
Cisco Router PBR

Hello

There is a local network (10.36.0.0/16). There is a router (R1) to which two providers are connected: ISP1 (Dialer1), the main provider, and ISP2 (Dialer2), the backup provider. The network diagram is attached.

The ISP1 connection is used for Internet access by users; in addition, access to the mail server is published through it (TCP 25, 430, 587).
Due to its larger channel capacity, the ISP2 connection was given to the Site-to-Site VPN. Remote users must also connect through it via L2TP VPN.

I configured the L2TP VPN on ISP2. But then a problem arose: this VPN works only if ISP1 is in the off state. How can I get L2TP to work without shutting down the first provider? Next year it is planned to connect a third provider and completely transfer all remote access for clients to it. In the meantime, I want to solve the problem with two providers.

Have you encountered a similar problem? The current config is attached.

Perhaps this problem can be solved using PBR, but I cannot find a suitable configuration.

I would be glad for any help!

3 Replies

Hello,

The reason it only works when the primary ISP is down is that, because of the IP SLA and the tracked route, all routing goes through the ISP1 link until that link goes down; then all routing goes through the ISP2 link.

I'll need to do some testing. In any case, both links need to be active, so you cannot use the IP SLA...

This can be solved with "local PBR":

ip local policy route-map XYZ

The route-map matches on the L2TP traffic and sets the next-hop to ISP2.
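As an added example (this is not part of the reply above and not the poster's own config), here is what that local PBR could look like in full. It assumes the remote-access VPN is L2TP over IPsec terminated on Dialer2, that every IKE/ESP/L2TP packet the router itself originates should leave via ISP2 (consistent with the Site-to-Site VPN also living on Dialer2), and that Dialer2 may have a negotiated address, so the ACL matches on protocol and port rather than on the router's own IP. The ACL and route-map names are invented here.

```cisco
! Added example, not from the original post. Names ACL-VPN-LOCAL and PBR-LOCAL are assumptions.
!
! Select only packets the router itself sends for the VPN: IKE (UDP 500), NAT-T (UDP 4500),
! ESP, and plain L2TP (UDP 1701). The "eq" after the source address is the SOURCE port,
! which is what a reply from the L2TP/IPsec server carries.
ip access-list extended ACL-VPN-LOCAL
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit esp any any
 permit udp any eq 1701 any
!
! Matched packets are sent out Dialer2. "set interface" is used instead of "set ip next-hop"
! because a PPP dialer is point-to-point and has no fixed next-hop address; if Dialer2 is
! down, the set is ignored and the packet falls back to the normal routing table (Dialer1).
! Packets that match no clause are also routed normally, so user Internet traffic is untouched.
route-map PBR-LOCAL permit 10
 match ip address ACL-VPN-LOCAL
 set interface Dialer2
!
! Apply to router-originated traffic. "ip policy route-map" on an interface only affects
! transit packets and would never see the router's own VPN replies, which is why
! "ip local policy" is needed here.
ip local policy route-map PBR-LOCAL
!
! Verification (exec mode), assumed typical checks:
!   show route-map PBR-LOCAL      -> match counters increase while a client connects
!   debug ip policy               -> prints "policy match" / "policy routed" per packet
```

The point of the protocol/port match is that the router's L2TP/IPsec responses are locally generated with Dialer2's source address but, with only a default route via Dialer1, would otherwise leave ISP1 with ISP2's address on them; ISP1 typically drops or mis-NATs those. If the router also needs to build IPsec tunnels via Dialer1, narrow the ACL by destination so only the remote-access peers are policy-routed.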

Hello

I'd just like to add: is it just VPN clients that you want policy-routed? If not, then a policy needs to be applied for any internal hosts.

Also, this below isn't applicable:

no ip nat inside source list NAT-ACL interface GigabitEthernet0/0/1 overload
no ip route 0.0.0.0 0.0.0.0 Dialer2 track 2

Lastly, to implement PBR, create an extended access-list <sip><dip> and apply it to the LAN interface you wish to push via the Dialer2 interface.

Example:

! Extended ACL selecting the LAN hosts/subnets (source, destination) to be policy-routed
ip access-list extended PBR_ACL
 permit tcp host 10.36.2.10 any eq www
 permit tcp host 10.36.2.11 any eq 443
 permit ip 10.36.3.0 0.0.0.255 any

! Route-map: matched traffic is sent to the ISP2 next-hop, but only while track 2 is up;
! otherwise it falls back to the routing table
route-map PBR permit 10
 match ip address PBR_ACL
 set ip next-hop verify-availability x.x.x.x 1 track 2

! or, for a point-to-point dialer with no fixed next-hop address:
! set interface Dialer2

! Apply the policy on the LAN interfaces (VLAN 2 and VLAN 3) whose traffic should use Dialer2
interface Vlan2
 ip policy route-map PBR
interface Vlan3
 ip policy route-map PBR



Kind regards
Paul
