IP SLA on Cisco Router
Sooner or later, but every company faces the problem with the Internet connection being out of order. And right after that, the question about backup channel arises. What settings needed to be done to automatically switch to backup link in case of an accident?
This article describes the configurations for Cisco 881 routers and similar models (1841, 1941, 2900, 3800…). If you have Cisco ASA, the settings for it are described in the article Dual WAN on Cisco ASA.
One of the easiest and most effective ways to configure a Cisco router – is using the IP SLA monitor. The device will track the availability of the primary Internet provider, and once the connection is lost (certain address won’t respond to ICMP requests during several seconds), it will forward traffic through the backup link.
Let’s take a look at the settings, considering the example of a standard router model for small office – Cisco 881.
- Fa 4 interface – the primary service provider is connected here. This is an l3 interface of OSI model, so the ip address is assigned directly to the interface;
- FastEthernet 3 (Vlan 3) – the backup ISP is connected.
- Fa 0 interface (Vlan 1) – the local office network (LAN) is connected here;
If you have another model of a router, then, the difference will be only in the name of the interfaces, but not in the settings itself.
Goal: to set the resilient Internet connection (dual wan).
Step 1. Routes check.
Checking current routes on the device. For convenience we are using sh run | inc route command that allows seeing current configuration, containing the word «route»
R-DELTACONFIG-1# sh run | inc route
Ip route 0.0.0.0 0.0.0.0 10.10.10.1 1
Translating from the device’s language to a more understandable, “human” one, it will sound like this:
«Forward all packages, about which I know to the outside interface through the gateway 10.10.10.1».
Router “knows” only about networks, which are connected to it directly or for which the routes strings are set up.
Step 2. The backup provider settings.
On the router, the outside interface Fastethernet 4 is already set up. Here the primary ISP is connected. So In current configuration (can be shown using command sh run) there will be strings similar to these:
R-DELTACONFIG-1# sh run
…
interface Fastethernet 4
ip address 10.10.10.2 255.255.255.252
Now, let’s add the settings for the backup link, that is connected with Fa 3/ Vlan 3.
Firstly, we need to create Vlan to connect the backup service, bind it to one of its free ports, and after that set an IP-address.
Creation of Vlan 3
R-DELTACONFIG-1#
vlan database
R-DELTACONFIG-1 (vlan)#
vlan 3 name BACKUP_ISP
To check current settings, you can use command sh current, without leaving the VLAN configuration mode. It’s enough to have Vlan 3 in the list of existing interfaces.
R-DELTACONFIG-1 (vlan)#
sh current
To bind Vlan 3 to FastEthernet 3 interface, you must leave the Vlan set up mode and then enter the regular conf t configuration mode. After that, bind Vlan 3 to the FastEthernet 3 interface and activate it with the command no shut.
R-DELTACONFIG-1 (vlan)#
exit
conf t
R-DELTACONFIG-1 (config)#
interface FastEthernet 3
switchport access vlan 3
no shut
And right after that set an IP address and activate the interface using the command no shut.
R-DELTACONFIG-1 (config)#
interface Vlan 3
ip address 20.20.20.2 255.255.255.252
ip nat outside
no shut
If all the wires are connected and the settings are correct, then the gateway of the backup provider should be available from the Cisco 881 router.
R-DELTACONFIG-1 # ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Step 3. Configuration of the ISP availability tracking.
In order to make Cisco 881 router track the availability of the primary link, it is necessary to configure the IP SLA monitor feature. In equal time intervals, the ping (ICMP request) will be sent on the 1 provider’s gateway address (the main one). The receival of the responsive package (ICMP response) means the availability of the channel.
What to check?
In most cases, both the address of the external interface and an ISP gateway are known beforehand. So, that’s why it is enough to check only the availability of the provider gateway address. But here’s a trick. What will happen if the gateway is still available, but the fault has turned out being somewhere in the provider network? I.e. “the Internet isn’t working”, though the gateway is accessible. Actually – nothing. The router would not recognize the fault, and it won’t switch to the backup mode. Another similar case is when an ISP provides a dynamic address, for example, using PPPoE technology.
To avoid such a case, usually, the stable working address on the Internet is being chosen, which can be located in any place in the world. Then, on the Cisco 881 router, the static route to the chosen address through the gateway of main ISP is being set. And the availability of the default gateway to the side of the main provider is being placed depending on the availability of the chosen address. Then, whatever happens with the connection, whether it is with the router settings problem, connection operator disruption or other reason, the switch to the backup ISP will be performed automatically. At the same time, the disadvantage of such approach is that the needed address always will be unavailable along with the primary provider. For such aims, I recommend using the address 1.1.1.1, which is stably available but is used quite rarely in daily users’ or devices work.
It is written kind of complicated, isn’t it? Let’s simplify it for the algorithm of the 881 router’s actions:
- Router, keep in mind, that the host 1.1.1.1 is always located behind the main ISP gateway 10.10.10.1
- Router, check the availability of the host 1.1.1.1 ones in 10 seconds.
- If host 1.1.1.1 is available, then the default gateway – address of the 1st ISP
- If host 1.1.1.1 is not available, then the default gateway – address of the 2nd ISP
Now, we are setting the static route through the main provider to the address 1.1.1.1
R-DELTACONFIG-1 (config)#
ip route 1.1.1.1 255.255.255.255 10.10.10.1
Activating the IP SLA function
R-DELTACONFIG-1 (config)#
ip sla 1
icmp-echo 1.1.1.1 source-interface Fa 4
threshold 10000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
For reference:
threshold 10000 – The requests will be sent 1 time in 10 seconds.
Step 4. Checking the work of the tracking tool.
For checking the tracking work of the IP SLA the command sh ip sla statistics is used.
R-DELTACONFIG-1# sh ip sla statistics
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Latest RTT: 4 milliseconds
Latest operation start time: 14:07:40 MSK Thu Aug 8 2019
Latest operation return code: Over threshold
Number of successes: 15
Number of failures: 0
Operation time to live: Forever
Number of successes: 15 – shows the number of successful ICMP requests
Number of failures: 0 – shows the number of failed requests
Before executing any of the following steps check the output of this command several times, to make sure that the counter of the successes grows over time. That means that the main channel is working stably and can continue the configuration without the risk of losing the connection with the Internet.
Step 5. The default gateway for the backup provider.
For backup provider, the default gateway is required to be specified, where the Cisco 881 router will send all the packages, but with one difference – this route shouldn’t be considered when the primary provider is available. To enable this, lower the route priority, that is also called as ‘administrative distance’. In other words, it has to be longer.
By default, the value of the administrative distance for a static route – 1.
Let’s set for the backup channel the value, that is close to maximum – 250 (very expensive)
R-DELTACONFIG-1 (config)#
ip route 0.0.0.0 0.0.0.0 20.20.20.1 250
After such update, in the Cisco 881 router configuration has to be 2 default routes.
R-DELTACONFIG-1# sh run | inc route
ip route 1.1.1.1 255.255.255.255 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1 1
ip route 0.0.0.0 0.0.0.0 20.20.20.1 250
Step 6. The switch activation.
The final step is to bind the main route to the tracking function by the channel availability (IP SLA). Firstly, we have to add the new string for the default gateway marked as ‘track 1’ and remove the old one.
R-DELTACONFIG-1 (config)#
ip route 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
no ip route 0.0.0.0 0.0.0.0 10.10.10.1 1
After that, in the final Configuration, there will be two strings for the default gateways.
R-DELTACONFIG-1# sh run | inc route
ip route 1.1.1.1 255.255.255.255 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1 1 track 1
ip route 0.0.0.0 0.0.0.0 20.20.20.1 250
Important note!
If the route strings exist for some networks, besides the default gateway, then you should take into account their presence during configuration, thinking through the switching logic similarly to the default gateway.
Step 7. The NAT adjustment.
The most important thing, that distinguishes the dual wan configuration on Cisco 881 and Cisco ASA routers – is the necessity to reconfigure the translation rules of the NAT (conversion of the internal private addresses into public ones of the external interface). If for Cisco ASA it is enough to duplicate the NAT settings for the backup provider, then for Cisco routers it is necessary to reconfigure the command logic.
The ‘Regular’ NAT settings to access the Internet, for users, boil down to selecting the range of the internal addresses and adding the rule “translate ‘these addresses’ into the external interface address”. In fact, it is just the description of the traffic, BEFORE it gets into the internal router interface.
ip access-list standard ACL_NAT
permit 192.168.10.0 0.0.0.255
Interface Vlan 1
ip nat inside
Interface Fa 4
ip nat outside
ip nat inside source list ACL_NAT interface fa4
In case of the realization of a resilient switching to the backup ISP using the IP SLA feature, it is necessary to use the route-map. It is the extended function of the traffic control flow, in which the condition (which traffic) and action (what to do with it) is specified. In our case, for each of the providers, a route-map is created only with “conditions”, which are:
- Pre-created list of ACL_NAT access, in which the traffic is reflected for all internal hosts
- Output interface (own for each of the providers)
route-map ROUTE_ISP_MAIN permit 10
match ip address ACL_NAT
match interface FastEthernet 4
route-map ROUTE_ISP_BACKUP permit 10
match IP address ACL_NAT
match interface Vlan 3
Then, you need to add rules for NAT, which refer to the route-map.
ip nat inside source route-map ROUTE_ISP_MAIN interface FastEthernet 4 overload
ip nat inside source route-map ROUTE_ISP_BACKUP interface Vlan 3 overload
Important note!
Don’t forget to check, that on each of the three interfaces, through which the traffic is passed, there are strings about belonging to the NAT.
Interface Vlan 1
ip nat inside
Interface Fa 4
ip nat outside
interface Vlan 3
ip nat outside
This article was written by Alexey Yurchenko