ISP-1 ------ ISP-2
same country ISP ------ outside of country ISP
------- My router (Cisco 7600)--------
User's real subnet (for example 18.104.22.168)
I have got two different ISPs connections from my router. One of the ISP is in my country (local ISP) , other IPS is in the different country. Here are the requiremets ;
If the traffic is p2p and if it goes to the outside of the country , use ISP-2. And the return of this traffic will come from the ISP-2 link. (syncronous traffic flow)
The other traffic types will use the ISP-1 connection. For example , maybe p2p traffic goes inside of the country. Use ISP-1 connection for this type of traffic as well.
How can i differentiate the traffic goes to the inside of the country , or the outside of the country ?
The users have got real ip addresses. (Nearly 10.000 users.) To catch the p2p traffic , i think we have to use NBAR. To route the different kind of traffic types , i think we have to use PBR. For this kind of request , i can use NATing on the ISP-2 link. But , is this cause any problem for this type of connection on the Cisco 7600 model router ? Is NAT doing on the Cisco 7600 router by software based or hardware based ? For complete scenario , we have to use NAT , PBR and NBAR. Is that cause any problem on the Cisco 7600 router , what about performance ? Could you give me an idea how can it be done ? Kind Regards...
first of all as long as you have the connectivity with your ISPs as bgp
then i twould say bgp will let you play with path-selction better than using nbar or PBR regarding simplicity and performance as well
u may need nbar or PBR in some sijuations butin general if u have multihomed bgp links
BGP can help u
about how to know this traffic ouside the country or inside
you need to kow your country real IPs range maybe the ISP can help you or search the net about the your country IPs range
this way yo can use wight or localprefrence to make the ISP1 link prefered for any traffic going to your country IP range
for traffic coming back it looks a bit tricky
but one trick you could use
as long as you gonna use nat
make the traffic going thorugh ISP1 use a spicific range of that nat and the other use the rest of the nat pool
this way you will have tow pools
oneuse through IPS1 abd other through ISP2
do ur nat correctly test it
then for any traffic going through ISP1 u goonsa use pool1 now add tow more ASs to IP range from pool2 and make it through route-map in the outboung direction toward ISP1
this way any traffic will use ISP2 thorugh pool2 will be ssen btter to go back thorugh ISPs as well
i think it look a bit complex but when configure it not very complex
this is an example of config
consider tow links u have and 22.214.171.124 is the range of outside country range and 126.96.36.199 is local range of your country
these to routes each one go thorugh diffrent link and also used as prepend to prefere the path back as well
wish this will help you just lab example just did it
router bgp 2200
neighbor 192.168.1.1 remote-as 10
neighbor 192.168.1.1 route-map AS10 in
neighbor 192.168.1.1 route-map map2 out
neighbor 192.168.2.1 remote-as 20
neighbor 192.168.2.1 route-map AS20 in
neighbor 192.168.2.1 route-map map1 out
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat pool 120 192.168.1.10 192.168.1.20 prefix-length 24
ip nat pool 150 192.168.2.10 192.168.2.20 prefix-length 24
ip nat inside source list 120 pool 120
ip nat inside source list 150 pool 150
logging alarm informational
access-list 1 permit 192.168.1.0
access-list 2 permit 192.168.2.0
access-list 10 permit 188.8.131.52 0.0.0.255
access-list 20 permit 184.108.40.206 0.0.0.255
access-list 120 permit ip any 220.127.116.11 0.0.0.255
access-list 150 permit ip any 18.104.22.168 0.0.0.255
route-map AS20 permit 20
match ip address 20
set weight 120
route-map AS20 permit 30
route-map AS10 permit 20
match ip address 10
set weight 120
route-map AS10 permit 30
route-map map1 permit 10
set as-path prepend 30
route-map map1 permit 20
match ip address 1
set as-path prepend 2200 2200 2200 2200
route-map map1 permit 30
route-map map2 permit 20
match ip address 2
set as-path prepend 2200 2200 2200 2200
route-map map2 permit 30
if helpful Rate
Just using AS path prepending is not enough to adjust certain inbound traffic. I have tested it , but i am still getting inbound traffic from ISP-2. I want to configure the ISP-2 link as backup for all traffic except p2p outside country traffic.
Is that possible to configure this kind of traffic flow without using NAT ?
what you mean in P2P is it the P2P download ?
AS prepend just a good way
but u need to checkl with your ISP what method thet consider for BGP attributes to influnce the path selection
ofcourse it is possible with nat and without nat depends on your network
u can use the ideas i posted above just done use nat will work the same
I mean peer to peer traffic. Peer to peer traffic to the outside of the country , i will go over the ISP-2 link , and the return traffic of this connection will come back through the same ISP-2 link.
My clients are using the real ip addresses. If i advertise their subnet from the ISP-1 with BGP to the outside world , the outside world knows them via the ISP-1 link and the their return traffic will come through the ISP-1 link.
I i catch the outside of the country with p2p traffic with NBAR and route this traffic to the ISP-2 with PBR , what about the return traffic of this connection ? At this point the NATing comes in the play. The outside of the country with p2p traffic's source ip address will be NATed to the ISP-2 NAT pool addresses. And this NAT pool addresses will be advertise with BGP only to the ISP-2 link. Therefore , the outside world knows this addresses only through the ISP-2 and the return traffic of this connection will come back through the ISP-2 link , it is symmetrical traffic flow for the outside of the country with p2p traffic. Am i right ?
How can it be done without using the NAT ?
IMHO, without NAT it's impossible.
The outside world will not be able to differentiate between P2P and non-P2P traffic from/to the same device.
It will always route both the same direction - based on the destination IP address.
i agree that it is not possible without nat
in other words u need to give every device static real public IP assigned from ur ISP which is not practical and dont think about it
just use nat and diffrent pools this will be easy
and make is simple awlays to avoid complixity when you troubleshoot issues
please rate the helpful post