Cisco 1811 router dual Internet connections

Dec 14th, 2007

Hello all!


Looking for a little bit of help, please.


Company has an 1811 router, running version 12.4(6)T7 IOS. We have 1 broadband Internet connection with static IP into FastEthernet0. I would like to add a different slower broadband IP DHCP type into FastEthernet1 for backup and redundancy purposes.


My goal is backup and redundancy, and load balancing of outbound web browsing, if possible.


I have looked at Cisco doc #99427, but that is a slightly different config than I am working with and I can't quite follow where the doc is getting some of its parameters.


I can post my current config if someone is willing to help or has a similar working config that I can mirror with obvious IP changes.


Thanks. The recent ice storms in the Midwest have brought this to the forefront and I need to get this working.


Thank You


Brian

Edison Ortiz Fri, 12/14/2007 - 13:15

Let's see the config.

Edison Ortiz Fri, 12/14/2007 - 13:45

ip sla 1
 icmp-echo 216.203.117.81
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
ip route 0.0.0.0 0.0.0.0 216.203.117.81 track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet1 20
!
ip nat inside source route-map primary-nat interface FastEthernet0 overload oer
ip nat inside source route-map backup-nat interface FastEthernet1 overload oer
!
route-map primary-nat permit 10
 match ip address 1
 set ip next-hop verify-availability 216.203.117.81 track 1
!
route-map backup-nat permit 10
 match ip address 1
 set interface fastethernet1


_____________


I'm afraid you will have problems with the static NATs as you can't do extendable with interface as the global address.

bsallison Fri, 12/14/2007 - 13:58

Edison,


First, Thank You so much for stepping up.


I understand the issues with static NAT. One piece I still don't get: where do I define track 1 rtr 1 as being my FastEthernet0 connection? Or is that unnecessary? Doc #99427 also defined an SLA 2 on the second Internet connection; is that needed?


Does your solution provide redundancy only or both load-balancing & redundancy on the outbound traffic?


Thanks

Edison Ortiz Fri, 12/14/2007 - 14:08

The SLA pings FastEthernet0's gateway. If the FastEthernet0 connection is down, you should be unable to ping the gateway.


Once the gateway is unreachable the track will be marked down and subsequently the ip route will be removed since it has tracking enabled.


OER on the NAT will enable the changeover once the state of the SLA changes.


The rest is very straight forward.


I've implemented this config on some of my customers and suggested to other members of this community, with success.

bsallison Fri, 12/14/2007 - 14:07

When inputting commands I am getting bad responses on the oer in the ip nat commands and also on the route-map primary section on the track 1 command.


I am just copying & pasting, so it's not typos. Ideas?

Edison Ortiz Fri, 12/14/2007 - 14:09

Argh, IOS limitations. OER may not be supported on some IOS versions, let me check which IOS is supported under 1811.

bsallison Fri, 12/14/2007 - 14:22

Edison,


Attached is an updated config, showing IOS information at the top. This new version also contains the lines I was successful in adding based upon your suggested config.


Looking FWD to your next response.


Thanks again for your help.



Edison Ortiz Fri, 12/14/2007 - 14:28

12.4(15)T supports it.

bsallison Fri, 12/14/2007 - 14:30

OK, so I need an IOS update. Will do that and get back to you Monday. THANKS! Have a good weekend.

bsallison Sun, 12/16/2007 - 14:31

Alright, I updated the IOS on the router to version you specified.


Completed input of your commands. Though I called my track 123, instead of track 1.


Disconnected cable from FE0 on router. Appears failover did NOT work, as I could not browse anywhere. Waited and tried for several minutes in case failover takes a little while, still no luck.


Have attached new updated config, showing all commands and updated IOS. Please review and tell me what I missed or screwed up.


THANKS!



Edison Ortiz Sun, 12/16/2007 - 18:31

Remove

ip nat inside source list 1 interface FastEthernet0 overload


Also, can you verify if you can ping 216.203.117.81 while FE0 is down ?

If so, IP SLA won't declare the track as down.

bsallison Mon, 12/17/2007 - 08:57

Your second issue brings up an interesting question on my part. Since both my connections are broadband, through different carriers and at different speeds, I have a carrier-provided high-speed modem on both connections. Typically the gateway declared on a router would point you to the modem. Since the modem is on my premises, that might not be a good IP SLA test if the carrier circuit is down beyond the modem. Can I substitute a different IP address in the IP SLA section for testing?

Edison Ortiz Mon, 12/17/2007 - 09:07

> Can I substitute a different IP address in the IP SLA section for testing?



Yes, but you need to make sure the track is declared down for switchover.


You can add the source-interface on the IP SLA configuration to ensure the ping is leaving the proper interface.

bsallison Mon, 12/17/2007 - 09:15

Correct syntax for adding the source-interface, please? I am currently determining the next up stream point to use as my test address.


Also, when the primary comes back online, what causes the router the switch back over to that connection for routing traffic?

Edison Ortiz Mon, 12/17/2007 - 09:18

1.

ip sla 1
 icmp-echo 216.203.117.81 source-ip x.x.x.x
 frequency 5
ip sla schedule 1 life forever start-time now



2.

The SLA will ping the destination IP for an x interval. Once the destination IP replies, the track is up and reinstated.


bsallison Mon, 12/17/2007 - 11:13

Still have an issue. I unplug the cable from FE0 and try for several minutes but am never able to browse out over the backup connection. The backup connection is up and has a DHCP-assigned address. But traffic is not routing, I think.


I even unplug the backup connection from FE1 and plug directly into laptop. Laptop gets DHCP assigned address and is able to browse out, so I know circuit is working.


I must be missing something else.


Ideas....

Edison Ortiz Mon, 12/17/2007 - 11:20

> Backup connection is up and has DHCP assigned address. But traffic not routing, I think.


You can verify if routing is working or not by pinging the internet sourcing from that interface.


Example,


ping 4.2.2.1 source fastethernet1


Can you post the output from


show ip nat trans

show track

and

show ip interface brief | ex una


while the FE0 is down ?

bsallison Fri, 12/28/2007 - 13:34

Edison,


Sorry for the lengthy delay over the holiday season. I hope you are still watching this thread. I have done as you advised and have attached the output you ask for.


Still not working and when I do the testing, I have a tough time getting the router to see that FE0 is back online after test and getting traffic to route back to the primary.



Edison Ortiz Fri, 12/28/2007 - 15:24

Let's see your current config.


I believe the nat timeout would help on this situation.

bsallison Sun, 12/30/2007 - 15:18

Attached is latest config, I highlighted the lines which I have added per the instructions in this thread.


The address I used in the ip sla icmp-echo I found by doing a tracert to several outside locations, it is a couple hops upstream from my modem, a public address, and it responds to ping command.


I think we're close. I need to get failover DSL to respond when primary is down AND for the primary to come back online seamlessly when it is restored.



Edison Ortiz Sun, 12/30/2007 - 16:44

Your config looks perfect and it's very similar to a config that I've deployed successfully in other environments.


You mentioned you have a hard time switching back to the primary ISP, so I have a couple of questions:


1) When the track is down, your users are able to access the internet via the DSL connection ?


2) When you want to return back to the primary ISP, is the track back up ?

bsallison Wed, 01/02/2008 - 14:23

1) No, can not access Internet over DSL.


2) So far, after manually taking FE0 down to test failover to FE1 (DSL), when I plug FE0 back in the route does not come back up. I either have to reboot the router, or remove the route-map and ip route commands that point to FE1.


Did you see other suggestion posted on my issue. Had more to config, including IP SLA 2. Any validity to this?

I'm not sure if your current running configuration is the same as you posted a couple of weeks ago but you should be able to see what is needed for this to work. You will have to implement the following configuration changes based on your last posting of the running config.


Please read the changes carefully as it contains a part that requires input from you (backup ISP device IP address to monitor).


Interesting items to point out so far:

1. Interface Fa1 seems to be administratively shutdown.

2. ip sla 2 is missing entirely from the config.

3. ip sla 1 doesn't specify source interface as Fa0.

4. There is no ACL on interface Fa1, which is going to be needed if it is used as the backup interface.

5. There are no NAT statements for when interface Fa1 is going to be used. You can use a DynDNS.org client to update a DNS name to make it easier for you to know what IP address the backup interface is using.

6. You mentioned load balancing outbound web traffic. You will have per-destination load balancing outbound if you have fast switching enabled on the interfaces, which I think you already do have.


Give this a try and let us know the outcome.


!
access-list 102 permit udp any eq domain any
access-list 102 permit udp host 132.163.4.102 eq ntp any
access-list 102 permit tcp any any eq 1494
access-list 102 permit tcp any any eq 5367
access-list 102 permit tcp any any eq 5366
access-list 102 permit tcp any any eq 5365
access-list 102 permit tcp any any eq 5364
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 5360
access-list 102 permit tcp any any eq 5361
access-list 102 permit tcp any any eq 5362
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq smtp
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
!
interface FastEthernet1
 ip access-group 102 in
 no shutdown
!
no ip route 0.0.0.0 0.0.0.0 FastEthernet1 20
!
do clear ip nat trans force
no ip nat inside source list 1 interface FastEthernet0 overload
no ip nat inside source route-map backup-nat interface FastEthernet1 overload oer
no ip nat inside source route-map primary-nat interface FastEthernet0 overload oer
!
ip nat inside source static tcp 10.2.1.4 1494 interface FastEthernet1 1494 extendable
ip nat inside source static tcp 10.2.1.4 3389 interface FastEthernet1 3389 extendable
ip nat inside source static tcp 10.2.1.2 5360 interface FastEthernet1 5360 extendable
ip nat inside source static tcp 10.2.1.3 5361 interface FastEthernet1 5361 extendable
ip nat inside source static tcp 10.2.1.74 5364 interface FastEthernet1 5364 extendable
ip nat inside source static tcp 10.2.1.77 5365 interface FastEthernet1 5365 extendable
ip nat inside source static tcp 10.2.1.78 5366 interface FastEthernet1 5366 extendable
ip nat inside source static tcp 10.2.1.100 5367 interface FastEthernet1 5367 extendable
ip nat inside source static tcp 10.2.1.6 25 interface FastEthernet1 25 extendable
ip nat inside source static tcp 10.2.1.6 80 interface FastEthernet1 80 extendable
ip nat inside source static tcp 10.2.1.6 443 interface FastEthernet1 443 extendable
ip nat inside source static tcp 10.2.1.6 5362 interface FastEthernet1 5362 extendable
!
ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source list 1 interface FastEthernet0 overload
!
no track 123
!
no track 345
!
no ip sla 1
!
ip sla 1
 icmp-echo 216.203.117.81 source-interface FastEthernet0
 frequency 5
!
ip sla schedule 1 life forever start-time now
!
! X.X.X.X needs to be an IP address on the backup ISP network
ip sla 2
 icmp-echo X.X.X.X source-interface FastEthernet1
 frequency 5
!
ip sla schedule 2 life forever start-time now
!
track 123 rtr 1 reachability
 delay down 10 up 5
!
track 345 rtr 2 reachability
 delay down 10 up 5
!
no route-map primary-nat
!
no route-map backup-nat
!


bsallison Sun, 01/27/2008 - 13:44

I hope you are still watching this thread. I was pulled away to another project, unannounced. Anyway, I implemented all the changes you recommended and still NO connectivity to Internet through FE1 when FE0 is down. Addressing your concerns specifically:

1) FE1 is now up

2) Added the IP SLA 2 with a known upstream IP address to ping

3) Added source interface to IP SLA 1

4) Added ACL on interface FE1

5) Not clear on this & when I tried to add IP NAT INSIDE SOURCE statements, it errored out, possibly because I did not understand the syntax & use of DynDNS.org

6) How do I verify that fast-switching is enabled?


I have attached 2 configs, my last config BEFORE I added your recommended changes, and the AFTER config with your changes included.


When FE0 is down I still can not get out to Internet. I verified that FE0 is down by manually trying to ping 10.13.2.5 & another upstream host, FE0 definitely down. But while it was down I could not ping 209.181.206.195. That is the next upstream hop from the WAN interface on DSL modem (71.213.237.219). I could ping that WAN interface on DSL modem, but nothing beyond.


When I plug laptop directly into DSL modem, I am able to browse Internet, and successfully ping 209.181.206.195. So, I know that DSL circuit is working. But when that DSL circuit is plugged into Cisco 1811 router, and FE0 is down I get nothing.


It would seem to me that there needs to be some sort of IP ROUTE command identifying FE1 as a viable route to Internet, but you recommended I remove that. For that matter, for load-balancing to work when both FE0 & FE1 are up I would think the IP ROUTE command is needed?


I would truly appreciate if you could look over my configs and see what piece is still missing to make this fail-over DSL circuit work correctly.


THANK YOU



Edison Ortiz Sun, 01/27/2008 - 14:15

Sorry, I don't have the hardware nor time to recreate this environment. I'm afraid I've reached the end of the line here.


__


Edison.

Based on the current "after" running configuration these are the necessary commands to run to get the router working as you desire.


!
ip nat inside source static tcp 10.2.1.4 1494 interface FastEthernet1 1494 extendable
ip nat inside source static tcp 10.2.1.4 3389 interface FastEthernet1 3389 extendable
ip nat inside source static tcp 10.2.1.2 5360 interface FastEthernet1 5360 extendable
ip nat inside source static tcp 10.2.1.3 5361 interface FastEthernet1 5361 extendable
ip nat inside source static tcp 10.2.1.74 5364 interface FastEthernet1 5364 extendable
ip nat inside source static tcp 10.2.1.77 5365 interface FastEthernet1 5365 extendable
ip nat inside source static tcp 10.2.1.78 5366 interface FastEthernet1 5366 extendable
ip nat inside source static tcp 10.2.1.100 5367 interface FastEthernet1 5367 extendable
ip nat inside source static tcp 10.2.1.6 25 interface FastEthernet1 25 extendable
ip nat inside source static tcp 10.2.1.6 80 interface FastEthernet1 80 extendable
ip nat inside source static tcp 10.2.1.6 443 interface FastEthernet1 443 extendable
ip nat inside source static tcp 10.2.1.6 5362 interface FastEthernet1 5362 extendable
!
ip nat inside source list 1 interface FastEthernet1 overload
!
no ip route 0.0.0.0 0.0.0.0 216.203.117.81
!
ip route 0.0.0.0 0.0.0.0 216.203.117.81 254
!


Since FE1 is getting an IP address via DHCP the router will obtain a default route via the DHCP process. This default route will have an administrative distance of 254. If you remove the existing default route and reenter it with an administrative distance of 254 then you will end up with two default routes installed in the routing table. This will help you achieve load balancing outbound.

bsallison Mon, 01/28/2008 - 09:16

I am getting "Invalid input" at EXTENDABLE on the ip nat statements. It accepts the command up to that point.


Ideas?

bsallison Tue, 01/29/2008 - 16:03

Joe,


I ran the commands you specified. I received one error:

ip nat inside source list 1 interface FastEthernet1 overload

returned:

%Dynamic mapping in use, cannot change


I have attached another config, showing all the changes you instructed. I am concerned why FastEthernet1 does not show in brief list of IP interfaces, though line & protocol both appear to be up.


Thank You for your continued help, hopefully we are almost resolved.



paolo bevilacqua Tue, 01/29/2008 - 16:14

Hi, let me jump in here in relief to the commendable efforts by Joe.


To solve the "translation in use" problem, try "clear ip nat translation forced", then QUICKLY "conf t" and the suggested commands.


If that doesn't work, disconnect all cables except console, reload router, configure as suggested, reconnect cables.


Good luck!

bsallison Sun, 02/03/2008 - 11:05

Joe,


Added the commands you referenced, also followed the steps offered by other engineer.


The router appears to not allow me to have both:

ip nat inside source list 1 interface FastEthernet0 overload


and


ip nat inside source list 1 interface FastEthernet1 overload


As soon as I insert the command containing fa1, it overwrites or removes the same command containing fe0. When fe1 is the only statement in the config, I can access the Internet. When fe0 is in the config all works just fine. I have attached the latest config, which also shows the IP INT status; now both interfaces are up.


Am I missing something silly simple?


Sorry to drag this issue out, but I just want the failover redundancy to work...

THANKS!



paolo bevilacqua Sun, 02/03/2008 - 11:16

Hi,


please configure an access-list 2 that is like 1, and reference it as


ip nat inside source list 2 interface FastEthernet1 overload


Be advised that after that you're not done yet: you will need to tie the SLA track to the default routes, something that is not done yet. That can even be a problem as you are using DHCP; worst case you will have to reference the GW, which should never change.


And after you will need the timeout and possibly oer setting for NAT.


Sorry if that is not so easy.

Gerard Roy Thu, 02/19/2009 - 16:49

Do This - Add two route maps and two NAT overloads pointing to the same ACL


route-map INTERNET_FA0 permit 10
 match ip address 1
 match interface FastEthernet0
!
route-map INTERNET_FA1 permit 10
 match ip address 1
 match interface FastEthernet1
!
ip nat inside source route-map INTERNET_FA0 interface FastEthernet0 overload
ip nat inside source route-map INTERNET_FA1 interface FastEthernet1 overload


Now here is the problem you're going to run into. DHCP by default has an administrative distance of 254 (REALLY dumb Cisco!) so when you do your routing, how is it going to know which path to take to the internet if you have a routing protocol running? One way to reduce the AD is with "ip dhcp-client default-router distance 1", but now here it introduces a new problem. If both your WAN links are DHCP, it applies the same AD to both routes "ip route 0.0.0.0 0.0.0.0 dhcp". If you try and append an AD to the end of the ip route 0.0.0.0 0.0.0.0 dhcp 100 for the secondary route, it doesn't seem to work. I see that you have RFC 1918 space so I would recommend setting a static IP and route to the Fa1 device and leaving FA0 DHCP. Hope this helps.
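The three failure points this thread keeps circling back to can be caught by reading the running config rather than by pulling cables: a tracked default route whose track does not lead to a scheduled ip sla probe (the track ... rtr ... reachability chain Edison and Joe describe), two "ip nat inside source list 1 ... overload" statements on one ACL (the overwrite bsallison hit and paolo diagnosed), and which default routes the RIB actually installs once administrative distance and track state are applied (Joe's two AD 254 routes, Gerard's DHCP AD point). The Python below is an added example written for this page, not code from any participant here or from Cisco. The config text inside it is constructed for the example; the "ip route 0.0.0.0 0.0.0.0 FastEthernet1 254" line stands in for the AD 254 default a DHCP client installs, and the route-selection model (tracked routes withdrawn while their track is down, lowest AD wins, equal-AD routes all install) is a simplification of IOS behaviour, not an emulation of it.

```python
"""Consistency checks for an IOS dual-ISP failover config (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed running-config excerpt, not a copy of any attachment in the thread.
SAMPLE_CONFIG = """\
ip sla 1
 icmp-echo 216.203.117.81 source-interface FastEthernet0
 frequency 5
ip sla schedule 1 life forever start-time now
track 123 rtr 1 reachability
 delay down 10 up 5
ip route 0.0.0.0 0.0.0.0 216.203.117.81 track 123
ip route 0.0.0.0 0.0.0.0 FastEthernet1 254
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 1 interface FastEthernet1 overload
"""


@dataclass
class DefaultRoute:
    next_hop: str                 # gateway address or exit interface
    distance: int = 1             # administrative distance; static default is 1
    track: Optional[int] = None   # track object the route depends on, if any


@dataclass
class Config:
    slas: set = field(default_factory=set)                       # defined ip sla ids
    scheduled: set = field(default_factory=set)                  # scheduled ip sla ids
    tracks: Dict[int, int] = field(default_factory=dict)         # track id -> ip sla id
    default_routes: List[DefaultRoute] = field(default_factory=list)
    nat_lists: Dict[int, List[str]] = field(default_factory=dict)  # ACL -> interfaces


SLA_RE = re.compile(r"^ip sla (\d+)$")
SCHED_RE = re.compile(r"^ip sla schedule (\d+)\b")
TRACK_RE = re.compile(r"^track (\d+) rtr (\d+) reachability$")
ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?$")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) interface (\S+) overload$")


def parse_config(text: str) -> Config:
    """Pull the failover-relevant statements out of a running-config."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SLA_RE.match(line):
            cfg.slas.add(int(m[1]))
        elif m := SCHED_RE.match(line):
            cfg.scheduled.add(int(m[1]))
        elif m := TRACK_RE.match(line):
            cfg.tracks[int(m[1])] = int(m[2])
        elif m := ROUTE_RE.match(line):
            cfg.default_routes.append(DefaultRoute(
                m[1], int(m[2]) if m[2] else 1, int(m[3]) if m[3] else None))
        elif m := NAT_RE.match(line):
            cfg.nat_lists.setdefault(int(m[1]), []).append(m[2])
    return cfg


def check_tracking(cfg: Config) -> List[str]:
    """Every tracked default route must lead to a defined and scheduled ip sla probe."""
    issues = []
    for r in cfg.default_routes:
        if r.track is None:
            continue
        if r.track not in cfg.tracks:
            issues.append(f"route via {r.next_hop} references track {r.track}, which is not defined")
            continue
        sla = cfg.tracks[r.track]
        if sla not in cfg.slas:
            issues.append(f"track {r.track} references ip sla {sla}, which is not defined")
        elif sla not in cfg.scheduled:
            issues.append(f"ip sla {sla} is defined but never scheduled, so track {r.track} never comes up")
    return issues


def check_nat_overloads(cfg: Config) -> List[str]:
    """One ACL can back only one overload statement; IOS replaces the earlier one."""
    return [f"ACL {acl} is used by overloads on {', '.join(ifs)}; only the last one entered survives"
            for acl, ifs in cfg.nat_lists.items() if len(ifs) > 1]


def installed_default_routes(cfg: Config, track_up: Dict[int, bool]) -> List[str]:
    """Next hops the RIB would install (simplified model, see lead-in).

    Tracked routes are withdrawn while their track is down (an unknown track is
    treated as down); of the rest only the lowest AD wins, and equal-AD routes
    all install, which is what gives per-destination load sharing.
    """
    candidates = [r for r in cfg.default_routes
                  if r.track is None or track_up.get(r.track, False)]
    if not candidates:
        return []
    best = min(r.distance for r in candidates)
    return [r.next_hop for r in candidates if r.distance == best]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for issue in check_tracking(cfg) + check_nat_overloads(cfg):
        print("PROBLEM:", issue)
    for state in (True, False):
        print(f"track 123 {'up' if state else 'down'} ->",
              installed_default_routes(cfg, {123: state}))
```

Run against the constructed config it flags the shared ACL 1 and shows the primary gateway installed while track 123 is up and FastEthernet1 taking over when it is down; feed it a real "show running-config" capture and the same three checks apply.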

tekha Mon, 12/31/2007 - 03:49

How come you have an RFC1918 address on your FE1?!? Is that what you get from your ISP? And what kind of address did you get when connecting the laptop directly into the modem?

Could you try and disconnect the primary line and from the CLI ping 4.2.2.1? With no filters on the FE1 interface BTW.
