Comments on a dual WAN solution

Unanswered Question
Jun 18th, 2010

Hello folks,


One of our customers has two internet connections (one for data and one for VoIP) that we have connected to the two routed interfaces of an ISR 1812W.

The goal is to separate the data and VoIP traffic and send it out of the correct connection - it is NOT to be used for failover scenarios. Using the configuration below I can control which data should be routed/PAT'ed out of the VoIP interface by issuing a route command for each specific destination.

Is the configuration that I have made okay or is there a better approach? How would you do it?


I'm especially interested in hearing your comments about the route-maps and their associated access-lists.


Thank you for your input.


------------------------------


interface FastEthernet0
 description DATA
 ip address 95.201.113.242 255.255.255.248
 ip access-group Outside in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpnmap
!
interface FastEthernet1
 description VOIP
 ip address 95.201.113.250 255.255.255.248
 ip access-group Outside-f1 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 ip address 192.168.6.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 95.201.113.241
ip route 79.61.149.20 255.255.255.255 95.201.113.249
ip route 117.74.116.99 255.255.255.255 95.201.113.249
!
ip nat inside source route-map DATA interface FastEthernet0 overload
ip nat inside source route-map VOIP interface FastEthernet1 overload
!
route-map VOIP permit 10
 match ip address VoIP-out
 match interface FastEthernet1
!
route-map DATA permit 10
 match ip address NatList
 match interface FastEthernet0
!
ip access-list extended NatList
 remark VPN related
 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.6.0 0.0.0.255 any
!
ip access-list extended VoIP-out
 permit ip 192.168.6.0 0.0.0.255 any

spremkumar Fri, 06/18/2010 - 03:03

Hi Jesper


I could see a crypto map under fasteth0 which needs to be taken care of when you want to divert your data traffic on fasteth1 in case of failures.


But I won't suggest that since it will definitely affect your voice traffic.


Since your data communication happens through the secure IPsec tunnel, you need to make sure you create a similar crypto map on both ends with the respective peer IP addresses on it.


Also, I see you are using the same subnet for both data and voice, which will be another thing that needs to be solved.


regds

jesper_petersen Fri, 06/18/2010 - 04:15

Hi spremkumar,


Thank you for your reply. The crypto stuff is not an issue as the two WAN links are not to be used in any kind of failover scenarios (both links go to the same ISP). So the crypto is only needed on the data interface.


Yes, the data and voice traffic share the same IP subnet and VLAN. As of now it will hardly be possible to separate the two.
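
To check which uplink and PAT rule a flow from 192.168.6.0/24 ends up on under the configuration in the opening post, the route lookup and the two NAT route-maps can be modelled offline. This is an added example, not code from the thread; it assumes only the static routes, ACLs and route-maps shown above matter (inspection, the inbound ACLs and the crypto map are not modelled), and the function names and sample destinations are made up for illustration.

```python
import ipaddress

# Values below are copied from the posted config; 255.255.255.248 is a /29.
INTERFACES = {
    "FastEthernet0": ipaddress.ip_interface("95.201.113.242/29"),  # DATA
    "FastEthernet1": ipaddress.ip_interface("95.201.113.250/29"),  # VOIP
}
ROUTES = [  # (destination prefix, next hop)
    ("0.0.0.0/0", "95.201.113.241"),
    ("79.61.149.20/32", "95.201.113.249"),
    ("117.74.116.99/32", "95.201.113.249"),
]
INSIDE = ipaddress.ip_network("192.168.6.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
ACLS = {  # (action, source, destination); first match wins
    "NatList": [("deny", INSIDE, ipaddress.ip_network("10.0.0.0/8")),
                ("permit", INSIDE, ANY)],
    "VoIP-out": [("permit", INSIDE, ANY)],
}
NAT_RULES = [  # (route-map, ACL it matches, interface it matches and PATs to)
    ("DATA", "NatList", "FastEthernet0"),
    ("VOIP", "VoIP-out", "FastEthernet1"),
]

def egress(dst):
    """Longest-prefix match, then resolve the next hop to its connected interface."""
    d = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), ipaddress.ip_address(nh)) for p, nh in ROUTES]
    _, next_hop = max((r for r in nets if d in r[0]), key=lambda r: r[0].prefixlen)
    return next(n for n, i in INTERFACES.items() if next_hop in i.network)

def acl_permits(name, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in ACLS[name]:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def classify(src, dst):
    """Return (egress interface, NAT route-map or None) for an inside flow."""
    out_if = egress(dst)
    for rmap, acl, nat_if in NAT_RULES:
        # Both match clauses of the route-map entry must hold.
        if nat_if == out_if and acl_permits(acl, src, dst):
            return out_if, rmap
    return out_if, None  # leaves untranslated (the VPN case)

if __name__ == "__main__":
    for dst in ("198.51.100.7", "79.61.149.20", "10.1.2.3"):  # constructed samples
        print(dst, classify("192.168.6.10", dst))
```

Because VoIP-out permits any destination, the routing table alone decides what leaves via FastEthernet1; only NatList carries the exemption that keeps 10.0.0.0/8 traffic untranslated for the tunnel.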
