05-13-2014 06:58 AM - edited 03-04-2019 10:58 PM
Hi all. I have 2 ISPs: the 1st ISP provides a static IP and the 2nd ISP provides a dynamic IP. I want to set up the router so that all HTTP, HTTPS, SMTP and POP traffic goes through the 2nd ISP and the remaining traffic goes through the 1st ISP. If the 2nd ISP goes down, then HTTP, HTTPS, SMTP and POP should go through the 1st ISP.
Thanks,
05-13-2014 07:42 AM
Hi,
This can be achieved using the following combination, with IP SLA commands.
Differing Next Hops
The following example illustrates how to route traffic for different destination ports to different places (next hops). Packets destined for ports HTTP, HTTPS, POP and SMTP are sent to the next hop at 3.3.3.3; packets with any other destination port are sent to the next hop at 3.3.3.5.
!
interface fastethernet 3/1
 ip policy route-map Texas
!
route-map Texas permit 10
 match ip address test
 ! without IP SLA: unconditional next hop
 set ip next-hop 3.3.3.3
 ! if you use IP SLA: tracked next hops, tried in sequence order;
 ! track 123 and 124 must be defined (see the URL below)
 set ip next-hop verify-availability 3.3.3.3 10 track 123
 set ip next-hop verify-availability 3.3.3.5 20 track 124
( look into the URL for the IP SLA configuration )
http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/48003-pbrtracking.html
!
route-map Texas permit 20
 match ip address test2
 set ip next-hop 3.3.3.5
 ! if you use IP SLA
 set ip next-hop verify-availability 3.3.3.5 10 track 124
 set ip next-hop verify-availability 3.3.3.3 20 track 123
!
! web and mail ports; 995 is POP3 over TLS (pop3s), plain POP3 is tcp/110
ip access-list extended test
 permit tcp any any eq www
 permit tcp any any eq https
 permit tcp any any eq 25
 permit tcp any any eq 995
 deny   tcp any any
!
! all other TCP; non-TCP traffic matches neither ACL and follows the routing table
ip access-list extended test2
 deny   tcp any any eq www
 deny   tcp any any eq https
 deny   tcp any any eq 25
 deny   tcp any any eq 995
 permit tcp any any
HTH
Sandy.
05-14-2014 08:47 AM
Hi,
Please see the following config. If I allow 80 on the 1st ISP (Fa 0/0/0) then browsing works, but it does not work on the 2nd ISP (Fa 0/0/1).
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.3
 description Voice-Vlan
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.4
 description Servers-&-Switches-Vlan
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.5
 description NCS-Vlan
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ! PBR is applied only here; VLANs 3 and 4 follow the routing table
 ip policy route-map PBR
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet0/0/0
 description "Nexlinx Fiber Link 2Mbps"
 ip address 116.58.63.34 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
! HTTP management is enabled on a router that has a public address and no
! inbound filter anywhere in this config
ip http server
no ip http secure-server
!
! NAT is keyed on the same port ACLs as the PBR, so traffic that leaves an
! interface its route-map does not expect (web via Fa0/0/0 while PTCL is
! down) is never translated
ip nat inside source route-map Nexlinx-nat interface FastEthernet0/0/0 overload
ip nat inside source route-map PTCL-nat interface FastEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 116.58.63.33 track 10
!
ip access-list extended acl_Nexlinx
 deny   tcp any any eq www
 deny   tcp any any eq 443
 deny   tcp any any eq smtp
 deny   tcp any any eq 995
 permit tcp any any
ip access-list extended acl_PTCL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 995
 deny   tcp any any
!
ip sla 1
 icmp-echo 116.58.63.33 source-interface FastEthernet0/0/0
 threshold 500
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.1 source-interface FastEthernet0/0/1
 threshold 500
 timeout 500
 frequency 3
! missing from the post: without a schedule, sla 2 never runs and track 20
! stays down
ip sla schedule 2 life forever start-time now
!
route-map Nexlinx-nat permit 10
 match ip address acl_Nexlinx
 match interface FastEthernet0/0/0
!
! track 10 follows the Nexlinx gateway and track 20 the PTCL gateway; the
! post paired each next hop with the other ISP's track, so a PTCL outage
! would not have moved web traffic off 192.168.1.1 (corrected here)
route-map PBR permit 10
 match ip address acl_PTCL
 set ip next-hop verify-availability 192.168.1.1 10 track 20
 set ip next-hop verify-availability 116.58.63.33 20 track 10
!
route-map PBR permit 20
 match ip address acl_Nexlinx
 set ip next-hop verify-availability 116.58.63.33 10 track 10
 set ip next-hop verify-availability 192.168.1.1 20 track 20
 ! untracked fallback, used only if both tracked next hops are down
 set ip next-hop 116.58.63.33
!
route-map PTCL-nat permit 20
 match ip address acl_PTCL
 match interface FastEthernet0/0/1
05-14-2014 10:14 AM
Hi,
Write a separate ACL for NAT allowing everything:
access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
access-list 7 permit 192.168.5.0 0.0.0.255
ip nat inside source list 7 interface FastEthernet0/0/0 overload
ip nat inside source list 7 interface FastEthernet0/0/1 overload
Similarly, perform testing by bringing down your primary link.
Kindly let me know once you are done.
HTH
sandy
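Added here as an editor's example, not the thread's own configuration: the two accepted-solution posts above (the tracked-next-hop route map, whose track objects were left to the linked Cisco document, and the single NAT ACL) combined with the OP's interfaces and addresses into one complete dual-ISP configuration. It assumes the PTCL gateway handed out by DHCP is 192.168.1.1 as in the OP's post, and that the two ISP gateways are acceptable probe targets (a target beyond the first hop, such as an ISP DNS server, catches more failures; that choice is an assumption, not something the thread specifies). Each next hop is paired with the track object of its own ISP, which is the ordering the OP's post had reversed.

```cisco
! --- reachability probes, one per ISP, both scheduled ---
ip sla 1
 icmp-echo 116.58.63.33 source-interface FastEthernet0/0/0
 threshold 500
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.1 source-interface FastEthernet0/0/1
 threshold 500
 timeout 500
 frequency 3
ip sla schedule 2 life forever start-time now
!
! track 10 = Nexlinx gateway (Fa0/0/0), track 20 = PTCL gateway (Fa0/0/1)
track 10 ip sla 1 reachability
 delay down 1 up 1
track 20 ip sla 2 reachability
 delay down 1 up 1
!
! --- classification: web and mail prefer PTCL, everything else TCP prefers
! Nexlinx; non-TCP traffic matches neither ACL and uses the routing table,
! whose tracked default below already fails over ---
ip access-list extended acl_PTCL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 995
ip access-list extended acl_Nexlinx
 deny   tcp any any eq www
 deny   tcp any any eq 443
 deny   tcp any any eq smtp
 deny   tcp any any eq 995
 permit tcp any any
!
! --- PBR: next hops tried in sequence order, each gated by ITS OWN ISP's
! track; if both are down the packet falls back to the routing table ---
route-map PBR permit 10
 match ip address acl_PTCL
 set ip next-hop verify-availability 192.168.1.1 10 track 20
 set ip next-hop verify-availability 116.58.63.33 20 track 10
route-map PBR permit 20
 match ip address acl_Nexlinx
 set ip next-hop verify-availability 116.58.63.33 10 track 10
 set ip next-hop verify-availability 192.168.1.1 20 track 20
!
! apply to every inside VLAN, not only the NCS VLAN
interface GigabitEthernet0/0.3
 ip policy route-map PBR
interface GigabitEthernet0/0.4
 ip policy route-map PBR
interface GigabitEthernet0/0.5
 ip policy route-map PBR
!
! --- NAT: one source list, one overload statement per outside interface;
! the translation is chosen by the interface the packet actually leaves,
! so failover no longer depends on port ACLs ---
access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
access-list 7 permit 192.168.5.0 0.0.0.255
ip nat inside source list 7 interface FastEthernet0/0/0 overload
ip nat inside source list 7 interface FastEthernet0/0/1 overload
!
! default route for traffic PBR does not touch; the PTCL default learned
! via DHCP (administrative distance 254) takes over when track 10 is down
ip route 0.0.0.0 0.0.0.0 116.58.63.33 track 10
!
! --- verification after a failover test (pull the PTCL cable) ---
! show track            -> track 20 should read "Reachability is Down"
! show ip sla statistics 2
! show route-map PBR    -> policy routing matches increment on seq 10
! show ip nat translations | include :80
```

After the test, `show ip nat translations` should show the web sessions translated to 116.58.63.34 (the Fa0/0/0 address) rather than the PTCL address, and `show track` should return both objects to Up once the cable is back and the `delay up 1` timer has expired.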
05-14-2014 10:37 AM
Hi Sandy,
WOW, it's working now. But I could not understand how the separate ACL affected this problem. Can you please give me a teeny weeny bit of info on this :)
05-14-2014 10:49 AM
Hi ,
Look into the post below for more understanding.
short about route-map & ACL
HTH
Sandy
please make sure to rate all helpful posts.
05-14-2014 10:53 AM
Thanks Sandy for your kind support.
05-14-2014 11:01 AM
I cannot access (telnet) the router through the public IP. Is an ACL blocking it? I don't see one.
05-15-2014 07:13 AM
Hi ,
Share your line vty output with me.
HTH
Sandy
05-16-2014 01:58 PM
line vty 0 4
 no login
 transport input telnet
 transport output none
05-17-2014 05:10 AM
Hi ,
I don't see a password in your line vty configuration. Have you enabled aaa new-model along with a username and password? If not, configure a password on your line vty.
Meanwhile, check whether you have configured any ACL on the interface through which you are trying to access the router.
HTH
Sandy
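Added example, not from the thread: what Sandy's advice looks like as configuration, together with the changes a security engineer would make at the same time. The posted `line vty` has `no login` and `transport input telnet`, so any host that can reach a VTY on any interface, the public one included, gets an exec session without credentials, and the credentials that telnet would carry travel in clear text. The username, hostname, domain name and ACL name below are placeholders, the password must be replaced, and the permitted ranges are the OP's three inside VLANs.

```cisco
! local account with a hashed secret ('secret' selects the strongest hash
! the image supports); 'admin' is a placeholder name
username admin privilege 15 secret REPLACE-WITH-A-LONG-PASSPHRASE
!
! SSH needs a hostname, a domain name and an RSA key pair; allow only v2
hostname rtr-edge
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
!
! only the inside VLANs may open a management session; denied attempts
! from the WAN side are logged so probes become visible
ip access-list standard MGMT_ACCESS
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT_ACCESS in
 login local
 transport input ssh
 transport output none
 exec-timeout 10 0
!
! the posted config also left the HTTP management server on; turn it off
! unless it is needed, and then restrict it with 'ip http access-class'
no ip http server
no ip http secure-server
```

Test it from a LAN host with `ssh admin@192.168.5.1` before closing the existing session, then confirm from the outside that the public address no longer answers on tcp/23 or tcp/80; `show ip access-lists MGMT_ACCESS` shows the counters of any blocked attempts.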
05-17-2014 05:17 AM
No, I did not enable aaa new-model on it. I don't have any extra ACL except those shown above in my config.
05-17-2014 05:26 AM
Hi ,
Which IP address are you trying to telnet to? LAN IP or WAN IP?
It looks like NAT is not allowing login into the router.
Try to telnet to the LAN IP address and let me know if it works.
HTH
Sandy
05-17-2014 05:51 AM
I can telnet through the LAN, but I cannot telnet to the WAN IP.
05-17-2014 08:07 AM
Thanks. It is working now. Can you please tell me how I can block all torrent software and some websites like Facebook, YouTube, etc. on a Cisco router?