Config help please - dual WAN on 1811.

neilmac
Level 1

Hi, I have a 1811 router with one connection to the internet. This connection is going to be turned off for a while, so I would like to set up another interface as a fall back for when it does.

The second WAN connection will be DHCP connected via ethernet.

I have to configure this remotely prior to changeover, and I am paranoid about locking myself out of the router if I make a wrong turn.

I would like to ask if anyone can help me so that the primary WAN (the one in there now) is always used, and when it goes down, the secondary one will route traffic to the internet.

I am sure it's a simple config to add a second WAN port, all help gratefully received.

NM

Here is current config, some identifying details have been masked.

router.1811#show run
Building configuration...

Current configuration : 5505 bytes
!
! Last configuration change at 09:18:51 UTC Fri Aug 27 2010 by xxxxx
! NVRAM config last updated at 12:29:28 UTC Fri Oct 30 2009 by xxxxx
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router.1811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip name-server 216.7.159.195
ip name-server 216.7.159.133
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2663121659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2663121659
revocation-check none
rsakeypair TP-self-signed-2663121659
!
!
crypto pki certificate chain TP-self-signed-2663121659
certificate self-signed 01
  30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363633 31323136 3539301E 170D3039 31303239 30373333
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36363331
  32313635 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C737 EB0584C5 AA2ADD1F 90B3586B 873DF4EE 1FA55B68 202F08E2 BFF052A8
  056D6BC7 5FECDCC1 4570C547 EFA239FA 4D0816F8 E00AAEBE 36038FEB 0CD6978C
  9A6305E5 1518BC21 AE2259D4 01D784DF 58C63DC7 49A70B66 9A6C4396 B8FE1F6C
  D00ED195 5D6F62DE 99714942 69EB6286 17E8D19E AB95ED39 316971A0 37E05088
  A23B0203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
  551D1104 12301082 0E63322E 726F7574 65722E31 38313130 1F060355 1D230418
  30168014 6B11EFF2 E7635566 19AC68F9 431C274C 84CEF1D0 301D0603 551D0E04
  1604146B 11EFF2E7 63556619 AC68F943 1C274C84 CEF1D030 0D06092A 864886F7
  0D010104 05000381 81008F34 15ED6E3B 329073CF CA64939F FC0EADDF E1034B8D
  3231D662 9132BBD4 B3E577F3 5270A020 7E180030 BA54582B 38CD6E03 C22D67B1
  A279E24E 8E250061 C5FEF223 CB8C2432 4ED46E6B 9072DBDC 5E2187A9 899FB6C0
  6016586F 940A4760 6E34E55E 48A9998B F5FCD8A3 6772123B C39F32FA 86D0AFFE
  638EB9AA AAEF6F57 AA38
  quit
username xxxx privilege 15 secret 5 xxxx
!
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.7.xxx.xx 255.255.255.252
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport mode trunk
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
ip address 192.168.8.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
shutdown
!
ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 192.168.3.0 255.255.255.0 192.168.8.1
ip route 192.168.4.0 255.255.255.0 192.168.8.1
ip route 192.168.5.0 255.255.255.0 192.168.8.1
ip route 192.168.6.0 255.255.255.0 192.168.8.2
ip route 192.168.7.0 255.255.255.0 192.168.8.1
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.8.2 5045 interface FastEthernet0 5045
ip nat inside source static tcp 192.168.8.2 4125 interface FastEthernet0 4125
ip nat inside source static tcp 192.168.8.2 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.8.2 3085 interface FastEthernet0 3085
ip nat inside source static tcp 192.168.8.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.8.11 22 interface FastEthernet0 22
ip nat inside source static tcp 192.168.8.11 57 interface FastEthernet0 57
ip nat inside source static tcp 192.168.8.11 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.8.11 3660 interface FastEthernet0 3660
ip nat inside source static tcp 192.168.8.11 3663 interface FastEthernet0 3663
ip nat inside source static tcp 192.168.8.11 4665 interface FastEthernet0 4665
ip nat inside source static tcp 192.168.8.11 3000 interface FastEthernet0 3000
ip nat inside source static tcp 192.168.8.11 4000 interface FastEthernet0 4000
!
access-list 1 permit any
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
ntp clock-period 17180445
ntp server 192.168.8.2 key 0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

router.1811#

31 Replies

Static route failover works as long as the link you are failing for is the one directly connected to the router.

Router (interface e) -------Link-------(interface f)Provider

If the above is the setup and interface e is on our router and interface f is on the provider router...

Then static route failover would work as long as it is that link between e and f that goes down.

For some setups that is all we need. 

If you want to track failover more than that particular link... (for example multiple hops down the path) you'll need to use IP SLA and configure tracking say using ICMP echo.

Hope this helps.
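
The IP SLA tracking Manas describes, as an added configuration example that is not from any post in this thread. It reuses the provider gateway 216.7.149.33 and the interface roles from the posted config; PROBE_TARGET is a placeholder for an address beyond the provider's next hop that you are permitted to ping, and the `ip sla` / `icmp-echo` syntax assumed here is the form introduced in IOS 12.4(4)T.

```ios
! Added example (not from the thread): dynamic default-route failover
! driven by IP SLA reachability tracking, for the case where the
! Ethernet link to a modem stays up while the path behind it is dead.
! PROBE_TARGET is a placeholder; 216.7.149.33 is the gateway from the
! posted config.
!
! Probe: one ICMP echo every 10 s, always sourced from the primary WAN.
ip sla 1
 icmp-echo PROBE_TARGET source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe. The delays stop a single lost echo
! from flapping the default route back and forth.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Pin the probe target to the primary link. Without this host route,
! after failover the probe would be sent out FastEthernet1, succeed,
! and flip the routes straight back.
ip route PROBE_TARGET 255.255.255.255 216.7.149.33
!
! Primary default route is withdrawn when track 1 goes down ...
ip route 0.0.0.0 0.0.0.0 216.7.149.33 track 1
! ... and the floating static (AD 100) via the DHCP-learned gateway
! on FastEthernet1 takes over.
ip route 0.0.0.0 0.0.0.0 FastEthernet1 dhcp 100
```

On a 12.4 mainline image that predates the `ip sla` keyword, the equivalent is `ip sla monitor 1`, `type echo protocol ipIcmpEcho PROBE_TARGET source-interface FastEthernet0`, `ip sla monitor schedule 1 life forever start-time now` and `track 1 rtr 1 reachability`. Check the state with `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0`; the track object should read "Reachability is Up" while the primary path works, and the routing table should switch to the FastEthernet1 route once it goes down. Shutting FastEthernet0 by hand still works as a manual override with this in place.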

sumitava123
Level 1

Hi Manas ,

You are absolutely right but the only problem is this link is terminated on a fastethernet port. Fastethernet is normally physically connected to a modem located at site so the physical link normally doesn't go down even if the actual link is down.

Hope this helps.

Sumit

That's an interesting thought...good catch...  but yes, if the interface is connected to a modem then the failover will only happen if the link between router and modem goes down.

Now even if it is a cable modem, shutting down the fast ethernet port will make it failover.

But no... fast ethernet interfaces do not need to be always connected to a modem. We can get a direct link from the provider that plugs into an RJ45 jack on the router. But yeah, generally these setups will give you a static ip address from the provider.

In this case since it is over DHCP - its more probable its a cable modem.

I'm not sure what it is in this case though...

Cheers,

Manas

OK, followed the instructions and it's not working :>(

fa0 is a broadband connection; when it goes down the next hop will still be up, so I plan to disable it by shutting fa0, hoping that fa1 will then take over.

I changed the config to that shown below. I also added the ip nat outside command to fa1.

I can ping external addresses from the router. If I ping externally from a client on the network, I get request timed out or destination host unreachable.

So, did I miss something ?

Thanks again guys, it's such a small thing yet it seems so difficult to get right. I value your assistance.

NM

router#show run
Building configuration...

Current configuration : 5592 bytes
!
! Last configuration change at 12:29:34 UTC Fri Sep 24 2010 by admin
! NVRAM config last updated at 12:27:03 UTC Fri Sep 24 2010 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip name-server 216.7.159.195
ip name-server 216.7.159.133
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-2663121659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2663121659
revocation-check none
rsakeypair TP-self-signed-2663121659
!
!
crypto pki certificate chain TP-self-signed-2663121659
certificate self-signed 01
  xxxxx
  quit
username xxxxx
!
!
!
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.7.149.34 255.255.255.252
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface FastEthernet1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport mode trunk
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$$ES_LAN$
ip address 192.168.8.10 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 192.168.3.0 255.255.255.0 192.168.8.1
ip route 192.168.4.0 255.255.255.0 192.168.8.1
ip route 192.168.5.0 255.255.255.0 192.168.8.1
ip route 192.168.6.0 255.255.255.0 192.168.8.2
ip route 192.168.7.0 255.255.255.0 192.168.8.1
ip route 0.0.0.0 0.0.0.0 FastEthernet1 dhcp 100
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.8.11 4000 interface FastEthernet0 4000
ip nat inside source static tcp 192.168.8.11 3000 interface FastEthernet0 3000
ip nat inside source static tcp 192.168.8.11 4665 interface FastEthernet0 4665
ip nat inside source static tcp 192.168.8.11 3663 interface FastEthernet0 3663
ip nat inside source static tcp 192.168.8.11 3660 interface FastEthernet0 3660
ip nat inside source static tcp 192.168.8.11 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.8.11 57 interface FastEthernet0 57
ip nat inside source static tcp 192.168.8.11 22 interface FastEthernet0 22
ip nat inside source static tcp 192.168.8.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.8.2 3085 interface FastEthernet0 3085
ip nat inside source static tcp 192.168.8.2 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.8.2 4125 interface FastEthernet0 4125
ip nat inside source static tcp 192.168.8.2 5045 interface FastEthernet0 5045
!
access-list 1 permit any
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
ntp clock-period 17180462
ntp server 192.168.8.2 key 0 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

router#

NM

If your plan for failover is that you will manually shut down FastEth0 when there are problems then failover should work and you will not need to use IP SLA as we have been suggesting. But that means that your failover requires manual intervention (you must recognize that there is a problem, then you must access the router, and you must make a config change). But what will be the situation when the problem occurs on the day that you are on vacation, or happens when you are busy in an important meeting, etc?

The problem in the config that you have posted is that there are no address translations configured for when traffic is going out FastEth1. All the translations use the address of FastEth0, and if it is shut down then the translations will not work. You need to configure translations that use the address of FastEth1 when traffic is going out that interface.

HTH

Rick


Rick, would you mind telling me how to do that ?

NM

NM

Your explanation of the environment verifies that you do not need to configure IP SLA. We did not realize that you were not looking for a dynamic failover. If the failover is planned and will be accomplished by shutting down the first FastEthernet then the original static default route will certainly be removed from the routing table and the floating static default route should be used.

Doing address translation when the translation needs to change depending on which interface is being used is a bit more complex than translation using only a single outbound interface. It is usually accomplished by using a route map which can match on both the source address (as is done in your current configuration) but can also match on the outbound interface.

Here is an example of PAT (interface overload) which I modified a bit. It is a fairly close fit to your environment and I think should give you what you need to do on your router.

!
interface Vlan1
description inside private LAN interface
ip address 192.168.8.10 255.255.255.0
ip nat inside
!---This connects to the private LAN, designated as the NAT inside interface. 
interface FastEthernet0
description first outbound link
ip address 192.168.1.2 255.255.255.252
ip nat outside
!---This connects to the outside and is designated as the NAT outside interface. 
!
interface FastEthernet1
description second outbound link
ip address 192.168.2.2 255.255.255.252
ip nat outside
!---This connects to the outside and is designated as the NAT outside interface. 
!
ip nat inside source route-map link-1 interface FastEthernet0 overload
!---The above line will translate traffic matched by the route-map link-1 to the address of FastEthernet0. 
!
ip nat inside source route-map link-2 interface FastEthernet1 overload
!---The above line will translate traffic matched by the route-map link-2 to the address of FastEthernet1. 
!
access-list 1 permit 192.168.8.0 0.0.0.255
!---This ACL permits traffic from all hosts in the private LAN. 
!
route-map link-2 permit 10
match ip address 1
match interface FastEthernet1
!---This route-map matches all traffic matched by ACL 1 and going out of interface FastEthernet1. In other words, all traffic from the private LAN through link-2 is matched. 
!
route-map link-1 permit 10
match ip address 1
match interface FastEthernet0
!---This route-map matches all traffic matched by ACL 1 and going out of interface FastEthernet0. In other words, all traffic from the private LAN through link-1 is matched. 
!

This takes care of the dynamic translations. If you need the same kind of port translations that are in your posted config I guess that you could also use the route map approach to translate them.

HTH

Rick


Hi, Rick.

Unfortunately I only had an hour on site between flights; it's a shame I didn't have enough time or information to configure the router correctly. I am back to working remotely again.

OK, I am going to follow your instructions, however I have to say that it does seem to be excessively complex, and not at all intuitive.

Surely there is an easier way to have two possible WAN connections, whichever one is up gets the traffic... well, I would have hoped there was an easier way....

I'll feed back once I have tested.

NM

NM

My suggestions for config changes may be complex but that is because doing translation one way if going out one interface and doing translation differently if going out the other interface is complex. I am not aware of any config that is more simple that would make the appropriate translations.

HTH

Rick


I agree with Sumit that while we do not know the details of the connection to the second provider on FastEthernet, and so cannot know for sure whether the link will fail if they lose connectivity to the provider, it is likely to be a problem and IP SLA would be a prudent thing to include in the config. I raised exactly this issue in my first post in this thread on August 27.

HTH

Rick


Hopefully I can clear up.

Fa0 is an expensive service that can be turned off for periods of one to three months, in order to reduce costs.

While it is off, we can connect a LAN to Fa1; it's not an ISP as such, but piggybacking off someone else's network.

I am remote to the site, so I would like to be able to remote in and issue the shut/ no shut command on fa0 as a means of switching over.

The idea here is to take away the need for anyone on site to get involved in the changeover.

NM

Latest Show run...

Not sure if it works yet, I have to wait for the reload...

NM

OK, this current configuration does not work.

If I disable Fa0 then the network does not get access to the internet. It's difficult to give you more info as I am remote, so I am not sure what connectivity, if any, is there once I drop fa0.

I really need a solution here as fa0 is going to be disconnected this week and we need fa1 to be routing traffic. I am running out of time :>(

Have I missed a step ?

Anyone ?

NM

The biggest problem that I see in the most recent config is that while you have added the translate statements that use route maps, you have left the original translate statement in place, which will translate everything to the address of FastEthernet0. Try removing this statement from the config and let us know what happens:

ip nat inside source list 1 interface FastEthernet0 overload

I would also note that access list 1 is a bit different from what I suggested that it be:

access-list 1 permit any
access-list 1 permit 192.168.8.0 0.0.0.255

I am not sure that it is a big deal, but I would suggest that you change the access list to remove the permit any.

HTH

Rick

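
Rick's diagnosis pulled together as one corrected block, as an added example rather than anything posted in the thread: it removes the catch-all translation, restricts ACL 1 to the inside LAN, keeps the two route-map translations, and also gives FastEthernet1 the stateful inspection and reverse-path check that the posted config applies only to FastEthernet0, since otherwise the backup link runs with no firewall at all. Addresses, ACL and route-map names are those already in NM's config; the interface description on FastEthernet1 is assumed.

```ios
! Added example (not from the thread): corrected NAT/WAN section for the
! 1811, combining Rick's fix with matching protection on the backup link.
! Addresses and names are from the posted config; the FastEthernet1
! description text is assumed.
!
! 1. Remove the translation that binds every inside host to Fa0's address.
!    Left in place it is matched first and the route-map entries never fire.
no ip nat inside source list 1 interface FastEthernet0 overload
!
! 2. Limit ACL 1 to the inside LAN. On a numbered ACL any "no access-list 1"
!    form deletes the whole list, so re-create it in the same step.
no access-list 1
access-list 1 permit 192.168.8.0 0.0.0.255
!
! 3. One route-map per link: inside source AND egress interface must match.
route-map link-1 permit 10
 match ip address 1
 match interface FastEthernet0
route-map link-2 permit 10
 match ip address 1
 match interface FastEthernet1
!
! 4. One PAT statement per link, each overloading that link's own address.
ip nat inside source route-map link-1 interface FastEthernet0 overload
ip nat inside source route-map link-2 interface FastEthernet1 overload
!
! 5. Backup WAN gets the same inspection and anti-spoofing check as
!    FastEthernet0, so failing over does not silently drop the firewall.
interface FastEthernet1
 description backup WAN (DHCP, borrowed upstream LAN)
 ip address dhcp
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no shutdown
!
! 6. Primary default route plus the floating static (AD 100) that follows
!    the DHCP-learned gateway once Fa0 is shut down.
ip route 0.0.0.0 0.0.0.0 216.7.149.33
ip route 0.0.0.0 0.0.0.0 FastEthernet1 dhcp 100
```

If IOS refuses step 1 because the dynamic mapping is in use, run `clear ip nat translation *` first; either way, clear the translation table after the change so entries already bound to Fa0's address do not linger. Verify with `show ip nat translations` (inside-global addresses should now be Fa1's DHCP address while Fa0 is shut) and `show route-map` (the hit counters show which link-map is matching). Two limits carried over from the posted config: the static TCP forwards all name `interface FastEthernet0`, and Fa1 receives a private address on someone else's LAN (192.168.1.41 in the final `show ip interface brief`), so inbound services are not reachable through the backup link without forwarding on that upstream network; and neither WAN interface carries an inbound access list, so `ip inspect` only tracks outbound sessions and the router's own HTTP and telnet/SSH management services remain reachable from both links.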

Beautiful....

Rick, thank you so much, I just grabbed this from a remote connection via the second WAN port.

You are an absolute champ for giving up your time to guide me through this.

Brilliant !!

NM


router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              216.7.xxx.xxx.xxx    YES NVRAM  administratively down down  
FastEthernet1              192.168.1.41    YES DHCP   up                    up    
FastEthernet2              unassigned      YES unset  up                    down  
FastEthernet3              unassigned      YES unset  up                    down  
FastEthernet4              unassigned      YES unset  up                    down  
FastEthernet5              unassigned      YES unset  up                    down  
FastEthernet6              unassigned      YES unset  up                    down  
FastEthernet7              unassigned      YES unset  up                    down  
FastEthernet8              unassigned      YES unset  up                    up    
FastEthernet9              unassigned      YES unset  up                    down  
Vlan1                      192.168.8.10    YES NVRAM  up                    up    
Async1                     unassigned      YES NVRAM  down                  down  
NVI0                       unassigned      NO  unset  up                    up    
router#
