Dual WAN depending on source IP (800 Series)

DeWitt
Level 1

Hi!

I have two ISPs, one slow (ISPSlow), one fast (ISPFast).

I want only some computers (range 192.168.2.224 0.0.0.7) to have access to ISPFast, the fast one.

But I can't manage to get it to work.

Everything goes to ISPSlow until I add the static route to ISPFast, and then no one has access.

Connectivity is OK, because I managed to have all the traffic routed to ISPFast.

Here is my config. Thanks for your help!

Current configuration : 6408 bytes
!
! Last configuration change at 13:58:15 Suisse Fri Sep 21 2018 by catalifaud
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dewittfw01
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging reload
enable secret 5 <SECRET>
!
aaa new-model
!
!
aaa authentication login sslvpn local
!
!
!
!
!
aaa session-id common
clock timezone Suisse 1 0
clock summer-time Suisse recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint Trustpoint-dewittfw01
enrollment selfsigned
serial-number
subject-name CN=<certif>
revocation-check crl
rsakeypair RSA-key-dewittfw01
!
!
crypto pki certificate chain Trustpoint-dewittfw01
certificate self-signed <selfsignedcert>
        quit
!
!
!
!


!
!
!
!
ip domain name <domainname>
ip accounting-list 192.168.2.0 0.0.0.255
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn <sn>
license accept end user agreement
!
!
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
switchport access vlan 11
no ip address
load-interval 60
!
interface FastEthernet2
switchport access vlan 12
no ip address
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan10
description ISPSlow
ip address 212.147.69.146 255.255.255.248
ip accounting output-packets
ip nat outside
ip virtual-reassembly in max-fragments 64
ip tcp adjust-mss 1414
!
interface Vlan11
description LAN
ip address 192.168.2.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan12
description ISPFast
ip address 192.168.8.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
ip local pool webvpn-pool 192.168.10.50 192.168.10.70
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source route-map RISPSlow interface Vlan10 overload
ip nat inside source route-map RISPFast interface Vlan12 overload
ip route 0.0.0.0 0.0.0.0 212.147.69.145
ip route 0.0.0.0 0.0.0.0 192.168.8.1
!
!
route-map RISPSlow permit 10
match ip address 101
match interface Vlan10
!
route-map RISPFast permit 10
match ip address 114
match interface Vlan12
!
snmp-server community public RO
snmp-server community private RW
access-list 23 permit 164.14.3.58
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.2.224 0.0.0.7 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 114 permit ip host 192.168.2.225 any log
access-list 114 permit ip 192.168.2.224 0.0.0.7 any log
access-list 114 deny   ip any any log
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
no vstack
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input ssh
transport output all
!
scheduler allocate 20000 1000
!
!
!
end
7 Replies

ssjknight
Level 1

Hi!
Thanks for your suggestion. I already tried, so I tried again. Here are the differences:

interface Vlan11
 description LAN
 ip address 192.168.2.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!



route-map PBR permit 10
 match ip address 101
 set ip next-hop 212.147.69.145
 set interface Vlan10
 set default interface Vlan10
!
route-map PBR permit 20
 match ip address 114
 set ip next-hop 192.168.8.1
 set interface Vlan12
!

So I get this:

(config)#do sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 212.147.69.145 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 212.147.69.145
                [1/0] via 192.168.8.1
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, Vlan11
L        192.168.2.1/32 is directly connected, Vlan11
      192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.8.0/24 is directly connected, Vlan12
L        192.168.8.2/32 is directly connected, Vlan12
      212.147.69.0/24 is variably subnetted, 3 subnets, 2 masks
C        212.147.69.144/29 is directly connected, Vlan10
L        212.147.69.146/32 is directly connected, Vlan10
L        212.147.69.148/32 is directly connected, Vlan10




(config)#do sh route-map
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 212.147.69.145
    interface Vlan10
    default interface Vlan10
  Policy routing matches: 85982 packets, 17242172 bytes
route-map PBR, permit, sequence 20
  Match clauses:
    ip address (access-lists): 114
  Set clauses:
    ip next-hop 192.168.8.1
    interface Vlan12
  Policy routing matches: 306 packets, 36142 bytes

So everything seems OK, but my VIP network doesn't have access to internet...

 

Thanks

I would use
set ip default next-hop NOT set ip next-hop

I would also create 2 separate policy map statements not combined. 1 for each interface

Hello


@ssjknight wrote:
I would use
set ip default next-hop NOT set ip next-hop

Default next hop is only applicable if no feasible entry exists in the route table, meaning that if you have a default route, PBR with a default next hop will not be used.

 

I suggest removing one of the default static routes, as you don't require both in the route table to perform PBR, and all the other set commands other than ip next-hop, and then test again.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yes I meant to say remove the default routes from the configuration. It was late Friday and my taxi was waiting so I was a little rushed. :-)

Thanks a lot for your answers.

I will use them for optimisation and clarity.

 

However, the real issue was related to NAT.

I added

route-map ISP4G permit 10
 match ip address 23
 match interface Vlan12
!
route-map ISPADSL permit 10
 match ip address 23
 match interface Vlan10
!

and modified the NAT overloads:

ip nat inside source route-map ISP4G interface Vlan12 overload
ip nat inside source route-map ISPADSL interface Vlan10 overload

and now it works!
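To make the interaction between the ACLs and the NAT route-maps concrete, here is an added Python model (not from the thread, not Cisco code) that evaluates the wildcard ACLs posted above and shows which NAT statement, if any, a packet hits depending on the interface it is routed out of. It assumes the egress interface is an input (with two default routes the router load-shares per destination, so a host can leave on either uplink) and does not model the ACL 'log' side effect discussed below.

```python
"""Model of the thread's NAT route-map selection: original vs. fixed config."""
import ipaddress


def wildcard_match(ip, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (base_i & care)


def acl_permits(acl, ip):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(ip, base, wildcard):
            return action == "permit"
    return False


# ACLs as posted in the thread ('host x' written as wildcard 0.0.0.0)
ACL_101 = [("deny", "192.168.2.224", "0.0.0.7"),
           ("permit", "192.168.2.0", "0.0.0.255"),
           ("permit", "192.168.3.0", "0.0.0.255"),
           ("deny", "0.0.0.0", "255.255.255.255")]
ACL_114 = [("permit", "192.168.2.225", "0.0.0.0"),
           ("permit", "192.168.2.224", "0.0.0.7"),
           ("deny", "0.0.0.0", "255.255.255.255")]
ACL_23 = [("permit", "164.14.3.58", "0.0.0.0"),
          ("permit", "192.168.0.0", "0.0.255.255")]
ACLS = {23: ACL_23, 101: ACL_101, 114: ACL_114}


def nat_egress(route_maps, src_ip, egress_if):
    """Return the name of the first NAT route-map whose ACL permits src_ip
    AND whose 'match interface' equals the egress interface, else None
    (None means the packet leaves untranslated and gets no reply)."""
    for name, acl_no, iface in route_maps:
        if iface == egress_if and acl_permits(ACLS[acl_no], src_ip):
            return name
    return None


# Original: the ACL decides the ISP, so NAT breaks when routing disagrees.
ORIGINAL = [("RISPSlow", 101, "Vlan10"), ("RISPFast", 114, "Vlan12")]
# Fixed: ACL 23 covers every LAN host; only the egress interface decides.
FIXED = [("ISP4G", 23, "Vlan12"), ("ISPADSL", 23, "Vlan10")]

if __name__ == "__main__":
    for src in ("192.168.2.225", "192.168.2.10"):       # VIP host, normal host
        for egress in ("Vlan10", "Vlan12"):
            print(src, egress, nat_egress(ORIGINAL, src, egress),
                  nat_egress(FIXED, src, egress))
```

With the original maps a VIP host routed out Vlan10, or a normal host routed out Vlan12, matches no NAT statement at all; with the fixed maps every LAN host is translated on whichever uplink the routing (or PBR) decision selects.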

Hello,

 

access-list 101 deny ip any any log

access-list 114 permit ip host 192.168.2.225 any log
access-list 114 permit ip 192.168.2.224 0.0.0.7 any log
access-list 114 deny ip any any log

 

The 'log' keyword at the end of your access lists effectively kills your NAT. Remove the 'log' and check if that makes a difference:

 

access-list 101 deny ip any any 

access-list 114 permit ip host 192.168.2.225 any 
access-list 114 permit ip 192.168.2.224 0.0.0.7 any
access-list 114 deny ip any any