05-13-2015 03:23 PM - edited 03-08-2019 12:00 AM
I have two internet connections, one primary and one secondary: The primary internet is static IP from a cable modem and the secondary internet is an MPLS connection. Each connection terminates at its own ASA 5550 on the same local subnet (192.168.0.0/24). I need one internet connection (the MPLS connection) to be reserved for a specific server (192.168.0.100) while the primary connection continues to serve as the default internet for the rest of the network. My current topology looks something like this:
        192.168.0.100
              ↕
  192.168.0.0/24      192.168.0.1                      → Building #2 192.168.1.0/24
  Building #1     ↔   Gateway      ↔   Private IP  ↔   → Building #3 192.168.3.0/24
  4500e/SUP6L-E       Cisco 2851                       → Building #4 192.168.5.0/24
        ↕                  ↕
      ASA#1              ASA#2
  192.168.0.5         192.168.0.7
        ↕                  ↕
      Cable               MPLS
The gateway for the 0 subnet is the 2851 router, which contains a default route to ASA#1 ("route 0.0.0.0 0.0.0.0 192.168.0.5"), so all internet traffic for the 0 subnet goes through ASA#1. The problem is that I need all internet traffic from 192.168.0.100 only to go through the secondary MPLS internet and ASA#2. I can't use ASA#2 as the default gateway on that server, as I then lose connectivity to the other buildings because the 2851 gateway is no longer in the picture. I've tried a few things, all to no avail, and I also can't just get rid of the cable internet at this time. I also have limited access to the server and can only edit basic network settings, like IP/mask and gateway info. I think I'm in over my head on this one and would love to hear from some more knowledgeable people. Any help is much appreciated.
05-13-2015 09:19 PM
On 2851:
Create an extended ACL to match traffic from source "host 192.168.0.100".
Create a "route-map <name>", match the above ACL, and give an exit via "set ip next-hop 192.168.0.7".
Apply the policy to the interface of the 2851 where you are receiving the traffic of "192.168.0.100" via "ip policy route-map <name>".
This is called PBR; for more details, refer to the Cisco doc below:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html
Vivek
05-18-2015 03:07 AM
Thank you very much for your reply, it's already saved me a lot of time! I haven't yet had the chance to apply the configuration and test it, but will do so today. I'd just like to clarify my configuration, as there was one unknown that I ran into.
When creating the extended ACL to match the traffic, I wasn't aware that I had to enter a destination. I assumed from what you typed that the ACL would only contain one entry (192.168.0.100), but I was forced to enter a destination. I also assume that when you said to apply the policy to the interface of the 2851 where the routes for 192.168.0.100 are received, you meant the LAN-side connection of the router. So my eventual configuration looked like this:
05-18-2015 04:02 AM
I think you need to check the ACL.
access-list 100 permit ip host 192.168.0.100 any any
05-18-2015 02:22 PM
So I just applied the configuration, but as soon as I applied the route-map to the interface I lost all communication with my other offices. I wasn't able to create the access-list exactly as mentioned above. It wouldn't take the second "any" argument, only the first. So the access-list looked like the following:
"access-list 100 permit ip host 192.168.0.100 any"
I'm not sure if the access-list was the cause of losing communication, but as soon as I issued the "ip policy route-map server" command it was like I lost all routing to my other offices. I've attached a text file with the router config, as perhaps I did something wrong. Thanks a lot for your help with all of this, I really appreciate it!
05-18-2015 09:38 PM
Sorry, I think I missed something in the verification.
!
route-map server permit 100
set ip next-hop 192.168.0.7
!
route-map server permit 200
!
You need to add the above commands to match all packets other than "192.168.0.100 any"; otherwise they will be blocked.
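Putting Vivek's steps and the sequence-200 correction together, here is the complete PBR configuration for the 2851 as an added example (not the config attached to the thread). The LAN interface name GigabitEthernet0/0 is a placeholder, and the ACL goes one step beyond the thread by denying the other buildings' subnets first, so the server keeps reaching Buildings #2 to #4 through normal routing instead of being pushed to ASA#2 for that traffic too.

```cisco
! Added example, not the thread's attached config. Interface name is assumed.
!
! 1. Match only internet-bound traffic from the server.
!    IOS extended ACLs need a destination, so "any" is the destination;
!    a second "any" is rejected, as seen in the thread.
!    Deny entries for the building subnets mean that inter-office traffic
!    from the server falls through to the routing table (via the 2851).
access-list 100 remark PBR: send 192.168.0.100 internet traffic via ASA#2 (MPLS)
access-list 100 deny   ip host 192.168.0.100 192.168.1.0 0.0.0.255
access-list 100 deny   ip host 192.168.0.100 192.168.3.0 0.0.0.255
access-list 100 deny   ip host 192.168.0.100 192.168.5.0 0.0.0.255
access-list 100 permit ip host 192.168.0.100 any
!
! 2. Sequence 100: packets matching ACL 100 get ASA#2 as next hop,
!    ignoring the 2851's default route to ASA#1.
route-map server permit 100
 match ip address 100
 set ip next-hop 192.168.0.7
!
! 3. Sequence 200 with no match and no set: everything else is
!    routed normally (default route to ASA#1, building routes intact).
route-map server permit 200
!
! 4. Bind the policy to the interface where the server's packets
!    enter the router, i.e. the LAN side on 192.168.0.1.
interface GigabitEthernet0/0
 description LAN 192.168.0.0/24
 ip address 192.168.0.1 255.255.255.0
 ip policy route-map server
!
! Verification from exec mode (counters should increase on seq 100
! only for the server's internet traffic, on seq 200 for the rest):
!   show route-map server
!   show ip policy
```

An alternative to the deny entries is "set ip default next-hop 192.168.0.7" in place of "set ip next-hop": it only policy-routes packets for which the routing table holds nothing more specific than the default route, so destinations with explicit routes (the buildings) are never redirected.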