
Dual Internet connection on a Cisco 2900

olufemi.bakare
Level 1

I have 2 locations in Nigeria, Lagos and Abuja. I want to implement 2 internet connections on the 2 Cisco routers, one per location. How do I go about it?



Below is the config of the 1st router in location 1:


Building configuration...


Current configuration : 8814 bytes

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r_boyle

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$x8Ca$zIFk5rmcw4l7117SvgsRz.

enable password networkadmin

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

clock timezone GMT 1 0

!

no ipv6 cef

ip source-route

ip cef

!

!

!

no ip dhcp use vrf connected

no ip dhcp conflict logging

ip dhcp excluded-address 192.168.13.1 192.168.13.140

ip dhcp excluded-address 192.168.13.182

ip dhcp excluded-address 192.168.13.189

ip dhcp excluded-address 192.168.13.191

ip dhcp excluded-address 192.168.13.176

ip dhcp excluded-address 192.168.13.161

ip dhcp excluded-address 192.168.13.37

ip dhcp excluded-address 192.168.13.183

!

ip dhcp pool Boyle

network 192.168.13.0 255.255.255.0

default-router 192.168.13.1

dns-server 62.173.32.89 62.173.34.222

domain-name resort.local

lease 3

!

ip dhcp pool mainserver

host 192.168.13.23 255.255.255.0

!

!

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO2911/K9 sn FTX1613ALQG

!

!

!

!

!

class-map match-any SOCIAL_NET

match protocol http host "www.facebook.com"

match protocol http host "facebook.com"

match protocol http host "gmail.com"

match protocol http host "yahoo.com"

!

!

policy-map DROP_SOCIAL_NET

class SOCIAL_NET

  drop

!

!

!

!

!

interface Loopback1

ip address 62.173.38.206 255.255.255.255

!

interface Loopback2

ip address 10.163.106.152 255.255.255.255

!

interface Tunnel0

description to fie

ip address 172.17.60.1 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 192.168.163.123

!

interface Tunnel2

description tunnel to headoffice

ip address 172.17.12.1 255.255.255.252

tunnel source 10.163.106.152

tunnel destination 192.168.164.123

!

interface Tunnel8

description tunnel to abuja

ip address 172.18.11.2 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 10.163.170.110

!

interface Tunnel9

description Tunnel to Aluminium

ip address 172.19.11.2 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 192.168.163.166

!

interface Tunnel11

description tunnel to ikeja

ip address 172.20.13.2 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 192.168.164.242

!

interface Tunnel12

description tunnel to lekki

ip address 172.20.14.2 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 192.168.164.236

!

interface Tunnel16

description Tunnel to Garki

ip address 172.12.13.2 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 192.168.180.94

!

interface Tunnel17

description Tunnel to PH

ip address 172.28.12.1 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

!

interface Tunnel77

description Tunnel to PHh

ip address 172.17.80.2 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 10.60.19.98

!

interface Tunnel78

description Tunnel to wimax_abj

ip address 172.17.46.2 255.255.255.252

ip nat inside

ip virtual-reassembly in

tunnel source 10.163.106.152

tunnel destination 10.60.17.110

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description WAN interface

ip address 172.16.64.180 255.255.255.248

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

load-interval 30

duplex auto

speed auto

!

interface GigabitEthernet0/1

description LAN interface

ip address 192.168.13.1 255.255.0.0

ip nat inside

ip virtual-reassembly in

no ip route-cache

duplex auto

speed auto

service-policy output DROP_SOCIAL_NET

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

!

router eigrp 25

network 10.0.0.0

network 172.16.0.0

network 192.168.1.0

network 192.168.13.0

network 192.168.15.0

network 192.168.18.0

network 192.168.19.0

network 192.168.24.0

!

router rip

network 192.168.13.0

no auto-summary

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list 8 interface Loopback1 overload

ip nat inside source static 192.168.13.37 62.173.38.40

ip route 0.0.0.0 0.0.0.0 172.16.64.177

ip route 10.163.0.0 255.255.0.0 10.163.106.1

ip route 10.163.0.0 255.255.0.0 10.60.18.137

ip route 10.163.106.0 255.255.255.0 10.163.192.1

ip route 10.163.106.0 255.255.255.0 10.60.18.137

ip route 10.163.106.0 255.255.255.0 10.163.170.1

ip route 10.163.106.0 255.255.255.0 10.60.17.109

ip route 10.163.106.0 255.255.255.0 10.60.19.97

ip route 62.173.38.40 255.255.255.255 GigabitEthernet0/0

ip route 62.173.38.41 255.255.255.255 GigabitEthernet0/0

ip route 62.173.38.206 255.255.255.255 GigabitEthernet0/1

ip route 172.16.3.0 255.255.255.0 10.163.106.1

ip route 172.16.6.0 255.255.255.0 10.163.106.1

ip route 172.16.19.30 255.255.255.255 10.163.106.1

ip route 192.168.10.0 255.255.255.0 172.17.60.2

ip route 192.168.11.0 255.255.255.0 172.19.11.1

ip route 192.168.12.0 255.255.255.0 172.17.12.2

ip route 192.168.14.0 255.255.255.0 172.18.11.1

ip route 192.168.16.0 255.255.255.0 172.20.13.1

ip route 192.168.17.0 255.255.255.0 172.20.14.1

ip route 192.168.19.0 255.255.255.0 172.12.13.1

ip route 192.168.20.0 255.255.255.0 172.28.12.2

ip route 192.168.21.0 255.255.255.0 172.17.2.1

ip route 192.168.21.0 255.255.255.0 172.17.2.2

ip route 192.168.22.0 255.255.255.0 172.17.80.1

ip route 192.168.23.0 255.255.255.0 172.17.46.1

ip route 192.168.27.0 255.255.255.0 172.27.17.2

ip route 192.168.101.0 255.255.255.0 172.17.20.2

ip route 192.168.163.0 255.255.255.0 10.163.106.1

ip route 192.168.163.0 255.255.255.0 172.16.64.177

ip route 192.168.163.0 255.255.255.255 172.16.64.177

ip route 192.168.164.0 255.255.255.0 10.163.106.1

ip route 192.168.164.0 255.255.255.0 172.16.64.177

ip route 192.168.170.0 255.255.255.0 10.163.106.1

ip route 192.168.180.0 255.255.255.0 10.163.106.1

!

access-list 8 deny   192.168.13.37

access-list 8 permit 192.168.13.0 0.0.0.255

access-list 8 permit 192.168.18.0 0.0.0.255

access-list 8 permit 192.168.19.0 0.0.0.255

access-list 8 permit 192.168.20.0 0.0.0.255

access-list 8 permit 192.168.21.0 0.0.0.255

access-list 8 permit 192.168.17.0 0.0.0.255

access-list 8 permit 192.168.15.0 0.0.0.255

access-list 8 permit 192.168.14.0 0.0.0.255

access-list 8 permit 192.168.11.0 0.0.0.255

access-list 8 permit 192.168.10.0 0.0.0.255

access-list 8 permit 192.168.23.0 0.0.0.255

access-list 8 permit 192.168.22.0 0.0.0.255

access-list 8 permit 192.168.16.0 0.0.0.255

access-list 8 permit 192.168.24.0 0.0.0.255

access-list 101 permit gre host 10.163.106.152 host 192.168.163.123

access-list 102 permit gre host 10.163.106.152 host 192.168.164.123

access-list 104 permit gre host 10.163.106.152 host 192.168.163.166

access-list 109 permit gre host 10.163.106.152 host 10.163.170.110

access-list 120 permit gre host 10.163.106.152 host 172.16.3.66

access-list 121 permit gre host 10.163.106.152 host 192.168.164.242

access-list 122 permit gre host 10.163.106.152 host 192.168.164.236

access-list 123 permit gre host 10.163.106.152 host 172.16.19.30

access-list 124 permit gre host 10.163.106.152 host 192.168.180.94

access-list 125 permit gre host 10.163.106.152 host 192.168.170.23

access-list 139 permit gre host 172.16.64.177 host 10.163.170.110

access-list 140 permit gre host 172.16.64.177 host 172.16.3.66

access-list 141 permit gre host 172.16.64.177 host 192.168.163.123

access-list 142 permit gre host 172.16.64.177 host 192.168.164.123

access-list 144 permit gre host 172.16.64.177 host 192.168.163.166

access-list 151 permit gre host 172.16.64.177 host 192.168.164.242

access-list 152 permit gre host 172.16.64.177 host 192.168.164.236

access-list 153 permit gre host 172.16.64.177 host 172.16.19.30

access-list 154 permit gre host 172.16.64.177 host 192.168.180.94

access-list 155 permit gre host 172.16.64.177 host 192.168.170.23

!

no cdp run

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

password networkadmin

transport input all

!

scheduler allocate 20000 1000

ntp logging

end



The 2nd location's router config is:


Building configuration...


Current configuration : 1803 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname resort_Wimax_GARKI

!

boot-start-marker

boot config flash:flash

boot-end-marker

!

!

no aaa new-model

!

!

ip cef

no ip dhcp use vrf connected

no ip dhcp conflict logging

ip dhcp excluded-address 192.168.23.1 192.168.23.20

!

ip dhcp pool wimax_garki

   network 192.168.23.0 255.255.255.0

   domain-name resort.com

   dns-server 62.173.34.222 62.173.32.89

   default-router 192.168.22.1

   lease 3

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Tunnel1

description tunnel to boyle

ip address 172.17.46.1 255.255.255.252

ip mtu 1340

ip tcp adjust-mss 1340

tunnel source FastEthernet0/0

tunnel destination 10.163.106.152

!

interface FastEthernet0/0

description WAN interface

ip address 10.60.17.110 255.255.255.252

ip nat outside

ip virtual-reassembly

no ip route-cache cef

no ip route-cache

duplex auto

speed auto

!

interface FastEthernet0/1

description LAN interface

ip address 192.168.23.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Tunnel1

ip route 10.163.106.0 255.255.255.0 10.60.17.109

ip route 10.163.170.0 255.255.255.255 10.60.17.109

ip route 172.16.64.177 255.255.255.255 10.60.17.109

ip route 192.168.13.0 255.255.255.0 172.17.46.2

!

!

no ip http server

no ip http secure-server

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line vty 0 4

login local

!

scheduler allocate 20000 1000

!

end



I have an existing internet connection (IPNX) and a new connection (IS) to the internet that I want to integrate. On the Lagos router, I tried implementing PBR with SLA thus:


interface GigabitEthernet0/1
ip policy route-map PBR

interface GigabitEthernet0/0
description To IPNX
!
interface GigabitEthernet0/2
description To IS
ip address 197.156.206.172 255.255.255.248
ip nat outside

ip sla 1
icmp-echo 172.16.64.177
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 197.156.206.169
timeout 5000
frequency 5
ip sla schedule 2 life forever start-time now

track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!

ip route 0.0.0.0 0.0.0.0 172.16.64.177 track 10
ip route 0.0.0.0 0.0.0.0 197.156.206.169 track 20

access-list 10 permit 192.168.13.0 0.0.0.255
access-list 100 permit ip any any
access-list 150 permit ip any any

these ACLs will be used with PBR and NATing

route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 172.16.64.177 1 track 20
!
route-map PBR permit 30
match ip address 150
set ip next-hop verify-availability 197.156.206.169 2 track 10
!

route-map ISP2 permit 10
match ip address 10
match interface GigabitEthernet0/2
!
route-map ISP1 permit 10
match ip address 10
match interface GigabitEthernet0/0

ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload

pls can anyone review my config and verify for me?




rfalconer.sffcu
Level 3

I think your tracking statements are backwards on your PBR route-maps.

Can you suggest how it should be? I thought I did something wrong, but can't figure out what exactly......

interface GigabitEthernet0/1

ip policy route-map PBR    ---- this is for policy based routing

interface GigabitEthernet0/0

description To IPNX

!

interface GigabitEthernet0/2

description To IS

ip address 197.156.206.172 255.255.255.248

ip nat outside

ip sla 1 (for ipnx)

icmp-echo 172.16.64.177

timeout 500

frequency 1

ip sla schedule 1 life forever start-time now

ip sla 2 (for IS)

icmp-echo 197.156.206.169

timeout 500

frequency 1

ip sla schedule 2 life forever start-time now

track 10 ip sla 1 reachability

delay down 1 up 1

!

track 20 ip sla 2 reachability

delay down 1 up 1

!

ip route 0.0.0.0 0.0.0.0 172.16.64.177 track 10

ip route 0.0.0.0 0.0.0.0 197.156.206.169 track 20

access-list 10 permit 192.168.13.0 0.0.0.255

access-list 100 permit ip any any

access-list 150 permit ip any any

these ACLs will be used with PBR and NATing

route-map PBR permit 10

match ip address 100

set ip next-hop verify-availability 172.16.64.177 1 track 20

!

route-map PBR permit 30

match ip address 150

set ip next-hop verify-availability 197.156.206.169 2 track 10

!

route-map ISP2 permit 10

match ip address 10

match interface GigabitEthernet0/2

!

route-map ISP1 permit 10

match ip address 10

match interface GigabitEthernet0/0

ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload

ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload

(pls take a look again)

So you want the IPNX link to be primary and the IS to be secondary, correct?

route-map PBR permit 10

match ip address 100

set ip next-hop verify-availability 172.16.64.177 1 track 20 <------ I think this should be 10

route-map PBR permit 30

match ip address 150

set ip next-hop verify-availability 197.156.206.169 2 track 10 <------ I think this should be 20

You'll also still need the 'ip nat inside' commands referencing the route-maps.

Have you tested this and it doesn't work?
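As an added example (not part of the original thread and not Cisco code), this Python sketch checks the posted lines for the mismatch pointed out above: a next hop guarded by a track object whose IP SLA probe pings a different gateway. It assumes, as in the post, that each probe targets the gateway of the link it guards; the function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: the SLA, track, static-route and PBR lines as first posted.
POSTED = """\
ip sla 1
 icmp-echo 172.16.64.177
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 197.156.206.169
ip sla schedule 2 life forever start-time now
track 10 ip sla 1 reachability
track 20 ip sla 2 reachability
ip route 0.0.0.0 0.0.0.0 172.16.64.177 track 10
ip route 0.0.0.0 0.0.0.0 197.156.206.169 track 20
route-map PBR permit 10
 match ip address 100
 set ip next-hop verify-availability 172.16.64.177 1 track 20
route-map PBR permit 30
 match ip address 150
 set ip next-hop verify-availability 197.156.206.169 2 track 10
"""
# Same lines with the track numbers swapped as suggested in the reply above.
CORRECTED = (POSTED.replace("177 1 track 20", "177 1 track 10")
                   .replace("169 2 track 10", "169 2 track 20"))

def track_probe_targets(cfg):
    """Return {track_id: probed_ip} by following track -> ip sla -> icmp-echo."""
    sla_ip, track_sla, current = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"ip sla (\d+)", line):          # not 'ip sla schedule'
            current = m.group(1)
        elif (m := re.match(r"icmp-echo (\S+)", line)) and current:
            sla_ip[current] = m.group(1)
        elif m := re.match(r"track (\d+) ip sla (\d+) reachability", line):
            track_sla[m.group(1)] = m.group(2)
    return {t: sla_ip.get(s) for t, s in track_sla.items()}

def mismatched_tracks(cfg):
    """List (where, next_hop, track_id, probed_ip) for every next hop guarded
    by a track object that probes a different (or undefined) address."""
    probes, findings, context = track_probe_targets(cfg), [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"route-map (\S+) permit (\d+)", line):
            context = f"route-map {m.group(1)} {m.group(2)}"
            continue
        where = context
        m = re.match(r"set ip next-hop verify-availability (\S+) \d+ track (\d+)", line)
        if not m:
            where = "static route"
            m = re.match(r"ip route \S+ \S+ (\S+)(?: \d+)? track (\d+)", line)
        if m and probes.get(m.group(2)) != m.group(1):
            findings.append((where, m.group(1), m.group(2), probes.get(m.group(2))))
    return findings

if __name__ == "__main__":
    for where, hop, track, probed in mismatched_tracks(POSTED):
        print(f"{where}: next hop {hop} uses track {track}, which probes {probed}")
    print("corrected findings:", mismatched_tracks(CORRECTED))
```

With the posted lines, both PBR entries are reported while the two tracked static routes pass; with the swapped track numbers nothing is reported.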

Thanks Robert. I am yet to test it. Was just dry-running this for now. Tried setting up GNS3 for this.....but time constraint.

If I got you right, why don't you just set a static route for each internet connection and on one of the static routes specify a greater routing value? If the first default route fails it will use the route with the next lowest value.

ip route 0.0.0.0 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0 0.0.0.0 10

Hmmmmmmmmmmm.....would this work?

Yes, it should. And remember that the last 0.0.0.0 is your next hop.

Good Luck!

Thank you. I would try this out too....you guys are life savers.....you just saved me from bringing down a whole bank's network....

You're welcome, Olufemi.

We're happy to help

Now let me ask. Would my GRE tunnels also work across the new link?

Just use two GRE tunnels, one for each ISP

Ehhhhhhhmmmmmm....I inherited this network, and I am new to GRE tunnels. I want to ask: the public IP addresses for the tunnels, will I have to get them from the new ISP, or can I just pick any address?

GRE allows routers to act as if they have a virtual point-to-point connection to each other. And btw, if you want to use only one GRE tunnel, this can be done as well.
