1 LAN, two ISPs

riley.porter
Level 1

We're needing to run a testbed with a new ISP, but only want to do it for a certain amount of PCs AND without disturbing the existing LAN/WAN. How can I effectively "split" the traffic without reconfiguring our entire network? The testbed PCs will still need LAN access, but I want to shove all of the testbed web traffic out to the new ISP.

Current setup is:

PC-->Core (3650)-->Firewall1-->Router1 (1811)-->ISP1

Right now, the Core's default gateway is firewall1.

I have another firewall and router to use for the new ISP.

I need it to look similar to this:

                   Firewall 1 ---> Router 1 ---> ISP 1
PC ---> Core ---<
                   Firewall 2 ---> Router 2 ---> ISP 2

I can think of a bunch of oddball ACL setups that could possibly work, but I know there is probably a better way to set this up. In my scribblings, I've come up with this very-simplistic interpretation:

                                              Internal traffic routed back to Core ---v
PC ---> New VLAN on Core ---> Router 2 subinterface ---<
                                              External traffic out to new firewall ---> ISP 2

With, obviously, various ACLs set up. Anyone else have a better/more efficient idea?

8 Replies

Renan Abreu
Cisco Employee

Are those 2 different ISPs?

You want to load-balance taking into consideration source IPs?

That would be easier for destination IPs, but for source ones I believe PBR would save your problems.

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

PBR was also something that came to mind, but I don't have too much experience with it (yet). And yes, they are two separate ISPs. I don't want to load-balance, however. I just want to allow, say VLAN 10, to go out the new ISP and the rest of the LAN to continue on the existing ISP. I'm definitely going to look at PBR and see if it's my most viable solution, thanks!

cadet alain
VIP Alumni

Hi,

If I understand correctly what you want to achieve, that is, some PCs need outside connectivity through the second ISP (so the second firewall) and the others continue to use the existing gateway (your firewall going to ISP1), then just allocate a different default gateway (firewall) to some PCs via DHCP.

Regards

Alain

Don't forget to rate helpful posts.

What I suggest:

You can split your IP subnet, half for ISP1 and half for ISP2.

On Core:

Create two access lists:

Acl1 for subnet 1

Acl2 for subnet 2

Create a route map:

route-map Route-Traffic permit 10
 match ip address Acl1
 set ip next-hop (FW1)

route-map Route-Traffic permit 20
 match ip address Acl2
 set ip next-hop (FW2)

Apply that route map to the Core VLAN:

interface Vlan1
 ip policy route-map Route-Traffic

Jawad

This would work if we didn't have the entire core defaulted to the primary firewall and I didn't have to have these "testbed" PCs still get internal access. If it was a straight shot to the internet, then it wouldn't be a problem.
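Jawad's route map and the objection above (the testbed PCs must keep reaching the rest of the LAN) can be reconciled in the ACL the route map matches: in a route map, an ACL "deny" does not drop the packet, it only means the clause does not match, so the packet falls through to the core's normal routing table. Denying testbed-to-internal first and permitting testbed-to-anything last therefore policy-routes only internet-bound traffic to Firewall 2. The script below is an added example written for this page, not configuration from the thread or from Cisco: it renders that IOS configuration and dry-runs its matching logic offline. The addressing is constructed: VLAN 15 = 10.15.0.0/16 (the VLAN the original poster mentions), 10.0.0.0/8 standing in for "the rest of the LAN", and 10.2.124.119 as a placeholder for Firewall 2's inside interface.

```python
"""Added example: build a Catalyst PBR configuration and dry-run its match logic.

Constructed assumptions (not the thread's real addressing):
  - testbed VLAN 15 = 10.15.0.0/16
  - everything else on the LAN lives inside 10.0.0.0/8
  - Firewall 2's inside interface is 10.2.124.119 (placeholder next hop)
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

TESTBED_VLAN = 15
TESTBED_SUBNET = ip_network("10.15.0.0/16")
INTERNAL_SUBNETS = [ip_network("10.0.0.0/8")]
FW2_NEXT_HOP = "10.2.124.119"          # placeholder, constructed for this example
ACL_NAME = "TESTBED-TO-ISP2"           # assumed ACL name
ROUTE_MAP = "Route-Traffic"            # route-map name from Jawad's post

# One ordered extended-ACL entry: (action, source network, destination network)
AclEntry = Tuple[str, IPv4Network, IPv4Network]


def build_acl_entries(testbed: IPv4Network, internal: List[IPv4Network]) -> List[AclEntry]:
    """Deny testbed->internal first, then permit testbed->anything.

    Inside a route-map an ACL 'deny' is not a drop: the clause simply does not
    match and the packet falls through to the normal routing table, so LAN
    access keeps working.  Only the final 'permit' selects internet-bound
    packets for policy routing towards Firewall 2.
    """
    entries: List[AclEntry] = [("deny", testbed, net) for net in internal]
    entries.append(("permit", testbed, ip_network("0.0.0.0/0")))
    return entries


def ace_text(entry: AclEntry) -> str:
    """Render one entry in IOS extended-ACL syntax (wildcard masks, 'any' for 0/0)."""
    action, src, dst = entry

    def part(net: IPv4Network) -> str:
        return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"

    return f" {action} ip {part(src)} {part(dst)}"


def build_pbr_config(vlan: int = TESTBED_VLAN, testbed: IPv4Network = TESTBED_SUBNET,
                     internal: List[IPv4Network] = INTERNAL_SUBNETS,
                     next_hop: str = FW2_NEXT_HOP) -> str:
    """Return the ACL, route-map and SVI configuration as IOS CLI text."""
    lines = [f"ip access-list extended {ACL_NAME}",
             " remark deny = stay on normal routing, permit = policy-route to ISP2 firewall"]
    lines += [ace_text(e) for e in build_acl_entries(testbed, internal)]
    lines += ["!",
              f"route-map {ROUTE_MAP} permit 10",
              f" match ip address {ACL_NAME}",
              f" set ip next-hop {next_hop}",
              "!",
              f"interface Vlan{vlan}",
              f" ip policy route-map {ROUTE_MAP}"]   # applies to packets received on the SVI
    return "\n".join(lines)


def policy_next_hop(src: str, dst: str, entries: Optional[List[AclEntry]] = None,
                    next_hop: str = FW2_NEXT_HOP) -> Optional[str]:
    """Dry-run the route-map for one packet arriving on the testbed SVI.

    Returns the forced next hop, or None when normal routing applies.
    """
    if entries is None:
        entries = build_acl_entries(TESTBED_SUBNET, INTERNAL_SUBNETS)
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in entries:       # first matching entry wins, as in IOS
        if s in src_net and d in dst_net:
            return next_hop if action == "permit" else None
    return None                                     # implicit deny: normal routing


if __name__ == "__main__":
    print(build_pbr_config())
    for src, dst in [("10.15.1.20", "203.0.113.10"),   # testbed host -> internet
                     ("10.15.1.20", "10.20.5.5"),      # testbed host -> rest of LAN
                     ("10.20.1.1", "203.0.113.10")]:   # non-testbed host -> internet
        print(f"{src} -> {dst}: {policy_next_hop(src, dst) or 'normal routing'}")
```

Because `ip policy route-map` acts on packets received on that SVI, only traffic entering the core from VLAN 15 is evaluated; every other VLAN keeps following the existing default route to Firewall 1, and nothing in the rest of the network has to change. On the switch, `show route-map Route-Traffic` shows the per-clause match counters, which is the quickest way to confirm that internet-bound testbed packets are being policy-routed while intra-LAN ones are not. PBR on Catalyst platforms requires IP routing to be enabled and is subject to the platform's licence and SDM template, so check that on the 3650 before relying on this.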

Still have this problem?

How are your firewalls configured?

If they are in active/standby and the traffic needs to pass through them, I don't think you're gonna achieve what you want without manipulating the router facing ISP.

You have many possibilities there, you should evaluate the one you like the most.

How are you receiving routes? BGP? Who will indeed be your edge device against the ISP? Will it be the two routers?

will it be the same router?

Other (broken) things came up that took me away from this project, so I haven't had time to test it out yet. But, thinking about it yesterday and talking with others, I'm wondering if we could get away with either the ACLs/route map that Jawad mentioned or by tricking the core with an extra route statement, similar to ip route 10.15.0.0 255.255.0.0 10.2.124.119 1 . But, will that work when I have that VLAN 15 (10.15.0.0/16) already created on the Core?

I'm hoping today will be slow enough to do some testing on secondary hardware.

Sure, what he did was to create a PBR.

It will work IF the firewalls are not in standby/active; you need to have firewalls separate from each other, or at least a different context in one of them for internet access.

If all firewall-facing router interfaces are L3, I would apply the PBR on the outgoing interface; this way, you would not need to send traffic to the RP (L3) processor every time you have intra-VLAN communication.
