05-22-2013 10:13 PM - edited 03-04-2019 07:58 PM
I have two ISPs. One is Verizon 4G and the other is HughesNet. Can I route ONLY my GRE tunnel out the Verizon ISP and everything else out HughesNet with the equipment I have now?
I tried setting this up using sub-interfaces on my router just to start but the PC could not get any Internet connectivity. I may have needed to do a reload on the router as I had to do to get it working when I put the satellite back directly connected. Sometimes these routers seem to get routing confused. The Verizon is on Vlan 30 and the Sat is on Vlan 31 with a trunk to the router. It's too late to try again tonight.
I have a GRE Tunnel going back to my corp office of the IP phone above and when I have just one ISP connected to the router and I do not use sub-interfaces, everything works perfect! Well, if I use Verizon 4G that is. When I use the HughesNet, everything works this way except VoIP calls suck due to the 700ms ping times. So my goal is to have my GRE tunnel for the IP phone go out Verizon while all other Internet traffic goes via the satellite.
I need to do this for several reasons.
1. VoIP over the satellite does not work (we've done our best to make it work)
2. The Verizon 4G is my cell phone and when I leave home I take it with me, thus killing internet at home.
3. If I use the cell phone for both VoIP and Internet surfing/downloading, the battery drain is so bad that the phone dies in 4-6 hours.
4. I need to make calls with the VoIP phone because the customers get that caller ID, otherwise they get my home phone. (not cool).
I could use your help please.
05-23-2013 04:48 AM
Hello Michael,
Point default route toward satt. link and specific route for GRE tunnel endpoint toward Verizon.
Best Regards
Please rate all helpful posts and close solved questions
05-23-2013 08:00 AM
Well... it works... sort of...
From the router itself it does work as I need it, GRE out Verizon and everything else out HughesNet with ping only.
The tunnel never comes up and my PC has no Internet access. When I get rid of the sub-interfaces and just have one ISP everything works correctly. I have attached my router config file above with a sh ip route at the bottom. This config file is when I set up sub-interfaces and two ISPs.
Any idea why I am not getting routing over the sub-interfaces to the Internet and getting the tunnel to come up too?
Here is the change made to get it to work with only 1 ISP:
no int gi0/0.30
no int gi0/0.31
int gi0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
NO other changes are made.
05-23-2013 09:29 AM
Sorry, I did not notice configuration earlier.
GRE tunnel can not work if you configure Gi0/0 as source interface but this interface has no IP address.
interface Tunnel0
 tunnel source GigabitEthernet0/0
interface GigabitEthernet0/0
 no ip address
small output from routing table ->
S* 0.0.0.0/0 [254/0] via 100.75.64.217
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 150.5.64.216/29 is directly connected, GigabitEthernet0/0.31
L 150.5.64.219/32 is directly connected, GigabitEthernet0/0.31
I can see that you obtain IP address on one subinterface, but not on other one, also your default gateway is really strange. I can not see any connected network obtaining 100.75.64.217.
Can you please check if these outputs are correct?
Can you also post configuration of switch ports toward router and also both ISPs.
Best Regards
Please rate all helpful posts and close solved questions
05-23-2013 10:40 AM
Okay, I see where I need to change the tunnel's source to GI0/0.30 but that sure kills my next plan, have the tunnel automatically roll over to the satellite when Verizon goes down. That is, unless you know how to do that too.
But I don't understand why the PCs don't get internet access. The routing table output was changed by me to try and hide my public IP. The last two lines should read 100.75.64.216/29 and 100.75.64.219/32. I forgot to change the first one.
You see, my problem is that my office phone is connected back to our office CME router over the GRE Tunnel. When I just use the satellite connection I can talk to co-workers just fine. But I cannot make calls to customers or answer incoming calls. For most of the day this is fine as I do not make many calls or answer them.
However, those few times I do need to call customers, I really do not want them to have my home phone number so I would like to call via the office phone here on my desk. To do that I need to use my Verizon 4G data connection. What I need is either an automatic setup where when the Verizon 4G is active all calls go over that data connection and when it's not there they go over the satellite connection.
I don't mind doing a manual swap over if it is just a command or two. But right now, it's a pain to do. Oh yea, the satellite connection is in my garage and my Verizon is beside me in my office. So just swapping out a cable is not an option. I have a PC running ICS connected to the 2851 edge router in the garage so I don't have to run there every time I want to hook it up. When I was trying to set up dual ISPs, I placed a 3524 switch on the outside interface of the 2851.
The switch is configured like this
interface fa0/1
 switchport access vlan 30
interface fa0/2
 switchport access vlan 31
interface fa0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan all
 switchport trunk native vlan 100
05-23-2013 01:34 PM
I understand what you are trying to accomplish. But ->
#1 - on both subinterfaces you obtain IP address together with default route, so I think that both default routes are installed in routing table and traffic is load balanced.
Can you check if this is true?
#2 - I do not think that there is some clever way to dynamically change GRE tunnel source IP. But you can configure IP SLA to check if desired link is working, if not EEM script will be executed which will change GRE tunnel source IP, but same thing you have to do on other side of the tunnel.
Best Regards
Please rate all helpful posts and close solved questions
05-23-2013 02:51 PM
I am not trying to do load balancing, I just need my VoIP to go out the Verizon ISP.
The problem I am having is that when I set up either ISP on a sub-interface, only the router has Internet connectivity. My PCs do not. But all else being the same and I just put the ISP on the main interface it all works. Why can't the PCs get to the Internet when I have the ISP on a sub-interface?
I was going to use SLA to change the tunnel's default route automatically and just manually change the tunnel source. One quick command change will be fine. But all is moot until I can figure out the above problem.
Any ideas?
05-24-2013 12:06 AM
I know that you are not trying to load balance, BUT probably you obtain two default routes via DHCP, so I just want to make sure that you are not using them both.
Problem with internet access -> your NAT configuration is not valid.
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
This will work only if you use Gi0/0 as WAN interface. After you configure subinterfaces, Gi0/0 has no IP address so it can not be used with NAT.
Best Regards
Please rate all helpful posts and close solved questions
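The point made in this reply, together with the tunnel source issue raised earlier in the thread, sketched as an added configuration example that is not taken from the original posts. It assumes VLAN 31 (HughesNet) carries general Internet traffic and VLAN 30 (Verizon) carries only the tunnel, as the thread describes; `<tunnel-endpoint>` is a placeholder, 192.168.30.1 is the Verizon-side gateway the original poster mentions later, and suppressing the DHCP default route on the Verizon link is one assumed way to avoid two competing default routes.

```cisco
! Before (stops translating once Gi0/0 has "no ip address"):
!   ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.30
 description Verizon 4G (VLAN 30), GRE tunnel only
 encapsulation dot1Q 30
 ! Assumption: do not accept a default router from this DHCP server,
 ! so only HughesNet installs a default route. Enter before "ip address dhcp".
 no ip dhcp client request router
 ip address dhcp
!
interface GigabitEthernet0/0.31
 description HughesNet (VLAN 31), default path for everything else
 encapsulation dot1Q 31
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
! After: overload on the sub-interface that actually holds the WAN address
no ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip nat inside source list NAT_ACL interface GigabitEthernet0/0.31 overload
!
! The tunnel source must also be an interface that has an address
interface Tunnel0
 tunnel source GigabitEthernet0/0.30
!
! Host route: only the tunnel endpoint goes via the Verizon gateway
ip route <tunnel-endpoint> 255.255.255.255 192.168.30.1
```

`show ip nat translations` and `show ip route` confirm which sub-interface is translating and that only one default route is installed.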
05-24-2013 11:04 AM
Geez, stupid me. I totally missed that one too. I must need better glasses. Thanks so much for pointing that out to me. I am so embarrassed.
I am waiting on a call and as soon as that is done I am going to fix this correctly this time. I feel that it will work this time. I will update as soon as I get it done.
Thank you so much!!!!
05-28-2013 10:45 AM
Over the weekend I fixed the mistakes you showed me. Now I get the GRE Tunnel going over the Verizon connection (not automatically yet) and I get my data over HughesNet. AWESOME!!! Thank you so much.
I had to change the tunnel's source to Gi0/0.30 and I had to setup a route, ip route 55.19.6.90 255.255.255.0 192.168.30.1
That is it, just two command changes to swap ISPs for my VoIP phone.
I know I can use SLAs to automatically set my route if the Verizon is connected to my system. But how can I automate the tunnel's source interface based on the Verizon service being reachable? Any thoughts on that one?
05-28-2013 02:06 PM
Hello,
I am glad that you managed to work it out.
"But how can I automate the tunnel's source interface based on the Verizon service being reachable? Any thoughts on that one?"
I wrote you earlier one possible solution for this ->
#2 - I do not think that there is some clever way to dynamically change GRE tunnel source IP. But you can configure IP SLA to check if desired link is working, if not, EEM script will be executed which will change GRE tunnel source IP, but same thing you have to do on other side of the tunnel.
Last thing is very important, you will have to change tunnel source interface on your router, but also tunnel destination on other end. Do you have access to that device and can you execute same EEM script there?
Best Regards
Please rate all helpful posts and close solved questions
05-28-2013 02:21 PM
Thanks,
Yes I do have access to both sides but I do not know anything about EEM scripts. Sounds like I need to learn it!
Since I made these changes I cannot telnet from my PC to the office router. I can telnet from my edge router to the office just fine. I tried to add this command to the VPN1-FLA-TRAFFIC ACL list for the tunnel but it did not help.
permit tcp 192.168.69.150 0.0.0.0 eq 23 55.9.6.88 0.0.0.7
Remember, I changed the IP on the public network for privacy.
My desktop PC is 192.168.69.150 and I am using SecureCRT to telnet with.
05-28-2013 03:06 PM
Okay, my requirements got even crazier. Somehow I need to be able to use my PC's browser (192.168.69.150) to access the CME router at the office (55.9.6.9) so I can create an auto-attendant. I think I need to modify my access list somewhat. I do not care if I lose Internet while I am connecting in to the CME router via the web browser.
Can you help me build the right access-list?
05-29-2013 02:56 AM
Hello,
"Yes I do have access to both sides but I do not know anything about EEM scripts. Sounds like I need to learn it!"
Your EEM script will look something like this:
! The syslog pattern must match the tracking message exactly as the router logs it.
! "configure terminal" is needed before the interface command can be entered.
event manager applet CHANGE_GRE_SOURCE_to-backup
 event syslog pattern "TRACKING-5-STATE: 1 rtr 1 state Up->Down"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Tunnel 0"
 action 1.3 cli command "tunnel source XXX"
 action 1.4 cli command "end"
event manager applet CHANGE_GRE_SOURCE_to-primary
 event syslog pattern "TRACKING-5-STATE: 1 rtr 1 state Down->Up"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface Tunnel 0"
 action 1.3 cli command "tunnel source XXX"
 action 1.4 cli command "end"
You need two scripts, first to change tunnel source when your primary link fails and second script to change tunnel source back in case primary link is working again.
IP SLA configuration with tracking should look something like this:
ip sla 1
 icmp-echo XXX
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1
 delay down 35 up 35
Also it would be better if you configure local PBR for IP SLA to use only primary link. Reason -> IP SLA will monitor primary link if it is working so you should deny IP SLA probes to reach destination via backup link. If you do not, there could be situation that primary link will fail, IP SLA should also fail, but it will not because it can use backup link so GRE tunnel source will not be changed.
"Okay, my requirements got even crazier. Somehow I need to be able to use my PC's browser (192.168.69.150) to access the CME router at the office (55.9.6.9) so I can create an auto-attendant. I think I need to modify my access list somewhat. I do not care if I lose Internet while I am connecting in to the CME router via the web browser.
Can you help me build the right access-list?"
Can you upload current configuration to be able to provide better help?
Best Regards
Please rate all helpful posts and close solved questions
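The local PBR suggestion in this reply, sketched as an added configuration example that is not from the original posts: router-generated IP SLA probes are pinned to the primary (Verizon) gateway so they cannot succeed over the satellite link. `<probe-target>` is a placeholder for the address used in `icmp-echo`, the ACL and route-map names are hypothetical, and 192.168.30.1 and Gi0/0.30 are the Verizon gateway and sub-interface named elsewhere in the thread.

```cisco
! Match only the ICMP echo probes sent to the SLA target (placeholder address)
ip access-list extended SLA_PROBE_ACL
 permit icmp any host <probe-target> echo
!
! Send matching probes to the Verizon gateway regardless of the default route
route-map SLA_VIA_PRIMARY permit 10
 match ip address SLA_PROBE_ACL
 set ip next-hop 192.168.30.1
!
! "ip local policy" applies the route-map to traffic the router itself originates;
! an interface-level "ip policy" would not see the SLA probes
ip local policy route-map SLA_VIA_PRIMARY
!
! Source the probe from the Verizon sub-interface so replies return on that link
ip sla 1
 icmp-echo <probe-target> source-interface GigabitEthernet0/0.30
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1
 delay down 35 up 35
!
! Verify with:
!   show ip sla statistics 1
!   show track 1
!   show ip local policy
```

Test by disconnecting the Verizon link and confirming that `show track 1` goes Down while Internet access over HughesNet keeps working.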
05-30-2013 08:13 AM
Thank you, I will give this a try this weekend when there is no one in the office.