atodorovic
join:2011-11-14
Kitchener, ON

atodorovic

Member

[HELP] Cisco Router Config (2811) with two ISPs

Hi Everyone,
I've been stuck trying to get my new router configured properly. I have a 2811 with an ADSL WIC that's working perfectly, and I'd like to add a link from the local FE0/1 to another ISP that's currently coming into the house (specifically Rogers / SMCD3GN Router).

I've connected the router port to the SMC router, and I can ping the router just fine from the Cisco, but not from the internal network.

I've tried adding static routes in place with no change, the Rogers router is still out of reach.
      [Cable]
[192.168.0.0/24]                                  [ADSL]
     (FE0/1)                                      (ADSL WIC)
         |                                                 |
         |                                                 |
         -------------------------------------
                                 |
                                 |
                         [Cisco 2811]
                                 |
                                 |
                             (FE0/0)
                  [LAN 192.168.100.0/24]
 
Ideally I'd like to have host 192.168.100.200 only use the Cable path, while having all others use the ADSL interface.

Is this something that's possible to do, and if so, how would I go about setting it up?

Many thanks,
--aleks
aryoba
MVM
join:2002-08-22

aryoba

MVM

Ideally with such a setup, you have a dedicated router for each ISP. Internally you split up your LAN into two, where the first half of the network uses the first ISP as primary and the second half of the network uses the second ISP as primary. Should one ISP fail, your network will use the other ISP as backup to go out.
Bink
Villains... knock off all that evil
join:2006-05-14
Colorado

2 edits

Bink to atodorovic

Member

to atodorovic
I respectfully disagree with aryoba—using multiple routers makes things messy—as modern routing equipment tends to better support the “poor man’s” BGP/multi-WAN. That said, I suggest you read up on Cisco’s PfR/OER and Policy-Based Routing (PBR), which are probably the best/most flexible ways to do what you want.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to atodorovic

MVM

to atodorovic
Are you double NATing between the 2811 and the SMC -- ie FE0/1 is configured IP NAT outside?

Honestly I'd get Rogers to put the SMC into bridge mode so you have public IP addresses
on both your FE0/1 and ADSL interfaces, and as Bink has noted, use PfR/OER and PBR to
determine which ISP traffic should take.

Let us know if you need any help with the configs atodorovic.

Regards
atodorovic
join:2011-11-14
Kitchener, ON

atodorovic

Member

Thanks for the tips guys.

I stumbled across PBR last night during my search for a sample configuration and left it as something to read up on, so I'll definitely look into that.

As for the current configuration, yes, FE0/1 is configured with IP NAT outside, but I haven't tried the bridge mode on the SMC. I can actually apply that myself, I believe, as it's an option on the first configuration page of the SMC router.

I'll definitely set the router to bridge mode, and then see if I can use PBR to get rolling.

Many thanks,
--aleks
atodorovic

atodorovic

Member

Hi everyone,
Tried a few things, and it's still giving me a few issues. The SMC router is now in bridge mode, my FE0/1 interface has an external IP now. I've added the following to the config of the 2811

to the interface FE0/0 (internal network 192.168.100.254)
ip route-cache policy
ip policy route-map Rogers

then I created an access list like below, to only allow the one host

access-list 1 permit 192.168.100.201

and finally created the actual route map with the following:

route-map Rogers permit 10
match ip address 1
set ip next-hop (external ip of FE0/1 interface)

yet it's still not routing the traffic from that host out the FE0/1 interface.

Any suggestions?

Thanks,
--aleks
atodorovic

atodorovic

Member

Could it be that my next-hop address is incorrect? I currently have it set to the FastEthernet 0/1 IP address. If that's indeed the case, how do I find out what the next-hop should be?

btw, I've attached a couple of debug log lines for (debug ip policy)

Nov 15 22:25:45 192.168.100.254 2865: IP: s=192.168.100.201 (FastEthernet0/0), d=137.122.187.16, len 64, FIB policy rejected(no match) - normal forwarding
Nov 15 22:25:45 192.168.100.254 2866: IP: s=192.168.100.201 (FastEthernet0/0), d=137.122.187.16, len 64, FIB policy rejected(no match) - normal forwarding
Nov 15 22:25:45 192.168.100.254 2867: IP: s=192.168.100.201 (FastEthernet0/0), d=137.122.187.16, len 64, FIB policy rejected(no match) - normal forwarding
Nov 15 22:25:45 192.168.100.254 2870: IP: s=192.168.100.201 (FastEthernet0/0), d=137.122.187.16, len 52, FIB policy rejected(no match) - normal forwarding
Nov 15 22:25:45 192.168.100.254 2871: IP: s=192.168.100.201 (FastEthernet0/0), d=137.122.187.16, len 52, FIB policy rejected(no match) - normal forwarding
Nov 15 22:25:45 192.168.100.254 2872: IP: s=192.168.100.201 (FastEthernet0/0), d=137.122.187.16, len 52, FIB policy rejected(no match) - normal forwarding
 

thanks,
--aleks
Racing2Fast
join:2011-11-16
3315

Racing2Fast to atodorovic

Member

to atodorovic
Mind-blowing configuration. I am having trouble with the 2811. So far I am doing it right now, so far no other questions while I'm carefully analyzing everything.
cooldude9919
join:2000-05-29

cooldude9919 to atodorovic

Member

to atodorovic
Here's what I would suggest to be sure.

access-list 100 permit ip host 192.168.100.201 any

route-map Rogers permit 10
match ip addr 100
set ip default next-hop IP

Now for the IP, I think what you need is the default gateway that Rogers would be handing you, not the IP of the interface itself. Hopefully you can find this IP out; worst case, disable the DSL for a minute and try ip route 0.0.0.0 0.0.0.0 dhcp and see if it picks up the gateway.

Reason for this is just sending it to the fa0/1 IP isn't enough if there is no default route anywhere for that connection; it's not going to know where to send the packets from there besides its default route out the DSL, because you are just sending the packets to the router itself on a different interface, but its routing table still applies. On the other hand, if you send it to the gateway from Rogers, your router knows that IP is on the same subnet as your IP on your fa0/1 interface, so it knows to send it that way, then obviously Rogers knows where to send the packets from there.

This may provide a little more detail; notice in the example the next-hop is always the other side of the link, not the router IP that the traffic is coming from.

»www.cisco.com/en/US/tech ··· 54.shtml
atodorovic
join:2011-11-14
Kitchener, ON

atodorovic

Member

Hi cool,
thanks for the info. I finally got it to use the route-map late last night, but have run into a different issue, and it seems to be NAT related. Here's the output from debug ip policy, and it's clearly being routed out the proper interface to the default gateway that I got from show dhcp lease yesterday:

Nov 17 11:04:11 192.168.100.254 39430: Nov 17 16:04:11 UTC: IP: s=192.168.100.201 (FastEthernet0/0), d=70.38.0.136, len 60, FIB policy match
Nov 17 11:04:11 192.168.100.254 39431: Nov 17 16:04:11 UTC: IP: s=192.168.100.201 (FastEthernet0/0), d=70.38.0.136, len 60, PBR Counted
Nov 17 11:04:11 192.168.100.254 39432: Nov 17 16:04:11 UTC: IP: s=192.168.100.201 (FastEthernet0/0), d=70.38.0.136, g=99.236.70.1, len 60, FIB policy routed
 

When I look at show ip nat translations though,

the inside global interface is wrong; it's showing it as my dialer0 (DSL) IP. I'm now reading a bunch of articles on NAT with route-maps, however the one example I tried didn't produce proper results:

ip nat inside source route-map Rogers interface FastEthernet 0/1 overload

looking for more info as I type this.

Thanks,
--aleks
cooldude9919
join:2000-05-29

cooldude9919

Member

Show me a

show ip nat stat
sh run | inc nat
cooldude9919

cooldude9919

Member

In the meantime I'll guess.

I think your NAT is getting hit on the wrong access list. NAT with route-maps really isn't much different. Your Rogers should look something like this.

access-list 100 permit ip host 192.168.100.201 any
ip nat inside source list 100 int fa0/1 over
int fa0/1
ip nat out

Whatever NAT you have for your DSL should exclude 192.168.100.201, for example:

ip nat inside source list 101 int dialer0 over

access-list 101 deny ip host 192.168.100.201 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
atodorovic
join:2011-11-14
Kitchener, ON

atodorovic

Member

you Sir are a genius!

you were correct that it was the access list

I had the following defined:

access-list 5 permit 192.168.100.201 (route map ACL)
access-list 100 permit ip 192.168.100.0 0.0.0.0 any
access-list 100 deny ip any any

changed it to :

access-list 5 permit 192.168.100.201

access-list 100 deny ip 192.168.100.201 0.0.0.0 any
access-list 100 permit ip 192.168.100.0 0.0.0.0 any
access-list 100 deny ip any any

and BAM! things started working as they should.

Many thanks for all your help cooldude9919.

much appreciated,
--aleks

TomS_
Git-r-done
MVM
join:2002-07-19
London, UK

TomS_

MVM

said by atodorovic:

access-list 100 deny ip any any

You can drop that rule, unless you want it specifically for accounting ACL entry hits.

All ACLs have an implicit "deny any any" at the end, so it's not necessary to explicitly state it - that is to say, if a packet doesn't match against any rules, it gets denied.
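
The ACL behaviour discussed in cooldude9919's NAT suggestion and TomS_'s note on the implicit deny can be checked offline before touching the router. The following is an added example, not code from any poster and not IOS itself: a small Python model of first-match ACL evaluation with wildcard masks, which reports every NAT rule whose ACL permits a given source. The names BEFORE, AFTER and NAT_RULES are constructed for illustration; the ACL lines follow cooldude9919's suggested numbering (100 for Rogers, 101 for DSL).

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC any', where SRC is
    'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = line.split()
    acl, action, rest = tok[1], tok[2], tok[4:]   # tok[3] is the protocol
    if rest[0] == "host":
        base, wild = rest[1], "0.0.0.0"
    else:
        base, wild = rest[0], rest[1]
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return acl, action, to_int(base), to_int(wild)

def acl_verdict(config, acl, src):
    """First matching entry wins; no match means the implicit deny."""
    addr = int(ipaddress.IPv4Address(src))
    for line in config:
        n, action, base, wild = parse_ace(line)
        care = ~wild & 0xFFFFFFFF     # wildcard bits set to 1 are ignored
        if n == acl and (addr & care) == (base & care):
            return action
    return "deny"                     # implicit "deny any any"

def nat_rules_hit(config, nat_rules, src):
    """Egress interfaces of all NAT rules whose ACL permits src.
    More than one entry means the translation is ambiguous."""
    return [egress for acl, egress in nat_rules
            if acl_verdict(config, acl, src) == "permit"]

# Constructed sample: DSL ACL without the exclusion for the PBR host.
BEFORE = [
    "access-list 100 permit ip host 192.168.100.201 any",
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 any",
]
# Constructed sample: DSL ACL with the deny entry ahead of the permit.
AFTER = [
    "access-list 100 permit ip host 192.168.100.201 any",
    "access-list 101 deny ip host 192.168.100.201 any",
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 any",
]
NAT_RULES = [("100", "fa0/1"), ("101", "dialer0")]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for host in ("192.168.100.201", "192.168.100.50"):
            print(name, host, nat_rules_hit(cfg, NAT_RULES, host))
```

A host that appears under both rules is the one to fix. Note that a wildcard of 0.0.0.0 matches a single address only, so covering the whole /24 takes 0.0.0.255.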