Re: RE: conditional NAT

From: fferrer10@vodafone.es
Date: Mon Jan 10 2005 - 06:48:54 GMT-3


Hi Geert:

Maybe I have not properly explained my working scenario:

I only have 1 router with 2 ADSL interfaces and 2 public IP addresses.
These public IP addresses are negotiated with the other end, and both
are /32 (I only have one ISP, but I would like to load balance between
these 2 ADSLs, having the security that if one of these 2 goes down,
all the traffic will go through the other one).

The solution for load balancing is not difficult using PBR, for example;
however, you must consider that in case one ADSL goes down, 2 things
must be done (correct me if I am wrong):

- Move all this traffic (previously going out through ADSL 1) to the
other ADSL. This is a "problem" easy to solve using PBR.
- NAT all this traffic (previously NATted with the IP address of
ADSL 1, which is now down) to the IP address of the other ADSL (ADSL 2).
Here, I think you need some type of route-map on the NAT to accommodate
all this.

Then, I think you need to apply to the NAT a route-map matching each
output interface (so that the traffic is NATted properly), like this
one:

route-map NATTING1 permit 10
 match interface dialer1
 match ip address 100

route-map NATTING2 permit 10
 match interface dialer2
 match ip address 100

ip nat inside source route-map NATTING1 interface dialer1 overload
ip nat inside source route-map NATTING2 interface dialer2 overload

I see well your suggestion about "how to track whether the output
interface is alive" (however it seems a bit difficult in my case because
maybe the remote end of both ADSLs is the same IP address; I need to
talk with our ISP), but (correct me if I am wrong) I think you need a
route-map on the NAT to be able to change the IP address you are
translating to.

The problem in my case, where I am using dialer interfaces, is that
the route-map used on the NAT always matches, no matter whether the ADSL
is up or down, because the dialer will always be up/up (spoofing).

Comments? Maybe all this is impossible if I use dialer interfaces...

Regards

----- Original Message -----
From: "Geert Nijs" <geert.nijs@simac.be>
Date: Friday, January 7, 2005 3:03 pm
Subject: RE: conditional NAT

> Hi,
>
> Good news: what you need is conditional policy-based routing :-)
> So, load up the latest IOS release, and unleash the power of IOS!
>
> Using SAA, track an IP address on the other side of each ISP
> connection (the other side of the point-to-point connection is great):
>
> rtr 1
> type echo protocol ipIcmpEcho Y.Y.Y.Y (default router other side ISP1)
> rtr schedule 1 start-time now life forever
>
> track 123 rtr 1 reachability
>
> rtr 2
> type echo protocol ipIcmpEcho X.X.X.X (default router other side ISP2)
> rtr schedule 2 start-time now life forever
>
> track 321 rtr 2 reachability
>
>
>
>
> Then take your policy-based routing config and change to:
>
> route-map salidaeth permit 10
> match ip address 101
> set ip next-hop verify-availability X.X.X.X 10 track 321
> set ip next-hop verify-availability Y.Y.Y.Y 20 track 123
> !
>
> route-map salidaeth permit 20
> match ip address 102
> set ip next-hop verify-availability Y.Y.Y.Y 20 track 123
> set ip next-hop verify-availability X.X.X.X 10 track 321
>
>
> Maybe you need to experiment a bit with the IP addresses you track, but
> you should be able to get it working with this. No need for a special
> NAT config.
>
>
> Regards,
> Geert
> CCIE #13729
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> fferrer10@vodafone.es
> Sent: Friday, 7 January 2005 12:06
> To: Matt Mullen; ccielab@groupstudy.com
> Subject: Re: conditional NAT
>
> Matt:
>
> Firstly, thank you very much for the info.
>
> The sample you provided is good if you aren't using DIALER interfaces
> to control the internet access (ADSL in my case, as I have said in my
> previous mail).
>
> Our provider uses some form of PPP over ATM on these ADSLs, and the
> typical config at the ADSL router is like this one:
>
>
> interface ATM0/0
> no ip address
> no atm ilmi-keepalive
> dsl operating-mode auto
> pvc 8/35
> encapsulation aal5mux ppp dialer
> dialer pool-member 1
>
> interface Dialer1
> ip address negotiated
> ip nat outside
> encapsulation ppp
> dialer pool 1
> ppp chap hostname PA281XI1
> ppp chap password 7 032B032A2C5C157E7A
>
> As you can suppose, the problem I have is that a DIALER interface is
> always UP/UP (spoofing), no matter whether the access line (ADSL) is
> up or down. Then, if one of the 2 ADSLs I have to go out through fails,
> I can't access the internet via the other one.
>
> I have tried to configure this ADSL with a virtual-template interface
> instead of the dialer interface, but I can't get the remote end to
> give me the public IP address to work with this config...
>
> Has anyone seen a problem like this and does anyone know a solution?
>
> Regards
>
> ----- Original Message -----
> From: Matt Mullen <mullenm@gmail.com>
> Date: Tuesday, January 4, 2005 10:17 pm
> Subject: Re: conditional NAT
>
> > Hi,
> >
> > Here is a configuration that will allow traffic to be port address
> > translated to the public IP address on the interface which the
> > traffic is leaving. The key is the 'match interface' command on the
> > route-map which causes the traffic to be translated based on the
> > interface that it is passing through. If one interface goes down,
> > traffic will always leave the other one that is up and will be
> > translated to the public IP of that interface.
> >
> > interface Serial0
> > Description ISP-A
> > ip address 88.88.88.88 255.255.255.252
> > ip nat outside
> >
> > interface Serial1
> > Description ISP-B
> > ip address 99.99.99.99 255.255.255.252
> > ip nat outside
> >
> > interface Ethernet0
> > Description Inside
> > ip address 10.1.1.1 255.255.255.0
> > ip nat inside
> >
> > ip nat inside source route-map ISP-A interface Serial0 overload
> > ip nat inside source route-map ISP-B interface Serial1 overload
> >
> > route-map ISP-A permit 10
> > match interface Serial0
> > match ip address 100
> >
> > route-map ISP-B permit 10
> > match interface Serial1
> > match ip address 100
> >
> > access-list 100 permit ip 10.1.1.0 0.0.0.255 any
> >
> >
> > HTH,
> > Matt
> >
> >
> >
> >
> > On Tue, 04 Jan 2005 19:44:59 +0100, fferrer10@vodafone.es
> > <fferrer10@vodafone.es> wrote:
> > > Hi group:
> > >
> > > Does anyone know a way to configure some form of "conditional
> > > natting"? This is, I have 1 router with 2 ADSL interfaces to
> > > connect to the internet, and I want to load balance the traffic
> > > using both interfaces... then I thought: well, maybe using policy
> > > based routing I could redirect a group of internal subnets to one
> > > interface and the other group to the other, configuring a
> > > route-map like this one:
> > >
> > > route-map salidaeth permit 10
> > > match ip address 101
> > > set default interface atm0/0 atm0/1
> > > !
> > > route-map salidaeth permit 20
> > > description toINTERNET
> > > match ip address 102
> > > set default interface atm0/1 atm0/0
> > >
> > > Where 101, 102 are ACLs matching the subnets I said...
> > >
> > > However, this router must also do the NATting, and I only have
> > > the 2 public IP addresses of the ADSL interfaces to use, and I
> > > must ensure that if one ADSL interface goes down, all the traffic
> > > uses the other ADSL interface to go to the internet. Also I can't
> > > use BGP on this router.
> > >
> > > Then, I'm wondering if there is any way to NAT the subnets
> > > matching the 101 ACL to the IP of atm0/0 if atm0/0 is up, and to
> > > NAT them to the IP of atm0/1 if it is down (and similarly with the
> > > other group of subnets).
> > >
> > > Regards
> > >
> > >
> >
>
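The thread leaves the two halves of the design in separate messages: Geert's tracked PBR decides which dialer a packet leaves through, and Matt's `match interface` NAT route-maps translate to whichever address that egress interface holds. The following is an added, complete IOS configuration that joins them; it is editor-written and not the configuration of any participant. The piece that addresses the dialer "spoofing" concern is that a NAT route-map's `match interface` is evaluated against the output interface already chosen by routing/PBR, not against the dialer's line state, so a dialer that stays up/up on a dead line is harmless as long as the track object is honest. Assumptions: an IOS release with IP SLA, object tracking, PBR `verify-availability` and EEM (the thread's `rtr` commands are the same feature under its earlier name); `FastEthernet0/0` as the LAN interface; 10.1.0.0/24 and 10.1.1.0/24 as the two inside subnet groups; 192.0.2.1 and 198.51.100.1 (RFC 5737 documentation addresses) as two distinct upstream addresses, one reachable over each ADSL. None of these names or addresses come from the thread.

```cisco
! Added example, not from any poster in this thread. All interface names,
! addresses and ACL numbers below are placeholders (assumptions).

! --- Reachability probes, one per ADSL path -----------------------------
! The dialer interface stays up/up when the line is dead, so the probe,
! not the interface state, is what detects a failure. A /32 static route
! pins each probe target to its own dialer; without it both probes could
! leave through the same path and one failure would go unnoticed.
ip route 192.0.2.1 255.255.255.255 Dialer1
ip route 198.51.100.1 255.255.255.255 Dialer2
!
ip sla 1
 icmp-echo 192.0.2.1 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface Dialer2
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Dampen the track objects so a single lost echo does not flip the path
! (and the NAT address) back and forth.
track 123 ip sla 1 reachability
 delay down 10 up 30
track 321 ip sla 2 reachability
 delay down 10 up 30

! --- Inside traffic ----------------------------------------------------
access-list 100 permit ip 10.1.0.0 0.0.0.255 any   ! everything to be NATted
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.1.0.0 0.0.0.255 any   ! group preferring ADSL 1
access-list 102 permit ip 10.1.1.0 0.0.0.255 any   ! group preferring ADSL 2

! --- Tracked PBR: first next-hop whose track is up wins ----------------
route-map salidaeth permit 10
 match ip address 101
 set ip next-hop verify-availability 192.0.2.1 10 track 123
 set ip next-hop verify-availability 198.51.100.1 20 track 321
route-map salidaeth permit 20
 match ip address 102
 set ip next-hop verify-availability 198.51.100.1 10 track 321
 set ip next-hop verify-availability 192.0.2.1 20 track 123

interface FastEthernet0/0
 description Inside LAN (assumed name)
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 ip policy route-map salidaeth

! --- Dialer interfaces (ATM/PVC side as in the quoted config) ----------
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname ISP-USER-1          ! placeholder
 ppp chap password 0 CHANGE-ME-1       ! placeholder, see note below
interface Dialer2
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 2
 ppp chap hostname ISP-USER-2          ! placeholder
 ppp chap password 0 CHANGE-ME-2       ! placeholder

! --- NAT follows the egress interface PBR selected ---------------------
! "match interface" here tests the outgoing interface of the packet, so a
! flow that PBR moved to Dialer2 is translated to Dialer2's negotiated
! address automatically; no conditional logic is needed in the NAT rule.
route-map NATTING1 permit 10
 match ip address 100
 match interface Dialer1
route-map NATTING2 permit 10
 match ip address 100
 match interface Dialer2
ip nat inside source route-map NATTING1 interface Dialer1 overload
ip nat inside source route-map NATTING2 interface Dialer2 overload

! --- Flush stale translations and log the event on any path change ----
! Existing translations are bound to the old outside address; left in
! place they would be sent out the surviving dialer with the dead link's
! source IP. Clearing the table forces fresh translations, at the cost of
! resetting all active sessions on both links.
event manager applet NAT-FLUSH-ON-ADSL1
 event track 123 state any
 action 1.0 syslog msg "track 123 (ADSL1) changed state; flushing NAT table"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
event manager applet NAT-FLUSH-ON-ADSL2
 event track 321 state any
 action 1.0 syslog msg "track 321 (ADSL2) changed state; flushing NAT table"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear ip nat translation *"
```

Two caveats a practitioner would check before relying on this. First, the probe targets must really be distinct per path: if the ISP presents the same peer address on both PPP sessions (the concern raised above), tracking the peer itself cannot tell the links apart, so pick two different addresses further upstream and pin each with its own /32 route as shown. Second, the quoted configuration carries a `ppp chap password 7 ...` line; type 7 is a reversible encoding, not a hash, so a CHAP secret that has been posted in that form should be treated as disclosed and rotated with the ISP. The `syslog` actions in the applets are what make a failover visible in monitoring rather than something discovered from user complaints.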



This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:21 GMT-3