08-09-2012 11:44 AM - edited 03-04-2019 05:13 PM
Dears,
I have two ISPs and need to connect them to my router.
The router that I have is a 2811, which has only two Fa ports, so I put an access switch between the two ISPs and Fa0/0, then configured interface Fa0/0 with two IPs: ISP1 and ISP2 as a secondary.
The problem I faced is that when ISP1 goes down, the secondary IP (ISP2) also stays down and the internal users have no access to the internet.
Please, I need your assistance to solve this issue.
Regards,
08-13-2012 05:49 AM
Hi,
the config seems ok but I would add this:
route-map SLA-PINGS
match ip address 101
set ip next-hop 200.20.20.2
exit
ip local policy route-map SLA-PINGS
access-list 101 permit icmp any host 8.8.8.8
and modify this:
ip sla 1
no icmp-echo 200.20.20.2 source-interface GigabitEthernet0/0.1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.1
Regards.
Alain
Don't forget to rate helpful posts.
08-09-2012 01:24 PM
Hello Ali,
you should use VLAN-based subinterfaces instead of secondary addresses
int fas0/0
no ip address
int fas0/0.10
enc dot1q 10
desc connection to ISP1
ip address A.B.C.D 255.255.255.E
int fas0/0.20
enc dot1q 20
desc connection to ISP2
ip address H.I.J.L 255.255.255.M
on the switch you need to create two VLANs, vlan 10 and vlan 20, and associate the port facing the router with an 802.1Q trunk carrying the two VLANs 10,20
on switch:
vlan database
vlan 10
vlan 20
apply
exit
configure terminal
int fasx/y
desc to router fas0/0
switchport
! the following command may be needed or not platform dependent
switchport trunk enc dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20
int fas X/w
desc to ISP1 link
switchport
switchport mode access
switchport access vlan 10
int fasx/z
desc to ISP2 link
switchport
switchport mode access
switchport access vlan 20
Hope to help
Giuseppe
08-10-2012 02:33 AM
The above solution will work. Just keep in mind that if you are using static routes to the ISPs, link failures will cause a blackhole.
08-10-2012 04:38 AM
Hello Prashsin1,
you are right: because of the intermediate LAN switch, ISP link failures are indirect failures.
static routing with object tracking completes the solution:
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
Hope to help
Giuseppe
08-11-2012 11:50 PM
Thank you Giuseppe,
Will this scenario work if I configure a site-to-site VPN between this site (redundant ISPs) and another one?
Regards,
08-13-2012 03:09 AM
Dear Giuseppe,
I tried the configuration that you advised, but I faced a problem with the NAT on the router.
When ISP1 goes down, the traffic is not NATed through the second sub-interface.
In my topology I need the traffic to go through ISP2 in case ISP1 is down.
Appreciate your feedback,
Regards,
08-13-2012 03:18 AM
Hi,
did you use route-maps matching the traffic to be NATed with an ACL and matching the outgoing sub-interface for the 2 NAT statements?
Regards.
Alain
Don't forget to rate helpful posts.
08-13-2012 03:42 AM
Hi,
You mean that I have to create two route-maps for the same traffic, then put these route-maps in the NAT (NAT for f0/0.1 and f0/0.2)?
Can you clarify with an example?
Thank you,
08-13-2012 04:05 AM
Hi,
here's an example where we have a router with 2 interfaces to two different ISPs:
f0/0 to ISP1 and f0/1 to ISP2, and the internal LAN is VLAN 1
int vlan 1
ip add 192.168.1.254 255.255.255.0
ip nat inside
int f0/0
descr to isp1
ip add 200.11.11.11 255.255.255.0
ip nat outside
int f0/1
descr to isp2
ip add 201.11.11.11 255.255.255.0
ip nat outside
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map ISP1 permit 10
match ip address 100
match interface f0/0
route-map ISP2
match ip address 100
match interface f0/1
ip nat inside source route-map ISP1 interface f0/0
ip nat inside source route-map ISP2 interface f0/1
ip route 0.0.0.0 0.0.0.0 200.11.11.x
ip route 0.0.0.0 0.0.0.0 201.11.11.x
Regards.
Alain
Don't forget to rate helpful posts.
08-13-2012 05:32 AM
Dear,
I applied the config below on my router, so please check whether this will work, because I am going to configure a GRE tunnel with another site:-
sh run
Building configuration...
Current configuration : 6014 bytes
!
! Last configuration change at 12:08:31 UTC Mon Aug 13 2012 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
license udi pid CISCO2901/K9 sn FCZ162191PU
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 10
ip address 200.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 20
ip address 201.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.2 overload
ip route 0.0.0.0 0.0.0.0 200.20.20.2 track 1
ip route 0.0.0.0 0.0.0.0 201.20.20.2 200
!
ip sla 1
icmp-echo 200.20.20.2 source-interface GigabitEthernet0/0.1
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
route-map ISP2 permit 10
match ip address 100
match interface GigabitEthernet0/0.2
!
route-map ISP1 permit 10
match ip address 100
match interface GigabitEthernet0/0.1
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username
no username cisco
Replace
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
yourname#
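A configuration lint, added here as an example and not part of this thread, that encodes in Python the two points raised above: Alain's NAT route-maps must `match interface` the same outside sub-interface the NAT statement names, and a tracked default route whose probe targets something beyond the next hop (8.8.8.8) must be pinned to that next hop with `ip local policy`, otherwise after failover the probe leaves via ISP2, succeeds, and flaps the primary route back. The config text is a constructed sample condensed from the one posted above with Alain's changes applied; the "pings only the next hop" check is my own generalization of why the probe target was changed, not something Alain stated.

```python
import re
# Constructed sample condensed from the config posted above, with Alain's changes applied (probe 8.8.8.8, pinned to the ISP1 next hop by ip local policy).
CONFIG = """\
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.2 overload
ip route 0.0.0.0 0.0.0.0 200.20.20.2 track 1
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.1
ip local policy route-map SLA-PINGS
route-map ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.1
route-map ISP2 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.2
route-map SLA-PINGS permit 10
 match ip address 101
 set ip next-hop 200.20.20.2
"""
def blocks(cfg, header):
    # map each '<header> NAME' block to the list of its indented body lines
    out, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(header + r" (\S+)", line)
        if m:
            cur = out.setdefault(m.group(1), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None
    return out
def lint(cfg):
    rmaps, slas, problems = blocks(cfg, "route-map"), blocks(cfg, "ip sla"), []
    # 1. each NAT statement's route-map must select that same outside interface
    for name, intf in re.findall(r"^ip nat inside source route-map (\S+) interface (\S+)", cfg, re.M):
        if f"match interface {intf}" not in rmaps.get(name, []):
            problems.append(f"NAT via {intf}: route-map {name} lacks 'match interface {intf}'")
    # 2. each tracked default route needs a probe that really proves its ISP path
    tracks = dict(re.findall(r"^track (\d+) ip sla (\d+) reachability", cfg, re.M))
    pbr = re.search(r"^ip local policy route-map (\S+)", cfg, re.M)
    for nh, trk in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+) track (\d+)", cfg, re.M):
        probe = [l for l in slas.get(tracks.get(trk), []) if l.startswith("icmp-echo")]
        if not probe:
            problems.append(f"track {trk}: no icmp-echo probe behind it")
        elif probe[0].split()[1] == nh:
            problems.append(f"track {trk}: pings only next hop {nh}, failures beyond it go unnoticed")
        elif not (pbr and f"set ip next-hop {nh}" in rmaps.get(pbr.group(1), [])):
            # unpinned: after failover the probe exits via ISP2, succeeds, and the route flaps back
            problems.append(f"track {trk}: probe not pinned to {nh} by ip local policy")
    return problems
```

Run `lint(CONFIG)` on a candidate config; an empty list means both checks pass, and each string returned names the statement that needs attention.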