2 Routers + 2 Sites + 2 ISP + Internet Failover without any Routing protocols

Kuldeep singh
Level 1

Hi Experts,

I want to configure simple redundancy/failover between these two sites, only for internet access; each site has a 1 Mbps internet link from a different ISP.

The distance between site A and site B is approximately 1 km. Currently both sites run separately; there is no point-to-point connectivity, but I have drawn it in my attached network diagram because I will buy a 2 Mbps point-to-point leased line with one FastEthernet HWIC card for each router.

Please see the whole network configuration below. I am not sure whether it is correct or not, so make changes as you see fit.

Overall I need a solution for only two things.

1. In my current setup, suppose ISP1 goes down; at that time Site A users cannot access the internet. Suppose ISP2 goes down; at that time Site B users cannot access the internet.

     Our requirement is: if ISP1 goes down, all internet traffic should go through ISP2; if ISP2 goes down, all internet traffic should go through ISP1.

     Then, when ISP1 comes back to normal, the internet traffic should go back to ISP1. Is there any need to configure "Administrative Distance"?

2. Site A's LAN should be able to communicate with Site B's LAN, and Site B's LAN should be able to communicate with Site A's LAN.

Things to remember:

-- Please see my attached network diagram.

-- I am using only default routing at both sites.

-- There is no routing protocol here, and I also do not want to configure any routing protocol.

-- Please do not use words like load balancing/load sharing; only a simple setup with static routes and AD if required.

============================================================

Router Site A config =>

ip name-server 201.122.33.154
ip name-server 201.122.33.152
!
interface FastEthernet0/0
 description $For WAN$
 ip address 122.55.66.77 255.255.255.224
 ip nat outside
!
interface FastEthernet0/1
 description $For LAN$
 ip address 172.25.182.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/2
 description --- 2Mbps LL to SiteB Fe0/0 ---
 ip address 192.168.1.1 255.255.255.0
 ip nat inside (Yes or No)
!
ip route  ????????????????????
ip route 0.0.0.0 0.0.0.0 122.55.66.76
!
ip http server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
end

Router Site B config =>

ip name-server 201.122.33.154
ip name-server 201.122.33.152
!
interface FastEthernet0/0
 description --- 2Mbps LL to SiteA Fe0/2 ---
 ip address 192.168.1.2 255.255.255.0
 ip nat inside (yes or no)
!
interface FastEthernet0/1
 description $For LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/2
 description $For WAN$
 ip address 78.87.23.4 255.255.255.224
 ip nat outside
!
=========================
ip classless
ip route ??????????????????????
ip route 0.0.0.0 0.0.0.0 78.87.23.3
=====================
!
ip http server
ip nat inside source list 101 interface FastEthernet0/2 overload
!
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
end

3 Accepted Solutions


15 Replies

Ryan-Kramer
Level 1

You could try something like this.

IP SLA is used to verify downstream connectivity. In the example, we will send an icmp-echo to public DNS servers every 5 seconds. If the router does not receive a response for 60 seconds, the ISP is presumed down and the route is removed from the routing table, causing traffic to be routed over the point-to-point link.

Also note that once the ISP connection comes back online the route is automatically inserted back into the routing table.

In the example I have used public DNS servers (Google & OpenDNS); you can change this value to whatever you want. Ensure the IP you are sending pings to is extremely reliable, i.e. never offline. I typically use my ISP's DNS servers, for example.

Site A

! Primary default route: installed only while track 20 is up
ip route 0.0.0.0 0.0.0.0 122.55.66.76 track 20
! Floating route with AD of 10: used only when the tracked route is withdrawn
ip route 0.0.0.0 0.0.0.0 192.168.1.2 10
! Host route for the probe target (added to the original post): it keeps the
! probe on the ISP path even after the tracked default is withdrawn, so a probe
! that would otherwise leak over the point-to-point link cannot bring the track
! back up and flap the default route
ip route 8.8.8.8 255.255.255.255 122.55.66.76
!
ip sla 20
 ! sourced from the ISP-facing interface (Fa0/0 at Site A), not from the LL interface
 icmp-echo 8.8.8.8 source-interface FastEthernet0/0
 timeout 2000
 threshold 2000
 frequency 5
ip sla schedule 20 life forever start-time now
!
track 20 ip sla 20 reachability
 delay down 60 up 60

Site B

! Primary default route: installed only while track 20 is up
ip route 0.0.0.0 0.0.0.0 78.87.23.3 track 20
! Floating route with AD of 10
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
! Host route for the probe target (added), for the same reason as at Site A
ip route 208.67.222.22 255.255.255.255 78.87.23.3
!
ip sla 20
 ! sourced from the ISP-facing interface (Fa0/2 at Site B)
 icmp-echo 208.67.222.22 source-interface FastEthernet0/2
 timeout 2000
 threshold 2000
 frequency 5
ip sla schedule 20 life forever start-time now
!
track 20 ip sla 20 reachability
 delay down 60 up 60
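As an added example (not code from Ryan's post), here is a small Python model of the Site A routing table above: a tracked default route, the AD 10 floating route and the IP SLA probe. It shows why the probe target needs a host route via the ISP next hop: without it, once the tracked route is withdrawn the probe follows the floating route to Site B, gets answered there, and the default route flaps. The class and function names are this example's own, and the user destination 203.0.113.10 is a constructed address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: str                  # "0.0.0.0/0" for a default, "8.8.8.8/32" for a host route
    next_hop: str
    ad: int = 1                  # IOS static routes default to AD 1
    track: Optional[int] = None  # installed only while this track object is up

class SiteRouter:
    """Site A as in the thread: ISP next hop 122.55.66.76, LL next hop 192.168.1.2."""
    def __init__(self, isp_nh, ll_nh, probe_target, pin_probe):
        self.isp_nh, self.ll_nh, self.probe = isp_nh, ll_nh, probe_target
        self.isp_up = True
        self.track_up = True
        self.routes = [
            Route("0.0.0.0/0", isp_nh, 1, track=20),  # ip route 0.0.0.0 0.0.0.0 <isp> track 20
            Route("0.0.0.0/0", ll_nh, 10),            # floating default, AD 10
        ]
        if pin_probe:  # ip route <probe> 255.255.255.255 <isp> (untracked host route)
            self.routes.append(Route(probe_target + "/32", isp_nh))

    def installed(self):
        """RIB view: a tracked static route is withdrawn while its track is down."""
        return [r for r in self.routes if r.track is None or self.track_up]

    def next_hop(self, dst):
        """Longest prefix first, then lowest AD, as IOS chooses between static routes."""
        d = ipaddress.ip_address(dst)
        cands = [r for r in self.installed() if d in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        best = max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.ad))
        return best.next_hop

    def probe_answered(self):
        """Echo answered only over a working path; assumed: Site B NATs and forwards LL arrivals."""
        nh = self.next_hop(self.probe)
        return self.isp_up if nh == self.isp_nh else nh == self.ll_nh

    def sla_cycle(self):
        """One probe and track update; the 'delay down 60 up 60' timers are collapsed."""
        self.track_up = self.probe_answered()

def failover_path(pin_probe, down_cycles=4):
    """Next hop for a user's internet packet (constructed dst) per SLA cycle: during the outage, then after recovery."""
    r = SiteRouter("122.55.66.76", "192.168.1.2", "8.8.8.8", pin_probe)
    r.sla_cycle()                       # steady state with the ISP healthy
    r.isp_up = False
    path = []
    for _ in range(down_cycles):
        r.sla_cycle()
        path.append(r.next_hop("203.0.113.10"))
    r.isp_up = True
    r.sla_cycle()
    path.append(r.next_hop("203.0.113.10"))
    return path
```

`failover_path(False)` alternates between the LL and the (dead) ISP next hop every cycle, while `failover_path(True)` stays on the LL until the ISP is genuinely back.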

Hi Ryan,

In your solution, there is no need to configure IP NAT INSIDE on the Site A router's Fe0/2 port and IP NAT INSIDE on the Site B router's Fe0/0 port.

Am I right?

As Giuseppe mentioned, ip nat inside should be enabled on both interfaces.

Site A Router

interface FastEthernet0/2
 ip nat inside

Site B Router

interface FastEthernet0/0
 ip nat inside

Giuseppe Larosa
Hall of Fame

Hello Kuldeep,

you need additional static routes and you need to modify the ACLs used for NAT in order to provide the correct behaviour.

RA.

You need to provide routing information to reach Site B local subnets and to configure a backup default static route, that is a floating static route with an increased AD, as you noted.

ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
!
interface fas0/2
 ip nat inside
! it is needed to provide internet access failover

The NAT access-list has to be modified to take into account inter-site traffic that doesn't need to be NATted:

access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any

Note:

I have used a greater range to include all the existing IP subnets in Site A; you can use multiple ranges instead if you like.

The first lines that are denied are not blocking traffic, but they are preventing NAT from happening.

Actually, NAT is triggered when going from a nat inside to a nat outside interface, so the above ACL is in part redundant when describing the inter-site traffic, but it is useful for documentation purposes.

NAT change:

ip nat inside source list 102 interface fas0/0 overload

RB

ip route 172.25.160.0 255.255.224.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
!
interface fas0/0
 ip nat inside
!
ip nat inside source list 102 interface fas0/2 overload

The same ACL can be deployed here to configure NAT.

Edit:

As explained by Ryan, you can use IP SLA to track the primary static route in each site. This would allow you to detect indirect failures.

Hope to help

Giuseppe
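As an added example (not code from Giuseppe's post), a Python model of the Site A NAT decision under ACL 102 above: it parses the ACL's wildcard masks, applies the first-match rule with the implicit deny, and combines it with the inside-to-outside condition Giuseppe describes, so you can see which flows are translated and why the deny entries are redundant for inter-site traffic. Helper names and the sample hosts 172.25.182.10 and 192.168.20.5 are this example's own.

```python
import ipaddress

# Giuseppe's NAT ACL for Site A, copied from the thread
ACL_102 = """
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
"""
ACL_101 = "access-list 101 permit ip any any"   # the original NAT-everything ACL

# Site A interface roles from the thread, with Fa0/2 as "ip nat inside" as recommended
SITE_A = {"Fa0/0": "outside", "Fa0/1": "inside", "Fa0/2": "inside"}

def wildcard_to_network(addr, wildcard):
    """IOS address plus wildcard mask -> ip_network; 'any' matches everything."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # wildcard is the inverted netmask
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC [WC] DST [WC]' lines into (permit, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        nets, i = [], 4
        for _ in range(2):
            if tok[i] == "any":
                nets.append(wildcard_to_network("any", None)); i += 1
            else:
                nets.append(wildcard_to_network(tok[i], tok[i + 1])); i += 2
        rules.append((tok[2] == "permit", nets[0], nets[1]))
    return rules

def acl_permits(rules, src, dst):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, sn, dn in rules:
        if s in sn and d in dn:
            return permit
    return False

def translated(rules, in_if, out_if, src, dst):
    """NAT fires only for packets going from a 'nat inside' to a 'nat outside' interface,
    and then only if the NAT ACL permits them (a deny entry just exempts the flow)."""
    return (SITE_A[in_if] == "inside" and SITE_A[out_if] == "outside"
            and acl_permits(rules, src, dst))

R102, R101 = parse_acl(ACL_102), parse_acl(ACL_101)

if __name__ == "__main__":
    # constructed flows: inter-site, local LAN to internet, Site B LAN to internet via failover
    for in_if, out_if, src, dst in [("Fa0/1", "Fa0/2", "172.25.182.10", "192.168.20.5"),
                                    ("Fa0/1", "Fa0/0", "172.25.182.10", "8.8.8.8"),
                                    ("Fa0/2", "Fa0/0", "192.168.20.5", "8.8.8.8")]:
        print(src, "->", dst, "translated:", translated(R102, in_if, out_if, src, dst))
```

With ACL 101 the inter-site flow is also left untranslated, because it never crosses an inside-to-outside interface pair; the ACL 102 deny entries only document that fact.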

Hi Giuseppe,

There are some queries with your solution:

1. I am confused by the same AD value given by you at both sites' static routes, i.e. 220.

    I think the value should be different; I am not sure about this. Am I right or wrong?

2. Can I write it in this way?

    Site A Router =>

      ip route 0.0.0.0 0.0.0.0 122.55.66.76 219
      ip route 0.0.0.0 0.0.0.0 192.168.1.2 220

    Site B Router =>

      ip route 0.0.0.0 0.0.0.0 78.87.23.3 219
      ip route 0.0.0.0 0.0.0.0 192.168.1.1 220

3. I do not have a 172.160.X.X subnet, so what is the need for these ACLs?

access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any

4. I read many posts where the administrative distance of a static route is 1. What does it mean?

Hi,

1. I am confused by the same AD value given by you at both sites' static routes, i.e. 220.

    I think the value should be different; I am not sure about this. Am I right or wrong?

What counts is that the floating static route has a higher AD than the primary one, and these static routes are only locally significant, so you can use the same AD on both sites.

2. Can I write it in this way?

    Site A Router =>

      ip route 0.0.0.0 0.0.0.0 122.55.66.76 219
      ip route 0.0.0.0 0.0.0.0 192.168.1.2 220

    Site B Router =>

      ip route 0.0.0.0 0.0.0.0 78.87.23.3 219
      ip route 0.0.0.0 0.0.0.0 192.168.1.1 220

Yes, it's correct, but you can leave the default AD of the static route for the primary, which is 1.

4. I read many posts where the administrative distance of a static route is 1. What does it mean?

It means that when you don't specify an AD for a static route it is equal to 1 by default; just do a sh ip route static and you'll see it.

Regards.

Alain

Don't forget to rate helpful posts.

Hello Kuldeep,

1) I only wrote the backup default static route. Starting from your configuration template, I assumed a primary static route with default AD 1; the use of AD 220 for the floating static route is just a choice that makes this static route less preferred than any info coming from a routing protocol, if any.

And you also need static routes for inter-site communication, as I have explained.

2) As explained above, I would not specify the AD for the primary route in each site, using the default value of 1. However, the configuration that you have proposed would work. For primary routes a real improvement is given by object tracking, as proposed by Ryan.

3) I have used the address range 172.25.160.0/19, meaning from 172.25.160.0 to 172.25.191.255, to represent your IP subnets in Site A.

The ACL written in this way may be of help in troubleshooting; however, you can use your ACL 101 instead if you like.

4) With AD 1 a static route is preferred over any other routing information except connected routes.

Hope to help

Giuseppe

Hi Giuseppe,

Can I use different AD values at both sites, like this:

Site A:
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220

Site B:
ip route 0.0.0.0 0.0.0.0 192.168.1.1 222

Hello Kuldeep,

yes, you can, if this gives you some benefit, at least for documentation purposes.

Hope to help

Giuseppe

Hi Kuldeep,

You can have PBR against your default route to make the redundancy work between the sites for internet. Please make sure that you use the default next-hop method, so that it will take the default route as the primary route and, if that fails, it will take the policy-based route.

For Site A and Site B communication you can have the static route....

Please do rate if the given information helps.

By

Karthik

Hello Kuldeep,

As reviewed:

1. In my current setup, suppose ISP1 goes down; at that time Site A users cannot access the internet. Suppose ISP2 goes down; at that time Site B users cannot access the internet.

As suggested above, IP SLA will do this for you. Let us know if you need any clarifications here.

    a. Can I use different AD values at both sites, like this:

                    Site A:
                    ip route 0.0.0.0 0.0.0.0 192.168.1.2 220

                    Site B:
                    ip route 0.0.0.0 0.0.0.0 192.168.1.1 222

Ans: Yes, you can use them. Administrative distance is the metric calculation used to select the best path when there are two or more different routes to the same destination.

2. Site A's LAN should be able to communicate with Site B's LAN, and Site B's LAN should be able to communicate with Site A's LAN.

Yes; please make sure that you don't NAT internal communication. The same has been clearly pointed out by Giuseppe. Please follow it.

3.

Site A Router
interface FastEthernet0/2
 ip nat inside

Site B Router
interface FastEthernet0/0
 ip nat inside

Yes.

a) As suggested to you in the other post (https://supportforums.cisco.com/message/3743193#3743193), here we are not using a common shared or single ISP point for the two sites and have a separate ISP line for each. Then, to make the respective sites use the connected ISP link, you should specify the NATting on it.

b) If any of the ISP links goes down, the IP SLA will remove the default route from the routing table and hence all the traffic is moved via the floating route, i.e. traffic is routed over the point-to-point link.

Regards

srikanth

Hi Srikanth,

I am unable to get this line written by you:

"Yes; please make sure that you don't NAT internal communication."

Where am I doing this? You are talking about which site and which subnet?

Can you please explain in a simple way with config, so that I can easily understand.....

Hello Kuldeep,

I mean to say what the expert Giuseppe has suggested you do for the Site A and Site B LAN communication, and vice versa.

Below are his suggestions with the configurations:

you need additional static routes and you need to modify the ACLs used for NAT in order to provide the correct behaviour.

RA.

You need to provide routing information to reach Site B local subnets and to configure a backup default static route, that is a floating static route with an increased AD, as you noted.

ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
!
interface fas0/2
 ip nat inside
! it is needed to provide internet access failover

The NAT access-list has to be modified to take into account inter-site traffic that doesn't need to be NATted:

access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any

Note:

I have used a greater range to include all the existing IP subnets in Site A; you can use multiple ranges instead if you like.

The first lines that are denied are not blocking traffic, but they are preventing NAT from happening.

Actually, NAT is triggered when going from a nat inside to a nat outside interface, so the above ACL is in part redundant when describing the inter-site traffic, but it is useful for documentation purposes.

NAT change:

ip nat inside source list 102 interface fas0/0 overload

RB

ip route 172.25.160.0 255.255.224.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
!
interface fas0/0
 ip nat inside
!
ip nat inside source list 102 interface fas0/2 overload

The same ACL can be deployed here to configure NAT.

Edit:

As explained by Ryan, you can use IP SLA to track the primary static route in each site. This would allow you to detect indirect failures.

Hope to help

Giuseppe

That's it; all the above suggestions by the expert will meet all your requirements. Keep us posted if you have any queries in implementing it.

Regards,

srikanth

Hi Srikanth,

I have a little confusion; please rectify:

Site A =>

1. ip route 0.0.0.0 0.0.0.0 122.55.66.76
2. ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
3. ip route 192.168.20.0 255.255.255.0 192.168.1.2 (is there any need for this static route, because the second route (2) command is sufficient for both internet + communication to Site B?)

Site B =>

1. ip route 0.0.0.0 0.0.0.0 78.87.23.3
2. ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
3. ip route 172.25.160.0 255.255.224.0 192.168.1.1 (is there any need for this static route, because the second route (2) command is sufficient for both internet + communication to Site A?)