Policy Based Routing -- Multiple external links -- load-balance / failover -- verify-availability

Hello,

I have a router with the following:

1. MPLS network for inter-site communication (all sites use RFC1918 addresses and eigrp for routing)

2. Cable modem internet access

3. DSL internet access

4. IOS version 15.1(4)M

I am trying to accomplish the following:

1. Use the two internet connections in a load-balanced / failover setup

2. Only allow certain internal IP addresses access to these internet connections (policy based routing)

3. Do not insert a default route into the routing table

I have reviewed the following:

1. IOS NAT Load-Balancing for Two ISP Connections

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

2. IOS NAT Load-Balancing with Optimized Edge Routing for Two Internet Connections

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

Both of the above examples show inserting a default route in the configurations (breaking my rule 3).

I have tried the configuration at the bottom; the problem I have run into:

As configured below, the device that is allowed internet access will now attempt to use the internet connections for all traffic.  My issue seems to come from the fact that I have used set ip next-hop where instead I would like to use set ip default next-hop. The problem is that command does not have the verify-availability <gateway> <sequence> track <object> option.

Idea I have to overcome the issue:

In acl_internet_permit, insert a deny statement for RFC1918 address space. 

Questions:

1. Is the above 'idea' my only option?

2. Will this actually load-balance between the two lines or just provide failover?

Thanks,

Mike

<start-configuration>

version 15.1
!
hostname router
ip domain name internet.local
!
object-group network og_internet_access
 host 192.168.65.100
!
track 220 ip sla 220 reachability
!
track 221 ip sla 221 reachability
!
interface GigabitEthernet0/0
 description MPLS
 ip address 172.20.0.69 255.255.255.248
!
interface GigabitEthernet0/1
 description Inside network
 ip address 192.168.64.1 255.255.240.0
 ip nat inside
 ip policy route-map Internet-Access
!
! NOTE: the following 'internet' addresses are static and the gateways known (i.e. dhcp always provides
! the same address)
!
interface GigabitEthernet0/2.220
 description VLAN220 - Internet (Cable Modem)
 encapsulation dot1Q 220
 no ip dhcp client request router
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/2.221
 description VLAN221 - Internet (DSL)
 encapsulation dot1Q 221
 no ip dhcp client request router
 ip address dhcp
 ip nat outside
!
router eigrp 150
 network 172.20.0.64 0.0.0.7
 network 192.168.64.0 0.0.15.255
 passive-interface GigabitEthernet0/2.220
 passive-interface GigabitEthernet0/2.221
!
ip nat inside source route-map cable-nat interface GigabitEthernet0/2.220 overload
ip nat inside source route-map dsl-nat interface GigabitEthernet0/2.221 overload
!
ip access-list standard acl_internet_nat
 permit 192.168.65.100
!
ip access-list extended acl_internet_permit
 permit ip object-group og_internet_access any
!
ip sla 220
 icmp-echo <cable-gateway> source-interface GigabitEthernet0/2.220
 threshold 2
 timeout 3000
 frequency 3
ip sla schedule 220 life forever start-time now
ip sla 221
 icmp-echo <dsl-gateway> source-interface GigabitEthernet0/2.221
 threshold 2
 timeout 3000
 frequency 3
ip sla schedule 221 life forever start-time now
!
route-map dsl-nat permit 10
 match ip address acl_internet_nat
 match interface GigabitEthernet0/2.221
!
route-map Internet-Access permit 10
 match ip address acl_internet_permit
 set ip next-hop verify-availability <cable-gateway> 1 track 220
 set ip next-hop verify-availability <dsl-gateway> 2 track 221
!
route-map cable-nat permit 10
 match ip address acl_internet_nat
 match interface GigabitEthernet0/2.220
!
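An added example, not part of Mike's post, that models how the Internet-Access route-map above evaluates a packet once acl_internet_permit carries the proposed RFC1918 deny entries. It shows that internal (RFC1918) destinations fall through to the routing table, and that the two verify-availability entries are walked in sequence order so only the first reachable gateway is used (failover, not load sharing). The gateway addresses and the destination host are constructed placeholders.

```python
# Added example (not from the original post): simulate PBR with
# "set ip next-hop verify-availability <gw> <seq> track <obj>" on a
# packet matched against acl_internet_permit.
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ALLOWED_HOST = "192.168.65.100/32"   # the og_internet_access host

# acl_internet_permit as the poster proposes: deny RFC1918 destinations
# first, then permit the allowed host to anywhere (implicit deny at the end).
ACL_INTERNET_PERMIT = [("deny", ALLOWED_HOST, net) for net in RFC1918] + [
    ("permit", ALLOWED_HOST, "0.0.0.0/0"),
]

# (sequence, gateway, track object); gateways are constructed placeholders
# standing in for <cable-gateway> and <dsl-gateway>.
NEXT_HOPS = [(1, "198.51.100.1", 220), (2, "203.0.113.1", 221)]


def acl_match(acl, src, dst):
    """Return 'permit' or 'deny' for the first matching ACE (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def pbr_next_hop(src, dst, track_state, acl=ACL_INTERNET_PERMIT, hops=NEXT_HOPS):
    """Gateway PBR forwards to, or None when the packet uses normal routing.

    None results when the ACL denies the packet (e.g. inter-site RFC1918
    traffic, which then follows the EIGRP routes) or when every tracked
    gateway is down (PBR falls back to the routing table).
    """
    if acl_match(acl, src, dst) != "permit":
        return None
    for _seq, gateway, track in sorted(hops):
        if track_state.get(track, False):   # track object up -> reachable
            return gateway                  # first reachable entry wins
    return None


if __name__ == "__main__":
    both_up = {220: True, 221: True}
    print(pbr_next_hop("192.168.65.100", "192.0.2.10", both_up))   # cable gateway
    print(pbr_next_hop("192.168.65.100", "172.20.1.10", both_up))  # None: stays on MPLS
```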
