09-25-2012 04:35 AM - edited 03-07-2019 09:05 AM
Hi Experts,
I want to configure simple redundancy/failover between these two sites, only for internet access. Each site has a 1 Mbps internet link from a different ISP.
The distance between site A and site B is approximately 1 km. Currently both sites run separately; there is no point-to-point connectivity, but I have drawn it in my attached network diagram because I will buy a 2 Mbps point-to-point LL with one FastEthernet HWIC card for each router.
Please see the whole network configuration below. I am not sure whether it is correct or not, so make changes as you see fit.
Overall I need only two things solved.
1. In my current setup, suppose ISP1 goes down; at that time Site A users cannot access the internet. Suppose ISP2 goes down; at that time Site B users cannot access the internet.
Our requirement is: if ISP1 goes down, all internet traffic should go through ISP2; if ISP2 goes down, all internet traffic should go through ISP1.
Then when ISP1 gets back to normal, the internet traffic should go back to ISP1. Is there any need to configure "Administrative Distance"?
2. Site A's LAN should communicate with Site B's LAN, and Site B's LAN should communicate with Site A's LAN.
Things to remember:
-- First see my attached network diagram
-- I am using only default routing at both sites
-- There is no routing protocol here, and I also do not want to configure any routing protocols
-- Please do not use words like load balancing / load sharing; only a simple setup with static routes and AD if required
============================================================
Router Site A Config=>
ip name-server 201.122.33.154
ip name-server 201.122.33.152
interface FastEthernet0/0
description $For WAN$
ip address 122.55.66.77 255.255.255.224
ip nat outside
interface FastEthernet0/1
description $For LAN$
ip address 172.25.182.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/2
description --- 2Mbps LL to SiteB Fe0/0 ---
ip address 192.168.1.1 255.255.255.0
ip nat inside (Yes or No)
ip route ????????????????????
ip route 0.0.0.0 0.0.0.0 122.55.66.76
ip http server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
end
Router Site B Config=>
ip name-server 201.122.33.154
ip name-server 201.122.33.152
interface Fe0/0
description --- 2Mbps LL to SiteA Fe0/2 ---
ip address 192.168.1.2 255.255.255.0
ip nat inside (Yes or No)
interface Fe0/1
description $For LAN$
ip address 192.168.20.1 255.255.255.0
ip nat inside
interface FastEthernet0/2
description $For WAN$
ip address 78.87.23.4 255.255.255.224
ip nat outside
=========================
ip classless
ip route ??????????????????????
ip route 0.0.0.0 0.0.0.0 78.87.23.3
=====================
ip http server
ip nat inside source list 101 interface FastEthernet0/2 overload
!
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
end
09-25-2012 05:46 AM
You could try something like this.
IP SLA is used to verify downstream connectivity. In the example, we send an icmp-echo to public DNS servers every 5 seconds. If the router does not receive a response for 60 seconds, the ISP is presumed down and the route is removed from the routing table, causing traffic to be routed over the point-to-point link.
Also note that once the ISP connection comes back online, the route is automatically inserted back into the routing table.
In the example I have used public DNS servers (Google & OpenDNS); you can change this value to whatever you want. Ensure the IP you are sending pings to is extremely reliable, i.e. never offline. I typically use my ISP's DNS servers, for example.
Site A
ip route 0.0.0.0 0.0.0.0 122.55.66.76 track 20
! Floating route with AD of 10
ip route 0.0.0.0 0.0.0.0 192.168.1.2 10
ip sla 20
icmp-echo 8.8.8.8 source-interface FastEthernet0/2
timeout 2000
threshold 2000
frequency 5
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
delay down 60 up 60
Site B
ip route 0.0.0.0 0.0.0.0 78.87.23.3 track 20
! Floating route with AD of 10
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
ip sla 20
icmp-echo 208.67.222.22 source-interface FastEthernet0/0
timeout 2000
threshold 2000
frequency 5
ip sla schedule 20 life forever start-time now
track 20 ip sla 20 reachability
delay down 60 up 60
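An added example, not from Ryan's post or from anyone else in this thread: the same IP SLA and track design, with two details a practitioner should add so the tracked route does not flap after a failover. The echo is sourced from the ISP-facing interface, and a static host route pins the probe target to the ISP next hop, so the probe can only succeed through the link being tested. Without that, once the floating route takes over, the probe would be answered via the leased line and the other site's ISP, the primary default would be reinstalled, and the cycle would repeat. Interface and next-hop addresses are those given in the thread; the SLA/track numbers and the probe targets (8.8.8.8 and the OpenDNS resolver 208.67.222.222) are assumptions carried over from Ryan's example.

```ios
! ---- Site A (added example; hostnames assumed) ----
! Fa0/0 = WAN to ISP1 (next hop 122.55.66.76), Fa0/2 = 2 Mbps LL to Site B (192.168.1.2)
!
! Pin the probe target to ISP1. This is a plain (untracked) host route, so the echo
! can never be answered over the leased line. Trade-off: 8.8.8.8 itself is unreachable
! from this site while ISP1 is down, so choose a target your users do not need.
ip route 8.8.8.8 255.255.255.255 122.55.66.76
!
ip sla 20
 icmp-echo 8.8.8.8 source-interface FastEthernet0/0
 timeout 2000
 threshold 2000
 frequency 5
ip sla schedule 20 life forever start-time now
!
! Require 60 s of consecutive failures before withdrawing the route, and 60 s of
! success before putting it back (dampens an ISP that is flapping).
track 20 ip sla 20 reachability
 delay down 60 up 60
!
! Primary default (AD 1) exists only while track 20 is up; the floating default
! (AD 220) over the leased line enters the routing table when the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 122.55.66.76 track 20
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
!
! ---- Site B (mirror image) ----
! Fa0/2 = WAN to ISP2 (next hop 78.87.23.3), Fa0/0 = LL to Site A (192.168.1.1)
ip route 208.67.222.222 255.255.255.255 78.87.23.3
!
ip sla 20
 icmp-echo 208.67.222.222 source-interface FastEthernet0/2
 timeout 2000
 threshold 2000
 frequency 5
ip sla schedule 20 life forever start-time now
!
track 20 ip sla 20 reachability
 delay down 60 up 60
!
ip route 0.0.0.0 0.0.0.0 78.87.23.3 track 20
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
!
! Verification (either router):
!   show track 20              - Up/Down state and time of last change
!   show ip sla statistics 20  - probe success/failure counters
!   show ip route static       - which default route is currently installed
```

Because the host route is not tracked, the probe target stays pinned to the ISP for as long as that ISP is down; if the chosen target must remain reachable for users during a failover, use the ISP's own gateway or DNS resolver as the target instead.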
09-25-2012 06:39 AM
Hi Ryan,
In your solution, there is no need to configure IP NAT INSIDE on the Site A router's Fe0/2 port and
IP NAT INSIDE on the Site B router's Fe0/0 port.
Am I right?
09-25-2012 06:53 AM
As Giuseppe mentioned, ip nat inside should be enabled on both interfaces.
Site A Router
interface fe0/2
ip nat inside
Site B Router
interface fe0/0
ip nat inside
09-25-2012 05:47 AM
Hello Kuldeep,
you need additional static routes and you need to modify the ACLs used for NAT in order to provide correct behaviour.
RA.
You need to provide routing information to reach Site B local subnets and to configure a backup default static route that is a floating static route with an increased AD as you noted.
ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
interface fas0/2
ip nat inside
! it is needed to provide internet access failover
The NAT access-list has to be modified to take into account inter-site traffic that doesn't need to be NATed.
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
Note:
I have used a greater range to include all the existing IP subnets in Site A; you can use multiple ranges instead if you like.
The first lines, the deny statements, are not blocking traffic; they are preventing NAT from happening.
Actually, NAT is triggered when going from a NAT inside to a NAT outside interface, so the above ACL is in part redundant when describing the inter-site traffic, but it is useful for documentation purposes.
NAT change
ip nat inside source list 102 interface fas0/0 overload
RB
ip route 172.25.160.0 255.224.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
interface fas0/0
ip nat inside
ip nat inside source list 102 interface fas0/2 overload
The same ACL can be deployed here to configure NAT.
Edit:
As explained by Ryan, you can use IP SLA to track the primary static route in each site. This allows detection of indirect failures.
Hope to help
Giuseppe
09-25-2012 07:00 AM
Hi Giuseppe,
There are some queries about your solution:
1. I am confused by the same AD value given by you for both sites' static routes, i.e. 220.
I think the value should be different; I am not sure about this. Am I right or wrong?
2. Can I write it this way?
Site A Router =>
ip route 0.0.0.0 0.0.0.0 122.55.66.76 219
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
Site B Router =>
ip route 0.0.0.0 0.0.0.0 78.87.23.3 219
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
3. I do not have a 172.160.X.X subnet, so what is the need for these ACLs?
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
4. I read many posts where the administrative distance of a static route is 1. What does that mean?
09-25-2012 07:09 AM
Hi,
1. I am confused by the same AD value given by you for both sites' static routes, i.e. 220.
I think the value should be different; I am not sure about this. Am I right or wrong?
What counts is that the floating static route has a higher AD than the primary one, and these static routes are only locally significant, so you can use the same AD on both sites.
2. Can I write it this way?
Site A Router =>
ip route 0.0.0.0 0.0.0.0 122.55.66.76 219
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
Site B Router =>
ip route 0.0.0.0 0.0.0.0 78.87.23.3 219
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
Yes, it's correct, but you can leave the default AD of the static route for the primary, which is 1.
4. I read many posts where the administrative distance of a static route is 1. What does that mean?
It means that when you don't specify an AD for a static route, it is equal to 1 by default; just do a sh ip route static and you'll see it.
Regards.
Alain
Don't forget to rate helpful posts.
09-25-2012 07:10 AM
Hello Kuldeep,
1) I only wrote the backup default static route. Starting from your configuration template, I assumed a primary static route with default AD 1; the use of AD 220 for the floating static route is just a choice that makes this static route less preferred than any info coming from a routing protocol, if any.
And you also need static routes for inter-site communication, as I have explained.
2) As explained above, I would not specify the AD for the primary route in each site, using the default value of 1. However, the configuration that you have proposed would work. For primary routes a real improvement is given by object tracking, as proposed by Ryan.
3) I have used the address range 172.25.160.0/19, meaning from 172.25.160.0 to 172.25.191.255, to represent your IP subnets in site A.
The ACL written in this way may be of help in troubleshooting; however, you can use your ACL 101 instead if you like.
4) With AD 1, a static route is preferred over any other routing information except connected routes.
Hope to help
Giuseppe
09-25-2012 07:42 AM
Hi Giuseppe,
Can I use different AD values at both sites, like this:
Site A:
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
Site B:
ip route 0.0.0.0 0.0.0.0 192.168.1.1 222
09-25-2012 07:46 AM
Hello Kuldeep,
Yes, you can, if this gives you some benefit, at least for documentation purposes.
Hope to help
Giuseppe
09-25-2012 07:16 AM
Hi Kuldeep,
You can have PBR against your default route to make the redundancy work between the sites for internet. Please make sure that you use the default next-hop method, so that it will take the default route as the primary route, and if that fails it will take the policy-based route.
For Site A and Site B communication you can have the static route....
Please do rate if the given information helps.
By
Karthik
09-25-2012 10:02 PM
Hello Kuldeep,
As reviewed:
1. In my current setup, suppose ISP1 goes down; at that time Site A users cannot access the internet. Suppose ISP2 goes down; at that time Site B users cannot access the internet.
As suggested above, IP SLA will do this for you. Let us know if you need any clarification here.
a.
Can I use different AD values at both sites, like this:
Site A:
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
Site B:
ip route 0.0.0.0 0.0.0.0 192.168.1.1 222
Ans: Yes, you can. Administrative distance is the metric calculation used to select the best path when there are two or more different routes to the same destination.
2. Site A's LAN should communicate with Site B's LAN, and Site B's LAN should communicate with Site A's LAN.
Yes, please make sure that you don't NAT internal communication; the same has been clearly pointed out by Giuseppe. Please follow it.
3.
Site A Router
interface fe0/2
ip nat inside
Site B Router
interface fe0/0
ip nat inside
Yes
a) As suggested to you in the other post (https://supportforums.cisco.com/message/3743193#3743193), here we are not using a common shared or single ISP point for the two sites, and have a separate ISP line for each. Then, to make the respective sites use their connected ISP link, you should specify the NATing on it.
b) If any of the ISP links goes down, the IP SLA will remove the default route from the routing table and hence all the traffic is moved via the floating route, i.e. traffic is routed over the point-to-point link.
Regards
srikanth
09-25-2012 11:33 PM
Hi Srikanth,
I am unable to understand this line written by you:
"Yes, please make sure that you don't NAT internal communication"
Where am I doing this? Which site and which subnet are you talking about?
Can you please explain in a simple way, with config, so that
I can easily understand.....
09-25-2012 11:49 PM
Hello Kuldeep,
I mean to say what the expert Giuseppe has suggested you do for the Site A and Site B LAN communication and vice versa.
Below are his suggestions with the configurations:
you need additional static routes and you need to modify the ACLs used for NAT in order to provide correct behaviour.
RA.
You need to provide routing information to reach Site B local subnets and to configure a backup default static route that is a floating static route with an increased AD as you noted.
ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
interface fas0/2
ip nat inside
! it is needed to provide internet access failover
The NAT access-list has to be modified to take into account inter-site traffic that doesn't need to be NATed.
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
Note:
I have used a greater range to include all the existing IP subnets in Site A; you can use multiple ranges instead if you like.
The first lines, the deny statements, are not blocking traffic; they are preventing NAT from happening.
Actually, NAT is triggered when going from a NAT inside to a NAT outside interface, so the above ACL is in part redundant when describing the inter-site traffic, but it is useful for documentation purposes.
NAT change
ip nat inside source list 102 interface fas0/0 overload
RB
ip route 172.25.160.0 255.224.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
interface fas0/0
ip nat inside
ip nat inside source list 102 interface fas0/2 overload
The same ACL can be deployed here to configure NAT.
Edit:
As explained by Ryan, you can use IP SLA to track the primary static route in each site. This allows detection of indirect failures.
Hope to help
Giuseppe
That's it; all the above suggestions by the expert will meet all your requirements. Keep us posted if you have any queries in implementing it.
Regards,
srikanth
09-26-2012 03:55 AM
Hi Srikanth,
I have a little confusion, please rectify:
Site A =>
1. ip route 0.0.0.0 0.0.0.0 122.55.66.76
2. ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
3. ip route 192.168.20.0 255.255.255.0 192.168.1.2 (is there any need for this static route,
because the second route (2) command is sufficient for both internet + communication to site B?)
Site B =>
1. ip route 0.0.0.0 0.0.0.0 78.87.23.3
2. ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
3. ip route 172.25.160.0 255.224.0.0 192.168.1.1 (is there any need for this static route,
because the second route (2) command is sufficient for both internet + communication to site A?)
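An added example, not taken from any post in the thread, covering the question above: the specific inter-site route is required even though the floating default also points at the leased line. A router keeps only the best route for a given prefix in its routing table, so while the AD-1 default is installed the AD-220 default is not present at all, and without the /24 route traffic for Site B's LAN would follow the primary default out to ISP1 and be NATed there. The block shows the static routes and the NAT exemption for both sites using the thread's own addresses; it assumes 172.25.182.0/24 is the only Site A subnet (the original post shows no other) and keeps the untracked primary default from the original post, since object tracking of the primary default is a separate concern.

```ios
! ---- Site A router (added example) ----
! Fa0/0 WAN to ISP1 (next hop 122.55.66.76), Fa0/1 LAN 172.25.182.0/24,
! Fa0/2 leased line 192.168.1.1/24 to Site B 192.168.1.2
!
! Primary default (AD 1) as in the original post, floating default over the LL (AD 220).
ip route 0.0.0.0 0.0.0.0 122.55.66.76
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
!
! Still required: the AD-220 default is NOT in the routing table while the AD-1 default
! is installed, so without this line Site B's LAN would be reached via ISP1 (and NATed).
ip route 192.168.20.0 255.255.255.0 192.168.1.2
!
interface FastEthernet0/0
 description WAN to ISP1
 ip nat outside
interface FastEthernet0/1
 description Site A LAN
 ip nat inside
interface FastEthernet0/2
 description 2 Mbps LL to Site B Fa0/0
 ! inside, so Site B's LAN can be translated out of Fa0/0 during a failover
 ip nat inside
!
! NAT list: inter-site traffic is exempt, everything else from either LAN is translated.
! The deny lines are documentation: inside-to-inside traffic is never translated anyway.
access-list 102 deny   ip 172.25.182.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 deny   ip 172.25.182.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.25.182.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0/0 overload
!
! ---- Site B router (mirror image) ----
! Fa0/2 WAN to ISP2 (next hop 78.87.23.3), Fa0/1 LAN 192.168.20.0/24,
! Fa0/0 leased line 192.168.1.2/24 to Site A 192.168.1.1
ip route 0.0.0.0 0.0.0.0 78.87.23.3
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
ip route 172.25.182.0 255.255.255.0 192.168.1.1
!
interface FastEthernet0/2
 description WAN to ISP2
 ip nat outside
interface FastEthernet0/1
 description Site B LAN
 ip nat inside
interface FastEthernet0/0
 description 2 Mbps LL to Site A Fa0/2
 ip nat inside
!
access-list 102 deny   ip 192.168.20.0 0.0.0.255 172.25.182.0 0.0.0.255
access-list 102 deny   ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 permit ip 172.25.182.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0/2 overload
!
! Verification:
!   show ip route static      - the /24 to the other site and only ONE default are present
!   show ip nat translations  - no entries for LAN-to-LAN flows, entries for internet flows
```

During a failover the site whose ISP is down sends its users' internet flows across the leased line, and those flows leave with the other site's public address and share that site's 1 Mbps ISP link; the `permit ... 192.168.20.0` / `permit ... 172.25.182.0` lines and `ip nat inside` on the leased-line interfaces are what make that translation happen.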