08-23-2019 01:12 AM
After reading various posts I created a dual WAN connection which seems to work. The two internet connections are: Fas0/1 (link 1) and Fas0/0.51 (link 2). (Fas0/0.20 is the local network connection.) The script is below and the two ip route statements seem to do the work. Is this all that needs to be done? It seems to use both interfaces. Is there any way to get it to use Fas0/1 (link 1) only and Fas0/0.51 (link 2) if this goes down?
interface FastEthernet0/0
description Local Link
no ip address
duplex full
speed auto
!
interface FastEthernet0/0.20
description Local Network
encapsulation dot1Q 20 native
ip address 192.168.2.23 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.51
description Internet Link 2
encapsulation dot1Q 51
ip address 192.168.5.23 255.255.255.0
no cdp enable
!
interface FastEthernet0/1
description Internet Link 1
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.51
08-23-2019 02:22 AM
Hello Brian,
you need to build a hierarchy in routing
a)
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.51
this should become:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.51 220
b) NAT statements
In order to be able to use Fas0/0.51 as a backup exit path for internet we need to enable ip nat outside on it:
int fas0/0.51
ip nat outside
Now, when having multiple exit points, the best way is to use route-maps in the NAT statement; in this way we can make a match on the outgoing interface:
access-list 11 remark internal LAN for NAT
access-list 11 permit 192.168.2.0 0.0.0.255
route-map NAT1 permit 10
match ip address 11
match interface fas0/1
route-map NAT2 permit 10
match ip address 11
match interface fas0/0.51
Then you need the following statements:
ip nat inside source route-map NAT1 interface fas0/1 overload
ip nat inside source route-map NAT2 interface fas0/0.51 overload
To complete the configuration you can use an IP SLA to track the state of the primary default route.
Hope to help
Giuseppe
08-26-2019 01:05 AM
Thanks Giuseppe!
Have the following configuration from your info which works in that if I shutdown FAS0/1 it switches over to FAS0/0.55. However it does go back to FAS0/1 with "no shutdown". There is no entry in the log showing "%TRACKING-5-STATE: 1 ip sla 20 reachability Down->Up" (after the Up->Down). Is this even possible though? If "ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 track 1" disables FAS0/1 then how can "icmp-echo 49.255.197.184 source-interface FastEthernet0/1" ever work?
track 1 ip sla 20 reachability
!
interface FastEthernet0/0
description Link
no ip address
duplex full
speed auto
!
interface FastEthernet0/0.20
description Local link
encapsulation dot1Q 20 native
ip address 192.168.2.23 255.255.255.0
ip helper-address 192.168.2.201
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.51
description Link 2
encapsulation dot1Q 51
ip address 192.168.5.23 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
description Link 1
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip http server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.51 220
!
ip nat inside source route-map NAT1 interface FastEthernet0/1 overload
ip nat inside source route-map NAT2 interface FastEthernet0/0.51 overload
!
!
ip sla 20
icmp-echo 49.255.197.184 source-interface FastEthernet0/1
timeout 10000
frequency 10
ip sla schedule 20 life forever start-time now
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
!
route-map NAT2 permit 10
match ip address 1
match interface FastEthernet0/0.51
!
route-map NAT1 permit 10
match ip address 1
match interface FastEthernet0/1
!
08-26-2019 01:44 AM
Hello Brian,
>> if "ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 track 1" disables FAS0/1 then how can "icmp-echo 49.255.197.184 source-interface FastEthernet0/1" ever work?
The tracking action should only remove the primary default route if the IP SLA fails; it should not disable interface fas1/0, so when interface Fas0/1 comes back up the IP SLA should work again and trigger a restore of the primary route.
This is my understanding of how it should work.
>>%TRACKING-5-STATE: 1 ip sla 20 reachability Down->Up" (after the Up->Down). Is this even possible though?
Verify the status of the IP SLA with
show ip sla,
the status of the interface with show ip int brief.
Hope to help
Giuseppe
08-27-2019 02:38 AM - edited 08-27-2019 02:38 AM
Thanks again Giuseppe,
With the same config (see previous post):
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.51 220
"sh ip sla stat" shows timeout, reachability is down and "ping 49.255.197.184 source fas0/1" fails. Also "traceroute 8.8.8.8" times out after the first line. ip route is via fas0/0.51
Adding "ip route 0.0.0.0 0.0.0.0 FastEthernet0/1" makes all these things work again including traceroute, and routing via fas0/1.
Not sure what to make of this based on what you said, which is as per Cisco documentation. Strange thing is that on one occasion I'm sure ping and everything was actually working with the same config.
Brian
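A common way to keep an IP SLA probe independent of the route it tracks is a static host route that pins the probe target to link 1, so the echo still leaves via FastEthernet0/1 after the tracked default route has been withdrawn and only the backup default via FastEthernet0/0.51 remains. The fragment below is an added example, not configuration posted in this thread; `<link1-next-hop>` is a placeholder for the masked ISP gateway on link 1 and the `delay` values are assumed.

```cisco
! Added example (not from the thread).
! Host route: traffic to the probe target always uses link 1,
! regardless of which default route is currently installed.
! <link1-next-hop> is a placeholder for the link 1 gateway address.
ip route 49.255.197.184 255.255.255.255 FastEthernet0/1 <link1-next-hop>
!
! Probe as posted in the thread.
ip sla 20
 icmp-echo 49.255.197.184 source-interface FastEthernet0/1
 timeout 10000
 frequency 10
ip sla schedule 20 life forever start-time now
!
! Track object; the delay timers (assumed values, in seconds) damp
! flapping so a single lost or returned echo does not move the route.
track 1 ip sla 20 reachability
 delay down 20 up 30
!
! Primary default follows the track object; backup is a floating static.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 track 1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.51 220
```

With the host route in place, the probe target is also unreachable through link 2 while link 1 is down, so choose a target that nothing else depends on; `show track 1` and `show ip sla statistics 20` show whether the state returns to Up after the link recovers.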