
By popular demand: dual ISP on Cisco routers without BGP

A typical task that nevertheless keeps raising a lot of questions.

I will try to describe briefly the essence of the technique and its pitfalls.

So, let us have one Cisco border router with one internal port (g0/0) and two external ports (f0/0, f0/1). It is connected to two providers, each of which has its own pool of addresses, Pool(ISP1) and Pool(ISP2) (these are networks belonging to the respective provider). For simplicity, let the addresses of the f0/0 and f0/1 interfaces be taken from those same pools, and likewise the gateway addresses (Gate(ISP1) and Gate(ISP2) respectively).
Since we have no way to run BGP, we have to configure a default route towards each provider. And here the first question arises: what problem do we want to solve? Redundancy, or simultaneous use of both providers?

Redundancy.

In this topology only one provider is in use at any time. That is, we have to organize a check of provider ISP1: while it is alive, traffic goes through it, and when it is "dead" we switch to the backup provider ISP2. There is a pitfall: NAT. We can write several translation rules, but we need to indicate somehow that when leaving through ISP1 we use Pool(ISP1) and when leaving through ISP2 we use Pool(ISP2); otherwise the router will always use whichever translation was written first in the configuration. Clearly, if we go out through ISP2 with source addresses from Pool(ISP1), then at best we get asymmetric routing, and at worst the packets go nowhere, for example because the provider applies RFC 2827 (ingress) filtering, which means it does not accept packets with source addresses from outside your own network.
So we have two subtasks: checking the provider (route) for liveness, and address translation that takes the outgoing interface into account.

Checking for liveness.

Cisco routers have a great feature called IP SLA. With it you can not only ping a given address, but also check the liveness of certain services (ftp-connect, tcp-connect) or a parameter of the link (icmp-jitter, udp-jitter). Here we consider the simplest and most common method: pinging a specific host. For simplicity we will ping the provider gateway address Gate(ISPX). If you need to ping some other address, you must explicitly configure a route to that address through the specific provider being checked.

 !  Set the parameters of the ping probe
 ip sla {#}
   icmp-echo {ip} [source-interface {int}]
 !
 !  Start the probe
 ip sla schedule {#} life forever start-time now
 !
 !  Set up a "switch" (track) on which the route will depend
 track {#} ip sla {#} reachability
 !
 !  Configure the default route with tracking
 ip route 0.0.0.0 0.0.0.0 {next-hop} track {#}


Note: in older IOS, the command that binds a track to an SLA looks like this:

 track {#} rtr {sla #} reachability

If the host responds to pings, the track is in the UP state and the route is in the routing table. But if the pings stop, then after a configured period (by default 3 * 10 seconds) the track changes state to DOWN and the route is removed until the track changes state again.

Example:
 ip sla 1
   icmp-echo Gate(ISP1)
 ip sla schedule 1 life forever start-time now
 track 11 ip sla 1 reachability
 ip route 0.0.0.0 0.0.0.0 Gate(ISP1) track 11

We do not check ISP2, so as not to generate extra service traffic on a channel that is a backup and may be expensive (a satellite link, for example, or a dial-up link billed by connection time). We write the route to the second provider with a larger administrative distance, so that it only takes effect when the primary route disappears.

Configuring address translation rules based on the outgoing interface.


Here, in fact, there are also two tasks: dynamic and static address translation. The first we need for going out, the second for publishing services. In both cases we will need a construct called a route-map (we will have to create one route-map per provider):

 !  Create a route-map
 route-map ISPX permit {#}
   !  Specify the criterion for matching this entry of the route-map
   match interface {outgoing interface}


There is a subtle point: when you type the word interface, the CLI hint reads

   interface match first hop interface of route

I.e., generally speaking, it is not obvious what this parameter is. Moreover, depending on what is configured on the interface itself, this criterion can mean either the incoming or the outgoing interface! It depends on which ip nat command is on the interface:

ip nat inside - the criterion means the incoming interface
ip nat outside - the criterion means the outgoing interface

Next, we need an address pool from each provider:

   ip nat pool PoolX {start-ip(ISPX)} {end-ip(ISPX)} netmask {netmask(ISPX)}

And now we can write the NAT rules for each provider:

   ip nat inside source route-map ISPX PoolX overload

overload is a keyword meaning use PAT (Port Address Translation, translation based on the source port).
If you also need to add static translations, we do almost the same (let the server have an address Srv(ISPX) reserved from each provider, and let the local address of the server be Srv(LAN)):

   ip nat inside source static Srv(LAN) Srv(ISPX) route-map ISPX


____________
UPD ATTENTION: the argument order matters (the original version of this post had it reversed). It must be
   ip nat inside source static Srv(LAN) Srv(ISPX) route-map ISPX

____________

In this case, of course, you need to make sure that both addresses (Srv(ISP1) and Srv(ISP2)) are registered on the DNS servers under the same name.

So in the end we get:

 !
 !  Interfaces
 int g0/0
   ip address [LAN]
   ip nat inside
 !
 int f0/0
   ip address Address(ISP1)
   ip nat outside
 !
 int f0/1
   ip address Address(ISP2)
   ip nat outside
 !
 !  Routing
 ip sla 1
   icmp-echo Gate(ISP1)
 ip sla schedule 1 life forever start-time now
 track 11 ip sla 1 reachability
 ip route 0.0.0.0 0.0.0.0 Gate(ISP1) track 11
 ip route 0.0.0.0 0.0.0.0 Gate(ISP2) 50
 !
 !  NAT pools
 ip nat pool POOL1 {start-ip(ISP1)} {end-ip(ISP1)} netmask {netmask(ISP1)}
 ip nat pool POOL2 {start-ip(ISP2)} {end-ip(ISP2)} netmask {netmask(ISP2)}
 !
 !  route-maps for NAT
 route-map ISP1 permit 10
   match interface f0/0
 !
 route-map ISP2 permit 10
   match interface f0/1
 !
 !  NAT rules
 ip nat inside source route-map ISP1 POOL1 overload
 ip nat inside source route-map ISP2 POOL2 overload
 ip nat inside source static Srv(LAN) Srv(ISP1) route-map ISP1
 ip nat inside source static Srv(LAN) Srv(ISP2) route-map ISP2

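As an added check for the two NAT pitfalls described above (the meaning of match interface depending on the interface's ip nat role, and the argument order of the static translation), here is a small Python linter that is not part of the original post. It parses a constructed config fragment, with RFC 5737 addresses standing in for the Pool/Srv placeholders, and reports either mistake.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample config: RFC 5737 addresses stand in for the page's Pool/Srv placeholders.
# The static entry repeats the argument-order typo that the post's UPD corrects.
CONFIG = """\
interface g0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface f0/0
 ip address 192.0.2.2 255.255.255.0
 ip nat outside
route-map ISP1 permit 10
 match interface f0/0
ip nat inside source static 192.0.2.10 10.0.0.10 route-map ISP1
"""

def parse(cfg):
    """Collect interface NAT roles and subnets, route-map match interfaces, static NAT entries."""
    ifs, rmaps, statics, ctx = {}, {}, [], None
    for line in cfg.splitlines():
        if m := re.match(r"(?:interface|route-map) (\S+)", line):
            ctx = m[1]                      # name of the current interface or route-map block
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            ifs.setdefault(ctx, {})["net"] = ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r" ip nat (inside|outside)", line):
            ifs.setdefault(ctx, {})["nat"] = m[1]
        elif m := re.match(r" match interface (\S+)", line):
            rmaps[ctx] = m[1]
        elif m := re.match(r"ip nat inside source static (\S+) (\S+) route-map (\S+)", line):
            statics.append((ip_address(m[1]), ip_address(m[2]), m[3]))
    return ifs, rmaps, statics

def check(cfg):
    """Return findings as strings; an empty list means both pitfalls are avoided."""
    ifs, rmaps, statics = parse(cfg)
    found = []
    # 1. 'match interface' means the outgoing interface only on an 'ip nat outside' port
    for rm, iface in rmaps.items():
        if ifs.get(iface, {}).get("nat") != "outside":
            found.append(f"route-map {rm}: {iface} is not 'ip nat outside'")
    # 2. the first address of a static entry is the local one, so it must sit on an inside subnet
    inside = [i["net"] for i in ifs.values() if i.get("nat") == "inside" and "net" in i]
    for local, glob, rm in statics:
        if not any(local in net for net in inside):
            found.append(f"static NAT via {rm}: {local} is not an inside address (arguments swapped?)")
    return found

if __name__ == "__main__":
    print("\n".join(check(CONFIG)) or "no findings")
```

Run against a real configuration, paste the output of show running-config in place of CONFIG; the interface subnet check only knows about inside subnets configured on the box itself.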

Simultaneous use of two providers

If in the first case everything is clear and unambiguous, then in the case of simultaneous use of two providers problems arise.

Is this topic interesting? What thoughts and problems are there?
Write in: I will compile it together with your thoughts and post it if you want.

Source: https://habr.com/ru/post/80555/

