04-24-2009 12:25 AM - edited 03-04-2019 04:30 AM
Hello,
I have a 2811 router with two FastEthernet interfaces and a switch card. I've configured one interface, 0/0, as the primary, and the second one, 0/1, as a backup, but I have some doubts. This is the configuration of the interfaces:
interface FastEthernet0/0
 backup delay 10 30
 backup interface fastethernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address 10.100.100.20 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
My doubts are:
I had this nat configuration:
ip nat inside source list 102 interface fastEthernet0/0 overload
!
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
But what happens if the working interface is the backup? Do I have to change this configuration to make it work? The interface can be 0/0 or 0/1, so how do I configure both of them?
And the other doubt:
I have a VPN with a tunnel with this configuration:
interface Tunnel1
 ip address 10.1.1.6 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 216.7.149.150
 crypto map IPSEC_VPN
And I don't know what to do with the configuration of the tunnel source, because sometimes it will be fastethernet0/0 and other times fastethernet0/1.
Can somebody help me with my doubts?
Thanks
Regards
04-24-2009 06:45 AM
Hi,
Your doubts are correct.
Here is the NAT configuration you should use:
ip nat inside source route-map backup interface FastEthernet0/1 overload
ip nat inside source route-map primary interface FastEthernet0/0 overload
!
route-map backup permit 10
 match ip address 102
 match interface FastEthernet0/1
!
route-map primary permit 10
 match ip address 102
 match interface FastEthernet0/0
!
Regarding your GRE tunnel, I see two solutions:
1- Create a second GRE tunnel identical to the first one except it will use Fas1/0 as its source address. It should work as only one tunnel will be UP at a time. Don't forget the backup route for your VPN traffic.
2- You could de-correlate the GRE IP header and the IPSec IP header:
- Apply your crypto-map on Fast0/0 and 1/0
- Use private loopback addresses for your tunnel source and destination
- Configure IPSec in tunnel mode if it's currently in transport mode.
- Update the ACL used by the crypto-map to match the new tunnel addresses.
This way, GRE packets will be routed either to F0/0 or 0/1 and will be intercepted by the crypto-map which will encrypt those packets.
Also don't forget to add a 2nd default-route pointing to your backup interface.
HTH
Laurent.
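The second option from the reply above, written out as an added example that is not part of the original thread; it uses the poster's FastEthernet0/0 and FastEthernet0/1. The loopback addresses, ACL number, transform-set name and crypto map sequence number are constructed, the IPsec peer is assumed to be the former tunnel destination, and the remote router is assumed to carry the mirror-image configuration and to accept either of this router's outside addresses.

```cisco
! Added example, not from the thread.
! Constructed values (assumptions): loopbacks 172.16.255.1 (local) and
! 172.16.255.2 (peer), ACL 110, transform-set TS_TUNNEL, map sequence 10.
! The ISAKMP policy and key are assumed to exist already and are not shown.
!
! Private loopback used as the GRE source
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
!
! GRE now runs loopback to loopback; the crypto map is no longer applied here
interface Tunnel1
 ip address 10.1.1.6 255.255.255.252
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 172.16.255.2
!
! Crypto ACL matches the GRE packets between the two loopbacks
access-list 110 permit gre host 172.16.255.1 host 172.16.255.2
!
! Tunnel mode: the GRE endpoints differ from the IPsec endpoints
crypto ipsec transform-set TS_TUNNEL esp-aes esp-sha-hmac
 mode tunnel
!
! Assumption: the IPsec peer is the address previously used as
! tunnel destination
crypto map IPSEC_VPN 10 ipsec-isakmp
 set peer 216.7.149.150
 set transform-set TS_TUNNEL
 match address 110
!
! Same crypto map on both outside interfaces; whichever one carries the
! default route encrypts the GRE packets on the way out
interface FastEthernet0/0
 crypto map IPSEC_VPN
!
interface FastEthernet0/1
 crypto map IPSEC_VPN
```

After a failover test, `show crypto ipsec sa` should show the encaps counter increasing under the interface that is currently active. If it stays at zero while the tunnel passes traffic, the crypto ACL is not matching the loopback pair and the GRE packets are leaving unencrypted.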
04-27-2009 12:33 AM
Thanks a lot for your reply Laurent.
I have another question to ask you; it is about the routes:
I have this route,
ip route 0.0.0.0 0.0.0.0 [next_hop_IP]
but with the backup interface the next hop is different. How can I configure these 2 routes for primary and backup?
Thanks
04-27-2009 09:58 AM
Hi,
Just as you configure the first one:
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
The 2nd one will be in the configuration but not in the routing table unless the primary interface is down.
HTH
Laurent.
05-05-2009 03:36 AM
Thanks a lot Laurent.
It worked!!
Regards.
05-05-2009 06:38 AM
Marian:
You have an interesting set up.
May I ask you a few questions?
What are your ethernet interfaces connected to?
Why have you only configured an IP address on the backup and not the primary?
I have seen configurations in which the backup interface is a dialer or a BRI with its own IP address. Also, the failover was predictable in that if the primary serial interface failed, the BRI would dial out to create a backup.
What happens in your case when the primary fails?
Can you elaborate a bit on the requirements and how you are meeting them?
Thanks for your time