Range of ip address on different WANs, source ip routing ? [cisco 891]

liteultom
Level 1

Hello all !

 

Here I come again asking for help ! :)

Here is the goal: I want one set of computers to use one WAN and another set to use the other WAN, based on the IP range.

I use a Cisco 891 router. FastEthernet0 is one WAN, GigabitEthernet8 is the other WAN, and GigabitEthernet0 to 7 are the 8 switch ports of the router.

As of now, I have my two internet accesses working fine; each one of them is plugged into one WAN port of my router. I have no problem having all of my computers use one WAN or the other, or even load balancing between them, but what I want is to fix some computers to use one internet access and the other computers to use the other internet access.

I don't know how to do that. I was looking into routing by source IP, but I don't really know how to do it. I saw something about Policy Based Routing, but I can only apply these policies to incoming packets, and I don't seem to be able to apply them to one of the switch ports of the router. I would need to use one of the WAN ports to plug my incoming LAN in, but then I would not have enough WAN ports for both of my internet connections.

 

Gateway of internet connection #1 is 172.26.2.254

Gateway of connection #2 is 192.168.1.254

Here is my current config:
I understand why I have a poor connection with this config, since it is load balancing between the two default routes and sending only to one of my two WANs depending on the IP, but I don't know what to do to tell precisely range of IP #1 to go there and range of IP #2 to go here.

 

Cisco891(config)#do sh run
Building configuration...

Current configuration : 3833 bytes
!
! Last configuration change at 15:11:43 UTC Tue Oct 20 2015 by ***********
! NVRAM config last updated at 14:58:11 UTC Tue Oct 20 2015 by ***************
! NVRAM config last updated at 14:58:11 UTC Tue Oct 20 2015 by **************
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco891
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 ************************/
enable password ************************
!
no aaa new-model
!
!
!
!
!
!

!
ip dhcp excluded-address 172.26.1.1 172.26.1.49
ip dhcp excluded-address 172.26.1.100 172.26.1.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.100 10.10.20.254
!
ip dhcp pool vlan1pool
 network 172.26.1.0 255.255.255.0
 default-router 172.26.1.254
 dns-server 208.67.222.222 208.67.220.220
!
!
!
ip domain name lnc360.fr
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn *******************************
!
!
username ******************** privilege 15 secret *************************************
!
!
!
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4
 switchport mode trunk
 no ip address
!
interface GigabitEthernet5
 switchport mode trunk
 no ip address
!
interface GigabitEthernet6
 switchport mode trunk
 no ip address
!
interface GigabitEthernet7
 switchport mode trunk
 no ip address
!
interface GigabitEthernet8
 ip address 172.26.2.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.26.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list LAN_PCs interface GigabitEthernet8 overload
ip nat inside source list LAN_servers interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 172.26.2.254
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip access-list extended LAN_PCs
 deny   ip 172.26.1.0 0.0.0.31 any
 deny   ip 172.26.1.112 0.0.0.15 any
 deny   ip 172.26.1.240 0.0.0.15 any
 permit ip 172.26.1.0 0.0.0.255 any
ip access-list extended LAN_servers
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 172.26.1.0 0.0.0.31 any
 permit ip 172.26.1.112 0.0.0.15 any
 permit ip 172.26.1.240 0.0.0.15 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 password 7 ******************************************
 login local
 transport input ssh
 transport output ssh
line vty 5 15
 password 7 ***********************************************
 login local
 transport input telnet
 transport output telnet
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 0.europe.pool.ntp.org
!
end

 

Thanks !

Accepted Solutions

Hello

 

Apply the PBR policy on the SVIs of the VLANs

int vlan 1
ip policy route-map PBR

int vlan 2
ip policy route-map PBR

res

Paul
 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Damn, I did not think to apply the policy to the VLAN!

I have something working now but I like your solution better, I will try it this afternoon! Thanks!

It works! Thanks a lot :D (conf file below)

 

The following conf file makes things work this way:

  • I have two internet accesses (gateways 192.168.0.254 and 192.168.1.254).
  • Each internet access box is plugged into one WAN port (192.168.0.254 on GigabitEthernet 8 and 192.168.1.254 on FastEthernet 0).
  • Ports GigabitEthernet 0 to 7 are switch ports of the router, not WAN
  • I have 2 external switches plugged together and then one of them plugged into one switch port (GigabitEthernet7) of the router. This is a router-on-a-stick configuration.
  • I have two VLANs (10.10.10.0/24 and 172.26.1.0/24).
  • DHCP on VLAN 1 is defined on the router, DHCP on VLAN 2 is an external machine in this VLAN
  • Both VLANs can access the internet
  • VLAN 1 and 2 can communicate with each other
  • All the machines in VLAN 2 (10.10.10.0/24) access the internet through 192.168.1.254
  • Machines in VLAN 1 with an IP in the following ranges access the internet through 192.168.0.254:
    • 172.26.1.31 to 172.26.1.112
    • 172.26.1.127 to 172.26.1.240
  • Other machines (IP not belonging to the previous ranges) in VLAN 1 access the internet through 192.168.1.254

 

 

Conf file:

Current configuration : 3973 bytes
!
! Last configuration change at 12:14:03 UTC Wed Oct 21 2015 by **************
! NVRAM config last updated at 12:07:01 UTC Wed Oct 21 2015 by ***************
! NVRAM config last updated at 12:07:01 UTC Wed Oct 21 2015 by ******************
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco891
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret *******************************************
enable password ************************************************
!
no aaa new-model
!
!
!
!
!
!

!
ip dhcp excluded-address 172.26.1.1 172.26.1.49
ip dhcp excluded-address 172.26.1.100 172.26.1.254
!
ip dhcp pool vlan1pool
 network 172.26.1.0 255.255.255.0
 default-router 172.26.1.254
 dns-server 208.67.222.222 208.67.220.220
!
!
!
ip domain name lnc360.fr
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn ************************************
!
!
username *************************** privilege 15 secret **********************************
!
!
!
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2
 switchport mode trunk
 no ip address
!
interface GigabitEthernet3
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4
 switchport mode trunk
 no ip address
!
interface GigabitEthernet5
 switchport mode trunk
 no ip address
!
interface GigabitEthernet6
 switchport mode trunk
 no ip address
!
interface GigabitEthernet7
 switchport mode trunk
 no ip address
!
interface GigabitEthernet8
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 172.26.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PCs_ROUTE
!
interface Vlan2
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list LAN_PCs interface GigabitEthernet8 overload
ip nat inside source list LAN_servers interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
ip access-list extended LAN_PCs
 deny   ip 172.26.1.0 0.0.0.31 any
 deny   ip 172.26.1.112 0.0.0.15 any
 deny   ip 172.26.1.240 0.0.0.15 any
 permit ip 172.26.1.0 0.0.0.255 any
ip access-list extended LAN_servers
 permit ip 10.10.10.0 0.0.0.255 any
 permit ip 172.26.1.0 0.0.0.31 any
 permit ip 172.26.1.112 0.0.0.15 any
 permit ip 172.26.1.240 0.0.0.15 any
ip access-list extended vlan1_to_vlan2
 permit ip 172.26.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
route-map PCs_ROUTE permit 10
 match ip address vlan1_to_vlan2
!
route-map PCs_ROUTE permit 20
 match ip address LAN_PCs
 set ip next-hop 192.168.0.254
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 15
 password 7 *********************
 login local
 transport input ssh
 transport output ssh
line vty 5 15
 password 7 ****************************************
 login local
 transport input telnet
 transport output telnet
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 0.europe.pool.ntp.org
!
end
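
An added example (not part of the thread or the poster's config): a small Python model of how the posted route-map PCs_ROUTE and its ACLs pick the egress for traffic entering Vlan1, useful for checking wildcard-mask boundaries before a policy is applied. The function names and data structures are assumptions made for illustration; it assumes first-match ACL semantics and that unmatched traffic to a non-local destination follows the default route.

```python
import ipaddress

# ACLs and route-map transcribed from the posted config into constructed structures.
ACLS = {
    "vlan1_to_vlan2": [("permit", "172.26.1.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")],
    "LAN_PCs": [
        ("deny", "172.26.1.0", "0.0.0.31", "any", None),
        ("deny", "172.26.1.112", "0.0.0.15", "any", None),
        ("deny", "172.26.1.240", "0.0.0.15", "any", None),
        ("permit", "172.26.1.0", "0.0.0.255", "any", None),
    ],
}
# (sequence, ACL name, next hop); None means the clause has no "set" statement.
ROUTE_MAP = [(10, "vlan1_to_vlan2", None), (20, "LAN_PCs", "192.168.0.254")]
DEFAULT_GW = "192.168.1.254"  # ip route 0.0.0.0 0.0.0.0 192.168.1.254

def wild_match(ip, net, wild):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    if net == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return to_int(ip) & care == to_int(net) & care

def acl_permits(name, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, s_net, s_wild, d_net, d_wild in ACLS[name]:
        if wild_match(src, s_net, s_wild) and wild_match(dst, d_net, d_wild):
            return action == "permit"
    return False

def next_hop(src, dst):
    """Return (next hop, matching sequence) for a packet entering Vlan1."""
    for seq, acl, hop in ROUTE_MAP:
        if acl_permits(acl, src, dst):
            return (hop or "routing table", seq)
    return (DEFAULT_GW, None)  # no clause matched: normal forwarding

def pbr_ranges(dst="208.67.222.222"):
    """Contiguous 172.26.1.x host ranges policy-routed to 192.168.0.254."""
    hosts = [h for h in range(256) if next_hop(f"172.26.1.{h}", dst)[0] == "192.168.0.254"]
    ranges = []
    for h in hosts:
        if ranges and ranges[-1][1] == h - 1:
            ranges[-1][1] = h
        else:
            ranges.append([h, h])
    return [tuple(r) for r in ranges]
```

With the posted masks, `pbr_ranges()` gives hosts .32 to .111 and .128 to .239 as the ones sent to 192.168.0.254; every other Vlan1 host falls through to the default route.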