ISR1000 Basic Configuration / Routing Issue

JPolisel
Level 1

I'm trying to set up a C1111-4P with my 2 ISPs. I was able to configure both WANs and I can ping 8.8.8.8 from each WAN as well as from the VLAN, but when I add the route everything stops working. In addition, one of my ISPs allows for IPv6 connectivity, but the router doesn't seem to acquire the IPv6 address.

I factory reset the router and used the WebUI to configure it, but I got the same results.

G0/0/0 connects the ISP that provides both IPv4 and IPv6 via DHCP. This is currently configured as a router, but later I intend to change it to bridge and it will still use DHCP.

G0/0/1 connects a slower ISP that provides only IPv4. This is currently set up as a router, but later I intend to change it to bridge and it will then use PPPoE.

I have not changed them from router to bridge yet because I have devices connected to each ISP, and I need the C1111 to be working before I make the change.

Adding the following causes the problem (the same commands are added by the WebUI):

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 253

I also have questions about how to set up each ISP link's nominal speed and how to configure the router to load-balance between both, but that's a step further, after I get it working.

This is my current configuration:

!
! Last configuration change at 23:21:43 UTC Sun Aug 22 2021
!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 150000
!
hostname ISR1000
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$gXU3UBpqMdGvDk$4fOdn8s6OgcQQMC.4xGrZdJIA8MgSa9Nqhy76tkajtg
enable password XXXXXXXXXX
!
no aaa new-model
clock timezone UTC -3 0
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool WEBUIPool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 lease 7
!
!
!
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-901209512
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-901209512
 revocation-check none
 rsakeypair TP-self-signed-901209512
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-901209512
 certificate self-signed 01
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
!
!
license udi pid C1111-4P sn XXXXXXXXXX
memory free low-watermark processor 70642
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username webui privilege 15 one-time password 0 cisco
username jpolisel privilege 15 password 0 XXXXXXXXXX
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description CLARO
 ip address dhcp
 ip nat outside
 negotiation auto
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/1
 description VIVO
 ip address dhcp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 100
!
interface GigabitEthernet0/1/1
 switchport access vlan 100
!
interface GigabitEthernet0/1/2
 switchport access vlan 100
!
interface GigabitEthernet0/1/3
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip nat inside source list 11 interface GigabitEthernet0/0/0 overload
ip nat inside source list 12 interface GigabitEthernet0/0/1 overload
!
!
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip access-list standard 11
 10 remark define internal networks
 10 permit 192.168.1.0 0.0.0.255
ip access-list standard 12
 10 remark define internal networks
 10 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password XXXXXXXXXX
 login
 transport input ssh
line vty 5 14
 password XXXXXXXXXX
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp server b.ntp.br
ntp server c.ntp.br
ntp server a.ntp.br
ntp server a.st1.ntp.br
ntp server c.st1.ntp.br
ntp server d.st1.ntp.br
ntp server gps.ntp.br
ntp server b.st1.ntp.br
!
!
!
!
!
!
end

I appreciate any guidance! Thank you!

8 Replies

Hello,

try the NAT configuration marked in bold:

! Last configuration change at 23:21:43 UTC Sun Aug 22 2021
!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 150000
!
hostname ISR1000
!
boot-start-marker
boot-end-marker
!
enable secret 9 $9$gXU3UBpqMdGvDk$4fOdn8s6OgcQQMC.4xGrZdJIA8MgSa9Nqhy76tkajtg
enable password XXXXXXXXXX
!
no aaa new-model
clock timezone UTC -3 0
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool WEBUIPool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 lease 7
!
login on-success log
ipv6 unicast-routing
!
subscriber templating
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-901209512
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-901209512
 revocation-check none
 rsakeypair TP-self-signed-901209512
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki certificate chain TP-self-signed-901209512
 certificate self-signed 01
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
        quit
!
license udi pid C1111-4P sn XXXXXXXXXX
memory free low-watermark processor 70642
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username webui privilege 15 one-time password 0 cisco
username jpolisel privilege 15 password 0 XXXXXXXXXX
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0/0
 description CLARO
 ip address dhcp
 ip nat outside
 negotiation auto
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/1
 description VIVO
 ip address dhcp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 100
!
interface GigabitEthernet0/1/1
 switchport access vlan 100
!
interface GigabitEthernet0/1/2
 switchport access vlan 100
!
interface GigabitEthernet0/1/3
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp 253
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
!
ip sla schedule 1 life forever start-time now
!
ip access-list extended 101
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT_ISP1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
route-map NAT_ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1
!
control-plane
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password XXXXXXXXXX
 login
 transport input ssh
line vty 5 14
 password XXXXXXXXXX
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp server b.ntp.br
ntp server c.ntp.br
ntp server a.ntp.br
ntp server a.st1.ntp.br
ntp server c.st1.ntp.br
ntp server d.st1.ntp.br
ntp server gps.ntp.br
ntp server b.st1.ntp.br
!
end

I like the changes suggested by @Georg Pauwen. The change in address translation to use route maps is the way to optimize address translation when there is translation on more than one interface. It is not enough to just have a separate access list on the second interface, since both access lists are permitting the same subnet. Using a route map allows you to match not only the access list but also to match the interface.

The change to add dhcp to the static routes is essential to solving the problem described in the original post. There have been numerous discussions in the community about using a static route which points to an outbound interface but does not specify a next hop. We say sometimes that works and sometimes it does not work. This is one of the times where it does not work. The underlying problem is that the static route which specifies an outbound Ethernet interface without specifying a next hop requires the router to arp for EVERY destination address. This works if the next hop supports proxy arp. But it does not work if the next hop does not support proxy arp and it sure looks like these next hops do not support proxy arp.

HTH

Rick
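The two faults Rick describes (both NAT ACLs permitting the same inside subnet on two different outside interfaces, and interface-only default routes that leave the router ARPing for every destination) can be caught by a static check of the running-config before it is applied. The script below is an added example, not code from this thread or from Cisco; its finding codes, its parsing rules and the two config excerpts (constructed from the original and corrected configs posted above) are this example's own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the original post's config (unrelated sections dropped).
ORIGINAL = """\
ip nat inside source list 11 interface GigabitEthernet0/0/0 overload
ip nat inside source list 12 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 253
ip access-list standard 11
 10 permit 192.168.1.0 0.0.0.255
ip access-list standard 12
 10 permit 192.168.1.0 0.0.0.255
"""

# Constructed excerpt of the corrected config from the replies.
CORRECTED = """\
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp 253
ip access-list extended 101
 10 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT_ISP1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
route-map NAT_ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1
"""

def parse_blocks(config):
    """Group an IOS config into (header, [sub-commands]) pairs by indentation."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith(("!", " ")):
            blocks.append((line.strip(), []))
    return blocks

def acl_sources(blocks):
    """ACL name -> permitted source networks (an IOS wildcard mask parses as a hostmask)."""
    acls = {}
    for header, body in blocks:
        if m := re.match(r"ip access-list (standard|extended) (\S+)$", header):
            acls[m.group(2)] = nets = []
            for entry in body:
                toks = entry.split()[1:] if entry[:1].isdigit() else entry.split()  # drop sequence no.
                if toks[:1] != ["permit"]:
                    continue
                src = toks[1:3] if m.group(1) == "standard" else toks[2:4]  # extended: skip protocol
                spec = ("0.0.0.0/0" if src[0] == "any" else src[-1] + "/32"
                        if src[0] == "host" or len(src) == 1 else src[0] + "/" + src[1])
                nets.append(ipaddress.ip_network(spec, strict=False))
    return acls

def audit(config):
    """Return (code, message) findings for the config text."""
    blocks = parse_blocks(config)
    acls = acl_sources(blocks)
    rmaps = {}  # route-map name -> (ACL names it matches, whether it also matches an interface)
    for h, body in blocks:
        if m := re.match(r"route-map (\S+) permit", h):
            rmaps[m.group(1)] = ([b.split()[-1] for b in body if b.startswith("match ip address")],
                                 any(b.startswith("match interface") for b in body))
    findings, nat = [], []  # nat: (outside interface, inside networks, tied to the interface?)
    for h, _ in blocks:
        if m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (.*)", h):
            toks = m.group(1).split()
            # No gateway address and no 'dhcp': the router must ARP for every destination
            # (the "%Default route without gateway" warning IOS printed in the thread).
            if "dhcp" not in toks and not any(re.fullmatch(r"\d+(\.\d+){3}", t) for t in toks):
                findings.append(("PROXY_ARP", f"default route via {toks[0]} has no next hop"))
        if m := re.match(r"ip nat inside source (list|route-map) (\S+) interface (\S+)", h):
            kind, name, iface = m.groups()
            names, bound = ([name], False) if kind == "list" else rmaps.get(name, ([], False))
            nat.append((iface, [n for a in names for n in acls.get(a, [])], bound))
    # Two outside interfaces translating the same inside subnet are ambiguous unless each
    # NAT rule is tied to its own interface by a route-map 'match interface'.
    for i, (if_a, nets_a, bound_a) in enumerate(nat):
        for if_b, nets_b, bound_b in nat[i + 1:]:
            if if_a != if_b and not (bound_a and bound_b) and any(x.overlaps(y) for x in nets_a for y in nets_b):
                findings.append(("NAT_OVERLAP", f"{if_a} and {if_b} both translate the same inside subnet"))
    return findings
```

Running `audit(ORIGINAL)` reports two PROXY_ARP findings and one NAT_OVERLAP; `audit(CORRECTED)` reports nothing.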

JPolisel
Level 1

I should have disclosed this in my first message, and I apologize: I work in IT but I am not a network engineer; my network knowledge is limited to fixing and improving my home network, although it is something I have an interest in learning better. This ISR1000 is my first attempt at using more professional hardware.

I changed the configuration per @Georg Pauwen's instructions, but I got an error adding the route (the marker was on "track"):


ISR1000(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp track 1
^
% Invalid input detected at '^' marker.

ISR1000(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp 253
ISR1000(config)#

Everything else worked when re-configuring the ACL and NAT.

I pasted the route command replacing "track 1" with a question mark, and it shows me that the only parameter accepted after dhcp is the metric.

I went back and added the route without "track 1" or the metric, and everything works now; I enabled and configured DNS, etc.

I understand that "ip sla" and "track" are there to monitor availability and change routing based on my primary ISP being available, but without "track 1" on the route, how is this going to work when the primary ISP is down?

About load balancing the 2 ISP connections, I have done some research and read a few other posts like https://community.cisco.com/t5/switching/dual-isp-connection-and-load-balancing/td-p/3395681, but I still don't understand what I should do to enable it. The current configuration of the router seems to forward all traffic through the primary ISP only. Can you give me some pointers on that as well?

Here's my current configuration:

!
! Last configuration change at 18:51:11 UTC Mon Aug 23 2021
! NVRAM config last updated at 19:02:02 UTC Mon Aug 23 2021
!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 150000
!
hostname ISR1000
!
boot-start-marker
boot-end-marker
!
enable secret 9 $9$gXU3UBpqMdGvDk$4fOdn8s6OgcQQMC.4xGrZdJIA8MgSa9Nqhy76tkajtg
enable password XXXXXXXXXX
!
no aaa new-model
clock timezone UTC -3 0
!
ip name-server 1.1.1.1 8.8.8.8 8.8.4.4
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool WEBUIPool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
 lease 7
!
login on-success log
ipv6 unicast-routing
!
subscriber templating
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-901209512
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-901209512
 revocation-check none
 rsakeypair TP-self-signed-901209512
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki certificate chain TP-self-signed-901209512
 certificate self-signed 01
  3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
## REMOVED ##
  22D50FC1 88902C5E 01CDA2E3 DBFA12A5 258A
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
## REMOVED ##
  D697DF7F 28
        quit
!
license udi pid C1111-4P sn XXXXXXXXXXX
memory free low-watermark processor 70642
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username webui privilege 15 one-time password 0 cisco
username jpolisel privilege 15 password 0 XXXXXXXXXX
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0/0
 description CLARO
 ip address dhcp
 ip nat outside
 negotiation auto
 ipv6 enable
 ipv6 nd autoconfig default-route
 ipv6 dhcp client request vendor
!
interface GigabitEthernet0/0/1
 description VIVO
 ip address dhcp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 100
!
interface GigabitEthernet0/1/1
 switchport access vlan 100
!
interface GigabitEthernet0/1/2
 switchport access vlan 100
!
interface GigabitEthernet0/1/3
 switchport access vlan 100
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip dns server
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp 253
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip access-list extended 101
 10 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT_ISP2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/1
!
route-map NAT_ISP1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password XXXXXXXXXX
 login
 transport input ssh
line vty 5 14
 password XXXXXXXXXX
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp server b.ntp.br
ntp server c.ntp.br
ntp server a.ntp.br
ntp server a.st1.ntp.br
ntp server c.st1.ntp.br
ntp server d.st1.ntp.br
ntp server gps.ntp.br
ntp server b.st1.ntp.br
!
end

Thanks a lot!

Hello,

it won't work without the track, so just leave the 'dhcp' out and add the 'track':

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 253

As for the load balancing, putting two static default routes in will do 50/50 load sharing:

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp

which might not be what you want if the links have different speeds.

I ran

ISR1000(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1
%Default route without gateway, if not a point-to-point interface, may impact performance
ISR1000(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 253
%Default route without gateway, if not a point-to-point interface, may impact performance

I noticed these 2 warnings about performance; is this what @Richard Burts described above as having to do ARP for each address?

Then I ran

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp

As I removed the DHCP routes, almost immediately I got a notification:

Aug 23 23:00:38.255: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down

Then I can no longer ping 8.8.8.8 from any source. This is my initial problem. So it looks like I need to specify both DHCP and track on the route, but I can only do one or the other?

On the load balancing, 50/50 is not what I had in mind. ISP1 is 240/20 and ISP2 is 25/2.5 download/upload Mbps respectively. I understand if this is too much for a single post, and I can come back to this later. I looked into some documents and found something about CEF and dCEF; is this what I should study for this issue in particular?

Thank you!

We have been having this discussion assuming that the objective was to establish a preferred primary default route and a secondary failover route (that is what track 1 and a higher Administrative Distance do). But I read the original post again and noticed this statement: "how do I configure the router to load-balance between both". If the longer-term objective is to load balance, then we do not need track 1 or 253. In fact, if the objective is load balancing, then I wonder whether we need the static routes at all. If both WAN interfaces are using DHCP, then I assume that both are learning a default route. And that should provide load balancing.

HTH

Rick
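To make the failover behaviour discussed above concrete (what carries the default route when the track goes down, when a 'dhcp' route loses its gateway, or when two routes share the same AD), here is a small model of IOS route selection for 0.0.0.0/0. It is an added example, not code from this thread or from Cisco; the Candidate and State types, the scenario helper and the hash-based per-destination sharing illustration are this example's own assumptions, while the AD values come from the thread's commands (1 unless set, 253 where configured, and 254 assumed for defaults learned by 'ip address dhcp').

```python
"""Model of how an IOS router chooses the active default route(s) in the setups
discussed in this thread: the candidates for 0.0.0.0/0 compete on administrative
distance (AD); a candidate is eligible only while its 'track' object is Up and,
for 'dhcp' routes, while its interface holds a DHCP gateway; all eligible routes
at the lowest AD are installed together and traffic is shared per destination."""
from dataclasses import dataclass
from typing import Optional
import zlib

@dataclass(frozen=True)
class Candidate:
    interface: str
    distance: int                 # AD: static routes are 1 unless set (253 in the thread)
    track: Optional[int] = None   # 'track N' appended to the static route
    needs_lease: bool = False     # 'dhcp' keyword: withdrawn while the interface has no DHCP gateway

@dataclass
class State:
    tracks_up: dict   # track id -> reachability result of 'track N ip sla N reachability'
    leases: set       # interfaces that currently hold a DHCP-assigned gateway

def active_default(candidates, state):
    """Interfaces carrying 0.0.0.0/0: the eligible candidates with the lowest AD."""
    eligible = [c for c in candidates
                if (c.track is None or state.tracks_up.get(c.track, False))
                and (not c.needs_lease or c.interface in state.leases)]
    if not eligible:
        return []
    best = min(c.distance for c in eligible)
    return sorted(c.interface for c in eligible if c.distance == best)

def egress_for(src, dst, paths):
    """Per-destination sharing: a flow hashes to one of the equal-cost paths and stays
    there. The hash is this example's stand-in, not CEF's; the stickiness is the point."""
    if not paths:
        return None
    return paths[zlib.crc32(f"{src}->{dst}".encode()) % len(paths)]

G0, G1 = "GigabitEthernet0/0/0", "GigabitEthernet0/0/1"

# The arrangements tried or proposed in the thread, as candidate sets.
TRACKED = [Candidate(G0, 1, track=1), Candidate(G1, 253)]          # ... G0/0/0 track 1 / ... G0/0/1 253
DHCP_STATIC = [Candidate(G0, 1, needs_lease=True),
               Candidate(G1, 253, needs_lease=True)]               # ... G0/0/0 dhcp / ... G0/0/1 dhcp 253
EQUAL_COST = [Candidate(G0, 1, needs_lease=True),
              Candidate(G1, 1, needs_lease=True)]                  # ... G0/0/0 dhcp / ... G0/0/1 dhcp
NO_STATIC = [Candidate(G0, 254, needs_lease=True),
             Candidate(G1, 254, needs_lease=True)]                 # only the defaults learned by 'ip address dhcp' (AD 254 assumed, the IOS default)

def scenario(candidates, sla_up=True, leases=(G0, G1)):
    """Evaluate a candidate set with track 1 Up or Down and the given live DHCP gateways."""
    return active_default(candidates, State({1: sla_up}, set(leases)))

if __name__ == "__main__":
    print("tracked, SLA up:             ", scenario(TRACKED))
    print("tracked, SLA down:           ", scenario(TRACKED, sla_up=False))
    print("dhcp static, SLA down:       ", scenario(DHCP_STATIC, sla_up=False))   # no track: stays on G0
    print("dhcp static, G0 gateway lost:", scenario(DHCP_STATIC, leases=(G1,)))
    print("two equal-AD dhcp routes:    ", scenario(EQUAL_COST))
    print("no statics, both DHCP:       ", scenario(NO_STATIC))
    print("flow 192.168.1.20 -> 8.8.8.8 leaves via", egress_for("192.168.1.20", "8.8.8.8", scenario(EQUAL_COST)))
```

The DHCP_STATIC case shows the answer to the question asked earlier in the thread: without 'track', an SLA failure changes nothing, and only loss of the primary's DHCP gateway moves traffic to the 253 route.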

I appreciate the response, Rick. When I was looking for a router to buy, I was initially looking at something like the Cisco RV340; the emulator for this model shows that you can set up multi-WAN and configure a "weight" for each WAN (https://www.cisco.com/assets/sol/sb/RV340_Emulators/RV340_Emulator_v1-0-03-15/index.html#/WAN_Multi_WAN), but then I found tests indicating that it can route much slower than my fastest ISP. Therefore I looked for other alternatives and found the ISR1100, which was indicated to be much faster, and given that it is a more robust device I assumed it would have the same capabilities as the RV340 and more. I knew it would be more complex to configure and operate too, but I wasn't expecting this level of complexity. Honestly, I thought I would configure it using the Web UI and then tweak it via console, but actually I couldn't succeed in configuring it properly in the Web UI.

About "I wonder if we need static routes at all": if I remove the static routes it won't work. So far I have only got it working by adding the static routes with DHCP.

I'll try to do some testing unplugging the cable from the cable modem and see how it behaves; if it can fail over between ISPs, that's good enough for now.

Thanks!

My comments were based on this statement in the original post "I'm trying to setup a C1111-4P with my 2 ISPs. I was able to configure both WAN and I can ping 8.8.8.8 from each WAN as well as Vlan, but when I add the route everything stops working." Are you now saying that this was not correct and that you were not able to ping 8.8.8.8 until you configured the static routes?

Dealing with some other points:

- you said "I noticed these 2 warnings about performance, is this what @Richard Burts described above as having to do ARP for each address?" Yes indeed, that is what I was talking about. When you configure a static route specifying an outbound Ethernet interface but no next hop, these are the implications:

* the router must arp for every destination - so more network traffic

* if it works, the router adds an arp entry for each destination address - a bigger arp table requires more memory

* bigger arp table makes searching the arp table a bigger task

* refreshing the entries in the arp table every 4 hours requires more cpu processing, and generates more network traffic

- I am surprised that you can successfully configure either dhcp or track but not both. As I think about it I believe that the issue may be that track was designed to operate on locally configured routes, but adding the dhcp parameter indicates that the route actually was learned from an external source. I am not authoritative on this aspect and if anyone who is authoritative would jump in I would appreciate it.

HTH

Rick