Comments on a dual WAN solution

jesper_petersen
Level 1

Hello folks,

One of our customers has two internet connections (one for data and one for VoIP) that we have connected to the two routed interfaces of an ISR 1812W.

The goal is to separate the data and VoIP traffic and send each out of its correct connection - it is NOT to be used for failover scenarios. Using the configuration below I can control which data should be routed/PAT'ed out of the VoIP interface by issuing a route command for each specific destination.

Is the configuration that I have made okay or is there a better approach? How would you do it?

I'm especially interested in hearing your comments about the route-maps and their associated access-lists.

Thank you for your input.

------------------------------

interface FastEthernet0
 description DATA
 ip address 95.201.113.242 255.255.255.248
 ip access-group Outside in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpnmap
!
interface FastEthernet1
 description VOIP
 ip address 95.201.113.250 255.255.255.248
 ip access-group Outside-f1 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 ip address 192.168.6.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 95.201.113.241
ip route 79.61.149.20 255.255.255.255 95.201.113.249
ip route 117.74.116.99 255.255.255.255 95.201.113.249
!
ip nat inside source route-map DATA interface FastEthernet0 overload
ip nat inside source route-map VOIP interface FastEthernet1 overload
!
route-map VOIP permit 10
 match ip address VoIP-out
 match interface FastEthernet1
!
route-map DATA permit 10
 match ip address NatList
 match interface FastEthernet0
!
ip access-list extended NatList
 remark VPN related
 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.6.0 0.0.0.255 any
!
ip access-list extended VoIP-out
 permit ip 192.168.6.0 0.0.0.255 any
3 Replies

spremkumar
Level 9

Hi Jesper

I could see a crypto map under fasteth0 which needs to be taken care of when you want to divert your data traffic to fasteth1 in case of failures.

But I won't suggest that since it will definitely affect your voice traffic.

Since your data communication happens through the secure IPsec tunnel, you need to make sure you create a similar crypto map on both ends with the respective peer IP addresses on it.

Also I see you are using the same subnet for both data and voice, which is another thing that needs to be solved.

Regards

Hi spremkumar,

Thank you for your reply. The crypto stuff is not an issue as the two WAN links are not to be used in any kind of failover scenarios (both links go to the same ISP). So the crypto is only needed on the data interface.

Yes, the data and voice traffic share the same IP subnet and VLAN. As of now it will hardly be possible to separate the two.

jesper_petersen
Level 1

Does anyone else have any comments on this?
