01-21-2017 07:50 AM - edited 03-08-2019 09:00 AM
Greetings,
I can think of a couple of ways to do this, but I'm wondering if anyone had opinions on the best/easiest practice. I have a 2911 that is remote with no OOB access. Its current WAN interface is a multilink bundle of 8 T1s. I am switching it to an Ethernet connection, which is now up. Router runs EIGRP.
The 0.0.0.0 0.0.0.0 route is pointed at the gateway for the multilink:
I need to login via the multilink, then change so that I can then access it via the Gi0/0 interface, so that I can go in and make the ethernet port the active port then shut down the multilink, move the DMVPN tunnels over to the Gi0/0, etc.
This is about a 30 second job with OOB access, unfortunately I don't have it. And I want to minimize outage time and any reboots on failed attempts. Any opinions would be appreciated. Thanks
interface Multilink1
 ip address 67.148.xx.xx 255.255.255.252
 ppp multilink
 ppp multilink group 1
ip route 0.0.0.0 0.0.0.0 67.148.xx.xx name CENTURY-LINK-INTERNET
interface GigabitEthernet0/0
 ip address 204.98.xx.xx 255.255.255.252
 shutdown
 duplex full
 speed 100
01-21-2017 02:19 PM
Hi,
1-Contact the provider, open a ticket and let them know you plan to bring up the circuit.
You can also set up a time and have one of their engineers on the line while you are doing this
2-Login to the router using address 67.148.xx.xx
3-Make sure there is no access blocking the new interface (g0/0) IP on the router.
4-Bring up interface g0/0 by issuing "no sh"
At this time, you will not lose connection, as the default route is still pointed to the Internet using the multilink interface
5-Verify you can ping the provider's router IP 204.98.xx.xx and the provider can ping you.
6-Add a higher AD to the current default route
ip route 0.0.0.0 0.0.0.0 67.148.xx.xx 50
At this time you should not lose connectivity, as you only have one link pointing to the Internet, with a higher AD. If you lose connectivity, you should be able to log back in to the router.
7-Change the default route to point to the provider's IP on the new link (204.98.xx.xx) with default AD.
ip route 0.0.0.0 0.0.0.0 204.98.xx.xx
At this time you will lose your session to the router. Once disconnected you should be able to log back in using the new IP on g0/0 on your router.
8-If all good, you can now make all the other changes on your router.
HTH
01-21-2017 02:35 PM
Hi---thanks for answering my question. So I'm not entirely sure I have this right. I'd done steps 1-5, so right now when I term up my g0/0 I can ping the ISP's adjacent router....so now I have
0.0.0.0 0.0.0.0 current provider, and nothing else, are you saying it should be
0.0.0.0 0.0.0.0 50 current provider and have it be the only router then (via the current link)
add
0.0.0.0 0.0.0.0 new provider?
That would make sense---you're saying the 50 AD won't matter until I put in the other one as lower, correct?
01-21-2017 02:37 PM
and do I need to worry about which way the ssh source interface is configured?
01-21-2017 02:49 PM
If you have configured a source interface currently, you should change that to reflect the new IP/interface; if you don't have one, then it does not matter. By default, the router uses the outgoing interface as the source unless you specify otherwise.
HTH
01-21-2017 02:56 PM
One thing I forgot to mention is to make sure you do not save any changes and, before you do step 6, to configure a reboot with a timer just in case something goes wrong, so you can get back to the router.
HTH
01-22-2017 07:33 AM
Hi Reza-
Thank you again for all your input on this----I know I'm making a lot out of a simple change, but I've been out of this side of the business for a long time and am plenty rusty----which doesn't help confidence when you have no lab and no OOB access, (company works without a net). ...
1) Thanks for the reminder on the "don't save" reload---believe me, given the "no net" policy I live by the delayed reload.--and lately by the revert backed up by the delayed reload. I find the revert causes shorter disruptions but isn't 100% reliable.
2) The site has two DMVPN tunnels, (attached), if I change one of the source interfaces right before I add the second default router should it swap when I change that second default route?
3) I do have "ip ssh source-interface Multilink1" in there. Should I replace this while I'm connected to the multilink address?
4) If I do run into a problem with part 3, should I be able to ssh across to the core then ssh in from the LAN? Pretty sure 3 and 4 are moot questions.
Thanks again, and if you don't have time---no worries, I appreciate all the help already.
01-22-2017 11:31 AM
Hi Jon,
No problem. Glad to help as much as I can.
Regarding the reload and revert back solution. Unfortunately Cisco does not have a clean solution across platforms for this type of issue. This is one of the great benefits of using a Juniper device. They have a command called "commit confirm". The way it works is that you make all the changes on the device you want. Once you are ready to save the changes you issue the commit confirm command and a time, say 5 minutes for example. So, the command is "commit confirm 5" which means if you get locked out of the device, after 5 minutes it will revert back the config you added and you have access to the device again. If you make the changes and you don't get locked out and you like the changes you made, all you do is issue "commit" within the 5-minute window and all good.
For # 2, I would personally make the minimum change, which is the default route only. Once you get back to the device, you can always make the DMVPN changes later.
For # 3, I would not worry about making the ssh change too much, as the source interface is only used when you are SSHing from the device and not to it. So, this could also wait until you get back to the device.
For # 4, since you can only get to the device over the Internet, if there is a problem and you can't get back to it and if it does not reboot after the time expires, you will get locked out. The other option is to have someone from the office go and reboot the device physically, as long as you don't save the config. I actually prefer to have someone there just in case something goes wrong.
HTH
01-23-2017 09:35 AM
Hi Reza-
I did this migration last night and it went off pretty much without a hitch. Only issue I bumped into was having to delete and re-add the tunnels with the new source interface. Thanks for all your help with the technical as well as the paranoia---the latter of which was probably more important.
01-23-2017 09:50 AM
Hi Jon,
Thanks for the feedback!
I am really paranoid when I need to do this type of work on Cisco devices, as I really don't like to reboot and not know what can go wrong. Not sure why Cisco doesn't add such a simple tool to all platforms and make life easier for all of us.
I am glad it went well and good luck!
Reza
01-21-2017 02:45 PM
Hi,
0.0.0.0 0.0.0.0 current provider, and nothing else, are you saying it should be
0.0.0.0 0.0.0.0 50 current provider and have it be the only router then (via the current link)
That is correct. You just add 50 to the existing default route. You should not lose connectivity because you are simply adding a 50. If you do, you should be able to log back in again.
Once you are back on the router, verify the current default router to make sure it does have an AD of 50
Then add
0.0.0.0 0.0.0.0 new provider
you're saying the 50 AD won't matter until I put in the other one as lower, correct?
Correct. Once you add the new default route with no AD (which is by default 1) that will take precedence over the old one and so you will most likely lose your session, but you should be able to log back using the new IP.
HTH
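Added example, not part of the original thread or written by its participants: the steps from the replies above as one IOS session, with the delayed reload armed before any route change. Addresses stay masked as in the thread; the 15-minute timer, the verification commands and the final save are assumptions.

```cisco
! Constructed walk-through. 67.148.xx.xx / 204.98.xx.xx are the masked
! next hops from the thread, not literal values to type.

! Safety net: startup-config still holds the multilink default route.
! If the session is lost, the router reloads and comes back reachable.
! Answer "no" if IOS asks whether to save the modified configuration.
Router# reload in 15
Router# show reload

! Steps 4-5: bring up the new link; the default route is unchanged.
Router# configure terminal
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# end
Router# ping 204.98.xx.xx

! Step 6: raise the AD of the existing default route to 50.
! With no competing default route, forwarding does not change.
Router# configure terminal
Router(config)# ip route 0.0.0.0 0.0.0.0 67.148.xx.xx 50
Router(config)# end
Router# show running-config | include ^ip route
Router# show ip route 0.0.0.0

! Step 7: add the new default route with the default AD of 1.
! It wins over the AD 50 route; expect this session to drop.
Router# configure terminal
Router(config)# ip route 0.0.0.0 0.0.0.0 204.98.xx.xx

! Log back in on the GigabitEthernet0/0 address, then confirm
! which default route is installed before touching anything else.
Router# show ip route 0.0.0.0
Router# show ip interface brief

! Only once access over the new link is confirmed:
! cancel the pending reload, then save (assumed final step).
Router# reload cancel
Router# copy running-config startup-config
```

If the timer expires before `reload cancel`, the router reboots into the saved configuration even when the change worked, so the timer should be long enough to log back in and verify.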