11-11-2006 06:31 PM - edited 03-03-2019 02:40 PM
I'm trying to create a load-balanced/fail-over configuration for a customer using a single router. Since my customer can't get any routing information from the ISP and most likely will not have a down interface during an outage, I thought OER would be the ideal way to go. I'm having all kinds of difficulty with this.
My test lab has a DSL connection and a cable modem connection, both with dynamic IP addressing. I have a Cisco 2811 router with a 4-port 10/100 HWIC. The integrated FA ports are configured for the ISP connections. I've created a VLAN on the 4-port HWIC to communicate with my LAN. At this time I'm not convinced I have an OER problem; it looks more like a general routing issue. My first question is how I should create my default routes. If I create two 'ip route 0.0.0.0 0.0.0.0 fa0/x dhcp' routes, nothing works; I'll intermittently get a packet to go through. I thought this was a pretty normal configuration? I currently have the two default routes configured with different administrative distances. This allows me to get to the Internet, but fail-over doesn't happen during a brown-out; OER doesn't take over. Attached is my configuration. I've tried this with all OER configuration removed, still no luck.
My second question is, does anybody have a functional OER configuration they could share? Information on this is hard to come by. Any suggestions would be appreciated.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
!
key chain OER
key 1
key-string abcd1234
!
oer master
policy-rules OER
max-range-utilization percent 50
logging
!
border 1.1.1.1 key-chain OER
interface Vlan100 internal
interface FastEthernet0/0 external
interface FastEthernet0/1 external
!
learn
throughput
periodic-interval 1
monitor-period 2
prefixes 250
mode route control
mode select-exit best
!
oer border
local Loopback0
master 1.1.1.1 key-chain OER
username cisco privilege 15 secret xxx
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
description Ethernet to WAN ISP1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Ethernet to WAN ISP2
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
switchport access vlan 100
vlan-id dot1q 100
exit-vlan-config
!
!
interface FastEthernet0/0/1
switchport access vlan 100
!
interface FastEthernet0/0/2
switchport access vlan 100
!
interface FastEthernet0/0/3
switchport access vlan 100
!
interface Vlan1
no ip address
!
interface Vlan100
description LAN VLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 dhcp 11
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp 10
!
ip nat inside source route-map CHARTER interface FastEthernet0/0 overload
ip nat inside source route-map UTMI-DSL interface FastEthernet0/1 overload
!
!
ip prefix-list OER seq 10 permit 0.0.0.0/0
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
route-map CHARTER permit 10
match ip address 100
match interface FastEthernet0/0
!
route-map UTMI-DSL permit 10
match ip address 100
match interface FastEthernet0/1
!
!
!
oer-map OER 10
match ip address prefix-list OER
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
11-11-2006 09:19 PM
Try this;
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 dhcp 11
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp 10
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
I've only implemented OER once, but from what I recall you want equal-cost paths. I do believe it works with unequal-cost paths too, but just for testing's sake try this out and see if there is any difference. If the IP from the provider never changes even though it is DHCP, you could try pointing to that IP address in the static route; even just for testing it would be worth a shot. Depending on what type of connection you have from each provider, you may be better off using basic CEF load balancing.
11-12-2006 04:05 AM
Perhaps OER is overkill for this application?
You could try PBR with multiple tracking:
http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080457bcc.html
It is much simpler and would support a dual connection/NAT/backup scenario.
11-12-2006 05:04 AM
I was thinking about all this, and there may be implications depending on the order in which the inside interface processes PBR and NAT, something I'm not sure about.
So I would need to lab this out before saying for sure.
I hope to be able to do that after I'm back from a trip I'm taking now.
11-12-2006 05:16 AM
Okay. I've decided to simplify this. I removed all the OER configuration. All I have now are two Internet connections both set as default routes. Both interfaces are set to do NAT overloading. As before Internet access is extremely spotty and slow. I'm thinking about wiping my configuration and starting over but there just isn't that much in here. Please see current config. Thank you for your replies.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
username cisco privilege 15 secret 5 $1$
!
!
!
!
!
interface FastEthernet0/0
description Ethernet to WAN ISP1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Ethernet to WAN ISP2
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
switchport access vlan 100
vlan-id dot1q 100
exit-vlan-config
!
!
interface FastEthernet0/0/1
switchport access vlan 100
!
interface FastEthernet0/0/2
switchport access vlan 100
!
interface FastEthernet0/0/3
switchport access vlan 100
!
interface Vlan1
no ip address
!
interface Vlan100
description LAN VLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map CHARTER interface FastEthernet0/0 overload
ip nat inside source route-map UTMI-DSL interface FastEthernet0/1 overload
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
route-map CHARTER permit 10
match ip address 100
match interface FastEthernet0/0
!
route-map UTMI-DSL permit 10
match ip address 100
match interface FastEthernet0/1
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Osprey2811#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     68.0.0.0/32 is subnetted, 1 subnets
S       68.114.36.54 [254/0] via 66.227.208.1, FastEthernet0/0
C    192.168.10.0/24 is directly connected, Vlan100
     66.0.0.0/22 is subnetted, 1 subnets
C       66.227.208.0 is directly connected, FastEthernet0/0
     67.0.0.0/24 is subnetted, 1 subnets
C       67.59.46.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 is directly connected, FastEthernet0/0
                is directly connected, FastEthernet0/1
Osprey2811#
11-12-2006 05:27 AM
One more thing. I removed all my NAT configuration and performed ping tests from the router. The behavior is the same without NAT. The only way I can get reliable outbound access is to set unequal cost default routes or disabling one of the interfaces. Thanks.
11-12-2006 08:25 AM
Well, I opened up a case with Cisco. The engineer had me remove all default routes. Because the interfaces are on DHCP they automatically learn a default route, and these default routes end up in the routing table. Just like that, everything started working properly.
I'm still working on some OER related problems. Once I have it all done I'll post a final config.
11-12-2006 04:20 PM
Success!!! For anybody following in my footsteps, be aware of your testing procedures. My method of testing was to send several continuous pings from my PC to different locations on the Internet. This led me to believe I had a problem because some of the connections would drop and not come back up. The reason they wouldn't come back up was not that OER wasn't working, but that my continuous ping never allowed my dynamic NAT translation to clear out. The default timeout for a NAT translation is 60 seconds.
Thank you to everybody who helped on this.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
!
key chain OER
key 1
key-string OER-KEY-123
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3209123731
revocation-check none
rsakeypair TP-self-signed-xxx
!
!
crypto pki certificate chain TP-self-signed-3209123731
certificate self-signed 01 nvram:IOS-Self-Sig#3131.cer
oer master
policy-rules OER
max-range-utilization percent 50
logging
!
border 1.1.1.1 key-chain OER
interface Vlan100 internal
interface FastEthernet0/0 external
interface FastEthernet0/1 external
!
learn
throughput
periodic-interval 1
monitor-period 2
prefixes 250
mode route control
mode monitor active
!
active-probe echo 66.227.208.1
active-probe echo 67.59.46.1
!
oer border
local Loopback0
master 1.1.1.1 key-chain OER
username cisco privilege 15 secret 5 $1
!
!
!
!
!
interface Loopback0
ip address 1.1.x.x 255.255.255.255
!
interface FastEthernet0/0
description Ethernet to WAN ISP1
bandwidth 3072
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Ethernet to WAN ISP2
bandwidth 384
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
switchport access vlan 100
!
interface FastEthernet0/0/1
switchport access vlan 100
!
interface FastEthernet0/0/2
switchport access vlan 100
!
interface FastEthernet0/0/3
switchport access vlan 100
!
interface Vlan1
no ip address
!
interface Vlan100
description LAN VLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation icmp-timeout 15
ip nat inside source route-map CHARTER interface FastEthernet0/0 overload oer
ip nat inside source route-map UTMI-DSL interface FastEthernet0/1 overload oer
!
!
ip prefix-list OER seq 5 permit 0.0.0.0/0
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
route-map CHARTER permit 10
match ip address 100
match interface FastEthernet0/0
!
route-map UTMI-DSL permit 10
match ip address 100
match interface FastEthernet0/1
!
!
!
oer-map OER 10
match ip address prefix-list OER
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
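The testing pitfall in the post above (a continuous ping keeps the dynamic NAT translation alive, so the flow stays bound to the exit that went dark) can be reproduced without a router. The following Python is an added example, not code from the thread or from Cisco: it models a PAT table whose entries are refreshed by every matching packet and expire only after an idle timeout. The interface names, the inside host and the simple "first exit that still passes traffic" rule standing in for OER's exit selection are constructed for the example; the 60 s default and the 15 s `ip nat translation icmp-timeout` value are the ones mentioned in the thread.

```python
"""Simulation of dynamic NAT (PAT) translations pinning a flow to a dead exit.

Added example; it is not code from the original thread or from Cisco. It
models the testing pitfall described above: a translation is created on the
exit a flow first takes, each matching packet refreshes its idle timer, and
a never-ending ping therefore keeps the flow bound to an exit whose upstream
has gone dark (a brown-out: link up, traffic blackholed). The interface
names, the inside host and the exit-selection rule are constructed for the
example; the 60 s default and the 15 s icmp-timeout come from the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

Flow = Tuple[str, int]  # (inside address, ICMP identifier); constructed


@dataclass
class Translation:
    exit_if: str      # outside interface whose address the flow was translated to
    last_seen: float  # timestamp of the last packet that hit this translation


@dataclass
class DualIspRouter:
    # exit interface -> True if traffic through it currently reaches the Internet
    reachable: Dict[str, bool]
    icmp_timeout: float = 60.0          # IOS default 'ip nat translation icmp-timeout'
    table: Dict[Flow, Translation] = field(default_factory=dict)

    def best_exit(self) -> str:
        """Stand-in for OER's exit choice: first exit, in order, that still passes traffic."""
        for name, ok in self.reachable.items():
            if ok:
                return name
        raise RuntimeError("no usable exit")

    def expire(self, now: float) -> None:
        """Drop translations idle for at least icmp_timeout seconds."""
        stale = [f for f, t in self.table.items() if now - t.last_seen >= self.icmp_timeout]
        for f in stale:
            del self.table[f]

    def send(self, flow: Flow, now: float) -> Optional[str]:
        """Forward one packet; return the exit used, or None if it is lost."""
        self.expire(now)
        t = self.table.get(flow)
        if t is None:
            # New flow: translate it on the exit that is best right now.
            t = Translation(self.best_exit(), now)
            self.table[flow] = t
        else:
            # Existing translation: the hit refreshes the idle timer whether or
            # not the exit still works. This is what pins the flow.
            t.last_seen = now
        return t.exit_if if self.reachable[t.exit_if] else None


def simulate(ping_times: Iterable[float], icmp_timeout: float,
             fail_at: float, failed_exit: str = "FastEthernet0/0") -> List[Optional[str]]:
    """Run one ping flow through the router; ISP1 blackholes at fail_at.

    Returns the exit used for each ping (None = the reply never comes back).
    """
    router = DualIspRouter(
        reachable={"FastEthernet0/0": True, "FastEthernet0/1": True},
        icmp_timeout=icmp_timeout,
    )
    flow: Flow = ("192.168.10.50", 1)  # constructed inside host
    results: List[Optional[str]] = []
    for now in ping_times:
        if now >= fail_at:
            router.reachable[failed_exit] = False
        results.append(router.send(flow, now))
    return results


def continuous_ping_never_recovers() -> bool:
    """ping -t style: one packet per second for two minutes, ISP1 dies at t=10.
    The translation is refreshed every second, so it never expires and every
    packet after the failure is lost, even with the shorter 15 s timeout."""
    out = simulate(range(120), icmp_timeout=15.0, fail_at=10.0)
    return all(x is None for x in out[10:])


def paused_ping_recovers() -> bool:
    """Same failure, but the tester stops pinging for longer than the timeout.
    The stale translation expires and the next packet is translated on ISP2."""
    times = list(range(10)) + list(range(30, 40))  # 20 s gap > 15 s timeout
    out = simulate(times, icmp_timeout=15.0, fail_at=10.0)
    return out[9] == "FastEthernet0/0" and out[10] == "FastEthernet0/1"


if __name__ == "__main__":
    print("continuous ping stays pinned:", continuous_ping_never_recovers())
    print("paused ping fails over:      ", paused_ping_recovers())
```

Run with the same 20 s pause but the 60 s default timeout and the flow is still pinned when pinging resumes, which is why shortening the ICMP timeout matters for a ping-based failover test; what it cannot do is help a ping that never stops.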
06-03-2008 05:27 PM
What is the function of the IP prefix list?
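As an added illustration for that question (not code from the thread or from Cisco), the Python below implements IOS prefix-list matching semantics and applies them to the `ip prefix-list OER seq 5 permit 0.0.0.0/0` line from the final config, alongside two constructed variants showing what `ge` and `le` change. It models only what the list itself permits or denies; how OER feeds learned prefixes to that match is not part of the example.

```python
"""IOS-style prefix-list matching, as an added example (not from the thread
or from Cisco). It shows what 'ip prefix-list OER seq 5 permit 0.0.0.0/0'
from the final config actually matches, and how 'ge'/'le' change that. Which
prefixes OER feeds to such a match is not modelled here; only the list's own
semantics are. The ANY and LAN lists and the sample prefixes are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, cand: ipaddress.IPv4Network) -> bool:
        base = self.prefix.prefixlen
        # The candidate's first `base` bits must equal the entry's prefix...
        if not cand.subnet_of(self.prefix):
            return False
        # ...and its length must fall in the allowed window:
        #   no ge/le -> exactly `base`; ge only -> ge..32; le only -> base..le
        if self.ge is None and self.le is None:
            lo = hi = base
        else:
            lo = self.ge if self.ge is not None else base
            hi = self.le if self.le is not None else 32
        return lo <= cand.prefixlen <= hi


def parse_prefix_lists(config: str) -> Dict[str, List[Entry]]:
    """Pick prefix-list lines out of a config and group them by list name."""
    lists: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a prefix-list line; ignore the rest of the config
        name, seq, action, pfx, ge, le = m.groups()
        lists.setdefault(name, []).append(Entry(
            int(seq), action, ipaddress.IPv4Network(pfx, strict=False),
            int(ge) if ge else None, int(le) if le else None))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)  # evaluated in sequence order
    return lists


def evaluate(entries: List[Entry], prefix: str) -> Tuple[bool, Optional[int]]:
    """First matching entry wins; no match is the implicit deny (seq None)."""
    cand = ipaddress.IPv4Network(prefix, strict=False)
    for e in entries:
        if e.matches(cand):
            return e.action == "permit", e.seq
    return False, None


# The OER line is from the thread's final config; ANY and LAN are constructed.
CONFIG = """
ip prefix-list OER seq 5 permit 0.0.0.0/0
ip prefix-list ANY seq 5 permit 0.0.0.0/0 le 32
ip prefix-list LAN seq 5 deny 10.0.0.0/8
ip prefix-list LAN seq 10 permit 0.0.0.0/0 ge 24
"""


def demo() -> Dict[str, Dict[str, bool]]:
    """Verdict of each list for a few constructed candidate prefixes."""
    lists = parse_prefix_lists(CONFIG)
    samples = ["0.0.0.0/0", "10.0.0.0/8", "10.1.1.0/24", "192.168.10.0/24"]
    return {name: {p: evaluate(entries, p)[0] for p in samples}
            for name, entries in lists.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Two points the output makes: `permit 0.0.0.0/0` on its own matches only the default route itself (it is an exact match on both bits and length, and `le 32` is what turns it into "any prefix"), and `deny 10.0.0.0/8` without `le` does not catch 10.1.1.0/24, which then falls through to the later permit.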