Cisco configuration - Failover for outbound (Internet) traffic

Hello Cisco gurus,

I need a third eye here. I am configuring a Cisco 1841 so that I can get failover for outbound (Internet) traffic when ISP link goes down. I decided to base my config on route-maps. I have installed a 3G card, and configured it to work with Safaricom. For some very strange reason (hence the third eye need) the automatic failover doesn't appear to work correctly. When I unplug the other ISP's cable, I can go out via 3G though.

I am doubting my routes configuration, but I am not sure this is it:

"ip route 0.0.0.0 0.0.0.0 JTL-GW-IP
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 10"

Having looked at Safaricom's 3G IP assignments, I am wondering if instead of using "ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 10", I could just do "ip route 0.0.0.0 0.0.0.0 10.64.64.64 10"?

Well, I am not even sure that is the problem.

PS: Don't worry about the passwords. They are already obfuscated.

Here is my whole config:

Current configuration : 4601 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C1841-FOOBAR
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$S.xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.210 192.168.0.254
!
ip dhcp pool FOOBAR
 network 192.168.0.0 255.255.255.0
 netbios-name-server 192.168.0.2
 domain-name FOOBAR.local
 default-router 192.168.0.1
 dns-server 196.201.225.18 196.201.225.19
 lease 0 2
!
!
ip domain name FOOBAR.local
ip name-server 196.201.225.18
ip name-server 196.201.225.19
ip name-server 41.222.10.26
!
multilink bundle-name authenticated
chat-script gsm "" "ATDT*99#" TIMEOUT 30 CONNECT
!
!
!
!
username admin privilege 15 secret 5 $1$k8ao$InezrCcTAPQKNh1iVPhJH.
username tech0 privilege 15 secret 5 $1$z0I3$ynm.qXVzt57atF1OZDSdG1
archive
 log config
  hidekeys
!
!
!
!
ip ssh version 2
!
!
!
interface FastEthernet0/0
 description lan
 ip address 192.168.40.250 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description WAN - 2/2Mbps to JTL
 ip address NN.NN.NN.NN 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface Cellular0/0/0
 description 3G Internet with Safaricom
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 async mode interactive
 ppp chap hostname saf
 ppp chap password 7 0000121205
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 JTL-GW-IP
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 10
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map JTL interface FastEthernet0/1 overload
ip nat inside source route-map SAFCOM interface Cellular0/0/0 overload
ip nat inside source static tcp 192.168.0.2 1234 NN.NN.NN.NN 1234 extendable
ip nat inside source static tcp 192.168.0.2 3389 NN.NN.NN.NN 3389 extendable
ip nat inside source static tcp 192.168.0.2 8081 NN.NN.NN.NN 8081 extendable
ip nat inside source static tcp 192.168.0.2 8082 NN.NN.NN.NN 8082 extendable
ip nat inside source static tcp 192.168.0.2 8083 NN.NN.NN.NN 8083 extendable
!
ip access-list extended netbios
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny udp any any eq netbios-ss
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny udp any any eq 445
 deny udp any any eq 135
 deny tcp any any eq 136
 deny udp any any eq 136
 deny udp any any eq netbios-ns
 deny tcp any any eq 138
 deny udp any any eq netbios-dgm
 permit ip any any
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip list 1
!
!
route-map SAFCOM permit 10
 match ip address 102
 match interface Cellular0/0/0
!
route-map JTL permit 10
 match ip address 102
 match interface FastEthernet0/1
!
!
!
control-plane
!
banner login ^C
*******************************************************
^C
!
line con 0
 logging synchronous
 login local
line aux 0
line 0/0/0
 exec-timeout 0 0
 script dialer gsm
 login local
 modem InOut
 no exec
 transport preferred none
 transport output none
line vty 0 4
 password 7 005C4B32165A0510076523
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."

With this setup, failover will only work if the physical interface connecting jtl is down which may never happen as the fiber switch may sit next to your router. Use ip sla to monitor downtime on your primary link

-----Original Message-----
From: Odhiambo Washington <odhiambo@gmail.com>
Sender: skunkworks-bounces@lists.my.co.ke
Date: Fri, 13 Dec 2013 19:53:46
To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Reply-To: Skunkworks Mailing List <skunkworks@lists.my.co.ke>
Subject: [Skunkworks] Cisco configuration - Failover for outbound (Internet) traffic

Hi Tony,

That explains it. Thanks. Let me rework this with ip sla monitoring.

On 13 December 2013 21:15, <tonygacheru@gmail.com> wrote:
> With this setup, failover will only work if the physical interface connecting jtl is down which may never happen as the fiber switch may sit next to your router. Use ip sla to monitor downtime on your primary link
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 "I can't hear you -- I'm using the scrambler."

@Wash IP SLA will never fail you :). Be sure to track a host that is reliable. I noted unicast IPs like 4.2.2.2 sometimes are horrible and may give you false alarms.

Kind Regards,
Wilson./
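The tracked-route approach suggested in the replies, sketched as an added example that is not part of the original thread or anyone's posted config. It assumes IOS 12.4(20)T-or-later syntax (older 12.4T images use `track 1 rtr 1 reachability`); PROBE-TARGET-IP is a hypothetical placeholder for a reliable host reached through JTL, and JTL-GW-IP is the placeholder already used in the posted config.

```cisco
! Added example. PROBE-TARGET-IP is a placeholder (assumption), not a value
! from the thread; JTL-GW-IP is the placeholder from the posted config.
!
! 1. Probe a host beyond the JTL gateway every 5 s, sourced from the WAN port,
!    so an upstream failure is seen even while FastEthernet0/1 stays up/up.
ip sla 1
 icmp-echo PROBE-TARGET-IP source-interface FastEthernet0/1
 timeout 1000
 threshold 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! 2. Turn the probe result into a track object. The delays damp flapping:
!    15 s of failed probes before failover, 30 s of success before failback.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 3. Pin the probe target to the primary path. Without this host route the
!    probe would follow the 3G default after failover, succeed, and pull the
!    primary route back in while JTL is still down.
ip route PROBE-TARGET-IP 255.255.255.255 JTL-GW-IP
!
! 4. Replace the untracked primary default with a tracked one. When track 1
!    goes down the route is withdrawn and the floating static (AD 10) via
!    Cellular0/0/0 takes over.
no ip route 0.0.0.0 0.0.0.0 JTL-GW-IP
ip route 0.0.0.0 0.0.0.0 JTL-GW-IP track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 10
```

`show track 1` and `show ip sla statistics 1` show the probe state. NAT translations already built toward the failed interface persist until they time out or are cleared with `clear ip nat translation *`.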
participants (3): Odhiambo Washington, Thuo Wilson, tonygacheru@gmail.com