PBR multi WAN links

Mubeen
Level 1

Hi,

I have 2 ISPs, a Cisco 3825 router, and a Cisco 3750 as core switch.

WAN SIDE

I have terminated both ISPs on the Cisco 3750 on different VLANs (101 and 201). From there I made a trunk of both VLANs and connected it to the Cisco 3825 by making sub-interfaces.

LAN SIDE

The other port of the router is an access port and is terminated on the 3750 with VLAN 301.

Question.

How would I send traffic destined to 145.77.X.X from ISP 1 except FTP traffic, and send the rest of the traffic including FTP from ISP 2?

If ISP 1 fails, all the traffic including traffic destined to 145.77.X.X is routed through ISP 2.

7 Replies

Hello,

A simple PBR with route maps should be able to accomplish this. Post the configuration of the 3750 that terminates both ISPs...

vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet1/0/10
 description Access from Router
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 301
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 description Trunk from Router
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 101,201
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 description Uplink-to-ISP 2
 switchport access vlan 101
 switchport mode access
!
interface GigabitEthernet1/0/14
 description Uplink-to-ISP 2
 switchport access vlan 201
 switchport mode access
!
interface GigabitEthernet1/0/16
 description Uplink-for-Access-Switch-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 300
 switchport mode trunk

Thank you for posting the partial config of the switch. Based on your description of the environment that LAN connection was access I am a bit surprised that Gig1/0/10 is a trunk which allows only a single vlan 301. And that G1/0/16 is a trunk which allows only a single vlan 300. Perhaps if you post the config of the router we may be able to understand this better.

I do agree with Georg that a simple configuration of Policy Based Routing should achieve your requirements. When we understand your environment better we may be able to give you better advice.

HTH

Rick

Sorry, that was also vlan 301, not 300.

Well, I tried implementing PBR but I am not sure if that is the correct way. I am also facing an issue that if ISP 2 goes down, destination-based routes which were supposed to go from ISP 1 also go down (but when both ISPs are up, I'm sure traffic is routing correctly).

Pasting the router configs

ip dhcp pool dhcp
   network 192.168.31.0 255.255.255.0
   default-router 192.168.31.1
   dns-server 8.8.8.8
   lease 0 0 30
!
!
ip domain name Router.com
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
!

!
voice-card 0

!
!

archive
 log config
  hidekeys
!
!
ip ssh version 2
!
class-map match-any ftp
 match protocol ftp
 match protocol secure-ftp
class-map match-any voice
 match protocol h323
 match protocol mgcp
 match protocol sip
 match protocol rtcp
 match protocol rtp
!
!
policy-map ftp-policy
 class ftp
policy-map voice-policy
 class voice
  set ip dscp ef
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.1
 description CONNECTION_TO_ISP1
 encapsulation dot1Q 101
 ip address 192.168.40.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.2
 description CONNECTION_TO_ISP2
 encapsulation dot1Q 201
 ip address 116.X.X.243 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip policy route-map asterik
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.301
 description CONNECTION_TO_INTERNAL_NETWORK
 encapsulation dot1Q 301
 ip address 192.168.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map asterik
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.40.1
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map ISP 1 interface GigabitEthernet0/0.2 overload
ip nat inside source route-map ISP 2 interface GigabitEthernet0/0.1 overload
!
access-list 101 permit ip 192.168.41.0 0.0.0.255 any
access-list 150 permit ip any host 145.77.X.X

!
route-map ISP 2 permit 10
 match ip address 101
 match interface GigabitEthernet0/0.1
!
route-map ftp permit 10
 match policy-list ftp-policy
 set ip next-hop 182.176.X.X
!
route-map ISP 1 permit 10
 match ip address 101
 match interface GigabitEthernet0/0.2
!
route-map asterik permit 10
 match ip address 150
 set ip next-hop 116.X.X.241


Sorry, that was vlan 301, not 300.

I did try to configure PBR but I am facing an issue: if ISP 2 goes down, destination-based traffic to ISP 2 also stops routing, whereas if both ISPs are up traffic is routing as it should be.


Hello,

There are multiple issues with the configuration you have posted. The NAT cannot work because the access list 101 does not specify an existing inside subnet. The ftp route map is not applied anywhere. The next hops specified in the route maps do not match any IP address space on any existing interface. The policy map (what is that for) is not applied anywhere with a service policy. In short, it is hard to figure out what you want to accomplish and how to fix your configuration: can you post a schematic drawing including IP addresses?

Hello,

 

I have made some changes to your configuration, implement those and test:

 

ip dhcp excluded-address 192.168.31.1
!
ip dhcp pool dhcp
network 192.168.31.0 255.255.255.0
default-router 192.168.31.1
dns-server 8.8.8.8
lease 0 0 30
!
interface GigabitEthernet0/0.1
description CONNECTION_TO_ISP1
encapsulation dot1Q 101
ip address 192.168.40.2 255.255.255.0
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0.2
description CONNECTION_TO_ISP2
encapsulation dot1Q 201
ip address 116.X.X.243 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/1.301
description CONNECTION_TO_INTERNAL_NETWORK
encapsulation dot1Q 301
ip address 192.168.31.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map ISP_1 interface GigabitEthernet0/0.2 overload
ip nat inside source route-map ISP_2 interface GigabitEthernet0/0.1 overload
!
access-list 101 permit ip 192.168.31.0 0.0.0.255 any
access-list 102 permit tcp 192.168.31.0 0.0.0.255 host 145.77.1.1 eq ftp
!
route-map ISP_1 permit 10
match ip address 101
match interface GigabitEthernet0/0.2
!
route-map ISP_2 permit 10
match ip address 101
match interface GigabitEthernet0/0.1
!
route-map PBR permit 10
match ip address 102
set ip next-hop 192.168.40.1
!
route-map PBR permit 20
match ip address 101
set ip next-hop 116.1.1.244
!
route-map PBR permit 30
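
The symptom reported in the thread (policy-routed traffic stops when the ISP behind a set ip next-hop address goes down) is what next-hop tracking addresses. The following is an added example, not part of any reply above: it combines IP SLA probes, a tracked default route and a PBR route map for the stated requirement. It assumes 192.168.40.1 (from the posted default route) and 116.X.X.241 (from the posted route map) are the ISP 1 and ISP 2 gateways, an IOS release that accepts the ip sla / track ... ip sla syntax, and object names (PBR-LAN, FTP-TO-DEST, ALL-TO-DEST, LAN, NAT-ISP1, NAT-ISP2) that are made up here.

```cisco
! Added example, not from the thread. Masked addresses (X) are kept as posted.
! Probe each ISP gateway: the sub-interfaces stay up when an ISP fails
! because they only connect to the 3750, so link state alone shows nothing.
ip sla 1
 icmp-echo 192.168.40.1 source-interface GigabitEthernet0/0.1
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 116.X.X.241 source-interface GigabitEthernet0/0.2
 frequency 5
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Default path is ISP 2 while its probe succeeds; ISP 1 is the floating backup.
ip route 0.0.0.0 0.0.0.0 116.X.X.241 track 2
ip route 0.0.0.0 0.0.0.0 192.168.40.1 250
!
! FTP control (21) and active-mode data (20). Passive-mode data uses
! negotiated ports and is not matched by these lines.
ip access-list extended FTP-TO-DEST
 permit tcp 192.168.31.0 0.0.0.255 host 145.77.X.X eq ftp
 permit tcp 192.168.31.0 0.0.0.255 host 145.77.X.X eq ftp-data
ip access-list extended ALL-TO-DEST
 permit ip 192.168.31.0 0.0.0.255 host 145.77.X.X
!
! A deny clause exempts the match from PBR, so FTP follows the default route.
route-map PBR-LAN deny 10
 match ip address FTP-TO-DEST
! Other traffic to 145.77.X.X uses ISP 1 only while track 1 is up; otherwise
! the set is skipped and the routing table (ISP 2) decides.
route-map PBR-LAN permit 20
 match ip address ALL-TO-DEST
 set ip next-hop verify-availability 192.168.40.1 10 track 1
!
interface GigabitEthernet0/1.301
 ip policy route-map PBR-LAN
!
! NAT per egress interface, so the source address matches the chosen ISP.
ip access-list standard LAN
 permit 192.168.31.0 0.0.0.255
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.1
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface GigabitEthernet0/0.2
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/0.1 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/0.2 overload
```

Probing the directly connected gateway only detects a failure on that hop; a probe target further inside each ISP catches upstream outages, at the cost of a host route to pin the probe to the right link.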
