Solved

Interface Requirements for Cisco 2600

Posted on 2006-10-27
Last Modified: 2008-03-10
Hello, I have a customer who has a 2610 with the configuration below. They currently have two Ethernet modules and a serial interface (with a T1). They would like to add a failover cable connection to a second ISP. Currently one Ethernet interface is handling the LAN traffic while the other is linked to the serial interface with ip unnumbered. Is the ip unnumbered required for the VPN connections, or for some other reason? Can I free up that Ethernet interface and use it for the cable modem?


Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname X
!
enable secret X
enable password X
!
!
ip subnet-zero
ip domain-name ALTER.NET
ip name-server 198.6.1.2
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cmi42358 address 2xx.2xx.242.2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local vpn-pool
!
!
crypto ipsec transform-set company-vpn-transform esp-des esp-md5-hmac
!
crypto dynamic-map company-vpn-map 1
 set transform-set company-vpn-transform
!
!
crypto map vpnclient local-address Ethernet1/0
crypto map vpnclient client configuration address initiate
crypto map vpnclient client configuration address respond
crypto map vpnclient 20 ipsec-isakmp dynamic company-vpn-map
!
!
interface Tunnel0
 description Line Tunnel connection to Wisconsin
 ip address 30.0.0.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite1)
!
interface Tunnel1
 description Line Tunnel connection to Florida
 ip address 30.1.1.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite2)
!
interface Tunnel2
 ip address 30.2.2.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite3)
!
interface Tunnel3
 ip address 30.3.3.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination (IP Remotesite4)
!
interface Tunnel4
 description Line Tunnel connection to Houston
 ip address 30.4.4.1 255.255.255.0
 tunnel source 123.456.789.101 - (T1 VPN Source IP)
 tunnel destination  (IP Remotesite5)
!
interface Ethernet0/0
 description To Office Ethernet
 ip address 10.0.0.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
!
interface Serial0/0
 description To WorldCom
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 bandwidth 1536
 ip unnumbered Ethernet1/0
 ip access-group 106 in
 ip nat outside
 frame-relay interface-dlci 500
 crypto map vpnclient
!
interface Ethernet1/0
 ip address 123.456.789.101 - (T1 VPN Source IP) 255.255.255.240
 ip access-group 100 in
 ip nat outside
!
ip local pool vpn-pool 10.3.3.1 10.3.3.50
ip nat pool company 208.xxx.xxx.37 208.xxx.xxx.38 netmask 255.255.255.240
ip nat inside source list 1 pool company overload
ip nat inside source static 10.0.0.4 208.xxx.xxx.36
ip nat inside source static tcp 10.0.0.65 3389 208.xxx.xxx.40 3389 extendable
ip nat inside source static tcp 10.0.0.65 5631 208.xxx.xxx.40 5631 extendable
ip nat inside source static tcp 10.0.0.65 5632 208.xxx.xxx.40 5632 extendable
ip nat outside source static 10.0.0.4 208.xxx.xxx.36
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.2.2.0 255.255.255.0 Tunnel1
ip route 10.4.4.0 255.255.255.0 Tunnel2
ip route 10.5.5.0 255.255.255.0 Tunnel3
ip route 10.6.6.0 255.255.255.0 Tunnel4
no ip http server
!
access-list 1 deny   10.0.0.11
access-list 1 deny   10.0.0.12
access-list 1 deny   10.0.0.2
access-list 1 deny   10.0.0.3
access-list 1 deny   10.0.0.4
access-list 1 deny   10.0.0.65
access-list 1 deny   10.0.0.68
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq 135
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq 136
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq netbios-ns
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq netbios-dgm
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq netbios-ss
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 135
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 136
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 137
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 138
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 139
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 389
access-list 100 permit tcp 0.0.0.0 255.255.252.0 any eq 445
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq bootpc
access-list 100 permit udp 0.0.0.0 255.255.252.0 any eq 1434
access-list 100 deny   udp any any eq 135
access-list 100 deny   udp any any eq 136
access-list 100 deny   udp any any eq netbios-ns
access-list 100 deny   udp any any eq netbios-dgm
access-list 100 deny   udp any any eq netbios-ss
access-list 100 deny   tcp any any eq 135
access-list 100 deny   tcp any any eq 136
access-list 100 deny   tcp any any eq 137
access-list 100 deny   tcp any any eq 138
access-list 100 deny   tcp any any eq 139
access-list 100 deny   tcp any any eq 389
access-list 100 deny   tcp any any eq 445
access-list 100 deny   udp any any eq bootpc
access-list 100 deny   udp any any eq 1434
access-list 100 permit ip any any
access-list 101 deny   udp any any eq 1434
access-list 101 permit ip any any
access-list 106 permit tcp any any
access-list 106 permit udp any any
access-list 106 deny   53 any any
access-list 106 deny   55 any any
access-list 106 deny   77 any any
access-list 106 deny   pim any any
access-list 106 permit ip any any
access-list 120 deny   ip 10.0.0.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
!
snmp-server engineID local 0000000902000002166B5160
snmp-server community de6ad83d82 RO
snmp-server community public RO
snmp-server community RO RO
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
!
!
line con 0
 password X
 login
 transport preferred none
 transport input none
line aux 0
 password X
 login
 modem InOut
 transport preferred none
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password X
 login
 transport preferred none
!
end

Question by:Baran711
9 Comments
 
LVL 12

Expert Comment

by:pjtemplin
ID: 17819239
Failover isn't that easy.  Read the numerous other threads in this category, in Networking, and in Networking/Broadband.  You have static NAT translations; you're not going to have easy failover.

Author Comment

by:Baran711
ID: 17819477
I am aware that it is not easy; I believe it can be accomplished with policy routing and route maps, though. My question here is simply about the interface configuration and the ability to free up the Ethernet interface that is currently being used to give the serial connection an IP address. I am trying to understand why it was done this way and not assigned to the serial interface directly. It may be the case that this is required; that is what I am trying to find out.


LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 17820125
I see no reason to have it assigned to the Ethernet interface and use "ip unnumbered" on the serial interface unless the Ethernet1/0 interface is a "perimeter LAN" or "DMZ" which contains publicly addressed hosts, but it doesn't look that way since you have NATs to the inside Ethernet0/0 LAN. Is the Ethernet1/0 interface even connected to anything (is it up)? The Tunnel interface source will still remain the same IP address if it was assigned to the serial interface. Unless I'm missing something, I don't see a specific need for the current configuration. Choose a maintenance window, back up the running configuration, make the change and do extensive testing. That will probably be your best option to move forward if you can't ask the one who designed it for insight as to why it was done this way.

Author Comment

by:Baran711
ID: 17820152
The use of ip unnumbered requires that the associated interface be up (Eth 1/0 is plugged into the LAN, but its IP, as you can see, is actually a public IP address and therefore unreachable by anything on that switch). So I know they plugged it into the LAN switch just to change its status to up; I'm a bit concerned that they did it for a reason I'm not seeing.
LVL 79

Expert Comment

by:lrmoore
ID: 17820353
Agree with JFrederick29. I see no reason to have that interface unused for anything other than ip unnumbered for the serial interface.
Either use a loopback interface for unnumbered, or simply assign the IP address to the serial physical interface, especially on a point-to-point Frame Relay PVC.
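The two options lrmoore describes, written out against the posted configuration as an added example (this is not from the thread or from Cisco). The placeholder 123.456.789.101/28 is kept exactly as the thread shows it for the T1 (ISP1) address; the cable-modem address on the freed Ethernet1/0 is an assumed stand-in from RFC 5737 documentation space, and the interface names, DLCI and crypto map name are the ones already in the posted config.

```cisco
! Added example, not from the thread. Do this from the console in a
! maintenance window: Serial0/0.1 loses its address the moment it is
! removed from Ethernet1/0, so a remote session would drop.
!
! 1. Take the public address off Ethernet1/0 first. IOS refuses the
!    same subnet on two interfaces, so the old holder must give it up
!    before the new one can take it.
interface Ethernet1/0
 no ip address
 no ip nat outside
 no ip access-group 100 in
 shutdown
!
! 2. Option A (lrmoore): give the point-to-point PVC the address itself.
interface Serial0/0.1 point-to-point
 no ip unnumbered
 ip address 123.456.789.101 255.255.255.240
!
!    Option B (lrmoore): park it on a loopback, which is always up and
!    tied to no cable, and keep the PVC unnumbered to that loopback.
!    Use one option or the other, not both.
! interface Loopback0
!  ip address 123.456.789.101 255.255.255.240
! interface Serial0/0.1 point-to-point
!  ip unnumbered Loopback0
!
! 3. The IPsec client map was pinned to Ethernet1/0 with local-address.
!    Repoint it at whichever interface now owns the address
!    (Serial0/0.1 for option A, Loopback0 for option B).
crypto map vpnclient local-address Serial0/0.1
!
! 4. Tunnel0..Tunnel4 name their source by address
!    ("tunnel source 123.456.789.101"), and the remote sites still peer
!    with that same address, so they need no edit; they come back up
!    once the address exists on the new interface.
!
! 5. Ethernet1/0 is now free for the cable modem. The address is an
!    assumed ISP2 stand-in (RFC 5737 space), not from the thread. Give
!    this interface its own inbound ACL rather than re-using ACL 100.
interface Ethernet1/0
 description To ISP2 cable modem
 ip address 203.0.113.2 255.255.255.252
 no shutdown
```

After the change, confirm with `show ip interface brief` that the address sits on the intended interface and Serial0/0.1 is up, then `show crypto isakmp sa` and `show ip nat translations` once a VPN client and a LAN host have passed traffic. One thing the posted config makes visible while you are in there: ACL 100 was applied to an interface that carried no Internet traffic, so the only filter on traffic arriving from the T1 is ACL 106 on Serial0/0.1, which permits all TCP and UDP and ends in `permit ip any any`; the new cable-facing interface should not inherit that pattern.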
LVL 12

Expert Comment

by:pjtemplin
ID: 17820956
Back to the failover: since the /28 is part of UUNet's aggregate blocks, your inbound traffic will always come in on UUNet.  There's no way to have those packets come in on ISP2 when UUNet is down.  Likewise, ISP2 will discard packets coming from subnets they haven't routed to you.

Author Comment

by:Baran711
ID: 17821023
Here is a very generic example I received from Cisco after talking to them about this. The goal here isn't to maintain the same address space, but basically the point is to continue to receive mail at their Exchange server, which will be configured with a primary MX of an IP from ISP 1 as well as a secondary MX with an IP from ISP 2...


! Two outside interfaces, one per ISP
interface Ethernet3
 ip address 172.68.1.100 255.255.255.0
 ip nat outside
!
interface Ethernet4
 ip address 192.68.1.100 255.255.255.0
 ip nat outside
!
! Inside LAN
interface Ethernet5
 ip address 11.1.1.100 255.255.255.0
 ip nat inside
!
router rip
 network 172.68.1.0
 network 192.68.1.0
!
! One static translation per inside host per ISP; the route map picks
! which translation (and next hop) a flow uses
ip nat inside source static 11.1.1.2 192.68.1.21 route-map isp2
ip nat inside source static 11.1.1.2 172.68.1.21 route-map isp1
ip nat inside source static 11.1.1.1 192.68.1.11 route-map isp2
ip nat inside source static 11.1.1.1 172.68.1.11 route-map isp1
!
access-list 101 permit ip 11.1.1.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 102 permit ip 11.1.1.0 0.0.0.255 192.0.0.0 0.255.255.255
!
route-map isp2 permit 10
 match ip address 102
 set ip next-hop 192.68.1.1
!
route-map isp1 permit 10
 match ip address 101
 set ip next-hop 172.68.1.1
!
! Primary default route, with a floating static (administrative
! distance 200) that takes over when the primary is withdrawn
ip route 0.0.0.0 0.0.0.0 192.68.1.1
ip route 0.0.0.0 0.0.0.0 172.68.1.1 200


Doesn't this address your concerns, pjtemplin?
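Cisco's generic sample chooses a flow's NAT address by destination prefix, which only works because its toy addressing puts each ISP in a different /8. Applied to the router in this thread (as an added example, not from the thread or from Cisco), the usual form matches the interface the packet is routed out of, so a flow is translated to the address of whichever ISP it actually leaves on; the floating static route from Cisco's sample supplies the failover. Assumptions: ISP1 stays on Serial0/0.1 with the thread's placeholder address, ISP2 is a cable modem on Ethernet1/0 with assumed stand-in addresses from RFC 5737 space (link 203.0.113.2/30, gateway 203.0.113.1, and 203.0.113.17 as the secondary MX address), 208.xxx.xxx.36 is the thread's existing ISP1 mapping for the 10.0.0.4 server, and ACL 1 and pool `company` are the ones already in the posted config.

```cisco
! Added example for this router, not from the thread or Cisco's sample.
! ISP2 addresses are assumed stand-ins (RFC 5737), not real ones.
interface Ethernet1/0
 description To ISP2 cable modem
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Primary default via the T1 PVC; floating static (AD 200) via cable.
! The backup is installed only when Serial0/0.1's line protocol drops,
! e.g. the PVC goes inactive; an upstream failure that leaves the PVC
! up does not trigger it.
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 200
!
! Replace the single overload rule with one per ISP, selected by the
! outgoing interface. ACL 1 is the thread's existing list of LAN hosts
! that may be overloaded, so its exclusions are preserved.
no ip nat inside source list 1 pool company overload
route-map nat-isp1 permit 10
 match ip address 1
 match interface Serial0/0.1
route-map nat-isp2 permit 10
 match ip address 1
 match interface Ethernet1/0
ip nat inside source route-map nat-isp1 pool company overload
ip nat inside source route-map nat-isp2 interface Ethernet1/0 overload
!
! Exchange server: one public address per ISP, in the shape of Cisco's
! sample. The existing plain static entry must be removed first.
no ip nat inside source static 10.0.0.4 208.xxx.xxx.36
ip nat inside source static 10.0.0.4 208.xxx.xxx.36 route-map nat-isp1
ip nat inside source static 10.0.0.4 203.0.113.17 route-map nat-isp2
```

Three things to verify before relying on this. First, the posted router runs IOS 12.1; the `route-map` keyword on static translations appeared in later releases, so check that the running image accepts it (`ip nat inside source static 10.0.0.4 208.xxx.xxx.36 ?`) before planning around it. Second, while the T1 is up, a connection that arrives on the secondary MX address is answered along the primary default route, i.e. out the T1, so the reply either carries ISP2's source address into UUNet (pjtemplin's point) or is re-translated to the ISP1 address; either way that session fails. The secondary MX therefore works as a failover address, usable once the T1 route is gone and the cable default has taken over, not as a second live path; sending MTAs only fall back to the lower-priority MX when the primary is unreachable, which matches that behaviour. Third, the GRE tunnels and the IPsec client map are sourced from the ISP1 address and will not survive a failover to the cable link; a test from outside against both MX addresses with the T1 shut, watching `show ip nat translations` and `show ip route`, is the minimum acceptance test.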
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17972166
Thank you :)