Cisco Support Community
Setup 2 ISPs 1st Static IP and 2nd DHCP

Hi all. I have 2 ISPs: the 1st ISP provides a static IP and the 2nd ISP provides a dynamic IP. I want to set up the router so that all HTTP, HTTPS, SMTP and POP traffic goes through the 2nd ISP and the remaining traffic goes through the 1st ISP. If the 2nd ISP goes down, then HTTP, HTTPS, SMTP and POP should go through the 1st ISP.

 

Thanks,

  • WAN Routing and Switching


Hi,

This can be achieved using the following combination, with IP SLA commands.

Differing Next Hops

The following example illustrates how to route traffic for different destination ports to different places (next hops). Packets with destination port HTTP, HTTPS, POP or SMTP are sent to the next hop at 3.3.3.3; packets with any other destination port are sent to the next hop at 3.3.3.5.


!
interface FastEthernet3/1
 ip policy route-map Texas
!
route-map Texas permit 10
 match ip address test
 set ip next-hop 3.3.3.3
 ! if you use IP SLA, use tracked next hops instead of the static one above
 ! (see the URL below for the IP SLA / track configuration)
 set ip next-hop verify-availability 3.3.3.3 10 track 123
 set ip next-hop verify-availability 3.3.3.5 20 track 124
!
route-map Texas permit 20
 match ip address test2
 set ip next-hop 3.3.3.5
 ! if you use IP SLA
 set ip next-hop verify-availability 3.3.3.5 10 track 124
 set ip next-hop verify-availability 3.3.3.3 20 track 123
!
! Only TCP is classified here: UDP (e.g. DNS) and ICMP match neither ACL and are
! forwarded by the normal routing table. 995 is POP3 over TLS; plain POP3 is 110.
ip access-list extended test
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 995
 deny   tcp any any
!
ip access-list extended test2
 deny   tcp any any eq www
 deny   tcp any any eq 443
 deny   tcp any any eq smtp
 deny   tcp any any eq 995
 permit tcp any any

IP SLA / tracking configuration for PBR:

http://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/48003-pbrtracking.html


HTH

Sandy.

Hi,

Please see the following config. If I allow port 80 on the 1st ISP (Fa0/0/0) then browsing works, but it does not work on the 2nd ISP (Fa0/0/1).

 

track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.3
 description Voice-Vlan
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.4
 description Servers-&-Switches-Vlan
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.5
 description NCS-Vlan
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet0/0/0
 description "Nexlinx Fiber Link 2Mbps"
 ip address 116.58.63.34 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source route-map Nexlinx-nat interface FastEthernet0/0/0 overload
ip nat inside source route-map PTCL-nat interface FastEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 116.58.63.33 track 10
!
! Both ACLs match TCP only, so UDP (e.g. DNS) and ICMP are never translated by
! either NAT statement. "permit tcp any any" also matches TCP between the inside
! VLANs, which route-map PBR below then sends to an ISP next hop.
ip access-list extended acl_Nexlinx
 deny   tcp any any eq www
 deny   tcp any any eq 443
 deny   tcp any any eq smtp
 deny   tcp any any eq 995
 permit tcp any any
ip access-list extended acl_PTCL
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 995
 deny   tcp any any
!
ip sla 1
 icmp-echo 116.58.63.33 source-interface FastEthernet0/0/0
 threshold 500
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.1 source-interface FastEthernet0/0/1
 threshold 500
 timeout 500
 frequency 3
! there is no "ip sla schedule 2", so operation 2 never runs and track 20 stays down
!
route-map Nexlinx-nat permit 10
 match ip address acl_Nexlinx
 match interface FastEthernet0/0/0
!
! Note which track guards which next hop: track 10 follows ip sla 1 (the Nexlinx
! gateway 116.58.63.33) but is attached to the PTCL next hop 192.168.1.1, while
! track 20 (ip sla 2, the gateway probed on the PTCL link) guards the Nexlinx next hop.
route-map PBR permit 10
 match ip address acl_PTCL
 set ip next-hop verify-availability 192.168.1.1 10 track 10
 set ip next-hop verify-availability 116.58.63.33 20 track 20
!
route-map PBR permit 20
 match ip address acl_Nexlinx
 set ip next-hop verify-availability 116.58.63.33 10 track 20
 set ip next-hop verify-availability 192.168.1.1 20 track 10
 set ip next-hop 116.58.63.33
!
route-map PTCL-nat permit 20
 match ip address acl_PTCL
 match interface FastEthernet0/0/1

Hi,

Write a separate ACL for NAT that allows everything:

access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
access-list 7 permit 192.168.5.0 0.0.0.255

ip nat inside source list 7 interface FastEthernet0/0/0 overload
ip nat inside source list 7 interface FastEthernet0/0/1 overload

Similarly, perform testing by bringing down your primary link.

Kindly let me know once you are done.

 

HTH

sandy
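The two accepted pieces above (the tracked PBR from the "Differing Next Hops" answer and the permit-everything NAT ACL from this one) assembled into one configuration for the posted topology. This is an added example, not a config from the thread or from the original poster. It keeps the posted addressing (ISP1 static 116.58.63.34/29 with gateway 116.58.63.33 on Fa0/0/0, ISP2 by DHCP on Fa0/0/1, inside VLANs 192.168.3.0/24 to 192.168.5.0/24) and assumes 192.168.1.1 is the ISP2 gateway. It goes beyond the posted config in four ways: each track guards the gateway it actually probes, both IP SLA operations are scheduled, the policy is applied to all three inside VLANs instead of only VLAN 5, and traffic between inside VLANs is excluded from the policy. The ACL names PBR-ISP1/PBR-ISP2 and the addition of plain POP3 (110) next to 995 are my choices.

```ios
! Dual-ISP policy routing with IP SLA tracking and overload NAT on both links.
! Added example; addresses follow the posted config, 192.168.1.1 is assumed to be
! the ISP2 (DHCP) gateway, ACL names are placeholders.
!
! --- Reachability probes: track 10 = ISP1 gateway, track 20 = ISP2 gateway ---
ip sla 1
 icmp-echo 116.58.63.33 source-interface FastEthernet0/0/0
 threshold 500
 timeout 500
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.1 source-interface FastEthernet0/0/1
 threshold 500
 timeout 500
 frequency 3
ip sla schedule 2 life forever start-time now
! Probing the directly attached gateway detects link or gateway failure only, not an
! outage further upstream; probing a host beyond the ISP needs a static host route per link.
track 10 ip sla 1 reachability
 delay down 1 up 1
track 20 ip sla 2 reachability
 delay down 1 up 1
!
! --- Classification ---
! In a route-map ACL, "deny" means "this clause does not match", not "drop".
! Inside-to-inside traffic is excluded first; otherwise "permit ... any any" would
! policy-route VLAN-to-VLAN packets out to an ISP gateway.
ip access-list extended PBR-ISP2
 deny   ip any 192.168.0.0 0.0.255.255
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq 995
ip access-list extended PBR-ISP1
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Web and mail prefer ISP2 and fall back to ISP1; everything else the reverse.
route-map PBR permit 10
 match ip address PBR-ISP2
 set ip next-hop verify-availability 192.168.1.1 10 track 20
 set ip next-hop verify-availability 116.58.63.33 20 track 10
route-map PBR permit 20
 match ip address PBR-ISP1
 set ip next-hop verify-availability 116.58.63.33 10 track 10
 set ip next-hop verify-availability 192.168.1.1 20 track 20
! Packets matching neither clause (inter-VLAN traffic) use the normal routing table.
!
interface GigabitEthernet0/0.3
 ip policy route-map PBR
interface GigabitEthernet0/0.4
 ip policy route-map PBR
interface GigabitEthernet0/0.5
 ip policy route-map PBR
!
! --- NAT: one ACL covering every inside subnet and every protocol, on both links ---
! NAT picks the translation by the interface the packet actually leaves on, so the
! same list can be bound to both outside interfaces.
access-list 7 permit 192.168.3.0 0.0.0.255
access-list 7 permit 192.168.4.0 0.0.0.255
access-list 7 permit 192.168.5.0 0.0.0.255
ip nat inside source list 7 interface FastEthernet0/0/0 overload
ip nat inside source list 7 interface FastEthernet0/0/1 overload
!
! --- Routing-table fallback for anything not policy-routed ---
ip route 0.0.0.0 0.0.0.0 116.58.63.33 track 10
! The DHCP client on Fa0/0/1 installs its own default route (administrative
! distance 254), which takes over when the tracked static route is withdrawn.
!
! --- Verification ---
! show track                 (both objects should be Up)
! show ip sla statistics     (both operations running, return code OK)
! show route-map PBR         (policy-matched packet counters increase)
! show ip nat translations   (outside addresses change with the chosen link)
! debug ip policy            (per-packet next-hop decision; use briefly)
```

Before unplugging a link, watch "show track" while the probes run: if either object never leaves the Down state, nothing in the policy will ever use that gateway, which is the failure mode the unscheduled second operation in the posted config produces.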

Hi Sandy,

WOW, it's working now. But I could not understand how a separate ACL affected this problem. Can you please give me a teeny-weeny bit of info on this? :)

Hi,

Look into the post below for more understanding.

https://supportforums.cisco.com/discussion/11555036/difference-between-acl-distribution-list-and-route-map

In short, about route-maps and ACLs:

  • A route-map can perform matching operations based on very diverse attributes. An ACL performs matching based only on IP addresses, L4 protocols and ports, and some additional variables typical of packet headers and contents. In fact, when a route-map needs to perform these kinds of matches, it simply calls an ACL to do this job. However, it can also perform matching on different criteria (AS paths, metrics, route types, outgoing interfaces, ...) that are not matchable by an ACL.
  • A route-map can perform a set operation on the packets or prefixes it matched, modifying their route (packets) or their attributes (prefixes). An ACL can only permit or deny them, but it can't modify anything about them.

 

HTH

Sandy 

please make sure to rate all helpful posts.

Thanks Sandy for your kind support.

I cannot access (telnet) the router through the public IP. Is an ACL blocking it? I don't see one.

Hi,

Share the "line vty" output with me.

 

HTH

Sandy

! Without "aaa new-model", "no login" means these lines accept a session with no
! password prompt at all, and "transport input telnet" allows only cleartext Telnet.
line vty 0 4
 no login
 transport input telnet
 transport output none
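Whatever is stopping the Telnet session right now, the posted VTY lines should not be reachable from a public address in this state: "no login" hands out an exec session to anyone who can complete a TCP connection to port 23, and Telnet carries everything in cleartext. The following is an added hardening example, not part of the thread: it replaces Telnet with SSH, requires a local account, and restricts the VTY lines to a management subnet. The hostname, domain name, username and the choice of 192.168.4.0/24 (the Servers VLAN from the posted config) as the management subnet are assumptions; the secret is a placeholder to be replaced.

```ios
! Hardened remote access for the VTY lines (added example, not from the thread).
! hostname/domain are only needed so the RSA key can be generated; 192.168.4.0/24
! as management subnet, the username and the secret are placeholders.
hostname edge-rtr
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
!
username netadmin privilege 15 secret <replace-with-a-strong-secret>
! Slow down password guessing: 3 failures within 60 s blocks logins for 120 s
login block-for 120 attempts 3 within 60
!
! Only the management VLAN may open a session to the VTY lines; log the rest
access-list 10 permit 192.168.4.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 transport output none
 exec-timeout 10 0
!
! The posted config also has the router's HTTP server enabled; turn it off
! unless something actually uses it.
no ip http server
!
! --- Verification ---
! show ip ssh             (SSH version 2 enabled)
! show line vty 0 4       (access-class 10 applied, transport ssh only)
! show users              (who is connected, from where)
! show access-lists 10    (deny counter grows on blocked attempts)
```

If Telnet must stay for some legacy tool, keep at least "access-class 10 in" and "login local" on the lines and allow it only from the inside ("transport input telnet ssh" with the access-class limited to internal subnets); never leave "no login" on lines that an outside address can reach.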
