2301 Views, 0 Helpful, 22 Replies

ISP load sharing based on subnets

amr2020eg
Level 1

I have 2 ISPs connected to my network and a VPN connection with HQ.

I have 2 subnets on this branch. I want 172.29.3.0 255.255.255.128 to go through Dialer1 and 172.29.3.128 255.255.255.128 to go through FE0/1, which is connected to the ADSL modem.

Below is the configuration, but it's not working. Please amend it if there is any problem with it.

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.29.3.1 172.29.3.10
ip dhcp excluded-address 172.29.3.129 172.29.3.139

!
ip dhcp pool Data
network 172.29.3.0 255.255.255.128
default-router 172.29.3.1
dns-server 192.168.0.29 192.168.0.2 4.2.2.2 4.2.2.3
!
ip dhcp pool Data2
network 172.29.3.128 255.255.255.128
default-router 172.29.3.129
dns-server 192.168.0.29 192.168.0.2 4.2.2.2 4.2.2.3
!
!
no ip domain lookup
no ipv6 cef

interface FastEthernet0/0.2
description <<DATA VLAN INTERFACE>>
encapsulation dot1Q 2
ip address 172.29.3.1 255.255.255.128
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 172.29.3.129 255.255.255.128

ip nat inside
ip virtual-reassembly

interface Serial0/1/0.16 point-to-point

ip address 172.30.200.2 255.255.255.252
ip nat inside
ip virtual-reassembly
snmp trap link-status
frame-relay interface-dlci 16

interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap chap callin

ip policy route-map LO

interface FastEthernet0/1

ip address 192.168.100.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto

ip policy route-map CHEM

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 10.0.0.0 255.0.0.0 Serial0/1/0.16
ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16

ip nat inside source route-map LO interface dialer1 overload
ip nat inside source route-map CHEM interface Ethernet0/1 overload

!
ip access-list extended ACL-LO
permit ip 172.29.3.0 0.0.0.127 any
ip access-list extended ACL-CHEM
permit ip 172.29.3.128 0.0.0.127 any
!
!
route-map LO permit 10
match ip address ACL-LO
set ip next-hop dialer1
!
route-map CHEM permit 20
match ip address ACL-CHEM
set ip next-hop FastEthernet0/1

Regards,

Amr

22 Replies

Amr

I am not clear on exactly what has changed. Can you post the config of the branch router after the changes were made? That would help me to understand the current environment for that router.

HTH

Rick


Dear Richard,

Please find the current configuration below.

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.29.3.1 172.29.3.10
ip dhcp excluded-address 172.29.4.1 172.29.4.10
ip dhcp excluded-address 172.29.3.129 172.29.3.139
!
ip dhcp pool Voice
network 172.29.4.0 255.255.255.224
default-router 172.29.4.1
option 150 ip 172.25.1.250
!
ip dhcp pool Data
network 172.29.3.0 255.255.255.128
default-router 172.29.3.1
dns-server 192.168.0.29 192.168.0.2 4.2.2.2 4.2.2.3
!
ip dhcp pool Data2
network 172.29.3.128 255.255.255.128
default-router 172.29.3.129
dns-server 192.168.0.29 192.168.0.2 4.2.2.2 4.2.2.3
!
!
no ip domain lookup
no ipv6 cef


!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.2
description <<DATA VLAN INTERFACE>>
encapsulation dot1Q 2
ip address 172.29.3.1 255.255.255.128
ip nat inside
ip virtual-reassembly
ip policy route-map LO
!
interface FastEthernet0/0.3
description <<VOICE VLAN INTERFACE>>
encapsulation dot1Q 3
ip address 172.29.4.1 255.255.255.224
h323-gateway voip interface
h323-gateway voip bind srcaddr 172.29.4.1
!

!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 172.29.3.129 255.255.255.128
ip nat inside
ip virtual-reassembly
ip policy route-map CHEM
!
interface FastEthernet0/1
description "CHEM INTERNET 4MB"
ip address 172.31.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!

!
interface Serial0/1/0
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type q933a
!
interface Serial0/1/0.16 point-to-point
description "VPN: Royal cosmetic co.: Factory Branch VPN"
ip address 172.30.200.2 255.255.255.252
ip nat inside
ip virtual-reassembly
snmp trap link-status
frame-relay interface-dlci 16


interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
!


ip nat inside source route-map ALAM-INTERNET interface dialer1 overload
ip nat inside source route-map CHEM-INTERNET interface FastEthernet0/1 overload

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 172.31.0.2
ip route 10.0.0.0 255.0.0.0 Serial0/1/0.16
ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16
ip route 172.24.0.0 255.252.0.0 Serial0/1/0.16
ip route 172.28.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.27.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.25.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.30.0.0 255.255.0.0 Serial0/1/0.16
ip route 192.168.0.0 255.255.0.0 Serial0/1/0.16
no ip http server
no ip http secure-server
!
!
ip access-list extended ACL-LO
deny ip 172.29.3.0 0.0.0.127 172.16.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.24.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.28.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.29.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.30.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 192.168.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 10.0.0.0 0.0.0.255
deny ip 172.29.3.0 0.0.0.127 172.27.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.25.0.0 0.0.255.255
permit ip 172.29.3.0 0.0.0.127 any
ip access-list extended ACL-CHEM
deny ip 172.29.3.128 0.0.0.127 172.16.0.0 0.0.255.255
deny ip 172.29.3.128 0.0.0.127 172.24.0.0 0.0.255.255
deny ip 172.29.3.128 0.0.0.127 172.28.0.0 0.0.255.255
deny ip 172.29.3.128 0.0.0.127 172.29.0.0 0.0.255.255
deny ip 172.29.3.128 0.0.0.127 172.30.0.0 0.0.255.255
deny ip 172.29.3.128 0.0.0.127 192.168.0.0 0.0.255.255
deny ip 172.29.3.128 0.0.0.127 172.25.0.0 0.0.255.255
deny ip 172.29.3.128 0.0.0.127 10.0.0.0 0.0.0.255
deny ip 172.29.3.128 0.0.0.127 172.27.0.0 0.0.255.255
permit ip 172.29.3.128 0.0.0.127 any


route-map ALAM permit 10
match ip address ACL-LO
set interface dialer1
!
route-map CHEM permit 10
match ip address ACL-CHEM
set ip next-hop 172.30.0.2
!
route-map ALAM-INTERNET permit 10
match ip address ACL-LO
match interface dialer1
!
route-map CHEM-INTERNET permit 10
match ip address ACL-CHEM
match interface FastEthernet0/1

Regards,

Amr

Amr

Thank you for posting the current config. It does help to see what is currently running. Am I correct in understanding that Internet access does work for the second subnet but that you cannot reach HQ?

You state that you would reach HQ using the VPN. Am I correct in understanding that the VPN is on the serial interface? It is a bit confusing because this config does not have anything in it about VPN.

I do see these routes which use the serial interface. Are these the networks at HQ or is HQ some other addresses?

ip route 10.0.0.0 255.0.0.0 Serial0/1/0.16
ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16
ip route 172.24.0.0 255.252.0.0 Serial0/1/0.16
ip route 172.28.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.27.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.25.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.30.0.0 255.255.0.0 Serial0/1/0.16
ip route 192.168.0.0 255.255.0.0 Serial0/1/0.16

HTH

Rick


Hello Richard,

1. You are right, internet access is working on the second subnet but it can't reach HQ.

2. The VPN is working on Serial0/1/0.

3. These routes are for all HQ networks.

Regards,

Amr

Amr

Thank you for confirming that the second subnet does have internet access but cannot reach HQ, and for confirming that these routes are the HQ networks.

I am still confused about the VPN on the serial interface. You talk about a VPN but I do not see anything in the config that relates to a VPN.

Am I correct in understanding that the first subnet does have access to HQ? Since they are configured very similarly, I am puzzled that one works and one does not.

In looking more closely at the config I do see an issue, though I am not sure if this issue is what is impacting subnet 2. The access lists used for PBR (and for NAT) treat the subnets at HQ as if they were /16. For example, this line from the ACL:

deny ip 172.29.3.0 0.0.0.127 172.16.0.0 0.0.255.255

But if you compare that with the route statement, the subnet at HQ is not /16:

ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16

Both access lists need to be changed so that their mask corresponds to the mask used in the route statement.

HTH

Rick

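To make the mask mismatch Rick describes concrete, here is a small checker I added (it is not code from this thread or from Cisco). It parses the HQ static routes and ACL-LO exactly as posted above, converts route masks and ACL wildcards to the same prefix notation, reports which HQ prefixes the deny entries fail to cover in full, shows which destinations PBR would therefore divert to the ISP instead of the serial VPN, and regenerates the deny lines with wildcards derived from the route masks. It goes beyond Rick's single 172.16.0.0 example by checking every static route; the sample source 172.29.3.10 and destinations are constructed test values.

```python
import ipaddress
from typing import List, Tuple

# Constructed input: the HQ static routes and ACL-LO copied from the config posted above.
ROUTES_TXT = """
ip route 10.0.0.0 255.0.0.0 Serial0/1/0.16
ip route 172.16.0.0 255.248.0.0 Serial0/1/0.16
ip route 172.24.0.0 255.252.0.0 Serial0/1/0.16
ip route 172.28.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.27.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.25.0.0 255.255.0.0 Serial0/1/0.16
ip route 172.30.0.0 255.255.0.0 Serial0/1/0.16
ip route 192.168.0.0 255.255.0.0 Serial0/1/0.16
"""

ACL_LO_TXT = """
deny ip 172.29.3.0 0.0.0.127 172.16.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.24.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.28.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.29.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.30.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 192.168.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 10.0.0.0 0.0.0.255
deny ip 172.29.3.0 0.0.0.127 172.27.0.0 0.0.255.255
deny ip 172.29.3.0 0.0.0.127 172.25.0.0 0.0.255.255
permit ip 172.29.3.0 0.0.0.127 any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")
Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs use wildcard (inverted) masks: a 0 bit must match, a 1 bit is don't-care."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def mask_to_wildcard(netmask: str) -> str:
    """Invert a route-style subnet mask into the wildcard an ACL entry needs."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))))


def parse_routes(text: str) -> List[ipaddress.IPv4Network]:
    """Collect the destination prefixes of 'ip route <net> <mask> <next-hop>' lines."""
    nets = []
    for line in text.strip().splitlines():
        p = line.split()
        if p[:2] == ["ip", "route"]:
            nets.append(ipaddress.IPv4Network((p[2], p[3]), strict=False))
    return nets


def parse_acl(text: str) -> List[Entry]:
    """Handles '<action> ip <src> <wc> <dst> <wc>' and '<action> ip <src> <wc> any'."""
    entries = []
    for line in text.strip().splitlines():
        p = line.split()
        src = wildcard_net(p[2], p[3])
        dst = ANY if p[4] == "any" else wildcard_net(p[4], p[5])
        entries.append((p[0], src, dst))
    return entries


def acl_decision(entries: List[Entry], src: str, dst: str) -> str:
    """First-match evaluation, as IOS does it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def policy_routed_to_isp(entries: List[Entry], src: str, dst: str) -> bool:
    """PBR applies the route-map's set clause only to packets the ACL permits;
    denied packets fall through to the routing table (here, the serial VPN routes)."""
    return acl_decision(entries, src, dst) == "permit"


def routes_not_fully_excluded(routes: List[ipaddress.IPv4Network], entries: List[Entry]) -> List[str]:
    """HQ prefixes from the static routes that no single deny entry covers in full."""
    return [str(net) for net in routes
            if not any(a == "deny" and net.subnet_of(dnet) for a, _, dnet in entries)]


def corrected_deny_lines(routes: List[ipaddress.IPv4Network], src_addr: str, src_wc: str) -> List[str]:
    """Regenerate the deny entries with wildcards derived from the route masks."""
    return [f"deny ip {src_addr} {src_wc} {net.network_address} {mask_to_wildcard(str(net.netmask))}"
            for net in routes]


if __name__ == "__main__":
    routes = parse_routes(ROUTES_TXT)
    acl = parse_acl(ACL_LO_TXT)
    print("HQ prefixes ACL-LO does not fully exclude:", routes_not_fully_excluded(routes, acl))
    for dst in ("172.16.5.1", "172.20.5.1", "10.1.1.1"):  # constructed HQ destinations
        print(f"172.29.3.10 -> {dst}: diverted to ISP = {policy_routed_to_isp(acl, '172.29.3.10', dst)}")
    print("\n".join(corrected_deny_lines(routes, "172.29.3.0", "0.0.0.127")))
```

Running it shows that 10.0.0.0/8, 172.16.0.0/13 and 172.24.0.0/14 are only partly excluded, so a host in 172.29.3.0/25 talking to, say, 172.20.5.1 is permitted by ACL-LO and policy-routed out Dialer1 rather than following the Serial0/1/0.16 route. The same check applies to ACL-CHEM, and because these ACLs also feed the NAT statements, the corrected wildcards keep that HQ traffic out of the overload translation as well.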

Hello Richard,

After applying the route-map on the LAN sub-interfaces I can't access the HQ VPN through Serial0/1/0.16. Any help on that?

Regards,

Amr

Hello Paul,

You are right about these NAT statements; it's a mistake on my part.

Regards,

Amr

Hello,
I can see you are NATting on the serial interface but don't specify any ACL for the NATting.

Also, as Richard correctly pointed out, the route-map CHEM is being used for both the NATting AND PBR, which is incorrect.

As your main default route is to be the Dialer1 interface, there is no need to PBR on
ACL-LO; just give this default static an admin preference.

I did a basic lab test of this and it seemed to work accordingly.

Try this:
ip local policy route-map CHEM

ip route 0.0.0.0 0.0.0.0 192.168.100.1 10

route-map LO permit 10
no set ip next-hop dialer1

route-map CHEM permit 20
match ip address ACL-CHEM
set ip next-hop 192.168.100.1

no ip nat inside source route-map CHEM interface fastEthernet0/1 overload
ip nat inside source list ACL-CHEM interface fastEthernet0/1 overload

If it isn't successful after this, please post or attach the current running config.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul