Dual active WAN on 1811 using PBR

Mike Bowers
Level 1
Level 1

I’m dying for some help regarding setting up Dual active WANs on an 1811.

Attached is the current configuration of the 1811 router (I already started making changes for adding the second WAN, which is Comcast on FE1, but it is currently not plugged in and is still plugged into the ASA). I'm looking for help setting up NAT and adapting the PBR to send traffic out the Comcast interface on the 1811 instead of forwarding it to the ASA as it currently does. Also attached is a picture of the current setup using PBR between an 1811 and an ASA 5510.

With the really shoddy and thrown-together layout of the network and the 1811 config attached, what other changes would be necessary before we plug the Comcast feed into the 1811 and have both accessible? The workstations and the web server (.14) will still need to be accessible on ISP2, and the mail server (.10) will still need to be accessible through ISP1. I created the static for the web server on the Comcast side, but before I start putting anything else in, I'd really appreciate any configuration help!

 

Note: Web server is statically reachable through Comcast Feed and mail Server is statically reachable through ISP1.

This will be a temporary set up until a new device to replace the 1811 and 5510 is ordered.

 

I do have the ACL for the Comcast completely open just to make sure any troubleshooting wouldn’t have to do with ACL permissions before locking it down.

4 Replies

Hello,

Please take a look at the link below. Very nice explanation.

https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla

Hello Masoud and thanks for the response!

I had seen that previously but I still had some questions if I had it down or not.

Based on the current config attached above, I think these are the only commands I'll need to enter, but if you could verify or see if I'm missing something, I'd really appreciate it!

Do I need two default routes using this set up? Since everything will be forwarded to the comcast modem if they aren't denied in the PBR ACL. Those IPs denied go out the other ISP.


! NAT: choose the overload translation by the interface the packet leaves on
route-map natlist permit 10
 match ip address natlist
 match interface FastEthernet0
!
route-map comcast permit 10
 match ip address natlist
 match interface FastEthernet1
!
ip nat inside source route-map natlist interface FastEthernet0 overload
ip nat inside source route-map comcast interface FastEthernet1 overload
!
! PBR: hosts matched by ACL "pbr" exit via Comcast while track 455 is up
route-map pbr permit 10
 match ip address pbr
 set ip next-hop verify-availability 111.111.253.222 1 track 455
!
! remove the old host routes that steered Comcast traffic to the ASA
no ip route 111.111.253.222 255.255.255.255 192.168.1.253
no ip route 111.111.253.221 255.255.255.255 192.168.1.253

Thanks for the consideration!

Hello,

1- If you want to load balance across two WAN interfaces, you need to set two default routes with the same metric. You also need to configure two IP SLAs, then add them to the default routes.

2- If you want to set your link to ISP2 active and your link to ISP1 backup (plus some servers on ISP1), you need to configure one IP SLA for ISP2 and two default routes. The first default route toward ISP2 with the lower metric with IP SLA (ISP2), and the other with the higher metric without IP SLA.

You also need to configure one IP SLA for ISP1 to apply it on the route-map for your servers (you already did).

The default route toward ISP2 with the lower metric sits inside the routing table. When ISP2 is disconnected, its default route will be removed from the routing table and the default route to ISP1 sits inside the routing table.

In both cases, you need to configure a policy-map (as you did) to direct the traffic of your servers to ISP1. Your route-map is correct and you need to apply it under the interface where the traffic of your servers is coming in. You need to permit the IP addresses of your servers and deny some destination addresses (if your servers see some destinations internally) in the access-list under PBR.

I did not check your IP addresses and access-lists thoroughly, but your NATs seem to be correct.

Hope it helps,

Masoud
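A complete IOS configuration for the second option described above, added here as an example (it is not from the thread, the OP's attached config or Cisco documentation). It assumes the LAN is on Vlan1 as 192.168.1.0/24, reuses the ISP next hops and track number quoted in the thread, adds a hypothetical track 100 for ISP1, and probes the ISP gateways themselves.

```cisco
! Added example, not the poster's config: ISP2 (Comcast, FastEthernet1, next hop
! 111.111.253.222) active, ISP1 (FastEthernet0, next hop 11.11.144.1) backup,
! mail server 192.168.1.10 pinned to ISP1. Assumed LAN: Vlan1, 192.168.1.0/24.
!
! IP SLA probes and tracking objects (track 100 is a hypothetical number)
ip sla 455
 icmp-echo 111.111.253.222 source-interface FastEthernet1
 frequency 10
ip sla schedule 455 life forever start-time now
ip sla 100
 icmp-echo 11.11.144.1 source-interface FastEthernet0
 frequency 10
ip sla schedule 100 life forever start-time now
track 455 ip sla 455 reachability
track 100 ip sla 100 reachability
!
! Two default routes: ISP2 preferred (AD 1, withdrawn when track 455 fails);
! the ISP1 floating static (AD 10) enters the routing table only then.
ip route 0.0.0.0 0.0.0.0 111.111.253.222 track 455
ip route 0.0.0.0 0.0.0.0 11.11.144.1 10
!
! PBR: mail server always exits ISP1 while that next hop is reachable;
! LAN-to-LAN traffic is denied so it follows the normal routing table.
ip access-list extended pbr
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip host 192.168.1.10 any
route-map pbr permit 10
 match ip address pbr
 set ip next-hop verify-availability 11.11.144.1 1 track 100
!
! NAT: pick the overload pool by egress interface, so inside hosts are
! translated correctly whichever WAN the routing decision chose.
ip access-list extended natlist
 permit ip 192.168.1.0 0.0.0.255 any
route-map natlist permit 10
 match ip address natlist
 match interface FastEthernet0
route-map comcast permit 10
 match ip address natlist
 match interface FastEthernet1
ip nat inside source route-map natlist interface FastEthernet0 overload
ip nat inside source route-map comcast interface FastEthernet1 overload
!
interface FastEthernet0
 ip nat outside
interface FastEthernet1
 ip nat outside
interface Vlan1
 ip nat inside
 ip policy route-map pbr
```

Probing only the directly connected gateway detects a dead modem but not an outage upstream at the ISP; pointing the icmp-echo at a host beyond the gateway (reachable only through that interface) catches both. Older 12.4 images spell these as `ip sla monitor` and `track 455 rtr 455 reachability`.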

 

Hi Masoud! Thanks again for the information and help.

I do have some questions though if you don't mind! Since currently the PBR is routing using the PBR ACL by directing certain IP addresses and ranges to be PBR'd or not, are multiple default routes required? Those that match the PBR route-map have the next hop set, and if this next hop is set to ISP2, then all workstations and servers that need to go out ISP2 will be sent to ISP2's modem, which is the equivalent of "ip route 0.0.0.0 0.0.0.0 111.111.253.222" for those devices that are matched in the PBR ACL. Is that correct?

The "set ip next-hop verify-availability 111.111.253.222 1 track 455" is being tracked in the PBR route-map, so if that SLA is not accessible, this is removed and the default route that is currently in the router, which is "ip route 0.0.0.0 0.0.0.0 11.11.144.1", will be used. So if ISP2 goes down, ISP1 will take over for everything.

So, my question is do I really need to have two SLAs and two default routes considering this?
