Beginner

No Internet access from second provider ISP

Hello,

I have spent 3 days on this and I need some help from you.

I have 2 layer 3 switches doing standby. This is working. But I have a second ISP for Internet. I have done all the static routes, but it doesn't work when I shut down the interface of my principal ISP for Internet; the second layer 3 switch must become active through the standby protocol to start using the Internet of my second ISP-2.

I put a static route in the layer 3 switch connected to the router of my ISP-2. The speeds are summed together. But there is no Internet access if I shut down the interface of my principal ISP-1.

The router of my second ISP-2 is a ZTE, but the router of my principal ISP-1 is a Cisco 800. Both layer 3 switches are Cisco 3760.

58 REPLIES
VIP Mentor

Re: No Internet access from second provider ISP

Hello,

 

post the configs of both your L3 switches...

Beginner

Re: No Internet access from second provider ISP

(Layer 3 switch connected to ISP-1)

spanning-tree vlan 100 priority 24576
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet3/0/1
shutdown
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
description Link to Router
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet3/0/4
description Link to SW-PRINCIPAL
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,199,208
switchport mode trunk
!
interface Vlan1
ip address 190.191.192.105 255.255.255.0
!
interface Vlan100
description HRSP-PROTOCOL
ip address 190.191.100.3 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 150
standby 1 preempt delay minimum 240 reload 300
standby 1 track 1 decrement 50
!
interface Vlan199
ip address 190.191.199.10 255.255.255.0
!
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.101
!
ip sla 1
icmp-echo 8.8.8.8
timeout 9000
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts

 

(Layer 3 switch connected to ISP-2)

spanning-tree vlan 100 priority 28672
!
vlan internal allocation policy ascending
!
!
class-map match-any P2P-PROTOCOL
class-map match-all ANY-TRAFFIC
match access-group name ANY-TRAFFIC
!
policy-map RATE-LIMIT
class ANY-TRAFFIC
police 1000000 8000 exceed-action drop
!
interface GigabitEthernet2/0/1
description Link-To-ISP2-Delancer
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 2
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/26
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,196-199,204-208,211-213,215
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
!
interface Vlan1
description ACCESS-INTERNET
ip address 190.191.192.108 255.255.255.0
!
interface Vlan100
description HSRP-PROTOCOL
ip address 190.191.100.2 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 110
standby 1 preempt
!
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.101
ip route 0.0.0.0 0.0.0.0 190.191.192.102
!
ip access-list extended ANY-TRAFFIC
permit ip any any
!
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq telnet
!
end

 

Static route config of the ZTE modem/router:

190.191.197.0/30 via 190.191.100.1 dev br0 onlink
190.191.206.0/29 via 190.191.100.1 dev br0 onlink
190.191.208.0/28 via 190.191.100.1 dev br0 onlink
190.191.192.0/24 dev br0 proto kernel scope link src 190.191.192.102

 

Thanks,

Beginner

Re: No Internet access from second provider ISP

Hello,

Layer 3 switch connected to ISP-1

spanning-tree vlan 100 priority 24576
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet3/0/1
shutdown
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
description Link to Router
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet3/0/4
description Link to SW-PRINCIPAL
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,199,208
switchport mode trunk
!
interface Vlan1
ip address 190.191.192.105 255.255.255.0
!
interface Vlan100
description HRSP-PROTOCOL
ip address 190.191.100.3 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 150
standby 1 preempt delay minimum 240 reload 300
standby 1 track 1 decrement 50
!
interface Vlan199
ip address 190.191.199.10 255.255.255.0
!
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.101
!
ip sla 1
icmp-echo 8.8.8.8
timeout 9000
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts

 

Layer 3 switch connected to ISP-2

spanning-tree vlan 100 priority 28672
!
vlan internal allocation policy ascending
!
!
class-map match-any P2P-PROTOCOL
class-map match-all ANY-TRAFFIC
match access-group name ANY-TRAFFIC
!
policy-map RATE-LIMIT
class ANY-TRAFFIC
police 1000000 8000 exceed-action drop
!
interface GigabitEthernet2/0/1
description Link-To-ISP2-Delancer
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 2
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/26
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,196-199,204-208,211-213,215
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
!
interface Vlan1
description ACCESS-INTERNET
ip address 190.191.192.108 255.255.255.0
!
interface Vlan100
description HSRP-PROTOCOL
ip address 190.191.100.2 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 110
standby 1 preempt
!
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.101
ip route 0.0.0.0 0.0.0.0 190.191.192.102
!
ip access-list extended ANY-TRAFFIC
permit ip any any
!
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq telnet
!
end

 

Config of the ZTE modem/router (static route)

190.191.197.0/30 via 190.191.100.1 dev br0 onlink
190.191.206.0/29 via 190.191.100.1 dev br0 onlink
190.191.208.0/28 via 190.191.100.1 dev br0 onlink
190.191.192.0/24 dev br0 proto kernel scope link src 190.191.192.102

VIP Mentor

Re: No Internet access from second provider ISP

Your Zyxel is using the internal standby IP as the next hop. Provide a schematic drawing of your physical and logical setup so we can figure out what is connected to what...

VIP Mentor

Re: No Internet access from second provider ISP

Hello,

 

try and configure the IP SLA on both switches as below (marked in bold):

 

(Layer 3 switch connected to ISP-1)

 

spanning-tree vlan 100 priority 24576
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet3/0/1
shutdown
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
description Link to Router
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet3/0/4
description Link to SW-PRINCIPAL
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,199,208
switchport mode trunk
!
interface Vlan1
ip address 190.191.192.105 255.255.255.0
!
interface Vlan100
description HRSP-PROTOCOL
ip address 190.191.100.3 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 150
standby 1 preempt delay minimum 240 reload 300
standby 1 track 1 decrement 50
!
interface Vlan199
ip address 190.191.199.10 255.255.255.0
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.101 track 1
ip route 0.0.0.0 0.0.0.0 190.191.192.102 250
!
ip sla 1
icmp-echo 8.8.8.8
timeout 9000
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts

 

(Layer 3 switch connected to ISP-2)

 

spanning-tree vlan 100 priority 28672
!
track 1 ip sla 1 reachability
!
vlan internal allocation policy ascending
!
class-map match-any P2P-PROTOCOL
class-map match-all ANY-TRAFFIC
match access-group name ANY-TRAFFIC
!
policy-map RATE-LIMIT
class ANY-TRAFFIC
police 1000000 8000 exceed-action drop
!
interface GigabitEthernet2/0/1
description Link-To-ISP2-Delancer
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 2
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/26
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,196-199,204-208,211-213,215
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
!
interface Vlan1
description ACCESS-INTERNET
ip address 190.191.192.108 255.255.255.0
!
interface Vlan100
description HSRP-PROTOCOL
ip address 190.191.100.2 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 110
standby 1 preempt
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.101 250
ip route 0.0.0.0 0.0.0.0 190.191.192.102 track 1
!
ip sla 1
icmp-echo 8.8.8.8
timeout 9000
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!
ip access-list extended ANY-TRAFFIC
permit ip any any
!
access-list 101 deny tcp any any eq www
access-list 101 deny tcp any any eq telnet
!
end

 

Static route config of the ZTE modem/router:

190.191.197.0/30 via 190.191.100.1 dev br0 onlink
190.191.206.0/29 via 190.191.100.1 dev br0 onlink
190.191.208.0/28 via 190.191.100.1 dev br0 onlink
190.191.192.0/24 dev br0 proto kernel scope link src 190.191.192.102

Beginner

Re: No Internet access from second provider ISP

Hello,

I tested what you said but it didn't work. If I shut down the ISP-1 interface from the layer 3 switch, IP SLA continues working, I mean:

SW-ISP-1#sh track
Track 1
IP SLA 1 reachability
Reachability is Up
276 changes, last change 00:03:04
Latest operation return code: OK
Latest RTT (millisecs) 58
Tracked by:
HSRP Vlan100 1

 

I am giving you the config of my PRINCIPAL layer 3 switch. This switch has all the VLAN interfaces and the DHCP for the VLANs.

 

Check the config:

ISP-1 connected to switch:

track 1 ip sla 1 reachability
!
interface GigabitEthernet3/0/1
shutdown
!
interface GigabitEthernet3/0/2
!
interface GigabitEthernet3/0/3
description Link to Router
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet3/0/4
description Link to SW-PRINCIPAL
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,199,208
switchport mode trunk
!
interface Vlan1
ip address 190.191.192.105 255.255.255.0
!
interface Vlan100
description HRSP-PROTOCOL
ip address 190.191.100.3 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 150
standby 1 preempt delay minimum 240 reload 300
standby 1 track 1 decrement 50
!
interface Vlan199
ip address 190.191.199.10 255.255.255.0
!
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.101 track 1
ip route 0.0.0.0 0.0.0.0 190.191.192.102 250
!
ip sla 1
icmp-echo 8.8.8.8
timeout 9000
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!
end

 

ISP-2 connected to the other layer 3 switch:

track 1 ip sla 1 reachability
!
!
class-map match-any P2P-PROTOCOL
class-map match-all ANY-TRAFFIC
match access-group name ANY-TRAFFIC
!
policy-map RATE-LIMIT
class ANY-TRAFFIC
police 1000000 8000 exceed-action drop
!
interface GigabitEthernet2/0/1
description Link-To-ISP2-Delancer
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport port-security maximum 2
!
interface GigabitEthernet2/0/25
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,101,197,199,204,207,208,213
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet2/0/26
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,101,196-199,204-208,211-213,215
switchport mode trunk
switchport nonegotiate
!
interface Vlan1
description ACCESS-INTERNET
ip address 190.191.192.108 255.255.255.0
!
interface Vlan100
description HSRP-PROTOCOL
ip address 190.191.100.2 255.255.255.240
standby 1 ip 190.191.100.1
standby 1 priority 110
standby 1 preempt
!
!
router eigrp 1
network 0.0.0.0
eigrp stub connected summary
!
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 190.191.192.102 track 1
ip route 0.0.0.0 0.0.0.0 190.191.192.101 250
!
ip access-list extended ANY-TRAFFIC
permit ip any any
!
ip sla 1
icmp-echo 8.8.8.8
timeout 9000
frequency 15
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!

 

SW-PRINCIPAL:

ip dhcp pool 208
network 190.191.208.0 255.255.255.240
default-router 190.191.100.1
dns-server 200.88.127.22 200.88.127.23
!
ip dhcp pool 206
network 190.191.206.0 255.255.255.248
default-router 190.191.100.1
dns-server 200.88.127.22 200.88.127.23
!
ip dhcp pool 215
network 190.191.215.0 255.255.255.224
default-router 190.191.100.1
dns-server 200.88.127.22 200.88.127.23
!
!
power redundancy-mode redundant
spanning-tree mode pvst
spanning-tree extend system-id
!
interface GigabitEthernet1/5
description Link to Layer-3-Switch as ISP1
switchport trunk allowed vlan 1,100,101,199,208
switchport mode trunk
!
interface GigabitEthernet1/6
description Link to SW-CAJAS-INTERNET P13
switchport trunk allowed vlan 1,101,213,217
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/7
description Link to SW-CAJAS P9
switchport trunk allowed vlan 1,101,195,202
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/9
description Link to SW-USUARIOS P13
switchport trunk allowed vlan 1,101,196,197,207,208,210-212,215-217
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/11
description Link to SW-CONTAB P1
switchport trunk allowed vlan 1,100-102,195-199,202-208,211-213,215-217
switchport mode trunk
switchport nonegotiate
!
interface Vlan1
ip address 190.191.192.107 255.255.255.0
!
interface Vlan206
description RED-AD
ip address 190.191.206.1 255.255.255.248
!
!
interface Vlan208
description VLAN-USUARIOS CON INTERNET
ip address 190.191.208.1 255.255.255.240
!
!
router eigrp 1
network 0.0.0.0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
! To layer 3 switch ISP-1
ip route 0.0.0.0 0.0.0.0 190.191.192.105
! To layer 3 switch ISP-2
ip route 0.0.0.0 0.0.0.0 190.191.192.108

 

Thanks,

Contributor

Re: No Internet access from second provider ISP

That would mean that the switch still can ping 8.8.8.8. You can place a static route to 8.8.8.8 out SP1 to resolve the issue. You may even have to have a secondary null route when the SP1 interface is down.

 

Please rate helpful posts.

Beginner

Re: No Internet access from second provider ISP

I don't understand: "You can place a static route to 8.8.8.8 out SP1 to resolve the issue".

VIP Mentor

Re: No Internet access from second provider ISP

Post a drawing of your network that shows how everything is connected...

Beginner

Re: No Internet access from second provider ISP

Hello,

I attached a drawing of my network:

ISP-1-Router To SW-ISP-1 (Here is the HSRP as ACTIVE and IP SLA)

SW-ISP-1 To SW-Principal (Here are all the interface VLANs, etc.)

SW-Principal To SW-CONTAB

SW-CONTAB To SW-ISP-2

ISP-2-ZTE-Router To SW-ISP-2 (HSRP as standby and IP SLA)

SW-ISP-2 To other SWs by fiber.

 

Thanks,

Contributor

Re: No Internet access from second provider ISP

ip route 8.8.8.8 255.255.255.255 ISP1IPAddressHere
ip route 8.8.8.8 255.255.255.255 null0 250

Please rate helpful posts.
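
Added example, not part of the thread: a simplified Python model of the route lookup that the IP SLA probe to 8.8.8.8 follows, comparing the tracked and floating default routes posted earlier with the host route plus Null0 route suggested in this reply. It assumes ISP-2 stays up, that both next hops stay resolvable on VLAN 1, and one probe per cycle; the function names are hypothetical.

```python
import ipaddress

ISP1, ISP2 = "190.191.192.101", "190.191.192.102"  # next hops from the thread

def best_route(routes, dst, track_up):
    """Longest-prefix match, then lowest administrative distance.
    A route tied to the track object is installed only while the track is up."""
    dst = ipaddress.ip_address(dst)
    live = [r for r in routes
            if dst in ipaddress.ip_network(r["prefix"])
            and (track_up or not r.get("tracked"))]
    return min(live, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                    r["ad"]))

def simulate(routes, isp1_up, cycles=6):
    """Run probe cycles and return the track state after each one."""
    track_up, history = True, []
    for _ in range(cycles):
        hop = best_route(routes, "8.8.8.8", track_up)["via"]
        # The probe is answered only if the exit it was routed to works
        # (assumption: ISP-2 is always up, Null0 always drops).
        track_up = (hop == ISP1 and isp1_up) or hop == ISP2
        history.append(track_up)
    return history

def default_exit(routes, track_up):
    """Next hop used by ordinary Internet traffic (constructed test address)."""
    return best_route(routes, "203.0.113.10", track_up)["via"]

# Default routes as configured on the ISP-1 switch earlier in the thread.
AS_POSTED = [
    {"prefix": "0.0.0.0/0", "via": ISP1, "ad": 1, "tracked": True},
    {"prefix": "0.0.0.0/0", "via": ISP2, "ad": 250},
]
# Same, plus the host route pinned to ISP-1 and the Null0 fallback.
PINNED = AS_POSTED + [
    {"prefix": "8.8.8.8/32", "via": ISP1, "ad": 1},
    {"prefix": "8.8.8.8/32", "via": "Null0", "ad": 250},
]

if __name__ == "__main__":
    print("as posted, ISP-1 down:", simulate(AS_POSTED, isp1_up=False))
    print("pinned,    ISP-1 down:", simulate(PINNED, isp1_up=False))
    print("user traffic exits via:", default_exit(PINNED, track_up=False))
```

In this model the unpinned probe follows the backup default as soon as the primary is withdrawn, so the track object comes back up and oscillates; with the probe pinned to ISP-1 the track stays down and user traffic stays on ISP-2.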
VIP Mentor

Re: No Internet access from second provider ISP

Hello,

 

on your SW-Principal, when the ICMP fails, you need to point the static route to the Vlan 1 interface of the other switch:

 

ip route 0.0.0.0 0.0.0.0 190.191.192.101 track 1
ip route 0.0.0.0 0.0.0.0 190.191.192.108 50

 

Since you are using EIGRP, I changed the admin distance on the second default route to 50...

Beginner

Re: No Internet access from second provider ISP

I tested, and the speeds of my two ISPs are not summed. That's good. But I am still without Internet when I shut down the interface on my ISP-1. From SW-Principal, ICMP continues to fail.

These are the routes on my SW-Principal:

ip route 0.0.0.0 0.0.0.0 190.191.192.101 track 1
! If I delete this route, I don't have Internet
ip route 0.0.0.0 0.0.0.0 190.191.192.105
ip route 0.0.0.0 0.0.0.0 190.191.192.108 50

 

Thanks,

 

VIP Mentor

Re: No Internet access from second provider ISP

Hello,

 

Where in your drawing are 101, 105, and 108?
