2 Cell SIMs on Cradlepoint to Cisco 881.

Scott Saunders
Level 1

I have a branch office with a Cisco 881, using LAN address 10.1.1.0/24, and a Cradlepoint IBR650B router for Verizon using passthrough to the router, so it's effectively a modem. The office needs more data in a billing month, so a 2nd SIM has been ordered - the SIM unfortunately cannot share the same static IP as the first. The campus ASA (5510) appliance will *not* connect a second IPSec VPN tunnel terminating in a LAN already in use in a different tunnel because of security (a good thing usually). 

The 881's programming is fairly complicated with multiple LAN subnets and depends on DNS & DHCP off-site for those subnets. 

In summary - I need to be able to have two VPN tunnels to the same LAN, and load balancing between the 2 tunnels. 

Is this possible? Either at the router, or at the ersatz-modem?


9 Replies

Hello,

My first thought is it might be possible using two VRFs...

Can you post the config of your 881?

version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname BRANCH
!
boot-start-marker
boot-end-marker
!
!
logging count
logging buffered 51200 informational
enable secret 5 XXX
!
no aaa new-model
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name INSTITUTION.ORG
ip name-server 1
ip name-server 2
ip name-server 3
ip name-server 4
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO881-SEC-K9 sn FTX--------
!
!
archive
log config
hidekeys
username password
!
!
!
!
lldp run
!
!
!
crypto isakmp policy 1
encr ENCODING
authentication pre-share
group 2
crypto isakmp key
!
!
crypto ipsec transform-set to_vpn ENCODING
mode tunnel
!
!
!
crypto map to_vpn 10 ipsec-isakmp
set peer X
set transform-set to_vpn
match address 101
!
!
!
!
!
interface FastEthernet0
switchport access vlan 72
no ip address
shutdown
!
interface FastEthernet1
switchport access vlan 72
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 72
no ip address
!
interface FastEthernet3
switchport access vlan 72
no ip address
!
interface FastEthernet4
description WAN Interface
ip address STATIC IP 1
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1428
duplex auto
speed auto
crypto map to_vpn
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
shutdown
!
interface Vlan72
description Data LAN Interface
ip address GUEST secondary
ip address SANDBOX secondary
ip address DATA
ip access-group 100 in
ip helper-address DNS1
ip helper-address DNS2
no ip redirects
no ip unreachables
ip directed-broadcast 150
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip verify unicast source reachable-via rx
ip tcp adjust-mss 1374
ip policy route-map guest-access-policy-route
!
ip forward-protocol nd
ip forward-protocol udp 5246
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map nonat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 GATEWAY
!
logging trap debugging
logging facility local6
logging source-interface Vlan72
logging host TRAP
!
route-map guest-access-policy-route permit 7
description -- Allow guests/registrants direct access to certain systems --
match ip address 133
!
route-map guest-access-policy-route permit 10
description -- Next hop towards loopback on CAMPUS SWITCH --
match ip address 132
set ip next-hop NEXTHOP
!
route-map nonat permit 10
match ip address 110
!
snmp-server community public RO 95
snmp-server contact
snmp-server enable traps tty
access-list 23 permit TRAP
access-list 23 permit CAMPUS
access-list 23 permit CAMPUS
access-list 95 permit TRAP
access-list 95 permit CAMPUS
access-list 95 permit CAMPUS
access-list 95 deny any log
access-list 100 remark -- Campus Services REMOVED --
access-list 100 permit tcp SANDBOX host CAMPUS
access-list 100 remark -- Deny all other SANDBOX traffic --
access-list 100 deny ip SANDBOX any log
access-list 100 remark -- Permit all other traffic --
access-list 100 permit ip any any
access-list 100 remark -- End Access-list 100 --
access-list 101 permit ip DATA.0 0.0.0.255 CAMPUS
access-list 101 permit ip DATA.0 0.0.0.255 BRANCH
access-list 101 permit ip DATA.0 0.0.0.255 CAMPUS
access-list 101 permit ip DATA.0 0.0.0.255 CAMPUS
access-list 101 permit ip DATA.0 0.0.0.255 CAMPUS
access-list 101 permit ip DATA.0 0.0.0.255 CAMPUS
access-list 101 permit ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 101 permit ip SANDBOX.0 0.0.0.255 BRANCH
access-list 101 permit ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 101 permit ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 101 permit ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 101 permit ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 101 permit ip GUEST.0 0.0.0.255 CAMPUS
access-list 101 permit ip GUEST.0 0.0.0.255 BRANCH
access-list 101 permit ip GUEST.0 0.0.0.255 CAMPUS
access-list 101 permit ip GUEST.0 0.0.0.255 CAMPUS
access-list 101 permit ip GUEST.0 0.0.0.255 CAMPUS
access-list 101 permit ip GUEST.0 0.0.0.255 CAMPUS
access-list 110 deny ip DATA.0 0.0.0.255 CAMPUS
access-list 110 deny ip DATA.0 0.0.0.255 BRANCH
access-list 110 deny ip DATA.0 0.0.0.255 CAMPUS
access-list 110 deny ip DATA.0 0.0.0.255 CAMPUS
access-list 110 deny ip DATA.0 0.0.0.255 CAMPUS
access-list 110 deny ip DATA.0 0.0.0.255 CAMPUS
access-list 110 deny ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 110 deny ip SANDBOX.0 0.0.0.255 BRANCH
access-list 110 deny ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 110 deny ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 110 deny ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 110 deny ip SANDBOX.0 0.0.0.255 CAMPUS
access-list 110 deny ip GUEST.0 0.0.0.255 CAMPUS
access-list 110 deny ip GUEST.0 0.0.0.255 BRANCH
access-list 110 deny ip GUEST.0 0.0.0.255 CAMPUS
access-list 110 deny ip GUEST.0 0.0.0.255 CAMPUS
access-list 110 deny ip GUEST.0 0.0.0.255 CAMPUS
access-list 110 deny ip GUEST.0 0.0.0.255 CAMPUS
access-list 110 permit ip DATA.0 0.0.0.255 any
access-list 110 permit ip GUEST.0 0.0.0.255 any
access-list 132 remark -- GuestAccess -- route-map --
access-list 132 remark -- Permit guest-access packets to leave the router --
access-list 132 permit ip GUEST any
access-list 133 remark -- GuestAccess by-pass route-map --
access-list 133 remark -- REGISTRATION --
access-list 133 permit ip GUEST host CAMPUS
access-list 133 permit icmp GUEST host CAMPUS
access-list 133 remark -- REGISTRATION1
access-list 133 permit ip GUEST CAMPUS
access-list 133 permit icmp GUEST CAMPUS
access-list 133 remark -- REGISTRATION2
access-list 133 remark -- Including : server --
access-list 133 permit ip GUEST CAMPUS
access-list 133 permit icmp GUEST CAMPUS
access-list 133 remark -- Allow pinging of the local router interface
access-list 133 permit ip GUEST GUEST
access-list 133 remark -- all other direct traffic falls through the rest of the policy-route to NAT --
access-list 150 remark -- Wake-On-LAN --
access-list 150 permit ip host CAMPUS any log
access-list 150 permit icmp host CAMPUS any log
!
control-plane
!
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
session-timeout 60
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server TIME1
sntp server TIME2
!
end

Hello,

Thanks for the config, I'll lab this and see what I can come up with. Since you can't use the ASA, the other endpoint, I assume, will be an IOS device?

Thank you! The other endpoint will remain the ASA. I can do limited configuration changes to it, but my working group doesn't own the device on campus. It's got 100+ other tunnels on it that are workplace-priority, so I'm very apprehensive about modifying it globally.

Hello,

Thinking about this again, the 881 has an IPSec throughput of about 25 to 30 MB max. It won't increase even if you have multiple tunnels terminating on that one device. It also has only one (FastEthernet4) WAN port, so you would have to use subinterfaces, which I am not sure will work.

How much bandwidth does your remote office need?

Load balancing is more a way to split the two 25GB pools of data attached to the two 4G LTE SIM cards in the modem. Speed is not the issue. Verizon (here in the States) has "unlimited*" data plans; once you go through 25GB of data to anyone but Verizon and their partners, they de-prioritize your data so deeply that even an SSH session has lag.
So I need either a load balance, or a failover once the data stream on SIM 1 falls below a certain threshold input rate.

Hello,

Understood. I'll lab this up and see if I get it to work. It will be tomorrow though, I am on GMT+1 time...

Thank you! You're doing me a major favor here.

Hello,

After a lot of thinking and testing, the only feasible way to do this is, I think, to split the local subnet and build another tunnel using the second public IP as a peer. That said, and I mentioned this yesterday, I don't even think you can do this on the 881, which has only one WAN port.

Before figuring out whether the NAT and VPN setup for two tunnels will work on the Cradlepoint, is it even an option to add a new tunnel to the ASA (it won't go to the same subnet, since you are splitting it in half)?
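An added sanity check for the split-subnet plan above (my example, not code from the thread or from Cisco): given two tunnels that each carry one half of the branch LAN 10.1.1.0/24 to the campus over its own peer, it confirms that the two tunnels' interesting-traffic selectors do not overlap towards the same campus networks, which is the duplicate-tunnel condition the ASA refuses, and that the two halves together still cover the whole LAN so no host is left outside the crypto ACLs. Peer addresses, the campus prefix and the tunnel names are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed tunnel definitions; peer and campus addresses are placeholders.
TUNNELS = {
    "to_vpn_sim1": {
        "peer": "203.0.113.10",        # placeholder public IP behind SIM 1
        "local": ["10.1.1.0/25"],      # first half of the branch LAN
        "remote": ["172.16.0.0/16"],   # placeholder campus networks
    },
    "to_vpn_sim2": {
        "peer": "203.0.113.20",        # placeholder public IP behind SIM 2
        "local": ["10.1.1.128/25"],    # second half of the branch LAN
        "remote": ["172.16.0.0/16"],
    },
}


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def selector_conflicts(tunnels):
    """Return (tunnel_a, tunnel_b, local_a, local_b) for each pair whose local
    selectors overlap towards overlapping remote networks (duplicate tunnel)."""
    conflicts = []
    for a, b in combinations(tunnels, 2):
        for la in _nets(tunnels[a]["local"]):
            for lb in _nets(tunnels[b]["local"]):
                if not la.overlaps(lb):
                    continue
                remotes_b = _nets(tunnels[b]["remote"])
                if any(ra.overlaps(rb) for ra in _nets(tunnels[a]["remote"])
                       for rb in remotes_b):
                    conflicts.append((a, b, str(la), str(lb)))
    return conflicts


def covers_lan(tunnels, lan):
    """True if the tunnels' local selectors together cover every address of
    `lan`, so no host is left outside the crypto ACLs after the split."""
    remaining = [ipaddress.ip_network(lan, strict=True)]
    for net in (n for t in tunnels.values() for n in _nets(t["local"])):
        nxt = []
        for r in remaining:
            if r.subnet_of(net):
                continue                            # fully covered, drop it
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # carve out the covered part
            else:
                nxt.append(r)                       # disjoint, keep
        remaining = nxt
    return not remaining
```

Running it with one tunnel still carrying the whole /24 reports the overlap with the /25 tunnel, and with only one /25 defined reports that the LAN is no longer fully covered.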
