
Cisco 1811 router dual Internet connections

bsallison
Level 1

Hello all!

Looking for a little bit of help, please.

Company has an 1811 router, running version 12.4(6)T7 IOS. We have 1 broadband Internet connection with static IP into FastEthernet0. I would like to add a different slower broadband IP DHCP type into FastEthernet1 for backup and redundancy purposes.

My goal is backup and redundancy, and to load balance outbound web browsing, if possible.

I have looked at Cisco doc #99427, but that is a slightly different config than I am working with and I can't quite follow where the doc is getting some of its parameters.

I can post my current config if someone is willing to help or has a similar working config that I can mirror with obvious IP changes.

Thanks. The recent ice storms in the Midwest have brought this to the forefront and I need to get this working.

Thank You

Brian

38 Replies

Correct syntax for adding the source-interface, please? I am currently determining the next up stream point to use as my test address.

Also, when the primary comes back online, what causes the router to switch back over to that connection for routing traffic?

1.

ip sla 1

icmp-echo 216.203.117.81 source-ipaddr x.x.x.x

frequency 5

ip sla schedule 1 life forever start-time now

2.

The SLA will ping the destination IP for an x interval. Once the destination IP replies, the track is up and reinstated.

Still have an issue. I unplug the cable from FE0 and try for several minutes but am never able to browse out over the backup connection. The backup connection is up and has a DHCP-assigned address. But traffic is not routing, I think.

I even unplug the backup connection from FE1 and plug directly into laptop. Laptop gets DHCP assigned address and is able to browse out, so I know circuit is working.

I must be missing something else.

Ideas....

> Backup connection is up and has DHCP assigned address. But traffic not routing, I think.

You can verify if routing is working or not by pinging the internet sourcing from that interface.

Example,

ping 4.2.2.1 source fastethernet1

Can you post the output from

show ip nat trans

show track

and

show ip interface brief | ex una

while the FE0 is down ?

Edison,

Sorry for the lengthy delay over the holiday season. I hope you are still watching this thread. I have done as you advised and have attached the output you asked for.

Still not working and when I do the testing, I have a tough time getting the router to see that FE0 is back online after test and getting traffic to route back to the primary.

Let's see your current config.

I believe the NAT timeout would help in this situation.

Attached is latest config, I highlighted the lines which I have added per the instructions in this thread.

The address I used in the ip sla icmp-echo I found by doing a tracert to several outside locations, it is a couple hops upstream from my modem, a public address, and it responds to ping command.

I think we're close. I need to get failover DSL to respond when primary is down AND for the primary to come back online seamlessly when it is restored.

Your config looks perfect and it's very similar to a config that I've deployed successfully in other environments.

You mentioned you have a hard time switching back to the primary ISP, so I have a couple of questions:

1) When the track is down, your users are able to access the internet via the DSL connection ?

2) When you want to return back to the primary ISP, is the track back up ?

1) No, cannot access the Internet over DSL.

2) So far, after manually taking FE0 down to test failover to FE1 (DSL), when I plug FE0 back in the route does not come back up. I either have to reboot the router, or remove the route-map and ip route commands that point to FE1.

Did you see the other suggestion posted on my issue? It had more to configure, including IP SLA 2. Any validity to this?

I'm not sure if your current running configuration is the same as you posted a couple of weeks ago but you should be able to see what is needed for this to work. You will have to implement the following configuration changes based on your last posting of the running config.

Please read the changes carefully as it contains a part that requires input from you (backup ISP device IP address to monitor).

Interesting items to point out so far:

1. Interface Fa1 seems to be administratively shutdown.

2. ip sla 2 is missing entirely from the config.

3. ip sla 1 doesn't specify source interface as Fa0.

4. There is no ACL on interface Fa1, which is going to be needed if it is used as the backup interface.

5. There are no NAT statements for when interface Fa1 is going to be used. You can use a DynDNS.org client to update a DNS name to make it easier for you to know what IP address the backup interface is using.

6. You mentioned load balancing outbound web traffic. You will have per-destination load balancing outbound if you have fast-switching enabled on the interfaces, which I think you already do have.

Give this a try and let us know the outcome.

!

access-list 102 permit udp any eq domain any

access-list 102 permit udp host 132.163.4.102 eq ntp any

access-list 102 permit tcp any any eq 1494

access-list 102 permit tcp any any eq 5367

access-list 102 permit tcp any any eq 5366

access-list 102 permit tcp any any eq 5365

access-list 102 permit tcp any any eq 5364

access-list 102 permit tcp any any eq 3389

access-list 102 permit tcp any any eq 5360

access-list 102 permit tcp any any eq 5361

access-list 102 permit tcp any any eq 5362

access-list 102 permit tcp any any eq 443

access-list 102 permit tcp any any eq www

access-list 102 permit tcp any any eq smtp

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any unreachable

!

interface FastEthernet1

ip access-group 102 in

no shutdown

!

no ip route 0.0.0.0 0.0.0.0 FastEthernet1 20

!

do clear ip nat trans force

no ip nat inside source list 1 interface FastEthernet0 overload

no ip nat inside source route-map backup-nat interface FastEthernet1 overload oer

no ip nat inside source route-map primary-nat interface FastEthernet0 overload oer

!

ip nat inside source static tcp 10.2.1.4 1494 interface FastEthernet1 1494 extendable

ip nat inside source static tcp 10.2.1.4 3389 interface FastEthernet1 3389 extendable

ip nat inside source static tcp 10.2.1.2 5360 interface FastEthernet1 5360 extendable

ip nat inside source static tcp 10.2.1.3 5361 interface FastEthernet1 5361 extendable

ip nat inside source static tcp 10.2.1.74 5364 interface FastEthernet1 5364 extendable

ip nat inside source static tcp 10.2.1.77 5365 interface FastEthernet1 5365 extendable

ip nat inside source static tcp 10.2.1.78 5366 interface FastEthernet1 5366 extendable

ip nat inside source static tcp 10.2.1.100 5367 interface FastEthernet1 5367 extendable

ip nat inside source static tcp 10.2.1.6 25 interface FastEthernet1 25 extendable

ip nat inside source static tcp 10.2.1.6 80 interface FastEthernet1 80 extendable

ip nat inside source static tcp 10.2.1.6 443 interface FastEthernet1 443 extendable

ip nat inside source static tcp 10.2.1.6 5362 interface FastEthernet1 5362 extendable

!

ip nat inside source list 1 interface FastEthernet1 overload

ip nat inside source list 1 interface FastEthernet0 overload

!

no track 123

!

no track 345

!

no ip sla 1

!

ip sla 1

icmp-echo 216.203.117.81 source-interface FastEthernet0

frequency 5

!

ip sla schedule 1 life forever start-time now

!

ip sla 2

! X.X.X.X needs to be an IP address on the backup ISP network

icmp-echo X.X.X.X source-interface FastEthernet1

frequency 5

!

ip sla schedule 2 life forever start-time now

!

track 123 rtr 1 reachability

delay down 10 up 5

!

track 345 rtr 2 reachability

delay down 10 up 5

!

no route-map primary-nat

!

no route-map backup-nat

!

I hope you are still watching this thread. I was pulled away to another project, unannounced. Anyway, I implemented all the changes you recommended and still NO connectivity to Internet through FE1 when FE0 is down. Addressing your concerns specifically:

1) FE1 is now up

2) Added the IP SLA 2 with a known upstream IP address to ping

3) Added source interface to IP SLA 1

4) Added ACL on interface FE1

5) Not clear on this & when I tried to add IP NAT INSIDE SOURCE statements, it errored out, possibly because I did not understand the syntax & use of DynDNS.org

6) How do I verify that fast-switching is enabled?

I have attached 2 configs, my last config BEFORE I added your recommended changes, and the AFTER config with your changes included.

When FE0 is down I still can not get out to Internet. I verified that FE0 is down by manually trying to ping 10.13.2.5 & another upstream host, FE0 definitely down. But while it was down I could not ping 209.181.206.195. That is the next upstream hop from the WAN interface on DSL modem (71.213.237.219). I could ping that WAN interface on DSL modem, but nothing beyond.

When I plug laptop directly into DSL modem, I am able to browse Internet, and successfully ping 209.181.206.195. So, I know that DSL circuit is working. But when that DSL circuit is plugged into Cisco 1811 router, and FE0 is down I get nothing.

It would seem to me that there needs to be some sort of IP ROUTE command identifying FE1 as a viable route to Internet, but you recommended I remove that. For that matter, for load-balancing to work when both FE0 & FE1 are up I would think the IP ROUTE command is needed?

I would truly appreciate if you could look over my configs and see what piece is still missing to make this fail-over DSL circuit work correctly.

THANK YOU

Sorry, I don't have the hardware nor time to recreate this environment. I'm afraid I've reached the end of the line here.

__

Edison.

Based on the current "after" running configuration these are the necessary commands to run to get the router working as you desire.

!

ip nat inside source static tcp 10.2.1.4 1494 interface FastEthernet1 1494 extendable

ip nat inside source static tcp 10.2.1.4 3389 interface FastEthernet1 3389 extendable

ip nat inside source static tcp 10.2.1.2 5360 interface FastEthernet1 5360 extendable

ip nat inside source static tcp 10.2.1.3 5361 interface FastEthernet1 5361 extendable

ip nat inside source static tcp 10.2.1.74 5364 interface FastEthernet1 5364 extendable

ip nat inside source static tcp 10.2.1.77 5365 interface FastEthernet1 5365 extendable

ip nat inside source static tcp 10.2.1.78 5366 interface FastEthernet1 5366 extendable

ip nat inside source static tcp 10.2.1.100 5367 interface FastEthernet1 5367 extendable

ip nat inside source static tcp 10.2.1.6 25 interface FastEthernet1 25 extendable

ip nat inside source static tcp 10.2.1.6 80 interface FastEthernet1 80 extendable

ip nat inside source static tcp 10.2.1.6 443 interface FastEthernet1 443 extendable

ip nat inside source static tcp 10.2.1.6 5362 interface FastEthernet1 5362 extendable

!

ip nat inside source list 1 interface FastEthernet1 overload

!

no ip route 0.0.0.0 0.0.0.0 216.203.117.81

!

ip route 0.0.0.0 0.0.0.0 216.203.117.81 254

!

Since FE1 is getting an IP address via DHCP the router will obtain a default route via the DHCP process. This default route will have an administrative distance of 254. If you remove the existing default route and reenter it with an administrative distance of 254 then you will end up with two default routes installed in the routing table. This will help you achieve load balancing outbound.

I am getting Invalid input at EXTENDABLE on the ip nat statements. It accepts the command up to that point.

Ideas?

run the attached commands please
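The failover design discussed in this thread, written out as an added example; it is not taken from any post or from the attached configurations. It assumes 216.203.117.81 is the directly connected primary gateway on FastEthernet0 and that access-list 1 matches the inside hosts, as the commands quoted above suggest, and it covers failover only, not load balancing.

```cisco
! Added example (constructed from the commands quoted in the thread).
! Assumption: the inside interface already carries "ip nat inside".
interface FastEthernet0
 ip nat outside
!
interface FastEthernet1
 ip address dhcp
 ip access-group 102 in
 ip nat outside
 no shutdown
!
! Probe the primary gateway out of the primary interface only.
! If the probe target is several hops upstream instead, pin it with a
! host route via the primary gateway so probes never use the backup link.
ip sla 1
 icmp-echo 216.203.117.81 source-interface FastEthernet0
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
 delay down 10 up 5
!
! The primary default route is installed only while track 123 is up.
! When it is withdrawn, the DHCP-learned default on FastEthernet1
! (administrative distance 254) becomes the best route. Once the probe
! has answered again for 5 seconds the tracked route is reinstalled and
! wins on distance, which is what moves traffic back to the primary.
ip route 0.0.0.0 0.0.0.0 216.203.117.81 track 123
!
! One NAT rule per exit interface; "match interface" selects the rule
! that belongs to the interface the packet is actually routed out of.
route-map primary-nat permit 10
 match ip address 1
 match interface FastEthernet0
!
route-map backup-nat permit 10
 match ip address 1
 match interface FastEthernet1
!
ip nat inside source route-map primary-nat interface FastEthernet0 overload
ip nat inside source route-map backup-nat interface FastEthernet1 overload
```

With FastEthernet0 unplugged, `show track` should report track 123 as down and `show ip route 0.0.0.0` should show the default route pointing out FastEthernet1.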
