Cisco 1801 Dual WAN failover configuration


Anonymous: 484671

Topic starter
Dear tweakers,

Introduction

I have a Cisco 1801 router. I will soon be switching to Telenet (cable provider) as my primary ISP.
I want to keep the second ISP, though (for when Telenet goes down). The second ISP is Scarlet. This is an ADSL line.

At the moment my running config looks like this:

code:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1801
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret *****
enable password *****
!
aaa new-model
!
!
!
!
aaa session-id common
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
ip ftp username Administrator
ip ftp password *****
no ip bootp server
no ip domain lookup
ip domain name scarlet.be
ip name-server 193.74.208.65
ip name-server 194.119.228.67
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect max-incomplete high 800
ip inspect max-incomplete low 700
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 20
ip inspect tcp idle-time 60
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
ip inspect name firewall icmp
ip inspect name firewall ftp timeout 3600
ip inspect name firewall ssh
ip inspect name firewall telnet timeout 3600
ip inspect name firewall exec
ip inspect name firewall echo timeout 3600
ip inspect name firewall smtp
ip inspect name firewall sqlnet timeout 3600
ip inspect name firewall tftp timeout 3600
ip inspect name firewall rcmd timeout 3600
ip inspect name firewall snmp
ip inspect name firewall http timeout 3600
ip inspect name firewall h323 timeout 3600
ip inspect name firewall dns timeout 3600
ip inspect name firewall ms-sql timeout 3600
ip inspect name firewall mysql timeout 3600
ip inspect name firewall https timeout 3600
ip inspect name firewall pop3 timeout 3600
ip inspect name firewall ftps timeout 3600
ip inspect name firewall ldap timeout 3600
ip inspect name firewall ldaps timeout 3600
ip inspect name firewall ldap-admin timeout 3600
ip inspect name firewall netbios-ns timeout 3600
ip inspect name firewall netbios-ssn timeout 3600
ip inspect name firewall telnets timeout 3600
ip inspect name firewall wins timeout 3600
ip inspect name firewall vdolive timeout 3600
ip inspect name firewall bittorrent timeout 3600
ip inspect name firewall finger timeout 3600
ip inspect name firewall imap timeout 3600
ip inspect name firewall imaps timeout 3600
!
multilink bundle-name authenticated
vpdn enable
!
!
crypto pki trustpoint TP-self-signed-4270858707
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4270858707
 revocation-check none
 rsakeypair TP-self-signed-4270858707
!
!
crypto pki certificate chain TP-self-signed-4270858707
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34323730 38353837 3037301E 170D3039 30393134 31343130 
  32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32373038 
  35383730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100DD86 F2180A01 52D5C609 CD77A5FD 250F173B 4F6A4F0A 1F6016FE 56AC862E 
  DF622CA3 DFD25FB0 5718276C 23F9D1CB 6D1A009A 9AF3BC16 4FA5B6A4 65A3DD4B 
  765B3CF0 3E325D9C 7C66D26E 9387B4FC 893C4DFA AB96C7C7 C1A15E7C 2ED97549 
  F3B6E09D 9A3C6FC5 05187204 91EABC28 1149DD85 B4678C29 EA90048B F601D776 
  256F0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D1104 18301682 14436973 636F3138 30312E73 6361726C 65742E62 65301F06 
  03551D23 04183016 80149A65 AE2E55C9 ACCA71D0 97210FD4 87CFAF7C 1008301D 
  0603551D 0E041604 149A65AE 2E55C9AC CA71D097 210FD487 CFAF7C10 08300D06 
  092A8648 86F70D01 01040500 03818100 8199022F 55DB4FBD 5EADB1C8 2D652A74 
  3C352E84 A809999C 0C346284 D31C9234 FDCDCFA3 56FC7770 0FF1E458 3F4A1E07 
  9D00770C E88FF993 8890A2A6 6F59FDED 57BCF82F FB17C22B 3D4066C2 663A1A84 
  FB90C278 39693635 3F03AE67 A0487BE9 5DED9D2A 79392955 9D87987D 53D23FA7 
  D55DCAD0 8EB7BD2C 8BDF45B8 E357D998
  quit
!
!
username *** privilege 15 secret ****
username **** privilege 15 secret *****
!
!
class-map match-any SDM-Transactional-1
 match  dscp af21 
 match  dscp af22 
 match  dscp af23 
class-map match-any SDM-Signaling-1
 match  dscp cs3 
 match  dscp af31 
class-map match-any SDM-Routing-1
 match  dscp cs6 
class-map match-any SDM-Voice-1
 match  dscp ef 
class-map match-any SDM-Management-1
 match  dscp cs2 
!
!
policy-map SDM-QoS-Policy-1
 class SDM-Voice-1
  priority percent 33
 class SDM-Signaling-1
  bandwidth percent 5
 class SDM-Routing-1
  bandwidth percent 5
 class SDM-Management-1
  bandwidth percent 5
 class SDM-Transactional-1
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
!
! 
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 description De buitenwereld WAN
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto 
 hold-queue 224 in
!
interface Vlan1
 description Intern Lan
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip inspect firewall out
 ip virtual-reassembly
 ip route-cache same-interface
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ******@SCARLET
 ppp chap password ******
 ppp pap sent-username *****@SCARLET password ******
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAT-POOL 10.10.10.0 10.10.10.255 netmask 255.255.255.0
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.80 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.10.80 21 interface Dialer0 21
ip nat inside source static tcp 10.10.10.80 110 interface Dialer0 110
ip nat inside source static tcp 10.10.10.80 1987 interface Dialer0 1987
ip nat inside source static tcp 10.10.10.80 1433 interface Dialer0 1433
ip nat inside source static tcp 10.10.10.80 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.80 25 interface Dialer0 25
ip nat inside source static tcp 10.10.10.80 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.80 3306 interface Dialer0 3306
ip nat inside source static tcp 10.10.10.80 1311 interface Dialer0 1311
ip nat inside source static tcp 10.10.10.80 8098 interface Dialer0 8098
!
logging trap debugging
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 101 remark ACL om spoofing van andere netwerken tegen te gaan
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 120 permit tcp any 0.0.0.0 255.255.255.0 established
access-list 120 permit tcp host 10.10.10.3 any eq telnet
access-list 120 permit tcp host 10.10.10.3 any eq 22
access-list 120 deny   tcp any any eq 12345
access-list 120 deny   tcp any any eq 12348
access-list 120 deny   tcp any any eq 27374
access-list 120 deny   tcp any any eq 31337
access-list 120 deny   tcp any any eq lpd
access-list 120 deny   tcp any any eq cmd
access-list 120 deny   tcp any any eq whois
access-list 120 deny   udp any any eq snmptrap
access-list 120 deny   tcp any any eq telnet
access-list 120 deny   tcp any any eq 1080
access-list 120 deny   tcp any any eq 135
access-list 120 deny   tcp any any eq 137
access-list 120 deny   tcp any any eq 138
access-list 120 deny   tcp any any eq 22
access-list 120 deny   tcp any any eq discard
access-list 120 deny   tcp any any eq chargen
access-list 120 deny   udp any any eq snmp
access-list 120 deny   tcp any any eq 139
access-list 120 deny   tcp any any eq finger
access-list 120 deny   ip 127.0.0.0 0.255.255.255 any
access-list 120 deny   ip 192.168.0.0 0.0.0.255 any
access-list 120 deny   ip 172.16.0.0 0.0.255.255 any
access-list 120 deny   ip 224.0.0.0 31.255.255.255 any
access-list 120 deny   tcp any any eq exec
access-list 120 deny   icmp any any redirect
access-list 120 deny   tcp any any eq 6667
access-list 120 deny   tcp any any eq login
access-list 120 deny   tcp any any eq 631
access-list 120 deny   tcp any any eq 1214
access-list 120 deny   icmp any any echo
access-list 120 deny   udp any any gt 32768
access-list 120 deny   tcp any any eq echo
access-list 120 deny   udp any any eq echo
access-list 120 deny   tcp any any eq 1243
access-list 120 deny   tcp any any eq 3128
access-list 120 permit tcp any any
access-list 120 permit udp any any
access-list 120 permit ip any any
access-list 120 permit icmp any any
access-list 120 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee

banner motd C
======================================================
Alleen voor bevoegd personeel! Niet bevoegd? Oprotten!
======================================================
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 password ***
 transport input ssh
!
end


To get Telenet configured on the router I put together the following. At the moment I don't have Telenet yet (it will only be delivered on 3 December), but I want to have the router configuration ready in advance.

code:
Building configuration...

Current configuration : 10469 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1801
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret ***
enable password ***
!
no aaa new-model
no ip source-route
!
ip cef
ip dhcp excluded-address 10.10.10.1
!
!
ip tcp synwait-time 10
ip ftp username Administrator
ip ftp password ****
no ip domain lookup
ip domain name telenet.be
ip name-server 193.74.208.65
ip name-server 194.119.228.67
ip ssh time-out 60
ip ssh authentication-retries 3
ip inspect max-incomplete high 800
ip inspect max-incomplete low 700
ip inspect one-minute low 500
ip inspect one-minute high 600
ip inspect udp idle-time 20
ip inspect tcp idle-time 60
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 0
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
ip inspect name firewall icmp
ip inspect name firewall ftp timeout 3600
ip inspect name firewall ssh
ip inspect name firewall telnet timeout 3600
ip inspect name firewall exec
ip inspect name firewall echo timeout 3600
ip inspect name firewall smtp
ip inspect name firewall sqlnet timeout 3600
ip inspect name firewall rcmd timeout 3600
ip inspect name firewall dns timeout 3600
ip inspect name firewall ms-sql timeout 3600
ip inspect name firewall mysql timeout 3600
ip inspect name firewall pop3 timeout 3600
ip inspect name firewall ftps timeout 3600
ip inspect name firewall ldap timeout 3600
ip inspect name firewall ldaps timeout 3600
ip inspect name firewall ldap-admin timeout 3600
ip inspect name firewall vdolive timeout 3600
ip inspect name firewall bittorrent timeout 3600
ip inspect name firewall imap timeout 3600
ip inspect name firewall imaps timeout 3600
ip inspect name firewall http timeout 3600
ip inspect name firewall https timeout 3600
!
multilink bundle-name authenticated
vpdn enable
!
!
crypto pki trustpoint TP-self-signed-4270858707
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4270858707
 revocation-check none
 rsakeypair TP-self-signed-4270858707
!
!
crypto pki certificate chain TP-self-signed-4270858707
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34323730 38353837 3037301E 170D3039 30393134 31343130
  32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32373038
  35383730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DD86 F2180A01 52D5C609 CD77A5FD 250F173B 4F6A4F0A 1F6016FE 56AC862E
  DF622CA3 DFD25FB0 5718276C 23F9D1CB 6D1A009A 9AF3BC16 4FA5B6A4 65A3DD4B
  765B3CF0 3E325D9C 7C66D26E 9387B4FC 893C4DFA AB96C7C7 C1A15E7C 2ED97549
  F3B6E09D 9A3C6FC5 05187204 91EABC28 1149DD85 B4678C29 EA90048B F601D776
  256F0203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 14436973 636F3138 30312E73 6361726C 65742E62 65301F06
  03551D23 04183016 80149A65 AE2E55C9 ACCA71D0 97210FD4 87CFAF7C 1008301D
  0603551D 0E041604 149A65AE 2E55C9AC CA71D097 210FD487 CFAF7C10 08300D06
  092A8648 86F70D01 01040500 03818100 8199022F 55DB4FBD 5EADB1C8 2D652A74
  3C352E84 A809999C 0C346284 D31C9234 FDCDCFA3 56FC7770 0FF1E458 3F4A1E07
  9D00770C E88FF993 8890A2A6 6F59FDED 57BCF82F FB17C22B 3D4066C2 663A1A84
  FB90C278 39693635 3F03AE67 A0487BE9 5DED9D2A 79392955 9D87987D 53D23FA7
  D55DCAD0 8EB7BD2C 8BDF45B8 E357D998
  quit
!
!
username *** privilege 15 secret **
username *** privilege 15 secret ***
!
!
class-map match-any SDM-Transactional-1
 match  dscp af21
 match  dscp af22
 match  dscp af23
class-map match-any SDM-Signaling-1
 match  dscp cs3
 match  dscp af31
class-map match-any SDM-Routing-1
 match  dscp cs6
class-map match-any SDM-Voice-1
 match  dscp ef
class-map match-any SDM-Management-1
 match  dscp cs2
!
!
policy-map SDM-QoS-Policy-1
 class SDM-Voice-1
  priority percent 33
 class SDM-Signaling-1
  bandwidth percent 5
 class SDM-Routing-1
  bandwidth percent 5
 class SDM-Management-1
  bandwidth percent 5
 class SDM-Transactional-1
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect
!
!
!
!
!
!
interface FastEthernet0
 description De buitenwereld WAN
 ip address dhcp
 ip access-group 120 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 shutdown
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Vlan1
 description Intern LAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip tcp adjust-mss 1452
!
no interface Dialer0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAT-POOL 10.10.10.0 10.10.10.255 netmask 255.255.255.0
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static tcp 10.10.10.80 3389 interface FastEthernet0 3389
ip nat inside source static tcp 10.10.10.80 21 interface FastEthernet0 21
ip nat inside source static tcp 10.10.10.80 110 interface FastEthernet0 110
ip nat inside source static tcp 10.10.10.80 1987 interface FastEthernet0 1987
ip nat inside source static tcp 10.10.10.80 1433 interface FastEthernet0 1433
ip nat inside source static tcp 10.10.10.80 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.10.80 25 interface FastEthernet0 25
ip nat inside source static tcp 10.10.10.80 80 interface FastEthernet0 80
ip nat inside source static tcp 10.10.10.80 3306 interface FastEthernet0 3306
ip nat inside source static tcp 10.10.10.80 1311 interface FastEthernet0 1311
ip nat inside source static tcp 10.10.10.80 8098 interface FastEthernet0 8098
!
logging trap debugging
access-list 1 permit any
access-list 101 deny   ip any host 85.17.79.115
access-list 101 permit tcp host 10.10.10.3 any eq telnet
access-list 101 permit tcp host 10.10.10.3 any eq 22
access-list 101 permit tcp host 10.10.10.80 any eq telnet
access-list 101 permit tcp host 10.10.10.80 any eq 22
access-list 101 deny   tcp any any eq telnet
access-list 101 deny   tcp any any eq 22
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any
access-list 101 permit udp 10.0.0.0 0.255.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 remark ACL om spoofing van andere netwerken tegen te gaan
access-list 101 deny   ip any any
access-list 120 permit tcp any 0.0.0.0 255.255.255.0 established
access-list 120 permit tcp host 10.10.10.3 any eq telnet
access-list 120 permit tcp host 10.10.10.3 any eq 22
access-list 120 deny   ip any host 85.17.79.115
access-list 120 deny   tcp any any eq 12345
access-list 120 deny   tcp any any eq 12348
access-list 120 deny   tcp any any eq 27374
access-list 120 deny   tcp any any eq 31337
access-list 120 deny   tcp any any eq lpd
access-list 120 deny   tcp any any eq cmd
access-list 120 deny   tcp any any eq whois
access-list 120 deny   udp any any eq snmptrap
access-list 120 deny   tcp any any eq telnet
access-list 120 deny   tcp any any eq 1080
access-list 120 deny   tcp any any eq 135
access-list 120 deny   tcp any any eq 137
access-list 120 deny   tcp any any eq 138
access-list 120 deny   tcp any any eq 22
access-list 120 deny   tcp any any eq discard
access-list 120 deny   tcp any any eq chargen
access-list 120 deny   udp any any eq snmp
access-list 120 deny   tcp any any eq 139
access-list 120 deny   tcp any any eq finger
access-list 120 deny   ip 127.0.0.0 0.255.255.255 any
access-list 120 deny   ip 192.168.0.0 0.0.0.255 any
access-list 120 deny   ip 172.16.0.0 0.0.255.255 any
access-list 120 deny   ip 224.0.0.0 31.255.255.255 any
access-list 120 deny   tcp any any eq exec
access-list 120 deny   icmp any any redirect
access-list 120 deny   tcp any any eq 6667
access-list 120 deny   tcp any any eq login
access-list 120 deny   tcp any any eq 631
access-list 120 deny   tcp any any eq 1214
access-list 120 deny   icmp any any echo
access-list 120 deny   udp any any gt 32768
access-list 120 deny   tcp any any eq echo
access-list 120 deny   udp any any eq echo
access-list 120 deny   tcp any any eq 1243
access-list 120 deny   tcp any any eq 3128
access-list 120 permit tcp any any
access-list 120 permit udp any any
access-list 120 permit ip any any
access-list 120 permit icmp any any
access-list 120 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
bridge 1 protocol ieee

banner motd ^CC
======================================================
Alleen voor bevoegd personeel! Niet bevoegd? Oprotten!
======================================================^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 password ****
 login local
 transport input telnet ssh
!
end


However, I would like to use my ADSL line as failover. If Telenet goes down, Scarlet has to take over.

I have already found a number of things, such as the configuration below, from which I can use a few pieces:

code:
interface FastEthernet0/0
 description Primary link ISP1
 ip address 12.x.x.x 255.255.255.240
 ip nat outside
!
interface FastEthernet1/0
 description Secondary link ISP2
 ip address 76.x.x.x 255.255.255.0
 ip nat outside
!
interface FastEthernet1/1
 description Inside LAN segment
 ip address 172.168.60.1 255.255.255.0
 ip nat inside
!
access-list 100 permit ip 172.168.60.0 0.0.0.255 any
!
route-map isp1 permit 10
 match ip address 100
 match interface FastEthernet0/0
!
route-map isp2 permit 10
 match ip address 100
 match interface FastEthernet1/0
!
ip nat inside source route-map isp1 interface FastEthernet0/0 overload
ip nat inside source route-map isp2 interface FastEthernet1/0 overload
!
! Primary default route pointing towards the next-hop IP of ISP1
ip route 0.0.0.0 0.0.0.0 12.y.y.y
! Backup default route with higher AD (10) pointing towards the next-hop IP of ISP2
ip route 0.0.0.0 0.0.0.0 76.y.y.y 10

The above example shows how we can perform failover for PAT (Port Address Translation) for traffic going out to the Internet. By using route-maps and the "match interface" option, we can achieve failover for static NAT translations as well, which are generally configured when services hosted inside (a web server or Exchange server, for instance) must be accessible from the Internet:

route-map isp1static permit 10
 match interface FastEthernet0/0
!
route-map isp2static permit 10
 match interface FastEthernet1/0
!
! IOS needs "extendable" when one inside address maps to two global addresses
ip nat inside source static 172.168.60.2 12.x.x.x route-map isp1static
ip nat inside source static 172.168.60.2 76.x.x.x route-map isp2static


The links below are also interesting:

Questions:

What I don't understand:
  • What about the access-lists? Right now you apply an access-list to an interface. How should I do this when I'm going to work with 2 ISPs?
  • What about the port forwards? My server must remain reachable if Telenet goes down (it runs a dyndns client, so that should not be a problem).
Can you help me on my way to turn my current configuration into a good failover configuration
(help with rebuilding it)? If you can give a few examples with extra explanation, that will already get me a long way.

Thanks in advance for reading the TS and for your help. If any extra info is needed, just ask!

crash_burn
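The NAT part of the quoted example, carried over to the 1801's own interfaces (FastEthernet0 for the Telenet cable link, Dialer0 for the Scarlet PPPoE session) and extended with the inbound ACL and the port forwards that the two questions above ask about. This is an added example, not configuration posted by the topic starter or by anyone else in the thread. The interface names, ACL numbers 101 and 120 and the server 10.10.10.80 come from the posted config; the route-map names NAT-TELENET and NAT-SCARLET are mine, and only three of the posted forwards are shown. That the IOS release on the router accepts two `interface`-form static entries for the same inside socket is an assumption to verify (check `show ip nat translations` after entering them); the fallback is the `route-map` form from the quoted example with `extendable` and explicit global addresses.

```cisco
! Added example, not the OP's config. Both WAN interfaces are "ip nat outside"
! and carry the same inbound ACL. An ACL is bound per interface, so the one
! list 120 is simply applied on each WAN interface.
interface FastEthernet0
 description Telenet cable (primary)
 ip address dhcp
 ip access-group 120 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface Dialer0
 description Scarlet ADSL (backup)
 ip address negotiated
 ip access-group 120 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ! ppp authentication / chap / pap lines as in the posted Dialer0 config
!
! Inside hosts that may be translated: the LAN prefix only.
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
! Each route-map matches on the interface the routing table chose for the
! packet, so the translation follows whichever default route is active.
! "match interface" is what makes the PAT fail over.
route-map NAT-TELENET permit 10
 match ip address 101
 match interface FastEthernet0
!
route-map NAT-SCARLET permit 10
 match ip address 101
 match interface Dialer0
!
! Replaces the single "ip nat inside source list 101 interface ... overload"
! with one overload rule per WAN interface.
ip nat inside source route-map NAT-TELENET interface FastEthernet0 overload
ip nat inside source route-map NAT-SCARLET interface Dialer0 overload
!
! Port forwards: one static entry per WAN interface for every published
! port (assumption: the release accepts both entries for the same socket).
ip nat inside source static tcp 10.10.10.80 80 interface FastEthernet0 80
ip nat inside source static tcp 10.10.10.80 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.80 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.10.80 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.80 25 interface FastEthernet0 25
ip nat inside source static tcp 10.10.10.80 25 interface Dialer0 25
```

Three things to keep in mind with this layout. First, `ip inspect firewall in` on Vlan1 opens the return path in whichever WAN ACL the session leaves through, so ACL 120 does not need an `established` line at all; the one in the posted config, `permit tcp any 0.0.0.0 255.255.255.0 established`, matches only destination addresses whose last octet is 0, because wildcard 255.255.255.0 ignores the first three octets and fixes the last. Likewise the `permit tcp host 10.10.10.3 any eq telnet/22` lines can never legitimately match on an Internet-facing inbound list: a packet arriving from outside with a 10.10.10.3 source is spoofed. Those host rules belong on Vlan1 only. Second, inbound connections via the backup address only work while the primary default route is withdrawn, since the server's replies follow the routing table; while Telenet is up, a connection to the Scarlet address is answered out FastEthernet0 and fails. For pure failover that is exactly the wanted behaviour, and the dyndns client will update the name once its own traffic leaves via Scarlet. Third, run `clear ip nat translation *` after changing the NAT rules, otherwise translations built under the old rule keep their old outside interface until they time out.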


Pieter Kimpen
No longer applicable. If anyone still has ideas, feel free to let me know.

[ Edited 115% by Pieter Kimpen on 25-11-2012 19:01 ]



Bl@ckbird
You could take a look at Cisco Performance Routing. It lets you load-balance outbound traffic over several connections based on certain parameters, such as available bandwidth, latency, etc.
http://www.cisco.com/go/pfr

~ Fly Yourself Cheaply? ~ Sent using RFC 1149. Note: No animals were harmed during this data transfer. ~



Anonymous: 484671

Topic starter
Thanks for your reply, Bl@ckbird.
However, I don't want to do load balancing, but pure failover.
(The Scarlet ADSL line is a small 6 Mbps down / 1 Mbps up line. The Telenet connection has better figures: 80 Mbps down / 5 Mbit up.)

Can I also use Cisco Performance Routing for this? I can't really tell from the documents on the Cisco website (via the link you gave me).


Bl@ckbird
For pure failover, search for static routing with enhanced object tracking. With this you specify an object (for example your ISP's DNS server). The router pings these objects. If that stops working, the connection is switched over.

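Static routing with enhanced object tracking, as suggested above, written out for the 1801 in this thread. This is an added example and not configuration from the post. The floating static route in the example the topic starter quoted only fails over when the primary interface goes down; a cable modem keeps its Ethernet side up when the DOCSIS link drops, so here the primary default route is tied to an ICMP probe instead. Assumptions, all mine: the probe target 193.74.208.65 is simply the first name-server from the posted config (any host on the Telenet side that answers ping will do); the `ip sla` and `track ... ip sla` syntax is the 12.4T form (12.4 mainline images spell it `ip sla monitor` / `type echo protocol ipIcmpEcho` / `track ... rtr`); and the two `ip dhcp client` commands are present on the router's image, which `?` on the interface will confirm.

```cisco
! Added example, not the OP's config. Primary: FastEthernet0 (Telenet, DHCP).
! Backup: Dialer0 (Scarlet ADSL, PPPoE), configured as in the posted config.
!
! Probe the target every 10 s, sourced from FastEthernet0 so the echo goes
! out with the cable link's own address. Target address is an assumption.
ip sla 1
 icmp-echo 193.74.208.65 source-interface FastEthernet0
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe. The delays keep one lost reply from
! flipping the routing table back and forth.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! FastEthernet0 learns its address and gateway by DHCP. Tie the DHCP-installed
! default route to track 1 and give it distance 1 so it beats the floating
! static route below while the probe succeeds (a DHCP route is 254 by default).
! The "ip dhcp client" lines must precede "ip address dhcp"; on a running
! interface re-enter "ip address dhcp" afterwards so they take effect.
interface FastEthernet0
 description Telenet cable (primary)
 ip dhcp client default-router distance 1
 ip dhcp client route track 1
 ip address dhcp
!
! Floating static default route over the ADSL dialer. Distance 10 > 1, so it
! only enters the routing table once the tracked DHCP route is withdrawn.
! This replaces "ip route 0.0.0.0 0.0.0.0 FastEthernet0" from the posted config.
ip route 0.0.0.0 0.0.0.0 Dialer0 10
!
! Pin the probe target to the primary link. Without this, as soon as the DHCP
! route is withdrawn the probe would follow the backup default route, succeed
! via Scarlet, bring track 1 up again and flap the routes. An interface route
! over Ethernet relies on the ISP gateway answering proxy ARP, the same
! assumption the posted "ip route ... FastEthernet0" already makes.
ip route 193.74.208.65 255.255.255.255 FastEthernet0
```

Check the result with `show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0`, and test the failover by disconnecting the coax (or the provider side) of the cable modem rather than its Ethernet cable: pulling the Ethernet cable takes the interface down and would pass the test even without any tracking. Existing NAT translations that were built while FastEthernet0 was active keep that outside interface until they time out, so an outage is followed by a short period in which old sessions still fail; clearing them with `clear ip nat translation *` on a track state change (for example from an EEM applet) is possible but is left out here.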



Anonymous: 484671

Topic starter
OK. Just as already stated above in my TS (under what I found).
But can I then use that same ACL, or do I need to define several, and what about the port mappings?


Anonymous: 484671

Topic starter
Anyone have more tips or possible solutions?