multiple overload using vlan interface as alternate route

paulwhitecisco
Level 1

Hello World

Basically, I've got 2 internet connections on the same 881 router.

I want my LAN to use WAN 1 but a specific host on the same LAN to use WAN 2.

WAN 1 is a physical interface, fa4. WAN 2 is a VLAN with a static IP address assigned to one of the switchports.

A bit more detail...

I've got an 881 router with fa4 already in use and configured with a static IP address as overloaded.

I've had an additional internet connection installed and decided to test this connection by creating a VLAN (100) with the new external IP range and assigning this to fa3.

I can see this internet connection is live and routing traffic, as if I put a static route pointing out to the new gateway, traffic goes on its merry way.

What I wanted to do was test from a specific host on the LAN, 10.0.0.100 (vlan1).

The steps I've followed are:

Created new VLAN, assigned WAN IP to this VLAN, added inspect and nat outside to this interface. (It's now a working interface, tested using static routes and trace-route from the LAN.)

Created an extended ACL (testacl) with the specific host I wanted to test with. (permit ip host 10.0.0.100 any)

Created route map (test) to match the above ACL and match the interface of the new VLAN 100.

I've then added an ip nat inside source of the route-map test to interface vlan 100 overloaded.

I've used this config before with physical interfaces and it's worked. I've had a look around but all I can find that includes VLANs/SVIs applies to backup WANs failing over, not alternative WAN routes. I think that the first NAT is still acting on the PBR. If I add a deny statement into the nat ACL then I can't access the internet from the test host 10.0.0.100.

Conf below:

interface FastEthernet3
 switchport access vlan 100
 no ip address
!
interface FastEthernet4
 ip address x.x.x.x 255.255.255.248
 ip access-group wan in
 ip flow ingress
 ip nat outside
 ip inspect inspect out
 ip virtual-reassembly in
!
interface Vlan1
 ip address 10.0.0.253 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 ip address y.y.y.y 255.255.255.252
 ip access-group wan in
 ip flow ingress
 ip nat outside
 ip inspect inspect out
 ip virtual-reassembly in

ip nat inside source route-map wan interface FastEthernet4 overload
ip nat inside source route-map test interface Vlan100 overload

ip route 0.0.0.0 0.0.0.0 x.x.x.x(gw)
ip route 0.0.0.0 0.0.0.0 y.y.y.y(gw) 10

ip access-list extended nat
 permit ip 10.0.0.0 0.0.0.255 any

ip access-list extended testacl
 permit ip host 10.0.0.100 any

route-map test permit 10
 match ip address test
 match interface Vlan100
!
route-map wan permit 10
 match ip address nat
 match interface FastEthernet4

3 Replies

Jon Marshall
Hall of Fame

A few things.

Firstly, is that just a typo, i.e. your ACL is called testacl but your route map references an ACL called test?

Secondly, and more importantly, your route maps are being used for NAT, which is correct, but there is no PBR configuration, so the default route via the existing ISP will always be used.

Jon

Yes, typo! Route map is correct in the config...

And secondly... in context, how would you suggest it looks? (I've tried some variations but on the same route-map.)

I've tried with

route-map test permit 10
 match ip address test
 set ip next-hop y.y.y.y(gw)

and

route-map test permit 10
 match ip address test
 match ip next-hop y.y.y.y(gw)

I've also defined an extended ACL (testexternal) with the y.y.y.y(gw) address and used

route-map test permit 10
 match ip address test
 match ip address testexternal

So you need the route maps you already have for NAT. Then use the first route map example in your latest post, and you need to apply that route map to the vlan 1 interface for it to take effect.

Jon
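
The advice in this thread, put together as one configuration fragment (an added example, not posted by either participant): the NAT route-maps stay as they are and a separate route-map handles policy routing on the LAN interface. The name pbr-test is a hypothetical choice made here so that the NAT route-map test keeps its match interface clause; y.y.y.y(gw) is the thread's placeholder for the WAN 2 gateway and must be replaced with the real address.

```cisco
! Added example. y.y.y.y(gw) is the thread's placeholder for the WAN 2 gateway.
! pbr-test is a hypothetical route-map name, not taken from the thread.
!
ip access-list extended nat
 permit ip 10.0.0.0 0.0.0.255 any
!
ip access-list extended testacl
 permit ip host 10.0.0.100 any
!
! NAT route-maps: the translation is chosen by the egress interface
route-map wan permit 10
 match ip address nat
 match interface FastEthernet4
!
route-map test permit 10
 match ip address testacl
 match interface Vlan100
!
ip nat inside source route-map wan interface FastEthernet4 overload
ip nat inside source route-map test interface Vlan100 overload
!
! PBR route-map: sends the test host's traffic to the WAN 2 gateway
! instead of following the default route via FastEthernet4
route-map pbr-test permit 10
 match ip address testacl
 set ip next-hop y.y.y.y(gw)
!
! PBR only acts on packets arriving on the interface it is applied to,
! so it goes on the LAN SVI
interface Vlan1
 ip policy route-map pbr-test
```

`show ip policy` and `show route-map pbr-test` confirm that the policy is attached to Vlan1 and that packets are matching it; `show ip nat translations` shows which outside address the test host is translated to.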
