Solved: Config help plse - dual WAN on 1811.

neilmac · ‎08-27-2010

Hi, I have a

1811 router with one connection to the internet. This connection is going to be tu

rned off for a while, so I would like to set up another interface as a fall back for when it does.

The second WAN connection will be DHCP connected via ethernet.

I have to confiure this remotely prior to changeover, and I am paranoid about locking myself out of the router if I make a wrong turn.

I would like to ask if anyone can help me so that the primary WAN (the one in there now) is always used, and when it goes down, the secondary one will route traffic to the internet.

I am sure it's a simple config to add a second WAN port, all help gratefully received.

NM

Here is current config, some identifying details have been masked.

router.1811#show run
Building configuration...

Current configuration : 5505 bytes
!
! Last configuration change at 09:18:51 UTC Fri Aug 27 2010 by xxxxx
! NVRAM config last updated at 12:29:28 UTC Fri Oct 30 2009 by xxxxx
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router.1811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip name-server 216.7.159.195
ip name-server 216.7.159.133
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2663121659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2663121659
revocation-check none
rsakeypair TP-self-signed-2663121659
!
!
crypto pki certificate chain TP-self-signed-2663121659
certificate self-signed 01
30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363633 31323136 3539301E 170D3039 31303239 30373333
34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36363331
32313635 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C737 EB0584C5 AA2ADD1F 90B3586B 873DF4EE 1FA55B68 202F08E2 BFF052A8
056D6BC7 5FECDCC1 4570C547 EFA239FA 4D0816F8 E00AAEBE 36038FEB 0CD6978C
9A6305E5 1518BC21 AE2259D4 01D784DF 58C63DC7 49A70B66 9A6C4396 B8FE1F6C
D00ED195 5D6F62DE 99714942 69EB6286 17E8D19E AB95ED39 316971A0 37E05088
A23B0203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
551D1104 12301082 0E63322E 726F7574 65722E31 38313130 1F060355 1D230418
30168014 6B11EFF2 E7635566 19AC68F9 431C274C 84CEF1D0 301D0603 551D0E04
1604146B 11EFF2E7 63556619 AC68F943 1C274C84 CEF1D030 0D06092A 864886F7
0D010104 05000381 81008F34 15ED6E3B 329073CF CA64939F FC0EADDF E1034B8D
3231D662 9132BBD4 B3E577F3 5270A020 7E180030 BA54582B 38CD6E03 C22D67B1
A279E24E 8E250061 C5FEF223 CB8C2432 4ED46E6B 9072DBDC 5E2187A9 899FB6C0
6016586F 940A4760 6E34E55E 48A9998B F5FCD8A3 6772123B C39F32FA 86D0AFFE
638EB9AA AAEF6F57 AA38
quit
username xxxx privilege 15 secret 5 xxxx
!
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.7.xxx.xx 255.255.255.252
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport mode trunk
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
ip address 192.168.8.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 192.168.3.0 255.255.255.0 192.168.8.1
ip route 192.168.4.0 255.255.255.0 192.168.8.1
ip route 192.168.5.0 255.255.255.0 192.168.8.1
ip route 192.168.6.0 255.255.255.0 192.168.8.2
ip route 192.168.7.0 255.255.255.0 192.168.8.1
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.8.2 5045 interface FastEthernet0 5045
ip nat inside source static tcp 192.168.8.2 4125 interface FastEthernet0 4125
ip nat inside source static tcp 192.168.8.2 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.8.2 3085 interface FastEthernet0 3085
ip nat inside source static tcp 192.168.8.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.8.11 22 interface FastEthernet0 22
ip nat inside source static tcp 192.168.8.11 57 interface FastEthernet0 57
ip nat inside source static tcp 192.168.8.11 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.8.11 3660 interface FastEthernet0 3660
ip nat inside source static tcp 192.168.8.11 3663 interface FastEthernet0 3663
ip nat inside source static tcp 192.168.8.11 4665 interface FastEthernet0 4665
ip nat inside source static tcp 192.168.8.11 3000 interface FastEthernet0 3000
ip nat inside source static tcp 192.168.8.11 4000 interface FastEthernet0 4000
!
access-list 1 permit any
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
ntp clock-period 17180445
ntp server 192.168.8.2 key 0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

router.1811#

Richard Burts · ‎09-26-2010

NM

The biggest problem that I see in the most recent config is that while you have added the translate statements that use route maps you have left the original translate statement in place which will translate everythig to the address of FastEthernet0. Try removing this statement from the config and let us know what happens

ip nat inside source list 1 interface FastEthernet0 overload

I would also note that access list 1 is a bit different from what I suggested that it be

access-list 1 permit any
access-list 1 permit 192.168.8.0 0.0.0.255

I am not sure that it is a big deal but I would suggest that you change the access list to remove the permit any.

HTH

Rick

HTH

Rick

View solution in original post

Giuseppe Larosa · ‎08-27-2010

Hello Neil,

you need a floating default static route using second wan like

ip route 0.0.0.0 0.0.0.0 wan2 201

and you need a NAT configuration that uses route-maps to check what is the current exit interface of traffic in order to perform a correct NAT translation

see

https://supportforums.cisco.com/thread/2039029?tstart=0

Hope to help

Giuseppe

Richard Burts · ‎08-27-2010

The response by Giuseppe is a good start and correctly addresses the need for a floating static route and the need to perform address translation on the second/backup interface. I have a couple of things to add to his suggestions.

- it should be pretty obvious that you need to configure the second Fastethernet to use DHCP to obtain its IP address.

- the syntax that Giuseppe suggests for the floating static route works fine if you know the next hop address (the provider device that you are connecting to). With DHCP sometimes you do know that address and sometimes you do not. If you do not know the next hop address then there is an optional parameter on the static route that I have seen used that uses information from DHCP to construct the static default route.

- the floating static route works well if the primary route is removed from the routing table. We do not know anything about your primary connection on Fastethernet0 and do not know exactly what you mean about it will be turned off. So it is hard to know whether the primary static default route will be removed from the routing table. If Fastethernet0 goes to protocol down state then the static default route should be removed from the routing table. But if turning off is just stopping the provider from responding to you then it might leave the interface in the protocol up state. And in that case the original static default route would still be in the routing table and the backup floating static route would not work. In this case you may need to configure IP SLA to track the primary provider connection and to remove the primary static default route when the primary provider is not accessible.

Also if you are worried that you might lock yourself out while making the config changes I would suggest that you schedule a reload before you start your changes. That means that if you do lock yourself out that the router will reboot, come back without your changes and allow you access again. The process might look something like this:

! first make sure that the current config is saved

copy running startup

! then schedule a reload to occur in 45 minutes (or however long you think it might take)

reload in 45

! respond to the prompt to confirm the reload

! then begin your config changes

config t

end

! if things are working then you need to cancel the reload

reload cancel

HTH

Rick

HTH

Rick

neilmac · ‎09-07-2010

Thanks for the help.

I haven't had time to look into this so I am going to go for an easy way out, and that's to set WAN1 to DHCP and swap cables.

However, I am stuck with this default route:

ip route 0.0.0.0 0.0.0.0 216.7.149.33

So this will clearly change.

Please would you tell me how to make this dynamic (floating ?)

Many thanks,

NM

neilmac · ‎09-19-2010

I am sorry to bump this thread up again !

I am still looking for any advice or help that will allow me to fall over from fa0 to fa1 automatically.

Fa1 is going to pick up dhcp and then I will cut the device on fa0, the aim is to have the internet flowing then via fa1.

The problems I have are the default route, ip route 0.0.0.0 0.0.0.0 216.7.149.33, I can't work out how to make this a floating default route that works.

I have been playing with the config, but can't get anything to work.

I would like to ask if anyone would give me the steps needed to achieve this, on the face of it it looks like it should be easy.

Many thanks in advance for any help.

NM

Richard Burts · ‎09-21-2010

NM

I believe that the feature that will help you is sometimes called Reliable Static Routing Using Object Tracking. I believe that this link has helpful information that should help to get you started

http://www.cisco.com/en/US/partner/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

HTH

Rick

HTH

Rick

mrmoothe · ‎09-22-2010

Hi NM,

Let me give you my two cents....

Do the following steps and check after every step:

1. Check whether the secondary link is working as expected

Plug in your secondary provider in Fa1 and under the interface give the command 'ip address dhcp'

Run 'show ip interface brief'

Check whether now fa1 has any ip address associated to it.

If you can see an ip address on the interface. See if you can ping this address from the outside.

Note down this ip address.

2. If step 1 succeeds continue to 2..

Let us create now a static route that is less preferable than say the one through Fa0. This is called a floating static route.

You can do this using

ip route 0.0.0.0 0.0.0.0 interface fa1 100

The above command would create a static route through the secondary ISP and make it come into play only if the path through fa0 is down.

3. Before you do this make sure you do what one of the earlier answers quoted...

under config mode - run timed reload command , just in case something gets messed up.

reload in 20

Now, go ahead and shut down the interface fa0. Check whether you can now reach the router using the ip address on fa1 which you now know because you had noted it down earlier.

If you can telnet to the router using the ip address of fa1... then our failover was successful!

Lets do steps 1,2 &3 and check how it goes...

Once you have the three working.... do a no shut on interface fa0 to revert things back to the way it was.

Please let me know once you have achieved the above and then we can start working on NAT.

Cheers,

Manas

Richard Burts · ‎09-22-2010

NM

I like most of the suggestions from Manas and how he presents them (and I certainly agree that going through things step by step is good). But I disagree with his suggestion of how to configure the floating static default route. His suggestion was:

ip route 0.0.0.0 0.0.0.0 interface fa1 100

I would advocate that you not point the static default route at interface FastEthernet1. If you do this then part of the result is that the router must ARP for every destination to which it forwards a packet. There are a number of implications of doing this:

- this depends on whether the ISP router has enabled proxy arp. If proxy arp is enabled then your floating static default route will work. But if proxy arp is not enabled then your floating static route will not be able to forward any packets.

- the ARP table will grow large and consume more memory.

- the router will consume more CPU cycles in maintaining the large ARP table and in searching the ARP table.

- since IOS refreshes entries in the ARP table every 4 hours the resources required to put an address in the ARP table is not a one time thing but will be done over and over every 4 hours - for every entry in the ARP table.

- it will increase the amount of traffic on the link to the ISP since every 4 hours the router will send an ARP request and will receive an ARP response and do this for every entry in the ARP table.

I have 2 suggestions about how to configure the floating static default route.

- if you know the address of the ISP router then put that address into the floating static default route

ip route 0.0.0.0 0.0.0.0 A.B.C.D 100

- if you do not know the address of the ISP router then configure the floating static default route like this

ip route 0.0.0.0 0.0.0.0 dhcp 100

HTH

Rick

HTH

Rick

neilmac · ‎09-22-2010

Thanks to you both for this really excellent help and advice.

I will be going to the site on Friday for a couple of hours to try to get this implemented.

I will let you know how it goes.

Of course, if you have any more thoughts between now and then please keep them coming.

Many thanks again,

NM

mrmoothe · ‎09-22-2010

I completely agree with Richard on that note about implication of simply using the interface... my bad there...

Niel... what you can do to avoid it in the process get the best of both worlds is to use the following....

ip route 0.0.0.0 0.0.0.0 fa1 dhcp 100

What the above will do is it will create the default route out fastethernet 1 but get the next hop using DHCP.

I have tried the above on a enterprise services image running 12.4(24)T1.

I hope this helps...

We'll wait for your update when you can try this out.

Cheers,

neilmac · ‎09-23-2010

OK, this is starting to really promising now !

Just to clarify, this entry for default route, it's an additional entry ?

So I would have:

ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 0.0.0.0 0.0.0.0 fa1 dhcp 100

Is that right ?

NM

Richard Burts · ‎09-23-2010

NM

Yes the floating static default route is a second statement.

HTH

Rick

HTH

Rick

sumitava123 · ‎09-23-2010

Hi ,

I think with this config the failover wont work. We need to add track for the primary link default route.

Sumit

mrmoothe · ‎09-23-2010

Yep that's bang on target...

So you'll be on site later during the weeked looking at this issue?

Let me know how this goes...

Cheers,

Manas

sumitava123 · ‎09-23-2010

Hi ,

I think only floating static route will not help for failover. We need to add track with the primary default route.

Sumit