Configuring ISR 4221

ermionline
Level 1
Hi,

 

I have ISR 4221, with 2 gigabit Ethernet ports and 1 LTE port.

I want to use the LTE port as a backup line when the cable connection is down, but I can't get it working.

Below is a snippet of my configuration. What did I miss?

 

chat-script lte "" "AT!CALL1" TIMEOUT 60 "OK"
!
redundancy
 mode none
!
controller Cellular 0/2/0
 lte modem link-recovery disable
!
!
vlan internal allocation policy ascending
no cdp run
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address 10.134.199.108 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 172.19.0.1 255.255.0.0
 ip nat inside
 negotiation auto
!
!
interface Cellular0/2/0
 ip address negotiated
 ip nat outside
 dialer in-band
 dialer idle-timeout 0
 dialer-group 1
 ipv6 address autoconfig
 pulse-time 1
!
interface Cellular0/2/1
 no ip address
!
interface Vlan1
 no ip address
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.134.199.106 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 track 10
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
access-list 1 permit 0.0.0.0
access-list 2 permit 172.19.0.0 0.0.255.255
access-list 2 permit 172.20.0.0 0.0.255.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit

 

 

23 Replies

Hello,

 

Is this the full config? I don't see the IP SLA...

What is IP SLA? I don't know anything about that. Can you help me with that?

Hello,

 

I have made some changes to your config (marked in bold). Make sure that you implement those and check if it works:

 

chat-script lte "" "AT!CALL1" TIMEOUT 60 "OK"
!
redundancy
mode none
!
controller Cellular 0/2/0
lte modem link-recovery disable
!
vlan internal allocation policy ascending
no cdp run
!
track 1 ip sla 1 reachability
delay down 1 up 1
!
interface GigabitEthernet0/0/0
description Primary
ip address 10.134.199.108 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 172.19.0.1 255.255.0.0
ip nat inside
negotiation auto
!
interface Cellular0/2/0
description Backup
ip address negotiated
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
ipv6 address autoconfig
pulse-time 1
!
interface Cellular0/2/1
no ip address
!
interface Vlan1
no ip address
!
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip nat inside source route-map BACKUP interface Cellular0/2/0 overload
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
threshold 1000
timeout 1000
frequency 5
!
ip sla schedule 1 life forever start-time now
!
ip route 0.0.0.0 0.0.0.0 10.134.199.106 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
route-map PRIMARY permit 10
match ip address 1
match interface GigabitEthernet0/0/0
!
route-map BACKUP permit 10
match ip address 1
match interface Cellular0/2/0
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
access-list 1 permit 172.19.0.0 0.0.255.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
!
event manager applet CLEAR_NAT
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"

Thanks,

 

I think it's working now.

What if I wanted to add another internet connection? I have only two gigabit interfaces, 1 for LAN and 1 already occupied by the previous network.

 

 

Hello,

 

You could consider subinterfaces; however, I am not sure your ISP supports that...

My ISP supports sub-interfacing, but I am confused with the NAT and routing rules when using sub-interfaces.

As far as NAT and routing are concerned they work just the same whether it is on a physical interface or is on a sub interface. 

 

For NAT you need to identify the various interfaces that function as inside and which function as outside. If there is more than one interface acting as outside you need to use route maps to control address translation so that you can match the particular outside interface as well as matching the ACL. Nothing in that is different if there is a sub interface involved.

 

For static routing you specify the destination network and mask and next hop and optionally the administrative distance. Nothing in that is different if there is a sub interface involved.

 

If you are still confused then please explain what it is that you are confused about.

 

HTH

Rick

Thanks,

 

How can I do the cabling and the VLAN thing on the router? I have 4 additional ports on the router but they are Layer 2 ports.

It is very helpful if your router has 4 additional ports, even if they are layer 2 ports. You had not mentioned this capability before. With these ports you would not need to use sub interfaces. What I suggest that you do is to select one of those layer 2 ports and connect the new connection to it. The layer 2 ports belong to vlan 1 by default. You would need to create a new vlan (perhaps vlan 2) and then assign the port with the new connection to vlan 2. Then configure interface vlan 2. This creates a layer 3 interface for the vlan. On this interface you would configure the information supplied by the provider (is the IP address assigned by DHCP or is it static - and if static what is the address and mask).

 

Once you have the interface configured then you would configure routing to use the new interface. Would you intend to keep it operating as primary and backup (or if you keep the cellular operating it might be primary, first backup, second backup) or would you want the two Ethernet outside connections active and try to do some type of load balancing?

 

Once you have the routing set up you would also need to configure address translation for the new interface. You would follow the implementation of a new route map for the new translation where the route map matches the new interface and matches the ACL.

 

The routing and the address translation will use the new layer 3 vlan interface and there would not be any need for sub interfaces.

 

HTH

Rick

Thanks,

 

Following your instruction, I can ping 4.2.2.2 from the router, but I couldn't get internet from client PCs. Below is my config. Did I miss anything?

 

interface GigabitEthernet0/0/0
 description Primary
 ip address 10.134.199.108 255.255.255.248
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 172.19.0.1 255.255.0.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
 description Backup
 ip address negotiated
 ip nat outside
 dialer in-band
 dialer idle-timeout 0
 dialer-group 1
 ipv6 address autoconfig
 pulse-time 1
!
interface Cellular0/2/1
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.134.49.251 255.255.240.0
 ip nat outside
!
ip nat inside source route-map BACKUP interface Cellular0/2/0 overload
ip nat inside source route-map Internet interface GigabitEthernet0/1/0 overload
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 172.20.0.0 255.255.0.0 10.134.199.106 track 1
ip route 0.0.0.0 0.0.0.0 10.134.48.1
ip route 172.20.0.0 255.255.0.0 Cellular0/2/0
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip sla 1
 icmp-echo 172.20.0.27 source-interface GigabitEthernet0/0/0
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
access-list 1 permit 0.0.0.0
access-list 2 permit 172.19.0.0 0.0.255.255
access-list 2 permit 172.20.0.0 0.0.255.255
access-list 10 permit 172.19.0.0 0.0.255.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
!
!
route-map BACKUP permit 10
 match ip address 1 10
 match interface Cellular0/2/0
!
route-map Internet permit 10
 match ip address 1
 match interface GigabitEthernet0/1/0
!
route-map PRIMARY permit 10
 match ip address 10
 match interface GigabitEthernet0/0/0

Can someone please help me on this?

 

Thanks.
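Two dependencies come up repeatedly in this thread: a static route that carries `track N` needs a matching `track N` object, and each `ip nat inside source route-map ... interface ...` statement has to agree with both its route-map's `match interface` and an interface marked `ip nat outside`. The following is an added example, not code from any poster; the names `audit` and `SAMPLE` are hypothetical, the sample is constructed by condensing the configuration posted above, and the parser assumes running-config indentation (sub-commands start with a space).

```python
import re

# Constructed sample, condensed from the configuration posted above.
SAMPLE = """\
interface GigabitEthernet0/0/0
 ip nat outside
interface GigabitEthernet0/1/0
 switchport access vlan 2
interface Cellular0/2/0
 ip nat outside
interface Vlan2
 ip nat outside
ip nat inside source route-map BACKUP interface Cellular0/2/0 overload
ip nat inside source route-map Internet interface GigabitEthernet0/1/0 overload
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip route 172.20.0.0 255.255.0.0 10.134.199.106 track 1
route-map BACKUP permit 10
 match interface Cellular0/2/0
route-map Internet permit 10
 match interface GigabitEthernet0/1/0
route-map PRIMARY permit 10
 match interface GigabitEthernet0/0/0
"""

def audit(config):
    """Return findings about NAT and track references in an IOS running-config."""
    section, body, tracks, findings = "", {}, set(), []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith(" "):              # sub-command of the current section
            body.setdefault(section, []).append(line.strip())
            continue
        section = line.rstrip()
        body.setdefault(section, [])
        if m := re.match(r"track (\d+) ", section):
            tracks.add(m.group(1))            # e.g. "track 1 ip sla 1 reachability"
    for line in body:
        if m := re.match(r"ip nat inside source route-map (\S+) interface (\S+)", line):
            rmap, intf = m.groups()
            if "ip nat outside" not in body.get(f"interface {intf}", []):
                findings.append(f"NAT via {intf}: interface is not 'ip nat outside'")
            clauses = [c for s in body if s.startswith(f"route-map {rmap} ") for c in body[s]]
            if f"match interface {intf}" not in clauses:
                findings.append(f"route-map {rmap} does not match interface {intf}")
        if (m := re.search(r" track (\d+)$", line)) and line.startswith("ip route "):
            if m.group(1) not in tracks:
                findings.append(f"static route uses undefined track {m.group(1)}")
    return findings
```

On the sample, `audit(SAMPLE)` reports that the NAT statement names the Layer 2 port `GigabitEthernet0/1/0` rather than an `ip nat outside` interface, and that `track 1` is referenced without being defined in the posted lines.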

Hello,

 

Post a brief schematic drawing of what your network looks like. What is Vlan 2 for? And where is 172.20.0.0/16?

Actually, did you ever try to configure what I posted earlier? This should work:

 

chat-script lte "" "AT!CALL1" TIMEOUT 60 "OK"
!
redundancy
mode none
!
controller Cellular 0/2/0
lte modem link-recovery disable
!
vlan internal allocation policy ascending
no cdp run
!
track 1 ip sla 1 reachability
delay down 1 up 1
!
interface GigabitEthernet0/0/0
description Primary
ip address 10.134.199.108 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 172.19.0.1 255.255.0.0
ip nat inside
negotiation auto
!
interface Cellular0/2/0
description Backup
ip address negotiated
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
ipv6 address autoconfig
pulse-time 1
!
interface Cellular0/2/1
no ip address
!
interface Vlan1
no ip address
!
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip nat inside source route-map BACKUP interface Cellular0/2/0 overload
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
threshold 1000
timeout 1000
frequency 5
!
ip sla schedule 1 life forever start-time now
!
ip route 0.0.0.0 0.0.0.0 10.134.199.106 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
route-map PRIMARY permit 10
match ip address 1
match interface GigabitEthernet0/0/0
!
route-map BACKUP permit 10
match ip address 1
match interface Cellular0/2/0
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
access-list 1 permit 172.19.0.0 0.0.255.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
!
event manager applet CLEAR_NAT
event track 1 state any
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation *"

172.20.0.0/16 is a subnet for another branch office.

 

My router has 2 L3 ports (Gi0/0/0 -> connected to MPLS router) and (Gi0/0/1 -> connected to internal network) and 4 Layer 2 ports (Gi0/1/0 -> connected to Internet).

 

Vlan 2 is created and assigned to Gi0/1/0 so that it can do routing.