One of our customers has two internet connections (one for data and one for VoIP) that we have connected to the two routed interfaces to an ISR 1812W.
The goal is to separate the data and VoIP traffic and send it out of their correct connection - it is NOT to be used for failover scenarios. Using the configuration below I can control which data should be routed/PAT'ed out of the VoIP interface by issuing a route command for each specific destination.
Is the configuration that I have made okay or is there a better approach? How would you do it?
I'm especially interested in hearing your comments about the route-maps and their associated access-lists.
Thank you for your input.
interface FastEthernet0
 description DATA
 ip address 188.8.131.52 255.255.255.248
 ip access-group Outside in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpnmap
!
interface FastEthernet1
 description VOIP
 ip address 184.108.40.206 255.255.255.248
 ip access-group Outside-f1 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect inside out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable

interface Vlan1
 ip address 192.168.6.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 220.127.116.11
ip route 18.104.22.168 255.255.255.255 22.214.171.124
ip route 126.96.36.199 255.255.255.255 188.8.131.52

ip nat inside source route-map DATA interface FastEthernet0 overload
ip nat inside source route-map VOIP interface FastEthernet1 overload

route-map VOIP permit 10
 match ip address VoIP-out
 match interface FastEthernet1

route-map DATA permit 10
 match ip address NatList
 match interface FastEthernet0

ip access-list extended NatList
 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255 <-- VPN related
 permit ip 192.168.6.0 0.0.0.255 any

ip access-list extended VoIP-out
 permit ip 192.168.6.0 0.0.0.255 any
Thank you for your reply. The crypto stuff is not an issue as the two WAN links are not to be used in any kind of failover scenarios (both links go to the same ISP). So the crypto is only needed on the data interface.
Yes, the data and voice traffic share the same IP subnet and VLAN. As of now it will hardly be possible to separate the two.
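A simplified model of how the configuration in the original post selects a link and a PAT rule per flow, added here as an illustration and not part of the thread or any poster's code. The destination and route addresses are constructed documentation ranges, and the function names are hypothetical; only the ACL names, route-map names, interface names and the 192.168.6.0/24 and 10.0.0.0/8 ranges come from the post.

```python
import ipaddress

# Constructed routes (documentation ranges), not the addresses from the post.
ROUTES = [  # (prefix, egress interface reached through that route's next hop)
    ("0.0.0.0/0", "FastEthernet0"),        # default route: DATA link
    ("203.0.113.10/32", "FastEthernet1"),  # host route for one VoIP destination
]
# ACL entries as (action, source, destination), evaluated top-down.
ACLS = {
    "NatList": [("deny", "192.168.6.0/24", "10.0.0.0/8"),  # VPN traffic: no NAT
                ("permit", "192.168.6.0/24", "0.0.0.0/0")],
    "VoIP-out": [("permit", "192.168.6.0/24", "0.0.0.0/0")],
}
# Models: ip nat inside source route-map <name> interface <if> overload
NAT_RULES = [("DATA", "NatList", "FastEthernet0"),
             ("VOIP", "VoIP-out", "FastEthernet1")]

def egress(dst):
    """Pick the egress interface by longest-prefix match over the static routes."""
    d = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), i) for p, i in ROUTES]
    return max((n for n in nets if d in n[0]), key=lambda n: n[0].prefixlen)[1]

def acl_permits(name, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_src, a_dst in ACLS[name]:
        if s in ipaddress.ip_network(a_src) and d in ipaddress.ip_network(a_dst):
            return action == "permit"
    return False

def nat_decision(src, dst):
    """Return (egress interface, route-map that PATs the flow, or None)."""
    out_if = egress(dst)
    for rmap, acl, iface in NAT_RULES:
        # Both match clauses of a route-map entry must hold (interface AND ACL).
        if iface == out_if and acl_permits(acl, src, dst):
            return out_if, rmap
    return out_if, None

if __name__ == "__main__":
    for dst in ("203.0.113.10", "198.51.100.7", "10.1.2.3"):
        print(dst, nat_decision("192.168.6.20", dst))
```

Because both ACLs permit the whole 192.168.6.0/24 subnet, the `match interface` clause is the only thing that tells the two NAT rules apart, so the static routes alone decide which public address a flow is translated to.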