connecting Cisco 2821 Router to a second ISP for redundancy

denver218
I have a Cisco 2821 router.  I just got a cable modem to use as a second/redundant internet circuit.  I configured an interface for this circuit, but I can't even ping out of this interface.  I am eventually going to use PBR to route web traffic out of the cable modem, but at the moment I can't even ping out of this interface.  I did add a second ip route statement for this circuit, but I still can't ping out of this interface.  Below is my configuration:  Am I doing something wrong?

RTR#show run
Building configuration...

Current configuration : 1434 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
enable password
!
no aaa new-model
clock timezone est -5
clock summer-time EDT recurring
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name cisco.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description TO_XO_ADTRAN_ROUTER
 ip address x.x.x.242 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description TO_ASA5510
 ip address x.x.x.130 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description TO_COMCAST_CABLE MODEM
 ip address x.x.143.129 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/3/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.241
ip route 0.0.0.0 0.0.0.0 x.x.143.134 10
ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 password
 login
line aux 0
line vty 0 4
 password
 login
!
scheduler allocate 20000 1000
end
Network Architect
Commented:
Just to be clear, you're not even able to ping x.x.143.134? Have you power-cycled the cable box and verified the IP range with the provider?
Robert Sutton Jr, Senior Network Manager

Commented:
Do a:

sh ip nat trans

and post results back here.
Jody Lemoine, Network Architect

Commented:
Also, what model of Cable modem have they provided? It's equally possible that they've provided a modem/router that needs to be put into bridge mode to function.  Are you able to ping the x.x.143.134 from a computer if plugged in directly using the same IP settings?
The problem here is that NAT is going to have to be configured for the Comcast connection. GE0/1 is going to need "ip nat inside" and you are going to have to put an overload statement in place. We will then need to track the availability of the primary connection and remove the route to fail over.
Here is what you will need to add:
conf t
! Enable NAT on the inside interface (don't worry, it should not affect the other connection)
int gi 0/1
ip nat inside
! access list to use for nat overload
access-list 1 permit x.x.x.242 0.0.0.7
! NAT overload statement to support second connection
ip nat inside source list 1 interface fa 0/1/0 overload
! static route to prevent sla from flapping (host mask is /32, i.e. 255.255.255.255)
ip route 4.2.2.2 255.255.255.255 x.x.x.241
! sla to track availability of internet through primary connection
! (the primary circuit is on GigabitEthernet0/0 in the posted config, so source the probe there)
ip sla 1
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/0
timeout 500
threshold 40
frequency 3
ip sla schedule 1 life forever start-time now
! tracking object
track 1 ip sla 1 reachability
! remove the old primary route and re-add it with object tracking
no ip route 0.0.0.0 0.0.0.0 x.x.x.241
ip route 0.0.0.0 0.0.0.0 x.x.x.241 track 1

The previous post should allow you to get a failover and then a double NATted connection on the Comcast side. Nothing that you can do about that but move NAT to the router only. That is a topic for another post.
Jody Lemoine, Network Architect

Commented:
NAT is pretty much a non-issue until we can get basic IP connectivity. That said, it's certainly the next step once the basics are taken care of.
We never really received confirmation that he could not ping the gateway. There are only 3 things that can typically cause that (outside of a physical issue):
1. Comcast did not give a static
2. the ip address is wrong.
3. the cable modem firewall is enabled for the static IP (this is the default on the modem unless the cable tech is smart enough to turn it off)

We need a PC plugged in with the static IP on it to test.

I worked under the assumption that the attempt to ping was from the internal network after disconnecting the other circuit (based on the incomplete NAT configuration, it would fail).
Jody Lemoine, Network Architect

Commented:
Ah. Two different assumptions. I was assuming that he was pinging from the router. We can do pretty much any diagnosis necessary without hooking up a PC though.
Jody Lemoine, Network Architect

Commented:
Once we have the backup interface enabled, we can support NAT on both interfaces using "ip inside source route-map" rather than "ip inside source list" and then use floating static routes in combination with your IP SLA tracking to give full failover... but one thing at a time. :)

Author

Commented:
Thanks.  Ok, I have come up with the below configuration.  I am pushing all port 80 and 443 traffic out of the cable modem; if the cable modem fails, all traffic will go out the main circuit.  If the main circuit fails I want all traffic to go out the cable modem.  If I get rid of ip route 0.0.0.0 0.0.0.0 x.x.x.241 and add ip route 0.0.0.0 0.0.0.0 x.x.x.241 track 102, VPNs go down, I lose internet, etc.  If I take it out and add just ip route 0.0.0.0 0.0.0.0 x.x.x.241, everything works again.  I know my PBR is working: if I go to iptools, it shows an IP address of the cable modem.  I just need to get track 102 working.  Below is my configuration:

Router#show run
Building configuration...

Current configuration : 2720 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
clock timezone est -5
clock summer-time EDT recurring
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
track 101 ip sla 1 reachability
!
track 102 ip sla 2 reachability
!
!
!
interface GigabitEthernet0/0
 description TO_XO_ADTRAN
 ip address x.x.x.242 255.255.255.248
 ip flow ingress
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description TO_ASA5510
 ip address x.x.x.130 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip policy route-map CABLE-WEB
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description TO_COMCAST_CABLE MODEM
 ip address x.x.x.129 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/3/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.241
ip route 0.0.0.0 0.0.0.0 x.x.x.134 10
ip route 4.2.2.2 255.255.255.255 x.x.x.129 permanent
ip route 8.8.8.8 255.255.255.255 x.x.x.134 permanent
ip http server
no ip http secure-server
!
ip flow-export source GigabitEthernet0/0
ip flow-export version 5 origin-as
ip flow-export destination 74.220.52.157 2055
!
ip nat inside source route-map cable-nat interface FastEthernet0/1/0 overload
!
ip access-list standard ACL_SNMP_ACCESS
 permit x.x.x.157
!
ip access-list extended HTTP
 permit tcp any any eq www
 permit tcp any any eq 443
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet0/1/0
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.2 source-ip x.x.x.130
ip sla schedule 2 life forever start-time now
access-list 1 permit x.x.x.128 0.0.0.7
!
!
!
route-map CABLE-WEB permit 10
 match ip address HTTP
 set ip next-hop verify-availability x.x.x.134 50 track 101
 set ip next-hop x.x.x.134
!
route-map cable-nat permit 10
 match ip address 1
 match interface FastEthernet0/1/0
!
!
snmp-server group SNMP_RO_GROUP v3 auth match exact read SNMP_VIEW_RO access ACL_SNMP_ACCESS
snmp-server view SNMP_VIEW_RO internet included
!
control-plane
!
!
line con 0
 login
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
Jody Lemoine, Network Architect

Commented:
Rather than doing IP SLA against Google's and Level 3's name servers, I would consider doing your IP SLA against the default gateways provided by your ISPs.  Unless they've put a local router on-site, this will be sufficient to test the circuit's availability.

Take out the line "set ip next-hop x.x.x.134" from your CABLE-WEB route-map.  You've already got a next-hop tied to your IP SLA, so having this statement will force all traffic to x.x.x.134 even if your IP SLA track is down.

Are you able to ping the Comcast default router IP from the Cisco router yet?

Author

Commented:
Yes, I can ping the Comcast default gateway now.
Jody Lemoine, Network Architect

Commented:
What do you get when you do a "show track" and a "show ip sla statistics" at this point?
Jody, the CABLE-WEB route map is correct and should remain. The poster is not looking for just failover, but to force the web traffic out of the cable connection at all times. It is important to track items that are beyond your provider in order to overcome issues within that provider's network.
Jody Lemoine, Network Architect

Commented:
@wingatesl: According to the poster's "I am pushing all port 80 and 443 traffic out of the cable modem, if the cable modem fails, all traffic will go out the main circuit." statement, traffic should only be policy routed out the cable connection if its link hasn't failed, which justifies the "set ip next-hop verify-availability x.x.x.134 50 track 101" statement, but not the "set ip next-hop x.x.x.134" statement that follows it.  With both in place, the traffic will be forced out the cable connection regardless of its state.  Removing the "set ip next-hop x.x.x.134" from the route map will cause traffic to fall back to the standard routing table if the cable link is unavailable, which meets the poster's stated outcome.

Author

Commented:
So right now, if the cable modem fails, all traffic does go out the main circuit.  What I'm trying to do now is, if the main circuit fails, all traffic will go out of the cable modem.  That way I have internet redundancy both ways.
Jody Lemoine, Network Architect

Commented:
Assuming your track 102 is working properly, you can accomplish this by removing your "ip route 0.0.0.0 0.0.0.0 x.x.x.241" statement and re-entering it as "ip route 0.0.0.0 0.0.0.0 x.x.x.241 track 102". This way, if the 102 track fails, the route will be removed until the track comes up again. When this happens, your "ip route 0.0.0.0 0.0.0.0 x.x.x.134 10" will become the active default route and direct traffic out the cable connection.
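A consistency check, added here as an example (not code from the thread or from Cisco), that automates the three points raised in this thread: the probe target's host route must exit the link being tracked rather than point at the router's own address, the primary default route needs "track N" for the floating route to take over, and an unconditional "set ip next-hop" after verify-availability defeats the track. The config it parses is a constructed sample with RFC 5737 addresses standing in for the redacted x.x.x ones.

```python
import re

# Constructed sample (not from the thread) mirroring the poster's second config,
# with RFC 5737 documentation addresses standing in for the redacted x.x.x ones.
SAMPLE_CONFIG = """\
interface FastEthernet0/1/0
 ip address 198.51.100.129 255.255.255.248
ip route 0.0.0.0 0.0.0.0 192.0.2.241
ip route 0.0.0.0 0.0.0.0 198.51.100.134 10
ip route 4.2.2.2 255.255.255.255 198.51.100.129 permanent
ip route 8.8.8.8 255.255.255.255 198.51.100.134 permanent
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet0/1/0
ip sla 2
 icmp-echo 4.2.2.2 source-ip 203.0.113.130
track 101 ip sla 1 reachability
track 102 ip sla 2 reachability
route-map CABLE-WEB permit 10
 set ip next-hop verify-availability 198.51.100.134 50 track 101
 set ip next-hop 198.51.100.134
"""

def lint_failover(config):
    """Return findings about IP SLA probes, tracks, default routes and PBR."""
    own_ips = set(re.findall(r"^ ip address (\S+) ", config, re.M))
    routes = re.findall(r"^ip route (\S+) (\S+) (\S+)(.*)$", config, re.M)
    host_nh = {dst: nh for dst, mask, nh, _ in routes if mask == "255.255.255.255"}
    sla_target = dict(re.findall(r"^ip sla (\d+)\n icmp-echo (\S+)", config, re.M))
    findings = []
    # 1. A track's probe target needs a host route toward an ISP gateway; a
    #    next-hop that is the router's own address does not follow the ISP path.
    for trk, sla in re.findall(r"^track (\d+) ip sla (\d+)", config, re.M):
        target = sla_target.get(sla)
        nh = host_nh.get(target)
        if nh is None:
            findings.append(f"track {trk}: no host route pins probe target {target}")
        elif nh in own_ips:
            findings.append(f"track {trk}: route to {target} uses own address {nh}")
    # 2. The primary default (no admin distance) must carry 'track N' or the
    #    floating backup default can never take over.
    for dst, _, nh, rest in routes:
        if dst == "0.0.0.0" and not rest.strip():
            findings.append(f"default route via {nh} is not tracked")
    # 3. A plain 'set ip next-hop' after verify-availability forces traffic out
    #    the cable link even while its track is down.
    for name, seq, body in re.findall(r"^route-map (\S+) permit (\d+)\n((?: .*\n)*)", config, re.M):
        sets = [l for l in body.splitlines() if l.strip().startswith("set ip next-hop")]
        if any("verify-availability" in s for s in sets) and any("verify-availability" not in s for s in sets):
            findings.append(f"route-map {name} seq {seq}: unconditional next-hop overrides track")
    return findings
```

Run it against the sample and it reports the untracked primary default, the 4.2.2.2 host route pointing at the router's own Comcast-side address, and the redundant next-hop in CABLE-WEB; against a config with those three changes applied it returns an empty list.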

Author

Commented:
Thanks.
