04-24-2009 12:25 AM - edited 03-04-2019 04:30 AM
Hello,
I have a 2811 router with two FastEthernet interfaces and a switch card. I've configured one interface, 0/0, as the primary, and the second one, 0/1, as a backup, but I have some doubts. This is the configuration of the interfaces:
interface FastEthernet0/0
backup delay 10 30
backup interface fastethernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.100.100.20 255.255.255.0
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
My doubts are:
I had this nat configuration:
ip nat inside source list 102 interface fastEthernet0/0 overload
!
access-list 102 permit ip 192.168.4.0 0.0.0.255 any
But what happens if the working interface is the backup? Do I have to change this configuration to make it work? The interface can be 0/0 or 0/1, but how do I configure both of them?
And the other doubt:
I have a VPN with a tunnel with this configuration:
interface Tunnel1
ip address 10.1.1.6 255.255.255.252
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 216.7.149.150
crypto map IPSEC_VPN
And I don't know what to do with the configuration of tunnel source, because sometimes it will be fastethernet0/0 and other times fastethernet0/1.
Can somebody help me with my doubts?
Thanks
Regards
04-24-2009 06:45 AM
Hi,
Your doubts are correct.
Here is the NAT configuration you should use:
ip nat inside source route-map backup interface FastEthernet0/1 overload
ip nat inside source route-map primary interface FastEthernet0/0 overload
!
route-map backup permit 10
match ip address 102
match interface FastEthernet0/1
!
route-map primary permit 10
match ip address 102
match interface FastEthernet0/0
!
Regarding your GRE tunnel, I see two solutions:
1- Create a second GRE tunnel identical to the first one except it will use Fas1/0 as its source address. It should work as only one tunnel will be UP at a time. Don't forget the backup route for your VPN traffic.
2- You could de-correlate the GRE IP header and the IPSec IP header:
- Apply your crypto-map on Fast0/0 and 1/0.
- Use private loopback addresses for your tunnel source and destination.
- Configure IPSec in tunnel mode if it's currently in transport mode.
- Update the ACL used by the crypto-map to match the new tunnel addresses.
This way, GRE packets will be routed either to F0/0 or 0/1 and will be intercepted by the crypto-map which will encrypt those packets.
Also don't forget to add a 2nd default-route pointing to your backup interface.
HTH
Laurent.
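Option 2 above written out as IOS configuration, as an added example that is not part of Laurent's reply: the loopback addresses, ACL 110 and the transform-set name TS are constructed, and it assumes 216.7.149.150 remains the IPsec peer and that the existing ISAKMP policy and key are unchanged. Tunnel mode is needed because the GRE endpoints (the loopbacks) are no longer the IPsec peers.

```cisco
! Added example: 172.16.255.x, ACL 110 and transform-set TS are constructed.
! Assumes the existing ISAKMP policy and pre-shared key stay in place.
!
interface Loopback0
 description GRE endpoint, independent of which WAN link is active
 ip address 172.16.255.1 255.255.255.255
!
! 172.16.255.2 is the loopback on the remote router (constructed)
interface Tunnel1
 ip address 10.1.1.6 255.255.255.252
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 172.16.255.2
!
! Outer IPsec header carries the public addresses, inner GRE the loopbacks
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! Encrypt only the GRE flow between the two loopbacks.
! 172.16.255.1 is outside 192.168.4.0/24, so NAT ACL 102 does not match it.
access-list 110 permit gre host 172.16.255.1 host 172.16.255.2
!
! Assumed: the IPsec peer is the former tunnel destination
crypto map IPSEC_VPN 10 ipsec-isakmp
 set peer 216.7.149.150
 set transform-set TS
 match address 110
!
! Same crypto map on both WAN links; whichever is up encrypts the GRE packets
interface FastEthernet0/0
 crypto map IPSEC_VPN
!
interface FastEthernet0/1
 crypto map IPSEC_VPN
```

The remote router needs the mirror-image loopback, tunnel and ACL, and must accept IKE from whichever of the two public addresses is active. After a failover, `show crypto ipsec sa` should show the encaps counter rising on the entry for the backup interface's address.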
04-27-2009 12:33 AM
Thanks a lot for your reply Laurent.
I have another question to ask you; it is about the routes:
I have this route,
ip route 0.0.0.0 0.0.0.0 [next_hop_IP]
but with the backup interface the next hop is different. How can I configure these 2 routes for primary and backup?
Thanks
04-27-2009 09:58 AM
Hi,
Just as you configure the first one:
ip route 0.0.0.0 0.0.0.0
ip route 0.0.0.0 0.0.0.0
The 2nd one will be in the configuration but not in the routing table unless the primary interface is down.
HTH
Laurent.
05-05-2009 03:36 AM
Thanks a lot Laurent.
It worked!!
Regards.
05-05-2009 06:38 AM
Marian:
You have an interesting set up.
May I ask you a few questions?
What are your ethernet interfaces connected to?
Why have you only configured an IP address on the backup and not the primary?
I have seen configurations in which the backup interface is a dialer or a BRI with its own IP address. Also, the failover was predictable in that if the primary serial interface failed, the BRI would dial out to create a backup.
What happens in your case when the primary fails?
Can you elaborate a bit on the requirements and how you are meeting them?
Thanks for your time