11-25-2008 11:32 PM - edited 03-04-2019 12:30 AM
I'm using a 7206 router with 3 FastEthernet ports: port 1 - ISP1, port 2 - ISP2, port 3 - connected to a 3524XL switch. To separate each public LAN IP I created 2 VLANs. My question now: how can I force each subnet to go to its corresponding ISP? I know that creating 2 default routes will create conflicts. See below for my current configuration:
7206 Router
------------
interface FastEthernet1/0
 description to ISP1-WAN
 ip address 203.192.165.x 255.255.255.252
interface FastEthernet2/0
 description ISP2-WAN
 ip address 61.28.165.x 255.255.255.252
interface FastEthernet3/0.1
 description ISP1_Public LAN
 encapsulation dot1q 10
 ip address 61.14.x.x 255.255.255.128
interface FastEthernet3/0.2
 description ISP2_Public LAN
 encapsulation dot1q 20
 ip address 116.50.x.x 255.255.255.128
0.0.0.0 0.0.0.0 203.192.165.x - to ISP1
0.0.0.0 0.0.0.0 61.28.165.x - to ISP2
What I want to know is: if I connect 2 PCs, one in the 116.50.x.x subnet and one in the 61.14.x.x subnet, and both try to access the Internet at the same time, will the traffic go to the ISP2 default route or to ISP1? Both have the same administrative distance, so it would create conflicts. How do I resolve this problem? What would be the best approach to this kind of problem?
11-25-2008 11:44 PM
PBR would allow you to do this outbound.
access-list 101 permit ip 116.50.x.x 0.0.0.127 any
access-list 102 permit ip 61.14.x.x 0.0.0.127 any
route-map TOINTERNET permit 10
 match ip address 101
 set ip next-hop 203.192.165.x
route-map TOINTERNET permit 20
 match ip address 102
 set ip next-hop 61.28.165.x
int fa3/0.1
 ip policy route-map TOINTERNET
int fa3/0.2
 ip policy route-map TOINTERNET
Note that this will only guarantee that outbound traffic uses the correct links. How the traffic is routed back is dependent on the ISP routing.
Jon
11-26-2008 08:49 PM
Hi Jon,
What do you mean by "how the traffic is routed back is dependent on the ISP routing"? Does it mean I have to check this with our providers? In the command set ip next-hop 61.28.165.x, will this replace the default route command 0.0.0.0 0.0.0.0 61.28.165.x?
11-26-2008 09:04 PM
What do you mean by "how the traffic is routed back is dependent on the ISP routing"?
You have been assigned address blocks from ISP 1 and ISP 2. Suppose, for example, that you use a host address from ISP 1's address block and use the default gateway from ISP 2 to route the traffic (provided ISP 2 will not be filtering the address). In that scenario, traffic will go through ISP 2 and come back through ISP 1, since the source address does not belong to ISP 2's address block. To avoid this kind of asymmetric routing, you need to configure policy-based routing to set next-hops appropriately based on the source address.
HTH
Lejoe
11-25-2008 11:46 PM
Hello Jaime,
In your case you need to use PBR to force traffic from the IP block of provider1 to exit on the link to provider1.
You need to apply a route-map on the interfaces receiving traffic:
access-list 111 permit ip 61.14.x.0 0.0.0.127 any
access-list 112 permit ip 116.50.x.0 0.0.0.127 any
route-map pbr-isp1 permit 10
 match ip address 111
 set ip next-hop 203.192.165.x
route-map pbr-isp2 permit 10
 match ip addr 112
 set ip next-hop 61.28.165.x
int f3/0.1
 ip policy route-map pbr-isp1
int f3/0.2
 ip policy route-map pbr-isp2
This should solve your issue.
Note: you may want to modify the ACLs to allow traffic to be routed on the inside; for that, use some deny statements before the current single statement.
Hope to help
Giuseppe
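Added example (not part of any post in this thread): a small Python model of the forwarding decision discussed above, covering both the source-filtering point in Lejoe's reply and the deny-before-permit note in Giuseppe's. The addresses are constructed RFC 5737 documentation ranges standing in for the masked ones, the single remaining default route via ISP1 is an assumption, and all names are hypothetical.

```python
import ipaddress as ip

# Constructed addressing (RFC 5737 ranges) standing in for the thread's
# masked addresses; every name below is hypothetical.
LAN1 = ip.ip_network("192.0.2.0/25")        # ISP1 public LAN (Fa3/0.1)
LAN2 = ip.ip_network("198.51.100.0/25")     # ISP2 public LAN (Fa3/0.2)
ISP1_GW, ISP2_GW = "203.0.113.1", "203.0.113.5"
OWNER = {ISP1_GW: LAN1, ISP2_GW: LAN2}      # block each ISP assigned
ANY = ip.ip_network("0.0.0.0/0")

# Extended ACLs: ordered (action, source, destination); first match wins.
ACL = {
    111: [("deny", LAN1, LAN2), ("permit", LAN1, ANY)],
    112: [("deny", LAN2, LAN1), ("permit", LAN2, ANY)],
}
# One route-map per ingress subinterface: ordered (acl, next_hop) clauses.
POLICY = {"Fa3/0.1": [(111, ISP1_GW)], "Fa3/0.2": [(112, ISP2_GW)]}
DEFAULT_GW = ISP1_GW  # assumption: only one default route stays in the table


def acl_permits(acl, src, dst):
    """Return True on a permit entry; a deny or no match means no policy hit."""
    for action, s, d in ACL[acl]:
        if src in s and dst in d:
            return action == "permit"
    return False


def forward(ingress, src, dst, pbr=True):
    """Return the chosen next hop, or 'connected' for LAN-to-LAN traffic."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if pbr:
        for acl, next_hop in POLICY.get(ingress, []):
            if acl_permits(acl, src, dst):
                return next_hop             # policy-routed by source address
    # Not policy-routed: ordinary destination-based lookup.
    if dst in LAN1 or dst in LAN2:
        return "connected"
    return DEFAULT_GW


def passes_source_filter(next_hop, src):
    """True if the ISP behind next_hop accepts src when it filters on its own block."""
    return ip.ip_address(src) in OWNER[next_hop]
```

Calling `forward("Fa3/0.2", "198.51.100.10", "198.18.0.10", pbr=False)` shows the ISP2-addressed host leaving via ISP1, where `passes_source_filter` reports it would be dropped by an ISP that filters on source address.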