Category:Cisco Systems -> Routing and Switching
1. Using WAN interfaces
int Gi0/1
ip address x.y.z.q
ip nat outside
int Gi0/2
ip address x.y.z.w
ip nat outside
int Gi0/3
ip nat inside
ip access-list extended nat-traffic
10 permit ___
20 permit ___
30 permit ___
exit
route-map isp1 permit 10
match ip address nat-traffic
match interface GigabitEthernet0/1
exit
route-map isp2 permit 10
match ip address nat-traffic
match interface GigabitEthernet0/2
exit
ip nat inside source route-map isp1 interface GigabitEthernet0/1 overload
ip nat inside source route-map isp2 interface GigabitEthernet0/2 overload
2. Using both a WAN and a VLAN interface
In case of WAN interface shortage but having several switched ports (e.g. Cisco 881 router) you can try the following configuration:
int Gi0/1
ip address x.y.z.q
ip nat outside
int Gi1/1
switchport mode access
switchport access vlan 100
spanning-tree portfast
no cdp enable
int vlan 100
ip address x.y.z.w
ip nat outside
int vlan 5
ip nat inside
ip access-list extended nat-traffic
10 permit ___
20 permit ___
30 permit ___
exit
route-map isp1 permit 10
match ip address nat-traffic
match interface GigabitEthernet0/1
exit
route-map isp2 permit 10
match ip address nat-traffic
match interface vlan 100
exit
ip nat inside source route-map isp1 interface GigabitEthernet0/1 overload
ip nat inside source route-map isp2 interface vlan 100 overload
3. Using Subinterfaces
In this configuration a switch is usually used to provide physical connection to ISPs like in the example below:
The appropriate configuration would be something similar to the following:
int Gi0/0.50
encapsulation dot1Q 50
ip address r.x.w.q
ip nat inside
int Gi0/0.100
encapsulation dot1Q 100
ip address z.x.y.q
ip nat outside
int Gi0/0.200
encapsulation dot1Q 200
ip address z.x.y.w
ip nat outside
ip access-list extended nat-traffic
10 permit ___
20 permit ___
30 permit ___
exit
route-map isp1 permit 10
match ip address nat-traffic
match interface GigabitEthernet0/0.100
exit
route-map isp2 permit 10
match ip address nat-traffic
match interface GigabitEthernet0/0.200
exit
ip nat inside source route-map isp1 interface GigabitEthernet0/0.100 overload
ip nat inside source route-map isp2 interface GigabitEthernet0/0.200 overload
To provide intelligent switching between ISPs in case if one of them fails SLA could help.
IP SLA configuration on older IOS
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 11.0.0.1 20 track 2
ip route 4.2.2.2 255.255.255.255 11.0.0.1
ip route 8.8.8.8 255.255.255.255 10.0.0.1
!
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0/1
threshold 500
frequency 15
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2 source-interface FastEthernet1/0
threshold 500
frequency 15
ip sla schedule 2 life forever start-time now
!
// Additionally use the following commands to provide automatic function of IP NAT translations table wiping if an ISP failure happens:
event manager applet track-1-isp
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat trans forced"
event manager applet track-2-isp
event track 2 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat trans forced"
Let’s do a little testing and check the current routing table:
Gateway#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
4.0.0.0/32 is subnetted, 1 subnets
S 4.2.2.2 [1/0] via 11.0.0.1
8.0.0.0/32 is subnetted, 1 subnets
S 8.8.8.8 [1/0] via 10.0.0.1
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/1
11.0.0.0/24 is subnetted, 1 subnets
C 11.0.0.0 is directly connected, FastEthernet1/0
C 192.168.0.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.0.0.1
Now turn off 8.8.8.8 router imitating ISP1 failure and see the routing table again for default route change from 10.0.0.1 to 11.0.0.1:
Gateway#
*Mar 1 00:48:14.343: %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down
Gateway#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 11.0.0.1 to network 0.0.0.0
4.0.0.0/32 is subnetted, 1 subnets
S 4.2.2.2 [1/0] via 11.0.0.1
8.0.0.0/32 is subnetted, 1 subnets
S 8.8.8.8 [1/0] via 10.0.0.1
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/1
11.0.0.0/24 is subnetted, 1 subnets
C 11.0.0.0 is directly connected, FastEthernet1/0
C 192.168.0.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [20/0] via 11.0.0.1
Now turn the 8.8.8.8 router back on imitating that ISP1 is functioning again and check if 11.0.0.1 GW was changed to 10.0.0.1:
Gateway#
*Mar 1 00:48:54.347: %TRACKING-5-STATE: 1 rtr 1 reachability Down->Up
Gateway#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
4.0.0.0/32 is subnetted, 1 subnets
S 4.2.2.2 [1/0] via 11.0.0.1
8.0.0.0/32 is subnetted, 1 subnets
S 8.8.8.8 [1/0] via 10.0.0.1
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, FastEthernet0/1
11.0.0.0/24 is subnetted, 1 subnets
C 11.0.0.0 is directly connected, FastEthernet1/0
C 192.168.0.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.0.0.1
IP SLA configuration on newer IOS
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1 track 1
ip route 0.0.0.0 0.0.0.0 11.0.0.1 20 track 2
ip route 4.2.2.2 255.255.255.255 11.0.0.1
ip route 8.8.8.8 255.255.255.255 10.0.0.1
!
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0/1
threshold 500
frequency 15
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2 source-interface FastEthernet1/0
threshold 500
frequency 15
ip sla schedule 2 life forever start-time now
!
// Additionally use the following commands to provide automatic function of IP NAT translations table wiping if an ISP failure happens:
event manager applet track-1-isp
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat trans forced"
event manager applet track-2-isp
event track 2 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat trans forced"
