Tuesday, August 31, 2021

Tracker for Viptela DIA with dual routers and dual internet connections?

Hi All, 

I'm setting up a LAB wherein I have 2 vEdges with direct internet connections.

vEdge-A is acting as the primary router; it also has a TLOC-Extension to vEdge-B. I also enabled NAT and applied a tracker on the vEdge TLOC-extension interface.

I'm able to validate that this is working with both lines active/enabled. However, when the tracker goes down, I can see that packets are still being sent to the TLOC-Extension, causing them to be silently dropped since the internet connection via the TLOC-Extension is down.

The objective is to reroute the traffic to the active internet connection if the tracker applied on the TLOC-extension interface at vEdge-A goes down.

Here's what I configured. 

a. Applied a tracker and created a data policy with NAT fallback.

from-vsmart data-policy VPN1_DIANAT
 direction all
 vpn-list VPN1
  sequence 10
   match
    source-ip      10.0.0.0/16
    destination-ip 10.0.0.0/16
   action accept
  sequence 11
   match
    source-data-prefix-list VPN1-Sites102060-Services
   action accept
    nat use-vpn 0
    nat fallback
    set
     local-tloc-list
      color biz-internet public-internet
  default-action accept
from-vsmart lists vpn-list VPN1
 vpn 1
from-vsmart lists data-prefix-list VPN1-Sites102060-Services
 ip-prefix 10.0.50.0/24

b. vEdge-A (Primary):

vEdge-A interfaces:

 TLOC-Extension:
  0 ge0/2 ipv4 192.168.20.2/30 Up Up Up null transport 1500 50:00:00:11:00:03 1000 full 1416 0:00:30:31 39078 46931

 Direct-Internet:
  0 ge0/4 ipv4 192.88.88.1/24 Up Up NA null transport 1500 50:00:00:11:00:05 1000 full 1416 0:00:00:03 417 2277

- Tracker is up.

NAT statistics:
 0 ge0/2 0 udp  192.168.20.2 200.1.10.1 12386 12346 192.168.20.2 200.1.10.1 12386 12346 established 0:00:00:59 704 115104 704 125527 -
 0 ge0/4 0 icmp 192.88.88.1  200.1.1.3  716   716   192.88.88.1  200.1.1.3  716   716   established 0:00:00:05 1   98     0   0      -

From the NAT statistics I can see that both interfaces are used.

The issue is that when both interfaces are enabled, somehow the client can't reach 8.8.8.8, but if I disable one of the links, I can see that the client can reach 8.8.8.8.

VPN  PREFIX     PROTOCOL  SUB TYPE  IF NAME  ADDR            VPN  TLOC IP  COLOR  ENCAP  STATUS
---------------------------------------------------------------------------------------------------
0    0.0.0.0/0  static    -         ge0/4    192.88.88.254   -    -        -      -      F,S     (direct)
0    0.0.0.0/0  static    -         ge0/2    192.168.20.1    -    -        -      -      F,S     (Tlocex)

vpn 0
 interface ge0/4
  ip address 192.88.88.1/24
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color public-internet
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
!

vEdge-A# show running-config vpn 0 interface ge0/2
vpn 0
 interface ge0/2
  description "TLOC"
  ip address 192.168.20.2/30
  nat
  !
  tracker track_public_internet
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
!

When I did a TCP dump on both interfaces, it seemed like no data was passing through.

Switch#ping 8.8.8.8 repeat 1000 source 10.0.50.10
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.0.50.10
......................................................................
...............................

vEdge-A# tcpdump vpn 0 interface ge0/4 options "host 8.8.8.8 -n"
tcpdump -p -i ge0_4 -s 128 host 8.8.8.8 -n in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_4, link-type EN10MB (Ethernet), capture size 128 bytes

# tcpdump vpn 0 interface ge0/2 options "host 8.8.8.8 -n"
tcpdump -p -i ge0_2 -s 128 host 8.8.8.8 -n in VPN 0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_2, link-type EN10MB (Ethernet), capture size 128 bytes

Disabled one of the interfaces:

SITE-C_ID500_MPLS(config-vpn-0)# interface ge0/4
SITE-C_ID500_MPLS(config-interface-ge0/4)# shutdown
SITE-C_ID500_MPLS(config-interface-ge0/4)# commit
Commit complete.

- Ping works after disabling:

................!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<>
!!!!!!!!!!!!!!!!!!!!
Success rate is 87 percent (878/1000), round-trip min/avg/max = 1/1/7 ms

Questions:

a. Is it possible to use both the biz-internet and public-internet transport connections, but have the traffic flow to the active internet connection if the TLOC extension tracker goes down? How can I achieve that?

b. Am I missing something in my configuration?
