1 router, 2 ISP: Routing specific IP addresses out specific ISP interface

gkeel
Level 1

I originally had a single ISP for accessing the internet from my internal network.  The Cisco 3845 router has an interface that is connected directly to my ASA for access to the ISP.

I have now added a second ISP for access to the internet which is located on another site on my MPLS WAN which has greater bandwidth.  I want to route almost all of my users' internet requests out that MPLS WAN interface, but I also have a few hosts on my internal network that still need to access the internet using the original ISP link.

My initial thought was to create an access-list of the IP addresses of the hosts that I needed to access the internet through the original ISP.  The access-list would be to allow those IP addresses to my internal network but deny to everything else and then apply that access-group to the interface going to the internal WAN MPLS.   I would also create two default routes with the one to the WAN MPLS as the primary and the second with a higher cost pointing to my original ISP interface.  My thought being that when the IP addresses in the access-list attempted to go out the main WAN MPLS interface, they would be denied and would then try to go out the original ISP interface.

I don't know for sure this would work and since it is production, can't do too much playing except at night or during the weekend. 

Does anyone know if this would work?  Or better, does anyone have a better (or at least maybe different) way of doing this?

Any help would be appreciated!

Gene 


4 Replies

Edison Ortiz
Hall of Fame

The right approach is configuring PBR (Policy Based Routing).

Configure an access-list to match the hosts destined to the local ISP and change the next hop.

Other hosts will use the MPLS WAN.

for instance:

access-list 101 permit ip [hosts] any
access-list 101 deny ip [hosts] [MPLS WAN subnets]
!
route-map NETPRO permit 10
 match ip address 101
 set ip next-hop [ISP_Link]
!
interface fa x/x
 description inside interface
 ip policy route-map NETPRO

That sounds like a much better solution.   However, as I read the access-list, the hosts would be the IP addresses of the machines I want to go out the original ISP link.  If [hosts] represents the IP address of the hosts I want to go out the original ISP in both statements, then those hosts would never get to the second line to match it.  Shouldn't the two lines of the access-list be reversed so that if my hosts were going to one of my internal subnets on the WAN it would be a match to deny and would not therefore go to the new next hop?  But if the IP address did not match the deny, it would go on and would be matched by the next line as a permit.  As I read the access-list, the [hosts] IP addresses would really never get to the second line of the access-list.

Gene

Yes, you should reverse the acl ie. for the destination subnets you do not want to policy route then use deny entries in your acl and then have the permit statement at the end.

Jon

Gene,

You are correct, my apologies.
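As an added example that is not from any poster in this thread, here is the PBR configuration Edison outlined, written out with the ACL ordering corrected as Gene and Jon agreed: the deny entries for internal and MPLS WAN destinations come first, and the permit that triggers policy routing comes last. Every address and interface name is a constructed placeholder: 10.1.10.5 and 10.1.10.6 stand for the hosts that must keep using the original ISP, 10.0.0.0/8 for the internal and MPLS WAN address space, 203.0.113.1 for the next hop toward the original ISP (the ASA), and FastEthernet0/0 for the inside interface.

```cisco
! Constructed example configuration (placeholder addresses), not the thread's own config.
!
! ACL 101 is evaluated top down and the first match wins:
!   deny   = do NOT policy route; the packet follows the routing table, so
!            internal and MPLS WAN destinations stay on the primary default route
!   permit = policy route to the original ISP next hop
! Everything that matches no line (all other hosts) hits the implicit deny and
! is routed normally toward the MPLS WAN.
access-list 101 remark PBR: exempt internal/MPLS WAN destinations first
access-list 101 deny   ip host 10.1.10.5 10.0.0.0 0.255.255.255
access-list 101 deny   ip host 10.1.10.6 10.0.0.0 0.255.255.255
access-list 101 remark PBR: everything else from these hosts -> original ISP
access-list 101 permit ip host 10.1.10.5 any
access-list 101 permit ip host 10.1.10.6 any
!
route-map NETPRO permit 10
 match ip address 101
 set ip next-hop 203.0.113.1
!
! PBR is applied to traffic arriving on the inside interface.
interface FastEthernet0/0
 description inside interface
 ip policy route-map NETPRO
!
! Verification from exec mode (read-only, safe in production):
!   show route-map NETPRO   - per-sequence packet/byte match counters
!   show ip policy          - interfaces with a policy route-map applied
```

The deny lines must cover every destination reachable across the MPLS WAN and the local site; anything those hosts send elsewhere falls through to the permit and is handed to the original ISP next hop. `set ip next-hop` overrides the routing table for matched packets, which is why the exemptions have to be explicit in the ACL rather than relying on more specific routes. The match counters in `show route-map NETPRO` make it possible to confirm the ordering behaves as intended during a maintenance window before depending on it.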
