06-18-2010 02:03 AM - edited 03-04-2019 08:49 AM
Hello folks,
One of our customers has two internet connections (one for data and one for VoIP) that we have connected to the two routed interfaces of an ISR 1812W.
The goal is to separate the data and VoIP traffic and send each out of its correct connection - it is NOT to be used for failover scenarios. Using the configuration below I can control which data should be routed/PAT'ed out of the VoIP interface by issuing a route command for each specific destination.
Is the configuration that I have made okay or is there a better approach? How would you do it?
I'm especially interested in hearing your comments about the route-maps and their associated access-lists.
Thank you for your input.
------------------------------
interface FastEthernet0
 description DATA
 ip address 95.201.113.242 255.255.255.248
 ip access-group Outside in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpnmap
!
interface FastEthernet1
 description VOIP
 ip address 95.201.113.250 255.255.255.248
 ip access-group Outside-f1 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 ip address 192.168.6.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 95.201.113.241
ip route 79.61.149.20 255.255.255.255 95.201.113.249
ip route 117.74.116.99 255.255.255.255 95.201.113.249
!
ip nat inside source route-map DATA interface FastEthernet0 overload
ip nat inside source route-map VOIP interface FastEthernet1 overload
!
route-map VOIP permit 10
 match ip address VoIP-out
 match interface FastEthernet1
!
route-map DATA permit 10
 match ip address NatList
 match interface FastEthernet0
!
ip access-list extended NatList
 remark VPN related
 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.6.0 0.0.0.255 any
!
ip access-list extended VoIP-out
 permit ip 192.168.6.0 0.0.0.255 any
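An added example, not part of the original post: a small Python model of how the posted static routes, route-maps and access-lists combine to pick the egress interface and PAT address for a flow. The egress interface per route is derived from the connected /29 subnets, and the source host 192.168.6.50 and the destinations 8.8.8.8 and 10.1.2.3 are constructed samples.

```python
import ipaddress as ip

# Static routes from the posted config: (prefix, next hop, egress interface).
# The interface is the one whose connected /29 contains the next hop.
ROUTES = [
    ("0.0.0.0/0", "95.201.113.241", "FastEthernet0"),
    ("79.61.149.20/32", "95.201.113.249", "FastEthernet1"),
    ("117.74.116.99/32", "95.201.113.249", "FastEthernet1"),
]
# Extended ACLs as (action, source, destination), evaluated top down.
ACLS = {
    "NatList": [("deny", "192.168.6.0/24", "10.0.0.0/8"),
                ("permit", "192.168.6.0/24", "0.0.0.0/0")],
    "VoIP-out": [("permit", "192.168.6.0/24", "0.0.0.0/0")],
}
# "ip nat inside source route-map ..." statements: (route-map, ACL, interface).
NAT_RULES = [("DATA", "NatList", "FastEthernet0"),
             ("VOIP", "VoIP-out", "FastEthernet1")]
PAT_ADDRESS = {"FastEthernet0": "95.201.113.242",
               "FastEthernet1": "95.201.113.250"}

def egress(dst):
    """Longest-prefix match over the static routes."""
    d = ip.ip_address(dst)
    hits = [r for r in ROUTES if d in ip.ip_network(r[0])]
    return max(hits, key=lambda r: ip.ip_network(r[0]).prefixlen)[2]

def acl_permits(name, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in ACLS[name]:
        if s in ip.ip_network(src_net) and d in ip.ip_network(dst_net):
            return action == "permit"
    return False

def classify(src, dst):
    """Return (egress interface, route-map used, translated source or None)."""
    iface = egress(dst)
    for rmap, acl, nat_iface in NAT_RULES:
        # Both match clauses of a route-map entry must hold.
        if nat_iface == iface and acl_permits(acl, src, dst):
            return iface, rmap, PAT_ADDRESS[iface]
    return iface, None, None  # leaves untranslated, e.g. for the crypto map

if __name__ == "__main__":
    for dst in ("8.8.8.8", "79.61.149.20", "10.1.2.3"):  # constructed samples
        print(dst, classify("192.168.6.50", dst))
```

Because VoIP-out has no deny entry for 10.0.0.0/8, the VPN exemption only holds while no route for that range points at FastEthernet1.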
06-18-2010 03:03 AM
Hi Jesper
I could see a crypto map under fasteth0 which needs to be taken care of when you want to divert your data traffic on fasteth1 in case of failures.
But I won't suggest that, since it will definitely affect your voice traffic.
Since your data communication happens through the secure IPsec tunnel, you need to make sure you create a similar crypto map on both the ends with the respective peer IP addresses on it.
Also, I see you are using the same subnet for both data and voice, which will be another thing that needs to be solved.
Regards
06-18-2010 04:15 AM
Hi spremkumar,
Thank you for your reply. The crypto stuff is not an issue as the two WAN links are not to be used in any kind of failover scenarios (both links go to the same ISP). So the crypto is only needed on the data interface.
Yes, the data and voice traffic share the same IP subnet and VLAN. As of now it will hardly be possible to separate the two.
07-06-2010 11:52 PM
Does anyone else have any comments on this?