12-09-2012 12:54 PM - edited 03-04-2019 06:21 PM
I'm bashing my head here trying to figure out something which I believe is really not as difficult as I'm making it out to be.
I have 3 VLANs (router on a stick setup) and 2 WAN interfaces on a single router.
VLAN1 -> ISP1
VLAN2, VLAN3 -> ISP2
How can I set this up so that VLAN1 uses ISP1 as its primary internet connection?
How can I set this up so that VLAN2 and VLAN3 use ISP2 as their primary internet connection?
How can I set this up so that VLAN1 will use ISP2 if ISP1 fails?
How can I set this up so that VLAN2, VLAN3 will use ISP1 if ISP2 fails?
I ran into problems before with issues due to NAT when trying to use IP SLA and event applets to just update route-map commands. That failed horribly. So I think I'll send this to the community since I'm at a loss and I need to have another set of eyes look at this, if it's something even possible using just a single router.
12-09-2012 11:38 PM
Hi,
here is one way you can do it:
!
! ACLs identifying each VLAN's traffic
ip access-list extended VL1_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VL23_TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
!
! One ICMP probe sourced from each ISP interface, each tied to a track object
ip sla 1
 icmp-echo 8.8.8.8 source-interface s1/0
 frequency 4
 timeout 2000
ip sla 23
 icmp-echo 8.8.8.8 source-interface s1/1
 frequency 4
 timeout 2000
ip sla schedule 1 life forever start-time now
ip sla schedule 23 life forever start-time now
track 1 ip sla 1 reachability
track 23 ip sla 23 reachability
!
1) VLAN 1 ---> ISP1 (primary), ISP2 (secondary)
! The first next-hop whose track is up is used; the second is only tried when track 1 is down
route-map VL1_TRAFFIC permit 10
 match ip address VL1_ACL
 ! ISP1 next-hop
 set ip next-hop verify-availability x.x.x.x 10 track 1
 ! ISP2 next-hop
 set ip next-hop verify-availability x.x.x.x 20 track 23
interface f0/0.1
 ip nat inside
 ip policy route-map VL1_TRAFFIC
!
2) VLAN 2,3 ---> ISP2 (primary), ISP1 (secondary)
route-map VL23_TRAFFIC permit 10
 match ip address VL23_ACL
 ! ISP2 next-hop
 set ip next-hop verify-availability x.x.x.x 10 track 23
 ! ISP1 next-hop
 set ip next-hop verify-availability x.x.x.x 20 track 1
interface f0/0.2
 ip nat inside
 ip policy route-map VL23_TRAFFIC
interface f0/0.3
 ip nat inside
 ip policy route-map VL23_TRAFFIC
!
3) NAT overload:
! Match on the egress interface only, so a packet is translated to the address of
! whichever ISP interface it actually leaves on, including after a failover.
! (Matching the VLAN ACL as well would leave VLAN 2/3 traffic untranslated once it
! fails over to s1/0, because no NAT route-map would match that ACL on that interface.)
route-map NAT_ISP1 permit 10
 match interface s1/0
route-map NAT_ISP2 permit 10
 match interface s1/1
interface s1/0
 ip nat outside
interface s1/1
 ip nat outside
! ISP1
ip nat inside source route-map NAT_ISP1 interface s1/0 overload
! ISP2
ip nat inside source route-map NAT_ISP2 interface s1/1 overload
Regards.
Alain
Don't forget to rate helpful posts.
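As an added illustration (not part of Alain's post or the original poster's router), the following Python model runs a packet through the decision chain the answer builds: the VLAN ACL, the ordered list of tracked next-hops in the PBR route-map, and the NAT route-map that decides which outside address the packet is translated to. The gateways are constructed RFC 5737 placeholders standing in for the x.x.x.x values in the post; the interface names are those from the post. It models two NAT variants side by side, the per-VLAN one (ACL plus egress interface) and an interface-only one, so that the failover case can be checked for each.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders for the x.x.x.x gateways in the post (RFC 5737 space).
ISP1_GW = "203.0.113.1"   # reached via s1/0
ISP2_GW = "198.51.100.1"  # reached via s1/1
GW_INTERFACE = {ISP1_GW: "s1/0", ISP2_GW: "s1/1"}

# The two ACLs from the answer.
ACLS = {
    "VL1_TRAFFIC": ["192.168.1.0/24"],
    "VL23_TRAFFIC": ["192.168.2.0/24", "192.168.3.0/24"],
}

# PBR policy per inside sub-interface: the ACL to match, then an ordered list of
# (next-hop, track object) candidates. The first candidate whose track is up is
# used, which is how 'set ip next-hop verify-availability ... track' behaves.
PBR = {
    "f0/0.1": ("VL1_TRAFFIC", [(ISP1_GW, 1), (ISP2_GW, 23)]),
    "f0/0.2": ("VL23_TRAFFIC", [(ISP2_GW, 23), (ISP1_GW, 1)]),
    "f0/0.3": ("VL23_TRAFFIC", [(ISP2_GW, 23), (ISP1_GW, 1)]),
}

# NAT route-maps as (ACL or None, egress interface to match, outside interface
# whose address is used for PAT). Two variants are modelled:
#  - per-ACL: each VLAN's ACL is pinned to a single egress interface
#  - per-interface: any inside source leaving s1/0 is translated to s1/0, etc.
NAT_PER_ACL = [("VL1_TRAFFIC", "s1/0", "s1/0"), ("VL23_TRAFFIC", "s1/1", "s1/1")]
NAT_PER_INTERFACE = [(None, "s1/0", "s1/0"), (None, "s1/1", "s1/1")]


def acl_permits(acl_name, src):
    """True if the source address falls inside any permit entry of the ACL."""
    return any(ip_address(src) in ip_network(net) for net in ACLS[acl_name])


def pbr_next_hop(ingress, src, tracks):
    """Next-hop chosen by the route-map on `ingress`, or None when the ACL does
    not match or no tracked candidate is up (the packet then falls back to the
    routing table)."""
    acl, candidates = PBR[ingress]
    if not acl_permits(acl, src):
        return None
    for gw, track in candidates:
        if tracks.get(track, False):
            return gw
    return None


def nat_interface(src, egress, nat_policy):
    """Outside interface whose address the packet is translated to, or None when
    no NAT route-map matches (the packet would leave with its private source
    address, which the ISP will not route back)."""
    for acl, match_if, outside_if in nat_policy:
        if match_if == egress and (acl is None or acl_permits(acl, src)):
            return outside_if
    return None


def forward(ingress, src, tracks, nat_policy):
    """Run one packet through PBR and then NAT and return the decisions made."""
    gw = pbr_next_hop(ingress, src, tracks)
    if gw is None:
        return {"next_hop": None, "egress": None, "nat": None}
    egress = GW_INTERFACE[gw]
    return {"next_hop": gw, "egress": egress,
            "nat": nat_interface(src, egress, nat_policy)}


if __name__ == "__main__":
    both_up = {1: True, 23: True}
    isp2_down = {1: True, 23: False}   # what the failover test is meant to exercise
    for name, policy in (("per-ACL NAT", NAT_PER_ACL),
                         ("per-interface NAT", NAT_PER_INTERFACE)):
        print(name)
        print("  VLAN2, both ISPs up:", forward("f0/0.2", "192.168.2.10", both_up, policy))
        print("  VLAN2, ISP2 down:   ", forward("f0/0.2", "192.168.2.10", isp2_down, policy))
```

With both tracks up the two variants behave identically. With track 23 down, VLAN 2/3 traffic is policy-routed to the ISP1 gateway and leaves s1/0, but under the per-ACL NAT policy no route-map matches VL23_TRAFFIC on s1/0 and the packet is not translated; the interface-only policy translates it to the s1/0 address. That is the check worth running on a lab router before trusting a failover design: confirm the track flips, then confirm the translation table (show ip nat translations) shows the failed-over flows.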
12-17-2012 05:45 AM
What is the VL1_ACL and VL23_ACL defined here? Is this the same as VL1_TRAFFIC and VL23_TRAFFIC?
I experienced issues with trying to VPN to the network today. It would not allow me to access the VL23_TRAFFIC subnets and I did include a permit for the VPN IP pool as well. I just want to make sure I know what VL1_ACL/VL23_ACL was intended to be.
12-17-2012 06:34 AM
Hi,
I made a typo, there are only VL1_TRAFFIC and VL23_TRAFFIC so you'll have to change in 1) and 2) accordingly.
I'm really sorry.
Now if you've got a VPN too then you'll have to modify these ACLs to deny VPN traffic between distant subnets.
Can you tell us how you set up your VPN and what your routing needs are for these VPNs?
Regards.
Alain
Don't forget to rate helpful posts.
12-17-2012 10:59 AM
Hello,
No need to apologize!
VPN clients get an IP in the 172.18.1.1-25 range. I should be able to ping/access VLAN2 or VLAN3 from a VPN client's system. My understanding is that the ACL in the client configuration indicates which networks to split tunnel.
Here's the IPsec portion:
crypto isakmp client configuration group group1
key xxxxxx
dns 192.168.1.10 8.8.8.8
domain domain.local
pool group1pool
acl 101
save-password
crypto isakmp profile vpn1-ra
match identity group group1
client authentication list VPN_UserAuth
isakmp authorization list VPN_GroupAuth
client configuration address respond
virtual-template 3
interface Virtual-Template3 type tunnel
! This is one of the two ISP interfaces. I'm not sure if this could be causing some of the problems or
! not with being able to pass traffic (split) while VPN'd in
ip unnumbered Multilink2
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 172.18.1.1 172.18.1.25
! ACL 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.18.1.0 0.0.0.255
I need the 172.18.1.x traffic to be able to pass to the VLAN2 and VLAN3 subnets.
I did deny the VPN network with the following ACL:
access-list 199 deny ip any 192.168.1.0 0.0.0.255
access-list 199 deny ip any 192.168.2.0 0.0.0.255
access-list 199 deny ip any 192.168.3.0 0.0.0.255
access-list 199 deny ip any 172.18.1.0 0.0.0.255
access-list 199 permit ip any any
This ACL is applied to the route-map I have placed on the inside interface.
12-18-2012 06:10 AM
VPN is working now; however, when testing failover it did not work. I shut down the gigabitethernet0/0 interface (ISP2) and VLAN23 did not route out the ISP1 interface Multilink2.
Any hints on what to look for? I have 2 static routes on the router configured as follows:
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP#1 default gw)
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP#2 default gw)
If I take those routes out, neither the VLAN1 nor the VLAN23 route-map will move traffic to its correct path. It seems like the route-map is not being applied on the gi0/1.100 and gi0/1.101 interfaces and is ignoring the configured next-hop.
route-map plex_traffic, permit, sequence 10
Match clauses:
ip address (access-lists): plex_traffic
Set clauses:
ip next-hop verify-availability x.x.x.x 1 track 1 [up] #ISP1 GW
ip next-hop verify-availability x.x.x.x 2 track 2 [up] #ISP2 GW
Policy routing matches: 847943 packets, 473802683 bytes
route-map penn_traffic, permit, sequence 10
Match clauses:
ip address (access-lists): penn_traffic
Set clauses:
ip next-hop verify-availability x.x.x.x 1 track 2 [up] #ISP2 GW
ip next-hop verify-availability x.x.x.x 2 track 1 [up] #ISP1 GW
Policy routing matches: 1659871 packets, 746293419 bytes
plex_traffic route-map is applied to gi0/1.101 interface
penn_traffic route-map is applied to gi0/1.100 interface
route-map nat_plex, permit, sequence 10
Match clauses:
ip address (access-lists): plex_traffic
interface Multilink2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map nat_penn, permit, sequence 10
Match clauses:
ip address (access-lists): penn_traffic
interface GigabitEthernet0/0
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Extended IP access list plex_traffic
1 deny ip any 172.18.1.0 0.0.0.255 (68063 matches) #VPN TRAFFIC
2 deny ip any 10.0.0.0 0.0.0.255 (108256 matches) #VLAN2
3 deny ip any 10.3.0.0 0.0.0.255 #VLAN3
10 permit ip 10.1.0.0 0.0.0.255 any (929831 matches) #VLAN1
Extended IP access list penn_traffic
1 deny ip any 172.18.1.0 0.0.0.255 (113738 matches) #VPN TRAFFIC
2 deny ip any 10.1.0.0 0.0.0.255 (111330 matches) #VLAN1
3 deny ip any 10.3.0.0 0.0.0.255 #VLAN3
10 permit ip 10.0.0.0 0.0.0.255 any (1719208 matches) #VLAN2
ip nat inside source route-map nat_penn interface GigabitEthernet0/0 overload
ip nat inside source route-map nat_plex interface Multilink2 overload
12-18-2012 06:39 AM
Hi,
When testing failover, could you post the output of sh track as well as sh ip sla statistics before and after failover,
and also could you run debug track and post the output.
Regards.
Alain
Don't forget to rate helpful posts.