WAN Failover from Ethernet(Charter Spectrum) to Cellular(AT&T)

stevenclark612 (Level 1)

Both WAN services are DHCP. Please help! If you see anything else that I missed, please let me know. Thanks in advance. I have about 50 Ring devices and did not want issues with video and sound.

Building configuration...

Current configuration : 12575 bytes
!
! Last configuration change at 09:42:19 GMT Wed Aug 2 2023
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-001
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 BLANK
enable password BLANK
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT -4 0
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.0.100.1
ip dhcp excluded-address 10.0.154.1
ip dhcp excluded-address 10.0.254.1
ip dhcp excluded-address 10.0.100.1 10.0.100.50
ip dhcp excluded-address 10.0.100.250 10.0.100.254
ip dhcp excluded-address 10.0.154.1 10.0.154.50
ip dhcp excluded-address 10.0.154.250 10.0.154.254
ip dhcp excluded-address 10.0.254.1 10.0.254.50
ip dhcp excluded-address 10.0.254.250 10.0.254.254
!
ip dhcp pool VLAN-1
import all
network 10.0.100.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 10.0.100.1
domain-name cgnc.us
!
ip dhcp pool VLAN-154
import all
network 10.0.154.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 10.0.154.1
domain-name cgnc.us
!
ip dhcp pool VLAN-254
import all
network 10.0.254.0 255.255.255.0
default-router 10.0.254.1
dns-server 208.67.222.222 208.67.220.220
domain-name cgnc.us
!
!
!
ip domain name CGNC.US
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 1.1.1.1
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
cts logging verbose
license udi pid CISCO2951/K9 sn xxx
!
!
!
object-group service Inbound_Traffic
description ACL:Inbound-Traffic
icmp echo
tcp eq 7351
tcp eq 7752
tcp range 60000 61000
udp eq snmp
udp eq snmptrap
tcp range 9998 9999
tcp eq 6970
udp range 7076 7077
udp range 9078 9079
tcp range 15063 15064
udp range 15063 15064
tcp range 5060 5062
tcp eq 8883
udp range 5060 5062
tcp eq 3030
tcp eq 8088
udp eq 7351
tcp range 2195 2196
tcp eq 5223
tcp eq 993
tcp eq 7734
udp eq ntp
udp eq domain
tcp eq 587
tcp eq lpd
tcp eq 9100
tcp eq 8631
tcp eq 2165
udp eq 2165
tcp eq 8080
tcp eq 8443
tcp eq 1723
gre
tcp eq exec
tcp eq smtp
!
object-group service Outbound_Traffic
description ACL:Outbound-Traffic
icmp echo
tcp eq 7351
tcp eq 7752
tcp range 60000 61000
udp eq snmp
udp eq snmptrap
tcp range 9998 9999
tcp eq 6970
udp range 7076 7077
udp range 9078 9079
tcp range 15063 15064
udp range 15063 15064
tcp range 5060 5062
tcp eq 8883
udp range 5060 5062
tcp eq 3030
tcp eq 8088
udp eq 7351
tcp range 2195 2196
tcp eq 5223
tcp eq 993
tcp eq 7734
udp eq ntp
udp eq domain
tcp eq 587
tcp eq lpd
tcp eq 9100
tcp eq 8631
tcp eq 2165
udp eq 2165
tcp eq 8080
tcp eq 8443
tcp eq 1723
gre
tcp eq exec
!
object-group network local_cws_net
!
object-group network local_lan_subnets
any
!
object-group network vpn_remote_subnets
any
!
username xxx privilege 15 secret xxx
!
redundancy
!
!
!
!
!
controller Cellular 0/1
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
track 1 ip sla 1 reachability
!
!
class-map type inspect match-any WAN-TO-LAN-CLASS
description Allowed_Protocol_From_WAN-TO-LAN
match protocol snmp
match protocol icmp
match protocol ntp
match protocol echo
class-map type inspect match-any LAN-TO-WAN-CLASS
description Allowed_Protocol_From_LAN-TO-WAN
match protocol http
match protocol dns
match protocol udp
match protocol tcp
match protocol smtp
match protocol icmp
match protocol ftp
match protocol snmp
match protocol telnet
match protocol irc
match protocol ntp
match protocol ssh
match protocol syslog
match protocol nfs
match protocol streamworks
match protocol skinny
match protocol vdolive
match protocol imap
match protocol msnmsgr
match protocol snmptrap
match protocol tftp
match protocol echo
match protocol time
match protocol netshow
match protocol ica
match protocol hsrp
match protocol icabrowser
match protocol ident
match protocol icq
match protocol irc-serv
match protocol citrix
match protocol sms
match protocol appleqtc
match protocol realmedia
match protocol cifs
match protocol nntp
match protocol ldaps
match protocol ms-sql
match protocol pop3
match protocol https
match protocol rtsp
match protocol ldap
match protocol login
match protocol msexch-routing
match protocol mysql
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol orasrv
match protocol pptp
match protocol router
match protocol sql-net
match protocol sqlserv
match protocol sqlsrv
match protocol sshell
match protocol timed
match protocol winmsgr
match protocol stun
match protocol kerberos
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect LAN-TO-WAN-CLASS
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
inspect
class class-default
drop log
!
zone security WAN
zone security LAN
zone security VPN
zone security DMZ
zone-pair security WAN-TO-LAN source WAN destination LAN
service-policy type inspect WAN-TO-LAN-POLICY
zone-pair security LAN-TO-WAN source LAN destination WAN
service-policy type inspect LAN-TO-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description TRUNK-VLANS
no ip address
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.1
description VLAN-001
encapsulation dot1Q 1 native
ip address 10.0.100.1 255.255.255.0
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.154
description VLAN-154
encapsulation dot1Q 154
ip address 10.0.154.1 255.255.255.0
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.254
description VLAN-254
encapsulation dot1Q 254
ip address 10.0.254.1 255.255.255.0
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LACP/LAG-GROUP
no ip address
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/1
description LACP/LAG-GROUP
no ip address
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description PrimaryWANDesc_
ip address dhcp hostname ROUTER-001
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex full
speed 1000
!
interface Cellular0/1/0
description BackupWANDesc_
ip address negotiated
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
async mode interactive
!
interface Cellular0/1/1
description Backup-WAN-2
ip address negotiated
ip access-group Inbound_Traffic in
ip access-group Outbound_Traffic out
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
async mode interactive
!
interface Vlan1
!
interface Dialer1
description BackupWANDesc__Cellular0/1/0
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation slip
dialer pool 1
dialer idle-timeout 0
dialer string lte
dialer persistent
dialer-group 1
!
router rip
version 2
network 10.0.0.0
network 172.0.0.0
network 192.0.0.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http port 8080
ip http upload enable path flash:
ip http upload overwrite
no ip http secure-server
!
ip nat inside source list Meraki_Cloud interface GigabitEthernet0/0/0 overload
ip nat inside source list NAT-Inside_Subnets interface GigabitEthernet0/0/0 overload
ip nat inside source list Ring_Devices interface GigabitEthernet0/0/0 overload
ip nat inside source route-map nat2backup interface Dialer1 overload
ip nat inside source route-map nat2primary interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1
ip route 0.0.0.0 0.0.0.0 47.7.240.1
ip route 0.0.0.0 0.0.0.0 Dialer1 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0/0
!
ip access-list standard NAT-Inside_Subnets
permit 10.0.100.0 0.0.0.255
permit 10.0.154.0 0.0.0.255
permit 10.0.254.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
!
ip access-list extended Meraki_Cloud
permit udp any any eq 7351
permit tcp any any eq 7734
permit tcp any any eq 7752
permit tcp any any range 60000 61000
permit udp any any eq snmp
permit udp any any eq snmptrap
permit udp any eq snmptrap any
permit icmp any any
ip access-list extended OUTSIDE_NBN_IN
permit tcp object-group DDNS-ALLOW any
ip access-list extended Ring_Devices
permit tcp any any range 9998 9999
permit tcp any any eq 6970
permit udp any any range 7076 7077
permit udp any any range 9078 9079
permit tcp any any eq 15063
permit tcp any any eq 15064
permit udp any any eq 15064
permit udp any any eq 15063
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 5062
permit udp any any eq 5060
permit udp any any eq 5061
permit udp any any eq 5062
permit tcp any any eq 8883
!
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
!
ip sla 1
icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
route-map nat2primary permit 1
match ip address 198
match interface GigabitEthernet0/0/0
!
route-map nat2backup permit 1
match ip address 198
match interface Dialer1
!
!
snmp-server community private RW
snmp-server community public RO
access-list 197 permit icmp any host 1.1.1.1
access-list 198 permit ip any any
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/1/0 0/1/1
script dialer lte
modem InOut
no exec
transport input all
line vty 0 4
access-class 23 in
privilege level 15
password xxx
login
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 129.6.15.32
ntp server 129.6.15.26
ntp server 129.6.15.27
ntp server 129.6.15.28
ntp server 129.6.15.29
ntp server 129.6.15.30
!
end

3 Replies

Hello,
Your CFG file is rather convoluted and seems to suggest it has historic entries that are currently not being used?

I have consolidated the NAT route-maps and ACLs down to two NAT route-maps and a single extended ACL, and also amended the default route entries.

Please review and share your thoughts



Kind Regards
Paul

Thank you, I will give that a try. 

Paul, I cleaned up my config a bit. Some of the lines in your recommendation did not work on my router, especially the failover part. A lot of the junk in the previous one is something weird that happens when you log in to CCP and make any changes to the config: it puts in a bunch of crap I don't use, like the NBAR.

I have a 2951 router.

Building configuration...

Current configuration : 8553 bytes
!
! Last configuration change at 12:35:01 GMT Fri Aug 4 2023
! NVRAM config last updated at 12:35:26 GMT Fri Aug 4 2023
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-001
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
enable password
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
clock timezone GMT -4 0
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.0.100.1
ip dhcp excluded-address 10.0.154.1
ip dhcp excluded-address 10.0.254.1
ip dhcp excluded-address 10.0.100.1 10.0.100.50
ip dhcp excluded-address 10.0.100.250 10.0.100.254
ip dhcp excluded-address 10.0.154.1 10.0.154.50
ip dhcp excluded-address 10.0.154.250 10.0.154.254
ip dhcp excluded-address 10.0.254.1 10.0.254.50
ip dhcp excluded-address 10.0.254.250 10.0.254.254
!
ip dhcp pool VLAN-1
import all
network 10.0.100.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 10.0.100.1
domain-name cgnc.us
!
ip dhcp pool VLAN-154
import all
network 10.0.154.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 10.0.154.1
domain-name cgnc.us
!
ip dhcp pool VLAN-254
import all
network 10.0.254.0 255.255.255.0
default-router 10.0.254.1
dns-server 208.67.222.222 208.67.220.220
domain-name cgnc.us
!
!
!
no ip domain lookup
ip domain name CGNC.US
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 1.1.1.1
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 60 "OK"
cts logging verbose
license udi pid CISCO2951/K9 sn FJC1924A0WP
!
!
!
redundancy
!
!
!
!
!
controller Cellular 0/1
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
class-map type inspect match-any WAN-TO-LAN-CLASS
description Allowed_Protocol_From_WAN-TO-LAN
match protocol snmp
match protocol icmp
match protocol ntp
match protocol echo
class-map type inspect match-any LAN-TO-WAN-CLASS
description Allowed_Protocol_From_LAN-TO-WAN
match protocol http
match protocol dns
match protocol udp
match protocol tcp
match protocol smtp
match protocol icmp
match protocol ftp
match protocol snmp
match protocol telnet
match protocol irc
match protocol ntp
match protocol ssh
match protocol syslog
match protocol nfs
match protocol streamworks
match protocol skinny
match protocol vdolive
match protocol imap
match protocol msnmsgr
match protocol snmptrap
match protocol tftp
match protocol echo
match protocol time
match protocol netshow
match protocol ica
match protocol hsrp
match protocol icabrowser
match protocol ident
match protocol icq
match protocol irc-serv
match protocol citrix
match protocol sms
match protocol appleqtc
match protocol realmedia
match protocol cifs
match protocol nntp
match protocol ldaps
match protocol ms-sql
match protocol pop3
match protocol https
match protocol rtsp
match protocol ldap
match protocol login
match protocol msexch-routing
match protocol mysql
match protocol oracle
match protocol oracle-em-vp
match protocol oraclenames
match protocol orasrv
match protocol pptp
match protocol router
match protocol sql-net
match protocol sqlserv
match protocol sqlsrv
match protocol sshell
match protocol timed
match protocol winmsgr
match protocol stun
match protocol kerberos
!
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect LAN-TO-WAN-CLASS
inspect
class class-default
drop log
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect WAN-TO-LAN-CLASS
inspect
class class-default
drop log
!
zone security WAN
zone security LAN
zone security VPN
zone security DMZ
zone-pair security WAN-TO-LAN source WAN destination LAN
service-policy type inspect WAN-TO-LAN-POLICY
zone-pair security LAN-TO-WAN source LAN destination WAN
service-policy type inspect LAN-TO-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
description TRUNK-VLANS
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.1
description VLAN-001
encapsulation dot1Q 1 native
ip address 10.0.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.154
description VLAN-154
encapsulation dot1Q 154
ip address 10.0.154.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Port-channel1.254
description VLAN-254
encapsulation dot1Q 254
ip address 10.0.254.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/1
description LACP/LAG-GROUP
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex full
speed 1000
channel-group 1
no mop enabled
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description Primary-WAN
ip address dhcp hostname ROUTER-001
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex full
speed 1000
!
interface GigabitEthernet0/2/0
no ip address
shutdown
!
interface GigabitEthernet0/2/1
no ip address
shutdown
!
interface GigabitEthernet0/2/2
no ip address
shutdown
!
interface GigabitEthernet0/2/3
no ip address
shutdown
!
interface Cellular0/1/0
description Backup-WAN
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
async mode interactive
!
interface Cellular0/1/1
description Backup-WAN
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
async mode interactive
!
interface Vlan1
no ip address
shutdown
!
interface Dialer1
description Backup-WAN
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer pool 1
dialer idle-timeout 0
dialer string lte
dialer persistent
dialer-group 1
!
router rip
version 2
network 10.0.0.0
network 172.0.0.0
network 192.0.0.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http port 8080
no ip http secure-server
!
ip nat inside source list Hosts-Ports interface GigabitEthernet0/0/0 overload
ip nat inside source list NAT-Inside_Subnets interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 47.7.240.1
!
ip access-list standard NAT-Inside_Subnets
permit 10.0.100.0 0.0.0.255
permit 10.0.154.0 0.0.0.255
permit 10.0.254.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
!
ip access-list extended Hosts-Ports
permit udp any any eq 7351
permit tcp any any eq 7734
permit tcp any any eq 7752
permit tcp any any range 60000 61000
permit udp any any eq snmp
permit udp any any eq snmptrap
permit udp any eq snmptrap any
permit tcp any any range 9998 9999
permit tcp any any eq 6970
permit udp any any range 7076 7077
permit udp any any range 9078 9079
permit tcp any any eq 15063
permit tcp any any eq 15064
permit udp any any eq 15064
permit udp any any eq 15063
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 5062
permit udp any any eq 5060
permit udp any any eq 5061
permit udp any any eq 5062
permit tcp any any eq 8883
permit icmp any any
!
!
!
snmp-server community private RW
snmp-server community public RO
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/1/0 0/1/1
script dialer lte
modem InOut
no exec
transport input all
line vty 0 4
access-class 23 in
privilege level 15
password 7 0813595D1D005445414A
login
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 129.6.15.32
ntp server 129.6.15.26
ntp server 129.6.15.27
ntp server 129.6.15.28
ntp server 129.6.15.29
ntp server 129.6.15.30
!
end
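Neither posted config can actually fail over as written: in the first, the untracked `ip route 0.0.0.0 0.0.0.0 47.7.240.1` (AD 1) stays in the RIB when track 1 goes down, so the Dialer1 route at AD 253 never installs, and the SLA probe to 1.1.1.1 has no host route pinned to the primary (only 8.8.8.8 does); in the second, the track, the SLA and the backup route are gone entirely. The audit script below is an added example, not code from this thread: it parses the routing lines of an IOS config and reports exactly those conditions over excerpts taken from the two configs above. `FIXED_CFG` is an assumed corrected shape (untracked AD-1 default removed, SLA target pinned to the primary), not a config anyone in the thread posted.

```python
import re
# IOS lines the audit needs; leading whitespace is optional because pasted
# configs (like the two in this thread) usually lose their indentation.
ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?\s*$")
TRACK_RE = re.compile(r"^\s*track (\d+) ip sla (\d+) reachability")
SLA_RE = re.compile(r"^\s*ip sla (\d+)\s*$")
PROBE_RE = re.compile(r"^\s*icmp-echo (\S+)")

def parse(cfg):
    """Collect static routes, track -> sla bindings and sla -> probe-target bindings."""
    routes, tracks, probes, sla = [], {}, {}, None
    for line in cfg.splitlines():
        if m := ROUTE_RE.match(line):
            net, mask, via, ad, trk = m.groups()
            routes.append({"net": net, "mask": mask, "via": via, "ad": int(ad or 1), "track": trk})
        elif m := TRACK_RE.match(line):
            tracks[m.group(1)] = m.group(2)
        elif m := SLA_RE.match(line):
            sla = m.group(1)  # icmp-echo lines that follow belong to this SLA entry
        elif sla and (m := PROBE_RE.match(line)):
            probes[sla] = m.group(1)
    return routes, tracks, probes

def audit_failover(cfg):
    """Return findings explaining why a tracked-primary / floating-backup pair would not fail over."""
    routes, tracks, probes = parse(cfg)
    findings = []
    defaults = [r for r in routes if r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    tracked = [r for r in defaults if r["track"]]
    if not tracked:
        findings.append("no default route is tied to a track object, so the primary is never withdrawn")
    if not any(not r["track"] and r["ad"] > 1 for r in defaults):
        findings.append("no floating (higher-AD) backup default route, so nothing takes over on failure")
    for r in defaults:
        if tracked and not r["track"] and r["ad"] == 1:
            findings.append(f"untracked default via {r['via']} at AD 1 stays installed when the tracked "
                            "route is withdrawn, so the floating backup never installs")
    for r in tracked:
        sla = tracks.get(r["track"])
        target = probes.get(sla) if sla else None
        if target is None:
            findings.append(f"track {r['track']} has no usable ip sla icmp-echo probe behind it")
        elif not any(x["net"] == target and x["mask"] == "255.255.255.255" and x["via"] == r["via"]
                     for x in routes):
            findings.append(f"probe target {target} has no host route pinned to {r['via']}, so after "
                            "failover the probe can succeed over the backup path and the route will flap")
    return findings

# Constructed excerpts: routing lines from the two posted configs, plus an assumed
# corrected shape (not from the thread) with the untracked default removed and the probe pinned.
ORIGINAL_CFG = """track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1
ip route 0.0.0.0 0.0.0.0 47.7.240.1
ip route 0.0.0.0 0.0.0.0 Dialer1 253
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/0/0
ip sla 1
icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0/0"""
CLEANED_CFG = "ip route 0.0.0.0 0.0.0.0 47.7.240.1\n"
FIXED_CFG = """track 1 ip sla 1 reachability
ip sla 1
icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0/0
ip route 1.1.1.1 255.255.255.255 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 253"""
```

Run `audit_failover` over a full `show running-config` paste; the regexes ignore every line except the static routes, track, SLA and probe statements.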
