Solved

Sharing two network connections with a Cisco 2611XM router

Posted on 2008-06-17
Last Modified: 2008-09-08
I have a T-1 line coming into the office and now have a cable modem/router in the same office.  The current configuration is the T-1 goes into a Cisco 2524 router, the Ethernet connection goes to a Netgear to do DHCP for the office.

Is there a way to use a 2611 router and use both the T-1 line and the cable line?  My goal is to be able to use both connections, especially if one connection goes down.  I'm not concerned with load balancing or anything else fancy like that, but do have servers inside the office that need to be reachable via the IP address of the T-1 only.

Thank you in advance for your comments.

-Scott
Question by:targetx
 
LVL 7

Expert Comment

by:mabutterfield
Is the cable modem a static IP Address?
0
 

Author Comment

by:targetx
No, it is a dynamic IP, but we can get a static ip if we need to.
0
 
LVL 7

Expert Comment

by:mabutterfield
I think it would work better with a static IP than a dynamic.  I'm not sure if it would work at all with the dynamic, but I've never tried.

I did something similar to this years ago, and it worked OK, but not great.

I had 2 Cisco 2600 routers that each had a T1 to the internet, and a point-to-point between them.  If the internet T1 on either failed, it would route traffic out through the point-to-point and out the other router.

I used static routing with higher metrics for the 'backup' route.  I also had to apply an ACL / NAT to traffic that went through the backup route.
The problem I ran into was that sometimes a T1 line would go down or have problems, but the router would not put the interface down, and not know to route out through the backup interface.  (We had a routing problem with our carrier, so traffic would go 1 hop and drop.)

I'm not still at the place I had this working, so I don't have access to the actual config files, but could help figure it out with what I've got.

basic config
! T1IP / cableIP are the next-hop addresses; the higher distance (10) makes the cable route the backup
ip route 0.0.0.0 0.0.0.0 T1IP 1
ip route 0.0.0.0 0.0.0.0 cableIP 10
ip nat inside source list {acl} interface {eth cable} overload

interface ethernet (cable)
 ip nat outside

interface ethernet (inside)
 ip nat inside

If you need more help let me know, and I'll dig up a couple routers and see what I can figure out.

0
 

Author Comment

by:targetx
So, you basically took an ethernet cable from the cable modem and used another card for the T-1 and then used a weight on the two connections?

0
 
LVL 7

Expert Comment

by:mabutterfield
In my situation I used 2 serial (T1) connections and 1 Ethernet.

For your situation I would use 2 Ethernet and 1 serial interface.

Example:
use ser0/0 for T1 interface
use eth0/0 for cable interface
use eth0/1 for internal network

0
 

Author Comment

by:targetx
I can use the serial connection for the T-1, then take the ethernet line from the cable modem/router and set it up that way.

What if I have certain servers on my network that I only want to be accessed via the T-1?
0

 
LVL 7

Expert Comment

by:mabutterfield
Do you have a firewall behind the router, or is the router the only device?

If you don't have a firewall:

If you're using internal addressing (192.168.x.x, 172.16-31.x.x, or 10.x.x.x) you can create a one-to-one (static) NAT for the T1 to allow access to the servers from the internet via the T1, then create a hide (pool / overload) NAT on the cable interface.

0
 

Author Comment

by:targetx
Can you also shape traffic?  Say I want all outbound FTP requests to go on the cable line, is that possible?

Do you have an example ACL?
0
 
LVL 7

Expert Comment

by:mabutterfield
I believe you can send different traffic out different connections using policy-based routing, but that is beyond my knowledge.

I'll come up with some sample ACLs and post shortly.
0
 
LVL 7

Accepted Solution

by:
mabutterfield earned 250 total points
This will get you started.  I think the commands are correct, but I've been working on PIX a lot more than IOS recently, so I had to try to remember some of the syntax.  This should get you pretty close, the rest should be just routing.  Let me know how it works.  If you need more help I'll dust off a couple routers and see what I can do.

interface Serial0/0
 description T1
 ip address 1.0.0.1 255.255.255.0
 ip access-group 100 in
 ip nat outside

interface Ethernet0/0
 description cable
 ip address 2.0.0.1 255.255.255.0
 ip access-group 101 in
 ip nat outside

interface Ethernet0/1
 description internal lan
 ip address 3.0.0.1 255.255.255.0
 ip nat inside

! one-to-one NAT for the server on the T1, overload NAT for everything else
! with two outside interfaces, tie each overload rule to a route-map that
! matches the exit interface; two rules on the same list conflict
ip nat inside source static 3.0.0.2 1.0.0.2 extendable
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source list 1 interface Ethernet0/0 overload

! NAT source list: the inside LAN
access-list 1 permit 3.0.0.0 0.0.0.255

ip access-list extended 100
 remark inbound acl for T1
 remark drop traffic for internal IP addresses (shouldn't be routed on internet)
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 169.254.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 remark drop unwanted traffic
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-ss
 deny udp any any eq netbios-dgm
 remark drop traffic from local address (to prevent spoofing)
 deny ip 1.0.0.0 0.0.0.255 any
 remark permit services to servers
 permit tcp any host 1.0.0.2 eq 80
 permit tcp any host 1.0.0.2 eq 25
 remark allow return traffic (established matches TCP only)
 permit tcp any 1.0.0.0 0.0.0.255 established
 remark cleanup
 deny ip any any

ip access-list extended 101
 remark inbound acl for cable
 remark drop traffic for internal IP addresses (shouldn't be routed on internet)
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 169.254.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 remark drop unwanted traffic
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-ss
 deny udp any any eq netbios-dgm
 remark drop traffic from local address (to prevent spoofing)
 deny ip 2.0.0.0 0.0.0.255 any
 remark allow return traffic (established matches TCP only)
 permit tcp any 2.0.0.0 0.0.0.255 established
 remark cleanup
 deny ip any any


0
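An added example, not part of the original answer or any Cisco tool: IOS extended ACLs are matched top-down with the first hit winning, and wildcard masks are inverted netmasks, so one wrong mask or a source/destination swap changes what an inbound filter actually blocks. The Python below evaluates three constructed ACLs in the style of the ones above; the helper names, the `NARROW`/`SHADOW`/`FIXED` variants and the test addresses are assumptions for illustration, and only numeric `eq` ports are parsed.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def first_match(acl, proto, src, dst, dport=None, syn_only=False):
    """Return (action, entry) for the first entry the packet matches, top-down."""
    for entry in acl:
        tok = entry.split()
        if tok[0] == "remark":
            continue
        s, i = parse_addr(tok, 2)
        d, i = parse_addr(tok, i)
        rest = tok[i:]
        if tok[1] not in ("ip", proto):
            continue
        if not (wc_match(src, *s) and wc_match(dst, *d)):
            continue
        if "eq" in rest and int(rest[rest.index("eq") + 1]) != dport:
            continue  # only numeric ports are handled here
        if "established" in rest and syn_only:
            continue  # 'established' needs ACK or RST set, so a bare SYN fails
        return tok[0], entry
    return "deny", "(implicit deny)"

def build(wc_172, antispoof):
    """Constructed inbound ACL for an outside interface on 1.0.0.0/24."""
    return [f"deny ip 172.16.0.0 {wc_172} any",
            antispoof,
            "permit tcp any host 1.0.0.2 eq 80",
            "permit tcp any 1.0.0.0 0.0.0.255 established",
            "deny ip any any"]

NARROW = build("0.0.15.255", "deny ip 1.0.0.0 0.0.0.255 any")    # /12 written too small
SHADOW = build("0.15.255.255", "deny ip any 1.0.0.0 0.0.0.255")  # anti-spoof on destination
FIXED = build("0.15.255.255", "deny ip 1.0.0.0 0.0.0.255 any")
```

With `NARROW`, a packet sourced from 172.20.5.5 reaches the web server because `0.0.15.255` covers only 172.16.0.0 to 172.16.15.255; with `SHADOW`, legitimate traffic to 1.0.0.2 is dropped before the permit lines are reached.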
 

Author Comment

by:targetx
This is a great starting point - THANK YOU.  I'm working on the config now and will update the thread.  Thanks again for your time today.  I'll leave this question open while I work on the project.

0
 

Assisted Solution

by:worsnoptr
worsnoptr earned 150 total points
Here is an example of policy-based routing for your FTP traffic. This will send all of your FTP traffic out through your cable modem.

interface Ethernet0/1
 description internal lan
 ip policy route-map ftp_policy

ip access-list extended ftp
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data

route-map ftp_policy permit 10
 match ip address ftp
 ! x.x.x.x is the IP of the cable modem
 set ip next-hop x.x.x.x
0
 
LVL 15

Assisted Solution

by:wingatesl
wingatesl earned 100 total points
You should build the NAT overloads with route maps as well. I have an example here.
http://www.inacom-sby.net/Shawn/post/2007/11/Getting-Dual-ISPs-running-on-Cisco-1811-and-above-routers(Part-1).aspx
0
