Baran711 (United States of America) asked:
Interface Requirements for Cisco 2600

Hello, I have a customer who has a 2610 with the configuration below. They currently have 2 Ethernet modules and a serial interface (with T1). They would like to add a failover cable connection to a second ISP. Currently one Ethernet interface is handling the LAN traffic while another is linked to the serial interface with ip unnumbered. Is the ip unnumbered required for the VPN connections or for some other reason? Can I free up that Ethernet interface and use it for the cable modem?


Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname X
!
enable secret X
enable password X
!
!
ip subnet-zero
ip domain-name ALTER.NET
ip name-server 198.6.1.2
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cmi42358 address 2xx.2xx.242.2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local vpn-pool
!
!
crypto ipsec transform-set company-vpn-transform esp-des esp-md5-hmac
!
crypto dynamic-map company-vpn-map 1
 set transform-set company-vpn-transform
!
!
crypto map vpnclient local-address Ethernet1/0
crypto map vpnclient client configuration address initiate
crypto map vpnclient client configuration address respond
crypto map vpnclient 20 ipsec-isakmp dynamic company-vpn-map
!
!
interface Tunnel0
 description Line Tunnel connection to Wisconsin
 ip address 30.0.0.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite1)
!
interface Tunnel1
 description Line Tunnel connection to Florida
 ip address 30.1.1.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite2)
!
interface Tunnel2
 ip address 30.2.2.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite3)
!
interface Tunnel3
 ip address 30.3.3.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite4)
!
interface Tunnel4
 description Line Tunnel connection to Houston
 ip address 30.4.4.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination  (IP Remotesite5)
!
interface Ethernet0/0
 description To Office Ethernet
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
!
interface Serial0/0
 description To WorldCom
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 bandwidth 1536
 ip unnumbered Ethernet1/0
 ip access-group 106 in
 ip nat outside
 frame-relay interface-dlci 500
 crypto map vpnclient
!
interface Ethernet1/0
 ip address 123.456.789.101 - (T1 VPN Source IP) 255.255.255.240
 ip access-group 100 in
 ip nat outside
!
ip local pool vpn-pool 10.3.3.1 10.3.3.50
ip nat pool company 208.xxx.xxx.37 208.xxx.xxx.38 netmask 255.255.255.240
ip nat inside source list 1 pool company overload
ip nat inside source static 10.0.0.4 208.xxx.xxx.36
ip nat inside source static tcp 10.0.0.65 3389 208.xxx.xxx.40 3389 extendable
ip nat inside source static tcp 10.0.0.65 5631 208.xxx.xxx.40 5631 extendable
ip nat inside source static tcp 10.0.0.65 5632 208.xxx.xxx.40 5632 extendable
ip nat outside source static 10.0.0.4 208.xxx.xxx.36
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.2.2.0 255.255.255.0 Tunnel1
ip route 10.4.4.0 255.255.255.0 Tunnel2
ip route 10.5.5.0 255.255.255.0 Tunnel3
ip route 10.6.6.0 255.255.255.0 Tunnel4
no ip http server
!
access-list 1 deny   10.0.0.11
access-list 1 deny   10.0.0.12
access-list 1 deny   10.0.0.2
access-list 1 deny   10.0.0.3
access-list 1 deny   10.0.0.4
access-list 1 deny   10.0.0.65
access-list 1 deny   10.0.0.68
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq 135
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq 136
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq netbios-ns
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq netbios-dgm
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq netbios-ss
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 135
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 136
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 137
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 138
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 139
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 389
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 445
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq bootpc
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq 1434
access-list 100 deny   udp any any eq 135
access-list 100 deny   udp any any eq 136
access-list 100 deny   udp any any eq netbios-ns
access-list 100 deny   udp any any eq netbios-dgm
access-list 100 deny   udp any any eq netbios-ss
access-list 100 deny   tcp any any eq 135
access-list 100 deny   tcp any any eq 136
access-list 100 deny   tcp any any eq 137
access-list 100 deny   tcp any any eq 138
access-list 100 deny   tcp any any eq 139
access-list 100 deny   tcp any any eq 389
access-list 100 deny   tcp any any eq 445
access-list 100 deny   udp any any eq bootpc
access-list 100 deny   udp any any eq 1434
access-list 100 permit ip any any
access-list 101 deny   udp any any eq 1434
access-list 101 permit ip any any
access-list 106 permit tcp any any
access-list 106 permit udp any any
access-list 106 deny   53 any any
access-list 106 deny   55 any any
access-list 106 deny   77 any any
access-list 106 deny   pim any any
access-list 106 permit ip any any
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
!
snmp-server engineID local 0000000902000002166B5160
snmp-server community de6ad83d82 RO
snmp-server community public RO
snmp-server community RO RO
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
!
!
line con 0
 password X
 login
 transport preferred none
 transport input none
line aux 0
 password X
 login
 modem InOut
 transport preferred none
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password X
 login
 transport preferred none
!
end

pjtemplin:

Failover isn't that easy.  Read the numerous other threads in this category, in Networking, and in Networking/Broadband.  You have static NAT translations; you're not going to have easy failover.
Baran711 (asker):
I am aware that it is not easy; I believe it can be accomplished with policy routing and route maps, though. My question here is simply on the interface configuration and the ability to free up the Ethernet interface that is currently being used to assign the serial connection an IP address. I am trying to understand why it was done this way and not assigned to the serial interface directly; it may be the case that this is required, and that is what I am trying to find out.


JFrederick29 (accepted solution; the solution text is members-only and not included on this page)

Baran711 (asker):
The use of ip unnumbered requires that the associated interface be up (Eth 1/0 is plugged into the LAN, but its IP, as you can see, is actually a public IP address and therefore unreachable by anything in that switch). So I know they plugged it into the LAN switch just to change its status to up; I'm a bit concerned that they did it for a reason I'm not seeing...
Les Moore:
Agree with JFrederick29. I see no reason to have that interface unused for anything other than ip unnumbered for the serial interface.
Either use a loopback interface for unnumbered, or simply assign the IP address to the serial physical interface, especially on a point-to-point frame-relay PVC.
Back to the failover: since the /28 is part of UUNet's aggregate blocks, your inbound traffic will always come in on UUNet. There's no way to have those packets come in on ISP2 when UUNet is down. Likewise, ISP2 will discard packets coming from subnets they haven't routed to you.
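Added example (not posted by anyone in this thread) showing Les Moore's loopback option applied to the posted config, so that Ethernet1/0 can be handed to the cable modem. It assumes the address on Ethernet1/0 is the asker's redacted placeholder 123.456.789.101/28 and that nothing else on the LAN switch relies on that port; the ISP 2 address and mask are placeholders.

```cisco
! 1. Home the public /28 on a loopback: it is always up, so ip unnumbered
!    no longer depends on a physical port being patched into the LAN switch.
!    123.456.789.101 is the asker's redacted placeholder for the real address.
interface Loopback0
 description Public /28, VPN endpoint, anchor for Serial0/0.1
 ip address 123.456.789.101 255.255.255.240
!
! 2. Point the frame-relay PVC at the loopback instead of Ethernet1/0.
interface Serial0/0.1 point-to-point
 ip unnumbered Loopback0
!
! 3. The crypto map names its local interface explicitly; it must follow the
!    address, otherwise IKE for the VPN clients is bound to the wrong interface.
crypto map vpnclient local-address Loopback0
!
! 4. The GRE tunnels reference the address literally (tunnel source
!    123.456.789.101), which stays valid once it lives on Loopback0;
!    naming the loopback on each Tunnel0..Tunnel4 is clearer. One shown:
interface Tunnel0
 tunnel source Loopback0
!
! 5. Ethernet1/0 is now free for ISP 2. Address and mask are placeholders;
!    ip access-group 100 in and ip nat outside are already on the port.
interface Ethernet1/0
 description To cable modem (ISP 2)
 ip address <ISP2-ADDRESS> <ISP2-MASK>
 ip access-group 100 in
 ip nat outside
```

Traffic sent out through ISP 2 still needs a translation into ISP 2's address space (the point Les Moore makes about source subnets), so the existing pool of UUNet addresses cannot simply be reused on that path. While the crypto and management sections are open, the wildcard pre-shared key `cisco123 address 0.0.0.0 0.0.0.0` and the `public` and `RO` SNMP communities in the posted config deserve a second look independent of the interface change.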
Baran711 (asker):

Here is a very generic example I received from Cisco after talking to them about this. The goal here isn't to maintain the same address space, but basically the point is to continue to receive mail at their Exchange server, which will be configured with a primary MX of an IP from ISP 1 as well as a secondary MX with an IP from ISP 2...


interface Ethernet3
 ip address 172.68.1.100 255.255.255.0
 ip nat outside
!
interface Ethernet4
 ip address 192.68.1.100 255.255.255.0
 ip nat outside
!
interface Ethernet5
 ip address 11.1.1.100 255.255.255.0
 ip nat inside
!
router rip
 network 172.68.1.0
 network 192.68.1.0
!
! Each inside host gets one static translation per ISP; the route-map decides
! which translation applies based on where the packet is being sent.
ip nat inside source static 11.1.1.2 192.68.1.21 route-map isp2
ip nat inside source static 11.1.1.2 172.68.1.21 route-map isp1
ip nat inside source static 11.1.1.1 192.68.1.11 route-map isp2
ip nat inside source static 11.1.1.1 172.68.1.11 route-map isp1
access-list 101 permit ip 11.1.1.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 192.0.0.0 0.255.255.255
!
route-map isp2 permit 10
 match ip address 102
 set ip next-hop 192.68.1.1
!
route-map isp1 permit 10
 match ip address 101
 set ip next-hop 172.68.1.1
!
! Default via ISP2; the ISP1 default has administrative distance 200, so it is
! only installed when the ISP2 route goes away.
ip route 0.0.0.0 0.0.0.0 192.68.1.1
ip route 0.0.0.0 0.0.0.0 172.68.1.1 200


Doesn't this address your concerns, pjtemplin?
Thank you :)