Dear Oleg,

  I have done that all things which have you mentioned. but my question is what access-list should be created for vlans to send them L3 switch to router. Otherwise how could be the router send vlan 10, 20  through ISP1 & vlan 30, 40 through ISP2...

Regards

Suhas

Example:

We have two VLAN at catalyst:

one - 192.168.1.0/24

two - 192.168.2.0/24

Outside interfaces

(in my example, it is two subinterfaces)

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

interface GigabitEthernet0/0.1

encapsulation dot1Q 1 native

ip address 172.16.4.112 255.255.255.0

ip nat outside

ip virtual-reassembly

no snmp trap link-status

Gateway for this interface is 172.16.4.1

interface GigabitEthernet0/0.2

encapsulation dot1Q 2

ip address 192.168.55.210 255.255.255.0

ip nat outside

ip virtual-reassembly

no snmp trap link-status

Gateway for this interface is 192.168.55.1

interface GigabitEthernet0/1

ip address 192.168.33.1 255.255.255.252

ip nat inside

ip virtual-reassembly

ip policy route-map VLANWEB

duplex auto

speed auto

It is interface to catalyst

route-map NATR1 permit 10

match ip address NATACL

match interface GigabitEthernet0/0.1

route-map NATR2 permit 10

match ip address NATACL

match interface GigabitEthernet0/0.2

route-map VLANWEB permit 10

match ip address VLAN1ACL

set ip next-hop 192.168.55.1

route-map VLANWEB permit 20

match ip address VLAN2ACL

set ip next-hop 172.16.4.1

ip access-list extended NATACL

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

ip access-list extended VLAN1ACL

permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended VLAN2ACL

permit ip 192.168.2.0 0.0.0.255 any

ip nat inside source route-map NATR1 interface GigabitEthernet0/0.1 overload

ip nat inside source route-map NATR2 interface GigabitEthernet0/0.2 overload

ip route 192.168.1.0 255.255.255.0 192.168.33.2

ip route 192.168.2.0 255.255.255.0 192.168.33.2

Example debug out

*Aug  9 20:51:27.439: NAT*: s=192.168.2.18->172.16.4.112, d=8.8.8.8 [3643]

*Aug  9 20:53:21.899: NAT*: s=192.168.1.18->192.168.55.210, d=8.8.8.8 [4135]

But You need added in this example IP SLA tracker

And well be good if You, done this, public Your config in this forum

Thanks!

I modify config for support backup ISP

interface GigabitEthernet0/1

ip address 192.168.33.1 255.255.255.252

ip nat inside

ip policy route-map VLANWEB

interface GigabitEthernet0/0.1

encapsulation dot1Q 1 native

ip address 172.16.4.112 255.255.255.0

ip nat outside

ip virtual-reassembly in

interface GigabitEthernet0/0.2

encapsulation dot1Q 2

ip address 192.168.55.210 255.255.255.0

ip nat outside

ip virtual-reassembly in

ip sla 1

icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.1

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0.2

ip sla schedule 2 life forever start-time now

track 123 ip sla 1 reachability

track 124 ip sla 2 reachability

ip access-list extended ISP1_SLA

permit icmp host 172.16.4.112 any

ip access-list extended ISP2_SLA

permit icmp host 192.168.55.210 any

route-map RMAP_SLA permit 10

match ip address ISP2_SLA

set ip next-hop 192.168.55.1

route-map RMAP_SLA permit 20

match ip address ISP1_SLA

set ip next-hop 172.16.4.1

ip local policy route-map RMAP_SLA

ip access-list extended VLAN1ACL

permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended VLAN2ACL

permit ip 192.168.2.0 0.0.0.255 any

route-map VLANWEB permit 10

match ip address VLAN1ACL

set ip next-hop verify-availability 192.168.55.1 10 track 124

set ip next-hop verify-availability 172.16.4.1 20 track 123

route-map VLANWEB permit 20

match ip address VLAN2ACL

set ip next-hop verify-availability 172.16.4.1 10 track 123

set ip next-hop verify-availability 192.168.55.1 20 track 124

ip access-list extended NATACL

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

route-map NATR1 permit 10

match ip address NATACL

match interface GigabitEthernet0/0.1

route-map NATR2 permit 10

match ip address NATACL

match interface GigabitEthernet0/0.2

ip nat inside source route-map NATR1 interface GigabitEthernet0/0.1 overload

ip nat inside source route-map NATR2 interface GigabitEthernet0/0.2 overload

ip route 0.0.0.0 0.0.0.0 172.16.4.1 20 track 123

ip route 0.0.0.0 0.0.0.0 192.168.55.1 10 track 124

event manager applet ISPSW

event track 123 state any

action 1 cli command "enable"

action 2 cli command "clear ip nat trans forced"

event manager applet ISPSW2

event track 124 state any

action 1 cli command "enable"

action 2 cli command "clear ip nat trans forced"

Hi Oleg,

   What configuration should be done at L3 switch.

Regards

Suhas

HI Suhas,

You can use this simple concept:

http://glennmatthys.wordpress.com/2012/04/24/policy-based-routing-example-route-one-subnet-via-isp-a-and-another-via-isp-b/

Regards

At L3 switch You must have two SVI interfaces for each VLAN (IP ddress at this interfaces should be use as gateway for PC in this VLAN).

And You must set default route to Your router (ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx or ip default-gateway xx.xx.xx.xx (where xx.xx.xx.xx IP address of Your router)) and enable ip routing.

At L3 switch You must have two SVI interfaces for each VLAN (IP ddress at this interfaces should be use as gateway for PC in this VLAN).

And You must set default route to Your router (ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx or ip default-gateway xx.xx.xx.xx (where xx.xx.xx.xx IP address of Your router)) and enable ip routing.

Dear Sandeep, in Your example, You do not use backup route patch for each VLAN