02-11-2014 03:16 AM - edited 03-04-2019 10:18 PM
Dear all,
I have a router with two WAN interfaces ('primary' and 'secondary') and one LAN. My LAN subnet is 10.0.0./23.
For some reasons I need to configure the router in such a way that most of the LAN users go out via the 'primary' WAN uplink, but a few LAN IP addresses use only the 'secondary' WAN.
Which tools should I use? What is the best approach to achieve the above goal?
Thank you in advance for any tip.
BR
Piotr
02-11-2014 03:47 AM
Hello
You don't say how the uplinks are connected, i.e. dynamic or static routing; however, on the information you have provided initially this sounds like a job for PBR (policy-based routing).
Something like this:
PBR with 2 WAN links - static routing
==============================================
access-list 1 permit x.x.x.x
access-list 2 permit y.y.y.y
!
! track 3 is up only while both track 1 and track 2 are up
track 3 list boolean and
 object 1
 object 2
!
ip sla 1
 icmp-echo (primary WAN IP) source-ip (primary WAN interface of router)
 frequency 5
ip sla 2
 icmp-echo (secondary WAN IP) source-ip (secondary WAN interface of router)
 frequency 5
ip sla schedule 1 start-time now life forever
ip sla schedule 2 start-time now life forever
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
route-map PBR permit 10
 match ip address 1
 set ip next-hop (primary link) (secondary link)
 set ip next-hop verify-availability (primary link) 1 track 1
 set ip next-hop verify-availability (secondary link) 2 track 2
!
! the second stanza needs its own sequence number; reusing 10 merges it into the first
route-map PBR permit 20
 match ip address 2
 set ip next-hop (secondary link) (primary link)
 set ip next-hop verify-availability (secondary link) 1 track 2
 set ip next-hop verify-availability (primary link) 2 track 1
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x (primary WAN) 200 track 3
ip route 0.0.0.0 0.0.0.0 x.x.x.x (secondary WAN) 250
!
interface xx (LAN interface)
 ip policy route-map PBR
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
02-12-2014 05:45 AM
That's great, pdriver, thanks!
Can you just explain what the statement below means?
track 3 list boolean and
object 1
object 2
And why is it used in 'ip route'?
Thanks in advance.
02-12-2014 06:06 AM
Hi,
track 3 will be up if track 1 and track 2 are UP and will be down when either one is down or both are down.
Regards
Alain
Don't forget to rate helpful posts.
02-17-2014 02:06 AM
pdriver,
I configured it in almost the same way as you wrote (I skipped the SLA part, because right now I do not need it) and unfortunately something is not as I thought:
Router(config)#route-map RM-test permit 10
Router(config-route-map)#match ip add
Router(config-route-map)#match ip address ACL_all_computers_subnet
Router(config-route-map)#set ip next-hop GW_IP_of_primary_uplink
Router(config-route-map)#exit
Router(config)#route-map RM-test permit 10
Router(config-route-map)#match ip address ACL_internal_servers
Router(config-route-map)#set ip next-hop GW_IP_of_secondary_uplink
Router(config-route-map)#exit
Router(config)#do sh route-map RM-test
route-map RM-test, permit, sequence 10
Match clauses:
ip address (access-lists): ACL_all_computers_subnet ACL_internal_servers
Set clauses:
ip next-hop GW_IP_of_primary_uplink GW_IP_of_secondary_uplink
Policy routing matches: 0 packets, 0 bytes
So, as far as I understand, both uplinks will be treated equally or GW_IP_of_primary_uplink will handle most of the traffic.
Please let me know where I made a mistake in the configuration or in my way of thinking.
Thank you in advance.
02-17-2014 02:43 AM
Hello
I saw a config error in my OP relating to the route-map stanzas' numbering, which I amended; please check.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
02-17-2014 06:40 AM
It works like a charm.
Thank you all for sharing your knowledge.
02-11-2014 04:17 AM
Yes, I was also thinking about PBR. However, I have one concern regarding the access-list in this example (please correct me if I am wrong):
With the above conditions, the first route-map entry should have set ip next-hop (secondary link) (primary link) while the second route-map should have set ip next-hop (primary link) (secondary link).
Let's presume that a request comes from IP 10.0.0.2, which is not in acl 1. Because acl 1 cannot be applied to 10.0.0.2, it will be 'transferred' to acl 2 and in the end the request from 10.0.0.2 will go via the 'primary' uplink. A request from IP 10.0.0.3, which is mentioned in acl 1, will be 'caught' by acl 1, so it will go via the 'secondary' uplink.
Do I understand it correctly?
Thanks.
02-11-2014 04:48 AM
Hi,
What you could also do is configure the primary path with a default static route with an AD of 1 and the secondary path with a static route with an AD of 10, then make an ACL for the few LAN users wanting to go via the secondary path and match against it in a route-map that sets the next-hop to the secondary next-hop. Then use this route-map for PBR on the LAN interface.
Of course there is no tracking involved here, so depending upon the WAN technology you may need to track the first static route so most users use secondary when secondary is down, and track the next-hop in the PBR so the few users will use primary in case the secondary link is down.
Regards
Alain
Don't forget to rate helpful posts.
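The approach described in the post above, written out as an added IOS configuration sketch that is not part of the original thread. All addresses (192.0.2.1 and 198.51.100.1 as the primary and secondary gateways, 10.0.0.50 and 10.0.0.51 as the LAN hosts), the interface names and the ACL name are placeholders chosen for illustration.

```cisco
! Probe each WAN gateway (placeholder addresses and interfaces)
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Primary default route (AD 1) is withdrawn when track 1 goes down,
! which lets the floating secondary default (AD 10) take over
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! The few LAN hosts that must leave via the secondary uplink (placeholders)
ip access-list standard VIA-SECONDARY
 permit 10.0.0.50
 permit 10.0.0.51
!
! Only matched hosts are policy-routed; if track 2 is down the set clause
! is skipped and they follow the routing table (primary) instead
route-map PBR permit 10
 match ip address VIA-SECONDARY
 set ip next-hop verify-availability 198.51.100.1 1 track 2
!
interface GigabitEthernet0/2
 description LAN (placeholder interface)
 ip policy route-map PBR
```

`show route-map PBR` and `show track brief` confirm the policy match counters and the state of both tracked objects.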
02-11-2014 04:55 AM
Hello
Any prefix matched in either acl 1 or 2 will be PBR'd to the first next-hop defined in the route-map associated with that acl (if it is reachable); if it's not reachable it will try the secondary next-hop defined.
If no matches are made on either acl then the packet will NOT be PBR'd; it WILL be routed as per the default routing table. It isn't dropped.
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.