
Secondary IP Route

Oct 18, 2001

I have 2 connections to the internet in my company. I want to set it up so that if DSL line #1 goes down, DSL line #2 kicks on and lets all outgoing traffic to the net so that it looks like the DSL lines never went down.... I believe it is done like this, but I am not 100% sure...

ip route 0.0.0.0 0.0.0.0 1.2.3.4
ip route 0.0.0.0 0.0.0.0 4.5.6.7 secondary


Anyone know if this is right....
 
Try this....

ip route 0.0.0.0 0.0.0.0 1.2.3.4
ip route 0.0.0.0 0.0.0.0 4.5.6.7 100

Adding an administrative cost of 100 will allow the first route (1.2.3.4) to be the primary since it has a lower "cost". When that one goes down the second route (4.5.6.7) will become active. When the original primary route comes back on-line then it will roll over to that route.

I use this in a configuration where I have a T1 and a DSL backup. It works great for basic internet routing. Now if you're running a VPN like I am on both connections, there is a lot more configuration that you have to do. For basic internet routing the above solution should work for you..

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 

How come if I try to ping e0/2 (which corresponds to my secondary route statement) I don't get any reply.... Also, how long does it take for the secondary IP route to take over when the first route fails??

 
I've never timed the changeover but I never have any issues with web browsing. Usually (during my tests) my browser would pause then the page would pull up.

Try to run a trace to the E0/2 Interface from a Desktop (make sure you're not blocking ICMP packets) that will tell you where the problem is.

A good test that you can do is shut down the interface that your primary route is going out, or disconnect the ethernet cable (or serial). Open a browser window then see if you can browse web sites. Also run a trace from a desktop to see where your packets are heading to. Once you're satisfied with the connection, bring up the primary interface and then check to see if it rolls over.

You can also take a look at the routing table (sho ip route) with the primary interface up and with the primary interface down. Your "Gateway of last resort" should be the primary hop when it's up and the secondary hop when it's down.



david e
 

Gateway of last resort did what you thought it would do when I shut down the one device, but I couldn't get out through the net... any ideas why the traffic didn't go anywhere??

 
Make sure your interface for your backup DSL line is up and correctly working. Try to do an extended ping; with an extended ping you can ping from an interface directly. Get an IP address of a server that you know will respond (I choose Yahoo.com).

On the router type "Ping IP"
Type in your Destination Address #.#.#.#
Leave repeat count at 5
Leave Datagram size at 100
Leave Timeout at 2 seconds
On "Extended Commands" choose "Y"
On Source Address or Interface, Type in the interface number or the interface IP Address.
At this point you can hit enter on all the next set of questions. When the system sends the ping packet out it will send it from the interface that you specify.

Another check you can do is verify you have all the information on the interface. If you do a show int E#/# make sure your line protocol is up and your interface is up. Without both being up you won't be passing any traffic.

Also make sure you're not running into a DNS issue as well. Even though you said you couldn't get to the internet make sure it's not a DNS issue. Remove the dns issue by downing your primary interface then go to a desktop and ping an IP Address. If you can ping an IP Address then try to ping a Domain Name. You may need to use a DNS server from your primary connection and use a DNS server of your backup connection as a secondary on your desktops....

Once you get all this information, update your thread here and I can troubleshoot a little further with you.....





david e
 

I am using an internal DNS server and I have eliminated the DNS possibility by shutting down the one interface and doing a ping. This is the result...

Pinging 65.2.208.61 with 32 bytes of data:

Reply from 192.168.100.28: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 65.2.208.61:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

When I use just one IP Route statement (doesn't matter which line) it works just fine..When I add the ip route statements, the e0/2 will not ping and once e0/1 is shutdown, that one will not work either...
 
hummmmm.....

Can you post both interface sections of your config file (removing your IP addresses of course)? Let me take a look at how the interfaces are configured....

Thanks

David
david e
 
interface Ethernet0/1
description AT&T
ip address <address withheld>
no ip proxy-arp
ip accounting output-packets
ip nat outside
no ip route-cache
no ip mroute-cache
ip policy route-map static
half-duplex
no cdp enable
crypto map cntmap
!
interface Ethernet0/2
description UUNet
ip address <address withheld>
no ip proxy-arp
ip accounting output-packets
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
no cdp enable
 
Okay, I was thinking if you were running nat on the interface that could be the issue. But....I see from the interface commands that they are configured correctly......

How are the routes setup....

ip route 0.0.0.0 0.0.0.0 e0/1
ip route 0.0.0.0 0.0.0.0 100 e1/2

or

ip route 0.0.0.0 0.0.0.0 <next hop>
ip route 0.0.0.0 0.0.0.0 100 <next hop>

I have mine set to the second option and it works without a flaw. If not set yours up to the second and then try it again. If they are already let me know...I will dig around in my brain for something else...


david e
 

When setting up the route... does the 100 come before or after the 0.0.0.0's???

I currently have them setup like this

ip route 0.0.0.0 0.0.0.0 <next hop>
ip route 0.0.0.0 0.0.0.0 <next hop> 100
 
Sorry, it goes after the next hop.....My typo....

Give me a few minutes to pick my brain.



david e
 

I think I figured out my problem....my second DSL line isn't working and I think it has something to do with this line...

ip nat inside source route-map nonat interface Ethernet0/1 overload

If I change it to Ether0/2 then my second interface will work....

any ideas??
 
Okay, that makes some sense. Here are the lines I have on my configuration exactly like you want to do....

interface Ethernet0/1 <--- Primary interface
description -- Ethernet to Intelispace --
ip address 10.10.10.10 255.255.255.240
ip access-group nyc-inet-security in
ip access-group nyc-lan-security out
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map combined


interface Ethernet1/0 <--- Secondary interface
description -- Ethernet to MegaPath --
ip address 10.10.10.11 255.255.255.248
ip access-group nyc-inet-security in
ip access-group nyc-lan-security out
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map backup


My Nat Pool
ip nat pool NYC 10.10.10.12 10.10.10.13 netmask 255.255.255.240
ip nat inside source list 2 pool NYC overload


My Access list 2
access-list 2 permit 172.16.30.0 0.0.0.255

The pool with the access list should allow anyone sitting on the 172.16.30.0 subnet access to the pool to the outside world.

Let me know if this helps you any???


david e
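
Added example (not from any post in this thread): one way to keep NAT overload working on whichever DSL line is carrying traffic is to give each outside interface its own overload statement, selected by a route-map that matches the egress interface, alongside the floating static route discussed above. The next hops 192.0.2.1 and 198.51.100.1, the inside subnet 192.168.100.0/24, access-list 10 and the route-map names are constructed placeholders, and the VPN exemption (the "nonat" route-map mentioned in the thread) is not covered.

```cisco
! Added example, not the configuration of either poster.
! Next hops, inside subnet, ACL number and route-map names are
! constructed placeholders; substitute your own values.
!
! Inside hosts that are eligible for translation
access-list 10 permit 192.168.100.0 0.0.0.255
!
! One route-map per uplink. Each matches only traffic that the
! routing table has already decided to send out that interface.
route-map NAT-ISP1 permit 10
 match ip address 10
 match interface Ethernet0/1
!
route-map NAT-ISP2 permit 10
 match ip address 10
 match interface Ethernet0/2
!
! One overload (PAT) statement per outside interface, so traffic
! leaving Ethernet0/2 is translated to Ethernet0/2's address
! rather than to an address that belongs to the failed line.
ip nat inside source route-map NAT-ISP1 interface Ethernet0/1 overload
ip nat inside source route-map NAT-ISP2 interface Ethernet0/2 overload
!
! Primary default route (default distance 1) and floating backup
! route (distance 100), with the distance after the next hop.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 100
```

After a failover test, `show ip nat translations` shows which outside address is in use, and `clear ip nat translation *` removes entries still bound to the line that went down.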
 