03-24-2018 03:48 AM - edited 03-05-2019 10:09 AM
Hi,
I have got one LAN behind NAT and two ISP connections. I want to route five prefixes through the First-ISP and the rest traffic through the Second-ISP. I tried configuring route-maps but still unsuccessful. Please view the config below. Help would be appreciated.
interface GigabitEthernet0/0
no ip address
ip flow ingress
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/0.10
description LAN
encapsulation dot1Q 10
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
no cdp enable
!
interface GigabitEthernet0/1
description First-ISP
ip address 1.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2
description Second-ISP
ip address 9.9.9.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 9.9.9.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended external
permit ip any any
ip access-list extended internal
permit ip any 1.1.1.0 0.0.0.255
permit ip any 2.2.2.0 0.0.0.255
permit ip any 3.3.3.0 0.0.0.255
permit ip any 4.4.4.0 0.0.0.255
permit ip any 5.5.5.0 0.0.0.255
!
route-map 1 permit 10
match ip address internal
set ip next-hop 1.1.1.1
!
route-map 1 permit 20
match ip address external
set ip next-hop 9.9.9.1
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
03-24-2018 07:41 AM
Hi,
Where is Route-map applied?
You must apply it under the LAN interface as below:
interface GigabitEthernet0/0.10
ip policy route-map 1
Regards,
Deepak Kumar
03-24-2018 12:01 PM
Hi Deepak,
Even after applying the policy route-map, the result is the same that internet is not working.
03-24-2018 08:49 PM
Mustafa,
As per the configs that you shared, it makes me understand that your Internal LAN subnet is of 192.168.0.0/24 subnet , as you are trying to route your internal lan pool towards First ISP I suggest you to make below corrections in config. Have ip policy route-map 1 statement as it is under interface GigabitEthernet0/0.10 and make below corrections.
no ip access-list extended internal
!
route-map 1 permit 10
match ip address 1
set ip next-hop 1.1.1.1
Rest of the config leave as it is.
Actually this enable's the first isp to be used by entire 192.168.0.0/24 subnet.
Give it a try and check.
03-25-2018 07:06 AM
Basically my aim was to route specific networks through the First-ISP and the remaining traffic through the Second-ISP and the following config helped me fix that issue.
Also please help me understand the difference between PBR and how can I make use of it in this situation.
interface GigabitEthernet0/0
no ip address
ip flow ingress
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/0.10
description LAN
encapsulation dot1Q 10
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
no cdp enable
!
interface GigabitEthernet0/1
description First-ISP
ip address 1.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2
description Second-ISP
ip address 9.9.9.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
no lldp transmit
no lldp receive
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source route-map 1 interface GigabitEthernet0/1 overload
ip nat source route-map 2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 9.9.9.1
ip route 1.1.1.0 255.255.255.0 1.1.1.1
ip route 2.2.2.0 255.255.255.0 1.1.1.1
ip route 3.3.3.0 255.255.255.0 1.1.1.1
ip route 4.4.4.0 255.255.255.0 1.1.1.1
ip route 5.5.5.0 255.255.255.0 1.1.1.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended external
permit ip any any
ip access-list extended internal
permit ip 1.1.1.0 0.0.0.255 any
permit ip 2.2.2.0 0.0.0.255 any
permit ip 3.3.3.0 0.0.0.255 any
permit ip 4.4.4.0 0.0.0.255 any
permit ip 5.5.5.0 0.0.0.255 any
!
route-map 1 permit 10
match ip address 1
set interface GigabitEthernet0/1
!
route-map 2 permit 10
match ip address 1
set interface GigabitEthernet0/2
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
03-25-2018 07:14 AM
Hi,
Currently, you configured NATing with PBR but the post was started with Routing with PBR.
More Information about NATig with PBR :
Regards,
Deepak Kumar
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide