10-05-2011 08:55 AM - edited 03-04-2019 01:50 PM
Hello.
We are two organizations sharing one office.
We both use one Cisco 2821 router with an EtherSwitch module.
Each organization has its own subnet, and the organizations are separated via VLANs.
The question is how can we make sure that
Organization #1, set to VLAN 100, is routed to the internet via GigabitEthernet 0/0 (ISP 1)
Organization #2, set to VLAN 200, is routed to the internet via GigabitEthernet 0/1 (ISP 2)
Both Organizations use NAT to connect to the internet.
10-05-2011 09:57 AM
Safar
This is more a PBR issue, i.e.
vlan 100 = 192.168.5.0/24
vlan 200 = 192.168.6.0/24
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
route-map PBR1 permit 10
 match ip address 101
 set ip next-hop x.x.x.x <--- where x.x.x.x is the ISP1 next-hop address
route-map PBR2 permit 10
 match ip address 102
 set ip next-hop y.y.y.y <--- where y.y.y.y is the ISP2 next-hop address
int vlan 100
 ip policy route-map PBR1
 ip nat inside
int vlan 200
 ip policy route-map PBR2
 ip nat inside
int gi0/0
 ip nat outside
int gi0/1
 ip nat outside
Note if you want each customer to be able to fail over to the other link if their ISP goes down then it gets more complicated. Let us know if this is what you want.
Jon
10-05-2011 10:07 AM
Hi Jon,
I think you forgot the NAT part in your solution.
route-map NATISP1 permit 10
 match interface GigabitEthernet0/0
route-map NATISP2 permit 10
 match interface GigabitEthernet0/1
! overload added: without PAT a single interface address can only serve one inside host at a time
ip nat inside source route-map NATISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map NATISP2 interface GigabitEthernet0/1 overload
Regards.
Alain.
10-05-2011 10:37 AM
Alain
Thank you, i did.
I'm not sure in this case though that you need the route-maps NATISP1 and NATISP2. You may do if you wanted failover but I was thinking of something like -
ip nat inside source list 101 interface gi0/0 overload
ip nat inside source list 102 interface gi0/1 overload
simply because PBR will send the traffic to the right interface anyway and the source IPs being NATed are always different for each VLAN.
To be totally honest I have never really got it exactly right in my head as to when to use the match interface and use route-maps with NAT, because in my example I don't think you need to, but I may well be wrong. Certainly with failover I think it's needed.
I keep meaning to fire this up on GNS3 and do some extensive testing but I never seem to get around to it, i.e. something more interesting always comes up.
Be interested to hear your thoughts?
Jon
10-05-2011 11:32 AM
Hi jon,
Yes, effectively I think you're right: if the two inside addresses are different then you wouldn't need the route-map for NAT, just the two ACLs. I answered a bit too fast; I'll lab it up just to be sure, but I'm almost certain you're right on the spot.
Regards.
Alain.
10-05-2011 11:39 AM
Hi Jon many thanks for your reply.
Your solution did the work for me; however, I lost inter-VLAN routing between the organizations.
I guess I may restore it by adding permitted IP addresses into the ACLs... but is there any easy way?
10-05-2011 11:46 AM
Safar
Ahh yes, because of your description I didn't think you needed to allow for inter-organization routing. My apologies for not explaining clearly enough.
Yes, if you want to allow inter-organisation traffic without being PBR'd then with your ACLs you need to have deny statements first, so:
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 192.168.6.0 0.0.0.255 any
The deny statements tell the router not to use PBR for this traffic and use the routing table instead.
Note you don't actually need these lines for the ACLs in use in the NAT statements; you need them for use in the PBR ACLs. In my previous example I used the same ACLs for both the PBR route-map and the NAT config. They are not needed for NAT assuming inter-organisation traffic does not go via the outside interfaces, i.e. gi0/0 and gi0/1. I generally use different ACLs for NAT and PBR, but that may just be me.
So if you wanted to you could have acl 103 and acl 104 for the PBR route-maps which would look like the above and then have acls 101 and 102 for the NAT. However it should still work if you just use acls 101 and 102 in both PBR and NAT.
Once again, apologies for disrupting your network.
Jon
10-05-2011 12:04 PM
Jon,
Thanks again. Now everything works fine. Just wondering: if I had five organizations to set up on one ISP and five organizations on the second ISP, and each organization had around five VLANs, and inter-VLAN routing should be enabled for all VLANs in the network... what would the setup look like? :-) I mean, is there really no other way to forward only the necessary traffic to the ISP, or, for example, to do it the other way round: deny only ISP traffic (assuming that in that case it will reach the correct destination) and then permit ip any any?
10-05-2011 12:12 PM
Denying ISP traffic in your NAT ACLs certainly wouldn't work, and it wouldn't with PBR either, because by denying you are telling the router to use the routing table, and how would the router know which ISP to send a specific organization's traffic to?
PBR is pretty much the way to go with this. Your setup would look similar to what you now have, except you would need more route-maps and access-lists. Note you can just have one route-map with multiple permit statements and apply the same route-map to each VLAN interface, but this doesn't really cut down on your config that much.
So unfortunately yes it just means more configuration.
The alternative is to use vrf-lite (if supported on your router). Vrf-lite would allow you to have 2 separate routing tables so in one routing table you point the default-route to ISP1 and in the other you point to ISP2. Then you simply assign the vlan interfaces into the relevant vrf. However because you need inter-organisation traffic you would then need to setup route-leaking so that the organisations could route to each other and so your config becomes more complex again.
I haven't used vrf-lite this way so it may be that the config is more compact but i wouldn't like to say for sure.
Jon
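The scaling question above (several organisations per ISP, several VLANs per organisation, inter-VLAN routing kept open) is mostly a matter of not hand-typing the ACLs. The script below is an added example, not code from this thread or from Cisco: it generates the PBR and NAT configuration for any number of organisations and ISPs using the same pattern Jon describes (deny every internal destination first so that traffic falls through to the routing table, then permit each homed subnet towards "any"; one NAT ACL per ISP with no deny entries, since inter-organisation traffic never crosses an "ip nat outside" interface), and it also evaluates the generated ACLs with IOS first-match semantics so you can check what a given source/destination pair will do before pasting the config. The ISP and organisation tables, the named ACL and route-map names, the Vlan SVI addresses (first usable host of each subnet) and the x.x.x.x / y.y.y.y next-hop placeholders are all assumptions for illustration; the two-organisation topology embedded in it is the one from the thread.

```python
"""Generate and sanity-check a PBR + NAT configuration for N organisations that share
one router with several ISP uplinks. Added example; not from the thread or from Cisco."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")

# Constructed sample topology: the two-organisation case from the thread.
# Interface names, org names and the next-hop placeholders are assumptions.
ISPS = {
    "ISP1": {"outside": "GigabitEthernet0/0", "next_hop": "x.x.x.x"},
    "ISP2": {"outside": "GigabitEthernet0/1", "next_hop": "y.y.y.y"},
}
ORGS = [
    {"name": "Org1", "isp": "ISP1", "vlans": [(100, "192.168.5.0/24")]},
    {"name": "Org2", "isp": "ISP2", "vlans": [(200, "192.168.6.0/24")]},
]

Entry = Tuple[str, IPv4Network, IPv4Network]  # (permit|deny, source, destination)


def wc(net: IPv4Network) -> str:
    """Render a network in IOS ACL notation: address plus wildcard mask, or 'any'."""
    return "any" if net == ANY else f"{net.network_address} {net.hostmask}"


def pbr_acl(isp: str, orgs) -> List[Entry]:
    """PBR ACL for one ISP: deny every internal destination first (inter-VLAN and
    inter-organisation traffic then uses the routing table), then permit each subnet
    of the organisations homed on this ISP towards any destination."""
    internal = [IPv4Network(s) for o in orgs for _, s in o["vlans"]]
    homed = [IPv4Network(s) for o in orgs if o["isp"] == isp for _, s in o["vlans"]]
    return [("deny", ANY, d) for d in internal] + [("permit", s, ANY) for s in homed]


def nat_acl(isp: str, orgs) -> List[Entry]:
    """NAT ACL for one ISP: only the subnets homed on it, no deny entries needed."""
    return [("permit", IPv4Network(s), ANY)
            for o in orgs if o["isp"] == isp for _, s in o["vlans"]]


def evaluate(acl: List[Entry], src: str, dst: str) -> bool:
    """First-match ACL evaluation with the implicit deny at the end, as on IOS."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, sn, dn in acl:
        if s in sn and d in dn:
            return action == "permit"
    return False


def next_hop_for(src: str, dst: str, orgs=ORGS, isps=ISPS) -> Optional[str]:
    """Predict the policy result for a packet arriving on the source's VLAN: the ISP
    next-hop if PBR matches, None if it falls back to the routing table."""
    for o in orgs:
        if any(IPv4Address(src) in IPv4Network(s) for _, s in o["vlans"]):
            isp = o["isp"]
            return isps[isp]["next_hop"] if evaluate(pbr_acl(isp, orgs), src, dst) else None
    raise ValueError(f"{src} is not in any configured VLAN")


def build_config(orgs=ORGS, isps=ISPS) -> str:
    """Emit IOS config: named extended ACLs, one route-map and one overloaded NAT
    statement per ISP, and the SVI / uplink interface stanzas."""
    nets = [IPv4Network(s) for o in orgs for _, s in o["vlans"]]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    for o in orgs:
        if o["isp"] not in isps:
            raise ValueError(f"{o['name']} references unknown ISP {o['isp']}")
    lines: List[str] = []
    for isp, p in isps.items():
        lines.append(f"ip access-list extended PBR-{isp}")
        lines += [f" {act} ip {wc(s)} {wc(d)}" for act, s, d in pbr_acl(isp, orgs)]
        lines.append(f"ip access-list extended NAT-{isp}")
        lines += [f" {act} ip {wc(s)} {wc(d)}" for act, s, d in nat_acl(isp, orgs)]
        lines += [f"route-map PBR-{isp} permit 10",
                  f" match ip address PBR-{isp}",
                  f" set ip next-hop {p['next_hop']}"]
        lines += [f"interface {p['outside']}", f" description {isp} uplink", " ip nat outside"]
        lines.append(f"ip nat inside source list NAT-{isp} interface {p['outside']} overload")
    for o in orgs:
        for vlan, subnet in o["vlans"]:
            net = IPv4Network(subnet)  # SVI gets the first usable host (assumption)
            lines += [f"interface Vlan{vlan}", f" description {o['name']}",
                      f" ip address {net[1]} {net.netmask}",
                      f" ip policy route-map PBR-{o['isp']}", " ip nat inside"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config())
```

The deny list grows with the number of internal subnets (one "deny ip any" per subnet in every PBR ACL), so for five organisations with five VLANs each on both ISPs you get 50 deny lines plus the permit lines per ACL; that is still far shorter and less error-prone than per-pair entries, and next_hop_for gives you a quick regression check that inter-organisation traffic keeps using the routing table whenever a VLAN is added.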
10-05-2011 02:34 PM
Thanks for the explanation, Jon. Good to know