Cisco 2901 Dual WAN, VRF, Vlan Isolation configuration help

ckxen8401 (Level 1)

I'm very new to Cisco IOS, so please forgive me. I know what I'm trying to accomplish, but I am perhaps not the best at describing it.

I have two ISPs 1) Fiber with Static Range 2) Cable with 1 Static address.

Tasks:

Assign GigE0/0 to Fiber

Assign GigE0/1 to Cable

Create Vlan10 for Fiber connectivity and Static Range (aaa.bbb.ccc.145 - aaa.bbb.ccc.150)

Create Vlan20 for Cable connectivity with ip address 10.10.0.0

Assign GigE0/1/0 - GigE0/1/4 for each static IP address in Fiber range (aaa.bbb.ccc.145 - aaa.bbb.ccc.150) Vlan10

Assign GigE0/1/5 to Cable Vlan20

Expected end result: GigE0/1/0 - 0/1/4 will use Fiber, GigE0/1/5 will use Cable, no failovers.

I have been able to get Fiber connectivity working fine; I can ping the VLAN and it is online. I have been able to get the Cable VLAN working fine, but cannot get online. If I ping from a device on a separate network I can hit both the Fiber and Cable statically set IP addresses, so the WAN config seems to be fine. Internally, the Cisco can ping Google from Fiber only, but not from Cable. This is where I'm new: from my reading it appears as though either PBR or VRF should enable this functionality, since the router seems to be unable to redirect traffic for Cable requests. I used this tutorial as my guide (https://learningnetwork.cisco.com/thread/70882), but it's getting lost in translation when trying to actually implement it.

Building configuration...

Current configuration : 2905 bytes
!
! Last configuration change at 06:48:54 UTC Mon Nov 17 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco2901
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 password
enable password 7 password
!
no aaa new-model
memory-size iomem 5
!
ip cef
ip cef load-sharing algorithm original
!         
!         
!         
ip vrf FIBER
ip vrf CABLE
!         
no ip dhcp use vrf connected
!         
ip dhcp pool VLAN10
 network aaa.bbb.ccc.144 255.255.255.248
 default-router aaa.bbb.ccc.145 
 dns-server 8.8.8.8 8.8.4.4 
 class Fiber_Class
  address range aaa.bbb.ccc.145 aaa.bbb.ccc.150
!         
ip dhcp pool VLAN20
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1 
 dns-server 8.8.8.8 8.8.4.4 
!         
!         
ip dhcp class Fiber_Class
!         
!         
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
license udi pid CISCO2921/K9 sn FTX1828AKAY
!         
!         
archive   
 log config
  hidekeys
!         
redundancy
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
!         
interface GigabitEthernet0/0
 ip address eee.fff.ggg.58 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/1
 ip address hhh.iii.jjj.86 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/2
 no ip address
 shutdown 
 duplex auto
 speed auto
!         
interface GigabitEthernet0/1/0
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/1
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/2
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/3
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/4
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/5
 switchport access vlan 20
 ip vrf forwarding CABLE
 no ip address
!         
interface GigabitEthernet0/1/6
 no ip address
!         
interface GigabitEthernet0/1/7
 no ip address
!         
interface Vlan1
 no ip address
!         
interface Vlan10
 ip address pool VLAN10
 ip nat inside
 ip virtual-reassembly in
!         
interface Vlan20
 ip address pool VLAN20
 ip nat inside
 ip virtual-reassembly in
!         
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!         

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!         
!         
!         
snmp-server community WWM_Cisco2901 RO
snmp-server enable traps entity-sensor threshold
!         
control-plane
!         
!         
!         
line con 0
line aux 0
line 2    
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 password
 login    
 transport input all
!         
scheduler allocate 20000 1000
!         
end  

6 Replies

Hello

A couple of things stand out here:

1) you have NAT enabled but no translation defined

2) Your SVI interfaces (int Vlan10, Vlan20) are not assigned to the VRFs


Try this (note: I have used different LAN subnets only for clarity):

ip dhcp excluded-address 10.10.10.254
ip dhcp excluded-address 10.10.20.254
!
ip dhcp pool LANUSERS
 import all
 network 10.10.10.0 255.255.255.0
 network 10.10.20.0 255.255.255.0 secondary
  override default-router 10.10.20.254
 default-router 10.10.10.254
 dns-server 8.8.8.8
 lease 0 8
!
ip vrf A
 rd 1:10
!
ip vrf B
 rd 1:20
!
interface Vlan10
 ip vrf forwarding A
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface Vlan20
 ip vrf forwarding B
 ip address 10.10.20.254 255.255.255.0
 ip nat inside
!
! WAN interfaces stay in the global table. The global table needs a
! route back into each VRF LAN, and each VRF needs its own default
! route whose next hop is resolved in the global table ("global").
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP1)
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP2)
ip route 10.10.10.0 255.255.255.0 Vlan10
ip route 10.10.20.0 255.255.255.0 Vlan20
ip route vrf A 0.0.0.0 0.0.0.0 x.x.x.x (ISP1) global
ip route vrf B 0.0.0.0 0.0.0.0 x.x.x.x (ISP2) global
ip route vrf A 10.10.10.0 255.255.255.0 Null0
ip route vrf B 10.10.20.0 255.255.255.0 Null0
!
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 20 permit 10.10.20.0 0.0.0.255
!
route-map VLAN10 permit 10
 match ip address 10
 match interface GigabitEthernet0/0
!
route-map VLAN20 permit 10
 match ip address 20
 match interface GigabitEthernet0/1
!
! The "vrf" keyword ties each translation rule to the inside VRF.
ip nat inside source route-map VLAN10 interface GigabitEthernet0/0 vrf A overload
ip nat inside source route-map VLAN20 interface GigabitEthernet0/1 vrf B overload


res

Paul




Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for your assistance, much appreciated. So I adjusted per your recommendation, and in the process lost Fiber connectivity. Perhaps I misunderstood a suggestion? This is my current (failing) config:


Building configuration...

Current configuration : 2905 bytes
!
! Last configuration change at 06:48:54 UTC Mon Nov 17 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco2901
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 password
enable password 7 password
!
no aaa new-model
memory-size iomem 5
!
ip cef
ip cef load-sharing algorithm original
!         
!         
!         
ip vrf CABLE
 rd 1:20  
!         
ip vrf FIBER
 rd 1:10  
!         
no ip dhcp use vrf connected
ip dhcp excluded-address aaa.bbb.ccc.145
ip dhcp excluded-address 10.10.0.1
!         
ip dhcp pool VLAN10
 network aaa.bbb.ccc.144 255.255.255.248
 default-router aaa.bbb.ccc.145 
 dns-server 8.8.8.8 8.8.4.4 
 class Fiber_Class
  address range aaa.bbb.ccc.145 aaa.bbb.ccc.150
!         
ip dhcp pool VLAN20
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1 
 dns-server 8.8.8.8 8.8.4.4 
!
ip dhcp pool LANUSERS
 import all
 network aaa.bbb.ccc.0 255.255.255.0
 network 10.10.0.0 255.255.255.0 secondary
   override default-router 10.10.0.1 
 default-router aaa.bbb.ccc.145 
 dns-server 8.8.8.8 8.8.4.4 
 lease 0 8         
!         
ip dhcp class Fiber_Class
!         
!         
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
license udi pid CISCO2921/K9 sn FTX1828AKAY
!         
!         
archive   
 log config
  hidekeys
!         
redundancy
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
!         
interface GigabitEthernet0/0
 ip address eee.fff.ggg.58 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/1
 ip address hhh.iii.jjj.86 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/2
 no ip address
 shutdown 
 duplex auto
 speed auto
!         
interface GigabitEthernet0/1/0
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/1
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/2
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/3
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/4
 switchport access vlan 10
 ip vrf forwarding FIBER
 no ip address
!         
interface GigabitEthernet0/1/5
 switchport access vlan 20
 ip vrf forwarding CABLE
 no ip address
!         
interface GigabitEthernet0/1/6
 no ip address
!         
interface GigabitEthernet0/1/7
 no ip address
!         
interface Vlan1
 no ip address         
!         
interface Vlan10
 ip vrf forwarding FIBER
 ip address aaa.bbb.ccc.145 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!         
interface Vlan20
 ip vrf forwarding CABLE
 ip address 10.10.0.0 255.0.0.0
 ip nat inside
 ip virtual-reassembly in
!        
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!         
ip nat inside source route-map VLAN10 interface GigabitEthernet0/0 overload
ip nat inside source route-map VLAN20 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.145
ip route 10.10.0.0 255.255.255.0 Vlan20
ip route aaa.bbb.ccc.0 255.255.255.0 Vlan10
ip route vrf FIBER aaa.bbb.ccc.0 255.255.255.0 Null0
ip route vrf CABLE 10.10.0.0 255.255.255.0 Null0
!         
access-list 10 permit aaa.bbb.ccc.0 0.0.0.255
access-list 20 permit 10.10.0.0 0.0.0.255
!         
route-map VLAN10 permit 10
 match ip address 10
 match interface GigabitEthernet0/0
!         
route-map VLAN20 permit 20
 match ip address 20
 match interface GigabitEthernet0/1

!         
!         
!         
snmp-server community WWM_Cisco2901 RO
snmp-server enable traps entity-sensor threshold
!         
control-plane
!         
!         
!         
line con 0
line aux 0
line 2    
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 password
 login    
 transport input all
!         
scheduler allocate 20000 1000
!         
end  


Hello


The access ports don't require VRF; however, Gig0/0 and Gig0/1 do.

I would also remove the duplicate DHCP scopes.


res

Paul


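The replies above describe the design in pieces (SVIs in the VRFs, WAN ports in the VRFs, access ports left as plain layer-2 VLAN members, one NAT rule per ISP). The configuration below is an added example that puts those pieces together as a complete, fully isolated two-VRF router; it is not taken from the thread or from any of the posted configs. It assumes the ISP next hops are the other address of each /30 (eee.fff.ggg.57 and hhh.iii.jjj.85), that ISP1 routes the aaa.bbb.ccc.144/29 block to eee.fff.ggg.58 (the thread reports those addresses answering pings from outside, so they are routed rather than translated here), and that the running image accepts the `match-in-vrf` NAT keyword. Because each WAN interface sits in its VRF, the default route must be in that VRF as well; a VRF with no default route cannot even answer an external ping, since the reply has no route back.

```ios
! Added example, not from the thread. Two isolated VRFs, each holding
! its own WAN link, its own LAN SVI and its own default route.
! Assumed: ISP1 next hop eee.fff.ggg.57, ISP2 next hop hhh.iii.jjj.85,
! ISP1 routes aaa.bbb.ccc.144/29 to this router, match-in-vrf supported.
ip vrf FIBER
 rd 1:10
!
ip vrf CABLE
 rd 1:20
!
! --- WAN interfaces live inside the VRF they serve ---
interface GigabitEthernet0/0
 description ISP1 fiber
 ip vrf forwarding FIBER
 ip address eee.fff.ggg.58 255.255.255.252
!
interface GigabitEthernet0/1
 description ISP2 cable
 ip vrf forwarding CABLE
 ip address hhh.iii.jjj.86 255.255.255.252
 ip nat outside
!
! --- Switch ports are layer 2 only: VLAN membership, no VRF, no IP ---
interface range GigabitEthernet0/1/0 - 4
 switchport access vlan 10
!
interface GigabitEthernet0/1/5
 switchport access vlan 20
!
interface range GigabitEthernet0/1/6 - 7
 shutdown
!
! --- SVIs carry the VRF and the gateway address ---
interface Vlan10
 ip vrf forwarding FIBER
 ip address aaa.bbb.ccc.145 255.255.255.248
!
interface Vlan20
 ip vrf forwarding CABLE
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
! --- DHCP: one pool per VLAN, bound to its VRF, gateway excluded ---
ip dhcp excluded-address aaa.bbb.ccc.145
ip dhcp excluded-address 10.10.0.1
!
ip dhcp pool VLAN10
 vrf FIBER
 network aaa.bbb.ccc.144 255.255.255.248
 default-router aaa.bbb.ccc.145
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool VLAN20
 vrf CABLE
 network 10.10.0.0 255.255.255.0
 default-router 10.10.0.1
 dns-server 8.8.8.8 8.8.4.4
!
! --- One default route per VRF, pointing at that ISP's next hop.
!     The global table gets no default route, so nothing can leak
!     between ISPs and there is no failover. ---
ip route vrf FIBER 0.0.0.0 0.0.0.0 eee.fff.ggg.57
ip route vrf CABLE 0.0.0.0 0.0.0.0 hhh.iii.jjj.85
!
! --- NAT only where private addresses need it (CABLE). Inside and
!     outside are in the same VRF, hence match-in-vrf. ---
access-list 20 permit 10.10.0.0 0.0.0.255
ip nat inside source list 20 interface GigabitEthernet0/1 vrf CABLE match-in-vrf overload
!
! Verification is VRF-scoped; a plain "ping 8.8.8.8" uses the empty global table:
!   ping vrf FIBER 8.8.8.8 source Vlan10
!   ping vrf CABLE 8.8.8.8 source Vlan20
!   show ip route vrf FIBER
!   show ip route vrf CABLE
!   show ip nat translations vrf CABLE
```

With this layout each VRF behaves like a separate router: a host on VLAN20 has no path to VLAN10 or to the fiber link at all, not merely a policy that steers it elsewhere, and a misconfigured static route in the global table cannot silently re-merge the two ISPs. If the fiber hosts must also be translated behind eee.fff.ggg.58, add `ip nat inside` on Vlan10, `ip nat outside` on Gig0/0 and a matching `ip nat inside source list ... vrf FIBER match-in-vrf overload` rule.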

Unfortunately, I'm still having online connectivity problems with my FIBER.

Updated config:


Building configuration...

Current configuration : 3532 bytes
!
! Last configuration change at 20:45:42 UTC Tue Nov 18 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco2901
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$tRa4$A1YArArUoS9gGRA7dAY.S0
enable password 7 1414420903083E
!
no aaa new-model
memory-size iomem 5
!
ip cef
ip cef load-sharing algorithm original
!         
!         
!         
ip vrf CABLE
 rd 1:20  
!         
ip vrf FIBER
 rd 1:10  
!         
no ip dhcp use vrf connected
ip dhcp excluded-address aaa.bbb.ccc.145
ip dhcp excluded-address 10.10.0.1
!         
ip dhcp pool LANUSERS
 import all
 network aaa.bbb.ccc.0 255.255.255.0
 network 10.10.0.0 255.255.255.0 secondary
   override default-router 10.10.0.1 
 default-router aaa.bbb.ccc.145 
 dns-server 8.8.8.8 8.8.4.4 
 lease 0 8
 class Fiber_Class
  address range aaa.bbb.ccc.145 aaa.bbb.ccc.150
!         
!         
ip dhcp class Fiber_Class
!         
!         
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!         
multilink bundle-name authenticated
!         
!         
!         
!         
license udi pid CISCO2921/K9 sn FTX1828AKAY
!         
!         
archive   
 log config
  hidekeys
!         
redundancy
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
!         
interface GigabitEthernet0/0
 ip vrf forwarding FIBER
 ip address eee.fff.ggg.58 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/1
 ip vrf forwarding CABLE
 ip address hhh.iii.jjj.86 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/2
 no ip address
 shutdown 
 duplex auto
 speed auto
!         
interface GigabitEthernet0/1/0
 switchport access vlan 10
 no ip address
!         
interface GigabitEthernet0/1/1
 switchport access vlan 10
 no ip address
!         
interface GigabitEthernet0/1/2
 switchport access vlan 10
 no ip address
!         
interface GigabitEthernet0/1/3
 switchport access vlan 10
 no ip address
!         
interface GigabitEthernet0/1/4
 switchport access vlan 10
 no ip address
!         
interface GigabitEthernet0/1/5
 switchport access vlan 20
 no ip address
!         
interface GigabitEthernet0/1/6
 no ip address
 shutdown 
!         
interface GigabitEthernet0/1/7
 no ip address
 shutdown 
!         
interface Vlan1
 no ip address
!         
interface Vlan10
 ip vrf forwarding FIBER
 ip address aaa.bbb.ccc.145 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
!         
interface Vlan20
 ip vrf forwarding CABLE
 ip address 10.10.0.0 255.0.0.0
 ip nat inside
 ip virtual-reassembly in
!         
ip forward-protocol nd
!         
no ip http server
no ip http secure-server
!         
ip nat inside source route-map VLAN10 interface GigabitEthernet0/0 overload
ip nat inside source route-map VLAN20 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.145
ip route 10.10.0.0 255.255.255.0 Vlan20
ip route aaa.bbb.ccc.0 255.255.255.0 Vlan10
ip route vrf CABLE 10.10.0.0 255.255.255.0 Null0
ip route vrf FIBER aaa.bbb.ccc.0 255.255.255.0 Null0
!         
access-list 10 permit aaa.bbb.ccc.0 0.0.0.255
access-list 20 permit 10.10.0.0 0.0.0.255
!         
route-map VLAN10 permit 10
 match ip address 10
 match interface GigabitEthernet0/0
!         
route-map VLAN20 permit 20
 match ip address 20
 match interface GigabitEthernet0/1
!         
!         
snmp-server community WWM_Cisco2901 RO
snmp-server enable traps entity-sensor threshold
!         
control-plane
!         
!         
!         
line con 0
line aux 0
line 2    
 no activation-character
 no exec  
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 06055F2343421D405447435D
 login    
 transport input all
!         
scheduler allocate 20000 1000
!         
end  

Hello

"Unfortunately, i'm still having online connectivity problems with my FIBER"

what exactly are you experiencing?


res

Paul



Internally, the Cisco VLANs are working; I can easily ping every device and server within the VLAN. However, when trying to echo Google from a station behind the FIBER VLAN I cannot get a response. I tested, and it seems that when the ip vrf forwarding command is used on the ISP port, no external device can reach my router.

Example:

interface GigabitEthernet0/0
 ip vrf forwarding FIBER
 ip address eee.fff.ggg.58 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!  


From external device:

PING eee.fff.ggg.58 (eee.fff.ggg.58) 56(84) bytes of data.

--- eee.fff.ggg.58 ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15161ms


interface GigabitEthernet0/0
 ip address eee.fff.ggg.58 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!  

PING eee.fff.ggg.58 (eee.fff.ggg.58) 56(84) bytes of data.
64 bytes from eee.fff.ggg.58: icmp_seq=2 ttl=239 time=98.5 ms
64 bytes from eee.fff.ggg.58: icmp_seq=3 ttl=239 time=50.2 ms
64 bytes from eee.fff.ggg.58: icmp_seq=4 ttl=239 time=238 ms

--- eee.fff.ggg.58 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3025ms
rtt min/avg/max/mdev = 50.201/128.956/238.098/79.661 ms