09-13-2017 05:06 AM - edited 03-08-2019 12:00 PM
Hi team,
I have a problem which we're trying to iron out.
We have a router with 2 internal LAN interfaces and 2 ADSL ISP interfaces.
We're trying to set this up so that each LAN interface maps directly to an individual WAN interface as its default route.
A nice-to-have would be to enable some form of failover should the default ISP go down, but that's further on, as we haven't been able to get the thing working at its most basic.
We have the following config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname office-adsl
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 512000 debugging
enable secret xxxxxxxxxxx.
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
!
ip dhcp pool pollux
 network 192.168.200.0 255.255.255.0
 default-router 192.168.200.1
 dns-server 62.6.40.178 62.6.40.162
!
ip dhcp pool castor
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 62.6.40.178 62.6.40.162
!
ip flow-cache timeout active 1
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip name-server 141.1.1.1
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-281403735
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-281403735
 revocation-check none
 rsakeypair TP-self-signed-281403735
!
archive
 log config
  hidekeys
!
interface ATM0/0
 description btbusiness
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface ATM0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname somebody@somewhere
 ppp chap password xxxxxxxxxxxx
!
interface Dialer1
 description btbusiness
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 shutdown
 dialer pool 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname somebody@somewhere
 ppp chap password xxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 12 interface Dialer0 overload
ip nat inside source list 22 interface Dialer1 overload
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 22 permit 192.168.200.0 0.0.0.255
!
control-plane
!
alias exec arp tclsh flash:arp.tcl
alias exec shutnoshut tclsh flash:shutnoshut.tcl
!
line con 0
line aux 0
!
end
Any pointers as to why it's not working?
thanks,
Paula
09-13-2017 06:13 AM - edited 09-13-2017 06:23 AM
Hi
At first sight you have 2 static default routes with the same administrative distance; you should select one to be primary and increase the AD for the backup. Now, and please correct me if I am misunderstanding the question, if you want to manipulate traffic so the LANs reach the Internet through their specific providers you could:
1) Configure the primary default route.
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1 20 name backup
2) Leave the LAN (who use the Dialer0) without any modification.
3) Configure and apply the following to the other LAN (We can say LAN 2)
access-list 100 permit ip (LAN 2 with its wildcard) any, example:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map LAN2-DIALER1 permit 5
match ip address 100
set ip next-hop <Next Hop IP for Dialer 1, ISP side>
int fa0/0
ip policy route-map LAN2-DIALER1
Hope it is useful
:-)
09-13-2017 06:47 AM
Can you double-check your ATM/ADSL interface status as well as the authentication status? You have Dialer1 shut down, with description btbusiness, but ATM0 referencing Dialer0 also has description btbusiness.
The 2 default route statements, both up, should cause per-flow load balancing via the CEF table. Simply set one with a higher admin distance to achieve failover.
Also the ACLs for the NAT overload statements: you will blackhole half your traffic with the current ACLs. If you want load balancing and failover then simply use a single ACL with 2 match statements for both LAN subnets for each NAT overload ACL. Traffic flow will work itself out based on the incoming LAN interface.
09-13-2017 07:19 AM - edited 09-13-2017 07:21 AM
As already pointed out, having 2 equal-cost default routes can be problematic.
Also, the way the NAT statements are currently configured, you will never have successful failover.
To be able to perform failover successfully you need to configure route-maps in the NAT statements and match interfaces as well (not just match IP addresses for the NAT statement).
You can use Cisco's NAT failover with DUAL ISP on a router Configuration Example as a guide.
09-13-2017 07:33 AM
Hi guys, thanks for your help so far. I have it close to working now. I'm using the following configuration:
Both LANs can communicate out using their own ISP, but the final part I can't get is the routing between the two LANs which are NAT inside. I have set up router RIP but this doesn't seem to make a difference.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname office-adsl
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 512000 debugging
enable secret xxx
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
!
ip dhcp pool pollux
 network 192.168.200.0 255.255.255.0
 default-router 192.168.200.1
 dns-server 62.6.40.178 62.6.40.162
!
ip dhcp pool castor
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 62.6.40.178 62.6.40.162
!
ip flow-cache timeout active 1
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip name-server 141.1.1.1
!
archive
 log config
  hidekeys
!
interface ATM0/0
 description sse
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map castor
 duplex auto
 speed auto
!
interface ATM0/1
 description btbusiness
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map pollux
 duplex auto
 speed auto
!
interface Dialer0
 description sse
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxx
 ppp chap password xxxx
!
interface Dialer1
 description btbusiness
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxx
 ppp chap password xxxx
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.200.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.88.0 255.255.255.0 192.168.200.2
ip route 212.159.13.49 255.255.255.255 Dialer1
ip route 212.159.13.50 255.255.255.255 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 12 interface Dialer0 overload
ip nat inside source list 22 interface Dialer1 overload
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 22 permit 192.168.200.0 0.0.0.255
route-map pollux permit 22
 match ip address 22
 set interface Dialer1
!
route-map castor permit 12
 match ip address 12
 set interface Dialer0
!
control-plane
!
alias exec arp tclsh flash:arp.tcl
alias exec shutnoshut tclsh flash:shutnoshut.tcl
!
line con 0
line aux 0
!
ntp clock-period 17207966
ntp server 85.119.80.233
!
end
09-13-2017 07:46 AM - edited 09-13-2017 07:54 AM
Hi
By default the networks created on the router should communicate. Try modifying the ACLs; I would like to suggest using a prefix-list instead of an ACL:
access-list 112 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 122 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 122 deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 permit ip 192.168.200.0 0.0.0.255 any
route-map pollux permit 22
match ip address 122
set interface Dialer1
!
route-map castor permit 12
match ip address 112
set interface Dialer0
09-13-2017 07:46 AM - edited 09-13-2017 07:50 AM
no ip nat inside source list 12 interface Dialer0 overload
no ip nat inside source list 22 interface Dialer1 overload
You need to use route-maps in the NAT statements:
ip nat inside source route-map pollux interface Dialer0 overload
ip nat inside source route-map castor interface Dialer1 overload
However, the route-map statements (or ACLs) will need some changes from how they are currently written to be able to perform failover successfully. Currently you are matching only one IP address range with one interface; during failover the address range that is not matched will not be NATed.
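The pieces the replies above are pointing at (primary/backup default routes with different AD, per-LAN PBR, NAT route-maps that `match interface`, and the failover logic from Cisco's dual-ISP example) assembled into one added example. This is not configuration from the thread or from Cisco's document. It assumes the IOS 12.4T-or-later spelling of `ip sla`, `track ... ip sla` and EEM `event track` (12.4 mainline uses `ip sla monitor` and `track N rtr N reachability`), and 8.8.8.8 and 1.1.1.1 are placeholder probe targets to be replaced with hosts each ISP reliably answers. Interface, ACL and route-map names are the thread's own.

```cisco
! Added example, not from the thread. Assumes IOS 12.4T+ syntax for
! "ip sla" / "track" / EEM "event track"; 8.8.8.8 and 1.1.1.1 are
! placeholder probe targets. Interface and subnet names are the thread's.
!
! 1) Health probes, one per ISP. The /32 routes pin each probe to its own
!    dialer; the Null0 floating routes stop a probe from sneaking out via the
!    other ISP (and reporting "up") when its own dialer is down.
ip route 8.8.8.8 255.255.255.255 Dialer0
ip route 8.8.8.8 255.255.255.255 Null0 250
ip route 1.1.1.1 255.255.255.255 Dialer1
ip route 1.1.1.1 255.255.255.255 Null0 250
ip sla 1
 icmp-echo 8.8.8.8 source-interface Dialer0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 1.1.1.1 source-interface Dialer1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! 2) Primary and backup default route (backup AD 10) instead of two
!    equal-cost defaults; each is withdrawn when its probe fails. This is
!    what covers router-originated traffic (DNS, NTP) that PBR never sees.
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 10 track 2
!
! 3) PBR: each LAN prefers its own ISP. The deny lines hand LAN-to-LAN
!    (RFC 1918) traffic back to normal routing, which is what lets the two
!    LANs reach each other. "set interface A B" only moves to B when A is
!    line-down, so step 5 re-orders it when the probe says the ISP is dead.
access-list 112 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 112 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 112 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 deny   ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 122 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 122 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 permit ip 192.168.200.0 0.0.0.255 any
route-map castor permit 10
 match ip address 112
 set interface Dialer0 Dialer1
route-map pollux permit 10
 match ip address 122
 set interface Dialer1 Dialer0
interface FastEthernet0/0
 ip policy route-map castor
interface FastEthernet0/1
 ip policy route-map pollux
!
! 4) NAT chosen by EGRESS interface, not by source LAN. Both LANs sit in one
!    ACL and "match interface" picks the dialer address, so after a failover
!    the re-routed LAN is still translated instead of leaking RFC 1918
!    sources onto the backup ISP.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
route-map NAT-DIALER0 permit 10
 match ip address 101
 match interface Dialer0
route-map NAT-DIALER1 permit 10
 match ip address 101
 match interface Dialer1
ip nat inside source route-map NAT-DIALER0 interface Dialer0 overload
ip nat inside source route-map NAT-DIALER1 interface Dialer1 overload
!
! 5) When ISP1's probe fails, make castor prefer Dialer1 and flush the
!    overload translations (they are bound to the interface they were built
!    on); restore the order when it recovers. The mirror pair for track 2 /
!    pollux is identical with the interface order swapped.
event manager applet ISP1-DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "route-map castor permit 10"
 action 4.0 cli command "set interface Dialer1 Dialer0"
 action 5.0 cli command "end"
 action 6.0 cli command "clear ip nat translation *"
event manager applet ISP1-UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "route-map castor permit 10"
 action 4.0 cli command "set interface Dialer0 Dialer1"
 action 5.0 cli command "end"
 action 6.0 cli command "clear ip nat translation *"
```

Verify with `show track`, `show ip sla statistics`, `show route-map castor` and `show ip nat translations`: pulling the line on ISP1 should flip track 1 to Down, withdraw the Dialer0 default, re-order castor and empty the translation table. Two things in the working config posted later in the thread are worth tightening at the same time. The leftover `ip nat inside source list 12` / `list 22` statements overlap the route-map NAT statements for the same source addresses (and those route-map lines pair castor with Dialer1 and pollux with Dialer0, the opposite of the PBR route-maps), so it is unclear which translation a given packet gets; keeping only interface-keyed route-map NAT removes the ambiguity. And `line vty 0 4 ... transport input telnet` sends the router login in clear text; `transport input ssh` behind the same `access-class 12 in` is the usual fix, with `ip domain-name` and `crypto key generate rsa` done first.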
09-13-2017 08:41 AM
Hi guys,
Thank you all so much. I don't know who to mark as the solution as you all helped me to get it working. I'm going to post the working config here so that anybody else who is trying to do this might be helped:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname office-adsl
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 512000 debugging
enable secret xxxxxxx
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
!
ip dhcp pool pollux
 network 192.168.200.0 255.255.255.0
 default-router 192.168.200.1
 dns-server 62.6.40.178 62.6.40.162
!
ip dhcp pool castor
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 62.6.40.178 62.6.40.162
!
ip flow-cache timeout active 1
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip name-server 141.1.1.1
!
archive
 log config
  hidekeys
!
interface ATM0/0
 description btbusiness
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map castor
 duplex auto
 speed auto
!
interface ATM0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface FastEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map pollux
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx
!
interface Dialer1
 description btbusiness
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.200.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.88.0 255.255.255.0 192.168.200.2
ip route 212.159.13.49 255.255.255.255 Dialer1
ip route 212.159.13.50 255.255.255.255 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 12 interface Dialer0 overload
ip nat inside source list 22 interface Dialer1 overload
ip nat inside source route-map castor interface Dialer1 overload
ip nat inside source route-map pollux interface Dialer0 overload
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 22 permit 192.168.200.0 0.0.0.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 112 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 any
access-list 122 deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 122 deny ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 122 deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 permit ip 192.168.200.0 0.0.0.255 any
route-map pollux permit 22
 match ip address 122
 set interface Dialer1
!
route-map castor permit 12
 match ip address 112
 set interface Dialer0
!
control-plane
!
alias exec arp tclsh flash:arp.tcl
alias exec shutnoshut tclsh flash:shutnoshut.tcl
!
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 password xxxxx
 login
 transport input telnet
!
ntp clock-period 17207966
ntp server 85.119.80.233
!
end