Router Failover Configuration with BGP and NAT with two ISPs

Posted on 17 April 2015 by pim

This is for the more hard core Cisco IOS users:

With multi-homed BGP you can let your router failover internet service providers. You can track their availability with SLA, or simply let BGP do its thing. The thing that had my noodle cooked however was.. IF my router decides to route to the Internet via another ISP router.. How do I make the NAT failover to the new interface interface without manual intervention? Simply creating 2 NAT statements and hoping that IOS will pick the right one will not work.

For this scenario, there is that wonderful glue technology “route-maps” that allow you to break every rule in the book. In the next configuration I am not going to abbreviate with tedious pictures and BGP or NAT commands, (I send send them to you if you want but it’s a standard setup) instead I am just going to focus on: How do I failover NAT?!

 

The interfaces on my Border router:

interface Ethernet0/1

description link to ISP1

ip address 209.165.200.5 255.255.255.248

ip nat outside

!

interface Ethernet0/2

description link to ISP2

ip address 209.165.201.5 255.255.255.248

ip nat outside

 

And the internal address:

interface Ethernet0/0

description link to DSW

ip address 10.1.0.7 255.255.255.0

ip nat inside

 

The BGP configuration to the ISPs:

router bgp 65000

bgp log-neighbor-changes

neighbor 209.165.200.6 remote-as 65111

neighbor 209.165.201.6 remote-as 65222

(note : the BGP routers inject a default-route with “default-information originate”)

 

And now.. for the NAT part, first the obligatory ACL:

ip access-list standard nat-acl

permit 10.0.10.0 0.0.0.255

permit 10.0.20.0 0.0.0.255

permit 10.0.30.0 0.0.0.255

 

The overload statements.. with a twist:

ip nat inside source route-map ISP1 interface Ethernet0/1 overload

ip nat inside source route-map ISP2 interface Ethernet0/2 overload

 

And the Magic at work:

route-map ISP2 permit 10

match ip address nat-acl

match interface Ethernet0/2

!

route-map ISP1 permit 10

match ip address nat-acl

match interface Ethernet0/1

 

So… if my router prefers the E0/1 interface for default routing (towards IPS1), the route-map ISP1 matches in the NAT statement and that will activate the NAT configuration.

IF however my routers prefers the E0/2 interface (maybe ISP1 is unreachable), it will failover to the seconds NAT statement. Works like a charm!

Credit is due to this webpage, where I got the idea from!

http://www.ciscozine.com/dual-internet-connections-in-activestandby-mode-without-bgp/

This entry was posted in Cisco Networking and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *