2911 and 2 ISP

shimabuku
Level 1

I currently have 2 ISPs and have one configured on the 2911 on a subinterface. Both ISPs are providing me with a static IP. I am not quite sure how to tackle the 2nd ISP on the 2911. Should I just create another subinterface on the 2911? What about NAT for the 2nd ISP? I also wanted to utilize HSRP for failover capabilities; can this be accomplished on subinterfaces? I have attached a small diagram and some of the output from my 2911 and C2970.

CISCO2911/K9

interface GigabitEthernet0/2.5
 description <== ISP 1 ==>
 encapsulation dot1Q 5
 ip address 74.202.xxx.xxx 255.255.255.248
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
end
!
interface GigabitEthernet0/2.10
 description <== Server ==>
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.128
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/2.15
 description <== VMWare MGMT ==>
 encapsulation dot1Q 15
 ip address 10.130.15.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/2.50
 description <== VLAN50 - USER LAN - ==>
 encapsulation dot1Q 50
 ip address 10.130.50.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/2.52
 description <== VLAN52 - USER LAN - ==>
 encapsulation dot1Q 52
 ip address 10.130.52.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
ip nat inside source list 100 interface GigabitEthernet0/2.5 overload
!
access-list 100 remark ########## NAT Overload ############
access-list 100 permit ip 10.0.10.0 0.0.0.127 any
access-list 100 permit ip 10.0.100.0 0.0.1.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.99.0 0.0.0.255 any
access-list 100 permit ip 10.1.20.0 0.0.0.255 any
access-list 100 permit ip 10.100.10.0 0.0.0.127 any
access-list 100 permit ip 10.130.10.0 0.0.0.63 any
access-list 100 permit ip 10.130.10.64 0.0.0.63 any
access-list 100 permit ip 10.130.15.0 0.0.0.255 any
access-list 100 permit ip 10.130.50.0 0.0.0.255 any
access-list 100 permit ip 10.130.52.0 0.0.0.255 any
access-list 100 permit ip 10.130.53.0 0.0.0.255 any
access-list 100 permit ip 10.130.55.0 0.0.0.255 any
access-list 100 permit ip 10.130.100.0 0.0.0.255 any
access-list 100 permit ip 74.202.xxx.xxx 0.0.0.7 any
access-list 100 permit ip 172.16.105.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 192.168.35.0 0.0.0.255 any
access-list 100 permit ip 192.168.55.0 0.0.0.255 any
access-list 100 permit ip 192.168.199.0 0.0.0.255 any
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq 943
access-list 100 permit udp any any eq 1194
access-list 100 permit udp any any eq 3435
access-list 100 permit tcp any any eq 56121
access-list 100 permit udp any any eq 56121
access-list 100 permit tcp any host 74.202.xxx.xxx eq 3389
access-list 100 remark ########## END NAT Overload ##########
!

WS-C2970G-24TS-E

interface GigabitEthernet0/22
 description <== Connection to ISP 2 ==>
 switchport access vlan 4
!
interface GigabitEthernet0/23
 description <== Connection to ISP 1 ==>
 switchport access vlan 5
!
interface GigabitEthernet0/24
 description <== Connection to CISCO2911/K9 ==>
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-1005
 switchport mode trunk
 speed 1000
 duplex full
!

5 Replies

Reza Sharifi
Hall of Fame

If you have 2 ISPs, each one will hand off a connection to you and so you need to put each one on a different interface.

For example: ISP-1 will connect to port 0/0 and ISP-2 will connect to port 0/1. It depends on your ISP, but you don't usually need any sub-interfaces.

As for static IP, you need to assign those to the interfaces that connect to both ISPs (0/0 and 0/1) and then configure the router to NAT for you.

Also, you can't configure HSRP, because you have only one router. You need a minimum of 2 routers to do HSRP or VRRP.

HTH

ALIAOF_
Level 6

You don't have any more interfaces on your router? I see that you are using sub-interfaces for your WAN as well as LAN together. Usually a general practice is what Reza mentioned above, for instance:

gi0/0 = ISP 1

gi0/1 = ISP 2

gi0/2 = LAN (sub interfaces if needed)

Next you create the appropriate NAT, routing and ACLs. Are you planning on using the second ISP as a backup? You can accomplish something like that with IP SLA, tracking and metric.

The diagram in the original post clearly shows a 2911 router with 3 Gig Ether interfaces, of which only 1 is being used. I agree with the other posts that I do not understand the use of trunking and subinterfaces on the 2911 when interfaces are available. Using interfaces for each ISP and for the LAN would be simpler and reduce the chances for errors. But it should work either way if the original poster is careful.

Regardless of whether the choice is to use physical interfaces or to use subinterfaces/trunking, there are several issues that should be addressed.

- I agree with Reza that HSRP is not feasible when there is only a single router.

- the original post does not supply any information about routing. So it is difficult to say what changes will be needed when a second ISP is added. Running a dynamic routing protocol with one or both ISPs is one alternative to consider. Configuring two equal cost static default routes to achieve load sharing is an alternative to consider. Configuring a primary default route and a backup default route is an alternative to consider.

- Changes will be needed in NAT. When there are 2 connections to ISPs, the usual solution is to configure the address translation using route maps rather than with just access lists, as is common for a single ISP. In the route map you would have a match statement that matches one of the interfaces and a second match statement that matches an access list to identify the traffic. This allows you to separate the translations for each interface.

HTH

Rick

shimabuku
Level 1

Thanks guys for the replies. My current employer stuck me in a Network Admin position because our current one quit.

Yes, the two ISP connections connect directly to the 2970. Then, there are two subinterfaces on the 2911 for the two ISPs. I would like to move both ISP connections directly to the 2911 and use IP SLA. Would it matter on which subinterfaces my user VLANs reside? For example, if ISP1 is on G0/0 and ISP2 is on G0/1, user VLAN 50 is on G0/0.50 and user VLAN 52 is on G0/1.52. Would this affect anything?

ALIAOF_
Level 6

If you are going to move interfaces around like that, then you might as well make everything easy and simple for yourself. Like:

Gi0/0 = ISP1
Gi0/1 = ISP2
Gi0/2 = User VLANs


Sent from Cisco Technical Support Android App
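The two suggestions in this thread (Rick's route-map NAT, one map per ISP interface, and ALIAOF_'s IP SLA plus tracking for failover) fit together into one configuration. The following is an added example, not config from any poster here, written for the layout the thread converges on: Gi0/0 = ISP1 (primary), Gi0/1 = ISP2 (backup), Gi0/2 subinterfaces = user VLANs. Every address in it is an assumption taken from the RFC 5737 documentation ranges; the route-map, track, EEM applet and ACL names are likewise chosen for the example.

```cisco
! Added example, not from any poster in this thread.
! Assumed addressing (RFC 5737 documentation space, replace with the real ISP handoffs):
!   ISP1 hands off 203.0.113.8/29, gateway .9, router .10
!   ISP2 hands off 198.51.100.8/29, gateway .9, router .10
!
interface GigabitEthernet0/0
 description ISP1 (primary)
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 description ISP2 (backup)
 ip address 198.51.100.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/2.50
 description VLAN50 - USER LAN
 encapsulation dot1Q 50
 ip address 10.130.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! Probe ISP1's gateway. source-interface pins the probe to the ISP1 link so that
! after a failover the echo cannot go out and come back via ISP2 and hide the outage.
ip sla 1
 icmp-echo 203.0.113.9 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! The tracked object dampens flapping: down after 15 s of failed probes, up after 30 s of good ones.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! The primary default route is withdrawn when track 1 goes down and the
! floating static (administrative distance 10) takes over.
ip route 0.0.0.0 0.0.0.0 203.0.113.9 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.9 10
!
! The NAT ACL lists only the inside networks that may be translated; it contains
! no "any any" entries, so nothing outside those subnets is ever translated.
ip access-list extended INSIDE-NETS
 permit ip 10.130.50.0 0.0.0.255 any
 permit ip 10.130.52.0 0.0.0.255 any
!
! One route map per ISP: the interface match binds each translation to the
! exit interface actually chosen by routing, so the right public address is used.
route-map NAT-ISP1 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/0
!
route-map NAT-ISP2 permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/1
!
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/1 overload
!
! Translations built toward ISP1 are not rebuilt by themselves when the route
! changes; flush the table on each track state change so flows re-NAT via the
! interface that is now in use.
event manager applet NAT-FLUSH-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
!
event manager applet NAT-FLUSH-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

To verify after applying it, watch `show track 1` and `show ip sla statistics 1` while the ISP1 link is unplugged, confirm with `show ip route 0.0.0.0` that the default route moves to 198.51.100.9, and check `show ip nat translations` to see new entries using the ISP2 address. Probing the directly connected gateway only detects a dead link or gateway; if the ISP's upstream is what fails, probe a host beyond the ISP instead, and add a static host route for that probe target via ISP1 so the probe itself cannot leak out over ISP2.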
