I’m 3 hours from the beginning of my trip to Scotland, but I don’t want to leave unanswered a question that Moh asked me on my previous Dual WAN connection on Cisco with Policy-based routing (PBR) post.
Scenario and Objectives
Scenario and objectives are kindly provided by Moh!
I have a situation same like this, I will give a brief idea. This is for one of my clients; they have two leased line connections and, using a 2801 router, it is connected to two LAN networks (say 192.168.1.0/24 and 192.168.2.0/24). They just want to divide the complete traffic based on internal network: one of the internal (1.0/24) network's traffic should go through WAN1 (complete traffic, no matter what it is) and the other one (2.0/24) has to go through WAN2.
The solution, as in the previous post, is based on PBR (Policy Based Routing). It is quite a simple use of PBR in this case; as Moh says:
It is very easy to do in Fortinet and Juniper, but I'm a bit confused in Cisco now.
Of course, it’s easy using Cisco & IOS too! 😉
I post it here with the hope it could be helpful to someone – other Moh, of course! 🙂
First, the routing policies: what traffic do we want to route where?
LAN1 traffic through the Bronze link, LAN2 traffic through the Gold link. We want LAN-to-LAN reachability too.
We define an access list which matches all traffic towards subnets outside our network:

access-list 199 deny ip any 192.168.0.0 0.0.255.255
access-list 199 permit ip any any

If we don't exclude 192.168.0.0/16, our route-map policies will also be applied to LAN-to-LAN traffic, which would be forced out a WAN link instead of being routed directly between the two LANs.
Then we make route-maps and apply them to LAN interfaces:
route-map LAN1 permit 10
 match ip address 199
 set interface Serial2/0
!
route-map LAN2 permit 10
 match ip address 199
 set interface Serial2/1
!
interface FastEthernet0/0
 description LAN1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map LAN1
!
interface FastEthernet1/0
 description LAN2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip policy route-map LAN2
Now routing is OK: traffic coming from LAN1 with destinations other than the LAN2 subnet will be routed out S2/0. Same for LAN2 traffic, out S2/1.

Now we have to build policy-based NAT: traffic leaving the S2/0 interface has to be translated using the S2/0 IP address; likewise, traffic leaving S2/1 is translated with the S2/1 address.

route-map NAT_LAN1 permit 10
 match interface Serial2/0
!
route-map NAT_LAN2 permit 10
 match interface Serial2/1
!
ip nat inside source route-map NAT_LAN1 interface Serial2/0 overload
ip nat inside source route-map NAT_LAN2 interface Serial2/1 overload
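To make the three pieces above easier to reason about together (ACL 199 with its LAN exclusion, the per-interface route-maps, and the policy NAT keyed on the egress interface), here is an added Python model of how IOS evaluates them for a single packet. It is example code written for this page, not the post's own lab or any Cisco code. The WAN interface addresses, the default route via Serial2/0 and the `ip nat outside` role of the serial links are constructed assumptions (the post does not give them); the ACL, route-maps and LAN subnets are the ones shown above. The model also carries the failure mode the post warns about: with the `deny` line removed, LAN1-to-LAN2 traffic is pushed out the Bronze link instead of being routed directly.

```python
import ipaddress

# Added example modelling the post's config; not the post's own code.
# WAN addresses and the default route below are constructed assumptions
# (RFC 5737 documentation ranges), not values from the post.


def wildcard_match(network, wildcard, address):
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    addr = int(ipaddress.IPv4Address(address))
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (net & care)


# access-list 199 exactly as on the page: deny ... 192.168.0.0 0.0.255.255, permit any any
ACL_199 = [
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Same ACL without the exclusion, used to show why the deny line matters
ACL_199_NO_DENY = [("permit", "0.0.0.0", "255.255.255.255")]


def acl_permits(acl, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, net, wc in acl:
        if wildcard_match(net, wc, dst):
            return action == "permit"
    return False


# 'ip policy route-map LANx' on each LAN interface: match ip address 199 -> set interface
POLICY = {
    "FastEthernet0/0": "Serial2/0",   # route-map LAN1
    "FastEthernet1/0": "Serial2/1",   # route-map LAN2
}

# Routing table: connected LANs from the page; the default route is an assumption
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "FastEthernet0/0"),
    (ipaddress.ip_network("192.168.2.0/24"), "FastEthernet1/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "Serial2/0"),
]

# Constructed WAN addresses for the 'ip nat outside' interfaces (not on the page)
NAT_OUTSIDE = {"Serial2/0": "203.0.113.2", "Serial2/1": "198.51.100.2"}


def lookup_route(dst):
    """Longest-prefix match over ROUTES (the default route guarantees a hit)."""
    addr = ipaddress.IPv4Address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def forward(ingress, src, dst, acl=ACL_199):
    """Return (egress interface, source address after NAT) for one packet."""
    # 1. PBR: the route-map on the ingress interface is consulted before the
    #    routing table; a destination denied by the ACL does not match the
    #    'permit 10' clause and falls through to normal routing.
    if acl_permits(acl, dst):
        egress = POLICY[ingress]
    else:
        egress = lookup_route(dst)
    # 2. Policy NAT: 'ip nat inside source route-map NAT_x interface Serial2/x overload'
    #    only translates packets that leave through that outside interface;
    #    inside-to-inside traffic keeps its original source.
    translated = NAT_OUTSIDE.get(egress, src)
    return egress, translated


if __name__ == "__main__":
    cases = [
        ("FastEthernet0/0", "192.168.1.10", "192.0.2.10", ACL_199),
        ("FastEthernet1/0", "192.168.2.10", "192.0.2.10", ACL_199),
        ("FastEthernet0/0", "192.168.1.10", "192.168.2.10", ACL_199),
        ("FastEthernet0/0", "192.168.1.10", "192.168.2.10", ACL_199_NO_DENY),
    ]
    for ingress, src, dst, acl in cases:
        egress, nat_src = forward(ingress, src, dst, acl)
        tag = "" if acl is ACL_199 else " (deny line missing!)"
        print(f"{src} -> {dst} via {ingress}: out {egress}, src {nat_src}{tag}")
```

The last case is the one to watch: without the `deny ip any 192.168.0.0 0.0.255.255` entry, a LAN1 host talking to a LAN2 host is sent out Serial2/0 and NATted, so LAN-to-LAN reachability breaks. On the router itself, `show ip policy` lists which route-map is bound to each interface and `show route-map LAN1` shows per-clause match counters, which is the quickest way to confirm the policy is actually being hit.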
Pings from the LANs (in the GNS3 lab the PCs are routers) to the "internet" (220.127.116.11) are routed and translated as expected:

GW#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 18.104.22.168:6   192.168.1.10:6     22.214.171.124:6   126.96.36.199:6
icmp 188.8.131.52:6    192.168.2.10:6     184.108.40.206:6   220.127.116.11:6
If you want to try this in GNS3, please download the lab from the previous post; only a few changes are required!
This post has been written while 85% of my little brain is thinking about Nessie, castle ghosts and left-hand car driving; I hope I didn’t write nonsense!