08-22-2011 11:32 AM - edited 03-04-2019 01:21 PM
I originally had a single ISP for accessing the internet from my internal network. The Cisco 3845 router has an interface that is connected directly to my ASA for access to the ISP.
I have now added a second ISP for access to the internet which is located on another site on my MPLS WAN which has greater bandwidth. I want to route almost all of my users' internet requests out that MPLS WAN interface, but I also have a few hosts on my internal network that still need to access the internet using the original ISP link.
My initial thought was to create an access-list of the IP addresses of the hosts that I needed to access the internet through the original ISP. The access-list would be to allow those IP addresses to my internal network but deny to everything else, and then apply that access-group to the interface going to the internal WAN MPLS. I would also create two default routes, with the one to the WAN MPLS as the primary and the second with a higher cost pointing to my original ISP interface. My thought being that when the IP addresses in the access-list attempted to go out the main WAN MPLS interface, they would be denied and would then try to go out the original ISP interface.
I don't know for sure this would work and since it is production, can't do too much playing except at night or during the weekend.
Does anyone know if this would work? Or better, does anyone have a better (or at least maybe different) way of doing this?
Any help would be appreciated!
Gene
08-22-2011 11:38 AM
The right approach is configuring PBR (Policy Based Routing).
Configure an access-list to match the hosts destined to the local ISP and change the next hop.
Other hosts will use the MPLS WAN.
for instance:
! ACL selecting the hosts to policy-route (order as posted; see the follow-up below)
access-list 101 permit ip [hosts] any
access-list 101 deny ip [hosts] [MPLS WAN subnets]
! Route-map: packets permitted by ACL 101 get the ISP link as next hop
route-map NETPRO permit 10
match ip address 101
set ip next-hop [ISP_Link]
! Apply the policy on the inside (LAN-facing) interface
interface fax/x
description inside interface
ip policy route-map NETPRO
08-22-2011 12:05 PM
That sounds like a much better solution. However, as I read the access-list, the hosts would be the IP addresses of the machines I want to go out the original ISP link. If [hosts] represents the IP addresses of the hosts I want to go out the original ISP in both statements, then those hosts would never get to the second line to match it. Shouldn't the two lines of the access-list be reversed, so that if my hosts were going to one of my internal subnets on the WAN it would be a match to deny and would not therefore go to the new next hop? But if the IP address did not match the deny, it would go on and would be matched by the next line as a permit. As I read the access-list, the [hosts] IP addresses would really never get to the second line of the access-list.
08-22-2011 12:08 PM
Gene
Yes, you should reverse the ACL, i.e. for the destination subnets you do not want to policy route, use deny entries in your ACL and then have the permit statement at the end.
Jon
08-22-2011 12:13 PM
Gene,
You are correct, my apologies.
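To show why the ACL order matters for the route-map above, here is an added example (not part of the thread) that simulates IOS first-match ACL evaluation and the route-map decision; the host addresses, MPLS subnets and next hop are constructed placeholders.

```python
import ipaddress

# Constructed sample addressing (not from the thread): hosts that must keep
# using the original ISP, the internal MPLS WAN subnets, and the next hops.
PBR_HOSTS = ["10.1.1.10/32", "10.1.1.11/32"]
MPLS_WAN_SUBNETS = ["10.20.0.0/16", "10.30.0.0/16"]
ISP_LINK = "192.0.2.1"          # next hop set by "set ip next-hop"
DEFAULT_ROUTE = "MPLS WAN"      # what the routing table does otherwise

def ace(action, src_list, dst_list):
    """One access-list entry; use 0.0.0.0/0 for 'any'."""
    return (action,
            [ipaddress.ip_network(n) for n in src_list],
            [ipaddress.ip_network(n) for n in dst_list])

# Order as originally posted: the permit line matches first, so the deny
# line for the MPLS destinations is never reached.
ACL_AS_POSTED = [
    ace("permit", PBR_HOSTS, ["0.0.0.0/0"]),
    ace("deny", PBR_HOSTS, MPLS_WAN_SUBNETS),
]
# Order after the correction: deny the MPLS destinations, then permit the rest.
ACL_CORRECTED = [
    ace("deny", PBR_HOSTS, MPLS_WAN_SUBNETS),
    ace("permit", PBR_HOSTS, ["0.0.0.0/0"]),
]

def acl_matches(acl, src, dst):
    """First-match evaluation as IOS does it, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, srcs, dsts in acl:
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action == "permit"
    return False

def next_hop(acl, src, dst):
    """route-map NETPRO permit 10 / match ip address 101: a packet the ACL
    permits gets the set next hop; anything else follows the routing table."""
    return ISP_LINK if acl_matches(acl, src, dst) else DEFAULT_ROUTE

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        print(name, "| to MPLS site:", next_hop(acl, "10.1.1.10", "10.20.5.5"),
              "| to internet:", next_hop(acl, "10.1.1.10", "198.51.100.7"))
```

With the posted order, a policy-routed host's traffic to an internal MPLS subnet is also sent to the ISP next hop; with the corrected order only its internet-bound traffic is, and hosts outside the ACL always follow the routing table.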