Kuldeep singh
Beginner

2 Routers + 2 Sites + 2 ISP + Internet Failover without any Routing protocols

Hi Experts,

I want to configure simple redundancy/failover between these two sites, only for internet access. Each site has a 1 Mbps internet link from a different ISP.

The distance between Site A and Site B is approximately 1 km. Currently both sites are running separately; there is no point-to-point connectivity, but I have drawn it in my attached network diagram because I will buy a 2 Mbps point-to-point LL with one FastEthernet HWIC card for each router.

Please see the whole network configuration below. I am not sure whether it is correct or not, so make changes as you see fit.

Overall, I need only two things from the solution.

1. In my current setup, if ISP1 goes down, Site A users cannot access the internet; if ISP2 goes down, Site B users cannot access the internet.

   Our requirement is: if ISP1 goes down, all internet traffic should go through ISP2; if ISP2 goes down, all internet traffic should go through ISP1.

   When ISP1 gets back to normal, the internet traffic should go back to ISP1. Is there any need to configure "Administrative Distance"?

2. Site A's LAN should communicate with Site B's LAN, and Site B's LAN should communicate with Site A's LAN.

Things to remember:

-- Please look at my attached network diagram once
-- I am using only default routing at both sites
-- There is no routing protocol here, and I do not want to configure any routing protocols
-- Please do not use words like load balancing / load sharing; only a simple setup with static routes and AD if required

============================================================

Router Site A Config=>

ip name-server 201.122.33.154
ip name-server 201.122.33.152
!
interface FastEthernet0/0
 description $For WAN$
 ip address 122.55.66.77 255.255.255.224
 ip nat outside
!
interface FastEthernet0/1
 description $For LAN$
 ip address 172.25.182.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/2
 description --- 2Mbps LL to SiteB Fe0/0 ---
 ip address 192.168.1.1 255.255.255.0
 ip nat inside (Yes or No)
!
ip route  ????????????????????
ip route 0.0.0.0 0.0.0.0 122.55.66.76
ip http server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
end

Router Site B Config=>

ip name-server 201.122.33.154
ip name-server 201.122.33.152
!
interface FastEthernet0/0
 description --- 2Mbps LL to SiteA Feo/2 ---
 ip address 192.168.1.2 255.255.255.0
 ip nat inside ( yes or no)
!
interface FastEthernet0/1
 description $For LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/2
 description $For WAN$
 ip address 78.87.23.4 255.255.255.224
 ip nat outside
!
ip classless
ip route ??????????????????????
ip route 0.0.0.0 0.0.0.0 78.87.23.3
!
ip http server
ip nat inside source list 101 interface FastEthernet0/2 overload
!
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
end

3 ACCEPTED SOLUTIONS

Ryan-Kramer
Beginner

You could try something like this.

IP SLA is used to verify downstream connectivity. In the example, we will send icmp-echo to public DNS servers every 5 seconds. If the router does not receive a response for 60 seconds, the ISP is presumed down and the route is removed from the routing table, causing traffic to be routed over the point-to-point link.

Also note that once the ISP connection comes back online, the route is automatically inserted back into the routing table.

In the example I have used public DNS servers (Google & OpenDNS); you can change this value to whatever you want. Ensure the IP you are sending pings to is extremely reliable, i.e. never offline. I typically use my ISP DNS servers, for example.

Site A

ip route 0.0.0.0 0.0.0.0 122.55.66.76 track 20
! Floating Route with AD of 10
ip route 0.0.0.0 0.0.0.0 192.168.1.2 10
!
ip sla 20
 icmp-echo 8.8.8.8 source-interface FastEthernet0/2
 timeout 2000
 threshold 2000
 frequency 5
ip sla schedule 20 life forever start-time now
!
track 20 ip sla 20 reachability
 delay down 60 up 60

Site B

ip route 0.0.0.0 0.0.0.0 78.87.23.3 track 20
! Floating Route with AD of 10
ip route 0.0.0.0 0.0.0.0 192.168.1.1 10
!
ip sla 20
 icmp-echo 208.67.222.22 source-interface FastEthernet0/0
 timeout 2000
 threshold 2000
 frequency 5
ip sla schedule 20 life forever start-time now
!
track 20 ip sla 20 reachability
 delay down 60 up 60

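The failover timing described in the answer above, as an added example that is not part of the original post and is not IOS code: a simplified Python model of track 20 with delay down 60 up 60, fed one probe result every 5 seconds, choosing between the tracked AD 1 route and the AD 10 floating route at Site A. The probe sequence is constructed, and starting the delay timer at the first disagreeing probe is a modelling assumption.

```python
FREQUENCY = 5     # ip sla 20: frequency 5 (seconds between probes)
DELAY_DOWN = 60   # track 20: delay down 60
DELAY_UP = 60     # track 20: delay up 60

# Site A default-route candidates from the post: (next hop, AD, depends on track 20)
ROUTES = [("122.55.66.76", 1, True), ("192.168.1.2", 10, False)]

def best_next_hop(track_up):
    """Lowest AD wins; the tracked route is only eligible while the track is up."""
    eligible = [(ad, nh) for nh, ad, tracked in ROUTES if track_up or not tracked]
    return min(eligible)[1]

def simulate(probe_results):
    """probe_results holds one bool per probe (True = reply within the timeout).
    Returns [(time_s, next_hop)] for each change of the active default route."""
    track_up = True
    pending_since = None            # when reachability first disagreed with the track state
    active = best_next_hop(track_up)
    changes = [(0, active)]
    for i, ok in enumerate(probe_results):
        now = i * FREQUENCY
        if ok == track_up:
            pending_since = None    # state agrees again, so the delay timer is cancelled
            continue
        if pending_since is None:
            pending_since = now
        delay = DELAY_DOWN if track_up else DELAY_UP
        if now - pending_since >= delay:
            track_up, pending_since = ok, None
            next_hop = best_next_hop(track_up)
            if next_hop != active:
                active = next_hop
                changes.append((now, active))
    return changes

# Constructed probe history: a 10 s blip, a 150 s outage, then recovery.
PROBES = [True] * 4 + [False] * 2 + [True] * 6 + [False] * 30 + [True] * 20

if __name__ == "__main__":
    for t, nh in simulate(PROBES):
        print(f"t={t:>3}s default route via {nh}")
```

The short blip never moves the default route, while the real outage moves it to the point-to-point link only after 60 seconds of failed probes and moves it back only after 60 seconds of successful ones.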

Giuseppe Larosa
Hall of Fame Master

Hello Kuldeep,

You need additional static routes, and you need to modify the ACLs used for NAT in order to provide correct behaviour.

RA

You need to provide routing information to reach Site B local subnets and to configure a backup default static route, that is, a floating static route with an increased AD, as you noted.

ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.2 220
!
interface fas0/2
 ip nat inside
 ! it is needed to provide internet access failover

The NAT access-list has to be modified to take into account inter-site traffic that doesn't need to be NATed.

access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any

Note:

I have used a greater range to include all the existing IP subnets in Site A; you can use multiple ranges instead if you like.

The first lines that are denied are not blocking traffic, but they are preventing NAT from happening.

Actually, NAT is triggered when going from a nat inside to a nat outside interface, so the above ACL is in part redundant when describing the inter-site traffic, but it is useful for documentation purposes.

NAT change

ip nat inside source list 102 interface fas0/0 overload

RB

ip route 172.25.160.0 255.255.224.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 220
!
interface fas0/0
 ip nat inside
!
ip nat inside source list 102 interface fas0/2 overload

The same ACL can be deployed here to configure NAT.

Edit:

As explained by Ryan, you can use IP SLA to track the primary static route in each site. This would allow detecting indirect failures.

Hope to help

Giuseppe

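An added example (not from the original posts, and not IOS code): a Python model of first-match, wildcard-mask evaluation for the two NAT access-lists on this page, comparing access-list 101 from the question with access-list 102 from the answer above. The sample addresses are constructed, the function names are hypothetical, and the model ignores the protocol keyword.

```python
import ipaddress

# access-list 101 (question) and access-list 102 (answer), copied from the page.
ACL_101 = """\
access-list 101 permit ip any any
access-list 101 permit icmp any any
"""
ACL_102 = """\
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
"""

def _take(tokens):
    """Consume 'any' or 'address wildcard'; return (base, wildcard) as integers."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    base, wild = tokens.pop(0), tokens.pop(0)
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))

def parse(text):
    """Turn 'access-list N action proto src dst' lines into (action, src, dst) rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()[2:]          # drop 'access-list N'
        action = tokens.pop(0)
        tokens.pop(0)                      # protocol keyword, ignored by this model
        rules.append((action, _take(tokens), _take(tokens)))  # source, then destination
    return rules

def _match(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF              # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def nat_decision(rules, src, dst):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, s, d in rules:
        if _match(src, s) and _match(dst, d):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"

if __name__ == "__main__":
    for src, dst in (("172.25.182.10", "192.168.20.5"), ("192.168.20.5", "8.8.8.8")):
        print(src, dst, nat_decision(parse(ACL_101), src, dst), nat_decision(parse(ACL_102), src, dst))
```

Access-list 101 marks every flow for translation, while access-list 102 limits translation to the two LAN ranges: 172.25.160.0 with wildcard 0.0.31.255 covers 172.25.160.0 through 172.25.191.255, which includes the Site A LAN 172.25.182.0/24, and sources in 192.168.1.0/24 fall through to the implicit deny.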

Hi,

1. I am confused by the same AD value given by you for the static route at both sites, i.e. 220.

    I think the value should be different. I am not sure about this; am I right or wrong?

What counts is that the floating static route has a higher AD than the primary one, and these static routes are only locally significant, so you can use the same AD on both sites.

2. Can I write it this way?

    Site A Router =>

     ip route 0.0.0.0 0.0.0.0 122.55.66.76 219
     ip route 0.0.0.0 0.0.0.0 192.168.1.2 220

    Site B Router =>

     ip route 0.0.0.0 0.0.0.0 78.87.23.3 219
     ip route 0.0.0.0 0.0.0.0 192.168.1.1 220

Yes, it's correct, but you can leave the default AD of the static route for the primary, which is 1.

4. I have read many posts where the administrative value of a static route is 1. What does it mean?

It means that when you don't specify an AD for a static route, it is equal to 1 by default; just do a sh ip route static and you'll see it.

Regards.

Alain

Don't forget to rate helpful posts.


15 REPLIES

Hi Ryan,

In your solution, there is no need to configure IP NAT INSIDE on the Site A router Fe0/2 port and IP NAT INSIDE on the Site B router Fe0/0 port.

Am I right?

As Giuseppe mentioned, ip nat inside should be enabled on both interfaces.

Site A Router

interface FastEthernet0/2
 ip nat inside

Site B Router

interface FastEthernet0/0
 ip nat inside


Hi Giuseppe,

There are some queries about your solution:

1. I am confused by the same AD value given by you for the static route at both sites, i.e. 220.

    I think the value should be different. I am not sure about this; am I right or wrong?

2. Can I write it this way?

    Site A Router =>

     ip route 0.0.0.0 0.0.0.0 122.55.66.76 219
     ip route 0.0.0.0 0.0.0.0 192.168.1.2 220

    Site B Router =>

     ip route 0.0.0.0 0.0.0.0 78.87.23.3 219
     ip route 0.0.0.0 0.0.0.0 192.168.1.1 220

3. I do not have a 172.160.X.X subnet, so what is the need for these ACLs?

access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.20.0 0.0.0.255
access-list 102 deny ip 172.25.160.0 0.0.31.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 172.25.160.0 0.0.31.255
access-list 102 permit ip 172.25.160.0 0.0.31.255 any

4. I have read many posts where the administrative value of a static route is 1. What does it mean?