ISR 2921 - Configuration Help

bhicks
Level 1

Hi,

I just purchased a Cisco 2921 ISR. I want to set it up to be in between our switches and our internet connections. I added an extra port to handle the extra connection (so a total of 4).

Our company is set up like this:

T1 - Main internet. (x.x.x.248)

Marketing DSL (x.x.x.251)

Media DSL. (x.x.x.254)

I want to put the ISR in between the switches and these three WAN or ISP connections. The two DSL connections are for separate use by other departments so they don't kill our bandwidth. The setup would be to move the internet connections from our switches to the router. Then have a network cable joining the router to our switches. Then I can do some routing on the traffic.

I don't want to have to change the IPs of each of the gateways. How can I do this?

I don't want any load balancing or failover. Just the x.x.x.248 as the route of last resort and have traffic go to the correct ISP if they specify x.x.x.251 or x.x.x.254 as the gateway on their PCs.

Thanks in advance.

6 Replies

Edison Ortiz
Hall of Fame

I'm afraid you need to change the gateway on your PCs.

You could run IRB (Integrated Routing and Bridging) if the interface type on the LAN and WAN were Ethernet.

You aren't concerned about protecting the internal devices with NAT and/or iACLs?

Regards

Edison

Thanks for the help. Will this scenario work:

Change LAN side to the gateway IP (x.x.x.248 ==> currently in use by the ASA on the LAN side for the T1).

Change the LAN side of the ASA to some other subnet and put it on a WAN port on the router. Then set that as the route as last option.

Then change the WAN IPs to get the IP from the DSL modems. Then I could, based on the source, route the traffic to either one of these 2 DSL connections.

Then I could set up routing to the other two DSL connections based on the source or the destination?

If I have the 3 ISP connections on the WAN side, 1 connection to the switches on the LAN side, how would it work if users from the marketing department specified a gateway? Would I just intercept it on the router and redirect it? Or would I give the WAN interface a fictitious subnet, and have the users change their gateway to point to it?

Sorry for rambling. I'm new to this and I want to make sure I know what to do.

> Change LAN side to the gateway IP (x.x.x.248 ==> currently in use by the ASA on the LAN side for the T1).
>
> Change the LAN side of the ASA to some other subnet and put it on a WAN port on the router. Then set that as the route as last option.

Yes, you need to renumber your LAN port to a private IP address.

All devices on that LAN port will also need to be renumbered, and the gateway will be the new LAN private IP address on the router.

You will move your public IP address to the respective WAN interface.


The router will have a default gateway pointing to each ISP and you need to implement PBR (as Paolo noted) to influence which ISP the client(s) are going to use.

As you are a newbie, I recommend keeping this process simple and using one ISP as primary while keeping the others as backup. With this design, you don't need to use PBR. All you need to do is configure a default gateway to the primary ISP and two other 'weighted' default gateways pointing to the backup ISPs.

> If I have the 3 ISP connections on the WAN side, 1 connection to the switches on the LAN side, how would it work if users from the marketing department specified a gateway? Would I just intercept it on the router and redirect it? Or would I give the WAN interface a fictitious subnet, and have the users change their gateway to point to it?

To force routing based on source, you need to configure PBR. Again, if you aren't proficient in routing, this task can be difficult to deploy. I highly recommend you hire a contracting firm to do this work for you.

Regards

Edison.
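
The source-based design discussed in the replies above, written out as IOS configuration: PBR on the LAN interface, the T1 behind the ASA as the route of last resort, and NAT overload on the two DSL links. This is an added example, not configuration posted by any participant; the subnets, next-hop addresses, interface names and ACL/route-map names are assumptions, and it assumes the ASA keeps doing NAT for the T1 and has a route back to the LAN subnet.

```cisco
! Added example; all addresses and interface names are constructed.
! LAN 192.168.10.0/24: marketing hosts = .64/26, media hosts = .128/26,
! every other host uses the T1.
ip access-list standard MKT-HOSTS
 permit 192.168.10.64 0.0.0.63
ip access-list standard MEDIA-HOSTS
 permit 192.168.10.128 0.0.0.63
!
! PBR: the ISP is chosen from the source address, not from the PC's gateway.
route-map ISP-SELECT permit 10
 match ip address MKT-HOSTS
 set ip next-hop 203.0.113.1
route-map ISP-SELECT permit 20
 match ip address MEDIA-HOSTS
 set ip next-hop 203.0.113.5
! A packet matching neither clause follows the normal routing table.
!
interface GigabitEthernet0/0
 description LAN to switches (single gateway for every PC)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map ISP-SELECT
!
interface GigabitEthernet0/1
 description To ASA 5505 / T1 (ASA performs NAT for this path)
 ip address 10.255.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Marketing DSL
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/0/0
 description Media DSL (added port; slot numbering is an assumption)
 ip address 203.0.113.6 255.255.255.252
 ip nat outside
!
! Route of last resort: the T1 via the ASA.
ip route 0.0.0.0 0.0.0.0 10.255.0.1
!
! Hide each department behind the address of its own DSL interface.
ip nat inside source list MKT-HOSTS interface GigabitEthernet0/2 overload
ip nat inside source list MEDIA-HOSTS interface GigabitEthernet0/0/0 overload
```

`show route-map ISP-SELECT` reports how many packets matched each clause, and `show ip nat translations` shows which outside address a given flow was translated to.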

paolo bevilacqua
Hall of Fame

What you want to do is called "policy routing". Also, it is recommended that you move the NAT functionality from other devices to the router.

I recommend you engage a reputable consultant, or certified cisco partner, for this type of work.

Thanks for the reply. I do appreciate your help.

Our T1 is protected by an ASA5505 firewall. Our other DSL will be protected by the firewall on the 2921, or at least it will be once I get the license upgrade from Cisco.

For normal use, NAT protection on a router is enough. I have never seen a case in which security was violated in the presence of NAT.
