cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
544
Views
0
Helpful
4
Replies
Highlighted
Beginner

WAN Routing Config Question

Hi everyone, so this is my first post here.  I am hoping that an expert (because I certainly am not one) can take a look at my config and tell me if I am achieving the goals that I have for routing.  I have changed all the IP Addresses to 5.5.5.X so as to not post our actual IPs

Netowrk Config:

4x Bonded T-1's

1x Cisco 2911 Router with IP Base license

1x HWIC-4T1 interface card for the Four T-1's in Slot 0

1x DSL Connection connected to port GI0/0 on the 2911

Port GI0/1 is connected to my ASA 5512

I have the ASA 5512 doing NAT for the following:

If traffic is coming from my VoIP subnet, then Translate it to 5.5.5.85

If traffic is coming from my Guest WiFi subnet, then Translate it to 5.5.5.83

If traffic is coming from any other subnet translate it to 5.5.5.82

Note that all traffic is coming into the router via port GI0/1

Goals:

Bond all 4 t-1's into 1 "big" 6MB pipe

Configure Policy Based Routing to achieve the following:

* All VoIP traffic should be marked as critical for precendence (5)

* All Guest WiFi traffic should be routed to the DSL connection and never touch the T-1 connections

* If My T-1 connection fails, switch over all traffic to the DSL connection temporarily

I think I have all of this down (except for the backup WAN connection) and I was hoping that someone can tell me if I did this right? I am NOT a CCNA, and I literally used logic and pieced all of this together myself, so please be gentle!!! Here is my Sh Run Output...

sh run
Building configuration...

Current configuration : 4977 bytes
!
! Last configuration change at 21:03:44 UTC Fri Feb 7 2014 by gbundy
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2911
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.154-1.T.bin
boot system flash0:c2900-universalk9-mz.SPA.152-4.M4.bin
boot-end-marker
!
!
card type t1 0 0
logging buffered 51200 warnings
enable secret 4 >>REMOVED<<
!
no aaa new-model
no network-clock-participate wic 0
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
!
no ip domain lookup
ip domain name >>REMOVED<<.com
no ip mfib
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1149088280
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1149088280
revocation-check none
rsakeypair TP-self-signed-1149088280
!
!
crypto pki certificate chain TP-self-signed-1149088280
certificate self-signed 01
  >>REMOVED<<
   quit
license udi pid CISCO2911/K9 sn FGLXXXXXXXX
!
!
username >>REMOVED<< privilege 15 secret 4 >>REMOVED<<
!
redundancy
!
!
controller T1 0/0/0
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/2
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/3
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
!
!
!
!
interface Multilink1
description connection to AT&T circuit with bonded T1s
bandwidth 6144
ip address 1.1.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ppp multilink
ppp multilink group 1
no cdp enable
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 5.5.5.81 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip policy route-map TPR_Default
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/2:0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/3:0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
route-map TPR_Default permit 10
match ip address 100
set ip precedence critical
set interface Multilink1
!
route-map TPR_Default permit 20
match ip address 101
set interface GigabitEthernet0/0
!
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip host 5.5.5.85 any
access-list 101 permit ip host 5.5.5.83 any
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Any and all advice is appreciated as I only have one shot to make this work right                   

4 REPLIES 4
Highlighted
Beginner

Hi,

Goals:

  • Bond all 4 t-1's into 1 "big" 6MB pipe

    -  Multilink configuration looked good.

Configure Policy Based Routing to achieve the following:

   1. All VoIP traffic should be marked as critical for precendence (5)

  • Following config should do the job, reason for using verify-availability is explained in point no. 3

!

route-map TPR_Default permit 10

match ip address 100

set ip precedence critical

set ip next-hop verify-availability 1.1.1.x 10 track 10

set ip next-hop verify-availability 10.10.10.x 20

! 
   2. All Guest WiFi traffic should be routed to the DSL connection and never touch the T-1 connections
  • You should change the config with following, using multiaccess interface can cause issues with proxy-arp.

!

route-map TPR_Default permit 20

match ip address 101

set ip next-hop 10.10.10.x

!

   3. If My T-1 connection fails, switch over all traffic to the DSL connection temporarily

  • Following config tracks all serial links and track 6 will go down only if all serial links go down; following that track 10 will go down if either Multilink or all serial links go down and as result all traffic will be switched through G0/1 via next hop 10.10.10.x

!

ip route 0.0.0.0 0.0.0.0 multilink1 track 10

ip route 0.0.0.0 0.0.0.0 10.10.10.x 200

!

track 1 interface Serial0/0/0:0 line-protocol

track 2 interface Serial0/0/1:0 line-protocol

track 3 interface Serial0/0/2:0 line-protocol

track 4 interface Serial0/0/3:0 line-protocol

!

track 5 interface Multilink1 line-protocol

!

track 6 list boolean or

object 1

object 2

object 3

object 4

!

track 10 list boolean and

object 5

object 6

!

For more information about Policy Based Routing with the Multiple Tracking Options Feature

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

For information about Enhanced Object Tracking and Boolean

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/configuration/12-4t/iap-eot.html#GUID-7D791673-D0FB-4C75-BDAB-30E8AB427862

For information about Dual ISP Failover

https://supportforums.cisco.com/thread/2260396

-Vishesh

Highlighted

Thank you so much for your help. I have implemented the changes you suggested, but I have two questions:

route-map TPR_Default permit 10

match ip address 100

set ip precedence critical

set ip next-hop verify-availability 1.1.1.x 10 track 10

set ip next-hop verify-availability 10.10.10.x 20

in the last line above there is no track statement, so I just used set ip next-hop 10.10.10.x

Also with tracking, will that fail back over to the primary circuit once it is back up and running, or do I need to upgrade and use a data license and implement IP SLA monitoring?

Thanks again!!!!

Highlighted

In second statement we won't need track as its seq number is 20 (secondary next-hop) so as long as track 10 is up only 1 next-hop would be used. It will fallback to the primary once the track comes up after Multilink comes up.

SLA can also be used for tracking, but is not essential with your requirements.

-Vishesh

Highlighted
Beginner

I am not sure if this command would be required, in case you have any trouble with Multilink try removing it -

multilink bundle-name authenticated