01-01-2015 12:06 PM - edited 03-07-2019 10:03 PM
I'm looking to set up a dual-ISP setup on a 3750 Layer 3 switch. One of the ISPs terminates directly into the 3750 on a VLAN, and the other ISP will be behind two routers running HSRP and terminates into an ASA on the other side. I'm looking for an option that wouldn't need routing based on subnet but rather percentages of traffic, if that's possible. I've not tried to do anything like this before, so I'm unsure of what would work exactly.
Thanks for your time
01-01-2015 01:19 PM
I find the explanation a bit confusing, especially the relationship of the 3750 with the dual router HSRP, ASA, and ISP. Perhaps you could provide some clarification?
For routing based on percentages it seems you might need something like Performance Based Routing, but I am not sure that this runs on 3750.
HTH
Rick
01-03-2015 06:55 AM
Sorry, yeah, I mentioned the HSRP in case it might be relevant to the setup, but it appears it's not. I set it up using route maps and IP SLA. I'm tagging only outbound WWW traffic and making it go out of the other ISP. I'll update on whether this works for what we need.
Am I essentially doing Performance Based Routing by doing it this way? Or is there a better way to try and accomplish this? The normal default route for this network is to 172.16.1.1.
Config:
Layer 3/3750
! tracked object follows the IP SLA probe; state changes are dampened (10 s down, 15 s up)
track 10 ip sla 1 reachability
 delay down 10 up 15
!
interface Vlan2
 ip policy route-map TEST
!
! ICMP probe to the 3800's inside address
ip sla 1
 icmp-echo 10.100.100.3
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
!
access-list 151 permit tcp any any eq www
!
! outbound HTTP is policy-routed to the 3800 only while track 10 is up;
! otherwise it follows the normal routing table
route-map TEST permit 10
 match ip address 151
 set ip next-hop verify-availability 10.100.100.3 1 track 10

3800 Router/10.100.100.3
track 10 ip sla 1 reachability
 delay down 10 up 15
!
interface GigabitEthernet0/0.2004
 encapsulation dot1Q 2004
 ip address X.X.X.X X.X.X.X
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.100
 ip nat inside
 ip policy route-map TEST
!
ip nat inside source list 1 interface GigabitEthernet0/0.2004 overload
access-list 1 permit any
!
ip sla 1
 icmp-echo X.X.X.X
 frequency 5000
ip sla schedule 1 life forever start-time now
!
access-list 150 permit tcp any any eq www
!
! 'default next-hop' only applies when no explicit route exists for the destination;
! the ISP hop is tried first, 172.16.1.1 second
route-map TEST permit 10
 match ip address 150
 set ip default next-hop X.X.X.X 172.16.1.1
01-03-2015 08:05 AM
What you are doing is not Performance Routing but is Policy Based Routing. I am a bit confused about what you are doing. In the most recent post you tell us that "The normal default route for this network is to 172.16.1.1" but in the PBR route map on the router that is the address that you are setting. In my experience PBR usually sets the next hop or default next hop to something different from the default. So I am confused about what you are trying to accomplish.
HTH
Rick
01-03-2015 09:24 AM
No. The reason I have it set up this way is that when the packet comes through, it comes through the 3750 and then, since HSRP is set up on the 3800 and another 2800, it picks the next hop. I set up the route map in the 3750 to point only at the 3800 as primary and then the HSRP address as the failover. Then, now that the packet is in the 3800, I have it matching the ACL and NATing it out of the public IP that's directly connected. I X'd out the public IP, and the secondary IP of 172.16.1.1 is the failover. Sorry for the confusion; hope this clarifies.
01-03-2015 12:32 PM
You could create two IPSLA tracked objects, one for each ISP; then add one static 0/0 route to ISP A, dependent on A's tracked object; and similar for B. Outbound traffic should balance as well as simple flow-hashing can balance. Then you don't need PBR.
For good measure, I'd add a third 0/0 route (distance 200) via either ISP (pick one) which doesn't depend on pings... just in case.
01-03-2015 01:07 PM
Looking at my answer, there may be a few cases where an application uses multiple UDP or TCP flows as part of a single transaction, and the remote server expects them all to arrive from the same source IP.
These are pretty rare, and NAT-unfriendly to begin with. But if you wanted to be paranoid, you could stick with PBR, and direct hosts with even source IPs out one ISP, and hosts with odd source IPs out the other ISP:
no access-list 155
access-list 155 permit ip 0.0.0.0 255.255.255.254 any
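To check the even/odd split and the tracked-next-hop failover from the two replies above before touching a switch, here is an added Python model (not the thread's own configuration and not Cisco code). It implements Cisco wildcard-mask matching, a two-entry route map in which each tracked next hop is used only while its track object is up, and the fallback to the normal default route when a tracked hop is down. The next hop 10.100.100.4 for the second ISP and track object 20 are constructed placeholders; 10.100.100.3 and 172.16.1.1 come from the thread.

```python
"""Model of even/odd source-IP policy routing with tracked next hops.

Added example: a Python model of how a Cisco-style wildcard-mask ACL and a
PBR route map with 'set ip next-hop verify-availability ... track' pick a
next hop. 10.100.100.4 and track 20 are hypothetical values for ISP B.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'must match base'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (b & care)


# Route-map entries in order: (ACL base, ACL wildcard, next hop, track object id).
# 0.0.0.0 255.255.255.254 matches even hosts; 0.0.0.1 255.255.255.254 matches odd ones.
ROUTE_MAP = [
    ("0.0.0.0", "255.255.255.254", "10.100.100.3", 10),  # even source IPs -> ISP A (from the thread)
    ("0.0.0.1", "255.255.255.254", "10.100.100.4", 20),  # odd source IPs -> ISP B (hypothetical hop)
]
DEFAULT_NEXT_HOP = "172.16.1.1"  # the thread's normal default route


def select_next_hop(src: str, track_state: dict) -> str:
    """First route-map entry whose ACL matches wins. If that entry's tracked
    next hop is down, the set is skipped and the packet follows the routing
    table, modelled here as the default route."""
    for base, wildcard, hop, track in ROUTE_MAP:
        if wildcard_match(src, base, wildcard):
            if track_state.get(track, False):
                return hop
            return DEFAULT_NEXT_HOP  # tracked hop down: normal forwarding
    return DEFAULT_NEXT_HOP  # no ACL matched: normal forwarding


def split_counts(network: str, track_state: dict) -> dict:
    """Count how the usable hosts of a subnet land on each next hop."""
    counts = {}
    for host in ipaddress.IPv4Network(network).hosts():
        hop = select_next_hop(str(host), track_state)
        counts[hop] = counts.get(hop, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed inside subnet; both ISPs up, then ISP A's probe down.
    print(split_counts("192.168.10.0/24", {10: True, 20: True}))
    print(split_counts("192.168.10.0/24", {10: False, 20: True}))
```

With both tracks up, a /24 splits 127/127 between the two hops; with track 10 down, the even half drops back to 172.16.1.1 while the odd half keeps using ISP B, which is the failover behaviour worth confirming with a real probe before relying on it.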