04-09-2019 08:25 AM
Hi,
I have 2 ISPs, a Cisco 3825 router, and a Cisco 3750 as the core switch.
WAN SIDE
Both ISPs are terminated on the Cisco 3750 on different VLANs (101 and 201). From there I made a trunk of both VLANs and connected it to the Cisco 3825 using sub-interfaces.
LAN SIDE
The other port of the router is an access port and is terminated on the 3750 in VLAN 301.
Question:
How would I send traffic destined to 145.77.X.X from ISP 1, except FTP traffic, and send the rest of the traffic, including FTP, from ISP 2?
If ISP 1 fails, all traffic, including traffic destined to 145.77.X.X, is routed through ISP 2.
04-09-2019 08:42 AM
Hello,
A simple PBR with route maps should be able to accomplish this. Post the configuration of the 3750 that terminates both ISPs...
04-09-2019 08:57 AM
vlan internal allocation policy ascending
!
interface GigabitEthernet1/0/10
 description Access from Router
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 301
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 description Trunk from Router
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,201
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 description Uplink-to-ISP 2
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/0/14
 description Uplink-to-ISP 2
 switchport access vlan 201
 switchport mode access
!
interface GigabitEthernet1/0/16
 description Uplink-for-Access-Switch-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300
 switchport mode trunk
04-09-2019 12:03 PM
Thank you for posting the partial config of the switch. Based on your description of the environment that the LAN connection was access, I am a bit surprised that Gig1/0/10 is a trunk which allows only a single VLAN (301), and that G1/0/16 is a trunk which allows only a single VLAN (300). Perhaps if you post the config of the router we may be able to understand this better.
I do agree with Georg that a simple configuration of Policy Based Routing should achieve your requirements. When we understand your environment better we may be able to give you better advice.
HTH
Rick
04-09-2019 12:50 PM
Sorry, that was also VLAN 301, not 300.
Well, I tried implementing PBR but I'm not sure if that is the correct way; I'm also facing an issue that if ISP 2 goes down, the destination-based routes which were supposed to go from ISP 1 also go down (but when both ISPs are up, I'm sure traffic is routing correctly).
Pasting the router configs:
ip dhcp pool dhcp
 network 192.168.31.0 255.255.255.0
 default-router 192.168.31.1
 dns-server 8.8.8.8
 lease 0 0 30
!
ip domain name Router.com
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
!
voice-card 0
!
archive
 log config
  hidekeys
!
ip ssh version 2
!
class-map match-any ftp
 match protocol ftp
 match protocol secure-ftp
class-map match-any voice
 match protocol h323
 match protocol mgcp
 match protocol sip
 match protocol rtcp
 match protocol rtp
!
policy-map ftp-policy
 class ftp
policy-map voice-policy
 class voice
  set ip dscp ef
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.1
 description CONNECTION_TO_ISP1
 encapsulation dot1Q 101
 ip address 192.168.40.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.2
 description CONNECTION_TO_ISP2
 encapsulation dot1Q 201
 ip address 116.X.X.243 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip policy route-map asterik
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.301
 description CONNECTION_TO_INTERNAL_NETWORK
 encapsulation dot1Q 301
 ip address 192.168.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map asterik
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.40.1
no ip http server
no ip http secure-server
!
ip nat inside source route-map ISP 1 interface GigabitEthernet0/0.2 overload
ip nat inside source route-map ISP 2 interface GigabitEthernet0/0.1 overload
!
access-list 101 permit ip 192.168.41.0 0.0.0.255 any
access-list 150 permit ip any host 145.77.X.X
!
route-map ISP 2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0.1
!
route-map ftp permit 10
 match policy-list ftp-policy
 set ip next-hop 182.176.X.X
!
route-map ISP 1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0.2
!
route-map asterik permit 10
 match ip address 150
 set ip next-hop 116.X.X.241
04-09-2019 04:22 PM
Sorry, that was VLAN 301, not 300.
I did try to configure PBR but I'm facing an issue: if ISP 2 goes down, destination-based traffic to ISP 2 also stops routing, whereas if both ISPs are up, traffic is routing as it should.
04-10-2019 01:42 AM
Hello,
There are multiple issues with the configuration you have posted. The NAT cannot work because access list 101 does not specify an existing inside subnet. The ftp route map is not applied anywhere. The next hops specified in the route maps do not match any IP address space on any existing interface. The policy map (what is that for?) is not applied anywhere with a service policy. In short, it is hard to figure out what you want to accomplish and how to fix your configuration: can you post a schematic drawing including IP addresses?
04-10-2019 09:17 AM
Hello,
I have made some changes to your configuration, implement those and test:
ip dhcp excluded-address 192.168.31.1
!
ip dhcp pool dhcp
network 192.168.31.0 255.255.255.0
default-router 192.168.31.1
dns-server 8.8.8.8
lease 0 0 30
!
interface GigabitEthernet0/0.1
description CONNECTION_TO_ISP1
encapsulation dot1Q 101
ip address 192.168.40.2 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0.2
description CONNECTION_TO_ISP2
encapsulation dot1Q 201
ip address 116.X.X.243 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/1.301
description CONNECTION_TO_INTERNAL_NETWORK
encapsulation dot1Q 301
ip address 192.168.31.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0.2 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0.1 overload
!
access-list 101 permit ip 192.168.31.0 0.0.0.255 any
access-list 102 permit tcp 192.168.31.0 0.0.0.255 host 145.77.1.1 eq ftp
!
route-map ISP_1 permit 10
match ip address 101
match interface GigabitEthernet0/0.2
!
route-map ISP_2 permit 10
match ip address 101
match interface GigabitEthernet0/0.1
!
route-map PBR permit 10
match ip address 102
set ip next-hop 192.168.40.1
!
route-map PBR permit 20
match ip address 101
set ip next-hop 116.1.1.244
!
route-map PBR permit 30
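The failure mode described in the thread (traffic to the policy-routed destination blackholes when the ISP behind the PBR next-hop goes down) happens because a plain "set ip next-hop" does not check whether the next-hop is reachable. The following is an added example, not the original poster's or Georg's configuration, showing the requirement from the first post (145.77.X.X via ISP 1 except FTP, everything else including FTP via ISP 2, full fallback to ISP 2 if ISP 1 fails) with IP SLA tracking and "verify-availability" so the policy is skipped while a gateway is down. Assumed values: ISP 1 gateway 192.168.40.1 and ISP 2 gateway 116.X.X.241 (read from the posted default route and route-map asterik), LAN 192.168.31.0/24, and 145.77.0.0/16 standing in for the real 145.77.X.X destination; replace them with the real addresses.

```cisco
! Added example configuration (IOS), not from the thread. Assumed addresses:
! ISP1 gateway 192.168.40.1 (G0/0.1), ISP2 gateway 116.X.X.241 (G0/0.2),
! LAN 192.168.31.0/24, placeholder 145.77.0.0/16 for the real 145.77.X.X host(s).
!
! Reachability probes, one per ISP gateway, sourced from the matching WAN subinterface.
ip sla 1
 icmp-echo 192.168.40.1 source-interface GigabitEthernet0/0.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 116.X.X.241 source-interface GigabitEthernet0/0.2
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Default route via ISP2 ("the rest" of the traffic); floating static via ISP1 (AD 10)
! takes over only when the ISP2 probe fails. Both are withdrawn when their track goes down.
ip route 0.0.0.0 0.0.0.0 116.X.X.241 track 2
ip route 0.0.0.0 0.0.0.0 192.168.40.1 10 track 1
!
! FTP to the 145.77 destination: control channel (21) and active-mode data channel (20).
ip access-list extended FTP-TO-145
 permit tcp 192.168.31.0 0.0.0.255 145.77.0.0 0.0.255.255 eq ftp
 permit tcp 192.168.31.0 0.0.0.255 145.77.0.0 0.0.255.255 eq ftp-data
! All other traffic to the 145.77 destination, which should prefer ISP1.
ip access-list extended TO-145
 permit ip 192.168.31.0 0.0.0.255 145.77.0.0 0.0.255.255
! Inside hosts eligible for NAT.
ip access-list standard LAN
 permit 192.168.31.0 0.0.0.255
!
! Seq 10: FTP is exempted from the ISP1 policy. A permit clause with no "set"
! stops route-map evaluation and the packet follows the routing table (ISP2 default).
route-map PBR permit 10
 match ip address FTP-TO-145
!
! Seq 20: other traffic to 145.77 is sent to ISP1 only while track 1 is up.
! If ISP1 is down, verify-availability skips the set and the packet is routed
! normally (ISP2 default) instead of being handed to an unreachable next-hop.
route-map PBR permit 20
 match ip address TO-145
 set ip next-hop verify-availability 192.168.40.1 10 track 1
!
! Seq 30: no match = everything else; no set = routing table (ISP2 by default).
route-map PBR permit 30
!
interface GigabitEthernet0/1.301
 ip policy route-map PBR
!
! NAT to whichever WAN interface the packet actually leaves on; "match interface"
! is evaluated after PBR/routing has picked the exit, so failover needs no NAT change.
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.1
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.2
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/0.2 overload
```

Two caveats a practitioner should keep in mind. First, probing the directly attached gateway only detects a dead link or gateway; if an ISP fails further upstream the probe still succeeds, so probing a far-side address is more robust, but that needs a static host route for the probe target via the corresponding ISP so the probe cannot leak out the other link. Second, the ACL only classifies the FTP control channel and the active-mode data channel; passive-mode data connections use negotiated high ports and would be policy-routed by sequence 20 unless the FTP server's address is matched more broadly.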