failover on 2811 with 2 ISPs
  • failover on 2811 with 2 ISPs

    Hi,

    I have a Cisco 2811 router with 2 WAN Ethernet ports and 4 LAN Ethernet ports and 2 internet connections (1 is an FTTC (VDSL) connection, so I configured a PPPoE dialer, and 2 is a Virgin Media connection to the VM router, so it's a simple Ethernet connection with a static public IP address); both connections work fine.

    I configured the local network with NAT on the FTTC connection (tried it on VM as well) and that works fine as well.

    What I am trying to achieve is to use the wan1 (FTTC) connection by default for NAT and, if it goes down, switch to wan2 automatically.

    Ideally I would need part of the local network to NAT to wan1 and, if wan1 goes down, fail over to wan2, and the other part of the local network to NAT to wan2 and, if wan2 goes down, fail over to wan1.

    Router details: Version 12.4(13r)T

    Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)

    System image file is "flash:c2800nm-advipservicesk9-mz.124-12.bin"

    I configured the router as in the example below, using route maps and the track command, and the issue is that when the dialer (wan1 FTTC connection) goes down it switches over to wan2 and doesn't go back to wan1 (dialer); it just doesn't dial the FTTC connection.

    This is my config:
    ----------------------------------------------------------------------------------
    interface FastEthernet0/0
     description FTTC
     no ip address
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    interface FastEthernet0/1
     description $ETH-WAN$
     ip address 94.174.*** 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface Dialer1
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     load-interval 30
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname ***********@itp.4adsl.net
     ppp chap password 0 *****
     ppp ipcp dns request
    !
    route-map VIRGIN permit 10
     match ip address 1
     match interface fast 0/1
     exit
    !
    route-map ENTA permit 10
     match ip address 1
     match interface Dialer1
     exit
    !
    ip nat inside source route-map VIRGIN interface FastEthernet 0/1 overload
    ip nat inside source route-map ENTA interface Dialer1 overload
    !
    ip sla 100
     icmp-echo 4.2.2.2 source-interface Fastethernet0
     timeout 500
     frequency 3
    !
    track 100 rtr 100 reachability
     delay down 10 up 20
    !
    ip route 0.0.0.0 0.0.0.0 Dialer1 track 100
    ip route 0.0.0.0 0.0.0.0 FastEthernet 0/1 94.174.**** 10
    -----------------------------------------

    Any input would be appreciated

    Thanks

  • #2
    Re: failover on 2811 with 2 ISPs

    The source interface for the SLA should be Dialer1, not fa0. Also, I don't see where you started the IP SLA. Also, watch your timeout: if this is pinging an Internet-based host, any congestion may cause the SLA to fail even though the host is reachable.


    ip sla schedule 100 life forever start-time now


    Some good show commands:

    show ip sla statistics

    show ip sla configuration

    show track
    Last edited by auglan; 2nd July 2012, 15:55.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: failover on 2811 with 2 ISPs

      Originally posted by auglan:
      The source interface for the SLA should be Dialer1, not fa0. Also, I don't see where you started the IP SLA. Also, watch your timeout: if this is pinging an Internet-based host, any congestion may cause the SLA to fail even though the host is reachable.


      ip sla schedule 100 life forever start-time now


      Some good show commands:

      show ip sla statistics

      show ip sla configuration

      show track
      Thanks for your reply, Auglan.
      I don't have the "ip sla" command on my router, but I have "ip sla monitor schedule 100 life forever start-time now", which was on the router; I just missed it when copying/pasting it in here.
      I have done some troubleshooting and found that it does fail over if I do "shutdown" on the default-route interface, but when I do "no shut", routing doesn't go back to the default interface because ping from that interface still doesn't work.
      It looks like ping only works via the active default route, and that's why "ip sla" doesn't switch it back.



      • #4
        Re: failover on 2811 with 2 ISPs

        Try changing the default route to point to the next hop instead of the outgoing interface. Also, can you post a show ip route?

        When the dialer interface comes back up, is it getting an IP from the ISP? Is the dialer interface line protocol showing as down? The tracked object is looking for the line protocol on the dialer interface to be up, which in turn would bring the default route back into the routing table with the lower metric. I would try changing to the next hop instead of the outgoing interface to see if it works like that.
        Last edited by auglan; 3rd July 2012, 12:04.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: failover on 2811 with 2 ISPs

          Just wanted to add why you should use the numeric next hop instead of the outgoing interface. When you specify the outgoing interface with a static route, your router ARPs for every destination found through the default route, as your router considers these destinations directly connected. It also relies on proxy ARP being enabled on the upstream router. If you look at your ARP cache you will see an ARP entry for every destination through the default route, but the corresponding layer 2 address (MAC address) will be the same for every ARP entry (the upstream router's MAC address doing proxy ARP). This can result in a very large ARP cache and unnecessary broadcast traffic, and sometimes high processor and memory usage. The only time you should point a static route to an outgoing interface is on point-to-point links (P2P serial connections, either PPP or HDLC, or point-to-point Frame Relay).
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)



          • #6
            Re: failover on 2811 with 2 ISPs

            Thanks for your replies, Auglan.
            I made it a bit simpler this time: no dialers, just 2 WAN interfaces with static IP addresses.
            I set the routes with next-hop addresses only, no interfaces, and am still having the same issue: once I shut int f0/0 (the default one) it fails over to f0/1, but when I "no shut" int f0/0, the default route never goes back to f0/0.
            Here is my current config and show ip route after shut and no shut on int f0/0.
            -------------------------------------

            Router#show run
            Building configuration...

            Current configuration : 4674 bytes
            !
            version 12.4
            service timestamps debug datetime msec
            service timestamps log datetime msec
            no service password-encryption
            !
            hostname Router
            !
            boot-start-marker
            boot-end-marker
            !
            enable secret 5 $1$08EB$q*******ANj1g5hx5lKb.
            !
            aaa new-model
            !
            !
            aaa authentication login default local
            aaa authentication login VPN_USERS local
            aaa authentication ppp default local
            aaa authorization exec default local
            aaa authorization network VPNCLIENTS local
            !
            aaa session-id common
            !
            !
            ip cef
            !
            !
            ip domain name itpartnership
            ip sla monitor 100
            type echo protocol ipIcmpEcho 4.2.2.2 source-interface FastEthernet0/0
            timeout 500
            frequency 3
            ip sla monitor schedule 100 life forever start-time now
            vpdn enable
            !
            !
            !
            voice-card 0
            no dspfarm
            !
            !
            !
            !
            !
            !
            !
            !
            !
            !
            !
            !
            !
            !
            username ******* privilege 15 password 0 *******
            username ******* password 0 *******
            !
            !
            track 100 rtr 100 reachability
            delay down 10 up 20
            !
            !
            crypto isakmp policy 100
            encr aes
            authentication pre-share
            group 2
            crypto isakmp keepalive 20
            crypto isakmp xauth timeout 20

            !
            crypto isakmp client configuration group VPNCLIENTS
            key *******
            dns 10.1.1.5
            domain itpartnership.local
            pool VPNPOOL
            !
            !
            crypto ipsec transform-set VPNCLTRSET esp-3des esp-sha-hmac
            crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
            !
            crypto dynamic-map SDM_DYNMAP_1 1
            description Created by web int
            set transform-set SDM_TRANSFORMSET_1
            reverse-route
            !
            !
            crypto map SDM_CMAP_1 client authentication list VPN_USERS
            crypto map SDM_CMAP_1 isakmp authorization list VPNCLIENTS
            crypto map SDM_CMAP_1 client configuration address respond
            crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
            !
            crypto map VPNDYNMAP isakmp authorization list VPNCLIENTS
            !
            !
            !
            !
            interface FastEthernet0/0
            description FTTC
            ip address 87.***.86.243 255.255.255.248
            ip nat outside
            ip virtual-reassembly
            duplex auto
            speed auto
            !
            interface FastEthernet0/1
            description $ETH-WAN$
            ip address 94.***.177.156 255.255.255.248
            ip nat outside
            ip virtual-reassembly
            duplex auto
            speed auto
            crypto map SDM_CMAP_1
            !
            interface FastEthernet0/0/0
            !
            interface FastEthernet0/0/1
            switchport access vlan 2
            !
            interface FastEthernet0/0/2
            !
            interface FastEthernet0/0/3
            switchport mode trunk
            !
            interface Vlan1
            ip address 10.1.1.2 255.255.255.0
            ip nat inside
            ip virtual-reassembly
            !
            interface Vlan2
            no ip address
            !
            interface Dialer1
            ip address negotiated
            ip mtu 1452
            ip nat outside
            ip virtual-reassembly
            encapsulation ppp
            load-interval 30
            dialer pool 1
            dialer idle-timeout 0
            dialer persistent
            dialer-group 1
            ppp authentication chap callin
            ppp chap hostname *******@itp.4adsl.net
            ppp chap password 0 *******
            ppp ipcp dns request
            !
            ip local pool VPNPOOL 10.1.1.150 10.1.1.170
            ip route 0.0.0.0 0.0.0.0 87.***.86.242 track 100
            ip route 0.0.0.0 0.0.0.0 94.***.177.153 10
            !
            !
            ip http server
            no ip http secure-server
            ip nat inside source route-map ENTA interface FastEthernet0/0 overload
            ip nat inside source route-map VIRGIN interface FastEthernet0/1 overload
            !
            access-list 1 remark SDM_ACL Category=16
            access-list 1 permit 10.1.1.0 0.0.0.255
            access-list 2 permit 10.1.1.0 0.0.0.255
            access-list 5 permit 10.1.1.72
            access-list 6 permit 10.1.1.212
            access-list 100 remark SDM_ACL Category=2
            access-list 100 deny ip any host 10.1.1.150
            access-list 100 deny ip any host 10.1.1.151
            access-list 100 deny ip any host 10.1.1.152
            access-list 100 deny ip any host 10.1.1.153
            access-list 100 deny ip any host 10.1.1.154
            access-list 100 deny ip any host 10.1.1.155
            access-list 100 deny ip any host 10.1.1.156
            access-list 100 deny ip any host 10.1.1.157
            access-list 100 deny ip any host 10.1.1.158
            access-list 100 deny ip any host 10.1.1.159
            access-list 100 deny ip any host 10.1.1.160
            access-list 100 deny ip any host 10.1.1.161
            access-list 100 deny ip any host 10.1.1.162
            access-list 100 deny ip any host 10.1.1.163
            access-list 100 deny ip any host 10.1.1.164
            access-list 100 deny ip any host 10.1.1.165
            access-list 100 deny ip any host 10.1.1.166
            access-list 100 deny ip any host 10.1.1.167
            access-list 100 deny ip any host 10.1.1.168
            access-list 100 deny ip any host 10.1.1.169
            access-list 100 deny ip any host 10.1.1.170
            access-list 100 permit ip 10.1.1.0 0.0.0.255 any
            !
            route-map VIRGIN permit 10
            match ip address 1
            match interface FastEthernet0/1
            !
            route-map ENTA permit 10
            match ip address 1
            match interface FastEthernet0/0
            !
            route-map SDM_RMAP_1 permit 1
            match ip address 100
            !
            !
            !
            !
            control-plane
            !
            !
            !
            !
            !
            !
            !
            !
            !
            !
            line con 0
            password *******
            line aux 0
            line vty 0 4
            exec-timeout 30 0
            password *******
            transport input ssh
            line vty 5 15
            !
            scheduler allocate 20000 1000
            !
            end

            Router#show ip route
            Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
            D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
            N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
            E1 - OSPF external type 1, E2 - OSPF external type 2
            i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
            ia - IS-IS inter area, * - candidate default, U - per-user static route
            o - ODR, P - periodic downloaded static route

            Gateway of last resort is 94.***.177.153 to network 0.0.0.0

            87.0.0.0/29 is subnetted, 1 subnets
            C 87.***.86.240 is directly connected, FastEthernet0/0
            10.0.0.0/24 is subnetted, 1 subnets
            C 10.1.1.0 is directly connected, Vlan1
            94.0.0.0/29 is subnetted, 1 subnets
            C 94.***.177.152 is directly connected, FastEthernet0/1
            S* 0.0.0.0/0 [10/0] via 94.***.177.153
            Router#exit
            -----------------------------
            Thanks



            • #7
              Re: failover on 2811 with 2 ISPs

              Is the IP SLA showing successes or failures when you bring the interface back up? Instead of using 4.2.2.2 as your target, try using 87.***.86.242.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)



              • #8
                Re: failover on 2811 with 2 ISPs

                Originally posted by auglan:
                Is the IP SLA showing successes or failures when you bring the interface back up? Instead of using 4.2.2.2 as your target, try using 87.***.86.242.
                I changed the IP address in the SLA to the router's default gateway instead of 4.2.2.2, and now if I shut the interface it fails over, and if I do "no shut" it switches back.

                So thanks again for your help Auglan



                • #9
                  Re: failover on 2811 with 2 ISPs

                  Okay good. Thanks for letting me know.
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)



                  • #10
                    Re: failover on 2811 with 2 ISPs

                    I am just curious how all these rules are applied.
                    If I have the following route map:
                    #route-map ENTA permit 10
                    #match ip address 1
                    #set interface FastEthernet0/0
                    and the following NAT:
                    #ip nat inside source route-map ENTA interface FastEthernet0/1 overload
                    Which interface will traffic matched in access-list 1 use, FastEthernet0/0 or FastEthernet0/1? I mean, which rule takes priority: "set interface" in the route map or "interface" in the "ip nat inside" command?
                    Also, do I need to have default routes set up for this to work? Do I need different metrics for these default routes?

                    Thanks



                    • #11
                      Re: failover on 2811 with 2 ISPs

                      Also, do I need to have default routes set up for this to work? Do I need different metrics for these default routes?

                      For a failover scenario you want 2 default routes, but the non-tracked route with a higher administrative distance.

                      I am just curious how all these rules are applied.
                      If I have the following route map:
                      #route-map ENTA permit 10
                      #match ip address 1
                      #set interface FastEthernet0/0
                      and the following NAT:
                      #ip nat inside source route-map ENTA interface FastEthernet0/1 overload
                      Which interface will traffic matched in access-list 1 use, FastEthernet0/0 or FastEthernet0/1? I mean, which rule takes priority: "set interface" in the route map or "interface" in the "ip nat inside" command?

                      Using route-maps with NAT is different than using route-maps with policy-based routing. All the route-map does when used with NAT is tell the router what traffic to send to the NAT engine to be NATed. The "set interface" command in the route-map, when used with NAT, doesn't do anything. You use the "match interface" command. You use "set interface" when doing policy-based routing.
                      Last edited by auglan; 4th August 2012, 13:29.
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)



                      • #12
                        Re: failover on 2811 with 2 ISPs

                        Originally posted by auglan:
                        For a failover scenario you want 2 default routes, but the non-tracked route with a higher administrative distance.

                        Using route-maps with NAT is different than using route-maps with policy-based routing. All the route-map does when used with NAT is tell the router what traffic to send to the NAT engine to be NATed. The "set interface" command in the route-map, when used with NAT, doesn't do anything. You use the "match interface" command. You use "set interface" when doing policy-based routing.
                        Thanks, Auglan.

                        So what does the "match interface" command actually do in a route map when used with ip nat?



                        • #13
                          Re: failover on 2811 with 2 ISPs

                          The router looks at the source and destination IP addresses. If there is a route for the destination out the same interface as in the route-map, the traffic is NATed and then routed via the route out that interface.

                          The "match interface" matches any routes that have their next hop out of the interfaces listed in the route-map.

                          Cisco's documentation on this is kind of vague with the "match interface" command.

                          To route, we are relying on the static route in the routing table found out that interface in the route-map.

                          When we use "set interface" we are using policy-based routing, which, if the packet matches the route-map, policy-routes it regardless of what the routing table says.
                          Last edited by auglan; 4th August 2012, 17:48.
                          CCNA, CCNA-Security, CCNP
                          CCIE Security (In Progress)

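                          An added example (not posted in this thread, and not the original poster's config) that pulls the thread's conclusions into one working configuration: the probe sourced from each WAN interface and aimed at that ISP's next hop (what fixed failback in #8), two default routes separated by administrative distance (#11), NAT selected by "match interface" (#13), and, for the split-LAN goal from the first post, policy-based routing with "set ip next-hop" so that one half of the LAN prefers the second ISP but falls back when its track goes down. Assumptions: the masked 87.x/94.x addresses are replaced with RFC 5737 placeholders (ISP1 192.0.2.0/29, next hop 192.0.2.1; ISP2 198.51.100.0/29, next hop 198.51.100.1); the LAN split of 10.1.1.0/25 to ISP1 and 10.1.1.128/25 to ISP2 is invented for illustration (the thread's ACL 1 covers the whole /24); the "ip sla monitor" form is the 12.4(12) syntax the poster's router accepts, while newer IOS uses "ip sla".

```cisco
! Added example, not the thread's own config. Placeholder addresses:
! ISP1 (FTTC) 192.0.2.0/29, gateway 192.0.2.1; ISP2 (Virgin) 198.51.100.0/29,
! gateway 198.51.100.1. LAN split (10.1.1.0/25 -> ISP1, 10.1.1.128/25 -> ISP2)
! is assumed for illustration.
!
interface FastEthernet0/0
 description FTTC (ISP1)
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description Virgin (ISP2)
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 ip policy route-map LAN-SPLIT
!
! Probe each ISP's own next hop, sourced from that WAN interface, so the
! answer can only ever arrive through that link. This is what made failback
! work in #8; its limit is that it proves the link and the ISP CPE, not the
! path beyond them.
ip sla monitor 100
 type echo protocol ipIcmpEcho 192.0.2.1 source-interface FastEthernet0/0
 timeout 500
 frequency 3
ip sla monitor schedule 100 life forever start-time now
ip sla monitor 200
 type echo protocol ipIcmpEcho 198.51.100.1 source-interface FastEthernet0/1
 timeout 500
 frequency 3
ip sla monitor schedule 200 life forever start-time now
!
! To catch an upstream outage instead, probe a remote address and pin it to
! the ISP under test with an untracked host route, so the probe can never
! succeed via the other ISP (the failback problem in #3):
!   ip route 4.2.2.2 255.255.255.255 192.0.2.1
!   ip sla monitor 100
!    type echo protocol ipIcmpEcho 4.2.2.2 source-interface FastEthernet0/0
!
track 100 rtr 100 reachability
 delay down 10 up 20
track 200 rtr 200 reachability
 delay down 10 up 20
!
! Two defaults: ISP1 at AD 1 wins while track 100 is up; ISP2 at AD 10 takes
! over when it is withdrawn, and is itself withdrawn if track 200 fails.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 100
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10 track 200
!
! NAT: one translation per egress interface. "match interface" only picks
! the statement that fits the interface routing already chose; it steers
! nothing (#13).
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 permit 10.1.1.128 0.0.0.127
!
route-map ENTA permit 10
 match ip address 1
 match interface FastEthernet0/0
!
route-map VIRGIN permit 10
 match ip address 1
 match interface FastEthernet0/1
!
ip nat inside source route-map ENTA interface FastEthernet0/0 overload
ip nat inside source route-map VIRGIN interface FastEthernet0/1 overload
!
! PBR ("set" does steer): the upper half of the LAN is sent to ISP2 only
! while track 200 is up. When it is down the set clause is skipped and the
! packet follows the routing table, i.e. the tracked default via ISP1. The
! lower half needs no policy: the default route already prefers ISP1 and
! falls back to ISP2 by administrative distance.
route-map LAN-SPLIT permit 10
 match ip address 2
 set ip next-hop verify-availability 198.51.100.1 10 track 200
```

                          Check the state with "show track", "show ip sla monitor statistics" and "show ip route" after shutting and re-enabling each WAN interface. One caveat to plan for: translations already built on the failed outside interface stay in the NAT table until they time out, so long-lived TCP sessions do not move over cleanly; clear them with "clear ip nat translation *" when a track flips, or accept that those sessions stall.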


                          • #14
                            Re: failover on 2811 with 2 ISPs

                            Thanks again, Auglan, it all looks much clearer now.
