08-09-2012 11:44 AM - edited 03-04-2019 05:13 PM
Dears,
I have two ISPs that I need to connect to my router.
The router I have is a 2811, which has only two Fa ports, so I put an access switch between the two ISPs and Fa0/0 and then configured interface Fa0/0 with two IPs: ISP1 as the primary and ISP2 as a secondary.
The problem I face is that when ISP1 goes down, the other (secondary) IP, ISP2, also stays down and the internal users have no access to the internet.
Please, I need your assistance to solve this issue.
Regards,
08-09-2012 01:24 PM
Hello Ali,
you should use VLAN-based subinterfaces instead of secondary addresses:
int fas0/0
no ip address
int fas0/0.10
enc dot1q 10
desc connection to ISP1
ip address A.B.C.D 255.255.255.E
int fas0/0.20
enc dot1q 20
desc connection to ISP2
ip address H.I.J.L 255.255.255.M
on the switch you need to create two VLANs, vlan 10 and vlan 20, and make the port facing the router an 802.1Q trunk carrying the two VLANs 10 and 20
on switch:
vlan database
vlan 10
vlan 20
apply
exit
configure terminal
int fasx/y
desc to router fas0/0
switchport
! the following command may be needed or not platform dependent
switchport trunk enc dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20
int fasx/w
desc to ISP1 link
switchport
switchport mode access
switchport access vlan 10
int fasx/z
desc to ISP2 link
switchport
switchport mode access
switchport access vlan 20
Hope to help
Giuseppe
08-10-2012 02:33 AM
The above solution will work. Just keep in mind that if you are using static routes to the ISPs, link failures will cause a blackhole.
08-10-2012 04:38 AM
Hello Prashsin1,
you are right: because of the intermediate LAN switch, ISP link failures are indirect failures.
Static routing with object tracking completes the solution:
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
Hope to help
Giuseppe
08-11-2012 11:50 PM
Thank you Giuseppe,
Please, will this scenario work if I configure a site-to-site VPN between this site (redundant ISPs) and another one?
Regards,
08-13-2012 03:09 AM
Dear Giuseppe,
I tried the configuration that you advised, but I faced a problem with the NAT on the router.
When ISP1 goes down, the traffic is not NATed through the second sub-interface.
In my topology I need the traffic to go through ISP2 in case ISP1 is down.
I appreciate your feedback,
Regards,
08-13-2012 03:18 AM
Hi,
did you use route-maps matching the traffic to be NATed with an ACL and matching the outgoing sub-interface for the 2 NAT statements?
Regards.
Alain
Don't forget to rate helpful posts.
08-13-2012 03:42 AM
Hi,
You mean that I have to create two route-maps for the same traffic, then put these route-maps in the NAT (NAT for f0/0.1 and f0/0.2)?
Please, can you clarify this for me with an example?
Thank you ,
08-13-2012 04:05 AM
Hi,
here's an example where we have a router with 2 interfaces to two different ISPs:
f0/0 to ISP1 and f0/1 to ISP2, and the internal LAN is VLAN 1
int vlan 1
ip add 192.168.1.254 255.255.255.0
ip nat inside
int f0/0
descr to isp1
ip add 200.11.11.11 255.255.255.0
ip nat outside
int f0/1
descr to isp2
ip add 201.11.11.11 255.255.255.0
ip nat outside
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map ISP1 permit 10
match ip address 100
match interface f0/0
route-map ISP2 permit 10
match ip address 100
match interface f0/1
ip nat inside source route-map ISP1 interface f0/0
ip nat inside source route-map ISP2 interface f0/1
ip route 0.0.0.0 0.0.0.0 200.11.11.x
ip route 0.0.0.0 0.0.0.0 201.11.11.x
Regards.
Alain
Don't forget to rate helpful posts.
08-13-2012 05:32 AM
Dear,
I applied the below config on my router, so please check whether this will work, because I am going to configure a GRE tunnel with another site:-
sh run
Building configuration...
Current configuration : 6014 bytes
!
! Last configuration change at 12:08:31 UTC Mon Aug 13 2012 by cisco
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
  D865B924 53BBC78F 1F336192 D7E3CC
   quit
license udi pid CISCO2901/K9 sn FCZ162191PU
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
! 
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 10
 ip address 200.20.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 20
 ip address 201.20.20.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.2 overload
ip route 0.0.0.0 0.0.0.0 200.20.20.2 track 1
ip route 0.0.0.0 0.0.0.0 201.20.20.2 200
!
ip sla 1
 icmp-echo 200.20.20.2 source-interface GigabitEthernet0/0.1
 threshold 2
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
route-map ISP2 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.2
!
route-map ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.1
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username 
 
Replace 
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device. 
This feature requires the one-time use of the username "cisco" with the 
password "cisco". These default credentials have a privilege level of 15.
 
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN 
CREDENTIALS
Here are the Cisco IOS commands.
username 
no username cisco
Replace 
to use. 
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE 
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
 
For more information about Cisco CP please follow the instructions in the 
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp 
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
yourname#
08-13-2012 05:49 AM
Hi,
the config seems ok but I would add this:
route-map SLA-PINGS
match ip address 101
set ip next-hop 200.20.20.2
exit
ip local policy route-map SLA-PINGS
access-list 101 permit icmp any host 8.8.8.8
and modify this:
ip sla 1
no icmp-echo 200.20.20.2 source-interface GigabitEthernet0/0.1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.1
Regards.
Alain
Don't forget to rate helpful posts.
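Putting the thread's pieces together, below is an added example (not posted by any participant) of the complete dual-ISP configuration for the 2901 running-config shown above: the two ISP subinterfaces, an IP SLA probe that is forced out ISP1 and targets a host beyond the ISP1 gateway, a tracked primary default route with a floating backup, NAT route-maps selected by outgoing interface, and an EEM applet that flushes NAT translations whenever the track changes state so established flows move to the surviving ISP. Addresses, VLAN IDs, interface names and ACL numbers are those from the posted config; the track `delay` timers, the probe interval, the `Null0` fallback in the probe route-map and the EEM applet name are my own choices and not from the thread.

```ios
! Dual-ISP failover on IOS 15.x (added example; addresses and interfaces taken
! from the running-config posted above, everything else is an assumption)
!
! --- LAN and ISP-facing interfaces (router-on-a-stick through the access switch)
interface GigabitEthernet0/1
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.1
 description ISP1 (VLAN 10 on the access switch)
 encapsulation dot1Q 10
 ip address 200.20.20.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0.2
 description ISP2 (VLAN 20 on the access switch)
 encapsulation dot1Q 20
 ip address 201.20.20.1 255.255.255.0
 ip nat outside
!
! --- Probe a host BEYOND the ISP1 gateway. Pinging 200.20.20.2 itself only proves
!     the switch port and the gateway are up; both can stay reachable while the
!     ISP1 upstream is dead, which is exactly the failure this thread is about.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.1
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! Dampen flaps: declare ISP1 down after 10 s of failed probes, up after 30 s of success.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! --- Force the router's OWN probe packets out ISP1 regardless of the routing table.
!     Without this, once the default route flips to ISP2 the probe would succeed via
!     ISP2, track 1 would come back up, the ISP1 route would be reinstalled, and the
!     router would flap between the two. "set interface Null0" is the fallback when
!     Gi0/0.1 itself is down and 200.20.20.2 is no longer a connected next hop: the
!     probe is then dropped instead of leaking out ISP2.
access-list 101 permit icmp host 200.20.20.1 host 8.8.8.8 echo
route-map SLA-PINGS permit 10
 match ip address 101
 set ip next-hop 200.20.20.2
 set interface Null0
ip local policy route-map SLA-PINGS
!
! --- Primary default route is installed only while track 1 is up;
!     the backup is a floating static (administrative distance 200).
ip route 0.0.0.0 0.0.0.0 200.20.20.2 track 1
ip route 0.0.0.0 0.0.0.0 201.20.20.2 200
!
! --- NAT: one statement per ISP, each bound to its outgoing interface.
!     "match interface" is what makes the translation follow the active route.
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
route-map ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.1
route-map ISP2 permit 10
 match ip address 100
 match interface GigabitEthernet0/0.2
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.2 overload
!
! --- Existing translations stay bound to the old outside address and keep
!     steering those flows at the dead ISP until they age out; flush them on
!     every state change so flows are rebuilt on the ISP that is now active.
event manager applet NAT-FLUSH-ON-TRACK-CHANGE
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 changed state, NAT translations flushed"
!
! --- Verification after pulling the ISP1 uplink from the switch:
! show track 1                 -> Reachability is Down, last change time
! show ip sla statistics 1     -> failed probe counters climbing
! show ip route 0.0.0.0        -> default now via 201.20.20.2
! show ip nat translations     -> outside address 201.20.20.1 for new flows
```

Two caveats for the posted running-config before it is put in front of two ISPs: it still carries the Cisco CP default account `username cisco privilege 15 password 0 cisco` together with `transport input telnet ssh` and `ip http server` on the vty and HTTP paths, and the `access-class 23 in` on the vty lines references an `access-list 23` that does not appear anywhere in the pasted output, so it does not restrict anything. Replace the default account, drop telnet and plain HTTP, and define the ACL before enabling the failover.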