the translations that were created:
    R1#show ip nat translations
    Pro Inside global      Inside local       Outside local      Outside global
    udp 50.0.0.1:49162     192.168.0.1:49162  8.8.8.8:33434      8.8.8.8:33434
    udp 60.0.0.1:49163     192.168.0.1:49163  8.8.8.8:33435      8.8.8.8:33435
    udp 50.0.0.1:49164     192.168.0.1:49164  8.8.8.8:33436      8.8.8.8:33436
    
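    A check a practitioner can run against the output of show ip nat translations, as an added example that is not part of the original post: it parses the table, maps each inside-global address back to its provider through the addresses of the two NAT outside interfaces, and reports whether both providers are actually carrying sessions. The sample table is constructed here in the same format as the capture above, with one extra TCP session.

```python
import re
from collections import Counter

# Constructed sample in the format of IOS "show ip nat translations" (not the
# page's own capture); the last line is an extra TCP session for illustration.
NAT_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 50.0.0.1:49162     192.168.0.1:49162  8.8.8.8:33434      8.8.8.8:33434
udp 60.0.0.1:49163     192.168.0.1:49163  8.8.8.8:33435      8.8.8.8:33435
udp 50.0.0.1:49164     192.168.0.1:49164  8.8.8.8:33436      8.8.8.8:33436
tcp 60.0.0.1:1025      192.168.0.10:1025  1.1.1.1:443        1.1.1.1:443
"""

# The only inside-global addresses that should ever appear: the IPs of the two
# "ip nat outside" interfaces, mapped to the provider VRF they belong to.
PROVIDER_BY_GLOBAL = {"50.0.0.1": "ISPA", "60.0.0.1": "ISPB"}

# One translation per line: protocol, inside global, inside local, outside local,
# outside global. The header has more than five columns, so it never matches.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_translations(text):
    """Return a 5-tuple per translation line, skipping the header."""
    return [m.groups() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def host_of(addr):
    """'50.0.0.1:49162' -> '50.0.0.1'; an entry without a port is returned as is."""
    host, sep, _port = addr.rpartition(":")
    return host if sep else addr

def balance_report(text, provider_by_global=PROVIDER_BY_GLOBAL):
    """Count translations per provider and list inside-global addresses that
    belong to no NAT outside interface (a sign the route-map/interface binding
    in the "ip nat inside source" rules is wrong)."""
    per_provider, unexpected = Counter(), []
    for _proto, inside_global, *_rest in parse_translations(text):
        provider = provider_by_global.get(host_of(inside_global))
        if provider is None:
            unexpected.append(inside_global)
        else:
            per_provider[provider] += 1
    # Balanced means every configured provider carries at least one session.
    balanced = set(per_provider) == set(provider_by_global.values())
    return {"per_provider": dict(per_provider),
            "unexpected": unexpected, "balanced": balanced}
```

    Paste the real "show ip nat translations" output into balance_report to get the same summary for a live router.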


    The routing table of the client VRF looks like this:
    R1#show ip route vrf LAN
    B*    0.0.0.0/0 [20/0] via 60.0.0.2 (ISPB), 00:00:20
                    [20/0] via 50.0.0.2 (ISPA), 00:00:20
          50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    B        50.0.0.0/8 is directly connected (ISPA), 00:00:22, FastEthernet0/0
    L        50.0.0.1/32 is directly connected, FastEthernet0/0
          60.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    B        60.0.0.0/8 is directly connected (ISPB), 00:00:20, FastEthernet1/0
    L        60.0.0.1/32 is directly connected, FastEthernet1/0
          192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.0.0/24 is directly connected, FastEthernet1/1
    L        192.168.0.1/32 is directly connected, FastEthernet1/1
    


    The same configuration without VRFs:
    ! interface to the first provider
    interface FastEthernet0/0
     ip address 50.0.0.1 255.0.0.0
     ip nat outside
    ! interface to the second provider
    interface FastEthernet1/0
     ip address 60.0.0.1 255.0.0.0
     ip nat outside
    ! interface to the client network
    interface FastEthernet1/1
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
    ! PBR so that, for requests arriving from outside, the router does not get confused about which provider to send the reply packets to
    ip local policy route-map PBR
    ! NAT rules and default routes with equal metrics
    ip nat inside source route-map A interface FastEthernet0/0 overload
    ip nat inside source route-map B interface FastEthernet1/0 overload
    ip route 0.0.0.0 0.0.0.0 50.0.0.2
    ip route 0.0.0.0 0.0.0.0 60.0.0.2
    ! PBR: packets sourced from the first provider's address leave via the first provider
    route-map PBR permit 10
     match ip address 10
     set ip next-hop 50.0.0.2
    ! PBR: packets sourced from the second provider's address leave via the second provider
    route-map PBR permit 20
     match ip address 11
     set ip next-hop 60.0.0.2
    ! for NAT via the first provider
    route-map A permit 10
     match ip address 1
     match interface FastEthernet0/0
    ! for NAT via the second provider
    route-map B permit 10
     match ip address 1
     match interface FastEthernet1/0
    ! accompanying ACLs
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 10 permit 50.0.0.1
    access-list 11 permit 60.0.0.1
    


    Note: ip cef is mandatory in both cases.

    Thank you all for your attention, I'm waiting for your comments.

    PS
    A single flow (for example, one file transfer) is not split across the two providers under ECMP (thanks to Vasilevkirill for pointing this out), because of the hash algorithm CEF uses for load sharing;
    more about this on the official Cisco website:
    www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/116376-technote-cef-00.html
