Multiple Route-maps to define routes by Source IP

Mike Elliott
Level 1

I have a very simple setup.  I have a cisco 837 that connects to a DSL line (via ethernet0) and I have Nat setup on that interface in an overload.  That interface also has a route-map applied to it so that it can divert some traffic based on an ACL to our vpn tunnel.

I recently got handed the task of having this branch office also test a new ISP.  The line is in, and I setup a secondary ip interface on ethernet0.  I'd like to route some machines through the new ISP while others go through the old one.

Is this possible?

11 Replies

Giuseppe Larosa
Hall of Fame

Hello Mike,

combining NAT and PBR you should be able to do this.

Use extended ACLs for NAT invoked inside a route-map.

The route-map needs to have two blocks one for NATTING and diverting hosts for new ISPs, the second block can represent the current NAT.

In this case I would use an ACL that denies traffic to vpn destinations and traffic sourced by the sample hosts that should use the new ISP.

Hope to help

Giuseppe

Thanks Giuseppe

Here is my route map and nat overload statements, very simple..

ip nat inside source route-map nonat interface Ethernet0 overload

route-map nonat permit 10
match ip address 110

Access list 110 contains the traffic from my Branch subnets, to my HQ Subnets.

Ethernet0 has two IP addresses and the crypto map attached to it. xxx.xxx.xxx.1 is my NEW isp, and yyy.yyy.yyy.1 is my OLD isp.

interface Ethernet0
description "Connected to the Net"
ip address xxx.xxx.xxx.1 255.255.255.240 secondary
ip address yyy.yyy.yyy.1 255.255.255.192
ip nat outside
no ip mroute-cache
half-duplex
crypto map test

interface FastEthernet0
description "Internal Lan"
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip route-cache policy
ip policy route-map rock
no ip mroute-cache
speed auto
half-duplex

Route map rock sets the next hop for site to site traffic through the vpn tunnel.

route-map rock permit 10
match ip address 123
set ip next-hop 1.1.1.2

So if I can explain it a bit better, I want to have a decision made in one of those two maps, or in another nat pool, to direct "some" traffic down the OLD ISP and the rest of the traffic out the NEW ISP.  I want to define the different routes based on the source and destination IP addresses.

i.e. all VPN traffic to go through the old isp, and all other traffic to go through the new one.

The default route is currently set to the OLD ISP.

Hello Mike,

an example is provided here

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1073518

in your case you need to use two statements like:

ip nat pool newISP
ip nat inside source route-map rock pool newISP overload
ip nat inside source route-map ISP1 interface eth0 overload

route-map rock is also invoked on internal LAN interface

the ACLs used in the two route-maps should clearly deny what is not to be natted by the current route-map

if for example first half of net 192.168.3.0/24 is to be used with old ISP

access-list 111 remark acl for ISP2
access-list 111 deny ip 192.168.3.0 0.0.0.255
access-list 111 permit ip 192.168.3.128 0.0.0.127 any
!
access-list 112 remark acl for ISP1
access-list 112 deny ip 192.168.3.0 0.0.0.255
access-list 112 permit ip 192.168.3.0 0.0.0.127 any
!
route-map ISP1 permit 10
match ip address 112
!
route-map rock permit 10
match ip address 111
set ip next-hop 1.1.1.2

Hope to help

Giuseppe

I just want to add to the nice post from Giuseppe that you almost need to have the exit interface matched in the route-map, to avoid NAT using the first NAT line only:

route-map xx
match interface x/x

where x/x is the interface that is supposed to be the exit interface for that traffic (only required with the nat command)

good luck

if helpful rate

Could I test this out by setting up route maps for each isp like this:

route-map isp2 permit 10
match ip address 102
set ip next-hop
!
route-map isp1 permit 10
match ip address 101
set ip next-hop

Then use static nat translations pointing at the route-maps like this:

ip nat inside source static aaa.aaa.aaa.1 xxx.xxx.xxx.21 route-map isp2
ip nat inside source static aaa.aaa.aaa.2 yyy.yyy.yyy.21 route-map isp1


I am using static routes, so I could just set two static routes to 0.0.0.0 0.0.0.0


Hi Mike

all of the above will work

however, to make you 100% sure, just follow the below example

first you have to have two default routes, each one pointing to one of your ISP links

internal network

10.1.1.0/24 --- this goes through the old ISP -- ISP1

20.1.1.0/24 -- this will use the new ISP -- ISP2

E0 -- to internal LAN

E1 -- to ISP1

E2 -- to ISP2

access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 permit 20.1.1.0 0.0.0.255
!
route-map PBR permit 10
match ip address 10
set ip next-hop ISP1
route-map PBR permit 20
match ip address 20
set ip next-hop ISP2
!
route-map ISP1 permit 10
match ip address 10
match interface E1
route-map ISP2 permit 20
match ip address 20
match interface E2
!
interface Ethernet0
ip nat inside
ip policy route-map PBR
! this will do policy based routing for you
!
ip nat inside source route-map ISP1 interface E1 overload
ip nat inside source route-map ISP2 interface E2 overload
!
int E1
ip nat outside
int E2
ip nat outside

good luck

if helpful Rate
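The decision logic the thread is building (PBR picks the exit, then the ordered `ip nat inside source route-map ...` lines are tried in turn, and a `match interface` clause keeps the first NAT line from grabbing flows that PBR already sent elsewhere) is easy to get wrong by reasoning alone. The model below is an added example, not a configuration from this thread or from Cisco: it implements IOS wildcard-mask ACL matching with first-match semantics and implicit deny, evaluates a PBR route-map and then the NAT statements, and reproduces both Marwan's disjoint-ACL design and the "first NAT line only" failure his `match interface` note guards against. All addresses, interface names (E1/E2), the ISP next-hop labels and the 192.168.10.0/24 "VPN/HQ" subnet used in the deny-then-permit ACL are constructed placeholders.

```python
"""Model of how IOS evaluates a PBR route-map and ordered NAT statements.

Constructed example, not the thread's router configuration: ACL entries use
IOS wildcard masks, the first matching entry decides (implicit deny at the
end), and a NAT route-map sequence applies only when all its 'match'
clauses are true. Addresses, interface names and the VPN subnet are
placeholders chosen for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str                         # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"                # defaults express 'any'
    dst_wc: str = "255.255.255.255"


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; no match falls through to implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    acl: List[AclEntry]
    next_hop: Optional[str] = None      # 'set ip next-hop' (PBR use)
    interface: Optional[str] = None     # 'match interface' (NAT use)


def pbr_egress(seqs: List[RouteMapSeq], src: str, dst: str,
               hop_to_if: dict, default_if: str) -> str:
    """PBR: the first sequence whose ACL permits the flow sets the next hop;
    otherwise the flow follows the routing table (here: the default route)."""
    for s in seqs:
        if acl_permits(s.acl, src, dst):
            return hop_to_if[s.next_hop]
    return default_if


def select_nat(statements: List[Tuple[List[RouteMapSeq], str]],
               src: str, dst: str, egress_if: str) -> Optional[str]:
    """'ip nat inside source route-map X interface Y overload' lines are
    checked in order; the first whose route-map matches translates the flow.
    Returns the outside interface used for translation, or None."""
    for route_map, outside_if in statements:
        for seq in route_map:
            if seq.interface is not None and seq.interface != egress_if:
                continue                # 'match interface' clause failed
            if acl_permits(seq.acl, src, dst):
                return outside_if
    return None


# Constructed policy: 10.1.1.0/24 stays on the old ISP (E1), 20.1.1.0/24
# moves to the new ISP (E2), and the default route points at the old ISP.
ACL_10 = [AclEntry("permit", "10.1.1.0", "0.0.0.255")]
ACL_20 = [AclEntry("permit", "20.1.1.0", "0.0.0.255")]
ACL_ANY = [AclEntry("permit", "0.0.0.0", "255.255.255.255")]
HOP_TO_IF = {"ISP1": "E1", "ISP2": "E2"}
PBR = [RouteMapSeq(ACL_10, next_hop="ISP1"), RouteMapSeq(ACL_20, next_hop="ISP2")]


def flow(src: str, dst: str, nat_acl_isp1: List[AclEntry],
         nat_acl_isp2: List[AclEntry], match_interface: bool) -> Tuple[str, Optional[str]]:
    """Return (egress interface chosen by PBR, outside interface chosen by NAT)."""
    egress = pbr_egress(PBR, src, dst, HOP_TO_IF, default_if="E1")
    nat_statements = [
        ([RouteMapSeq(nat_acl_isp1, interface="E1" if match_interface else None)], "E1"),
        ([RouteMapSeq(nat_acl_isp2, interface="E2" if match_interface else None)], "E2"),
    ]
    return egress, select_nat(nat_statements, src, dst, egress)


# Extended ACL in the style of "deny the VPN destinations, permit the hosts
# meant for the new ISP"; the VPN/HQ subnet 192.168.10.0/24 is a placeholder.
ACL_VPN_EXEMPT = [
    AclEntry("deny", "192.168.3.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    AclEntry("permit", "192.168.3.128", "0.0.0.127"),
]


if __name__ == "__main__":
    print(flow("10.1.1.5", "198.51.100.10", ACL_10, ACL_20, False))    # ('E1', 'E1')
    print(flow("20.1.1.5", "198.51.100.10", ACL_10, ACL_20, False))    # ('E2', 'E2')
    # Overlapping NAT ACLs without 'match interface': the first NAT line wins
    # even though PBR already sent the flow out E2 (asymmetric translation).
    print(flow("20.1.1.5", "198.51.100.10", ACL_ANY, ACL_ANY, False))  # ('E2', 'E1')
    print(flow("20.1.1.5", "198.51.100.10", ACL_ANY, ACL_ANY, True))   # ('E2', 'E2')
    print(acl_permits(ACL_VPN_EXEMPT, "192.168.3.200", "192.168.10.5"))  # False
```

The third call is the case Marwan's note is about: with NAT ACLs that overlap (here both `permit any`), PBR chooses E2 but the first NAT statement still translates the packet to E1's address, so the ISP on E2 sees a source address it did not assign. Adding the `match interface` clause (fourth call) makes the NAT choice follow the egress interface. The last call shows the deny-then-permit ACL: traffic to the VPN subnet is excluded from translation, while the same hosts going anywhere else are matched.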

Hello Marwan,

only a small note:

Mike is going to use a single WAN interface, with the new ISP on a secondary IP address. For this reason I thought that using a NAT pool to represent the secondary address is more sure, that is, when we use interface type x/y in NAT we are referring to the primary address.

Hence the small changes in my proposal.

Mike:

yes using static NAT you are in a match with the link I had provided in my second post in this thread.

Hope to help

Giuseppe

Hi Giuseppe

I think I hadn't noticed this point

anyway, all the solutions provided in the discussion are still valid, except that, as you mentioned, in the case of a secondary IP Mike needs to use a pool with the overload option

thank you, and good luck to Mike

Hi Mike

see this document, which will give all the information and configuration steps

https://supportforums.cisco.com/docs/DOC-8313

good luck

Thanks for everyone's help so far, I do plan on rating all of your suggestions/recommendations when I get the plan implemented.

That being said, I have not been able to configure the router yet because my new ISP has thrown a bit of a monkey wrench into things.  They have provided me with a pre-configured Cisco DPC3000 cable modem.

They have assigned me a CIDR block instead of giving me an IP Range like I am used to.  It appears, from their documentation, I should be using xx.xxx.178.100 (seen below) as my wan interface, then using the CIDR block as my internal IP address range.  This simply won't do because we have a lot more machines inside our network than the block provides for, and there are a lot of services in place that would be very difficult to re-work into the new address range.

Question here is, can I use this CIDR block on my 1710?  If so, what's the best way to implement it considering I want to have both ISPs up for a period of time in the transition phase?  I have been told by the ISP that it is impossible to set the WAN IP and the CIDR block on the external interface on the router.

My old isp gave me a range of 32 addresses, and a gateway to use as the default route from my router... simple enough. I set one of the range as my wan interface, use it as a nat overload IP, then I statically nat a bunch of internal machines to the outside world (hence my need for an IP Range).

The new ISP has given me this

For my wan Interface it's

IP: xx.xxx.178.100

Mask: 255.255.255.224

gateway: xx.xxx.178.65

For my CIDR Block

Subnet: xx.xxx.163.192/27

Mask: 255.255.255.224

Gateway: xx.xxx.163.193

If I set xx.xxx.178.100 with the right mask as a secondary and try to ping the upstream router, I get very sketchy results.  If I ping directly to the upstream router it fails.  If I use xx.xxx.178.100 as the source interface, I get a lot of timeouts but occasionally I get a reply.  If I disconnect the router from the cable modem, and set up a workstation with the 178.100 address, I can ping the upstream router consistently.

Here is my config

interface Ethernet0
description "Connected to the Net"
ip address xx.xxx.178.100 255.255.255.192 secondary
ip address yy.yy.89.66 255.255.255.192
ip nat outside
no ip mroute-cache
half-duplex
crypto map test
!
interface FastEthernet0
description "Internal Lan"
ip address 192.168.3.254 255.255.255.0
ip nat inside
ip route-cache policy
ip policy route-map rock
no ip mroute-cache
speed auto
half-duplex

ip route 0.0.0.0 0.0.0.0 yy.yy.89.65

!route-map nonat is for vpn traffic

ip nat inside source route-map nonat interface Ethernet0 overload

Are you using a switch between your router and ISP links?

If yes, try the following method:

in your switch create a trunk link on the port connected to it

in your switch create two VLANs: VLAN 2 for ISP 1 and VLAN 3 for ISP 2

put the ISP 1 port in the switch in VLAN 2 and the ISP 2 port in the switch in VLAN 3

in your router use subinterfaces instead of secondary IPs

int ethernet0
no shut
ip nat outside
!
int ethernet0.1
encapsulation dot1q 2
ip address x.x.x.x
ip nat outside
!
int ethernet0.2
encapsulation dot1q 3
ip address y.y.y.y
ip nat outside

and use your normal nating config

good luck
