Cisco ISR 4300 Dual Internet Connections

BSModlin
I have 2 internet connections from the same ISP. I have created 2 VLANs: 10.55.20.0 and 10.55.30.0. I would like VLAN 20 to route out Internet connection 1 and VLAN 30 to route out Internet connection 2.

What is the best way to accomplish this with 1 router?

My router has an additional switchport card in it so I will be creating the VLANs and DHCP scopes directly on the router, along with terminating both internet connections.
Garry Glendown, Consulting and Network/Security Specialist

Commented:
The simplest way would be to set up an additional VRF and put one of the VLANs and one of the Internet connections into it ... that way, you have two separate routing tables and can easily keep the two apart ... using additional features like fallback routes, a bit of NAT etc. you could even add redundancy for outgoing access ...

Let me know if you need additional support or info on setting it up ...
kevinhsieh, Network Engineer

Commented:
I think using policy-based routing might be better. It can route traffic based upon more than just the destination address. I usually use PBR to route based upon the source IP. This way VLAN 20 and 30 can still talk internally, and you can send different traffic out different interfaces based upon source IP, protocol, port, etc. PBR also has the flexibility to route traffic out one ISP interface or another depending upon IP SLA status. I use this to conditionally route traffic out the local cable connection only if I know it's good. PBR can be easily modified via a single access list.

Author

Commented:
Thank you.  Can you please give me an example of what the PBR would look like?

Harold Bowlin, Owner/Network Architect

Commented:
Are these DIA through a provider? Are they letting you run BGP with them? Even if not, did they give you a single public IP space or 2 blocks? If they gave you 2 blocks and you want to run both VLANs as autonomous networks independent of one another, you can definitely do what was suggested earlier by using VRFs to keep the traffic separate. One thing I would do is not utilize the global table at all. This will allow you to properly label both routing tables. Example below.

vrf definition VLAN20
 address-family ipv4
!
vrf definition VLAN30
 address-family ipv4

Not sure how you are going to get the traffic to the router but it could look something like either of these below configurations.

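interface Port-channel1.20
 ! a dot1Q tag is required on a subinterface before an IP address is accepted
 encapsulation dot1Q 20
 vrf forwarding VLAN20
 ip address 10.55.20.1 255.255.255.0
!
interface range GigabitEthernet0/0/0 - 1
 channel-group 1
!
interface Port-channel1.30
 encapsulation dot1Q 30
 vrf forwarding VLAN30
 ip address 10.55.30.1 255.255.255.0
!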

If you are using an L3 switch you can do routing via EIGRP or OSPF......

router eigrp VLAN20
 ! named-mode EIGRP takes the AS number with the autonomous-system keyword
 address-family ipv4 unicast vrf VLAN20 autonomous-system xx
  network 10.55.20.1 0.0.0.0
!
router eigrp VLAN30
 address-family ipv4 unicast vrf VLAN30 autonomous-system xx
  network 10.55.30.1 0.0.0.0
!
router ospf xx vrf VLAN20
 router-id x.x.x.x
 network 10.55.20.1 0.0.0.0 area 0
!
router ospf xx vrf VLAN30
 router-id x.x.x.x
 network 10.55.30.1 0.0.0.0 area 0
!
So that is the LAN side; the WAN side will be determined by how the provider is handling your traffic and the public IP space available for your use.

Another question I may have in this scenario since you didn't mention any public IP space.....are they providing a managed router and doing NAT for you? If that is the case, then it makes this much easier on your side for configuration but you also want to ensure you are communicating with the provider regarding the networks that will be allowed in their NAT policy.
Network Engineer
Commented:
Here's basic PBR code for you.

interface vlan 30
 ip address 10.22.30.1 255.255.255.0
 ip flow ingress
 ip policy route-map INTERNET-PBR

route-map INTERNET-PBR permit 1
 description Routes some traffic out to ISP 2
 match ip address ISP2-PBR-ACL
 set ip next-hop aaa.bbb.ccc.ddd

ip access-list extended ISP2-PBR-ACL
 remark Controls which traffic goes out ISP2
 remark anything that doesn't match will take the normal route
 ! an extended ACL entry needs a protocol and a destination
 permit ip 10.22.30.0 0.0.0.255 any


Author

Commented:
Ok great.  What does the "IP flow ingress" command do?
kevinhsieh, Network Engineer

Commented:
That's a leftover command from my router. It allows NetFlow statistics to be collected. From the router I can see the top 200 conversations by size.

Author

Commented:
Thank you..... last question....  How can I configure failover, just in case one of these circuits goes down?
