
Cisco 2911 with multiple Internet connections

andy_4578
Level 1

I'm sure this question comes up a lot but I can't find a definitive answer.

We are about to install a Cisco 2911 router to replace a Linux-based router.

The Cisco will have 5 gig ports, 4 ports connected to DSL modems, each modem connected to a different ISP, and the last port connected to a Cisco LAN switch.

802.1q will be used on the internal router port to split the LAN segments up into VLANs as the building contains lots of different businesses.

Each customer in the building has their own servers and set of public IP addresses assigned, e.g.

Customer A - ISP 1 uses 81.34.65.78 NAT'd to 10.0.0.1 Vlan 5 port 25 (SMTP)

Customer B - ISP 2 uses 217.23.67.87 NAT'd to 192.168.1.1 Vlan 6 port 25 (SMTP)

and so on

The outbound traffic also needs to go out of the correct DSL line, whichever has been assigned to that customer.

Am I right in thinking the only way to do this will be to use "Route Maps"?

(IP addresses above are made up, or at least not ours)


JohnTylerPearce
Level 7

I would configure PBR for this.

For example:

On the subinterface on the GigE port on the 2911 going to all LANs, for that specific VLAN 10.0.0.1 I would create a route map, and have a next-hop for the specific ISP.

PBR is certainly one possibility (and I believe that this is what the original poster was meaning when he talked about using route maps). I would think that another possibility would be to configure VRFs with a VLAN and an outside interface in a VRF for each of the customers.

HTH

Rick

I would agree with all of you on using PBR. It's much simpler.

@Richard,

Have you implemented VRF with VLANs for this kind of situation? What's the advantage?

regards,

andy_4578
Level 1

Could anyone give me an example of how a PBR/Route Map would look assuming...

Vlan 5 - Subnet 10.0.0.0/24 needs to send all traffic out of External IP - 81.34.65.78

Vlan 6 - Subnet 192.168.1.0/24 needs to send all traffic out of External IP - 217.23.67.87

Am I right in thinking the route maps will apply before the default route..

ip route 0.0.0.0 0.0.0.0 gi0/0 87.34.43.2

Takes effect.

Please correct me if I'm wrong guys, but I believe you would add the route-map to your subinterfaces, since you're doing Routing on a stick.

access-list 115 permit ip 10.0.0.0 0.0.0.255 any
access-list 116 permit ip 192.168.1.0 0.0.0.255 any

route-map VLAN5-OUT permit 10
 permit ip access-list 115
 set ip next-hop 81.34.65.78

route-map VLAN6-OUT permit 20
 permit ip access-list 116
 set ip next-hop 217.23.67.87

int x/x.5
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map VLAN5-OUT

int x/x.6
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map VLAN6-OUT

And, you can leave your default route there if you want.

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml#wp14019

http://www.ciscopress.com/articles/article.asp?p=102092

Yes, you are right, the route map will be done before any routing decisions.

I think you want to use the set ip default network

After configuring this, you can check the traffic path by using traceroute from the user in VLAN 5 and 6.

Regards,

andy_4578
Level 1

Thanks for the quick response John. I'm installing the router tomorrow morning; I'll try it then and mark answers correct where applicable. Looks good to me though.

No problem Andy, I ask for help as well sometimes. I figured if I ask for help, I might as well answer some questions too

andy_4578
Level 1

Finally getting round to trying this but get stuck when I try and enter..

route-map VLAN5-OUT permit 10

permit ip access-list 115

set ip next-hop 81.34.65.78

The part in bold is not accepted, any ideas?

What part is being set in bold?

Curtis

Sent from Cisco Technical Support iPad App

andy_4578
Level 1

The "permit ip access-list 115" is not an accepted command when I try and create the route-map.

I've used "match ip address 115" instead; I'm guessing it's the same thing.

The set ip next-hop x.x.x.x, am I right in thinking that will be the IP address of the next router and not the outside interface address?

Yes, under the route map it's match ip add 115.

When there are packets that match access-list 115, these packets will go to the address that you configure in set ip next-hop.

If it doesn't match, it will check the other route map; if no other route map is matched, it will use the normal routing process.

Regards,

permit ip access-list 115 is not accepted because permit is not a valid action in that part of the route map. In that part of the route map you can use match or you can use set, but permit is not a valid option. match ip address 115 is what you want to use and it will use access list 115 to identify the traffic to be policy routed.

And yes the IP address specified is the next hop address and not the outside interface address.

HTH

Rick
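
The configuration the thread converges on, written out in full as an added example (not posted by any participant). The ISP gateway addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders, and GigabitEthernet0/1 as the LAN trunk port is an assumption; the subnets, ACL numbers and route-map names are the ones used above.

```cisco
! Added example. 192.0.2.1 / 198.51.100.1 are placeholder next-hop
! (ISP gateway) addresses; GigabitEthernet0/1 as the trunk is assumed.
!
! One ACL per tenant VLAN. Note that "any" as destination also matches
! traffic addressed to another tenant's subnet, so that traffic is sent
! to the ISP next hop rather than routed directly between VLANs.
access-list 115 permit ip 10.0.0.0 0.0.0.255 any
access-list 116 permit ip 192.168.1.0 0.0.0.255 any
!
! "match" selects the traffic, "set" chooses where it goes.
! Route-map names are case sensitive and must equal the name used
! in "ip policy route-map" on the interface.
route-map VLAN5-OUT permit 10
 match ip address 115
 set ip next-hop 192.0.2.1
!
route-map VLAN6-OUT permit 10
 match ip address 116
 set ip next-hop 198.51.100.1
!
! PBR is applied inbound on the 802.1Q subinterface facing each tenant.
interface GigabitEthernet0/1.5
 encapsulation dot1Q 5
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map VLAN5-OUT
!
interface GigabitEthernet0/1.6
 encapsulation dot1Q 6
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map VLAN6-OUT
!
! Packets that match no route-map entry fall through to the normal
! routing table, i.e. the default route.
!
! Verification from exec mode:
!  show route-map   - policy routing match counters per entry
!  show ip policy   - which route map is bound to which interface
```

A traceroute from a host in each VLAN, as suggested earlier in the thread, confirms that the first hop beyond the router is the intended ISP gateway.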

andy_4578
Level 1

Thanks for all your help guys, it's working perfectly; the old Linux box can go in the bin!!
