11-23-2019 02:40 AM
Hi,
I'm new to this forum and pretty new to Cisco network devices and configuring them (I just started learning for CCENT1) :-)
I need to configure a Cisco Router (Cisco 892) which is connected to two ISPs (no load balancing) with two networks.
For example:
VLAN1 will be passed by ISP1 and VLAN2 will be passed by ISP2
Devices in VLAN1 and VLAN2 should not be able to communicate with each other.
ISP1 ---------+          +--------- VLAN1
              |    R1    |
ISP2 ---------+          +--------- VLAN2
ISP1 is connected to R1 Fe0 (IPv4 received by DHCP)
ISP2 is connected to R1 Fe1 (IPv4 received by DHCP)
VLAN1 172.16.1.0/24
VLAN2 172.16.2.0/24
I already read that PBR and NAT is the keyword here, but I did not find a solution for my problem yet.
Can you maybe help me out?
This is my first post here. Please let me know if you need more information.
Thank you.
11-23-2019 03:21 AM
There is another post looking to achieve the same (don't like to reinvent the wheel). Replace the 10.x.x addresses with your 172.x networks and
change the ISP addresses as per the requirement.
Here is the suggested config:
interface GigabitEthernet0/0
description ISP1
nameif ISP1
security-level 0
ip address 100.100.100.1 255.255.255.252
!
interface GigabitEthernet0/1
description ISP2
nameif ISP2
security-level 0
ip address 200.200.200.1 255.255.255.252
!
interface GigabitEthernet0/2
description OFFICE
nameif office
security-level 100
ip address 10.0.1.1 255.255.255.0
policy-route route-map PRIORITY_ISP1_RM
!
interface GigabitEthernet0/3
description VOICE
nameif voice
security-level 100
ip address 10.0.2.1 255.255.255.0
policy-route route-map PRIORITY_ISP2_RM
!
object network obj_10.0.1.0
subnet 10.0.1.0 255.255.255.0
description OFFICE_SUBNET
!
object network obj_10.0.2.0
subnet 10.0.2.0 255.255.255.0
description VOICE_SUBNET
!
route-map PRIORITY_ISP1_RM permit 10
match ip address PRIORITY_ISP1_ACL
set ip next-hop verify-availability 100.100.100.2 1 track 1
!
route-map PRIORITY_ISP2_RM permit 10
match ip address PRIORITY_ISP2_ACL
set ip next-hop verify-availability 200.200.200.2 2 track 2
!
access-list PRIORITY_ISP1_ACL extended permit ip object obj_10.0.1.0 any
access-list PRIORITY_ISP2_ACL extended permit ip object obj_10.0.2.0 any
!
route ISP1 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
route ISP2 0.0.0.0 0.0.0.0 200.200.200.2 2 track 2
!
object-group network ISP1_NAT
network-object obj_10.0.1.0
network-object obj_10.0.2.0
nat (any,ISP1) source dynamic ISP1_NAT interface
!
object-group network ISP2_NAT
network-object obj_10.0.2.0
network-object obj_10.0.1.0
nat (any,ISP2) source dynamic ISP2_NAT interface
!
event manager applet CLEAR_NAT_ISP1
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear xlate interface ISP1"
!
event manager applet CLEAR_NAT_ISP2
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear xlate interface ISP2"
11-23-2019 05:35 AM
Thank you for your reply.
I will try that :-)
11-23-2019 05:48 AM
Hello,
the configuration below should work. It might look a bit complicated, but the EEM scripts take care of a possible failover in case one of the ISPs goes down.
On the 892, you need to create vlan 2 (config t/vlan 2).
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 892
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
no aaa new-model
!
ip cef
!
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.2.1
!
ip dhcp pool VLAN1
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool VLAN2
import all
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
dns-server 8.8.8.8 8.8.4.4
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO892-K9 sn FCZ1714C2ZD
!
username admin privilege 15 secret 5 zsc1w55wVxL1behpFMAW8XrxKcVujVnNHLpMKP.ZgXk
!
redundancy
!
vlan 2
!
ip ssh version 2
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
interface FastEthernet0
description Link to ISP_1
ip address dhcp
ip nat outside
!
interface FastEthernet1
description Link to ISP_2
ip address dhcp
ip nat outside
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
switchport access vlan 2
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map ISP_1_PBR
!
interface Vlan2
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map ISP_2_PBR
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0
frequency 10
!
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet1
frequency 10
!
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
ip nat inside source route-map ISP_1 interface FastEthernet0 overload
ip nat inside source route-map ISP_2 interface FastEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0 dhcp
ip route 0.0.0.0 0.0.0.0 FastEthernet1 dhcp
!
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
access-list 102 permit ip 172.16.2.0 0.0.0.255 any
!
route-map ISP_1 permit 10
match ip address 101
match interface FastEthernet0
!
route-map ISP_2 permit 10
match ip address 102
match interface FastEthernet1
!
route-map ISP_1_PBR permit 10
match ip address 101
set interface FastEthernet0
!
route-map ISP_1_PBR permit 20
!
route-map ISP_2_PBR permit 10
match ip address 102
set interface FastEthernet1
!
route-map ISP_2_PBR permit 20
!
event manager applet ISP_1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Vlan 1"
action 4.0 cli command "no ip policy route-map ISP_1_PBR"
action 5.0 cli command "exit"
action 6.0 cli command "no access-list 102"
action 7.0 cli command "access-list 102 permit ip 172.16.1.0 0.0.0.255 any"
action 8.0 cli command "access-list 102 permit ip 172.16.2.0 0.0.0.255 any"
action 9.0 cli command "no ip route 0.0.0.0 0.0.0.0 FastEthernet0 dhcp"
action 9.1 cli command "no ip nat inside source route-map ISP_1 interface FastEthernet0 overload"
action 9.2 cli command "exit"
action 9.3 cli command "clear ip nat translation *"
action 9.4 cli command "end"
!
event manager applet ISP_1_UP
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Vlan 1"
action 4.0 cli command "ip policy route-map ISP_1_PBR"
action 5.0 cli command "exit"
action 6.0 cli command "no access-list 102"
action 7.0 cli command "access-list 102 permit ip 172.16.2.0 0.0.0.255 any"
action 8.0 cli command "ip route 0.0.0.0 0.0.0.0 FastEthernet0 dhcp"
action 9.0 cli command "ip nat inside source route-map ISP_1 interface FastEthernet0 overload"
action 9.1 cli command "exit"
action 9.2 cli command "clear ip nat translation *"
action 9.3 cli command "end"
!
event manager applet ISP_2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Vlan 2"
action 4.0 cli command "no ip policy route-map ISP_2_PBR"
action 5.0 cli command "exit"
action 6.0 cli command "no access-list 101"
action 7.0 cli command "access-list 101 permit ip 172.16.1.0 0.0.0.255 any"
action 8.0 cli command "access-list 101 permit ip 172.16.2.0 0.0.0.255 any"
action 9.0 cli command "no ip route 0.0.0.0 0.0.0.0 FastEthernet1 dhcp"
action 9.1 cli command "no ip nat inside source route-map ISP_2 interface FastEthernet1 overload"
action 9.2 cli command "exit"
action 9.3 cli command "clear ip nat translation *"
action 9.4 cli command "end"
!
event manager applet ISP_2_UP
event track 2 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface Vlan 2"
action 4.0 cli command "ip policy route-map ISP_2_PBR"
action 5.0 cli command "exit"
action 6.0 cli command "no access-list 101"
action 7.0 cli command "access-list 101 permit ip 172.16.1.0 0.0.0.255 any"
action 8.0 cli command "ip route 0.0.0.0 0.0.0.0 FastEthernet1 dhcp"
action 9.0 cli command "ip nat inside source route-map ISP_2 interface FastEthernet1 overload"
action 9.1 cli command "exit"
action 9.2 cli command "clear ip nat translation *"
action 9.3 cli command "end"
!
control-plane
!
mgcp profile default
!
line con 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 5 0
login local
transport input all
!
end
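The router config above does not yet enforce the original requirement that VLAN1 and VLAN2 cannot reach each other; because ACLs 101 and 102 match any destination, the PBR route-maps would even try to push VLAN1-to-VLAN2 packets out the ISP interfaces. The inbound ACLs below are an added example, not part of any reply in this thread: IOS evaluates an inbound access-group before policy routing, so the denied traffic never reaches the route-map. They assume the 172.16.1.0/24 and 172.16.2.0/24 addressing and the Vlan1/Vlan2 interfaces from the reply above.

```cisco
! Added example: isolate VLAN1 and VLAN2 from each other on the 892.
! Assumes the 172.16.1.0/24 (Vlan1) and 172.16.2.0/24 (Vlan2) addressing from the thread.
ip access-list extended VLAN1_IN
 remark DHCP discovers arrive with source 0.0.0.0, so permit them explicitly
 permit udp any eq bootpc any eq bootps
 remark drop inter-VLAN traffic before PBR sees it; log hits for visibility
 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 log
 remark only the VLAN's own subnet may source packets (anti-spoofing)
 permit ip 172.16.1.0 0.0.0.255 any
!
ip access-list extended VLAN2_IN
 permit udp any eq bootpc any eq bootps
 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
 permit ip 172.16.2.0 0.0.0.255 any
!
interface Vlan1
 ip access-group VLAN1_IN in
!
interface Vlan2
 ip access-group VLAN2_IN in
```

After applying it, ping a 172.16.2.x host from VLAN1: the ping should fail and `show ip access-lists VLAN1_IN` should show the deny counter incrementing, while Internet traffic from both VLANs still follows its PBR path.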