The client has two internet lines from different ISPs (the DNS servers are different for the two lines) and wants to use both internet lines as active/active. For active/passive I believe IP SLA will be helpful, but for active/active what should be used (is it PBR)?
Right now only a single internet line is functional and the second internet line needs to be connected to the network.
Furthermore, an ASA firewall needs to be deployed between the core switch and the internet router.
Do I need to connect the second internet line to the same router, or do I have to use another router? Kindly advise.
Could you please elaborate your answer, if possible with a simple configuration example? I am using the 192.168.X.X and 10.10.X.X subnets.
On the core switch there is one default route pointing to the router. On the router, if I do the configuration below, where 192.168.x.x traffic is forwarded to ISP A and 10.10.x.x traffic is forwarded to ISP B, will it work?
! 0.0.255.255 covers the whole 192.168.x.x range described above
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
!
route-map test permit 10
 match ip address 101
 set interface fa0/0
route-map test permit 20
 match ip address 102
 set interface fa0/1
route-map test permit 30
!
ip local policy route-map test
Usually we do the PAT on the router where the public IP is terminating in order to allow internet access to all the users.
I did not get why you advised doing NAT on the router.
Additionally, the customer asks that if ISP A is down, traffic should be forwarded via ISP B, and vice versa.
Try using set ip next-hop next_hop1 next_hop2 next_hopx instead of set interface; using the interface requires more lookups unless the IP of that particular interface is dynamic. You need to apply the policy on the interface inbound. The ip local policy is to use PBR for traffic generated by the router itself.
If you have the public IPs on the router, then the best place to do NAT is on the router.
Could you please have a look at the summarized points below.
1. When traffic for subnet 192.168.x.x arrives at the router it will be forwarded to ISP 1 using PBR.
2. When traffic for subnet 10.10.x.x arrives at the router it will be forwarded to ISP 2 using PBR.
3. Topology will be like this:

                                                       |-----> ISP1 -----> Internet
   LAN ------> Core Switch ------> Firewall ------> Router ---|
                                                       |-----> ISP2 -----> Internet

4. Solution Configuration
==========================
interface FastEthernet1/0
 description LAN
 ip address 172.16.1.254 255.255.255.0
 ip nat inside
 ! this is for policy based routing
 ip policy route-map PBR
!
interface FastEthernet1/1
 description To ISP 1
 ip address <public IP1> 255.255.255.252
 ip nat outside
!
interface FastEthernet2/0
 description To ISP 2
 ip address <public IP 2> 255.255.255.252
 ip nat outside
!

PBR Configuration.
========================
! 0.0.255.255 covers the whole 192.168.x.x range described in point 1
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
!
! route-map name matches the "ip policy route-map PBR" applied on FastEthernet1/0
! the next hop is the ISP gateway address on each /30, not the router's own public IP
route-map PBR permit 10
 match ip address 101
 set ip next-hop <ISP1-Next-Hop-IP>
route-map PBR permit 20
 match ip address 102
 set ip next-hop <ISP2-Next-Hop-IP>
! sequence 30 has no match/set, so everything else follows the routing table
route-map PBR permit 30

Routing
===============
ip route 0.0.0.0 0.0.0.0 <ISP1-Next-Hop-IP>
ip route 0.0.0.0 0.0.0.0 <ISP2-Next-Hop-IP>
!
! standard ACLs referenced by the NAT route-maps: 20 for the ISP1 subnet, 10 for the ISP2 subnet
access-list 20 permit 192.168.0.0 0.0.255.255
access-list 10 permit 10.10.0.0 0.0.255.255
!
route-map ISP1 permit 10
 match ip address 20
 match interface FastEthernet1/1
!
route-map ISP2 permit 10
 match ip address 10
 match interface FastEthernet2/0
!
ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload
I can see one disadvantage in the above configuration, i.e. there is no failover: when ISP1 is down, 192.168.x.x traffic does not switch to ISP2, and vice versa for 10.10.x.x. Additionally, how can I assign DNS IP addresses on the router or clients, as they are different for ISP1 and ISP2? (Is it like this: ip name-server x.x.x.x x.x.x.x x.x.x.x x.x.x.x?)
Do I need to use IP SLA tracking with static routes and PBR? Will the above solution work perfectly if I don't need any failover and just send 192.168.x.x traffic to ISP1 and 10.10.x.x traffic to ISP2?
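The failover pieces the last post asks about, as an added example that is not part of the thread. It assumes the interface names, ACL numbers and <placeholder> next hops from the summarized configuration above; PROBE1 and PROBE2 (hosts beyond each ISP that answer ICMP) are assumptions. Three things usually get missed: each probe must be pinned to its own ISP with a host route, the default routes need the track keyword, and the NAT route-maps must match on the outside interface only, otherwise traffic that fails over to the other ISP is not translated.

```cisco
! Added example (not the poster's config): IP SLA + tracked static routes +
! PBR with verify-availability. <placeholders>, PROBE1/PROBE2 are assumptions.
!
! Pin each probe target to "its" ISP. Without this, the ISP1 probe can be
! answered via ISP2 and track 1 never goes down.
ip route <PROBE1> 255.255.255.255 <ISP1-Next-Hop-IP>
ip route <PROBE2> 255.255.255.255 <ISP2-Next-Hop-IP>
!
ip sla 1
 icmp-echo <PROBE1> source-interface FastEthernet1/1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo <PROBE2> source-interface FastEthernet2/0
 frequency 10
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Both default routes installed; each is withdrawn when its track goes down.
ip route 0.0.0.0 0.0.0.0 <ISP1-Next-Hop-IP> track 1
ip route 0.0.0.0 0.0.0.0 <ISP2-Next-Hop-IP> track 2
!
! PBR: preferred ISP first, the other ISP as the fallback entry.
! verify-availability skips a next hop whose track is down; if every entry
! is down the packet falls back to the (tracked) routing table.
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
!
route-map PBR permit 10
 match ip address 101
 set ip next-hop verify-availability <ISP1-Next-Hop-IP> 1 track 1
 set ip next-hop verify-availability <ISP2-Next-Hop-IP> 2 track 2
route-map PBR permit 20
 match ip address 102
 set ip next-hop verify-availability <ISP2-Next-Hop-IP> 1 track 2
 set ip next-hop verify-availability <ISP1-Next-Hop-IP> 2 track 1
!
interface FastEthernet1/0
 ip policy route-map PBR
!
! NAT: match the exit interface only, so any inside subnet leaving via
! either ISP is translated to that ISP's address. Replaces the two
! source-restricted NAT route-maps above.
route-map ISP1 permit 10
 match interface FastEthernet1/1
route-map ISP2 permit 10
 match interface FastEthernet2/0
ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload
!
! Translations built on the dead ISP linger until they time out; flush
! them when a track changes state so sessions re-establish on the live ISP.
event manager applet ISP1-STATE-CHANGE
 event track 1 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
event manager applet ISP2-STATE-CHANGE
 event track 2 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

Check it with show track, show ip sla statistics and show route-map PBR (the policy counters show which sequence is being hit); then pull one ISP cable and confirm the track goes down, the default route disappears from show ip route, and the inside hosts keep reaching the internet through the other ISP. On the DNS question: ip name-server only affects lookups the router itself performs; the clients use whatever resolvers their DHCP scope or static configuration hands out, so list both ISPs' resolvers there (or run an internal resolver that forwards to both) so name resolution also survives a single-ISP failure.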