Policy Based Routing for 2nd Internet Connection

kb9mfd

I have two internet connections and several vlans. All the vlans except one access the primary internet connection as the default route. I need to set up the other vlan to use the second internet. I have tried this before but I cannot get it to work. I have the firewall set up and NAT and port forwarding configured and I have the following policies set:

(vlan8 (172.28.130.0/24) - vlan to use second internet connection, vlan2 - internet connection to us, 69.12.165.225 - gateway of internet connection, 69.12.165.226 - internet ip)

MainSwitch(config)#do show route-map
route-map TDS-Map, permit, sequence 10
  Match clauses:
    ip address (access-lists): SecondInt
  Set clauses:
    ip next-hop: 69.12.165.225
    interface: vlan 2
  BGP Filtering matches: 0 routes
  Policy routing matches: 7 packets 420 bytes
  Redistribution Filtering matches: 0 routes
route-map VOIP-Tunnel, permit, sequence 10
  Match clauses:
    ip address (access-lists): VOIP-Gateway
  Set clauses:
    ip next-hop: 69.12.165.225
    interface: vlan 2
  BGP Filtering matches: 0 routes
  Policy routing matches: 3056033 packets 81664717 bytes
  Redistribution Filtering matches: 0 routes

MainSwitch(config)#do show ip local policy
Local policy routing is enable, using route-map TDS-Map
route-map TDS-Map, permit, sequence 10
  Match clauses:
    ip address (access-lists): SecondInt
  Set clauses:
    ip next-hop: 69.12.165.225
    interface: vlan 2
  BGP Filtering matches: 0 routes
  Policy routing matches: 7 packets 420 bytes
  Redistribution Filtering matches: 0 routes

MainSwitch(config)#do show ip access-list SecondInt
Extended IP access list SecondInt
   permit ip host 69.12.165.226  any    log (5 matches)

MainSwitch(config)#do show ip access-list VOIP-Gateway
Extended IP access list VOIP-Gateway
   deny   ip 172.28.130.0 0.0.0.255  172.28.130.0 0.0.0.255    log (284 matches)
   deny   ip 172.28.130.0 0.0.0.255  172.29.0.0 0.0.255.255    log (33020 matches)
   deny   ip 172.28.130.0 0.0.0.255  172.28.101.0 0.0.0.255    log (113423 matches)
   deny   ip 172.28.130.0 0.0.0.255  192.168.1.0 0.0.0.255    log (91 matches)
   deny   ip 172.28.130.0 0.0.0.255  172.28.105.0 0.0.0.255    log (28 matches)
   deny   ip 172.28.130.0 0.0.0.255  172.28.107.0 0.0.0.255    log (0 matches)
   deny   ip 172.29.0.0 0.0.255.255  172.28.130.0 0.0.0.255    log (0 matches)
   permit ip any  any     (41278 matches)

I cannot find out why this will not work. Thanks! - Jeremy

11 Replies
Anonymous

Jeremy:

Thank you for asking this question in the support community.  The goal of this application is to have traffic from VLAN 8 route out VLAN 2, when traffic from VLAN 8 is not destined for the subnets configured in the ACL "VOIP-Gateway."  Is that correct?

When you get a chance, will you please reply to this post and attach a copy of the configuration (please, remember to remove any information that may be sensitive to your organization)?  I will be happy to review it for you.

Levi

kb9mfd

Yes, you are correct. All traffic that is not in the ACL "VOIP-Gateway" needs to go out vlan 2 and be NAT'ed, and I need port forwards for only certain traffic from vlan 2 to go to a server in vlan 8. Did you want me to post my entire config file or just parts of it? Is there a way to attach it without putting it in the entire post? Thanks! - Jeremy

Anonymous

Jeremy:

Yes, please reply to this post and attach the entire configuration (please, remember to remove any information that may be sensitive to your organization).

Levi

kb9mfd

The configuration.

Message was edited by: levi (I removed the configuration and added it as an attachment.)

Anonymous

Jeremy:

Thank you for replying with a copy of the configuration.  Currently, the policy-class "VOIP Phones," which is assigned to VLAN 8, has the entry "allow list web-acl-27" first, which is a "permit ip any any."  This will catch all traffic and allow it, but not NAT the source address.  The post NAT Order of Operations explains this concept, as well as provides an example of routing traffic out a secondary Internet connection.

I hope that makes sense, but please do not hesitate to reply to this post with any additional information or questions.  I will be happy to help in any way I can.

Levi

(Accepted solution)
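The ordering problem Levi describes comes down to first-match evaluation, both in the ACL that drives the route-map and in the policy-class entries. The following is an added illustration, not code from the thread or from Adtran: a small Python model that evaluates the VOIP-Gateway ACL from the question with AOS/IOS-style wildcard masks, derives the route-map next-hop from it, and shows why an "allow list web-acl-27" (permit ip any any) entry placed first swallows every packet before a NAT entry can see it. The NAT entry's name and position, and the sample addresses 203.0.113.10 / 172.29.1.10, are assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # "any" in ACL syntax


def wildcard_match(addr, base, wildcard):
    """AOS/IOS-style wildcard mask: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def acl_lookup(acl, src, dst):
    """First matching entry wins; a list with no match implicitly denies."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# ACL VOIP-Gateway exactly as shown in the question: deny site-internal flows, permit the rest.
VOIP_GATEWAY = [
    ("deny",   ("172.28.130.0", "0.0.0.255"),   ("172.28.130.0", "0.0.0.255")),
    ("deny",   ("172.28.130.0", "0.0.0.255"),   ("172.29.0.0",   "0.0.255.255")),
    ("deny",   ("172.28.130.0", "0.0.0.255"),   ("172.28.101.0", "0.0.0.255")),
    ("deny",   ("172.28.130.0", "0.0.0.255"),   ("192.168.1.0",  "0.0.0.255")),
    ("deny",   ("172.28.130.0", "0.0.0.255"),   ("172.28.105.0", "0.0.0.255")),
    ("deny",   ("172.28.130.0", "0.0.0.255"),   ("172.28.107.0", "0.0.0.255")),
    ("deny",   ("172.29.0.0",   "0.0.255.255"), ("172.28.130.0", "0.0.0.255")),
    ("permit", ANY, ANY),
]
WEB_ACL_27 = [("permit", ANY, ANY)]           # the broad list named in the accepted answer


def pbr_next_hop(src, dst, next_hop="69.12.165.225"):
    """Route-map VOIP-Tunnel: packets permitted by VOIP-Gateway get the 'set ip next-hop';
    packets the ACL denies are left to the normal routing table."""
    return next_hop if acl_lookup(VOIP_GATEWAY, src, dst) == "permit" else "routing-table"


def policy_class_action(entries, src, dst):
    """Policy-class entries are tried in order; the first entry whose ACL permits the
    packet decides. A deny in an entry's ACL means 'not this entry', so evaluation
    falls through to the next entry. Nothing matching means the packet is dropped."""
    for action, acl in entries:
        if acl_lookup(acl, src, dst) == "permit":
            return action
    return "drop"


# Assumed (hypothetical) layouts of policy-class "VOIP Phones"; the thread only states that
# the "allow list web-acl-27" entry sits first. BROKEN never reaches the NAT entry.
BROKEN = [("allow", WEB_ACL_27), ("nat-to-vlan2", VOIP_GATEWAY)]
FIXED = [("nat-to-vlan2", VOIP_GATEWAY), ("allow", WEB_ACL_27)]
```

Running `policy_class_action(BROKEN, "172.28.130.5", "203.0.113.10")` returns "allow" (internet-bound VoIP traffic leaves un-NATed), while the FIXED order returns the NAT entry for the same packet and still returns "allow" for a site-internal destination such as 172.29.1.10, which the VOIP-Gateway denies pass through untouched.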
kb9mfd

OK, I see that. I did not catch it. Thanks! - Jeremy

kb9mfd

Well, after changing the acl only to apply to traffic from a specific security zone it works for outbound internet. But I cannot get port forwarding to work. I have port forwarding working on the main connection, is there a difference doing port forwarding in this situation? I am not seeing the traffic that I forwarded ending up at the equip. Thanks! - Jeremy

Anonymous

Jeremy:

When you get a chance, will you reply with the current configuration, as well as an example of what isn't working properly?  I will be happy to review it for you.

Levi

kb9mfd

I'm not sure how to attach a file, so here it is. Sorry it took so long, been quite busy. I am trying to port forward from the second internet to a server on 172.28.130.5 but the traffic does not get there. The vlan of 172.28.130.0 does have internet and I have verified it is on the correct WAN address. For example, port 8080 is forwarded, but a Wireshark capture from the port that the server is on shows no traffic to port 8080. Thanks! - Jeremy

Anonymous

Jeremy:

I sent you a personal message (PM) asking for some additional information.  The information I requested would most likely have too much sensitive information to remove efficiently, and thus not be prudent to paste in this public forum.  Please, reply to the PM with the information when you get a chance.

Levi

Anonymous

Jeremy:

You will need to disable the reverse-path forwarding check on the firewall.  Please, issue the following commands:

no ip policy-class TDS rpf-check
no ip policy-class Administration rpf-check
no ip policy-class Charter rpf-check
no ip policy-class "VOIP Phones" rpf-check

Levi