Two providers at the same time or Dual ISP with VRF on Cisco

There is a universal solution for connecting several providers: ip sla + track. It is easy to understand and easy to manage. But when it comes to using two or more links at the same time, this technique in its pure form is not suitable.
I want to share my experience. On nodes with multiple providers I use a configuration built on virtual routers (VRFs). This configuration is taken from my practice and has worked well.
Suppose we have 2 providers with parameters:
ISP1 1.1.1.1 gateway 1.1.1.2
ISP2 2.2.2.1 gateway 2.2.2.2
And the local network:
LAN 192.168.1.1/24
Let's proceed with the configuration. First you need to create the virtual routers themselves; there will be three of them: two for the providers and one for the local network.
Configure the route export/import rules right away, so that you do not have to return to the ip vrf section later. The logic is as follows: the provider VRFs do not exchange routes with each other (in fact they could, but with such options the configuration becomes more complicated). In simple terms: a provider VRF can only receive routes from and send routes to the LAN VRF, while the LAN VRF sends its routes to and receives routes from every other VRF.
ip vrf isp1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:99
ip vrf isp2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:99
ip vrf lan
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2
We enter the addressing into our router, not forgetting to enable NAT right away and to assign the required VRF to each interface. One interface cannot belong to several VRFs at once: imagine that you have cut one router into several parts, and each part has its own interfaces.
interface GigabitEthernet0/0/0
 description === ISP 1 ===
 ip vrf forwarding isp1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0/1
 description === ISP 2 ===
 ip vrf forwarding isp2
 ip address 2.2.2.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0/2
 description === LAN ===
 ip vrf forwarding lan
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
That's it, now we have 3 small but proud independent routers. Before doing the main thing, configuring the provider gateways, you need to set up the ip sla probes. This is done the same way as in the standard solution, but specifying the VRF from which the ip sla probe is to be sent.
ip sla auto discovery
ip sla 1
 icmp-echo 4.2.2.1
 vrf isp1
 frequency 15
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.8.8
 vrf isp1
 frequency 15
ip sla schedule 2 life forever start-time now
track 11 ip sla 1 reachability
track 12 ip sla 2 reachability
track 123 list boolean or
 object 11
 object 12
We add routes to the virtual routers that are responsible for communication with the providers. Pay attention to the metric values: on the backup link the metric is higher, and you will see why later.
ip route vrf isp1 0.0.0.0 0.0.0.0 1.1.1.2 100 track 123
ip route vrf isp2 0.0.0.0 0.0.0.0 2.2.2.2 120
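Before trusting the failover, it is worth checking mechanically that every tracked default route is protected by probes that leave the same VRF as the route, and that no default route is left untracked. The following is an added example, not part of the original article: a small Python audit over the probe, track and static-route lines above (the config text is copied from the article; the check itself and its wording are constructed here). On this configuration it reports that the isp2 default route has no track attached.

```python
import re
from collections import defaultdict
# Constructed sample: the probe, track and static-route lines from the configuration above.
CONFIG = """
ip sla 1
 icmp-echo 4.2.2.1
 vrf isp1
ip sla 2
 icmp-echo 8.8.8.8
 vrf isp1
track 11 ip sla 1 reachability
track 12 ip sla 2 reachability
track 123 list boolean or
 object 11
 object 12
ip route vrf isp1 0.0.0.0 0.0.0.0 1.1.1.2 100 track 123
ip route vrf isp2 0.0.0.0 0.0.0.0 2.2.2.2 120
"""

def parse(config):
    """Return (sla_vrf, track_slas, routes) from a flat or indented IOS config text."""
    sla_vrf, track_slas, routes = {}, defaultdict(set), []
    block = None  # ("sla", id) or ("track", id) while inside that object's sub-lines
    for line in config.splitlines():
        if m := re.match(r"ip sla (\d+)$", line):
            block = ("sla", m[1])
        elif m := re.match(r"track (\d+) ip sla (\d+)", line):
            track_slas[m[1]].add(m[2]); block = None
        elif m := re.match(r"track (\d+) list", line):
            block = ("track", m[1])
        elif m := re.match(r"ip route vrf (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(?: track (\d+))?", line):
            routes.append({"vrf": m[1], "gw": m[2], "metric": int(m[3]), "track": m[4]})
        elif block and block[0] == "sla" and (m := re.match(r"\s*vrf (\S+)", line)):
            sla_vrf[block[1]] = m[1]
        elif block and block[0] == "track" and (m := re.match(r"\s*object (\d+)", line)):
            track_slas[block[1]] |= track_slas[m[1]]  # boolean list: union of member probes
    return sla_vrf, track_slas, routes

def audit(config):
    """Findings to settle before trusting the failover: untracked defaults, probes from the wrong VRF."""
    sla_vrf, track_slas, routes = parse(config)
    findings = []
    for r in routes:
        if r["track"] is None:
            findings.append(f"vrf {r['vrf']}: default route via {r['gw']} is not tracked; a dead gateway stays installed")
            continue
        probe_vrfs = {sla_vrf.get(s, "global") for s in track_slas[r["track"]]}
        if probe_vrfs != {r["vrf"]}:
            findings.append(f"vrf {r['vrf']}: track {r['track']} probes from {sorted(probe_vrfs)}, not from vrf {r['vrf']}")
    return findings
```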
In principle, this is already enough to reach the router from outside via the public address of either provider (provided, of course, that SSH or telnet access is configured).
Next we prepare NAT; almost everything is done the same way as in the standard solution without VRF. We create an access list that stops local addresses from being translated when the destination is also a private address:
ip access-list extended NO_NAT
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
We create a route map for each provider:
route-map ISP1 permit 10
 match ip address NO_NAT
 match interface GigabitEthernet0/0/0
route-map ISP2 permit 10
 match ip address NO_NAT
 match interface GigabitEthernet0/0/1
And enable NAT overload (note that the rule is applied to the vrf lan virtual router):
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 vrf lan overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0/1 vrf lan overload
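To see exactly which flows the NO_NAT list keeps untranslated and which outside interface a permitted flow is translated to, here is an added example (not from the original article): a Python model of the access list and the two route maps above. The ACL text and interface names are copied from the article; the wildcard-mask evaluation and the `nat_decision` helper are constructed here, and the route-map logic is reduced to its `match interface` clause.

```python
import ipaddress
# Constructed sample: the NO_NAT access list and the interface each route-map matches,
# copied from the configuration above (not output from the router itself).
NO_NAT_ACL = """
deny ip any 192.168.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
"""
# route-map name -> its 'match interface'; the ip nat inside rule that references the
# route-map translates to that same interface's address.
ROUTE_MAPS = {"ISP1": "GigabitEthernet0/0/0", "ISP2": "GigabitEthernet0/0/1"}

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_spec(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) -> (network, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return ip_int(tokens[1]), 0, tokens[2:]
    return ip_int(tokens[0]), ip_int(tokens[1]), tokens[2:]

def parse_acl(text):
    """Return [(action, (src_net, src_wc), (dst_net, dst_wc)), ...] for 'permit/deny ip ...' lines."""
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()
        src_net, src_wc, rest = parse_spec(rest)
        dst_net, dst_wc, _ = parse_spec(rest)
        entries.append((action, (src_net, src_wc), (dst_net, dst_wc)))
    return entries

def wildcard_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care' for that bit."""
    net, wc = spec
    return (addr & ~wc) == (net & ~wc)

def acl_permits(entries, src, dst):
    """First matching entry wins; the implicit 'deny any any' applies if nothing matches."""
    for action, src_spec, dst_spec in entries:
        if wildcard_match(ip_int(src), src_spec) and wildcard_match(ip_int(dst), dst_spec):
            return action == "permit"
    return False

def nat_decision(src, dst, egress, entries=parse_acl(NO_NAT_ACL), route_maps=ROUTE_MAPS):
    """Outside interface the flow is translated to, or None if it leaves untranslated."""
    if not acl_permits(entries, src, dst):
        return None  # NO_NAT denies: LAN-to-private traffic keeps its source address
    return next((iface for iface in route_maps.values() if iface == egress), None)
```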
Our elegant solution is almost ready, but one final touch is needed: a BGP process that handles the redistribution of routes between the VRFs according to the import/export rules we set in each VRF.
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 vrf isp1
  redistribute connected
  redistribute static metric 100
  default-information originate
 exit-address-family
 address-family ipv4 vrf isp2
  redistribute static metric 120
  redistribute connected
  default-information originate
 exit-address-family
 address-family ipv4 vrf lan
  redistribute connected
 exit-address-family
The default-information originate command allows the default route to be passed through BGP. As a result, two default routes, one via each provider's gateway, become candidates for the default route in vrf lan, and BGP selects the one with the lower metric. Accordingly, if you suddenly need to switch NAT from one provider to the other, it is enough to change the metric in the routing table of one of the VRFs.
Conclusion
This configuration lets you connect to two providers at the same time. It is very flexible: using PBR you can share traffic between the providers, and if one of them fails, the service continues. The VRF feature also means that even during complex configuration changes you do not lose the connection to the device (though you cannot edit two routing tables at the same time...). The configuration is easily extended and lets you add new providers without problems.
Among the shortcomings, I want to note the need to add the extra text vrf <name> to almost every command. So the routing table of the local network's virtual router is viewed with:
show ip route vrf lan
Ping through NAT (from the LAN VRF):
ping vrf lan 8.8.8.8
Ping from the VRF of the first provider:
ping vrf isp1 8.8.8.8
Thanks for your attention. Prepared on a Cisco 881 router running IOS version 15.5.