897VA Multiple VLAN to Dual WAN Routing

Abe_00
Level 1

I have configured an 897VA with two WAN ports and 6 VLANs.  What I'm trying to achieve is to have the connected hosts in VLAN 4 go out to the Internet via WAN 2, and all other VLANs go out via WAN 1.  All VLANs should be able to communicate with each other as they do now (albeit I will look at a later date to lock down the GuestWiFi VLAN).


I've experimented a bit with Policy-Based Routing, but I haven't been able to get it to work.


Would someone be able to give me some advice please?


Here's the overall summary, actual config is below:


WAN 1 - VDSL connected to BT Infinity (tested ok)

WAN 2 - GE WAN connected to Huawei B535 and out to the Three 4G network


VLAN 2 - Cameras (192.168.2.0/24)

VLAN 3 - Users (192.168.3.0/24)

VLAN 4 - Secure (192.168.4.0/24) <--- this is the VLAN I'd like to go out via WAN 2

VLAN 5 - Servers (192.168.5.0/24)

VLAN 6 - GuestWiFi (192.168.6.0/24)

VLAN 7 - Management (192.168.7.0/24)


!
! Last configuration change at 09:11:08 UTC Mon Apr 27 2020
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
enable password 7 xxxxx
!
no aaa new-model
ethernet lmi ce
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.240 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.240 192.168.3.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.240 192.168.4.254
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.6.1 192.168.6.39
ip dhcp excluded-address 192.168.6.240 192.168.6.254
ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.7.240 192.168.7.254
!
ip dhcp pool Cameras
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254 
 dns-server 192.168.2.254 
 lease 7
!
ip dhcp pool Users
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.254 
 dns-server 192.168.3.254 
 lease 7
!
ip dhcp pool Secure
 import all
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254 
 dns-server 192.168.4.254 
 lease 7
!
ip dhcp pool Servers
 import all
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254 
 dns-server 192.168.5.254 
 lease 7
!
ip dhcp pool GuestWiFi
 import all
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254 
 dns-server 192.168.6.254 
!
ip dhcp pool Management
 import all
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.254 
 dns-server 192.168.7.254 
 lease 7
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C897VA-M-K9 sn xxxxx
!
!
vtp mode transparent
!
!
controller VDSL 0
!
vlan 2
 name Cameras
!
vlan 3
 name Users
!
vlan 4
 name Secure
!
vlan 5
 name Servers
!
vlan 6
 name GuestWiFi
!
vlan 7 
!
vlan 10
 name LAN-VRF01666
!
vlan 30
 name LAN-VRF01667
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 3
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 4
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 5
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 6
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 7
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.8.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan5
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan6
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan7
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for VDSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 7 xxxxx
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source list NAT interface Dialer1 overload
ip nat inside source list Secure interface Ethernet0.101 overload
ip nat inside source list nat interface Ethernet0.101 overload
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.255.255 any
 remark Access list for NAT
!
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
 password 7 xxxxx
 login
 no modem enable
line aux 0
line vty 0
 exec-timeout 40 0
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
line vty 1 4
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
!
end

6 Replies

Richard Burts
Hall of Fame

This is the second time today that you have posted this question. This is the later of the postings but I am not sure if it is any different. The first point that I would make is that if you want routing for traffic originating from vlan 4 to be routed differently from the other vlans then Policy Based Routing is what you need to implement. The second point I would make is that I do not see anything in the posted configuration that relates to PBR. The third point I would make is that in general if you want to do address translation for 2 outbound interfaces it is generally better to use route maps to control the translation and in the route map you can match on both the outbound interface and the acl to identify the traffic.

HTH

Rick

Thanks Rick, yes this is the second time I've posted this.  The first time it was marked as spam for some reason, so I thought no-one could see it.


I've got PBR working now for VLAN 4, in that the default route now points at Dialer 1 but internet-bound traffic coming from VLAN 4 goes out via the GE WAN.


However, I can no longer ping hosts on other VLANs from VLAN 4.

Thanks for the clarification. I have no idea what is the story with your first posting but it was certainly visible to me. Without seeing the current config it is difficult to be sure but it certainly sounds like when you wrote the acl to identify traffic to be Policy Routed that you just did a permit 192.168.4.0 to any. And that results in all traffic from vlan 4 being forwarded to outside. If you want vlan 4 to communicate with other vlans then your acl needs to start by deny 192.168.4.0 to the subnets of the other vlans. This sometimes makes people nervous because it feels like you are denying the traffic to flow to the other vlans. But remember that this acl is not being applied to the interface to filter traffic but is being used only to identify traffic to be policy routed. So it is appropriate to deny vlan 4 to other vlans and then permit vlan 4 to any.

HTH

Rick
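A small simulation of the ACL semantics Rick describes, added here as an illustration and not code from the thread. It parses IOS-style `access-list 100` lines, applies first-match-wins with the implicit deny, and maps a permit to the route-map's `set ip next-hop 192.168.8.1` and a deny to normal routing (assumed here to be the default route via Dialer1). The "broken" ACL is the single `permit 192.168.4.0 any` that Rick suspects; the "fixed" one is the deny-then-permit pattern he recommends.

```python
import ipaddress


def _wild_to_net(addr, wild):
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wild)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST'; SRC/DST is 'any' or 'addr wildcard'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action, nets, i = tok[2], [], 4
    while len(nets) < 2:
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(_wild_to_net(tok[i], tok[i + 1]))
            i += 2
    return action, nets[0], nets[1]


def first_match(acl_lines, src, dst):
    """IOS semantics: the first matching ACE wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in map(parse_ace, acl_lines):
        if s in src_net and d in dst_net:
            return action
    return "deny"


def pbr_next_hop(acl_lines, src, dst, pbr_hop="192.168.8.1", normal="Dialer1"):
    """A permit in the route-map's match ACL applies 'set ip next-hop'; a deny
    (explicit or implicit) is not a filter, it just leaves the packet to normal routing."""
    return pbr_hop if first_match(acl_lines, src, dst) == "permit" else normal


# Constructed ACLs: the "permit vlan 4 to any" that sends everything to WAN 2, versus
# the deny-other-VLANs-then-permit-any pattern (denies for VLANs 1,2,3,5,6,7 as in the thread).
BROKEN_ACL = ["access-list 100 permit ip 192.168.4.0 0.0.0.255 any"]
FIXED_ACL = [f"access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.{v}.0 0.0.0.255"
             for v in (1, 2, 3, 5, 6, 7)]
FIXED_ACL.append("access-list 100 permit ip 192.168.4.0 0.0.0.255 any")

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        for dst in ("192.168.3.10", "8.8.8.8"):
            print(name, "192.168.4.10 ->", dst, "via", pbr_next_hop(acl, "192.168.4.10", dst))
```

With the broken ACL a ping from VLAN 4 to VLAN 3 is policy-routed to 192.168.8.1 and never reaches the Users subnet; with the fixed ACL it falls through to normal routing while Internet-bound traffic still goes to WAN 2.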

You're a genius, updated the ACL and all working!


Final config below:

!
! Last configuration change at 17:19:44 UTC Mon Apr 27 2020
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
enable password 7 xxxxx
!
no aaa new-model
ethernet lmi ce
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.240 192.168.2.254
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.240 192.168.3.254
ip dhcp excluded-address 192.168.4.1 192.168.4.99
ip dhcp excluded-address 192.168.4.240 192.168.4.254
ip dhcp excluded-address 192.168.5.1 192.168.5.99
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.6.1 192.168.6.39
ip dhcp excluded-address 192.168.6.240 192.168.6.254
ip dhcp excluded-address 192.168.7.1 192.168.7.99
ip dhcp excluded-address 192.168.7.240 192.168.7.254
!
ip dhcp pool Cameras
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254 
 dns-server 192.168.2.254 
 lease 7
!
ip dhcp pool Users
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.254 
 dns-server 192.168.3.254 
 lease 7
!
ip dhcp pool Secure
 import all
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.254 
 dns-server 192.168.4.254 
 lease 7
!
ip dhcp pool Servers
 import all
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.254 
 dns-server 192.168.5.254 
 lease 7
!
ip dhcp pool GuestWiFi
 import all
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.254 
 dns-server 192.168.6.254 
!
ip dhcp pool Management
 import all
 network 192.168.7.0 255.255.255.0
 default-router 192.168.7.254 
 dns-server 192.168.7.254 
 lease 7
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
license udi pid C897VA-M-K9 sn xxxxx
!
!
vtp mode transparent
!
!
controller VDSL 0
!
vlan 2
 name Cameras
!
vlan 3
 name Users
!
vlan 4
 name Secure
!
vlan 5
 name Servers
!
vlan 6
 name GuestWiFi
!
vlan 7 
!
vlan 10
 name LAN-VRF01666
!
vlan 30
 name LAN-VRF01667
!
! 
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 3
 no ip address
!
interface GigabitEthernet4
 switchport access vlan 4
 no ip address
!
interface GigabitEthernet5
 switchport access vlan 5
 no ip address
!
interface GigabitEthernet6
 switchport access vlan 6
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 7
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.8.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map Secure_to_ISP_2
!
interface Vlan5
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan6
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan7
 ip address 192.168.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for VDSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 7 xxxxx
 ppp ipcp address accept
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.255.255 any
 remark Access list for NAT
!
!
route-map Secure_to_ISP_2 permit 10
 match ip address 100
 set ip next-hop 192.168.8.1
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
line con 0
 password 7 xxxxx
 login
 no modem enable
line aux 0
line vty 0
 exec-timeout 40 0
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
line vty 1 4
 privilege level 15
 password 7 xxxxx
 logging synchronous
 login
 transport input telnet
!
scheduler allocate 20000 1000
!
end

I am glad that my suggestions pointed you in the right direction and that now it is working. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

@Abzal and @paul driver, this is the other duplicate discussion on the same topic you've both been helping me with.

I've attempted to close down the other one, but I'm still interested in your suggestions.

Many thanks,

Abe.