New Member

Adding a 2nd ISP

I just started working for a small company (~25 users).

Scenario: The upstairs and downstairs networks are separated. I would like to bring them together. The cabling exists already.

Downstairs and ALL of the phones run off a T1 with a 3 meg Up/Down

Upstairs has a 35Meg down / 3up cable modem.

Equipment: I've got a Cisco 2800 router with 2 interfaces, 1 for the T1 and 1 that connects the wireless trunk switch for the phone system, and 8 Layer 2 Fast Ethernet ports that have 5 switches plugged in, all on separate VLANs.

I have 1 Cisco Catalyst 2960. The rest of the switches are old Linksys 48 ports.

I have patched the cable modem that is upstairs down to the patch panel near the Cisco equipment. I would like to somehow have my LAN traffic go out the cable modem for all users, and reserve the T1 for phone use only. Is this possible with my current equipment?

I have tried to do policy-based routing but I cannot assign an IP address to the ports available to me. I guess I'm not sure what I need to do next. Somebody said to assign the modem to a VLAN but I'm not sure what he meant by that.

10 REPLIES

Adding a 2nd ISP

Hi Jason,

From what you have described, this could be achieved by creating a Layer 2 VLAN on the 2800 router:

conf t

vlan 2

name lan_traffic

end

For each of the switch ports on the 2800 that are connected to switches which PCs/servers are connected to, and the switch port which will go to the cable modem, you need to configure the same access VLAN on them:

conf t

int x/x

  switchport access vlan 2

  switchport mode access

  spanning-tree portfast

end

This will put all of your phone traffic on the default VLAN1 and all LAN traffic onto VLAN2.

However, if your phones require some other network services which are provided by servers/appliances on VLAN2, you will have to configure SVIs on the VLANs so that traffic can be routed between the VLANs on the 2800. These SVIs will need IPs which reside on the subnets running on the respective VLAN they are connected to:

conf t

int vlan2

  ip address x.x.x.x x.x.x.x

end

Let me know if you need further clarification.

cheers,

Seb.

New Member

Re: Adding a 2nd ISP

Okay,

makes sense, but my config is a little more complex than that. They have NATting set up on there. Maybe you could take a look at it (I've replaced all external IP addresses with x.x.x.x):

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-xxxxxxx

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-xxxxx

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-xxxxxx

certificate self-signed 01

(removed the encrypted gibberish)

quit

dot11 syslog

ip source-route

!

!

ip cef

ip dhcp database vlan2

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.0.1 10.0.0.30

ip dhcp excluded-address 10.0.1.1 10.0.1.30

ip dhcp excluded-address 10.0.0.201

ip dhcp excluded-address 10.0.2.240

ip dhcp excluded-address 10.0.3.1 10.0.3.30

ip dhcp excluded-address 10.0.4.1 10.0.4.30

ip dhcp excluded-address 192.168.10.1 192.168.10.30

!

ip dhcp pool VLAN4

network 10.0.2.0 255.255.255.0

default-router 10.0.2.1

dns-server x.x.x.x

!

ip dhcp pool VLAN6

network 10.0.4.0 255.255.255.0

default-router 10.0.4.1

dns-server x.x.x.x

!

ip dhcp pool VLAN8

network 192.168.10.0 255.255.255.0

default-router 192.168.10.1

dns-server x.x.x.x

!

ip dhcp pool _STATIC

host 10.0.0.31 255.255.255.0

!

ip ips notify SDEE

ip ips name sdm_ips_rule

no ipv6 cef

!

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group 25

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 25

l2tp tunnel timeout no-session 15

!

voice-card 0

!

(removed authentication)

!

redundancy

!

crypto ctcp port 10000

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key (statements_)

!

crypto isakmp client configuration group Vision

key xxxxx

pool SDM_POOL_1

acl 107

split-dns x.x.x.x1

split-dns x.x.x.x2

max-users 30

netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

match identity group Vision

client authentication list sdm_vpn_xauth_ml_2

isakmp authorization list sdm_vpn_group_ml_2

client configuration address respond

virtual-template 2

!

!

(crypto statements)

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA5

set isakmp-profile sdm-ike-profile-1

!

!

!

!

!

interface FastEthernet0/0

description WAN INTERFACE$FW_OUTSIDE$

ip address x.x.x.x 255.255.255.252

ip flow ingress

ip flow egress

ip nat outside

ip ips sdm_ips_rule in

ip virtual-reassembly in

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface FastEthernet0/1.1

description CORPORATE WIRELESS$FW_INSIDE$

encapsulation dot1Q 5

ip address 10.0.3.1 255.255.255.0

ip helper-address 10.0.0.10

ip nat inside

ip ips sdm_ips_rule in

ip virtual-reassembly in

!

interface FastEthernet0/1.2

description GUEST WIRELESS$FW_INSIDE$

encapsulation dot1Q 6

ip address 10.0.4.1 255.255.255.0

ip nat inside

ip ips sdm_ips_rule in

ip virtual-reassembly in

!

interface FastEthernet0/1.3

description ANOTHER COMPANY$FW_INSIDE$

encapsulation dot1Q 8

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip ips sdm_ips_rule in

ip virtual-reassembly in

!

interface FastEthernet0/0/0

!

interface FastEthernet0/0/1

switchport access vlan 2

!

interface FastEthernet0/0/2

switchport stacking-partner interface FastEthernet0/2/2

!

interface FastEthernet0/0/3

switchport access vlan 4

!

interface FastEthernet0/2/0

switchport access vlan 7

!

interface FastEthernet0/2/1

switchport access vlan 3

!

interface FastEthernet0/2/2

switchport stacking-partner interface FastEthernet0/0/2

!

interface FastEthernet0/2/3

(open interface)

!

interface Virtual-Template2 type tunnel

description $FW_INSIDE$

ip unnumbered FastEthernet0/0

ip ips sdm_ips_rule in

ip virtual-reassembly in

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Virtual-Template25

ip unnumbered Vlan2

peer default ip address pool PPTP

no keepalive

ppp encrypt mppe 128 required

ppp authentication ms-chap-v2

!

interface Vlan1

no ip address

ip ips sdm_ips_rule in

!

interface Vlan2

description  CORPORATE$FW_INSIDE$

ip address 10.0.0.1 255.255.255.0

ip helper-address 10.0.0.10

ip nat inside

ip ips sdm_ips_rule in

ip virtual-reassembly in

!

interface Vlan3

description TRAINING ROOMS$FW_INSIDE$

ip address 10.0.1.1 255.255.255.0

ip helper-address 10.0.0.10

ip nat inside

ip ips sdm_ips_rule in

ip virtual-reassembly in

!

interface Vlan4

description VOIP$FW_INSIDE$

ip address 10.0.2.1 255.255.255.0

ip ips sdm_ips_rule in

ip virtual-reassembly in

!

interface Vlan7

description DMZ$FW_OUTSIDE$

ip address x.x.x.x 255.255.255.224

ip access-group 102 in

ip ips sdm_ips_rule in

ip virtual-reassembly in

!

ip local pool SDM_POOL_1 10.0.0.210 10.0.0.250

ip local pool PPTP 10.0.0.205 10.0.0.209

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip flow-export destination 10.0.0.125 2055

!

ip nat pool COMPANY x.x.x.x y.y.y.y netmask 255.255.255.252

ip nat inside source list 1 pool COMPANY overload

ip route 0.0.0.0 0.0.0.0 X.x.x.x

!

logging esm config

access-list 1 remark NATTING

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 1 permit 10.0.3.0 0.0.0.255

access-list 1 permit 10.0.4.0 0.0.0.255

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 remark SDM_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 10.0.2.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 101 remark SDM_ACL Category=4

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.3.255

access-list 102 remark RESTRICTED DMZ

access-list 102 permit tcp x.x.x.x 0.0.0.31 10.0.0.0 0.0.7.255 established

access-list 102 permit tcp any x.x.x.x 0.0.0.31 eq 3389

access-list 102 permit tcp any host x.x.x.x eq 8000

access-list 102 permit tcp any host x.x.x.x eq www

access-list 102 permit tcp any x.x.x.x 0.0.0.31 eq www

access-list 102 permit tcp any x.x.x.x 0.0.0.31 eq ftp

access-list 102 permit tcp any x.x.x.x 0.0.0.31 eq 115

access-list 102 permit tcp any x.x.x.x 0.0.0.31 eq 22

access-list 102 permit tcp any x.x.x.x 0.0.0.31 eq ftp-data

access-list 102 permit udp x.x.x.x 0.0.0.31 eq domain 10.0.0.0 0.0.7.255

access-list 102 permit ip x.x.x.x 0.0.0.31 any

access-list 102 deny ip x.x.x.x 0.0.0.31 10.0.0.0 0.0.7.255

access-list 103 remark SDM_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 104 remark SDM_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.3.255

access-list 105 remark SDM_ACL Category=4

access-list 105 remark IPSec Rule

access-list 105 permit ip 10.0.2.0 0.0.0.255 192.168.22.0 0.0.0.255

access-list 106 remark SDM_ACL Category=4

access-list 106 remark IPSec Rule

access-list 106 permit ip 10.0.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 107 remark SDM_ACL Category=4

access-list 107 permit ip 10.0.0.0 0.0.0.255 any

access-list 109 remark VPN to Chennai

access-list 109 remark SDM_ACL Category=4

access-list 109 remark Chennai Voice Traffic

access-list 109 permit ip 10.0.2.0 0.0.0.255 192.168.20.0 0.0.0.255

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 108

!

!

!

!

control-plane

!

!

!

!

!

!

!

banner motd  C

###################################################################

#

###################################################################

 

!

line con 0

password

line aux 0

line vty 0 4

transport input ssh

!

!

monitor session 1 source interface Fa0/0/1 , Fa0/0/3

monitor session 1 destination interface Fa0/0/0

scheduler allocate 20000 1000

end

New Member

Adding a 2nd ISP

Oh, just to clarify: the VLANs that have the IP-HELPER statement are my inside LAN,

so the subnets 10.0.0.0 /24, 10.0.3.0 /24 and 10.0.1.0 /24.

The 10.0.2.0 /24 is the phone subnet.

Re: Adding a 2nd ISP

Try the following:

access-list 2 permit 10.0.0.0 0.0.0.255

access-list 2 permit 10.0.1.0 0.0.0.255

route-map cable_modem permit 10

match ip address 2

set ip next-hop

interface vlan 2

  ip policy route-map cable_modem

interface vlan 3

  ip policy route-map cable_modem

interface vlan9

  desc cable_modem vlan

  ip address

int fa0/0/3

  desc to cable modem

  switchport access vlan 9

  switchport mode access

  spanning-tree portfast

I assume your cable modem does NAT? Either way remove the 'ip nat inside' statements from interfaces vlan 2 and 3 .

Hope that helps.

cheers,

Seb.

New Member

Adding a 2nd ISP

Alright thanks, that makes perfect sense to me!!  I will test this after hours tonight and let you know how it works out.

Adding a 2nd ISP

Hi Jason,

On review, I think you need to add some NAT commands to my suggestion above.

First you need to NAT to VLAN 9 from 2 and 3:

interface vlan 2

  ip nat inside

interface vlan 3

  ip nat inside

ip nat inside source route-map cable_modem interface vlan 9 overload

You also need to tidy up the other NAT access-list:

no access-list 1 permit 10.0.0.0 0.0.0.255

no access-list 1 permit 10.0.1.0 0.0.0.255

Also, your existing NAT statement refers to a NAT pool 'COMPANY' which doesn't exist in the config. Should it refer to 'VISIONNAT'?

...and you have also left the external peer IP address visible in your config above.

cheers,

Seb.

New Member

Re: Adding a 2nd ISP

           
Oh alright, I was wondering why my testing was still going out the T1 last night. Also, I do have a static IP available on the cable modem. Would I need to create a second default route statement for that?

      

*Thanks for the heads up on having some of those IP addresses showing still. I thought I got them all.

New Member

Re: Adding a 2nd ISP

Okay, I am trying this only on the 10.0.1.0 subnet for now, since there is only one computer in use there currently, and it is not working.

Is there a need for an ip policy statement? I think that is what may be missing. Also, I used the static addresses of the cable modem.

Just to be sure, I set a laptop on the cable modem and set the static IP address, and it does work.

x.x.x.122 = usable

x.x.x.121 = gateway

x.x.x.123 = Broadcast

vlan 9

ip address x.x.x.122 255.255.255.252

route-map cable_modem permit 10

match ip address 10

set ip next-hop x.x.x.121

New Member

Adding a 2nd ISP

This issue is still not resolved. I am wondering if perhaps I need to remove my default route and add another policy-based route statement for the rest of the VLANs?

Adding a 2nd ISP

Your statement:

route-map cable_modem permit 10

match ip address 10

set ip next-hop x.x.x.121

Is not accurate for what we use with our local cable modem provider in a similar situation if next-hop x.x.x.121 is your cable modem. The next-hop should be the gateway IP address provided by the cable provider. I usually just do a tracert and find the next hop. Make sure your ACLs are set up properly as well.
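The pieces discussed across the replies above, consolidated into one configuration as an added example (not from any poster in this thread). It assumes the documentation block 203.0.113.0/30 in place of the redacted cable static addresses, port FastEthernet0/2/3 (listed as open in the posted config) for the modem, and the hypothetical names LAN_TO_CABLE and NAT_CABLE.

```cisco
! Added example. Addresses, port and the names LAN_TO_CABLE / NAT_CABLE are assumptions.
vlan 9
 name cable_modem
!
! Leave inter-VLAN and VPN-bound traffic on the normal routing table;
! policy-route only Internet-bound traffic from the two LAN subnets.
ip access-list extended LAN_TO_CABLE
 deny   ip any 10.0.0.0 0.0.7.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.1.0 0.0.0.255 any
!
route-map cable_modem permit 10
 match ip address LAN_TO_CABLE
 set ip next-hop 203.0.113.1
!
! NAT selection keyed on the egress interface, so the T1 rule is untouched.
route-map NAT_CABLE permit 10
 match ip address LAN_TO_CABLE
 match interface Vlan9
!
interface FastEthernet0/2/3
 description to cable modem
 switchport access vlan 9
 switchport mode access
 spanning-tree portfast
!
interface Vlan9
 description cable_modem vlan
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ! Same inbound inspection the posted config applies on the T1 outside interface
 ip ips sdm_ips_rule in
 ip virtual-reassembly in
!
interface Vlan2
 ip nat inside
 ip policy route-map cable_modem
!
interface Vlan3
 ip nat inside
 ip policy route-map cable_modem
!
ip nat inside source route-map NAT_CABLE interface Vlan9 overload
! Stop translating these two subnets to the T1 pool
no access-list 1 permit 10.0.0.0 0.0.0.255
no access-list 1 permit 10.0.1.0 0.0.0.255
```

`show route-map cable_modem` shows whether packets are hitting the policy, and `show ip nat translations` shows whether they are being translated to the Vlan9 address.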
