Cisco – Multiple WANs/Out-of-band (Cisco 1900)

ciscocisco-iosfailoveroobwan

I've got a Cisco 1900 router which connects to the Internet using a primary and a secondary WAN connection.
When the primary connection is up, all traffic use this link. When the primary connection is down, I use the secondary connection to connect to the router to troubleshoot why the primary link is down.

Sometimes I would also like the two connection to be up and running at the same time. I would then like to be able to access the router using SSH on either one of its public IP-addresses.

Is there any (easy) way of having both these interfaces accessible at the same time?

Best Answer

As long as both interfaces have public IP addresses, which it sounds like, you have two options:

1) IP SLA: outbound traffic will only use one interface at a time.

Essentially, you configure a static default route out the primary interface, which is tracked and a static default route out the secondary interface. If the tracking finds an issue, the tracked route is removed, making the default route out the secondary interface

IP SLA link

R1(config)# ip sla 1
R1(config)# icmp-echo $primaryNextHop source-interface $primaryInterface
R1(config)# timeout 1000
R1(config)# threshold 2
R1(config)# frequency 3
R1(config)# ip sla schedule 1 life forever start-time now
R1(config)# track 1 ip sla 1 reachability
R1(config)# ip route 0.0.0.0 0.0.0.0 $primaryNextHop track 1
R1(config)# ip route 0.0.0.0 0.0.0.0 $secondaryNextHop 10

2) BGP peer with ISPs: this can be configured to allow traffic outbound on both interfaces at the same time. You can also set this up to allow ISP1 to receive traffic for the secondary interface and vice versa (BGP Multihoming)

Related Solutions

Cisco – Policy Based Routing for VPN connections with VPN Client configuration

You can simply append the ACL "REDIRECT-VIA-FAST-WAN" to route IPSEC traffic out your "fast wan" interface.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit ahp any any
permit esp any any

Or if your router does not have the "ahp" and "esp" options for an extended ACL, you can simply add in the specific ports that the ipsec client tunnels over, namely UDP ports 500, 10000, and 4500, and also TCP 4500 for good measure.

ip access-list extended REDIRECT-VIA-FAST-WAN
deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
permit udp any any eq 500
permit udp any any eq 10000
permit udp any any eq 4500
permit tcp any any eq 4500

You may also have to append your "PERMIT-MNG" ACL to allow outbound IPSEC traffic (depending on what that ACL is configured to do) but you stripped it out of the running config so I can not fully comment on that.

Router – How to configure WAN backup with 2 ADSL boxes and 1 router

Currently, your router monitors WAN connections only on layer 1, i.e. if a link is up or down. In order to react to a broken WAN connection, your router should monitor on a higher layer.

There are 3 approaches:

a) You use a router with two interface directly conntected to the splitter or telephone jack. Your router could still be monitoring a WAN link on layer 1. But your router would dial up via PPPoA. You could monitor both the line and the registration of your router by each ISP's RADIUS or TACACS server. Either your DSL line is run by a protocol such as ADSL2+ and authentication is done by user/password or by a protocol such as VDSL2 and authentication is done by modem MAC address. In case of user/password all you need are login credentials. In case of MAC address you have to personally negiotiate the registration of your router with both ISPs.

b) Your router dials up via PPPoE without the need of using new WAN interfaces. This would allow you to monitor each WAN connection on layer 2 which is sufficient enough. Your router would become the gateway and you could reduce the modems to managing DSL lines. This requires both modems to run a firmware supporting dialup by another device.

c) Your router monitors by probing a host on the WAN. Usually, there is at least one core router. which replies to ICMP Echo. Try traceroute -I 8.8.8.8 with both connections. It changes the Type of Service field to request Echo-Reply messages from each hop during the trace. You should at least find one core router for each ISP which you can probe on a regular basis. Then, you have to reduce the TTL of that ping to prevent reaching that destination on detours when the monitored WAN link fails.

Best Answer

Related Solutions

Cisco – Policy Based Routing for VPN connections with VPN Client configuration

Router – How to configure WAN backup with 2 ADSL boxes and 1 router

Related Topic