
Two providers simultaneously or Dual ISP with VRF on Cisco


The widely used solution for connecting several providers is ip sla + track. It is easy to understand and easy to manage, but when two or more links must be used simultaneously, this technique in its pure form is not suitable.

I want to share my experience. On nodes with several providers, I use a configuration containing virtual routers - VRF. This configuration is taken from my practice and has worked well.

Suppose we have two providers with the following parameters:

ISP1: 1.1.1.1, gateway 1.1.1.2
ISP2: 2.2.2.1, gateway 2.2.2.2

And a local network:

LAN: 192.168.1.1/24

Let's proceed to the configuration. First we create the virtual routers themselves; there will be three of them: two for the providers and one for the local network.

The route export/import rules are configured right away so that we do not have to return to the ip vrf section later. The logic is this: the provider VRFs must not exchange routes with each other (strictly speaking they could, but that makes the configuration complicated). Put simply: a provider VRF can send routes only to the LAN VRF and receive routes only from it, while the LAN VRF can send its routes to, and receive routes from, any other VRF.

```
ip vrf isp1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:99
ip vrf isp2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:99
ip vrf lan
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2
```
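The isolation rule above (provider VRFs exchange routes only with the LAN VRF) is easy to break with a stray route-target import when a third provider is added. This added example, not from the original post, parses the ip vrf blocks of an IOS config and checks that property before the config is pushed; the sample config is constructed from the post, and the function names are my own.

```python
# Added example (not the post's own code): parse the "ip vrf" blocks of an
# IOS config and verify that provider VRFs exchange routes only with the LAN
# VRF, which is the isolation property the route-targets are meant to enforce.
import re

# Constructed sample: the ip vrf section from the post.
SAMPLE_CONFIG = """\
ip vrf isp1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:99
ip vrf isp2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:99
ip vrf lan
 rd 65000:99
 route-target export 65000:99
 route-target import 65000:1
 route-target import 65000:2
"""

def parse_vrfs(config):
    """Return {vrf: {"export": set, "import": set}} from the ip vrf blocks."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip vrf (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"export": set(), "import": set()}
            continue
        m = re.match(r"^\s+route-target (export|import|both) (\S+)", line)
        if m and current:
            kind, rt = m.groups()
            for k in ("export", "import") if kind == "both" else (kind,):
                vrfs[current][k].add(rt)
    return vrfs

def route_flows(vrfs):
    """Pairs (src, dst) where dst imports a route-target that src exports."""
    return {(s, d) for s in vrfs for d in vrfs
            if s != d and vrfs[s]["export"] & vrfs[d]["import"]}

def provider_isolation_ok(vrfs, lan="lan"):
    """True when every route exchange has the LAN VRF on one side."""
    return all(lan in pair for pair in route_flows(vrfs))

if __name__ == "__main__":
    v = parse_vrfs(SAMPLE_CONFIG)
    print(sorted(route_flows(v)), provider_isolation_ok(v))
```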

Now we enter the addressing into the router; do not forget to enable NAT on the interfaces right away and to assign each interface to its VRF. A single interface cannot belong to several VRFs at once: think of it as sawing one router into several parts, each with its own interfaces.

```
interface GigabitEthernet0/0/0
 description === ISP 1 ===
 ip vrf forwarding isp1
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0/1
 description === ISP 2 ===
 ip vrf forwarding isp2
 ip address 2.2.2.1 255.255.255.252
 ip nat outside
interface GigabitEthernet0/0/2
 description === LAN ===
 ip vrf forwarding lan
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

That's it, we now have three small but proud independent routers. Before the main step, adding the provider gateways, we need to configure the ip sla probes. This is done the same way as in the standard solution, but with an indication of the VRF from which the ip sla probe is run.

```
ip sla auto discovery
ip sla 1
 icmp-echo 4.2.2.1
 vrf isp1
 frequency 15
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8.8.8.8
 vrf isp1
 frequency 15
ip sla schedule 2 life forever start-time now
track 11 ip sla 1 reachability
track 12 ip sla 2 reachability
track 123 list boolean or
 object 11
 object 12
```

Add default routes to the virtual routers responsible for communicating with the providers. Pay attention to the metric values: the backup link has the higher metric, and later you will see why. The isp1 route is tied to track 123 (boolean or), so it is withdrawn only when both probes through isp1 fail.

```
ip route vrf isp1 0.0.0.0 0.0.0.0 1.1.1.2 100 track 123
ip route vrf isp2 0.0.0.0 0.0.0.0 2.2.2.2 120
```

In principle, this is already enough for the router to be reachable from outside on the public address of either provider (provided, of course, that SSH or telnet access is configured).

Next, let's prepare NAT; almost everything is done as in the standard solution without VRF. Create an access list that excludes traffic between local (private) addresses from translation:

```
ip access-list extended NO_NAT
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
```

We create a route map for each provider:

```
route-map ISP1 permit 10
 match ip address NO_NAT
 match interface GigabitEthernet0/0/0
route-map ISP2 permit 10
 match ip address NO_NAT
 match interface GigabitEthernet0/0/1
```

And enable NAT overload (note that the rule is configured in the lan VRF, the local-network virtual router):

```
ip nat inside source route-map ISP1 interface GigabitEthernet0/0/0 vrf lan overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0/1 vrf lan overload
```

Our elegant solution is almost ready; the final touch is a BGP process that redistributes routes between the VRFs according to the import/export rules we set in each VRF.

```
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 vrf isp1
  redistribute connected
  redistribute static metric 100
  default-information originate
 exit-address-family
 address-family ipv4 vrf isp2
  redistribute static metric 120
  redistribute connected
  default-information originate
 exit-address-family
 address-family ipv4 vrf lan
  redistribute connected
 exit-address-family
```

The default-information originate command allows the default route to be advertised through BGP. As a result, the lan VRF receives two candidate default routes pointing to the gateways of different providers, and BGP selects the one with the lower metric. Accordingly, if you ever need to switch NAT from one provider to the other, it is enough to change the metric of the static route in one of the VRFs.

Conclusion

This configuration allows connecting to two providers at the same time. It is very flexible: using PBR, traffic can be shared between the providers, and if one of them goes down the service continues. Thanks to VRF, even complex configuration changes do not cost you the connection to the device (you cannot edit two routing tables at the same time, though...). The configuration is easily extended and allows new providers to be added without problems.

Among the shortcomings, I would point out the need to add vrf <name> to almost every command. For example, the routing table of the local-network virtual router is viewed with:

```
show ip route vrf lan
```

Ping from the lan VRF:

```
ping vrf lan 8.8.8.8
```

Ping from the first provider's VRF:

```
ping vrf isp1 8.8.8.8
```

Thanks for your attention. Prepared on a Cisco 881 router, IOS version 15.5.

Source: https://habr.com/ru/post/270261/

