Crag Muer
Beginner

Two internet connections: How to use secondary internet for one specific host?

I have two internet connections, one primary and one secondary:  The primary internet is static IP from a cable modem and the secondary internet is an MPLS connection.  Each connection terminates at its own ASA 5550 on the same local subnet (192.168.0.0/24).  I need one internet connection (the MPLS connection) to be reserved for a specific server (192.168.0.100) while the primary connection continues to serve as the default internet for the rest of the network.  My current topology looks something like this:

                        192.168.0.100 (server)
                               ↕
 Building #1             192.168.0.1                              →  Building #2  192.168.1.0/24
 192.168.0.0/24   ↔      Gateway        ↔     Private IP    ↔     →  Building #3  192.168.3.0/24
 4500e/SUP6L-E           Cisco 2851                               →  Building #4  192.168.5.0/24
       ↕                       ↕
     ASA#1                   ASA#2
  192.168.0.5             192.168.0.7
       ↕                       ↕
     Cable                    MPLS

The gateway for the 0 subnet is the 2851 router, and contains a default route to ASA#1 "route 0.0.0.0 0.0.0.0 192.168.0.5", so all internet traffic for the 0 subnet goes through ASA#1.  The problem is I need all internet traffic destined only for 192.168.0.100 to go through the secondary MPLS internet and ASA#2.  I can't use ASA#2 as the default gateway on that server as I then lose connectivity to the other buildings because the 2851 gateway is no longer in the picture.  I've tried a few things but all to no avail and I also can't just get rid of the cable internet at this time.  I also have limited access to the server and can only edit basic network settings, like IP/mask and gateway info.  I think I'm in over my head on this one and would love to hear from some more knowledgeable people.  Any help is much appreciated.

Accepted Solutions
vivek srivastava
Rising star

On 2851:

Create an "extended ACL" to match traffic from source "host 192.168.0.100".

Create a "route-map <name>", match the above ACL and give an exit interface via "set ip next-hop 192.168.0.7".

Apply the policy to the interface of the 2851 where you are receiving the routes of "192.168.0.100" via "ip policy route-map <name>".

This is called PBR; for more details refer to the Cisco doc below:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

 

Vivek

 



Thank you very much for your reply, it's already saved me a lot of time! I haven't yet had the chance to apply the configuration and test it, but will do so today. I'd just like to clarify my configuration as there was one unknown that I ran into.

When creating the extended ACL to match the traffic, I wasn't aware that I had to enter a destination. I assumed from what you typed that the ACL would only contain one entry (192.168.0.100), but I was forced to enter a destination. I also assume that when you said to apply the policy to the interface of the 2851 where the routes for 192.168.0.100 are received, you meant the LAN-side connection of the router. So my eventual configuration looked like this:

  • access-list 100 permit ip host 192.168.0.100 host 192.168.0.7
  • route-map server permit 100
  • set ip next-hop 192.168.0.7
  • interface GigabitEthernet0/0 (192.168.0.1 255.255.255.0)
  • ip policy route-map server

I think you need to check the ACL.

access-list 100 permit ip host 192.168.0.100 any any

So I just applied the configuration but as soon as I applied the route-map to the interface I lost all communication with my other offices. I wasn't able to create the access-list specifically like mentioned above. It wouldn't take the second "any" argument, only the first. So the access-list looked like the following:

"access-list 100 permit ip host 192.168.0.100 any"

I'm not sure if the access-list was the cause of losing communication, but as soon as I issued the "ip policy route-map server" command it was like I lost all routing to my other offices. I've attached a text file with the router config as perhaps I did something wrong. Thanks a lot for your help with all of this, I really appreciate it!

Sorry, I think I missed something in the verification.

!
route-map server permit 100
 set ip next-hop 192.168.0.7
!
route-map server permit 200
!

You need to add the above command to match all packets other than "192.168.0.100 any", else they will be blocked.
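The configuration below is an added example, not Vivek's or the original poster's; it pulls together the accepted answer and the follow-up fix into one complete 2851 PBR configuration using the addresses the thread gives (server 192.168.0.100, ASA#2 192.168.0.7, LAN interface GigabitEthernet0/0 at 192.168.0.1, remote building subnets 192.168.1.0/24, 192.168.3.0/24 and 192.168.5.0/24). It also adds deny entries in the ACL so that the server's traffic to the other buildings keeps following the routing table instead of being pushed at the MPLS ASA; the ACL number 100 and route-map name "server" are taken from the thread, everything else is an assumption.

```cisco
! Added example for the thread above, not configuration from the original posts.
! A "deny" entry in a PBR match ACL means "do not policy-route", not "drop":
! the packet falls through to the next route-map clause and is routed normally.
! Keep the server's traffic to the other buildings and to the local LAN off the
! MPLS ASA; only what is left (Internet-bound traffic) is sent to 192.168.0.7.
access-list 100 deny   ip host 192.168.0.100 192.168.1.0 0.0.0.255
access-list 100 deny   ip host 192.168.0.100 192.168.3.0 0.0.0.255
access-list 100 deny   ip host 192.168.0.100 192.168.5.0 0.0.0.255
access-list 100 deny   ip host 192.168.0.100 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.0.100 any
!
! Clause 100: Internet-bound packets from the server go to ASA#2 (MPLS).
route-map server permit 100
 match ip address 100
 set ip next-hop 192.168.0.7
!
! Clause 200: no match statement, so it matches everything else; with no set
! statement those packets are forwarded by the normal routing table
! (default route to ASA#1 and the building routes stay in effect).
route-map server permit 200
!
! Apply the policy on the interface where the server's packets ENTER the 2851,
! i.e. the LAN side, not the WAN side.
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip policy route-map server
!
! Verification from exec mode (run debug briefly, it logs per packet):
!   show route-map server   - "Policy routing matches" counter on clause 100 should
!                             increase when the server browses the Internet
!   show ip policy          - confirms the route-map is bound to Gi0/0
!   debug ip policy         - shows "policy match" / "policy rejected" per packet
```

Note that the ACL in the first attempt matched only packets whose destination was 192.168.0.7 itself; Internet-bound packets carry the Internet host as destination, so they were never policy-routed.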