Dual Homed Cisco Router Configuration

I have a question regarding routing and using 2 separate ISPs with an 1800 series Cisco Router.  I am a Cisco newbie and just looking for some good information regarding how to accomplish this.

Details
Network A 192.168.1.0
Network B 192.168.2.0
Network C 172.16.1.0
ISP 1 67.xx.xx.xx
ISP 2 69.xx.xx.xx
VLAN 1 = 192.168.1.1
switchport access fe2

VLAN 2 = 192.168.2.1
switchport access fe3

VLAN 3 = 172.16.1.1
switchport access fe4

FE0 = ISP1
FE1 = ISP2

I have NAT configured and minimal access list rules for testing, and what I would like to do is set up the routing so that network B, C packets are forwarded through ISP 1 and network A goes through ISP 2.  I have tried this a few different ways with no success and I'm not sure why.

using route command

route <network A> 255.255.255.0 <ISP 2>
route <network B> 255.255.255.0 <ISP 1>
route <network A> 255.255.255.0 <ISP 3>

I'm sorry I don't have access to my running-config at the moment, but basic information that can get me to isolate the issue would be great.

-Sam
hexfusion Asked:
 
mikebernhardt Commented:
>Is this right???
That's correct

You don't need route map ISP-1, because you want Networks B and C to follow normal default routing- which you define with the default routes. I would do this:
ip route 0.0.0.0 0.0.0.0 ISP1
ip route 0.0.0.0 0.0.0.0 ISP2 250

ip nat inside source list 1 interface FE0 overload
ip nat inside source list 1 interface FE1 overload

access-list 1 permit any
access-list 2 permit network A

route-map ISP-2
 match ip address 2
 set ip next-hop ISP2 ISP1

interface vlan1
 ip policy route-map ISP-2

Now, there is one other potential problem, which is, how will your router know whether ISP1 is up? If there is ethernet link, the router will consider the default route good. That doesn't mean that ISP1 is actually reachable though. For that you need a feature called Service Assurance Agent (SAA). It can actually ping out and check, and take down the default route if it doesn't get a response:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca63e.html
0
 
giltjr Commented:
So you have something like:


NETA -->\
                \                              /--- ISP 1
                 \---|                     /  
NETB ----------> Cisco 1800 <
                 /---|                     \
                /                             \---- ISP 2
NETC -->/              
         

You want all traffic that comes from NETA and NETC to go via ISP1 and all traffic that comes from NETB to go via ISP2.

Is this right?  This means you are attempting to do routing via the source IP address instead of the destination IP address, which is how routing normally works.  I'm not saying that this is not possible, but not normal.
0
 
Don Johnston (Instructor) Commented:
Sounds like you're looking for Policy Based Routing.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

Something like this:

int f0/2 (net a)
ip policy route-map ISP-2

access-list 5 permit 192.168.1.0 0.0.0.255

route-map ISP-2
 match ip address 5
 set interface serial 0/0 (interface to isp 2)
 
0

 
hexfusion (Author) Commented:
Don, PBR looks very promising. As long as NAT is configured it seems that should work; let me do some more research and testing.
0
 
mikebernhardt Commented:
If you use the next-hop IP address in your route map (assuming you know what it is and it's stable) you can even configure failover like this:

Assume these are the ip addresses at the ISP end of your WAN links:
ISP-1 next hop 1.1.1.1
ISP-2 next hop 2.2.2.2

Then modifying Don's example slightly:
route-map ISP-2
 match ip address 5
 set ip next-hop 2.2.2.2 1.1.1.1

If traffic is sourced from 192.168.1.0/24, the policy map will look for 1.1.1.1 and if that link is down it will try the other ISP.
0
 
mikebernhardt Commented:
Sorry, that's backwards. It will first try ISP2 at 2.2.2.2 and then try 1.1.1.1   :-}
0
 
hexfusion (Author) Commented:
I am having some issues setting this up and I am sure that it is something simple but I can't seem to isolate it.

FE0----->ISP1
FEO1--->ISP2
FE2--->VLAN1
FE3--->VLAN2

Sorry for these apparent newbie questions

Just want to verify: which interface am I supposed to attach the policy route map to for, say, ISP1: FE0 or VLAN1?

Also I currently have a route line that reads like this

ip classless
ip route 0.0.0.0 0.0.0.0 ISP1

Should ip route be completely removed or do I need to revise this entry? I assumed it must be removed as it contradicts the PBR map.

Also, I have a question regarding NAT. I now have a line which reads
ip nat inside source list 1  interface FE0 overload (where access list 1 is for  map ISP1)  So is this wrong for my config? I understand that there would need to be one for my access list 2 (ISP2 clients), but I feel that somewhere along the line NAT is at fault here.  Any help with how NAT should look would be appreciated.

My final question is in regards to next hop per mikebernhardt:  If next hop isn't set, for example, how is it possible for the map to forward the packets to the ISP?  It seems to me that I either am missing route entries or without next hop set there is no way that the packets would get properly forwarded to the ISP, that they would only end up at the interface FE0.

Thanks in advance for your time

-Sam
0
 
mikebernhardt Commented:
Don's example told those packets to exit a particular interface. Mine set the next IP hop. But his also assumed that you had a serial interface where "what goes in must come out." If your outside interface is ethernet you have to use next hop because the device on the other end may not forward packets not specifically sent to it (proxy arp on Cisco).

The default route is fine, because any traffic that DOESN'T match the policy map will be forwarded via normal routing. If you want the traffic normally destined for ISP1 to fail over to ISP2 then you should also add a floating static route to ISP2:
ip route 0.0.0.0 0.0.0.0 ISP2 250

Set the map on the Layer 3 interface for the LAN, whether that's FE2 or VLAN1 I don't know without seeing the config.

For NAT, both interfaces need to NAT and both should have the same access lists, which translate anything. But of course they'll only translate the traffic they are sent.
0
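The forwarding decision described in the post above (policy route-map with an ordered next-hop list, then the default route backed by a floating static), as an added example that is not from any participant in this thread. It is a simplified Python model, not IOS behaviour: the next hops 1.1.1.1 and 2.2.2.2 are the sample values from the earlier post, Vlan1 as the Network A interface is an assumption, and `usable` stands in for whichever next hops the router currently considers up.

```python
import ipaddress

ISP1, ISP2 = "1.1.1.1", "2.2.2.2"            # sample next hops from the thread
ACLS = {2: [("192.168.1.0", "0.0.0.255")]}   # access-list 2 permit network A
POLICIES = {"Vlan1": [(2, [ISP2, ISP1])]}    # route-map ISP-2 applied on Vlan1 (assumed)
STATIC_DEFAULTS = [(ISP1, 1), (ISP2, 250)]   # default route plus floating static

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_permits(src, entries):
    """Standard ACL: wildcard bits set to 1 are ignored; no match is an implicit deny."""
    for net, wildcard in entries:
        care = ~_ip(wildcard) & 0xFFFFFFFF
        if _ip(src) & care == _ip(net) & care:
            return True
    return False

def pbr_next_hop(src, route_map, usable):
    """First usable next hop of the first matching route-map entry, else None."""
    for acl_no, hops in route_map:
        if acl_permits(src, ACLS[acl_no]):
            return next((h for h in hops if h in usable), None)
    return None

def default_next_hop(usable):
    """Lowest administrative distance among default routes whose next hop is usable."""
    candidates = [(ad, hop) for hop, ad in STATIC_DEFAULTS if hop in usable]
    return min(candidates)[1] if candidates else None

def forward(src, inbound_if, usable, policies=POLICIES):
    """The policy is consulted only on the interface the packet arrives on."""
    route_map = policies.get(inbound_if, [])
    return pbr_next_hop(src, route_map, usable) or default_next_hop(usable)

if __name__ == "__main__":
    both = {ISP1, ISP2}
    print("A, both up      ->", forward("192.168.1.10", "Vlan1", both))
    print("B, both up      ->", forward("192.168.2.10", "Vlan2", both))
    print("A, ISP2 down    ->", forward("192.168.1.10", "Vlan1", {ISP1}))
    print("B, ISP1 down    ->", forward("192.168.2.10", "Vlan2", {ISP2}))
    # Route-map attached to the outside interface instead of the LAN interface:
    misplaced = {"FastEthernet0": POLICIES["Vlan1"]}
    print("A, map on FE0   ->", forward("192.168.1.10", "Vlan1", both, misplaced))
```

In this model, a route-map attached to the outside interface never sees LAN-sourced packets, so Network A follows the default route to ISP1.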
 
hexfusion (Author) Commented:
I noticed I had one error right off the bat: I set interface and next hop on the map.

My setup is ethernet connected to the internet via vsat modem
FE0--->ISP1
nat outside
FE1---->ISP2
nat outside

VLAN1-->FE2
nat inside
VLAN2-->FE3
nat inside

So in this case I believe I would set the map to VLANx

ip classless
ip route 0.0.0.0 0.0.0.0 ISP1
ip route 0.0.0.0 0.0.0.0 ISP2 250

##Is this right???  I swear this is my problem
ip nat inside source list 1 interface FE0 overload ' had this
ip nat inside source list 2 interface FE1 overload 'added this


access-list 1 permit network A
access-list 1 permit network C
access-list 2 permit network B

route-map ISP-1
 match ip address 1
 set ip next-hop ISP1 ISP2

route-map ISP-2
 match ip address 2
 set ip next-hop ISP2 ISP1

I think that's all I need, right?
0
 
hexfusion (Author) Commented:
Sorry for the delay in reply, I have been pulling my hair out trying to get this to work.  In every config I have tried, packets will always follow the default path. I am still testing, but is there anything else that needs to be set up for this to work, e.g. RIP etc.?  PBR must be the solution though, it just makes sense.

This was a typo, right Mike?

ip nat inside source list 1 interface FE0 overload
ip nat inside source list 1 interface FE1 overload

must be

ip nat inside source list 1 interface FE0 overload
ip nat inside source list 2<-- interface FE1 overload

any help is GA
0
 
mikebernhardt Commented:
I was away on vacation for 2 weeks, sorry! No, the NAT command is correct. For simplicity you want either interface to NAT anything that comes its way.

What should be happening is that Network A should go to ISP2 and networks B and C should use default routing to ISP1. Try "debug ip policy" along with "term mon" (if you're in a telnet session) to see what's going on. I'm going to check a little further also.
0
 
mikebernhardt Commented:
What exactly do you have in your access lists? It should be something like
access-list 2 permit 192.168.1.0 0.0.0.255
0
Question has a verified solution.
