01-14-2023 01:33 PM - edited 01-14-2023 01:39 PM
Hello,
I have a question.
Currently I am trying to configure my new Cisco 1111 router.
Now to my problem:
I have two internet connections from two ISP. I would like to bundle both connections and get a load balancing, and therefore also reach the double speed (both connections are 300 Mbit each).
So far I haven't really found a way to configure this.
Would it be possible to connect a 3rd WAN port and route only one specific IP over this WAN?
Thanks
01-16-2023 07:40 AM - edited 01-16-2023 07:40 AM
Hello,
thank you very much for your help! But it does not want to work.
Attached again the current config, maybe I have an error somewhere?
Current configuration : 6744 bytes
!
! Last configuration change at 14:15:08 UTC Mon Jan 16 2023 by webui
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
no ip domain lookup
ip dhcp excluded-address 10.60.1.1
ip dhcp excluded-address 10.127.1.1
ip dhcp excluded-address 10.128.1.1
ip dhcp excluded-address 10.42.1.1
!
ip dhcp pool dpool_IP_Device
network 10.60.0.0 255.255.254.0
default-router 10.60.1.1
domain-name network.intern
dns-server 8.8.8.8
!
ip dhcp pool dpool_IP_Service
network 10.127.0.0 255.255.254.0
default-router 10.127.1.1
domain-name network.intern
dns-server 8.8.8.8
!
ip dhcp pool dpool_Guest
network 10.42.1.0 255.255.255.0
default-router 10.42.1.1
domain-name guest.intern
dns-server 8.8.8.8
!
ip dhcp pool dpool_Camera
network 10.128.1.0 255.255.255.128
default-router 10.128.1.1
domain-name network.intern
dns-server 8.8.8.8
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid C1111-8P sn FCZ4710345N
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username admin privilege 15 password 0 cisco
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
vlan 1034,1063,1184,2114
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description ISP 1 WAN INNONET
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description ISP 2 WAN Magenta
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 1034
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1034
ip address 10.60.1.1 255.255.254.0
ip nat inside
ip policy route-map TO_ISP_1_PBR
!
interface Vlan1063
ip address 10.127.1.1 255.255.254.0
ip nat inside
ip policy route-map TO_ISP_1_PBR
!
interface Vlan1184
ip address 10.128.1.1 255.255.255.128
ip nat inside
ip policy route-map TO_ISP_2_PBR
!
interface Vlan2114
ip address 10.42.1.1 255.255.255.0
ip nat inside
ip policy route-map TO_ISP_2_PBR
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip tcp synwait-time 5
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1
ip sla schedule 2 life forever start-time now
access-list 101 permit ip 10.60.0.0 0.0.1.255 any
access-list 101 permit ip 10.127.0.0 0.0.1.255 any
access-list 101 permit ip 10.128.0.0 0.0.127.255 any
access-list 101 permit ip 10.42.0.0 0.0.127.255 any
access-list 102 permit ip 10.60.0.0 0.0.1.255 any
access-list 102 permit ip 10.127.0.0 0.0.1.255 any
access-list 103 permit ip 10.128.0.0 0.0.127.255 any
access-list 103 permit ip 10.42.0.0 0.0.127.255 any
!
!
route-map ISP_1 permit 10
match ip address 101
match interface GigabitEthernet0/0/0
!
route-map ISP_2 permit 10
match ip address 101
match interface GigabitEthernet0/0/1
!
route-map TO_ISP_2_PBR permit 10
match ip address 103
set interface GigabitEthernet0/0/1
!
route-map TO_ISP_2_PBR permit 20
!
route-map TO_ISP_1_PBR permit 10
match ip address 102
set interface GigabitEthernet0/0/0
!
route-map TO_ISP_1_PBR permit 20
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
!
!
!
!
event manager applet ISP_1_UP
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0"
action 1.4 cli command "ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload"
action 1.5 cli command "interface vlan1034"
action 1.6 cli command "ip policy route-map TO_ISP_1_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan1063"
action 1.9 cli command "ip policy route-map TO_ISP_1_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_1_DOWN
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0"
action 1.4 cli command "no ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload"
action 1.5 cli command "interface vlan1034"
action 1.6 cli command "no ip policy route-map TO_ISP_1_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan1063"
action 1.9 cli command "no ip policy route-map TO_ISP_1_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_2_UP
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1"
action 1.4 cli command "ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload"
action 1.5 cli command "interface vlan1184"
action 1.6 cli command "ip policy route-map TO_ISP_2_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan2114"
action 1.9 cli command "ip policy route-map TO_ISP_2_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_2_DOWN
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1"
action 1.4 cli command "no ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload"
action 1.5 cli command "interface vlan1034"
action 1.6 cli command "no ip policy route-map TO_ISP_2_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan1063"
action 1.9 cli command "no ip policy route-map TO_ISP_2_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
!
In your configuration you had one ".0" too many in the ACLs (you wrote access-list 101 permit ip 10.60.1.0.0 0.0.1.255 any); it gave me an error at startup, so I have adjusted it. Could the error be here?
This message also came:
%Default route without gateway, if not a point-to-point interface, may impact performance
%Default route without gateway, if not a point-to-point interface, may impact performance
%Warning:Use P2P interface for routemap setinterface clause
%Warning:Use P2P interface for routemap setinterface clause
Warning: Assumed end-quote for quoted string
Warning: Assumed end-quote for quoted string
Warning: Assumed end-quote for quoted string
Warning: Assumed end-quote for quoted string
I can only say thank you again for your help.
01-16-2023 11:06 AM
Maybe I am late, but why do we need EEM in this case?
01-16-2023 11:35 AM
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 100
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
!
route-map TO_ISP_1_PBR permit 10
match ip address 102
set interface GigabitEthernet0/0/0
Great thanks to @paul driver, I learned this way from him.
Now VLAN1,2 use PBR
VLAN3,4,5 use the RIB
Now if g0/0/0 is up then VLAN1,2 will use PBR for their traffic.
If g0/0/0 is down, VLAN1,2 will use the RIB (the path via g0/0/1 is preferred over the path via g0/0/0).
The other VLANs will always use the RIB, and hence we make the path via g0/0/1 preferred over g0/0/0, so their traffic will go via g0/0/1.
If g0/0/1 is down then all VLANs (via PBR and RIB) will use g0/0/0.
01-17-2023 03:33 PM
Does anyone have an idea or can help me implement it?
thank you
alex
01-17-2023 04:57 PM
Firstly, what specific model 1100, what specific IOS version, and what specific IOS features/licenses (if applicable).
What have you done/tried, to date?
At the simplest, default routes to each ISP will (statically) load balance. If a link fails, and is detected by the router, that default route (for the down port) will become inactive. (NB: In-flight traffic that went out one port [natted], though, will not find its way back via the other port, if the down port's IP is the destination. In-flight sessions that used the down port will likely fail.)
If one port's "path" is broken, but port/link still up, then dealing with that is much more involved, so, I would suggest, we first work getting your multiple links to carry traffic, then we can work on "advanced" fault recovery.
Do understand, without having a public IP used by multiple ISPs, in-flight sessions, that went across the failed path, are likely to fail. New sessions should go out remaining good paths, but if a failed path recovers, only more new sessions will use it.
As getting a true public IP might be problematic for you, you might consult whether your existing ISPs can provide redundancy to your site (i.e. using the IP they provide).
01-17-2023 04:59 PM
Did you check my comment above?
01-20-2023 02:15 PM
Hello again,
I have uploaded my current Config again in the attachment. Maybe someone of you will find an error.
The VLANs work without problems, but I am not able to get out externally. A ping from the router to 8.8.8.8 also fails. I think there is a problem somewhere in the static routing!
Thank you all!
PS: I'm in the learning process right now, so apologies if I'm stupid. Thanks
@MHM Cisco World I have tried, but unfortunately did not manage it. What exactly do I have to change or delete in the config?
@Joseph W. Doherty Thank you for your explanation. I have a Cisco 1111 8-port with the following licenses:
appxk9, securityk9, ipbase
IOS version: 16.06.05
Current Config:
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip name-server 8.8.8.8
ip dhcp excluded-address 10.60.4.1
ip dhcp excluded-address 10.127.8.1
ip dhcp excluded-address 10.128.1.1
ip dhcp excluded-address 10.42.1.1
!
ip dhcp pool dpool_IP_Device
network 10.60.4.0 255.255.254.0
default-router 10.60.4.1
dns-server 8.8.8.8
domain-name network.intern
!
ip dhcp pool dpool_IP_Service
network 10.127.8.0 255.255.254.0
default-router 10.127.8.1
dns-server 8.8.8.8
domain-name network.intern
!
ip dhcp pool dpool_Camera
network 10.128.1.0 255.255.255.128
default-router 10.128.1.1
dns-server 8.8.8.8
domain-name network.intern
!
ip dhcp pool dpool_Guest
network 10.42.1.0 255.255.255.0
default-router 10.42.1.1
dns-server 8.8.8.8
domain-name guest.intern
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
vlan 1034,1063,1184,2114
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description ISP 1 WAN INNONET
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description ISP 2 WAN Magenta
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 1034
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
interface Vlan1034
ip address 10.60.4.1 255.255.254.0
ip nat inside
ip policy route-map TO_ISP_1_PBR
!
interface Vlan1063
ip address 10.127.8.1 255.255.254.0
ip nat inside
ip policy route-map TO_ISP_1_PBR
!
interface Vlan1184
ip address 10.128.1.1 255.255.255.128
ip nat inside
ip policy route-map TO_ISP_2_PBR
!
interface Vlan2114
ip address 10.42.1.1 255.255.255.0
ip nat inside
ip policy route-map TO_ISP_2_PBR
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip tcp synwait-time 5
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1
ip sla schedule 2 life forever start-time now
access-list 101 permit ip 10.60.4.0 0.0.1.255 any
access-list 101 permit ip 10.127.8.0 0.0.1.255 any
access-list 101 permit ip 10.128.1.0 0.0.0.127 any
access-list 101 permit ip 10.42.1.0 0.0.0.255 any
access-list 102 permit ip 10.60.4.0 0.0.1.255 any
access-list 102 permit ip 10.127.0.0 0.0.1.255 any
access-list 103 permit ip 10.128.1.0 0.0.0.127 any
access-list 103 permit ip 10.42.1.0 0.0.0.255 any
!
!
route-map ISP_1 permit 10
match ip address 101
match interface GigabitEthernet0/0/0
!
route-map ISP_2 permit 10
match ip address 101
match interface GigabitEthernet0/0/1
!
route-map TO_ISP_2_PBR permit 10
match ip address 103
set interface GigabitEthernet0/0/1
!
route-map TO_ISP_2_PBR permit 20
!
route-map TO_ISP_1_PBR permit 10
match ip address 102
set interface GigabitEthernet0/0/0
!
route-map TO_ISP_1_PBR permit 20
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
length 0
!
!
!
!
!
event manager applet ISP_1_UP
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0"
action 1.4 cli command "ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload"
action 1.5 cli command "interface vlan1034"
action 1.6 cli command "ip policy route-map TO_ISP_1_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan1063"
action 1.9 cli command "ip policy route-map TO_ISP_1_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_1_DOWN
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0"
action 1.4 cli command "no ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload"
action 1.5 cli command "interface vlan1034"
action 1.6 cli command "no ip policy route-map TO_ISP_1_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan1063"
action 1.9 cli command "no ip policy route-map TO_ISP_1_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_2_UP
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1"
action 1.4 cli command "ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload"
action 1.5 cli command "interface vlan1184"
action 1.6 cli command "ip policy route-map TO_ISP_2_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan2114"
action 1.9 cli command "ip policy route-map TO_ISP_2_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_2_DOWN
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1"
action 1.4 cli command "no ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload"
action 1.5 cli command "interface vlan1034"
action 1.6 cli command "no ip policy route-map TO_ISP_2_PBR"
action 1.7 cli command "exit"
action 1.8 cli command "interface vlan1063"
action 1.9 cli command "no ip policy route-map TO_ISP_2_PBR"
action 2.0 cli command "exit"
action 2.1 cli command "end"
action 3.0 cli command "clear ip nat translation *"
!
end
01-21-2023 01:44 AM
Alex
I have several comments. First is that you describe 4 VLANs, but the config you posted has a single port assigned to any of those VLANs. Is there a device connected to G0/1/0? And if so, is it receiving an appropriate IP address? Are the other VLANs to be implemented later?
Your static default routes specify only the outbound interface. When applied for an Ethernet interface there are several possible issues. One of which is that it requires the connected device to support proxy arp. Is it possible that your ISPs do not support proxy arp? To test that I suggest running debug ip packet and attempt access to Internet. You should see an arp request. The important thing is whether you also see an arp response.
Both of the route maps used for PBR have stanza 10, which uses an acl to identify specific traffic to be forwarded to that ISP, and have stanza 20, which has no match statement. The effect of this is that all traffic that was not selected in 10 will now be selected. I am puzzled why @Georg Pauwen suggested doing this and believe that it defeats the purpose of using PBR. I suggest removing that stanza.
The configuration for nat uses extended access lists which specify destination of any. I have seen situations where that causes issues. And I see no benefit of using an extended acl here. I suggest changing to use standard acl to specify the source networks.
01-21-2023 04:29 PM
@alexander2003 friend, I ran a lab and successfully did load balancing with NAT overload
!
track 1 ip sla 1 reachability
!
interface FastEthernet0/0
no ip address
duplex half
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map mhm10
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map mhm20
!
interface Serial1/0
ip address 100.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
interface Serial1/1
ip address 110.0.0.1 255.255.255.0
ip nat outside
ip virtual-reassembly
serial restart-delay 0
!
ip nat inside source route-map mhm10nat interface Serial1/0 overload
ip nat inside source route-map mhm20nat interface Serial1/1 overload
ip route 0.0.0.0 0.0.0.0 Serial1/1 track 1
ip route 0.0.0.0 0.0.0.0 Serial1/0 100
ip route 110.0.0.3 255.255.255.255 Serial1/1 permanent
!
ip sla 1
icmp-echo 110.0.0.3 source-interface Serial1/1
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 20.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp log mismatch duplex
!
route-map mhm20nat permit 10
match interface Serial1/1
!
route-map mhm10nat permit 10
match interface Serial1/0
!
route-map mhm10 permit 10
match ip address 100
set interface Serial1/0
!
route-map mhm20 permit 10
set default interface Serial1/0
01-27-2023 12:15 PM
Hello,
I have done some extensive lab testing, and I think the below should work:
Last configuration change at 20:18:02 UTC Wed Jan 25 2023
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip name-server 8.8.8.8
ip dhcp excluded-address 10.60.4.1
ip dhcp excluded-address 10.127.8.1
ip dhcp excluded-address 10.128.1.1
ip dhcp excluded-address 10.42.1.1
!
ip dhcp pool dpool_IP_Device
network 10.60.4.0 255.255.254.0
default-router 10.60.4.1
dns-server 8.8.8.8
domain-name network.intern
!
ip dhcp pool dpool_IP_Service
network 10.127.8.0 255.255.254.0
default-router 10.127.8.1
dns-server 8.8.8.8
domain-name network.intern
!
ip dhcp pool dpool_Camera
network 10.128.1.0 255.255.255.128
default-router 10.128.1.1
dns-server 8.8.8.8
domain-name network.intern
!
ip dhcp pool dpool_Guest
network 10.42.1.0 255.255.255.0
default-router 10.42.1.1
dns-server 8.8.8.8
domain-name guest.intern
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3433423209
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3433423209
revocation-check none
rsakeypair TP-self-signed-3433423209
!
crypto pki certificate chain TP-self-signed-3433423209
!
license udi pid C1111-8P sn FCZ2240122N
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
username webui privilege 15 password 0 cisco
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
vlan 1034,1063,1184,2114
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0/0
description ISP 1 WAN INNONET
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description ISP 2 WAN Magenta
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 1034
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
interface Vlan1034
ip address 10.60.4.1 255.255.254.0
ip nat inside
ip policy route-map TO_ISP_1_PBR
!
interface Vlan1063
ip address 10.127.8.1 255.255.254.0
ip nat inside
ip policy route-map TO_ISP_1_PBR
!
interface Vlan1184
ip address 10.128.1.1 255.255.255.128
ip nat inside
ip policy route-map TO_ISP_2_PBR
!
interface Vlan2114
ip address 10.42.1.1 255.255.255.0
ip nat inside
ip policy route-map TO_ISP_2_PBR
!
ip forward-protocol nd
ip tcp synwait-time 5
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 8.8.4.4 255.255.255.255 GigabitEthernet0/1
ip route 8.8.8.8 255.255.255.255 192.168.1.1
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0/1
ip sla schedule 2 life forever start-time now
access-list 101 permit ip 10.60.4.0 0.0.1.255 any
access-list 101 permit ip 10.127.8.0 0.0.1.255 any
access-list 101 permit ip 10.128.1.0 0.0.0.127 any
access-list 101 permit ip 10.42.1.0 0.0.0.255 any
access-list 102 permit ip 10.60.4.0 0.0.1.255 any
access-list 102 permit ip 10.127.0.0 0.0.1.255 any
access-list 103 permit ip 10.128.1.0 0.0.0.127 any
access-list 103 permit ip 10.42.1.0 0.0.0.255 any
!
route-map ISP_1 permit 10
match ip address 101
match interface GigabitEthernet0/0/0
!
route-map ISP_2 permit 10
match ip address 101
match interface GigabitEthernet0/0/1
!
route-map TO_ISP_2_PBR permit 10
match ip address 103
set interface GigabitEthernet0/0/1
!
route-map TO_ISP_2_PBR permit 20
!
route-map TO_ISP_1_PBR permit 10
match ip address 102
set interface GigabitEthernet0/0/0
!
route-map TO_ISP_1_PBR permit 20
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
event manager applet ISP_1_UP
event track 1 state up
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 192.168.1.1"
action 1.4 cli command "interface GigabitEthernet0/0/0"
action 1.5 cli command "shut"
action 1.6 cli command "do clear ip nat translation *"
action 1.7 cli command "no shut"
action 1.8 cli command "exit"
action 1.9 cli command "ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload"
action 2.0 cli command "interface vlan1034"
action 2.1 cli command "ip policy route-map TO_ISP_1_PBR"
action 2.2 cli command "exit"
action 2.3 cli command "interface vlan1063"
action 2.4 cli command "ip policy route-map TO_ISP_1_PBR"
action 2.5 cli command "exit"
action 2.6 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_2_UP
event track 2 state up
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1"
action 1.4 cli command "interface GigabitEthernet0/0/1"
action 1.5 cli command "shut"
action 1.6 cli command "do clear ip nat translation *"
action 1.7 cli command "no shut"
action 1.8 cli command "exit"
action 1.9 cli command "ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload"
action 2.0 cli command "interface vlan1184"
action 2.1 cli command "ip policy route-map TO_ISP_2_PBR"
action 2.2 cli command "exit"
action 2.3 cli command "interface vlan2114"
action 2.4 cli command "ip policy route-map TO_ISP_2_PBR"
action 2.5 cli command "exit"
action 2.6 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_2_DOWN
event track 2 state down
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1"
action 1.4 cli command "interface GigabitEthernet0/0/1"
action 1.5 cli command "shut"
action 1.6 cli command "do clear ip nat translation *"
action 1.7 cli command "no shut"
action 1.8 cli command "exit"
action 1.9 cli command "no ip nat inside source route-map ISP_2 interface GigabitEthernet0/0/1 overload"
action 2.0 cli command "interface vlan1184"
action 2.1 cli command "no ip policy route-map TO_ISP_2_PBR"
action 2.2 cli command "exit"
action 2.3 cli command "interface vlan2114"
action 2.4 cli command "no ip policy route-map TO_ISP_2_PBR"
action 2.5 cli command "exit"
action 2.6 cli command "end"
action 3.0 cli command "clear ip nat translation *"
event manager applet ISP_1_DOWN
event track 1 state down
action 1.1 cli command "enable"
action 1.2 cli command "conf t"
action 1.3 cli command "no ip route 0.0.0.0 0.0.0.0 192.168.1.1"
action 1.4 cli command "interface GigabitEthernet0/0/0"
action 1.5 cli command "shut"
action 1.6 cli command "do clear ip nat translation *"
action 1.7 cli command "no shut"
action 1.8 cli command "exit"
action 1.9 cli command "no ip nat inside source route-map ISP_1 interface GigabitEthernet0/0/0 overload"
action 2.0 cli command "vlan1034"
action 2.1 cli command "no ip policy route-map TO_ISP_1_PBR"
action 2.2 cli command "exit"
action 2.3 cli command "interface vlan1063"
action 2.4 cli command "no ip policy route-map TO_ISP_1_PBR"
action 2.5 cli command "exit"
action 2.6 cli command "end"
action 3.0 cli command "clear ip nat translation *"
01-28-2023 11:23 PM
It is a minor point, but I wonder why the suggested route map for PBR includes a second stanza
route-map TO_ISP_2_PBR permit 20
The first stanza will use special forwarding for all traffic that matches its acl and all other traffic will use regular forwarding.
01-28-2023 10:42 AM
Hello,
thank you for your help.
But it still doesn't work, unfortunately.
You wrote: "ip route 8.8.4.4 255.255.255 GigabitEthernet0/1" - but I don't have this interface.
I think you mean GigabitEthernet0/0/1 instead?
Thanks
Alex
01-29-2023 01:44 AM
I shared a lab with you, do take a look. The idea of the lab is:
using PBR for some VLANs
using the RIB for other VLANs
The issue I saw when I did the lab is how we make failover work for both cases.
For VLANs using PBR, if the interface is down, PBR by default will use the RIB to forward traffic.
For VLANs using the RIB, here is the trick: we must use the keyword "default" in the set command of the PBR; we add this keyword before the interface.
What the default keyword does is make the router use the RIB first, and if that fails then it will use the interface in the set command.
That's it.
For NAT, only using a route-map with match interface will do the job.
For more detail check my lab above.
Again, make it simple, no need for EEM.
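A small Python model, added here as an example and not part of any post in this thread, of the forwarding rules MHM describes in the summary above and in the earlier "VLAN1,2 use PBR / VLAN3,4,5 use RIB" reply: static default routes with distance and tracking, PBR stanzas with `set interface` versus `set default interface`, and the empty "permit 20" stanza Richard asked about. It computes which WAN each VLAN leaves by under each link state; the interface names, the sample host addresses and the RIB-first reading of `set default interface` follow MHM's description and are assumptions of this model, not verified IOS behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str
    interface: str
    distance: int = 1            # administrative distance, lower is preferred
    track: Optional[int] = None  # route is withdrawn while this track object is down


@dataclass
class PbrEntry:
    """One route-map stanza: optional source match, optional set interface."""
    sources: Optional[List[str]] = None  # None models a stanza with no match clause (matches all)
    interface: Optional[str] = None      # None models a stanza with no set clause
    default: bool = False                # models "set default interface" as MHM describes it


class Router:
    def __init__(self, routes, policies, link_up, track_up):
        self.routes: List[StaticRoute] = routes
        self.policies: Dict[str, List[PbrEntry]] = policies  # ingress VLAN -> route-map stanzas
        self.link_up: Dict[str, bool] = link_up              # interface -> line protocol up?
        self.track_up: Dict[int, bool] = track_up            # track id -> IP SLA target reachable?

    def _usable(self, r: StaticRoute) -> bool:
        return self.link_up.get(r.interface, False) and (
            r.track is None or self.track_up.get(r.track, False))

    def rib_lookup(self, dst: str) -> List[str]:
        """Longest prefix, then lowest distance; equal-cost winners are all returned (ECMP)."""
        d, best_key, best = ip_address(dst), None, []
        for r in self.routes:
            net = ip_network(r.prefix)
            if d not in net or not self._usable(r):
                continue
            key = (net.prefixlen, -r.distance)
            if best_key is None or key > best_key:
                best_key, best = key, [r.interface]
            elif key == best_key:
                best.append(r.interface)
        return sorted(best)

    def forward(self, ingress: str, src: str, dst: str) -> List[str]:
        """Egress interface(s) for a packet; an empty list means it is dropped."""
        s = ip_address(src)
        for e in self.policies.get(ingress, []):
            if e.sources is not None and not any(s in ip_network(p) for p in e.sources):
                continue
            if e.interface is None:
                break  # permit stanza with no set clause: ordinary RIB forwarding
            if e.default:  # RIB first; the set interface is used only when the RIB has nothing
                rib = self.rib_lookup(dst)
                return rib if rib else ([e.interface] if self.link_up.get(e.interface) else [])
            if self.link_up.get(e.interface):
                return [e.interface]
            break  # set interface is down: PBR falls back to the RIB
        return self.rib_lookup(dst)


ISP1, ISP2 = "g0/0/0", "g0/0/1"
VLANS = {"Vlan1034": "10.60.4.10", "Vlan1063": "10.127.8.10",   # constructed sample hosts
         "Vlan1184": "10.128.1.10", "Vlan2114": "10.42.1.10"}
TAIL = PbrEntry()  # the "permit 20" stanza with no match and no set clause from the thread


def mhm_design(isp1_up: bool, isp2_up: bool, track2_up: bool) -> Dict[str, List[str]]:
    """MHM's layout with Alex's names: Vlan1034/1063 use PBR to ISP1, the other two use the
    RIB with "set default interface" ISP1; ISP2 is the preferred, tracked default route."""
    routes = [StaticRoute("0.0.0.0/0", ISP2, track=2),
              StaticRoute("0.0.0.0/0", ISP1, distance=100)]
    to_isp1 = [PbrEntry(["10.60.4.0/23", "10.127.8.0/23"], ISP1), TAIL]
    via_rib = [PbrEntry(None, ISP1, default=True)]
    r = Router(routes, {"Vlan1034": to_isp1, "Vlan1063": to_isp1,
                        "Vlan1184": via_rib, "Vlan2114": via_rib},
               {ISP1: isp1_up, ISP2: isp2_up}, {2: track2_up})
    return {v: r.forward(v, h, "8.8.8.8") for v, h in VLANS.items()}


def two_equal_defaults() -> List[str]:
    """Alex's two untracked default routes with equal distance: the RIB load-shares them."""
    r = Router([StaticRoute("0.0.0.0/0", ISP1), StaticRoute("0.0.0.0/0", ISP2)],
               {}, {ISP1: True, ISP2: True}, {})
    return r.rib_lookup("8.8.8.8")
```

Running `mhm_design` over the four link states shows the matrix MHM describes, and the state with ISP1 down while ISP2's IP SLA target is unreachable shows the one case where every VLAN is dropped.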