Solved: Re: Cisco 891 Fail over Configuration

andyspranata · ‎02-03-2012

Cisco 891 configuration Details:

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname XXXXX

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 YYYYYYYYYYYYYYYYYYYYYYYYYY

!

aaa new-model

!

aaa authentication login default local

aaa authorization exec default local

!

aaa session-id common

!

no ip source-route

!

ip dhcp pool ccp-pool1

import all

network 10.153.64.0 255.255.255.128

default-router 10.153.64.1

dns-server 8.8.8.8

lease infinite

!

ip cef

no ip bootp server

ip domain name VVVVVVVVVVVV

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip name-server 10.153.65.1

ip name-server 10.153.66.1

ip inspect tcp reassembly queue length 128

no ipv6 cef

!

track 1 ip sla 1 reachability

delay down 9 up 10

!

track 2 ip sla 2 reachability

delay down 9 up 10

!

interface FastEthernet8

description $ETH-WAN$$FW_OUTSIDE$

ip address 10.153.66.5 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface GigabitEthernet0

description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$

ip address 10.153.65.5 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan1

description LAN Connection$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$

ip address 10.153.64.1 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map A interface FastEthernet8 overload

ip nat inside source route-map B interface GigabitEthernet0 overload

ip route 0.0.0.0 0.0.0.0 10.153.65.1 track 1

ip route 0.0.0.0 0.0.0.0 10.153.66.1 100 track 2

!

ip sla 1

icmp-echo 10.153.65.1 source-interface GigabitEthernet0

threshold 2

frequency 5

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 10.153.66.1 source-interface FastEthernet8

frequency 5

ip sla schedule 2 life forever start-time now

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.153.64.0 0.0.0.127

access-list 10 permit 10.153.64.0

access-list 110 permit ip 10.153.64.0 0.0.0.127 any

no cdp run

!

route-map A permit 10

match ip address 110

match interface GigabitEthernet0

!

route-map B permit 10

match ip address 110

match interface FastEthernet8

!

I could connect to the Gigabitethernet wan, based on above configuration.

When I test on FastEthernet8 for the secondary ISP connection it will not go through the internet.

The Ping details

ping from (10.153.65.5) to 8.8.8.8 = OK

ping from (10.153.66.5) to 10.153.66.1 = OK

ping from (10.153.66.5) to 8.8.8.8 = not OK

PLease advice?

Thotsaphon Lueangwattanaphong · ‎02-03-2012

Hello,

Well, you're trying to "ping" from WAN (10.153.66.5). You need to enable another default route for that . Just shut down "Gigabit 0" for testing.

Don't forget you're using "Track" to install a default route once at a time

HTH,

Toshi

View solution in original post

Thotsaphon Lueangwattanaphong · ‎02-03-2012

Hello,

Frist off, you need to make sure that which WAN interface you're using to get the outside. "Show ip route" will reveal you that. You can shut down Gigabit0 for testing.

HTH,

Toshi

View solution in original post

Thotsaphon Lueangwattanaphong · ‎02-04-2012

Hi Andy,

Yes you can.

Edit: Your configuration looks fine to me. It's Active/Standby.

You can use PBR to redirect a host to WAN(FastEthernet)

!

ip access-list ext Redirect-Host

permit ip host 10.153.64.61 any

!

route-map GoToFastEthernet permit 10

match ip address Redirect-Host

set ip next-hop 10.153.66.1

!

int vlan 1

ip policy route-map GoToFastEthernet

!

HTH,

Toshi

View solution in original post

ebarticel · ‎02-03-2012

You have missmatched route map to FastEhternet8 interface

ip nat inside source route-map A interface FastEthernet8 overload

route-map B permit 10

match ip address 110

match interface FastEthernet8

Hope this helps

Eugen

andyspranata · ‎02-03-2012

sorry, that was a mistake when I copy paste the configuration

ip nat inside source route-map A interface FastEthernet8 overload

ip nat inside source route-map B interface GigabitEthernet0 overload

route-map B permit 10

match ip address 110

match interface GigabitEthernet0

!

route-map A permit 10

match ip address 110

match interface FastEthernet8

ebarticel · ‎02-03-2012

Did you try to change FastEthernet8 with the IP address for the interface in the nat statement?

Also both map statement are using the same acl 110. I see that you have and acl 1 configured.

Did you try to change one of map to use acl 1?

andyspranata · ‎02-03-2012

ip nat inside source route-map A interface FastEthernet8 overload

to

ip nat inside source route-map A interface 10.153.66.5 overload

is that correct?

Changed the route-map configuration to:

route-map B permit 10

match ip address 110

match interface GigabitEthernet0

!

route-map A permit 10

match ip address 1

match interface FastEthernet8

ebarticel · ‎02-03-2012

Don't need the "interface", just ip address

ip nat inside source route-map A 10.153.66.5 overload

andyspranata · ‎02-03-2012

I tried it and it give me a wrong syntax warning

% invalid input detected

ip nat inside source route-map A 10.153.66.5 overload

^

ebarticel · ‎02-03-2012

You need a space between "route-map" and "A".

Also you have two default routes, but the one out Fa8 has a 100 AD. maybe if you remove that value it will use it

ip route 0.0.0.0 0.0.0.0 10.x.x.x 100 track 2

change to

ip route 0.0.0.0 0.0.0.0 10.x.x.x track 2

Thotsaphon Lueangwattanaphong · ‎02-03-2012

Helllo,

Try this out.

!

ip nat inside source route-map B interface FastEthernet8 overload

ip nat inside source route-map A interface GigabitEthernet0 overload

!

route-map A permit 10

match ip address 110

match interface GigabitEthernet0

!

route-map B permit 10

match ip address 110

match interface FastEthernet8

!

Edit: Well, you're trying to "ping" from WAN(10.153.66.5). You need to enable another default route for that . Just shut down "Gigabit 0" for testing.

HTH,

Toshi

andyspranata · ‎02-03-2012

HI ,

It was a wrong copy-paste configuration: the right one is:

ip nat inside source route-map A interface FastEthernet8 overload

ip nat inside source route-map B interface GigabitEthernet0 overload

route-map B permit 10

match ip address 110

match interface GigabitEthernet0

!

route-map A permit 10

match ip address 110

match interface FastEthernet8

Thotsaphon Lueangwattanaphong · ‎02-03-2012

Hello,

Well, you're trying to "ping" from WAN (10.153.66.5). You need to enable another default route for that . Just shut down "Gigabit 0" for testing.

Don't forget you're using "Track" to install a default route once at a time

HTH,

Toshi

andyspranata · ‎02-03-2012

Thanks Man,

You are correct - I just tried it and it is working

The failover configuration

Thanks to you.

Best regards,

Andy

andyspranata · ‎02-03-2012

Please find below the ping details

#ping

Protocol [ip]:

Target IP address: 8.8.8.8

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: FastEthernet8

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 10.153.66.5

.....

Success rate is 0 percent (0/5)

Please give the details to enable default route?

is this what you mean:

ip route 0.0.0.0 0.0.0.0 10.153.65.1 track 1

ip route 0.0.0.0 0.0.0.0 10.153.66.1 100 track 2

Thotsaphon Lueangwattanaphong · ‎02-03-2012

Hello,

Frist off, you need to make sure that which WAN interface you're using to get the outside. "Show ip route" will reveal you that. You can shut down Gigabit0 for testing.

HTH,

Toshi

andyspranata · ‎02-03-2012

Hi,

I have test it - and it is working.

So the FastEthernet8 will not active when GigabitEthernert0 is active.

is there a way to make sure that both of them active but

GigabitEthernert0 as the primary.

because I would like to configure 1 ip - 10.153.64.61 to route directly to 10.153.66.5

Best regards

Andy