Solved

Dual Homed Cisco Router Configuration

Posted on 2006-06-11
13
2,486 Views
Last Modified: 2012-08-13
I have a question regarding routing and using 2 separate ISPs with an 1800 series Cisco Router.  I am a Cisco newbie and just looking for some good information regarding how to accomplish this.

Details
Network A 192.168.1.0
Network B 192.168.2.0
Network C 172.16.1.0
ISP 1 67.xx.xx.xx
ISP 2 69.xx.xx.xx
VLAN 1 = 192.168.1.1
switchport access fe2

VLAN 2 = 192.168.2.1
switchport access fe3

VLAN 3 = 172.16.1.1
switchport access fe4

FEO = ISP1
FE1 = ISP2

I have NAT configured and minimal access list rules for testing, and what I would like to do is set up the routing so that network B, C packets are forwarded through ISP 1 and network A goes through ISP 2.  I have tried this a few different ways with no success and I'm not sure why.

using route command

route <network A> 255.255.255.0 <ISP 2>
route <network B> 255.255.255.0 <ISP 1>
route <network A> 255.255.255.0 <ISP 3>

I'm sorry I don't have access to my running-config at the moment, but basic information that can get me to isolate the issue would be great.

-Sam
Question by:hexfusion
13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 16882929
So you have something like:


NETA -->\
                \                              /--- ISP 1
                 \---|                     /  
NETB ----------> Cisco 1800 <
                 /---|                     \
                /                             \---- ISP 2
NETC -->/              
         

You want all traffic that comes from NETA and NETC to go via ISP1 and all traffic that comes from NETB to go via ISP2.

Is this right?  This means you are attempting to do routing via the source IP address instead of the destination IP address, which is how routing normally works.  I'm not saying that this is not possible, but it is not normal.
 
LVL 50

Expert Comment

by:Don Johnston
ID: 16884481
Sounds like you're looking for Policy Based Routing.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt1/qcfpbr.htm

Something like this:

int f0/2 (net a)
ip policy route-map ISP-2

access-list 5 permit 192.168.1.0 0.0.0.255

route-map ISP-2
 match ip address 5
 set interface serial 0/0 (interface to isp 2)
 
 
LVL 2

Author Comment

by:hexfusion
ID: 16885189
Don, PBR looks very promising. As long as NAT is configured it seems that should work; let me do some more research and testing.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16897884
If you use the next-hop IP address in your route map (assuming you know what it is and it's stable) you can even configure failover like this:

Assume these are the ip addresses at the ISP end of your WAN links:
ISP-1 next hop 1.1.1.1
ISP-2 next hop 2.2.2.2

Then modifying Don's example slightly:
route-map ISP-2
 match ip address 5
 set ip next-hop 2.2.2.2 1.1.1.1

If traffic is sourced from 192.168.1.0/24, the policy map will look for 1.1.1.1 and if that link is down it will try the other ISP.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16897891
Sorry, that's backwards. It will first try ISP2 at 2.2.2.2 and then try 1.1.1.1   :-}
 
LVL 2

Author Comment

by:hexfusion
ID: 16904757
I am having some issues setting this up and I am sure that it is something simple but I can't seem to isolate it.

FE0----->ISP1
FEO1--->ISP2
FE2--->VLAN1
FE3--->VLAN2

Sorry for these apparent newbie questions

Just want to verify which interface am I supposed to attach the policy route map for say ISP1 FE0 or VLAN1?

Also I currently have a route line that reads like this

ip classless
ip route 0.0.0.0 0.0.0.0 ISP1

Should ip route be completely removed or do I need to revise this entry? I assumed it must be removed as it contradicts the PBR map.

Also, I have a question regarding NAT. I now have a line which reads
ip nat inside source list 1 interface FE0 overload (where access list 1 is for map ISP1). So is this wrong for my config? I understand that there would need to be one for my access list 2 (ISP2 clients) but I feel that somewhere along the line NAT is at fault here.  Any help with how NAT should look would be appreciated.

My final question is in regards to next hop per mikebernhardt:  If next hop isn't set, for example, how is it possible for the map to forward the packets to the ISP?  It seems to me that I either am missing route entries or, without next hop set, there is no way that the packets would get properly forwarded to the ISP; they would only end up at the interface FEO.

Thanks in advance for your time

-Sam
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 16905009
Don's example told those packets to exit a particular interface. Mine set the next IP hop. But his also assumed that you had a serial interface where "what goes in must come out." If your outside interface is ethernet you have to use next hop because the device on the other end may not forward packets not specifically sent to it (proxy arp on Cisco).

The default route is fine, because any traffic that DOESN'T match the policy map will be forwarded via normal routing. If you want the traffic normally destined for ISP1 to fail over to ISP2 then you should also add a floating static route to ISP2:
ip route 0.0.0.0 0.0.0.0 ISP2 250

Set the map on the Layer 3 interface for the LAN, whether that's FE2 or VLAN1 I don't know without seeing the config.

For NAT, both interfaces need to NAT and both should have the same access lists, which translate anything. But of course they'll only translate the traffic they are sent.
 
LVL 2

Author Comment

by:hexfusion
ID: 16905395
I noticed I had one error right off the bat: I set interface and next hop on the map.

My Setup is  ethernet connected to the internet via vsat modem
FEO--->ISP1
nat outside
FE1---->ISP2
nat outside

VLAN1-->FE2
nat inside
VLAN2-->FE3
nat inside

So in this case I believe I would set the map to VLANx

ip classless
ip route 0.0.0.0 0.0.0.0 ISP1
ip route 0.0.0.0 0.0.0.0 ISP2 250

##Is this right???  I swear this is my problem
ip nat inside source list 1 interface FE0 overload ' had this
ip nat inside source list 2 interface FE1 overload 'added this


access-list 1 permit network A
access-list 1 permit network C
access-list 2 permit network B

route-map ISP-1
 match ip address 1
 set ip next-hop ISP1 ISP2

route-map ISP-2
 match ip address 2
 set ip next-hop ISP2 ISP1

I think that's all I need, right?
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 500 total points
ID: 16905554
>Is this right???
That's correct

You don't need route map ISP-1, because you want Networks B and C to follow normal default routing, which you define with the default routes. I would do this:
ip route 0.0.0.0 0.0.0.0 ISP1
ip route 0.0.0.0 0.0.0.0 ISP2 250

ip nat inside source list 1 interface FE0 overload
ip nat inside source list 1 interface FE1 overload

access-list 1 permit any
access-list 2 permit network A

route-map ISP-2
 match ip address 2
 set ip next-hop ISP2 ISP1

interface vlan1
 ip policy route-map ISP-2

Now, there is one other potential problem, which is, how will your router know whether ISP1 is up? If there is ethernet link, the router will consider the default route good. That doesn't mean that ISP1 is actually reachable though. For that you need a feature called Service Assurance Agent (SAA). It can actually ping out and check, and take down the default route if it doesn't get a response:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca63e.html
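As an added illustration (not code from the thread), here is a small Python model of the accepted configuration above and of the next-hop failover and floating static route mikebernhardt describes two posts earlier: network A is policy-routed to ISP2 with ISP1 as backup, everything else follows the default route with administrative distances 1 and 250, and NAT with "access-list 1 permit any" translates to whichever outside interface the packet leaves. The next-hop and outside addresses (67.0.0.1, 69.0.0.1, 67.0.0.2, 69.0.0.2) are constructed placeholders, since the thread masks the real ones.

```python
import ipaddress

# Constructed placeholders for the ISP next-hops (the thread shows 67.xx / 69.xx).
ISP1 = "67.0.0.1"
ISP2 = "69.0.0.1"

def acl_match(entries, src):
    """Standard IOS ACL semantics: wildcard bit 1 = don't care, first match wins,
    implicit deny at the end. Returns True when src is permitted."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wildcard in entries:
        n = int(ipaddress.IPv4Address(net))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (n & care):
            return action == "permit"
    return False

ACL_1 = [("permit", "0.0.0.0", "255.255.255.255")]   # access-list 1 permit any
ACL_2 = [("permit", "192.168.1.0", "0.0.0.255")]     # access-list 2 = network A

# route-map ISP-2: match ip address 2 / set ip next-hop ISP2 ISP1
ROUTE_MAP_ISP2 = {"match": ACL_2, "next_hops": [ISP2, ISP1]}

# ip route 0.0.0.0 0.0.0.0 ISP1   (AD 1)
# ip route 0.0.0.0 0.0.0.0 ISP2 250   (floating static, only used if ISP1's route drops)
STATIC_ROUTES = [(ISP1, 1), (ISP2, 250)]

# ip nat inside source list 1 interface FE0/FE1 overload; outside addresses are constructed.
NAT_OUTSIDE = {ISP1: ("FE0", "67.0.0.2"), ISP2: ("FE1", "69.0.0.2")}

def forward(src, link_up):
    """Pick the next-hop for a packet from src entering the LAN (vlan1) interface.
    link_up maps next-hop -> bool; without SAA a router only knows interface state,
    which is the limitation the accepted answer warns about."""
    # PBR on the inbound LAN interface is evaluated before the routing table.
    if acl_match(ROUTE_MAP_ISP2["match"], src):
        for hop in ROUTE_MAP_ISP2["next_hops"]:
            if link_up.get(hop, False):
                return hop
    # No policy match (or no usable policy hop): normal routing, lowest AD wins.
    usable = [(ad, hop) for hop, ad in STATIC_ROUTES if link_up.get(hop, False)]
    return min(usable)[1] if usable else None

def egress(src, link_up):
    """Return (next_hop, outside_interface, translated_source) or None if unroutable."""
    hop = forward(src, link_up)
    if hop is None:
        return None
    iface, addr = NAT_OUTSIDE[hop]
    return hop, iface, (addr if acl_match(ACL_1, src) else src)
```

Run it with both links up and with each link down in turn to see network A move to ISP1 only when ISP2 is unusable, and networks B and C move to ISP2 only when ISP1's default route is gone.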
 
LVL 2

Author Comment

by:hexfusion
ID: 16978501
Sorry for the delay in reply; I have been pulling my hair out trying to get this to work.  In every config I have tried, packets will always follow the default path. I am still testing, but is there anything else that needs to be set up for this to work, ex.) RIP etc.?  PBR must be the solution though, it just makes sense.

This was a typo right mike

ip nat inside source list 1 interface FE0 overload
ip nat inside source list 1 interface FE1 overload

must be

ip nat inside source list 1 interface FE0 overload
ip nat inside source list 2<-- interface FE1 overload

any help is GA
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 17085298
I was away on vacation for 2 weeks, sorry! No, the NAT command is correct; for simplicity you want either interface to NAT anything that comes its way.

What should be happening is that Network A should go to ISP2 and networks B and C should use default routing to ISP1. Try "debug ip policy" along with "term mon" (if you're in a telnet session) to see what's going on. I'm going to check a little further also.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 17085327
What exactly do you have in your access lists? It should be something like
access-list 2 permit 192.168.1.0 0.0.0.255