
Balancing traffic between two NATs on different providers on the same Cisco physical router

With the classic scheme of connecting two ISPs to one router, it is possible to use both links at once for NATing internal clients with load balancing, and not just as a failover in case one of the providers goes down.



This is done as follows.

Using VRFs:

VRF definition for the first provider: we export our own route target 100:0 and import the route target of the second provider's VRF, 100:1:

 ip vrf ISPA
  rd 100:0
  route-target export 100:0
  route-target import 100:1


VRF definition for the second provider: we export our own route target 100:1 and import the route target of the first provider's VRF, 100:0:

 ip vrf ISPB
  rd 100:1
  route-target export 100:1
  route-target import 100:0


VRF definition for the client network: we import both route targets of the two providers' VRFs, 100:0 and 100:1:

 ip vrf LAN
  rd 100:100
  route-target import 100:0
  route-target import 100:1




Interface configuration:

Towards the first provider: put the interface into the correct VRF (ip vrf forwarding ISPA) and enable NAT on it (ip nat outside):

 interface FastEthernet0/0
  ip vrf forwarding ISPA
  ip address 50.0.0.1 255.0.0.0
  ip nat outside


Towards the second provider: put the interface into the correct VRF (ip vrf forwarding ISPB) and enable NAT on it (ip nat outside):

 interface FastEthernet1/0
  ip vrf forwarding ISPB
  ip address 60.0.0.1 255.0.0.0
  ip nat outside


The interface facing the local network: put it into the correct VRF (ip vrf forwarding LAN) and enable NAT on it (ip nat inside):

 interface FastEthernet1/1
  ip vrf forwarding LAN
  ip address 192.168.0.1 255.255.255.0
  ip nat inside




Default routes to the providers, specifying the VRF for each route:

 ip route vrf ISPA 0.0.0.0 0.0.0.0 50.0.0.2
 ip route vrf ISPB 0.0.0.0 0.0.0.0 60.0.0.2

Setting up BGP for mutual redistribution of routes between the VRFs: in each provider VRF we redistribute the connected networks of the interfaces (redistribute connected) and the static default routes to the providers (redistribute static together with default-information originate); in the client VRF we allow load sharing (maximum-paths 2):

 router bgp 65000
  address-family ipv4 vrf ISPA
   redistribute connected
   redistribute static
   default-information originate
  address-family ipv4 vrf ISPB
   redistribute connected
   redistribute static
   default-information originate
  address-family ipv4 vrf LAN
   redistribute connected
   maximum-paths 2




NAT rules: we enable NAT towards both external interfaces for the client VRF:

 ip nat inside source route-map A interface FastEthernet0/0 vrf LAN overload
 ip nat inside source route-map B interface FastEthernet1/0 vrf LAN overload




Access list and route-maps for the NAT rules. Route-maps are used for two reasons:

- IOS does not allow two different NAT rules to reference the same access list;

- the NAT rule is selected by the outgoing interface.

 route-map A permit 10
  match ip address 1
  match interface FastEthernet0/0
 route-map B permit 10
  match ip address 1
  match interface FastEthernet1/0
 access-list 1 permit 192.168.0.0 0.0.0.255




To verify that route balancing is actually taking place, we use the traceroute command:

 R1#traceroute vrf LAN 8.8.8.8 source fa 1/1
 Type escape sequence to abort.
 Tracing the route to 8.8.8.8
 VRF info: (vrf in name/id, vrf out name/id)
   1 50.0.0.2 132 msec
     60.0.0.2 44 msec
     50.0.0.2 24 msec

As can be seen from the replies, both providers respond.



The NAT table after these replies confirms the translations that were created:

 R1#show ip nat translations
 Pro Inside global      Inside local        Outside local      Outside global
 udp 50.0.0.1:49162     192.168.0.1:49162   8.8.8.8:33434      8.8.8.8:33434
 udp 60.0.0.1:49163     192.168.0.1:49163   8.8.8.8:33435      8.8.8.8:33435
 udp 50.0.0.1:49164     192.168.0.1:49164   8.8.8.8:33436      8.8.8.8:33436




The routing table of the client VRF looks like this:

 R1#show ip route vrf LAN
 B*    0.0.0.0/0 [20/0] via 60.0.0.2 (ISPB), 00:00:20
                 [20/0] via 50.0.0.2 (ISPA), 00:00:20
       50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
 B        50.0.0.0/8 is directly connected (ISPA), 00:00:22, FastEthernet0/0
 L        50.0.0.1/32 is directly connected, FastEthernet0/0
       60.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
 B        60.0.0.0/8 is directly connected (ISPB), 00:00:20, FastEthernet1/0
 L        60.0.0.1/32 is directly connected, FastEthernet1/0
       192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
 C        192.168.0.0/24 is directly connected, FastEthernet1/1
 L        192.168.0.1/32 is directly connected, FastEthernet1/1




The same without using VRFs (PBR on locally generated traffic plus the same NAT route-maps):

 interface FastEthernet0/0
  ip address 50.0.0.1 255.0.0.0
  ip nat outside
 !
 interface FastEthernet1/0
  ip address 60.0.0.1 255.0.0.0
  ip nat outside
 !
 interface FastEthernet1/1
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
 !
 ! PBR
 ip local policy route-map PBR
 !
 ! NAT
 ip nat inside source route-map A interface FastEthernet0/0 overload
 ip nat inside source route-map B interface FastEthernet1/0 overload
 !
 ip route 0.0.0.0 0.0.0.0 50.0.0.2
 ip route 0.0.0.0 0.0.0.0 60.0.0.2
 !
 ! PBR
 route-map PBR permit 10
  match ip address 10
  set ip next-hop 50.0.0.2
 !
 route-map PBR permit 20
  match ip address 11
  set ip next-hop 60.0.0.2
 !
 ! NAT
 route-map A permit 10
  match ip address 1
  match interface FastEthernet0/0
 !
 route-map B permit 10
  match ip address 1
  match interface FastEthernet1/0
 !
 ! acl
 access-list 1 permit 192.168.0.0 0.0.0.255
 access-list 10 permit 50.0.0.1
 access-list 11 permit 60.0.0.1
 !
 ip cef


Thank you all for your attention; I look forward to your comments.



PS

ECMP (thanks to vasilevkirill for noticing) does not actually happen as it might appear, because of the hash algorithm used in CEF; more about this on the official Cisco website:

www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/116376-technote-cef-00.html
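To make the NAT rule selection and the per-flow path choice from the sections above tangible, here is an added Python model (not Cisco's code and not part of the original post): each flow is hashed to one of the two egress interfaces, as a simplified stand-in for CEF's own algorithm from the technote, and then the route-map A/B plus access-list 1 logic decides which inside-global address the translation gets. Interface names, addresses and next hops are the ones from the page; the hash function and the flow tuples are constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed model of the page's two-ISP setup (assumption: a per-flow hash
# selects the path; real CEF uses its own algorithm, see the Cisco technote).
INTERFACES = {
    "FastEthernet0/0": ("50.0.0.1", "50.0.0.2"),   # vrf ISPA: address, next hop
    "FastEthernet1/0": ("60.0.0.1", "60.0.0.2"),   # vrf ISPB: address, next hop
}
ACL_1 = ipaddress.ip_network("192.168.0.0/24")     # access-list 1 from the page
NAT_RULES = [("A", "FastEthernet0/0"),              # route-map A: match interface Fa0/0
             ("B", "FastEthernet1/0")]              # route-map B: match interface Fa1/0


def pick_egress(src, dst, sport, dport):
    """Per-flow path selection with two equal-cost defaults (maximum-paths 2):
    the same 4-tuple always takes the same path, different flows may differ."""
    key = f"{src}|{dst}|{sport}|{dport}".encode()
    idx = hashlib.sha256(key).digest()[0] % len(INTERFACES)
    return list(INTERFACES)[idx]


def translate(src, dst, sport, dport):
    """Apply the page's NAT rules: a packet is translated only if its source
    matches access-list 1 AND its egress interface matches the route-map.
    Returns one 'show ip nat translations' style row, or None if not NATed."""
    egress = pick_egress(src, dst, sport, dport)
    if ipaddress.ip_address(src) not in ACL_1:
        return None
    for route_map, iface in NAT_RULES:
        if iface == egress:
            inside_global = INTERFACES[iface][0]   # 'interface ... overload'
            return {
                "pro": "udp",
                "inside_global": f"{inside_global}:{sport}",
                "inside_local": f"{src}:{sport}",
                "outside_global": f"{dst}:{dport}",
                "route_map": route_map,
                "next_hop": INTERFACES[iface][1],
            }
    return None


def nat_table(flows):
    """Translate a list of (src, dst, sport, dport) flows, dropping non-NATed ones."""
    return [row for row in (translate(*f) for f in flows) if row is not None]


if __name__ == "__main__":
    # Constructed traceroute-like probes: rising source and destination ports.
    probes = [("192.168.0.1", "8.8.8.8", 49162 + i, 33434 + i) for i in range(3)]
    for row in nat_table(probes):
        print(row["pro"], row["inside_global"], row["inside_local"], row["outside_global"])
```

Because traceroute changes the destination port on every probe, each probe is a distinct flow and can land on a different provider, which is why the trace above shows both 50.0.0.2 and 60.0.0.2; a single long-lived flow will stay on one provider.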

Source: https://habr.com/ru/post/273813/
