06-28-2011 05:41 AM - edited 03-07-2019 01:00 AM
Hello,
I need some help with a configuration.
I have a Cisco 1812-J and two Catalyst 2960 switches. I have 4 VLANs.
The two Catalyst 2960 switches have their respective Gigabitethernet ports 23 and 24 connected to each other. (23->23 and 24->24) They are configured in trunk, nonegotiate, and channel-group 1. (For redundancy)
The 1812-J has FE0 connected to the internet modem (PPPOE) and FE1 has subinterfaces configured for VLAN 1,2,3, and 4. FE1 is also physically connected to Port 21 of the switch.
Currently, everything works fine in this router-on-a-stick setup (devices in separate VLANs can ping each other), but is it possible for me to have another connection from my router to the second switch for more redundancy?
I have this now:
1812-J
  |
  |
  |
  |
2960 ==== 2960
What I would like is this:
1812-J -------
  |        |
  |        |
  |        |
  |        |
2960 ==== 2960
I have 8 switch ports on the 1812-J that are not in use.
I'm stuck on what I should do... if it is possible...
Please see the attached picture (Ignore that ports 23 and 24 are crossed between switches. I won't be doing that).
06-28-2011 05:53 AM
Hi Kevin,
You can use one of the 8 switch ports on the 1812-J.
Make sure you configure this port as a trunk port.
Please rate the helpful posts.
Regards,
Naidu.
06-28-2011 07:01 AM
Ok. I will try it.
Just to clear up a few more points:
1. If I configure the port on the 1812-J router to be a trunk port, I will also need to configure the port on the switch I connect it to to be a trunk port. Correct?
2. Do I need to specify the VLANs on this trunk port like I did for FE1 on the router? (I can't seem to configure subinterfaces on those ports - only seems to let me add subinterfaces for FE0 and FE1)
3. That the devices on the second switch will still be able to access the internet if switch 1 is down.
Here's my current router config, please let me know what commands I need to put the trunk on port 7 of the router:
router#sh run
Building configuration...
Current configuration : 4551 bytes
!
version 12.4
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login XAUTH group radius local
aaa authentication login LOCALAUTHEN local
aaa authorization network LOCALAUTHOR local
!
aaa session-id common
!
resource policy
!
clock timezone JST 9
!
!
ip cef
!
!
ip domain name xxxxxxx.com
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh version 2
login block-for 600 attempts 3 within 10
login quiet-mode access-class 140
login on-failure log
vpdn enable
!
!
!
!
username cisco password 7 xxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxxxxxxx
key xxxxxxxxx
dns x.x.x.x x.x.x.x
wins 10.10.33.10
domain xxxxx.com
pool xxxxxx-REMOTE-VPN-POOL
acl VPN-SPLIT-TUNNELS
crypto isakmp profile VTI-ISAKMP-PROFILE
match identity group xxxxxxxxx-RA-VPN
client authentication list XAUTH
isakmp authorization list LOCALAUTHOR
client configuration address respond
virtual-template 100
!
!
crypto ipsec transform-set DYNAMIC-TSET esp-aes esp-sha-hmac
!
crypto ipsec profile DYNAMIC-IPSEC-PROFILE
set transform-set DYNAMIC-TSET
!
!
!
!
!
interface FastEthernet0
no ip address
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet1.1
encapsulation dot1Q 1 native
ip address 10.10.33.1 255.255.255.0
no snmp trap link-status
!
interface FastEthernet1.2
encapsulation dot1Q 2
ip address 10.10.34.1 255.255.255.0
no snmp trap link-status
!
interface FastEthernet1.3
encapsulation dot1Q 3
ip address 10.10.35.1 255.255.255.0
no snmp trap link-status
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
no cdp enable
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
switchport mode trunk
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template100 type tunnel
ip unnumbered Dialer1
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE
!
interface Dialer1
description Connected to WAN
mtu 1454
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
!
ip local pool xxxxxxxx-REMOTE-VPN-POOL 10.10.100.0 10.10.100.254
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
!
no ip http server
no ip http secure-server
ip nat inside source list 150 interface Dialer1 overload
!
ip access-list extended VPN-SPLIT-TUNNELS
remark ACL for VPN client split tunnel networks
permit ip 10.10.33.0 0.0.0.255 any
!
access-list 140 remark access-list defining only xx remote network can access this line
access-list 140 permit tcp host x.x.x.x any eq 22
access-list 140 permit tcp host x.x.x.x any eq 22
access-list 140 remark access-list defining only xx remote network can access this line
access-list 150 deny ip 10.10.33.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 150 permit ip 10.10.33.0 0.0.0.255 any
access-list 160 permit ip 10.10.33.0 0.0.0.255 10.10.100.0 0.0.0.255
!
!
!
!
!
radius-server host 10.10.33.10 auth-port 1645 acct-port 1646
radius-server key 7 xxxxxxxxxxxxxx
!
control-plane
!
banner login ^CC
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
^C
!
line con 0
exec-timeout 5 0
logging synchronous
stopbits 1
line aux 0
line vty 0 3
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
transport input ssh
line vty 4
access-class 140 in
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
transport input ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
router#
06-28-2011 10:06 AM
Kevin Cummins wrote:
Ok. I will try it.
Just to clear up a few more points:
1. If I configure the port on the 1812-J router to be a trunk port, I will also need to configure the port on the switch I connect it to to be a trunk port. Correct?
2. Do I need to specify the VLANs on this trunk port like I did for FE1 on the router? (I can't seem to configure subinterfaces on those ports - only seems to let me add subinterfaces for FE0 and FE1)
3. That the devices on the second switch will still be able to access the internet if switch 1 is down.
Here's my current router config, please let me know what commands I need to put the trunk on port 7 of the router:
To answer your queries:
1) Yes, you would have to configure both ends as trunk ports (switch and router).
2) 1841 has the limitation that you get only 2 routed ports (F0/0 and F0/1). The 8-port module only provides switchports, and you would not be able to configure subinterfaces.
3) Configuring the trunk between the switch and the router does not buy you anything in your case. If Switch 1 is down you would not be able to get through Switch 2.
In order to have redundancy, you would either have to upgrade your router or get Layer 3/multilayer switches.
06-29-2011 12:22 AM
Hi Kevin,
1. If I configure the port on the 1812-J router to be a trunk port, I will also need to configure the port on the switch I connect it to to be a trunk port. Correct?
Yes, you need to configure the uplink ports at both ends (Router & Switch) as trunk ports to carry forward the VLANs.
2. Do I need to specify the VLANs on this trunk port like I did for FE1 on the router? (I can't seem to configure subinterfaces on those ports - only seems to let me add subinterfaces for FE0 and FE1)
The 8 ports you have are switch ports, not routed ports, so you cannot configure sub-interfaces.
3. That the devices on the second switch will still be able to access the internet if switch 1 is down.
Yes.
Please rate the helpful posts.
Regards,
Naidu.
06-29-2011 06:09 AM
3. That the devices on the second switch will still be able to access the internet if switch 1 is down.
Yes.
Naidu, I beg to differ with you on this. As subinterfaces are configured on the directly connected interface F0/1 to Switch A from the router, if Switch A goes down, hosts on Switch B would not be able to access the Internet.
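
The disagreement above turns on where each VLAN's routed gateway lives. The following is an added example, not code from any poster in the thread: it parses an excerpt of the posted config (indentation restored so stanzas can be recognised) and reports which physical port each VLAN gateway depends on and which ports are Layer 2 trunks only. The function names and report keys are made up for this illustration, and a VLAN is assumed to have a gateway on a port only when a dot1Q subinterface with an IP address exists under it.

```python
import re
from collections import defaultdict

# Excerpt of the running-config posted in the thread, indentation restored.
SAMPLE = """\
interface FastEthernet1.1
 encapsulation dot1Q 1 native
 ip address 10.10.33.1 255.255.255.0
!
interface FastEthernet1.2
 encapsulation dot1Q 2
 ip address 10.10.34.1 255.255.255.0
!
interface FastEthernet1.3
 encapsulation dot1Q 3
 ip address 10.10.35.1 255.255.255.0
!
interface FastEthernet7
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif not line.startswith(" "):   # "!" or any top-level line ends the stanza
            current = None
        elif current is not None:
            current.append(line.strip())
    return stanzas

def gateway_report(config):
    """Map each VLAN to the physical port that carries its routed gateway."""
    gateways, l2_trunks = defaultdict(set), []
    for name, lines in parse_interfaces(config).items():
        body = "\n".join(lines)
        vlan = re.search(r"^encapsulation dot1Q (\d+)", body, re.M)
        if vlan and re.search(r"^ip address \d", body, re.M):
            gateways[int(vlan.group(1))].add(name.split(".")[0])
        elif "switchport mode trunk" in lines:
            l2_trunks.append(name)       # carries VLANs at Layer 2, no gateway
    single = sorted(v for v, ports in gateways.items() if len(ports) == 1)
    return {"gateways": dict(gateways), "l2_trunks": l2_trunks,
            "single_homed_vlans": single}
```

On the excerpt, every gateway resolves to FastEthernet1 while FastEthernet7 appears only as a Layer 2 trunk, which is the situation the last reply describes.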