There are two failovers that need to happen when using two internet connections:
Network failover: when the internet cannot be reached via one ISP's network, the router should
use the other available ISP's network. You configure this using track objects, IP SLA and PBR to tell
the router which ISP to use and what criteria should cause it to switch over, and you have
to apply the route-map configured here to your LAN-facing interface.
NAT failover: when one link fails, the NAT entries built for the failed ISP's network cannot be
routed via the remaining ISP's network, since they use different subnets; the router therefore
needs to immediately build a fresh NAT entry for the same affected LAN subnet(s). If this is
not set up properly, the router can fail over to the second ISP with the old NAT entry still in place, and the
traffic will start being dropped. For your scenario, the following example should help:
ISP 1 = 100.100.100.1
ISP 2 = 200.200.200.1
Router F0/0 = 100.100.100.2
Router F0/1 = 200.200.200.2
Router F1/0.100 (LAN1) = 192.168.100.0/24
Router F1/0.200 (LAN2) = 192.168.200.0/24
Configs

track 1 ip sla 1 reachability
 delay down 1 up 1
track 2 ip sla 2 reachability
 delay down 1 up 1

Glossary: schedule = to plan/program; threshold = limit value; SLA = service level validation.

ip sla 1
 icmp-echo 100.100.100.1 source-interface FastEthernet0/0
 timeout 5000
 threshold 5000
! if the latency on this link goes beyond 5000 ms, note that this SLA will consider the link as failed
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.200.200.1 source-interface FastEthernet0/1
 timeout 5000
 threshold 5000
! if the latency on this link goes beyond 5000 ms, note that this SLA will consider the link as failed
 frequency 5
ip sla schedule 2 life forever start-time now
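As an added example (not part of the original answer or any Cisco tool), the following Python script parses the track and IP SLA stanzas above and checks the properties that make the failover actually trigger: every track references a defined SLA, every SLA is scheduled, each probe carries a source-interface so it cannot leave via the other ISP and mask a failure, and threshold, timeout and frequency are consistent with each other. The parser, the finding texts and the deliberately broken copy of the config are all constructed for this example; when a value is omitted it assumes the IOS icmp-echo defaults (timeout 5000 ms, threshold 5000 ms, frequency 60 s).

```python
"""Consistency checks for an IOS track / IP SLA failover configuration.

Added example: PAGE_CONFIG is the track and ip sla section from the answer
above, BROKEN_CONFIG is a constructed copy with three defects injected.
The parser only understands the handful of commands used here.
"""
import re

PAGE_CONFIG = """\
track 1 ip sla 1 reachability
 delay down 1 up 1
track 2 ip sla 2 reachability
 delay down 1 up 1
ip sla 1
 icmp-echo 100.100.100.1 source-interface FastEthernet0/0
 timeout 5000
 threshold 5000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 200.200.200.1 source-interface FastEthernet0/1
 timeout 5000
 threshold 5000
 frequency 5
ip sla schedule 2 life forever start-time now
"""

# Constructed defects: a dangling track, a probe without source-interface,
# and an SLA that is defined but never scheduled.
BROKEN_CONFIG = (PAGE_CONFIG
    .replace("track 2 ip sla 2", "track 2 ip sla 3")
    .replace(" icmp-echo 100.100.100.1 source-interface FastEthernet0/0",
             " icmp-echo 100.100.100.1")
    .replace("ip sla schedule 2 life forever start-time now\n", ""))

# IOS defaults for an icmp-echo operation when a value is not configured.
DEFAULTS = {"timeout": 5000, "threshold": 5000, "frequency": 60}


def parse_sla_config(text):
    """Return (tracks, slas): tracks maps track id -> sla id; slas maps
    sla id -> dict with target, source, timeout, threshold, frequency, scheduled."""
    tracks, slas = {}, {}
    current = None  # SLA stanza being filled by the indented lines that follow it
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"track (\d+) ip sla (\d+) reachability", line)
        if m:
            tracks[int(m.group(1))] = int(m.group(2))
            current = None
            continue
        m = re.match(r"ip sla schedule (\d+)", line)
        if m:
            slas.setdefault(int(m.group(1)), {})["scheduled"] = True
            current = None
            continue
        m = re.match(r"ip sla (\d+)$", line)
        if m:
            current = slas.setdefault(int(m.group(1)), {})
            current.setdefault("scheduled", False)
            continue
        if line.startswith(" ") and current is not None:
            parts = line.split()
            if parts[0] == "icmp-echo":
                current["target"] = parts[1]
                current["source"] = parts[3] if "source-interface" in parts else None
            elif parts[0] in DEFAULTS:
                current[parts[0]] = int(parts[1])
    return tracks, slas


def check_failover_config(text):
    """Return a list of findings; an empty list means the config is consistent."""
    tracks, slas = parse_sla_config(text)
    findings = []
    for tid, sid in sorted(tracks.items()):
        if sid not in slas:
            findings.append(f"track {tid} references ip sla {sid}, which is not defined")
    for sid, sla in sorted(slas.items()):
        if not sla.get("scheduled"):
            findings.append(f"ip sla {sid} is defined but never scheduled, so it never probes")
        if "target" not in sla:
            findings.append(f"ip sla {sid} has no icmp-echo operation")
        elif not sla.get("source"):
            findings.append(f"ip sla {sid} probes {sla['target']} without source-interface, "
                            "so the probe may leave via the other ISP and mask a failure")
        timeout = sla.get("timeout", DEFAULTS["timeout"])
        threshold = sla.get("threshold", DEFAULTS["threshold"])
        frequency = sla.get("frequency", DEFAULTS["frequency"])
        if threshold > timeout:
            findings.append(f"ip sla {sid}: threshold {threshold} ms exceeds timeout {timeout} ms")
        if timeout > frequency * 1000:
            findings.append(f"ip sla {sid}: timeout {timeout} ms is longer than the "
                            f"{frequency} s probe frequency")
        if sid not in tracks.values():
            findings.append(f"ip sla {sid} is not referenced by any track object")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(f"{name}: {check_failover_config(cfg) or 'OK'}")
```

Run against the answer's config it reports nothing; against the broken copy it reports the dangling track, the missing source-interface on SLA 1, and SLA 2 being unscheduled and unreferenced. Paste the track and ip sla sections of a real running-config into PAGE_CONFIG to check a deployment the same way.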
LAN comms by the Policy, if inter-LAN comms happen on an internal switch, then the deny
lines of the ACLs will not be needed
The next item on the agenda is to implement NAT failover. It's really not a failover; it is called multihoming, whereby the router automatically builds the right NAT entry for any traffic traversing
it regardless of the number of ISPs available. See as follows;
That's it! We are done. Notice our NAT ACL just matches any traffic, and it's the same ACL
for both ISPs' NAT route-maps; only the matched interfaces differ. You might as well
configure your NAT ACL to permit only the two internal subnets (192.168.100.0/24 and
192.168.200.0/24) instead of any; it will still achieve the same thing. The bottom line is that your NAT
ACL must match and permit all traffic that will require NAT, whether it uses its primary or
secondary ISP. What enforces which ISP each LAN uses at any given time are
the PBR route-maps applied on their respective LAN interfaces.
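The stale-entry problem described above, as an added example in Python (not the answer's own configuration and not how IOS is implemented internally): a small model of a dual-ISP router whose NAT entries are tagged with the outside interface they were built for, with the per-LAN PBR preferences taken from the addressing above. With interface-matched NAT (the multihoming behaviour the answer describes) an entry built for ISP1 is discarded and rebuilt when LAN1 fails over to ISP2; with the naive behaviour the old entry survives and the flow leaves ISP2 sourced from ISP1's address, which is the dropped-traffic failure. The class, the preference table and the flow used in the scenario are constructed for this example.

```python
"""Model of NAT entries across an ISP failover (added example, constructed).

Topology from the answer: LAN1 192.168.100.0/24 normally uses F0/0 (ISP1,
100.100.100.2) and LAN2 192.168.200.0/24 uses F0/1 (ISP2, 200.200.200.2);
each LAN falls back to the other ISP when its own is marked down.
"""
from dataclasses import dataclass

OUTSIDE_ADDR = {"F0/0": "100.100.100.2", "F0/1": "200.200.200.2"}
# Order of preference per LAN, as the PBR route-maps on the LAN interfaces enforce it.
PREFERENCE = {"LAN1": ["F0/0", "F0/1"], "LAN2": ["F0/1", "F0/0"]}


def lan_of(inside_ip):
    return "LAN1" if inside_ip.startswith("192.168.100.") else "LAN2"


@dataclass
class Translation:
    inside_ip: str
    inside_port: int
    outside_if: str   # interface the entry was built for (what 'match interface' keys on)
    outside_ip: str


class NatRouter:
    def __init__(self, interface_matched=True):
        # interface_matched=True models NAT route-maps with 'match interface';
        # False models reusing whatever entry exists regardless of egress.
        self.interface_matched = interface_matched
        self.link_up = {"F0/0": True, "F0/1": True}  # what the track objects report
        self.table = {}                               # (inside_ip, port) -> Translation
        self.flushed = 0

    def egress_for(self, inside_ip):
        """PBR decision: first preferred interface whose track object is up."""
        for iface in PREFERENCE[lan_of(inside_ip)]:
            if self.link_up[iface]:
                return iface
        return None

    def forward(self, inside_ip, port):
        """Translate one outbound flow; returns (egress, outside_src, deliverable)
        or None when both ISPs are down."""
        egress = self.egress_for(inside_ip)
        if egress is None:
            return None
        key = (inside_ip, port)
        entry = self.table.get(key)
        if entry is not None and entry.outside_if != egress and self.interface_matched:
            # Entry was built for the failed ISP; its outside address is not
            # routable via the other ISP, so drop it and build a fresh one.
            del self.table[key]
            self.flushed += 1
            entry = None
        if entry is None:
            entry = Translation(inside_ip, port, egress, OUTSIDE_ADDR[egress])
            self.table[key] = entry
        # A packet leaving ISP2 with ISP1's address as source is the failure the
        # answer describes: replies go back to ISP1, or the provider filters it.
        deliverable = entry.outside_ip == OUTSIDE_ADDR[egress]
        return egress, entry.outside_ip, deliverable


def failover_scenario(interface_matched):
    """One LAN1 flow before and after ISP1 goes down; returns (before, after, flushed)."""
    router = NatRouter(interface_matched)
    before = router.forward("192.168.100.10", 40000)
    router.link_up["F0/0"] = False   # track 1 reports ISP1 unreachable
    after = router.forward("192.168.100.10", 40000)
    return before, after, router.flushed


if __name__ == "__main__":
    for mode in (True, False):
        print("interface-matched" if mode else "naive", failover_scenario(mode))
```

The model deliberately keys the translation on the outside interface rather than on the LAN subnet, because that is what lets a single any-matching NAT ACL serve both ISPs while the PBR route-maps, not the ACL, decide which ISP a LAN uses.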
Optionally, if you need to test this with ICMP stateful failover, you might need to add
ip nat translation icmp-timeout 1.