05-26-2017 03:33 PM - edited 03-08-2019 10:45 AM
Hi guys, I am a rookie in CCNA and still learning.
I just have one question before I make a maze with my Switch Catalyst 3750: can I have more than one ip route for the same VLAN, and I mean the whole network, something like this:
# ip route 0.0.0.0 0.0.0.0 192.168.18.250 /// Main Server
# ip route 0.0.0.0 0.0.0.0 192.168.18.18 //// backup server
I need to set up a gateway as a backup service in case the main server goes down. Both of them are virtual machines but on different physical servers. The entire network points to the main server (Sophos UTM 9); this one is my gateway and firewall.
The second one (ClearOS 7) is just for having internet service, no more than that. I don't care if we don't have a firewall and all those services; it is only to have time to work on the main one and do some support. About 30 min and we will be fine.
All is fine, but the physical servers are too old and we have had crashes before, so we need to have another one so the users can keep working during the crashes.
Thanks in advance and best regards.
06-12-2017 06:37 AM
I was reading my last post and I thought I was clearer. But, on second thought, I do not think so. When I said
"The 2 ISPs are managed by the UTM and the NAT is done mostly by the interface of the primary ISP; only access to our school platform has NAT through the 2 ISPs at the same time. The secondary ISP interface is in standby mode, waiting for the first one to fail somehow."
in all that, I was talking about interfaces in the Sophos UTM server! All is managed by the UTM; I do not have any kind of NAT in any other device. In the future I want the secondary server to do the same job, but for now I only need to make a transparent gateway.
Would you mind checking if the config for the Catalyst 3750 I posted is correct for doing this? If it is, then I can forget the switch and go to the second server and focus on it.
Thanks and regards.
06-12-2017 07:32 AM
Thank you Luis
It is clear now, your configuration looks fine. I think you are connecting the ISPs using VLAN 18.
Now, have you tried removing the primary default route
ip route 0.0.0.0 0.0.0.0 192.168.18.250 name main_internet
Just for testing purposes?
06-12-2017 02:08 PM
I am sorry but no, VLAN 18 is for servers, only the local network for servers, but the ISPs each have their own VLAN: VLAN 200 for the main ISP and 201 for the backup (standby internet).
I don't have those VLANs defined in the servers; the IPs were configured directly on the interfaces. These particular VLANs are only defined in the switch, to have the facility of VLANs with direct internet using public addresses without going through the firewall.
Do you think something is wrong with that config?
I will only be able to test what you asked tomorrow at 16:00.
I will let you know how it goes, thanks and regards.
06-13-2017 07:14 AM
Do you have a diagram to see how they are connected physically? Your config looks fine.
I usually receive the ISPs on a switch using different vlans as you mentioned previously.
Please let me share an example of how I see your topology.
06-15-2017 11:36 AM
I am posting this again, because doing it by email hasn't worked since last Tuesday:
There you have a diagram; I think this is more accurate. I guess you are confused; at the beginning we were confused too, but the whole design of the network structure was not made by us. It was a provider, and it corresponded to what we needed at that moment, maybe 10 years ago, with a lot of changes in the meantime!!
At some point, we just avoided working with providers and tried to do all the config by ourselves, trying to keep the structure. We don't know if this structure is the best at this moment, but it is what it is; if it is not, please feel free to give some advice.
Thanks and regards.
PS: By the way, we are having performance issues with our internet service. We are pretty sure it is something in our network, not the ISP's performance. If you think it could be related to this structure please let me know; maybe this is the real problem.
06-15-2017 12:10 PM
Thank you Luis,
It is very useful, please let me analyze it and share my thoughts.
06-19-2017 09:24 AM
Any new idea?
06-20-2017 07:06 AM
I have created the attached topology to provide more details about how the redundancy with floating static routes works.
Basically Router 1 and 2 have:
- Configured NAT
- Routes in order to know the internal networks
- Are connected to one ISP.
If the Link 1 is down all the traffic will be moved to the Router 2 because the Internal network router has a default route with a higher administrative distance.
Internal network router:
ip route 0.0.0.0 0.0.0.0 <Router's 1 IP address>
ip route 0.0.0.0 0.0.0.0 <Router's 2 IP address> 20 <---administrative distance
If the link between Router 1 and ISP 1 is down, the redundancy will not take effect unless you have configured an IP SLA + EEM script on the Internal network router.
Take into consideration that both edge routers (in this case both servers) should have a similar configuration to work as redundancy. But remember the redundancy with floating static routes will work if the connected link is down.
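
The floating static route from the answer above, combined with IP SLA object tracking so the primary default route is withdrawn when the main gateway stops answering pings, not only when the connected link goes down. This is an added example, not configuration from the original thread: it reuses the gateway addresses from the first post and the distance of 20 from the answer, the probe timers and track delay are assumed values, and it assumes the switch's IOS image supports IP SLA and object tracking.

```cisco
! Added example built from the addresses in this thread; not the poster's running config.
!
! Probe the main gateway (192.168.18.250) with ICMP echo.
! Assumed timers: threshold and timeout are in milliseconds, frequency in seconds,
! and IOS requires threshold <= timeout <= frequency.
ip sla 1
 icmp-echo 192.168.18.250
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 1 is Up while the probe gets replies.
! The delay values (assumed) damp the state so one lost ping does not flap the route.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Remove the untracked primary route, then re-add it bound to track 1:
! it is installed only while track 1 is Up.
no ip route 0.0.0.0 0.0.0.0 192.168.18.250
ip route 0.0.0.0 0.0.0.0 192.168.18.250 track 1
!
! Floating backup route: administrative distance 20 keeps it out of the
! routing table until the primary route is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.18.18 20
!
! Verification from exec mode:
!   show ip sla statistics 1
!   show track 1
!   show ip route 0.0.0.0
```

While track 1 is Down, all LAN traffic leaves through the backup gateway, which according to the first post runs without the firewall services of the main one; the %TRACKING-5-STATE syslog message on the switch marks each transition and is the event to alert on.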
06-20-2017 10:26 AM
OK, now I have homework!!
I need to study "IP SLA + EEM script"; I don't know what all that is about. Can you point me to a manual about this? If possible, in Spanish!
I will let you know how it is going, regards.
06-22-2017 08:42 PM
Apologies for the late response, there is a book about scripting:
Also I'm going to provide you an example of how you could configure your devices.
06-23-2017 06:05 AM
Again I can't see my last post. It is happening a lot; I don't know why it happens. They appear when I post them, but at some point they disappear.
Again, this is the last post:
OK, I am going to write this post in Spanish because doing all this does not seem so simple, and it also requires prior knowledge that I have not mastered either. After reviewing some Cisco manuals online, I have come to the conclusion that this is the configuration I suppose I need so that my backup internet server takes over when the primary one fails. I hope I have no errors:
Step 1) HSRP and SLA
#ip sla 1
#icmp-echo 192.168.18.250 // primary server
#threshold 500 // it is still not clear to me what this is for
#ip sla schedule 1 life forever start-time now
#track 1 ip sla 1 reachability // track 1 is assigned to SLA object 1
In this second group of commands it is not clear to me whether I must necessarily assign an IP to a switch port on an interface in VLAN 18 (as in the example below), or whether, given that in my case these are servers and not just ports of the same switch towards the ISP router, I must do it in a different way, a way that I cannot imagine right now! Can you clarify this detail for me?
Step 2) Assign the SLA and track to a port
#interface vlan 18 // enter configuration mode for the interface
#ip address 192.168.18.13 255.255.255.0 // assign the IP and mask to the interface
#standby 1 priority 110 // set the priority of the standby router (secondary ISP)
#standby 1 track 1 decrement 50 // set the track object and the decrement on the standby server
#no shutdown // keep the port from shutting down, this seemed important to me
Regarding the above, I am still studying the decrement parameter; its function is not clear to me yet.
Step 3) Assign to the IP route
no ip route 0.0.0.0 0.0.0.0 192.168.18.250 name main_internet // everything from before needs to be deleted
ip route 0.0.0.0 0.0.0.0 192.168.18.250 name main_internet track 1 state is [up] // assign the new ip route with SLA
About this I have only one question: can I write all the parameters on a single line as above, or must I write one line for the IP route with its name and another one to add the track?
I assume that with the above the HSRP + SLA part would be ready, plus assigning the IP route with the new configuration on my Catalyst 3750. I only have to look at what remains about EEM that you suggested, but, although I have not looked at it in depth, I see that it is about receiving alerts of some kind when a failure occurs. That part is not urgent for me, so please help me with this part first and then I will study EEM. I will wait for your comments before testing the configurations, since I cannot tinker with the switch without being sure of what I am doing.
Again, I thank you for your help and look forward to your comments.
PS: I hope this post being in Spanish does not cause a disturbance in this community; if it does, please let me know.
06-13-2017 06:43 AM
I think I am having trouble; this is the second time I have posted this answer but I can't see it on the page. Anyway,
answering the last post... actually no, we use VLAN 18 exclusively for servers in the local network; we have VLANs 200 and 201 exclusively for ISPs, main one and backup respectively. The IPs for these ISP interfaces are directly configured in the IP config module of each server; I mean that these VLANs are not in any of the servers to have some firewall rules or web filtering, NAT or whatever, just the IP so that the interfaces can work.
The goal of that config is to have a direct internet connection (with static IP and/or DHCP, it depends on the ISP) without firewall restrictions, or to do internet speed testing from any point of the LAN by setting the port on any of the 12 switches that we have scattered across 9 sites on the whole campus.
Thanks and regards.