792 Views | 0 Helpful | 19 Replies

LAN - LTE Failover

Joy3
Level 1

Hello,

For my ISR LTE router, I would like to switch my connection from LTE to LAN in case of a failure. The LTE connection is working perfectly and I would like to know how to set up the LAN connection. A suggestion was given to use AD and another EEM, but unfortunately I do not know how to do this (an example would be even better). Could someone kindly give me an idea? Please note that this is a DMVPN connection, if it helps.

R1#sh run int cell 0/2/0
interface Cellular0/2/0
description INTERNET-UPLINK-VIA-LTE
bandwidth receive 18000
vrf forwarding INTERNET
ip address negotiated
ip nat outside
ip tcp adjust-mss 1460
load-interval 30
shutdown
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
end

R1#sh run int tunnel 100
Building configuration...

Current configuration : 534 bytes
!
interface Tunnel100
description TUNNEL-TO-DMVPN-HUB
ip address x.x.x.x
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I1
ip nhrp network-id 100
ip nhrp nhs x.x.x.x nbma x.x.x.x multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-1
end

The idea is to connect the LAN port to this interface, but from here I don't quite know how the switch can be done. Thanks in advance.

R1#sh run int gi0/1/7
interface GigabitEthernet0/1/7
description BACKUPLINK_LAN
switchport trunk allowed vlan 500,600,700
switchport mode trunk
service-policy output WAN-EDGE-4-CLASS
end

19 Replies

Hello,

You have a Zone Based Firewall configured as well? Post the full running config (sh run) of the router...

Hello @Georg Pauwen. Here is the running config:

no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
! Call-home is enabled by Smart-Licensing.
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition INTERNET
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 50000
enable secret 9 xxx
!
aaa new-model
!
!
aaa group server tacacs+ TACACS-ISE
server name xxx
server name xxx
!
aaa group server radius RADIUS-ISE
server name xxx
server name xxx
!
aaa authentication login VTY group TACACS-ISE local
aaa authentication login default group TACACS-ISE local
aaa authentication login CONSOLE group TACACS-ISE local
aaa authentication enable default group TACACS-ISE none
aaa authentication dot1x default group RADIUS-ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TACACS-ISE local
aaa authorization exec VTY group TACACS-ISE local if-authenticated
aaa authorization exec CONSOLE group TACACS-ISE local
aaa authorization commands 15 VTY group TACACS-ISE local if-authenticated
aaa authorization commands 15 CONSOLE group TACACS-ISE local
aaa authorization network default group RADIUS-ISE
aaa accounting update periodic 15
aaa accounting identity default start-stop group RADIUS-ISE
!
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
!
!
!
no ip domain lookup
ip domain name stadtulm.lan
!
ip dhcp pool webuidhcp
!
!
!
login on-failure log
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
vtp domain DMVPN-SPOKE
vtp mode transparent
!
!
multilink bundle-name authenticated
!
!
!
access-session mac-move deny
!
!
crypto pki trustpoint TP-self-signed-2698500584
enrollment selfsigned
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
no license feature hseck9
license udi pid C1126-8PLTEP sn xxx
license boot level appxk9
license boot level securityk9
memory free low-watermark processor 70293
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
dot1x system-auth-control
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause port-mode-failure
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause oam-remote-failure
errdisable recovery cause psp
errdisable recovery interval 360
!
username xxx privilege 15 secret 9 xxx

!
redundancy
mode none
!
!
!
crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxx
!
!
crypto ikev2 keyring DMVPN-KEYRING-2
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxxx
!
!
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address xxxx
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-1
dpd 40 5 on-demand
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-2
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address xxxx
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-2
dpd 40 5 on-demand
!
!
controller Cellular 0/2/0
!
controller VDSL 0/3/0
!
!
vlan internal allocation policy ascending
!
vlan 100
name x1
!
vlan 251
name x2
!
vlan 300
name x3
!
vlan 804
name x4
!
vlan 805
name x5
!
vlan 806
name x6
!
class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
!
class-map match-any REALTIME
match dscp ef
match dscp cs5
match dscp cs4
class-map type inspect match-all x
match access-group name x
class-map match-any CRITICAL-DATA
match dscp af41 af42 af43
match dscp af31 af32 af33
match dscp af21 af22 af23
match dscp af11 af12 af13
class-map match-any CONTROL
match dscp cs6
match dscp cs3
match dscp cs2
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab
!
policy-map type inspect TRAFFIC-POLICY
class type inspect x
drop
class class-default
pass
policy-map WAN-EDGE-4-CLASS
class REALTIME
priority level 1 percent 10
class CONTROL
bandwidth 100
class CRITICAL-DATA
bandwidth 100
!
!
zone security DMVPN
zone security INTRANET
zone security GLT
zone security MGMT
zone-pair security DMVPN->GLT source DMVPN destination GLT
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->INTRANET source DMVPN destination INTRANET
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->MGMT source DMVPN destination MGMT
service-policy type inspect TRAFFIC-POLICY
zone-pair security GLT->DMVPN source GLT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security INTRANET->DMVPN source INTRANET destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security MGMT->DMVPN source MGMT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
!
!
!
!
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE-1
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
!
crypto ipsec profile DMVPN-PROFILE-2
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-2
!
!
interface Loopback0
description ROUTER-MGMT
ip address xxx
!
interface Tunnel100
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I1
ip nhrp network-id 100
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-1
!
interface Tunnel200
description TUNNEL-TO-DMVPN-HUB-RTH
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I2
ip nhrp network-id 200
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-2
!
interface GigabitEthernet0/0/0
ip address xxx
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/1
description UPLINK-ACCESSPOINT
switchport trunk native vlan 806
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
spanning-tree portfast trunk
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/2
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/3
description UPLINK-ACCESSPOINT
switchport trunk native vlan 806
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
spanning-tree portfast trunk
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/4
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/5
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/6
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!

###########################################################################

I would like this to be the uplink to my DSL modem, so this config is just a trial that is not working.

interface GigabitEthernet0/1/7
description UPLINK_LAN
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
service-policy output WAN-EDGE-4-CLASS

#############################################################################
!
interface Cellular0/2/0
description INTERNET-UPLINK-VIA-LTE
bandwidth receive 18000
vrf forwarding INTERNET
ip address negotiated
ip nat outside
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface ATM0/3/0
no ip address
shutdown
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/3/0
no ip address
shutdown
no negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address xxx
ip helper-address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan251
ip address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan300
ip address xxx
ip helper-address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan804
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security GLT
no autostate
!
interface Vlan805
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
interface Vlan806
ip address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
interface Dialer1
vrf forwarding INTERNET
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
shutdown
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname kitatest
!
router bgp 65500
bgp router-id xxx
bgp log-neighbor-changes
neighbor USA-HUB peer-group
neighbor USA-HUB remote-as 65500
neighbor USA-HUB timers 20 60
neighbor CAN-HUB peer-group
neighbor CAN-HUB remote-as 65500
neighbor CAN-HUB timers 20 60
neighbor xxx peer-group CAN-HUB
neighbor xxx peer-group USA-HUB
!
address-family ipv4
bgp redistribute-internal
redistribute connected route-map RM-REDIST-CONNECTED-TO-BGP
neighbor USA-HUB send-community
neighbor USA-HUB weight 50000
neighbor USA-HUB next-hop-self all
neighbor USA-HUB soft-reconfiguration inbound
neighbor USA-HUB send-community
neighbor USA-HUB weight 50000
neighbor USA-HUB next-hop-self all
neighbor USA-HUB soft-reconfiguration inbound
neighbor xxx activate
neighbor xxx weight 50000
neighbor xxx activate
neighbor xxx weight 50000
distance bgp 201 19 250
exit-address-family
!
ip forward-protocol nd
ip ftp source-interface Loopback0
ip ftp username xxx
ip ftp password 7 xxx
no ip http server
ip http authentication local
no ip http secure-server
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0
ip tacacs source-interface Loopback0
!
!
ip access-list standard SNMP-MGMT
10 remark Erlaube SNMP Zugriff aus MGMT Zone
10 permit xxx
!
ip access-list extended KITA-NETWORKS
10 remark Kita Netze fuer Zone Based Firewall
10 permit ip any xxx
20 permit ip any xxx
ip access-list extended SSH-MGMT
10 remark Erlaube SSH Zugriff aus MGMT Zone
10 permit tcp xxx any eq 22
!
ip radius source-interface Loopback0
ip sla 2
icmp-echo 8.8.8.8
vrf INTERNET
threshold 500
timeout 1000
frequency 4
ip sla schedule 2 life forever start-time now
logging source-interface Loopback0
logging host xxx
logging host xxx
ip access-list standard 1
dialer-list 1 protocol ip permit
!
!
route-map RM-REDIST-CONNECTED-TO-BGP permit 10
description Redistributiere dedizierte Interfaces in den BGP Prozess
match interface Loopback0 Vlan100 Vlan251 Vlan300 Vlan804 Vlan805 Vlan806
!
snmp-server group GROUP-RO v3 priv read V3READ-ALL
snmp-server group GROUP-RW v3 priv read V3READ-ALL write V3WRITE-ALL
snmp-server group ArpGuardUser v3 priv
snmp-server group ArpGuardGroup v3 priv write ArpGuardView
snmp-server group ArpGuardGroup v3 priv context vlan- match prefix write ArpGuardView
snmp-server view V3READ-ALL iso included
snmp-server view V3WRITE-ALL iso included
snmp-server view ArpGuardView iso included
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp-server host xxx version 3 priv ArpGuardUser
snmp-server host xxx version 3 priv ArpGuardUser
snmp-server host xxx version 3 priv ArpGuardUser
snmp-server host xxx MUC-IPL
snmp-server host xxx RTH-IPL
snmp ifmib ifindex persist
!
tacacs server SUS-ISE-01-LP
address ipv4 xxx
key 7 xxx
tacacs server SUS-ISE-02-LP
address ipv4 xxx
key 7 xxx
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server SUS-ISE-02-LP
address ipv4 xxx auth-port 1812 acct-port 1813
key 7 xxx
!
radius server SUS-ISE-01-LP
address ipv4 xxx auth-port 1812 acct-port 1813
key 7 xxx
!
!
control-plane
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
stopbits 1
line vty 0 4
!
ntp source Loopback0
ntp server xxx
!
end

Hello @Georg Pauwen, I have attached the configs.

Hello,

What router model is this?

On the GigabitEthernet1/0/7, can you issue the command:

interface GigabitEthernet0/1/7

--> no switchport

Since you most likely cannot convert that port into a layer 3 port, use the config below (changes/additions marked with -->):

no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
! Call-home is enabled by Smart-Licensing.
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
vrf definition INTERNET
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 50000
enable secret 9 xxx
!
aaa new-model
!
!
aaa group server tacacs+ TACACS-ISE
server name xxx
server name xxx
!
aaa group server radius RADIUS-ISE
server name xxx
server name xxx
!
aaa authentication login VTY group TACACS-ISE local
aaa authentication login default group TACACS-ISE local
aaa authentication login CONSOLE group TACACS-ISE local
aaa authentication enable default group TACACS-ISE none
aaa authentication dot1x default group RADIUS-ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TACACS-ISE local
aaa authorization exec VTY group TACACS-ISE local if-authenticated
aaa authorization exec CONSOLE group TACACS-ISE local
aaa authorization commands 15 VTY group TACACS-ISE local if-authenticated
aaa authorization commands 15 CONSOLE group TACACS-ISE local
aaa authorization network default group RADIUS-ISE
aaa accounting update periodic 15
aaa accounting identity default start-stop group RADIUS-ISE
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
no ip domain lookup
ip domain name stadtulm.lan
!
ip dhcp pool webuidhcp
!
login on-failure log
login on-success log
ipv6 unicast-routing
!
subscriber templating
!
vtp domain DMVPN-SPOKE
vtp mode transparent
!
multilink bundle-name authenticated
!
access-session mac-move deny
!
crypto pki trustpoint TP-self-signed-2698500584
enrollment selfsigned
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
no license feature hseck9
license udi pid C1126-8PLTEP sn xxx
license boot level appxk9
license boot level securityk9
memory free low-watermark processor 70293
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
dot1x system-auth-control
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause port-mode-failure
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause oam-remote-failure
errdisable recovery cause psp
errdisable recovery interval 360
!
username xxx privilege 15 secret 9 xxx
!
redundancy
mode none
!
crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxx
!
crypto ikev2 keyring DMVPN-KEYRING-2
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxxx
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address xxxx
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-1
dpd 40 5 on-demand
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-2
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address xxxx
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-2
dpd 40 5 on-demand
!
controller Cellular 0/2/0
!
controller VDSL 0/3/0
!
vlan internal allocation policy ascending
!
vlan 100
name x1
!
vlan 251
name x2
!
vlan 300
name x3
!
vlan 804
name x4
!
vlan 805
name x5
!
vlan 806
name x6
!
class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
class-map match-any REALTIME
match dscp ef
match dscp cs5
match dscp cs4
class-map type inspect match-all x
match access-group name x
class-map match-any CRITICAL-DATA
match dscp af41 af42 af43
match dscp af31 af32 af33
match dscp af21 af22 af23
match dscp af11 af12 af13
class-map match-any CONTROL
match dscp cs6
match dscp cs3
match dscp cs2
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab
!
policy-map type inspect TRAFFIC-POLICY
class type inspect x
drop
class class-default
pass
policy-map WAN-EDGE-4-CLASS
class REALTIME
priority level 1 percent 10
class CONTROL
bandwidth 100
class CRITICAL-DATA
bandwidth 100
!
zone security DMVPN
zone security INTRANET
zone security GLT
zone security MGMT
zone-pair security DMVPN->GLT source DMVPN destination GLT
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->INTRANET source DMVPN destination INTRANET
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->MGMT source DMVPN destination MGMT
service-policy type inspect TRAFFIC-POLICY
zone-pair security GLT->DMVPN source GLT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security INTRANET->DMVPN source INTRANET destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security MGMT->DMVPN source MGMT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE-1
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
!
crypto ipsec profile DMVPN-PROFILE-2
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-2
!
--> track 1 ip sla 1 reachability
!
interface Loopback0
description ROUTER-MGMT
ip address xxx
!
interface Tunnel100
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I1
ip nhrp network-id 100
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-1
!
interface Tunnel200
description TUNNEL-TO-DMVPN-HUB-RTH
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I2
ip nhrp network-id 200
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-2
!
interface GigabitEthernet0/0/0
ip address xxx
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/1
description UPLINK-ACCESSPOINT
switchport trunk native vlan 806
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
spanning-tree portfast trunk
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/2
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/3
description UPLINK-ACCESSPOINT
switchport trunk native vlan 806
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
spanning-tree portfast trunk
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/4
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/5
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/6
description Dose <DOSEN-ID>
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface Cellular0/2/0
description INTERNET-UPLINK-VIA-LTE
bandwidth receive 18000
vrf forwarding INTERNET
ip address negotiated
ip nat outside
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface ATM0/3/0
no ip address
shutdown
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/3/0
no ip address
shutdown
no negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address xxx
ip helper-address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan251
ip address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan300
ip address xxx
ip helper-address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan804
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security GLT
no autostate
!
interface Vlan805
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
interface Vlan806
ip address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
interface Dialer1
vrf forwarding INTERNET
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
shutdown
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname kitatest
!
router bgp 65500
bgp router-id xxx
bgp log-neighbor-changes
neighbor USA-HUB peer-group
neighbor USA-HUB remote-as 65500
neighbor USA-HUB timers 20 60
neighbor CAN-HUB peer-group
neighbor CAN-HUB remote-as 65500
neighbor CAN-HUB timers 20 60
neighbor xxx peer-group CAN-HUB
neighbor xxx peer-group USA-HUB
!
address-family ipv4
bgp redistribute-internal
redistribute connected route-map RM-REDIST-CONNECTED-TO-BGP
neighbor USA-HUB send-community
neighbor USA-HUB weight 50000
neighbor USA-HUB next-hop-self all
neighbor USA-HUB soft-reconfiguration inbound
neighbor USA-HUB send-community
neighbor USA-HUB weight 50000
neighbor USA-HUB next-hop-self all
neighbor USA-HUB soft-reconfiguration inbound
neighbor xxx activate
neighbor xxx weight 50000
neighbor xxx activate
neighbor xxx weight 50000
distance bgp 201 19 250
exit-address-family
!
--> ip sla 1
--> icmp-echo 8.8.8.8 source-interface Cellular0/2/0
!
--> ip sla schedule 1 start-time now life forever
!
ip forward-protocol nd
ip ftp source-interface Loopback0
ip ftp username xxx
ip ftp password 7 xxx
no ip http server
ip http authentication local
no ip http secure-server
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0
--> ip route vrf INTERNET 8.8.8.8 255.255.255.255 Cellular0/2/0
ip tacacs source-interface Loopback0
!
ip access-list standard SNMP-MGMT
10 remark Erlaube SNMP Zugriff aus MGMT Zone
10 permit xxx
!
ip access-list extended KITA-NETWORKS
10 remark Kita Netze fuer Zone Based Firewall
10 permit ip any xxx
20 permit ip any xxx
ip access-list extended SSH-MGMT
10 remark Erlaube SSH Zugriff aus MGMT Zone
10 permit tcp xxx any eq 22
!
ip radius source-interface Loopback0
ip sla 2
icmp-echo 8.8.8.8
vrf INTERNET
threshold 500
timeout 1000
frequency 4
ip sla schedule 2 life forever start-time now
logging source-interface Loopback0
logging host xxx
logging host xxx
ip access-list standard 1
dialer-list 1 protocol ip permit
!
route-map RM-REDIST-CONNECTED-TO-BGP permit 10
description Redistributiere dedizierte Interfaces in den BGP Prozess
match interface Loopback0 Vlan100 Vlan251 Vlan300 Vlan804 Vlan805 Vlan806
!
snmp-server group GROUP-RO v3 priv read V3READ-ALL
snmp-server group GROUP-RW v3 priv read V3READ-ALL write V3WRITE-ALL
snmp-server group ArpGuardUser v3 priv
snmp-server group ArpGuardGroup v3 priv write ArpGuardView
snmp-server group ArpGuardGroup v3 priv context vlan- match prefix write ArpGuardView
snmp-server view V3READ-ALL iso included
snmp-server view V3WRITE-ALL iso included
snmp-server view ArpGuardView iso included
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps stpx root-inconsistency loop-inconsistency
snmp-server host xxx version 3 priv ArpGuardUser
snmp-server host xxx version 3 priv ArpGuardUser
snmp-server host xxx version 3 priv ArpGuardUser
snmp-server host xxx MUC-IPL
snmp-server host xxx RTH-IPL
snmp ifmib ifindex persist
!
tacacs server SUS-ISE-01-LP
address ipv4 xxx
key 7 xxx
tacacs server SUS-ISE-02-LP
address ipv4 xxx
key 7 xxx
!
event manager applet CELL_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 1.1.0 cli command "config t"
action 1.1 cli command "interface Cellular0/2/0"
action 1.3 cli command "shut"
action 1.4 cli command "exit"
action 2.0 cli command "interface GigabitEthernet0/1/7"
action 2.1 cli command "no switchport trunk allowed vlan 100,251,300,804-806"
action 2.2 cli command "no switchport mode trunk"
action 2.3 cli command "no service-policy output WAN-EDGE-4-CLASS"
action 2.4 cli command "switchport mode access"
action 2.5 cli command "exit"
action 3.0 cli command "interface Vlan 1"
action 3.1 cli command "no shut"
action 3.2 cli command "ip address dhcp"
action 3.3 cli command "exit"
action 4.0 cli command "no ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0"
action 4.1 cli command "ip route 0.0.0.0 0.0.0.0 Vlan 1"
action 5.0 cli command "end"
!
event manager applet CELL_UP
event track 1 state up
action 1.0 cli command "enable"
action 1.1.0 cli command "config t"
action 1.1 cli command "interface Cellular0/2/0"
action 1.3 cli command "no shut"
action 1.4 cli command "exit"
action 2.0 cli command "interface GigabitEthernet0/1/7"
action 2.1 cli command "switchport trunk allowed vlan 100,251,300,804-806"
action 2.2 cli command "switchport mode trunk"
action 2.3 cli command "service-policy output WAN-EDGE-4-CLASS"
action 2.4 cli command "no switchport mode access"
action 2.5 cli command "exit"
action 3.0 cli command "interface Vlan 1"
action 3.1 cli command "shut"
action 3.2 cli command "ip address dhcp"
action 3.3 cli command "exit"
action 4.0 cli command "ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0"
action 4.1 cli command "no ip route 0.0.0.0 0.0.0.0 Vlan 1"
action 5.0 cli command "end"
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server SUS-ISE-02-LP
address ipv4 xxx auth-port 1812 acct-port 1813
key 7 xxx
!
radius server SUS-ISE-01-LP
address ipv4 xxx auth-port 1812 acct-port 1813
key 7 xxx
!
control-plane
!
line con 0
exec-timeout 0 0
login authentication CONSOLE
stopbits 1
line vty 0 4
!
ntp source Loopback0
ntp server xxx
!
end

Joy3
Level 1

Hello @Georg Pauwen. Thanks for the tip but that doesn't work. I also don't understand this part of the EEM script:

action 3.0 cli command "interface Vlan 1"
action 3.1 cli command "no shut"

Hello,

can you make interface GigabitEthernet1/0/7 (the backup interface) into a layer 3 interface? Probably not. You need Vlan 1 to get an IP address from the modem, and GigabitEthernet1/0/7 needs to be part of the Vlan.

What exactly does not work?

Hi @Georg Pauwen. Int gi1/0/7 cannot be a routed port ('no switchport' command doesn't work) on the C1126-8PLTEP model. 

What doesn't work is that when I manually shut down the cellular interface, the failover LAN connection does not automatically come up.

Hello,

when you do a 'no shut' and 'ip address dhcp' on the Vlan 1 interface, with the interface GigabitEthernet1/0/7 configured as an access port, does Vlan 1 get an IP address?

Post the full running configuration again with the changes you have implemented...

Joy3
Level 1

Here is the full config.

no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition INTERNET
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 50000
!
aaa new-model
!
!
aaa group server tacacs+ TACACS-ISE
server name xxx
server name xxx
!
aaa group server radius RADIUS-ISE
server name xxx
server name xxx
!
aaa authentication login default group TACACS-ISE local
aaa authentication login CONSOLE group TACACS-ISE local
aaa authentication enable default group TACACS-ISE none
aaa authentication dot1x default group RADIUS-ISE
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group TACACS-ISE local
aaa authorization exec VTY group TACACS-ISE local if-authenticated
aaa authorization exec CONSOLE group TACACS-ISE local
aaa authorization commands 15 VTY group TACACS-ISE local if-authenticated
aaa authorization commands 15 CONSOLE group TACACS-ISE local
aaa authorization network default group RADIUS-ISE
aaa accounting update periodic 15
aaa accounting identity default start-stop group RADIUS-ISE
!
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
!
!
!
no ip domain lookup
ip domain name xxx
!
ip dhcp pool webuidhcp
!
!
!
login on-failure log
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
vtp domain DMVPN-SPOKE
vtp mode transparent
!
!
multilink bundle-name authenticated
!
!
!
access-session mac-move deny
!
!
crypto pki trustpoint TP-self-signed-xxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxx
revocation-check none
rsakeypair TP-self-signed-xxx
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
no license feature hseck9
license udi pid C1126-8PLTEP sn
license boot level appxk9
license boot level securityk9
memory free low-watermark processor 70293
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree logging
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
dot1x system-auth-control
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause port-mode-failure
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause oam-remote-failure
errdisable recovery cause psp
errdisable recovery interval 360
!
!
redundancy
mode none
!
!
!
crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxx
!
!
crypto ikev2 keyring DMVPN-KEYRING-2
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxx
!
!
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address xxx
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-1
dpd 40 5 on-demand
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-2
match fvrf INTERNET
match identity remote address 0.0.0.0
identity local address xxx
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-2
dpd 40 5 on-demand
!
!
controller Cellular 0/2/0
!
controller VDSL 0/3/0
!
!
vlan internal allocation policy ascending
!
vlan 100

!
vlan 251

!
vlan 300

!
vlan 804

!
vlan 805

!
vlan 806

!
class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
!
class-map match-any REALTIME
match dscp ef
match dscp cs5
match dscp cs4
class-map type inspect match-all xxx
match access-group name xxx
class-map match-any CRITICAL-DATA
match dscp af41 af42 af43
match dscp af31 af32 af33
match dscp af21 af22 af23
match dscp af11 af12 af13
class-map match-any CONTROL
match dscp cs6
match dscp cs3
match dscp cs2
!
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab
!
policy-map type inspect TRAFFIC-POLICY
class type inspect xxx
drop
class class-default
pass
policy-map WAN-EDGE-4-CLASS
class REALTIME
priority level 1 percent 10
class CONTROL
bandwidth 100
class CRITICAL-DATA
bandwidth 100
!
!
zone security DMVPN
zone security INTRANET
zone security GLT
zone security MGMT
zone-pair security DMVPN->GLT source DMVPN destination GLT
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->INTRANET source DMVPN destination INTRANET
service-policy type inspect TRAFFIC-POLICY
zone-pair security DMVPN->MGMT source DMVPN destination MGMT
service-policy type inspect TRAFFIC-POLICY
zone-pair security GLT->DMVPN source GLT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security INTRANET->DMVPN source INTRANET destination DMVPN
service-policy type inspect TRAFFIC-POLICY
zone-pair security MGMT->DMVPN source MGMT destination DMVPN
service-policy type inspect TRAFFIC-POLICY
!
!
!
!
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE-1
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-1
!
crypto ipsec profile DMVPN-PROFILE-2
set transform-set AES256/SHA/TRANSPORT
set ikev2-profile FVRF-IKEv2-IWAN-TRANSPORT-2
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description ROUTER-MGMT
ip address xxx
!
interface Tunnel100
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I1
ip nhrp network-id 100
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 100
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-1
!
interface Tunnel200
description TUNNEL-TO-DMVPN-HUB-RTH
ip address xxx
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN-I2
ip nhrp network-id 200
ip nhrp nhs xxx nbma xxx multicast
ip nhrp registration timeout 60
ip nhrp redirect
zone-member security DMVPN
ip tcp adjust-mss 1360
delay 1000
cdp enable
if-state nhrp
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 200
tunnel vrf INTERNET
tunnel protection ipsec profile DMVPN-PROFILE-2
!
interface GigabitEthernet0/0/0
ip address xxx
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/1
switchport trunk native vlan 806
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
spanning-tree portfast trunk
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/2
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/3
switchport trunk native vlan 806
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
spanning-tree portfast trunk
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/4
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/5
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/6
switchport access vlan 100
switchport mode access
switchport voice vlan 251
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber DOT1X-DEFAULT
service-policy output WAN-EDGE-4-CLASS
!
interface GigabitEthernet0/1/7
description UPLINK_LAN
switchport trunk allowed vlan 100,251,300,804-806
switchport mode trunk
service-policy output WAN-EDGE-4-CLASS
!
interface Cellular0/2/0
description INTERNET-UPLINK-VIA-LTE
bandwidth receive 18000
vrf forwarding INTERNET
ip address negotiated
ip nat outside
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface ATM0/3/0
no ip address
shutdown
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/3/0
no ip address
shutdown
no negotiation auto
!
interface Vlan1
ip address dhcp
!
interface Vlan100
ip address xxx
ip helper-address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan251
ip address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan300
ip address xxx
ip helper-address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security INTRANET
no autostate
!
interface Vlan804
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security GLT
no autostate
!
interface Vlan805
ip address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
interface Vlan806
ip address xxx
ip helper-address xxx
no ip redirects
no ip proxy-arp
zone-member security MGMT
no autostate
!
interface Dialer1
vrf forwarding INTERNET
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
shutdown
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname kitatest
!
router bgp 65500
bgp router-id xxx
bgp log-neighbor-changes
neighbor USA-HUB peer-group
neighbor USA-HUB remote-as 65500
neighbor USA-HUB timers 20 60
neighbor CAN-HUB peer-group
neighbor CAN-HUB remote-as 65500
neighbor CAN-HUB timers 20 60
neighbor xxx peer-group CAN-HUB
neighbor xxx peer-group USA-HUB
!
address-family ipv4
bgp redistribute-internal
redistribute connected route-map RM-REDIST-CONNECTED-TO-BGP
neighbor USA-HUB send-community
neighbor USA-HUB weight 50000
neighbor USA-HUB next-hop-self all
neighbor USA-HUB soft-reconfiguration inbound
neighbor CAN-HUB send-community
neighbor CAN-HUB weight 50000
neighbor CAN-HUB next-hop-self all
neighbor CAN-HUB soft-reconfiguration inbound
neighbor xxx activate
neighbor xxx weight 50000
neighbor xxx activate
neighbor xxx weight 50000
distance bgp 201 19 250
exit-address-family
!
ip forward-protocol nd
ip ftp source-interface Loopback0
ip ftp username xxx
ip ftp password 7 xxx
no ip http server
ip http authentication local
no ip http secure-server
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0
ip route vrf INTERNET 8.8.8.8 255.255.255.255 Cellular0/2/0
ip tacacs source-interface Loopback0
!
!
ip access-list standard Sxxx
10 remark Erlaube SNMP Zugriff aus MGMT Zone
10 permit xxx
!
ip access-list extended xxx
10 remark Kita Netze fuer Zone Based Firewall
10 permit ip any xxx
20 permit ip any xxx
ip access-list extended SSH-MGMT
10 remark Erlaube SSH Zugriff aus MGMT Zone
10 permit tcp xxx any eq 22
!
ip radius source-interface Loopback0
ip sla 1
icmp-echo 8.8.8.8 source-interface Cellular0/2/0
ip sla schedule 1 life forever start-time now
logging source-interface Loopback0
logging host xxx
logging host xxx
ip access-list standard 1
dialer-list 1 protocol ip permit
!
!
route-map RM-REDIST-CONNECTED-TO-BGP permit 10
description Redistributiere dedizierte Interfaces in den BGP Prozess
match interface Loopback0 Vlan100 Vlan251 Vlan300 Vlan804 Vlan805 Vlan806
!
!
tacacs server xxx
address ipv4 xxx
key 7 xxx
tacacs server xxx
address ipv4 xxx
key 7 xxx
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
radius server xxx
address ipv4 xxx.12 auth-port 1812 acct-port 1813
key 7 xxx
!
radius server xxx
address ipv4 xxx auth-port 1812 acct-port 1813
key 7 xxx
!
!
control-plane
line con 0
exec-timeout 0 0
login authentication CONSOLE
stopbits 1
line vty 0 4
!
ntp source Loopback0
ntp server xxx
!
!
!
!
event manager applet CELL_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 1.1 cli command "interface Cellular0/2/0"
action 1.1.0 cli command "config t"
action 1.3 cli command "shut"
action 1.4 cli command "exit"
action 2.0 cli command "interface GigabitEthernet0/1/7"
action 2.1 cli command "no switchport trunk allowed vlan 100,251,300,804-806"
action 2.2 cli command "no switchport mode trunk"
action 2.3 cli command "no service-policy output WAN-EDGE-4-CLASS"
action 2.4 cli command "switchport mode access"
action 2.5 cli command "exit"
action 3.0 cli command "interface Vlan 1"
action 3.1 cli command "no shut"
action 3.2 cli command "ip address dhcp"
action 3.3 cli command "exit"
action 4.0 cli command "no ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0"
action 4.1 cli command "ip route 0.0.0.0 0.0.0.0 Vlan 1"
action 5.0 cli command "end"
event manager applet CELL_UP
event track 1 state up
action 1.0 cli command "enable"
action 1.1 cli command "interface Cellular0/2/0"
action 1.1.0 cli command "config t"
action 1.3 cli command "no shut"
action 1.4 cli command "exit"
action 2.0 cli command "interface GigabitEthernet0/1/7"
action 2.1 cli command "switchport trunk allowed vlan 100,251,300,804-806"
action 2.2 cli command "switchport mode trunk"
action 2.3 cli command "service-policy output WAN-EDGE-4-CLASS"
action 2.4 cli command "no switchport mode access"
action 2.5 cli command "exit"
action 3.0 cli command "interface Vlan 1"
action 3.1 cli command "shut"
action 3.2 cli command "ip address dhcp"
action 3.3 cli command "exit"
action 4.0 cli command "ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0"
action 4.1 cli command "no ip route 0.0.0.0 0.0.0.0 Vlan 1"
action 5.0 cli command "end"
!
end

And here is the 'ip int brief'. Even with the changes on vlan 1, the vlan 1 interface doesn't get an ip address (up/down)

R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 xxx YES NVRAM administratively down down
GigabitEthernet0/1/0 unassigned YES unset down down
GigabitEthernet0/1/1 unassigned YES unset down down
GigabitEthernet0/1/2 unassigned YES unset down down
GigabitEthernet0/1/3 unassigned YES unset down down
GigabitEthernet0/1/4 unassigned YES unset down down
GigabitEthernet0/1/5 unassigned YES unset down down
GigabitEthernet0/1/6 unassigned YES unset down down
GigabitEthernet0/1/7 unassigned YES unset up up
Cellular0/2/0 xxx YES IPCP up up
Cellular0/2/1 unassigned YES NVRAM administratively down down
ATM0/3/0 unassigned YES NVRAM administratively down down
Ethernet0/3/0 unassigned YES NVRAM administratively down down
Dialer1 unassigned YES NVRAM administratively down down
Loopback0 xxx YES NVRAM up up
Tunnel100 xxx YES NVRAM up up
Tunnel200 xxx YES NVRAM up up
Vlan1 unassigned YES manual up down
Vlan100 xxx YES NVRAM up up
Vlan251 xxx YES NVRAM up up
Vlan300 xxx YES NVRAM up up
Vlan804 xxx YES NVRAM up up
Vlan805 xxx YES NVRAM up up
Vlan806 xxx YES NVRAM up up
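The running config and the 'sh ip int brief' above show why nothing switches over. The applets fire on 'event track 1', but no 'track 1' object is defined anywhere in the config, so the event never occurs. EEM sorts action labels as strings (the router itself now displays 'action 1.1' before 'action 1.1.0'), so "interface Cellular0/2/0" is sent in exec mode before "config t" and the rest of the CLI sequence fails. And GigabitEthernet0/1/7 is still a trunk that does not carry VLAN 1, so Vlan1 has no active member port, stays up/down, and never requests a lease from the modem. The following is an added example of a complete failover configuration; it is not part of the thread and not Cisco's own sample. It reuses the interface, VRF, tunnel and policy names from the posted config, assumes the modem on GigabitEthernet0/1/7 hands out addresses by DHCP, and additionally moves the tunnel source to Vlan1 (which the posted applets do not do) so that the DMVPN tunnels, whose 'tunnel vrf' is INTERNET, can actually follow the backup path.

```cisco
! Added example, not from the thread: LTE-to-LAN failover for the C1126.
! Assumptions: the modem on GigabitEthernet0/1/7 hands out a lease by DHCP;
! interface, VRF, tunnel and policy names are the ones in the posted config.
!
! 1. Probe the LTE path from inside the INTERNET VRF. The posted "ip sla 1"
!    has no "vrf" line, so that probe is routed in the global table and the
!    host route for 8.8.8.8 in VRF INTERNET never applies to it.
ip sla 1
 icmp-echo 8.8.8.8 source-interface Cellular0/2/0
 vrf INTERNET
 threshold 500
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! 2. The track object both applets reference. Without it "event track 1"
!    never fires. The delays absorb a single lost probe.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 3. Tie the LTE default route to the track so it is withdrawn on failure.
!    The host route keeps the probe on LTE while the backup path is active,
!    so the track can recover. For the same reason the LTE interface is
!    never shut down by the applets.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 Cellular0/2/0 track 1
ip route vrf INTERNET 8.8.8.8 255.255.255.255 Cellular0/2/0
!
! 4. Backup SVI in the same VRF as "tunnel vrf INTERNET". It stays shut
!    until the applet enables it. The DHCP client installs a default route
!    with distance 254 from the lease, which only wins once the tracked
!    route above is gone.
interface Vlan1
 description BACKUP-UPLINK-VIA-MODEM
 vrf forwarding INTERNET
 ip address dhcp
 shutdown
!
! 5. Applets. EEM sorts action labels as strings, which is why "1.1.0"
!    ran after "1.1" in the posted version and "interface Cellular0/2/0"
!    was sent before "config t". Zero-padded labels keep the order obvious.
!    Moving the tunnel source is what lets the DMVPN follow the backup path.
event manager applet CELL_DOWN
 event track 1 state down
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 action 030 cli command "interface GigabitEthernet0/1/7"
 action 031 cli command "switchport mode access"
 action 032 cli command "switchport access vlan 1"
 action 040 cli command "interface Vlan1"
 action 041 cli command "no shutdown"
 action 050 cli command "interface Tunnel100"
 action 051 cli command "tunnel source Vlan1"
 action 052 cli command "interface Tunnel200"
 action 053 cli command "tunnel source Vlan1"
 action 060 cli command "end"
 action 070 syslog msg "LTE unreachable, DMVPN moved to LAN backup via Vlan1"
!
event manager applet CELL_UP
 event track 1 state up
 action 010 cli command "enable"
 action 020 cli command "configure terminal"
 action 030 cli command "interface Tunnel100"
 action 031 cli command "tunnel source Cellular0/2/0"
 action 032 cli command "interface Tunnel200"
 action 033 cli command "tunnel source Cellular0/2/0"
 action 040 cli command "interface Vlan1"
 action 041 cli command "shutdown"
 action 050 cli command "interface GigabitEthernet0/1/7"
 action 051 cli command "switchport trunk allowed vlan 100,251,300,804-806"
 action 052 cli command "switchport mode trunk"
 action 060 cli command "end"
 action 070 syslog msg "LTE reachable again, DMVPN back on Cellular0/2/0"
```

Before pasting this in, remove the existing 'ip sla 1' and 'ip sla 2' entries and the two old applets: a probe that is already scheduled cannot be edited in place, and leftover applets with the same names would be replaced action by action rather than as a whole. With the track in place, a manual 'shutdown' on Cellular0/2/0 makes the probe time out and CELL_DOWN runs after the 15 s down delay; 'no shutdown' brings the probe back and CELL_UP runs after the 30 s up delay. Check the pieces separately with 'show ip sla statistics 1' (the probe must succeed over LTE before anything else matters), 'show track 1', 'show event manager policy registered', 'show ip route vrf INTERNET' (the tracked default should disappear and the DHCP-learned one appear) and 'show dmvpn'; 'debug event manager action cli' shows each CLI line the applet sends and the router's response, which is the quickest way to spot an action that is being issued in the wrong mode. Vlan1 carries no zone-member, the same as Cellular0/2/0 today, so the zone-based firewall treats the outer tunnel traffic identically on both paths.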

Hello,

what IP address range is the DHCP server on your modem dishing out?

Joy3
Level 1

With the above configs, the cellular interface has lost its connectivity and is now only in the up/up state without an IP address. I have confirmed that IP SLA is configured so that, to me, is somewhat strange.

Joy3
Level 1

Hi @Georg Pauwen. The DHCP range on the modem is 192.168.8.100-192.168.8.200. Btw thanks a lot for the engagement.
