Redundant ISPs connection

Ali Bahnam
Level 1

Dears,

I have two ISPs and need to connect them to my router.

The router that I have is a 2811, which has only two Fa ports, so I put an access switch between the two ISPs and Fa0/0, then configured interface Fa0/0 with two IPs, ISP1 and ISP2 as a secondary.

The problem I faced is that when ISP1 goes down, the other secondary IP (ISP2) also stays down and the internal users have no access to the internet.

Please, I need your assistance to solve this issue.

Regards,


10 Replies

Giuseppe Larosa
Hall of Fame

Hello Ali,

You should use VLAN-based subinterfaces instead of secondary addresses:

int fas0/0
no ip address
int fas0/0.10
enc dot1q 10
desc connection to ISP1
ip address A.B.C.D 255.255.255.E
int fas0/0.20
enc dot1q 20
desc connection to ISP2
ip address H.I.J.L 255.255.255.M

On the switch you need to create two VLANs, VLAN 10 and VLAN 20, and configure the port facing the router as an 802.1Q trunk carrying the two VLANs 10 and 20.

on switch:

vlan database
vlan 10
vlan 20
apply
exit
configure terminal
int fasx/y
desc to router fas0/0
switchport
! the following command may be needed or not, platform dependent
switchport trunk enc dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20
int fas X/w
desc to ISP1 link
switchport
switchport mode access
switchport access vlan 10
int fasx/z
desc to ISP2 link
switchport
switchport mode access
switchport access vlan 20

Hope to help

Giuseppe

The above solution will work. Just keep in mind that if you are using static routes to the ISPs, link failures will cause a blackhole.

Hello Prashsin1,

You are right: because of the intermediate LAN switch, ISP link failures are indirect failures.

Static routing with object tracking completes the solution:

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

Hope to help

Giuseppe

Thank you Giuseppe,

Please, will this scenario work if I configure a site-to-site VPN between this site (redundant ISPs) and another one?

Regards,

Dear Giuseppe,

I tried the configuration that you advised, but I faced a problem with the NAT on the router.

When ISP1 goes down, the traffic is not NATed through the second subinterface.

In my topology I need the traffic to go through ISP2 in case ISP1 is down.

Appreciate your feedback,

Regards,

Hi,

Did you use route-maps matching the traffic to be NATed with an ACL and matching the outgoing subinterface for the 2 NAT statements?

Regards.

Alain

Don't forget to rate helpful posts.


Hi,

You mean that I have to create two route-maps for the same traffic, then use these route-maps in the NAT statements (NAT for f0/0.1 and f0/0.2)?

Can you please clarify with an example?

Thank you ,

Hi,

Here's an example where we have a router with two interfaces to two different ISPs: f0/0 to ISP1 and f0/1 to ISP2, and the internal LAN is VLAN 1.

int vlan 1
ip add 192.168.1.254 255.255.255.0
ip nat inside
int f0/0
descr to isp1
ip add 200.11.11.11 255.255.255.0
ip nat outside
int f0/1
descr to isp2
ip add 201.11.11.11 255.255.255.0
ip nat outside
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map ISP1 permit 10
match ip address 100
match interface f0/0
route-map ISP2 permit 10
match ip address 100
match interface f0/1
! overload = PAT, so all LAN hosts share the interface address
ip nat inside source route-map ISP1 interface f0/0 overload
ip nat inside source route-map ISP2 interface f0/1 overload
ip route 0.0.0.0 0.0.0.0 200.11.11.x
ip route 0.0.0.0 0.0.0.0 201.11.11.x

Regards.

Alain

Don't forget to rate helpful posts.


Dear,

I applied the config below on my router, so please check whether this will work, because I am going to configure a GRE tunnel with another site:

sh run
Building configuration...

Current configuration : 6014 bytes
!
! Last configuration change at 12:08:31 UTC Mon Aug 13 2012 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!

license udi pid CISCO2901/K9 sn FCZ162191PU
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 10
ip address 200.20.20.1 255.255.255.0
ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
encapsulation dot1Q 20
ip address 201.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.2 overload
ip route 0.0.0.0 0.0.0.0 200.20.20.2 track 1
ip route 0.0.0.0 0.0.0.0 201.20.20.2 200
!
ip sla 1
icmp-echo 200.20.20.2 source-interface GigabitEthernet0/0.1
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
route-map ISP2 permit 10
match ip address 100
match interface GigabitEthernet0/0.2
!
route-map ISP1 permit 10
match ip address 100
match interface GigabitEthernet0/0.1
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco
Replace and with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
 privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

yourname#

Hi,

The config seems OK, but I would add this:

route-map SLA-PINGS
 match ip address 101
 set ip next-hop 200.20.20.2
 exit
ip local policy route-map SLA-PINGS
access-list 101 permit icmp any host 8.8.8.8

and modify this:

ip sla 1
  no icmp-echo 200.20.20.2 source-interface GigabitEthernet0/0.1
  icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.1

Regards.

Alain

Don't forget to rate helpful posts.

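Pulling the thread's pieces together, here is an added example (not from any of the posters) of the complete router side: Giuseppe's subinterfaces, Alain's NAT route-maps and Alain's probe change. It reuses the addresses, VLAN ids and ACL numbers from Ali's config; 8.8.8.8 is the probe target Alain chose.

```ios
! Added example, not from any poster in this thread: Giuseppe's subinterface
! design, Alain's NAT route-maps and Alain's probe fix in one router config.
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! One dot1Q subinterface per ISP VLAN; the LAN switch trunks VLANs 10 and 20
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.1
 encapsulation dot1Q 10
 ip address 200.20.20.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/0.2
 encapsulation dot1Q 20
 ip address 201.20.20.1 255.255.255.0
 ip nat outside
!
! NAT: "match interface" ties each rule to its egress subinterface, so the
! translation follows whichever default route is currently active
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
route-map ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.1
route-map ISP2 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.2
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.2 overload
!
! Probe: the switch keeps Gi0/0.1 up when ISP1's own link dies, so ping a
! host beyond the next hop. Local policy pins the probe to ISP1; otherwise,
! once the default route moves to ISP2, the probe would succeed via ISP2 and
! the track would flap back up.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.1
 threshold 2
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
access-list 101 permit icmp any host 8.8.8.8
route-map SLA-PINGS permit 10
 match ip address 101
 set ip next-hop 200.20.20.2
ip local policy route-map SLA-PINGS
!
! Primary default route depends on the track; floating static (AD 200) backs it
ip route 0.0.0.0 0.0.0.0 200.20.20.2 track 1
ip route 0.0.0.0 0.0.0.0 201.20.20.2 200
```

After a failover, translations already bound to 200.20.20.1 stay in the NAT table until they age out, so clearing them (clear ip nat translation *) is what makes existing sessions move to ISP2 immediately. Only ISP1 is probed here; a dead ISP2 path is not detected by this design.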