Beginner

Multiple VLAN, 2 WAN - Load Balance, Failover and NAT - Oh my

I'm bashing my head here trying to figure out something which I believe is really not as difficult as I'm making it out to be.

I have 3 VLANs (router on a stick setup) and 2 WAN interfaces on a single router.

VLAN1 -> ISP1

VLAN2, VLAN3 -> ISP2                  

How can I set this up so that VLAN1 uses ISP1 as its primary internet connection?

How can I set this up so that VLAN2 and VLAN3 use ISP2 as their primary internet connection?

How can I set this up so that VLAN1 will use ISP2 if ISP1 fails?

How can I set this up so that VLAN2, VLAN3 will use ISP1 if ISP2 fails?

I ran into problems before with NAT when trying to use IP SLA and event applets to just update route-map commands.  That failed horribly.  So I think I'll send this to the community since I'm at a loss and I need to have another set of eyes look at this -- if it's something even possible using just a single router.

1 ACCEPTED SOLUTION

Advisor

Hi,

here is one way you can do:

! Inside subnets: VLAN1 = 192.168.1.0/24, VLAN2 = 192.168.2.0/24, VLAN3 = 192.168.3.0/24
ip access-list extended VL1_TRAFFIC
  permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VL23_TRAFFIC
  permit ip 192.168.2.0 0.0.0.255 any
  permit ip 192.168.3.0 0.0.0.255 any

! One ICMP probe per WAN link, each turned into a tracked object
ip sla 1
 icmp-echo 8.8.8.8 source-interface s1/0
 frequency 4
 timeout 2000
ip sla 23
 icmp-echo 8.8.8.8 source-interface s1/1
 frequency 4
 timeout 2000
ip sla schedule 1 life forever start-time now
ip sla schedule 23 life forever start-time now
track 1 ip sla 1
track 23 ip sla 23

1) VLan 1---> ISP1( Primary), ISP2( secondary)

! x.x.x.x = ISP1 next-hop, y.y.y.y = ISP2 next-hop
! Sequence 10 is tried first; a next-hop whose track is down is skipped
route-map VL1_TRAFFIC permit 10
 match ip address VL1_ACL
 set ip next-hop verify-availability x.x.x.x 10 track 1
 set ip next-hop verify-availability y.y.y.y 20 track 23

interface f0/0.1
 ip nat inside
 ip policy route-map VL1_TRAFFIC

2) VLan 2,3---> ISP2( Primary), ISP1( secondary)

! ISP2 next-hop first, ISP1 next-hop as fallback
route-map VL23_TRAFFIC permit 10
 match ip address VL23_ACL
 set ip next-hop verify-availability y.y.y.y 10 track 23
 set ip next-hop verify-availability x.x.x.x 20 track 1

interface f0/0.2
 ip nat inside
 ip policy route-map VL23_TRAFFIC
interface f0/0.3
 ip nat inside
 ip policy route-map VL23_TRAFFIC

3) NAT overload:

! Both WAN interfaces must be NAT outside; match interface selects the
! translation by the link the packet leaves on
interface s1/0
 ip nat outside
interface s1/1
 ip nat outside

route-map NAT_VL1 permit 10
 match ip address VL1_TRAFFIC
 match interface s1/0
route-map NAT_VL23 permit 10
 match ip address VL23_TRAFFIC
 match interface s1/1

! ISP1 on s1/0, ISP2 on s1/1
ip nat inside source route-map NAT_VL1 interface s1/0 overload
ip nat inside source route-map NAT_VL23 interface s1/1 overload

Regards.

Alain

Don't forget to rate helpful posts.

6 REPLIES


What is the VL1_ACL and VL23_ACL defined here?  Is this the same as VL1_TRAFFIC and VL23_TRAFFIC?

I experienced issues with trying to VPN to the network today.  It would not allow me to access the VL23_TRAFFIC subnets and I did include a permit for the VPN IP pool as well.  I just want to make sure I know what VL1_ACL/VL23_ACL was intended to be.


Hi,

I made a typo, there are only VL1_TRAFFIC and VL23_TRAFFIC, so you'll have to change the match statements in 1) and 2) accordingly.

I'm really sorry.

Now if you've got a VPN too then you'll have to modify these ACLs to deny VPN traffic between distant subnets.

Can you tell us how you set your VPN and what about your routing needs for these VPNs ?

Regards.

Alain

Don't forget to rate helpful posts.


Hello,

No need to apologize! 

VPN clients get an IP in the 172.18.1.1-25 range.  I should be able to ping/access from a VPN client's system to VLAN2 or VLAN3.  My understanding is that the ACL in the client configuration indicates which networks to split tunnel.

Here's IPSEC portion:

crypto isakmp client configuration group group1
 key xxxxxx
 dns 192.168.1.10 8.8.8.8
 domain domain.local
 pool group1pool
 acl 101
 save-password
crypto isakmp profile vpn1-ra
   match identity group group1
   client authentication list VPN_UserAuth
   isakmp authorization list VPN_GroupAuth
   client configuration address respond
   virtual-template 3
interface Virtual-Template3 type tunnel
 ! This is one of the two ISP interfaces.  I'm not sure if this could be causing some of the problems or
 ! not with being able to pass traffic (split) while VPN'd in
 ip unnumbered Multilink2
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 172.18.1.1 172.18.1.25
! ACL 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.18.1.0 0.0.0.255

I need the 172.18.1.x traffic to be able to pass to the VLAN2 and VLAN3 subnets.

I did deny the VPN network via ACL with the following ACL:

access-list 199 deny   ip any 192.168.1.0 0.0.0.255
access-list 199 deny   ip any 192.168.2.0 0.0.0.255
access-list 199 deny   ip any 192.168.3.0 0.0.0.255
access-list 199 deny   ip any 172.18.1.0 0.0.0.255
access-list 199 permit ip any any

This ACL is applied to the route-map I have placed on the inside interface.


VPN is working now, however when testing failover it did not work.  I shut down the GigabitEthernet0/0 interface (ISP2) and VLAN23 did not route out the ISP1 interface Multilink2.

Any hints on what to look for?  I have 2 static routes on the router configured as so:

ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP#1 default gw)
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP#2 default gw)

If I take those routes out, neither the VLAN1 nor the VLAN23 route-map will move traffic to its correct path.  It seems like the route-map is not being applied on the gi0/1.100 and gi0/1.101 interfaces and is ignoring the configured next-hop.

route-map plex_traffic, permit, sequence 10
  Match clauses:
    ip address (access-lists): plex_traffic
  Set clauses:
    ip next-hop verify-availability x.x.x.x 1 track 1  [up] #ISP1 GW
    ip next-hop verify-availability x.x.x.x 2 track 2  [up] #ISP2 GW
  Policy routing matches: 847943 packets, 473802683 bytes
route-map penn_traffic, permit, sequence 10
  Match clauses:
    ip address (access-lists): penn_traffic
  Set clauses:
    ip next-hop verify-availability x.x.x.x 1 track 2  [up] #ISP2 GW
    ip next-hop verify-availability x.x.x.x 2 track 1  [up] #ISP1 GW
  Policy routing matches: 1659871 packets, 746293419 bytes


plex_traffic route-map is applied to gi0/1.101 interface
penn_traffic route-map is applied to gi0/1.100 interface

route-map nat_plex, permit, sequence 10
  Match clauses:
    ip address (access-lists): plex_traffic
    interface Multilink2
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map nat_penn, permit, sequence 10
  Match clauses:
    ip address (access-lists): penn_traffic
    interface GigabitEthernet0/0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes


Extended IP access list plex_traffic
    1 deny ip any 172.18.1.0 0.0.0.255 (68063 matches) #VPN TRAFFIC
    2 deny ip any 10.0.0.0 0.0.0.255 (108256 matches) #VLAN2
    3 deny ip any 10.3.0.0 0.0.0.255 #VLAN3
    10 permit ip 10.1.0.0 0.0.0.255 any (929831 matches) #VLAN1
Extended IP access list penn_traffic
    1 deny ip any 172.18.1.0 0.0.0.255 (113738 matches) #VPN TRAFFIC
    2 deny ip any 10.1.0.0 0.0.0.255 (111330 matches) #VLAN1
    3 deny ip any 10.3.0.0 0.0.0.255 #VLAN3
    10 permit ip 10.0.0.0 0.0.0.255 any (1719208 matches) #VLAN2

ip nat inside source route-map nat_penn interface GigabitEthernet0/0 overload

ip nat inside source route-map nat_plex interface Multilink2 overload


Hi,

when testing failover, could you post the output of sh track as well as sh ip sla statistics before and after failover,

and also could you do a debug track and post the output.

Regards.

Alain

Don't forget to rate helpful posts.
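As an added example that is not part of the original posts, here is the same three-VLAN, two-ISP design written the way I would deploy it, taking into account the failover test two posts up and the show track checks Alain asks for. It assumes the OP's addressing (VLAN1 10.1.0.0/24 on gi0/1.101, VLAN2 10.0.0.0/24 on gi0/1.100, VLAN3 10.3.0.0/24, VPN pool 172.18.1.0/24) and uses documentation addresses in place of the x.x.x.x in the thread: ISP1 on Multilink2 with next-hop 203.0.113.1 and ISP2 on GigabitEthernet0/0 with next-hop 198.51.100.1; the VLAN3 subinterface gi0/1.102 is also an assumption, since the thread never names it. It departs from the accepted answer in three places that matter for failover. Each probe target gets a /32 static route through the link being tested, because source-interface only sets the probe's source address, and with two equal-cost default routes CEF can send the echo out the other link, so a track need not reflect the state of its own ISP. The NAT route-maps match only on the egress interface, so a VLAN2 flow that fails over to Multilink2 is still translated to the Multilink2 address; a NAT route-map that also requires the VLAN2 ACL together with the ISP2 interface does not match that flow, which then leaves untranslated and gets no reply, one way a failover test can look like "did not route out" even when the next-hop switch happened. And an EEM applet flushes the NAT table when a track changes state, since translations built on the failed link otherwise persist until they age out.

```cisco
! Added example (not from the thread). Assumed addressing:
!   ISP1 = Multilink2, next-hop 203.0.113.1   ISP2 = GigabitEthernet0/0, next-hop 198.51.100.1
!   VLAN1 10.1.0.0/24 gi0/1.101   VLAN2 10.0.0.0/24 gi0/1.100   VLAN3 10.3.0.0/24 gi0/1.102 (assumed)
!   VPN client pool 172.18.1.0/24

! 1) Probes: a different target per ISP, each pinned to its link with a host route,
!    so the echo cannot be load-shared out the other link by the two default routes.
ip route 8.8.8.8 255.255.255.255 203.0.113.1
ip route 8.8.4.4 255.255.255.255 198.51.100.1
ip sla 1
 icmp-echo 8.8.8.8 source-interface Multilink2
 frequency 5
 timeout 2000
ip sla 2
 icmp-echo 8.8.4.4 source-interface GigabitEthernet0/0
 frequency 5
 timeout 2000
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 30
track 2 ip sla 2 reachability
 delay down 10 up 30

! 2) Equal-cost defaults for router-originated and non-policy-routed traffic.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1

! 3) PBR ACLs: deny VPN-pool and inter-VLAN destinations first so they follow the
!    routing table, then permit the VLAN's own sources to anywhere else.
ip access-list extended PBR_VL1
 deny   ip any 172.18.1.0 0.0.0.255
 deny   ip any 10.0.0.0 0.0.0.255
 deny   ip any 10.3.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
ip access-list extended PBR_VL23
 deny   ip any 172.18.1.0 0.0.0.255
 deny   ip any 10.1.0.0 0.0.0.255
 deny   ip any 10.0.0.0 0.0.0.255
 deny   ip any 10.3.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.3.0.0 0.0.0.255 any
! Sequence 10 is tried first; a next-hop whose track is down is skipped.
route-map PBR_VL1 permit 10
 match ip address PBR_VL1
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 set ip next-hop verify-availability 198.51.100.1 20 track 2
route-map PBR_VL23 permit 10
 match ip address PBR_VL23
 set ip next-hop verify-availability 198.51.100.1 10 track 2
 set ip next-hop verify-availability 203.0.113.1 20 track 1

! 4) NAT keyed only on the egress link: whichever ISP a packet leaves on, it is
!    translated to that interface's address, so failed-over flows still get NAT.
route-map NAT_ISP1 permit 10
 match interface Multilink2
route-map NAT_ISP2 permit 10
 match interface GigabitEthernet0/0
ip nat inside source route-map NAT_ISP1 interface Multilink2 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0 overload

interface Multilink2
 ip nat outside
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1.101
 ip nat inside
 ip policy route-map PBR_VL1
interface GigabitEthernet0/1.100
 ip nat inside
 ip policy route-map PBR_VL23
interface GigabitEthernet0/1.102
 ip nat inside
 ip policy route-map PBR_VL23

! 5) Translations built on the failed link persist until they time out; flush the
!    table on any track transition so existing flows rebind to the surviving link.
event manager applet NAT_FLUSH_TRACK1
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 1 changed state, NAT translations cleared"
event manager applet NAT_FLUSH_TRACK2
 event track 2 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
 action 3.0 syslog msg "track 2 changed state, NAT translations cleared"
```

To verify, run the checks Alain asks for: show track (the state should follow the interface shutdown), show ip sla statistics (the failed probe should show timeouts, the other should not), show route-map (the policy routing match counters and the [up]/[down] marker beside each next-hop), and show ip nat translations, where the inside global address of new VLAN2 sessions should move to the Multilink2 address once gi0/0 is shut and the applet's syslog line has appeared. Nothing in the VPN part changes: the deny lines for 172.18.1.0/24 in the PBR ACLs are what keep VLAN replies to VPN clients on the tunnel instead of pushing them to an ISP next-hop. Two caveats: clear ip nat translation * drops every active translation, including the other VLAN's healthy sessions, so on a larger site it is often better to let them age out; and a public anycast resolver such as 8.8.8.8 can rate-limit ICMP and flap a track, so the ISP's own gateway or a host the ISP controls is a better probe target, with the delay timers on the track objects dampening what flapping remains.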