Solved

Sharing two network connections with a Cisco 2611XM router

Posted on 2008-06-17
Last Modified: 2008-09-08
I have a T-1 line coming into the office and now have a cable modem/router in the same office.  The current configuration is the T-1 goes into a Cisco 2524 router, the Ethernet connection goes to a Netgear to do DHCP for the office.

Is there a way to use a 2611 router and use both the T-1 line and the cable line?  My goal is to be able to use both connections, especially if one connection goes down.  I'm not concerned with load balancing or anything else fancy like that, but do have servers inside the office that need to be reachable via the IP address of the T-1 only.

Thank you in advance for your comments.

-Scott
0
Question by:targetx
13 Comments
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21805118
Is the cable modem a static IP Address?
0
 

Author Comment

by:targetx
ID: 21805227
No, it is a dynamic IP, but we can get a static ip if we need to.
0
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21805321

I think it would work better with a static IP than a dynamic.  I'm not sure if it would work at all with the dynamic, but I've never tried.

I did something similar to this years ago, and it worked OK, but not great.

I had 2 Cisco 2600 routers that each had a T1 to the internet, and a point-to-point between them.  If the internet T1 on either failed, it would route traffic out through the point-to-point and out the other router.

I used static routing with higher metrics for the 'backup' route.  I also had to apply an ACL / NAT to traffic that went through the backup route.  
The problem I ran into was that sometimes a T1 line would go down or have problems, but the router would not put the interface down, and not know to route out through the backup interface.  (we had a routing problem with our carrier, so traffic would go 1 hop and drop)


I'm not still at the place I had this working, so I don't have access to the actual config files, but could help figure it out with what I've got.

basic config
! primary default route via the T1, backup via the cable link (higher distance value)
ip route 0.0.0.0 0.0.0.0 T1IP 1
ip route 0.0.0.0 0.0.0.0 cableIP 10
! translate inside hosts to the cable interface address when traffic leaves that way
ip nat inside source list {acl} interface {eth cable} overload

interface ethernet (cable)
ip nat outside

interface ethernet (inside)
ip nat inside

If you need more help let me know, and I'll dig up a couple routers and see what I can figure out.

0

 

Author Comment

by:targetx
ID: 21805633
So, you basically took an ethernet cable from the cable modem and used another card for the T-1 and then used a weight on the two connections?

0
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21805662
In my situation I used 2 serial (T1) connections and 1 Ethernet.

For your situation I would use 2 Ethernet and 1 serial interface.

example:
use ser0/0 for T1 interface
use eth0/0 for cable interface
use eth0/1 for internal network

0
 

Author Comment

by:targetx
ID: 21805832
I can use the serial connection for the T-1, then take the ethernet line from the cable modem/router and set it up that way.

What if I have certain servers on my network that I only want to be accessed via the T-1?
0
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21805905
Do you have a firewall behind the router, or is the router the only device?

If you don't have a firewall:

If you're using internal addressing (192.168.x.x, 172.16-31.x.x, or 10.x.x.x), you can create a one-to-one (static) NAT for the T1 to allow access to the servers from the internet via the T1, then create a hide (pool / overload) NAT on the cable interface.




0
 

Author Comment

by:targetx
ID: 21805966
Can you also shape traffic?  Say I want all outbound FTP requests to go on the cable line, is that possible?

Do you have an example ACL?
0
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21806231
I believe you can send different traffic out different connections using policy-based routing, but that is beyond my knowledge.

I'll come up with some sample ACLs and post shortly.
0
 
LVL 7

Accepted Solution

by:
mabutterfield earned 250 total points
ID: 21806350
This will get you started.  I think the commands are correct, but I've been working on PIX a lot more than IOS recently, so I had to try to remember some of the syntax.  This should get you pretty close, the rest should be just routing.  Let me know how it works.  If you need more help I'll dust off a couple routers and see what I can do.

interface ser0
description T1
ip address 1.0.0.1 255.255.255.0
ip access-group 100 in
ip nat outside

interface eth0
description cable
ip address 2.0.0.1 255.255.255.0
ip access-group 101 in
ip nat outside

interface eth1
description internal lan
ip address 3.0.0.1 255.255.255.0
ip nat inside


ip nat inside source static 3.0.0.2 1.0.0.2 extendable
ip nat inside source list 1 interface ser0 overload
ip nat inside source list 1 interface eth0 overload


! the NAT source list matches the inside (pre-translation) addresses
access-list 1 permit 3.0.0.0 0.0.0.255



ip access-list extended 100
remark inbound acl for T1
remark drop traffic for internal IP addresses (shouldn't be routed on internet)
! 172.16.0.0/12 takes wildcard 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
remark drop unwanted traffic
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny udp any any eq netbios-dgm
remark drop traffic from local address (to prevent spoofing)
! the local prefix goes in the source position; as a destination it would match before the permits below
deny ip 1.0.0.0 0.0.0.255 any
remark permit services to servers
permit tcp any host 1.0.0.2 eq 80
permit tcp any host 1.0.0.2 eq 25
remark allow return traffic
! "established" is a TCP-only keyword; UDP replies such as DNS are not matched by this entry
permit tcp any 1.0.0.0 0.0.0.255 established
remark cleanup
deny ip any any

ip access-list extended 101
remark inbound acl for cable
remark drop traffic for internal IP addresses (shouldn't be routed on internet)
! 172.16.0.0/12 takes wildcard 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
remark drop unwanted traffic
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny udp any any eq netbios-dgm
remark drop traffic from local address (to prevent spoofing)
! the local prefix goes in the source position; as a destination it would match before the permit below
deny ip 2.0.0.0 0.0.0.255 any
remark allow return traffic
! "established" is a TCP-only keyword; UDP replies such as DNS are not matched by this entry
permit tcp any 2.0.0.0 0.0.0.255 established
remark cleanup
deny ip any any


0
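IOS evaluates an ACL top-down and stops at the first matching entry, so the direction of the local-prefix deny in ACL 100 decides whether the server permits below it are ever reached. The Python below is an added example, not code from the thread; it models only the entry forms used in these ACLs, and the outside address 198.51.100.7 and the `tcp_reply` flag (a TCP segment with ACK or RST set) are assumptions for illustration.

```python
import ipaddress
PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}  # keywords used on the page

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):
    """Pop one IOS address spec (any | host A | A WILDCARD) -> (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        rules.append((line.strip(), action, proto, src, dst, port, "established" in tok))
    return rules

def hit(spec, addr):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return ((ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def first_match(rules, proto, src, dst, dport, tcp_reply=False):
    """Return (action, entry) for the first matching entry; tcp_reply models ACK/RST set."""
    for line, action, rproto, rsrc, rdst, port, est in rules:
        if rproto not in ("ip", proto) or not hit(rsrc, src) or not hit(rdst, dst):
            continue
        if (port is not None and port != dport) or (est and not tcp_reply):
            continue
        return action, line
    return "deny", "(implicit deny)"

# Constructed sample: tail of the T1 ACL, with the local-prefix deny written two ways.
TAIL = """
permit tcp any host 1.0.0.2 eq 80
permit tcp any 1.0.0.0 0.0.0.255 established
deny ip any any
"""
LOCAL_AS_DST = parse_acl("deny ip any 1.0.0.0 0.0.0.255" + TAIL)
LOCAL_AS_SRC = parse_acl("deny ip 1.0.0.0 0.0.0.255 any" + TAIL)
```

With the local prefix as destination, an outside request to 1.0.0.2 port 80 stops at the deny; with it as source, the same request reaches the permit and only packets claiming a 1.0.0.0/24 source are dropped.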
 

Author Comment

by:targetx
ID: 21807286
This is a great starting point - THANK YOU.  I'm working on the config now and will update the thread.  Thanks again for your time today.  I'll leave this question open while I work on the project.

0
 

Assisted Solution

by:worsnoptr
worsnoptr earned 150 total points
ID: 21807674
Here is an example of policy-based routing for your FTP traffic. This will send all of your FTP traffic out through your cable modem.

interface e0/1
description internal lan
ip policy route-map ftp_policy

ip access-list extended ftp
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
route-map ftp_policy permit 10
 match ip address ftp
 ! x.x.x.x = IP of cable modem
 set ip next-hop x.x.x.x
0
 
LVL 15

Assisted Solution

by:wingatesl
wingatesl earned 100 total points
ID: 21819008
You should build the NAT overloads with route maps as well. I have an example here.
http://www.inacom-sby.net/Shawn/post/2007/11/Getting-Dual-ISPs-running-on-Cisco-1811-and-above-routers(Part-1).aspx
0
