gstanciel

asked on

Configure Cisco 871 for failover with dual wan and broadband card

I have a Cisco router which I want to configure to failover to the broadband card from AT&T then to the second WAN port (T-1 line). I have tried several configurations but cannot get the automatic failover to work.

Current configuration
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myserver
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable password
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.10.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1189660641
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1189660641
 revocation-check none
 rsakeypair TP-self-signed-1189660641
!
!
crypto pki certificate chain TP-self-signed-1189660641
 certificate self-signed 01
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool vlan1
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 4.2.2.2 8.8.8.8 75.75.75.75
!
!
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip name-server 75.75.75.75
ip name-server 8.8.8.8
!
!
!
username ******* privilege 15 secret ******!
!
archive
 log config
  hidekeys
!
!
!
track 1 rtr 1
!
track 2 rtr 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$ES_WAN$
 ip address 67.200.250.154 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $ES_LAN$
 ip address 192.168.20.199 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.20.1 track 1
ip route 0.0.0.0 0.0.0.0 67.200.250.153 100 track 2
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip route 4.2.2.2 255.255.255.255 192.168.20.1
ip route 8.8.8.8 255.255.255.255 67.200.250.153
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map backup interface FastEthernet4 overload
ip nat inside source route-map primary interface Vlan2 overload
!
ip access-list standard youtube
 remark CCP_ACL Category=1
 deny   74.125.227.12 log
 permit any log
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet4
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.2 source-interface Vlan2
 frequency 5
ip sla schedule 2 life forever start-time now
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.10.0 0.0.0.255
no cdp run
!
!
route-map backup permit 10
 match ip address 1
 match interface FastEthernet4
!
route-map primary permit 10
 match ip address 1
 match interface Vlan2
!
radius-server local
  nas 192.168.10.1 key  ******
  group rad_eap
  !
!
radius-server host 192.168.10.1 auth-port 1812 acct-port 1813 key ******!
control-plane
Leeeee

Try:

track 1 rtr 1 reachability
!
track 2 rtr 2 reachability

instead of

track 1 rtr 1
!
track 2 rtr 2

Remove:

ip route 0.0.0.0 0.0.0.0 192.168.20.1

Issue show track and paste output. What happens when you shut down the primary interface? Issue show ip route after you shut down the vlan 2 svi. Everything else regarding the IP SLA looks okay.
There are many free DNS servers you can use besides 4.2.2.2 and 8.8.8.8. You could fix the issue by creating two more floating static routes to those servers so when one of the internet circuits is down, you can still reach those servers through the other circuit. That may make things more confusing for you though.

Current:
ip route 4.2.2.2 255.255.255.255 192.168.20.1
ip route 8.8.8.8 255.255.255.255 67.200.250.153
Add:
ip route 4.2.2.2 255.255.255.255 67.200.250.153 10
ip route 8.8.8.8 255.255.255.255 192.168.20.1 10

Also, when you shut down VLAN 2, is that the output you saw in the sh track?
And was the sh ip route output from the period when VLAN 2 was shut down?
gstanciel

ASKER

The track output was before the shutdown.  The sh ip was after.  I have not been able to try your solution yet.  I will work on it tomorrow and let you know.
The solution pointed me in the right direction.  I had to remove the track settings to get it to work properly.
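
A consistency check for the failover pieces discussed in this thread, added here as an example and not code from either poster: it pairs each tracked default route with the IP SLA probe behind its track object and reports routes whose probe leaves through a different interface, plus default routes with no track at all. `audit_failover` and the finding labels are hypothetical names, the sample lines are copied from the posted configuration, and the check assumes a route's probe should use that route's own uplink.

```python
import ipaddress
import re

# Constructed sample: the routing, tracking and IP SLA lines from the posted config.
CONFIG = """\
track 1 rtr 1
track 2 rtr 2
interface FastEthernet4
 ip address 67.200.250.154 255.255.255.248
interface Vlan2
 ip address 192.168.20.199 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.20.1 track 1
ip route 0.0.0.0 0.0.0.0 67.200.250.153 100 track 2
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip sla 1
 icmp-echo 8.8.8.8 source-interface FastEthernet4
ip sla 2
 icmp-echo 4.2.2.2 source-interface Vlan2
"""

DEFAULT_ROUTE = re.compile(
    r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?$")

def audit_failover(config):
    """Return (issue, next_hop, egress_interface, probe_source) tuples."""
    nets, sla_src, track_sla, routes, ctx = {}, {}, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(?:interface|ip sla) (\S+)$", line):
            ctx = m[1]                      # current interface name or SLA id
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            nets[ctx] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"icmp-echo \S+ source-interface (\S+)", line):
            sla_src[ctx] = m[1]
        elif m := re.match(r"track (\d+) rtr (\d+)", line):
            track_sla[m[1]] = m[2]
        elif m := DEFAULT_ROUTE.match(line):
            routes.append((ipaddress.ip_address(m[1]), m[3]))
    findings = []
    for hop, track in routes:
        egress = next((i for i, n in nets.items() if hop in n), None)
        probe = sla_src.get(track_sla.get(track))
        if track is None:
            # Nothing can withdraw this route, so it stays installed after a path failure.
            findings.append(("untracked-default", str(hop), egress, None))
        elif probe != egress:
            # The probe measures a different uplink than the route it controls.
            findings.append(("probe-source-mismatch", str(hop), egress, probe))
    return findings

if __name__ == "__main__":
    for finding in audit_failover(CONFIG):
        print(finding)
```
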