backup interface fastethernet

Answered Question
Apr 24th, 2009

Hello,


I have a 2811 router with two fastethernet interfaces, and a switch card. I've configured one interface, 0/0, as the primary, and the second one, 0/1, as a backup, but I have some doubts. This is the configuration of the interfaces:


interface FastEthernet0/0
 backup delay 10 30
 backup interface fastethernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 10.100.100.20 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto


My doubts are:


I had this nat configuration:


ip nat inside source list 102 interface fastEthernet0/0 overload
!
access-list 102 permit ip 192.168.4.0 0.0.0.255 any


But what happens if the working interface is the backup? Do I have to change this configuration to make it work? Because the interface can be 0/0 or 0/1, but how do I configure both of them?


And the other doubt:

I have a VPN with a tunnel with this configuration:


interface Tunnel1
 ip address 10.1.1.6 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 216.7.149.150
 crypto map IPSEC_VPN


And I don't know what to do with the configuration of tunnel source, because sometimes it will be fastethernet0/0 and other times fastethernet0/1.


Can somebody help me with my doubts?


Thanks


Regards

Laurent Aubert Fri, 04/24/2009 - 06:45

Hi,


Your doubts are correct.


Here is the NAT configuration you should use:


ip nat inside source route-map backup interface FastEthernet0/1 overload
ip nat inside source route-map primary interface FastEthernet0/0 overload
!
route-map backup permit 10
 match ip address 102
 match interface FastEthernet0/1
!
route-map primary permit 10
 match ip address 102
 match interface FastEthernet0/0
!


Regarding your GRE tunnel, I see two solutions:


1- Create a second GRE tunnel identical to the first one except it will use Fas1/0 as its source address. It should work as only one tunnel will be UP at a time. Don't forget the backup route for your VPN traffic.


2- You could de-correlate the GRE IP header and the IPSec IP Header:


- Apply your crypto-map on Fast0/0 and 1/0
- Use Private loopback address for your tunnel source and destination
- Configure IPSec in Tunnel mode if it's currently in transport mode.
- Update the ACL used by the crypto-map to match the new tunnel addresses.


This way, GRE packets will be routed either to F0/0 or 0/1 and will be intercepted by the crypto-map which will encrypt those packets.




Also don't forget to add a 2nd default-route pointing to your backup interface.


HTH


Laurent.
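
Added example (not part of Laurent's reply or the original poster's configuration): a sketch of how option 2 above could look on this router. The loopback addresses 172.16.255.1 and 172.16.255.2, the names TS_GRE and GRE_LOOPBACKS, the crypto map sequence number 10, and the use of 216.7.149.150 as the IPsec peer are assumptions; the existing ISAKMP policy and key are assumed to stay as they are.

```cisco
! Constructed example. Addresses and names below are placeholders.
!
! Private loopback used as the GRE endpoint, so the tunnel no longer
! depends on which outside interface is currently active.
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
!
interface Tunnel1
 ip address 10.1.1.6 255.255.255.252
 keepalive 10 3
 tunnel source Loopback0
 ! Assumed loopback address on the remote router
 tunnel destination 172.16.255.2
 ! The crypto map moves from the tunnel to the physical interfaces
 no crypto map IPSEC_VPN
!
! Crypto ACL now matches GRE between the two loopbacks
ip access-list extended GRE_LOOPBACKS
 permit gre host 172.16.255.1 host 172.16.255.2
!
! Tunnel mode is required: the inner GRE header carries private
! addresses, so IPsec must add an outer header with the public ones.
crypto ipsec transform-set TS_GRE esp-aes esp-sha-hmac
 mode tunnel
!
crypto map IPSEC_VPN 10 ipsec-isakmp
 ! Assumed to be the same public address as the old tunnel destination
 set peer 216.7.149.150
 set transform-set TS_GRE
 match address GRE_LOOPBACKS
!
! Same crypto map on primary and backup: whichever interface carries
! the default route intercepts and encrypts the GRE packets. Leaving
! it off one interface would send GRE out unencrypted on failover.
interface FastEthernet0/0
 crypto map IPSEC_VPN
!
interface FastEthernet0/1
 crypto map IPSEC_VPN
```

The remote router needs the mirror-image configuration and must accept IKE from whichever outside address is active on this side. After a failover test, `show crypto ipsec sa` should show the encrypt and decrypt counters increasing on the active interface.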


usuario0001 Mon, 04/27/2009 - 00:33

Thanks a lot for your reply Laurent.

I have another question to ask you; it is about the routes:


I have this route,


ip route 0.0.0.0 0.0.0.0 [next_hop_IP]


but with the backup interface the next hop is different. How can I configure these 2 routes for primary and backup?


Thanks

Correct Answer
Laurent Aubert Mon, 04/27/2009 - 09:58

Hi,


Just as you configure the first one:


ip route 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0


The 2nd one will be in the configuration but not in the routing table unless the primary interface is down.


HTH


Laurent.


ex-engineer Tue, 05/05/2009 - 06:38

Marian:


You have an interesting set up.


May I ask you a few questions?


What are your ethernet interfaces connected to?


Why have you only configured an IP address on the backup and not the primary?


I have seen configurations in which the backup interface is a dialer or a BRI with its own IP address. Also, the failover was predictable in that if the primary serial interface failed, the BRI would dial out to create a backup.


What happens in your case when the primary fails?


Can you elaborate a bit on the requirements and how you are meeting them?


Thanks for your time


