2 Default Routes in a single router with 2 ISP

worldcalltel
Level 1

I am using a 7206 router with 3 FastEthernet ports: port 1 - ISP1, port 2 - ISP2, port 3 - connected to a 3524XL switch. To separate each public LAN IP I created 2 VLANs. My question now: how could I force each subnet to go to its corresponding ISP? I know that creating 2 default routes will create conflicts. See below for my current configuration:

7206 Router
------------

interface FastEthernet1/0
 description to ISP1-WAN
 ip address 203.192.165.x 255.255.255.252

interface FastEthernet2/0
 description ISP2-WAN
 ip address 61.28.165.x 255.255.255.252

interface FastEthernet3/0.1
 description ISP1_Public LAN
 encapsulation dot1q 10
 ip address 61.14.x.x 255.255.255.128

interface FastEthernet3/0.2
 description ISP2_Public LAN
 encapsulation dot1q 20
 ip address 116.50.x.x 255.255.255.128

0.0.0.0 0.0.0.0 203.192.165.x - to ISP1
0.0.0.0 0.0.0.0 61.28.165.x - to ISP2

What I want to know is: if I connect 2 PCs, one in the 116.50.x.x subnet and one in the 61.14.x.x subnet, and both try to access the internet at the same time, will the traffic go to the ISP2 default route or to ISP1? Both have the same administrative distance, so it would create conflicts. How do I resolve this problem? What would be the best approach to this kind of problem?

4 Replies

Jon Marshall
Hall of Fame

PBR would allow you to do this outbound.

! ACL 101 = ISP1 public LAN (61.14.x.x), sent to the ISP1 next hop
access-list 101 permit ip 61.14.x.x 0.0.0.127 any
! ACL 102 = ISP2 public LAN (116.50.x.x), sent to the ISP2 next hop
access-list 102 permit ip 116.50.x.x 0.0.0.127 any

route-map TOINTERNET permit 10
 match ip address 101
 set ip next-hop 203.192.165.x

route-map TOINTERNET permit 20
 match ip address 102
 set ip next-hop 61.28.165.x

int fa3/0.1
 ip policy route-map TOINTERNET

int fa3/0.2
 ip policy route-map TOINTERNET

Note that this will only guarantee that outbound traffic uses the correct links. How the traffic is routed back is dependent on the ISP routing.

Jon

Hi Jon,

What do you mean by "how the traffic is routed back is dependent on the ISP routing"? Does it mean I have to check this with our providers? Will the command set ip next-hop 61.28.165.x replace the default route command 0.0.0.0 0.0.0.0 61.28.165.x?

What do you mean by "how the traffic is routed back is dependent on the ISP routing"?

Since you have been assigned address blocks from ISP 1 and ISP 2, suppose, for example, that you use a host address from ISP 1's address block and use the default gateway from ISP 2 to route the traffic (provided ISP 2 will not be filtering the address). In that scenario, traffic will go out through ISP 2 and come back through ISP 1, since the source address does not belong to ISP 2's address block. To avoid this kind of asymmetric routing, you need to configure policy-based routing to set next hops appropriately based on the source address.

HTH

Lejoe

Giuseppe Larosa
Hall of Fame

Hello Jaime,

In your case you need to use PBR to force traffic from the IP block of provider1 to exit on the link to provider1.

You need to apply a route-map on the interfaces receiving traffic:

access-list 111 permit ip 61.14.x.0 0.0.0.127 any
access-list 112 permit ip 116.50.x.0 0.0.0.127 any

route-map pbr-isp1 permit 10
 match ip address 111
 set ip next-hop 203.192.165.x

route-map pbr-isp2 permit 10
 match ip addr 112
 set ip next-hop 61.28.165.x

int f3/0.1
 ip policy route-map pbr-isp1

int f3/0.2
 ip policy route-map pbr-isp2

This should solve your issue.

Note: you may want to modify the ACLs to permit routing of traffic on the inside; for that, use some deny statements before the current single statement.

Hope to help

Giuseppe
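
The note above about placing deny statements ahead of the single permit, worked through as an added example that is not part of the original thread. The addresses are constructed stand-ins from the RFC 5737 documentation ranges, because the thread masks the real ones with "x"; the route-map and interface names follow the reply above.

```cisco
! Constructed addresses (RFC 5737 documentation ranges), not the thread's:
!   ISP1 public LAN 192.0.2.0/25      ISP1 gateway 203.0.113.1
!   ISP2 public LAN 198.51.100.0/25   ISP2 gateway 203.0.113.5
!
! A deny entry in an ACL used by PBR means "do not policy-route":
! the packet falls through to the normal routing table, so traffic
! between the two LANs stays on the router instead of going to an ISP.
access-list 111 deny   ip 192.0.2.0 0.0.0.127 198.51.100.0 0.0.0.127
access-list 111 permit ip 192.0.2.0 0.0.0.127 any
!
access-list 112 deny   ip 198.51.100.0 0.0.0.127 192.0.2.0 0.0.0.127
access-list 112 permit ip 198.51.100.0 0.0.0.127 any
!
route-map pbr-isp1 permit 10
 match ip address 111
 set ip next-hop 203.0.113.1
!
route-map pbr-isp2 permit 10
 match ip address 112
 set ip next-hop 203.0.113.5
!
interface FastEthernet3/0.1
 ip policy route-map pbr-isp1
!
interface FastEthernet3/0.2
 ip policy route-map pbr-isp2
!
! Verify from exec mode:
!   show ip policy          (which route-map is bound to which interface)
!   show route-map          (policy routing match counters per clause)
!   show access-lists 111   (hit counts on the deny and permit entries)
```

Hit counts on the deny entries confirm that LAN-to-LAN traffic is bypassing policy routing, while the route-map match counters show how much traffic is being steered to each ISP.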
