Dual ISP Bandwidth Aggregation

Hi, my name is John. We have 1 uplink connected to a Cisco 1900 series router and another uplink connected to a Cisco 2000 series router. The two uplinks are from 2 different ISPs. One uplink has a static WAN IP while the other has a dynamic WAN IP. They are then linked to an ASA, and from the ASA to switches. My question is: how can I configure the routers or ASA to combine the bandwidth of the two uplinks?

Hi Reza,
Thanks for your feedback.
In the case where both uplinks are coming from the same ISP, can we use
1. Dual internet links NATing with PBR and IP SLA
  https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla
2. Load balancing using Performance Routing PfR/OER
  https://supportforums.cisco.com/document/32216/load-balancing-using-performance-routing-pfroer
In my case, since the uplinks are from different ISPs, can I do failover on either the ASA or the routers, such that when 1 uplink fails, it will automatically be tracked and switch the internet traffic from the 2nd uplink?

Similar Messages

  • VPN device with dual ISP, fail-over, and load balancing

    We currently service a client that has a PIX firewall that connects to multiple, separate outside vendors via IPSEC VPN. The VPN connections are mission critical and if for any reason the VPN device or the internet connection (currently only a T1) goes down, the business goes down too. We're looking for a solution that allows dual-ISP, failover, and load balancing. I see that there are several ASA models as well as the IOS that support this but what I'm confused about is what are the requirements for the other end of the VPN, keeping in mind that the other end will always be an outside vendor and out of our control. Current VPN endpoints for outside vendors are to devices like VPN 3000 Concentrator, Sonicwall, etc. that likely do not support any type of fail-over, trunking, load-balancing. Is this just not possible?

    Unless I am mistaken, the ASA doesn't do VPN load balancing for point-to-point IPsec connections either. What you're really after is opportunistic connection failover, and/or something like DMVPN. Coordinating opportunistic failover shouldn't be too much of an issue with the partners, but be prepared for a lot of questions.

  • Performance Routing (PfR) with single router, dual ISP and load balancing

    It looks like PfR can do this but I have only found information about this feature which will start using ISP2 once ISP1 reaches 75% usage. But this is not load balancing.
    Can we accomplish load balancing utilizing a single router with dual ISPs using this PfR feature? 
    Or do we have to use another feature?
    thank you in advance

    I'm rusty using OER/PfR, but I recall it could load balance two links on the same router. The issue, I also recall, is that if doing BGP, OER/PfR has to detect a load imbalance, and there's a certain difference allowance, and OER/PfR takes some time to decide, so depending on actual traffic, it might not be obvious it's working. If doing BGP, there's a hidden command (which I don't recall) that will load balance the two links on the same router; then you use OER/PfR to dynamically refine the load balance.

  • DMVPN Hub with Dual ISPs

    I have one hub router and 2 ISPs, and would like to set it up as a dual hub. I have configured two tunnel interfaces on the hubs and spokes, set the ipsec profile to shared, etc.
    What I was trying to do was route-map the traffic for the two tunnel interfaces out of the relevant interfaces, and I came up with the following:
    route-map ROUTE-DMVPN permit 10
     match interface Tunnel1
     set ip default next-hop xxxxx
    route-map ROUTE-DMVPN permit 20
     match interface Tunnel2
     set ip default next-hop xxxxx
    and then set that as a local policy route-map on the router.
    The first section matches packets and works, the second does not. Is what I am trying to do possible? Or do I need to be more sophisticated in my design?
    Thanks in advance!

    OK, here is something I came up with really fast in my lab.
    Note that it does NOT contain best practices or some required configurations and is only meant to show a concept.
    Here is the situation
    hub ===== two links ==== "ISP" -----one link ---- spoke
    hub physical:
    10.1.1.0/24 (ISP1)
    10.2.2.0/24 (ISP2)
    spoke physical:
    10.3.3.0/24
    two DMVPN clouds:
    172.16.1.0/24
    172.16.2.0/24
    Hub lan:
    99.99.99.0/24
    spoke lan:
    88.88.88.0/24
    Hub configuration:
    interface Ethernet0/0
     ip address 10.1.1.1 255.255.255.0
    interface Ethernet1/0
     ip vrf forwarding ISP2
     ip address 10.2.2.1 255.255.255.0
    interface Ethernet2/0
     ip address 99.99.99.1 255.255.255.0
    interface Tunnel1
     ip address 172.16.1.1 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp server-only
     delay 1000
     tunnel source Ethernet0/0
     tunnel mode gre multipoint
     tunnel key 1
    end
    interface Tunnel2
     ip address 172.16.2.1 255.255.255.0
     no ip redirects
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     delay 2000
     tunnel source Ethernet1/0
     tunnel mode gre multipoint
     tunnel key 2
     tunnel vrf ISP2
    end
    router eigrp 100
     network 99.99.99.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
    router eigrp 101
     network 99.99.99.0 0.0.0.255
     network 172.16.2.0 0.0.0.255
    ip route 0.0.0.0 0.0.0.0 10.1.1.254
    ip route vrf ISP2 0.0.0.0 0.0.0.0 10.2.2.254
    Spoke config:
    interface Ethernet0/0
     ip address 10.3.3.1 255.255.255.0
    end
    interface Tunnel1
     ip address 172.16.1.2 255.255.255.0
     no ip redirects
     ip nhrp map multicast 10.1.1.1
     ip nhrp map 172.16.1.1 10.1.1.1
     ip nhrp network-id 1
     ip nhrp nhs 172.16.1.1
     delay 1000
     tunnel source Ethernet0/0
     tunnel mode gre multipoint
     tunnel key 1
    end
    router eigrp 100
     network 88.88.88.0 0.0.0.255
     network 172.16.1.0 0.0.0.255
    router eigrp 101
     network 88.88.88.0 0.0.0.255
     network 172.16.2.0 0.0.0.255
    Some outputs:
    spoke#sh ip eigrp topology 99.99.99.0/24
    EIGRP-IPv4 Topology Entry for AS(100)/ID(172.16.2.2) for 99.99.99.0/24
      State is Passive, Query origin flag is 1, 1 Successor(s), FD is 25881600
      Descriptor Blocks:
      172.16.1.1 (Tunnel1), from 172.16.1.1, Send flag is 0x0
          Composite metric is (25881600/281600), route is Internal
          Vector metric:
            Minimum bandwidth is 100 Kbit
            Total delay is 11000 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1472
            Hop count is 1
            Originating router is 172.16.2.1
    EIGRP-IPv4 Topology Entry for AS(101)/ID(172.16.2.2) for 99.99.99.0/24
      State is Passive, Query origin flag is 1, 0 Successor(s), FD is 4294967295
      Descriptor Blocks:
      172.16.2.1 (Tunnel2), from 172.16.2.1, Send flag is 0x0
          Composite metric is (26137600/281600), route is Internal
          Vector metric:
            Minimum bandwidth is 100 Kbit
            Total delay is 21000 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1472
            Hop count is 1
            Originating router is 172.16.2.1
    spoke#sh ip nhrp detail
    172.16.1.1/32 via 172.16.1.1
       Tunnel1 created 00:16:33, never expire
       Type: static, Flags: used
       NBMA address: 10.1.1.1
    172.16.2.1/32 via 172.16.2.1
       Tunnel2 created 00:16:33, never expire
       Type: static, Flags: used
       NBMA address: 10.2.2.1
    spoke#                  
    and
    hub#sh ip eigrp topology 88.88.88.0/24
    EIGRP-IPv4 Topology Entry for AS(100)/ID(172.16.2.1) for 88.88.88.0/24
      State is Passive, Query origin flag is 1, 1 Successor(s), FD is 25881600
      Descriptor Blocks:
      172.16.1.2 (Tunnel1), from 172.16.1.2, Send flag is 0x0
          Composite metric is (25881600/281600), route is Internal
          Vector metric:
            Minimum bandwidth is 100 Kbit
            Total delay is 11000 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1472
            Hop count is 1
            Originating router is 172.16.2.2
    EIGRP-IPv4 Topology Entry for AS(101)/ID(172.16.2.1) for 88.88.88.0/24
      State is Passive, Query origin flag is 1, 0 Successor(s), FD is 4294967295
      Descriptor Blocks:
      172.16.2.2 (Tunnel2), from 172.16.2.2, Send flag is 0x0
          Composite metric is (26137600/281600), route is Internal
          Vector metric:
            Minimum bandwidth is 100 Kbit
            Total delay is 21000 microseconds
            Reliability is 255/255
            Load is 1/255
            Minimum MTU is 1472
            Hop count is 1
            Originating router is 172.16.2.2
    hub#show ip nhrp detail
    172.16.1.2/32 via 172.16.1.2
       Tunnel1 created 00:16:09, expire 01:43:50
       Type: dynamic, Flags: unique registered
       NBMA address: 10.3.3.1
    172.16.2.2/32 via 172.16.2.2
       Tunnel2 created 00:16:09, expire 01:43:50
       Type: dynamic, Flags: unique registered
       NBMA address: 10.3.3.1

  • ISP Bandwidth Testing Issue

    We just commissioned an STM1 link to an upstream ISP; part of the bandwidth is meant for the mobile data service of a customer. The customers complain of slow downloads while we still have 100Mbps of capacity available. The customer did an FTP test but the result was not satisfactory. Can anyone recommend the best practice for testing this kind of connection? Any suggestions on how to improve the link are highly welcome. The connection to the upstream ISP is a BGP connection (traceroute, ping, video streaming, etc. seem to be okay).

    Hi, [Pls RATE if HELPS]
    Download and use the "WAN KILLER" tool to generate traffic on the link.
    You can load the link with traffic and check the capability, burst and failure rates.
    Hope I am informative.
    Pls RATE if HELPS
    Best Regards,
    Guru Prasad R

  • DUAL ISPs and Load Balancing with BM 3.9

    I am running a Border Manager 3.9 server and we use a Dual WAN router to bring in our (2) ISPs from different vendors into (1) netcard on the server. The Dual WAN router does load balancing fine but I was wondering if there is a better more efficient way?
    Would Border Manager allow multiple Public 10/100/1000 Netcards and do load balancing and fail over?
    We run fine speedwise for our little company but it just seems wasteful to have (2) T1's coming into a 10/100 Dual WAN router.
    Just wondering,
    [email protected]

    In article <[email protected]>, Rlmillies wrote:
    > I am running a Border Manager 3.9 server and we use a Dual WAN router to
    > bring in our (2) ISPs from different vendors into (1) netcard on the
    > server. The Dual WAN router does load balancing fine but I was
    > wondering if there is a better more efficient way?
    No, that's basically the best way. I've got a number of clients set up to
    do that, some of them with BMgr clusters behind the twin-wan routers. One
    of them at one point even had 5 WAN links (using Xincom X16).
    >
    > Would Border Manager allow multiple Public 10/100/1000 Netcards and do
    > load balancing and fail over?
    No. NetWare wasn't designed to do that with IP, though it could with IPX.
    >
    > We run fine speedwise for our little company but it just seems
    > wasteful to have (2) T1's coming into a 10/100 Dual WAN router.
    It generally is. What I usually have are clients with a T1 (fixed IP
    addresses, mostly for email), and a cable modem/dsl connection (usually
    DHCP). I set up load balancing to bias most of the outbound load onto
    the cable modem (usually 5mps or greater), and there is usually a very
    noticeable increase in browsing speed for the users.
    Craig Johnson
    Novell Knowledge Partner
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Dual ISP on ASA VPN question.

    Hi all.
    My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP at the ASA 5520?
    Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online at the backup ISP?
    Config:
    crypto isakmp enable outside
    crypto isakmp enable backup
    tunnel-group 200.200.2.1 type ipsec-l2l
    tunnel-group 200.200.2.1 ipsec-attributes
    pre-shared-key CISCO
    tunnel-group 200.200.1.1 type ipsec-l2l
    tunnel-group 200.200.1.1 ipsec-attributes
    pre-shared-key CISCO
    crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
    crypto map VPN 10 match address VLAN121_TO_VLAN23
    crypto map VPN 10 set peer 200.200.1.1
    crypto map VPN 10 set transform-set 3DES_MD5
    crypto map VPN 20 match address VLAN121_TO_VLAN23
    crypto map VPN 20 set peer 200.200.2.1
    crypto map VPN 20 set transform-set 3DES_MD5
    ! Apply crypto-map and enable VPN traffic to bypass ACLs
    crypto map VPN interface outside
    crypto map VPN interface backup
    sysopt connection permit-vpn
    Thank you.

    We are not able to make a loopback on the ASA.
    The routing with SLA is working fine; the problem is that when the local network goes to the remote network, it always tries to use the first tunnel, which was set up for the first ISP's IP address.

  • Cisco ASA 5505 Dual-ISP Backup VPN

    I am trying to create a backup tunnel from an ASA 5505 to a pix 501 in the case of the Main ISP failing.  The Pix external side will stay the same, but not quite sure how I can create a new crypto map and have it use the Backup ISP interface without bringing down the main tunnel.
    My first thought was to add the following crypto map to the configuration below:
    crypto map outside_map 2 match address outside_1_cryptomap
    crypto map outside_map 2 set peer 9.3.21.13
    crypto map outside_map 2 set transform-set ESP-DES-MD5
    crypto map outside_map interface backupisp -->but this would break the current tunnel.
    NYASA# sh run
    : Saved
    ASA Version 7.2(4)
    hostname NYASA
    domain-name girls.org
    enable password CHwdJ2WMUcjxIIm8 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 9.17.5.8 255.255.255.240
    interface Vlan3
    description Backup ISP
    nameif backupisp
    security-level 0
    ip address 6.27.9.5 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any
    access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
    access-list 150 extended permit ip any host 10.1.2.27
    access-list 150 extended permit ip host 10.1.2.27 any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu backupisp 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (backupisp) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
    route backupisp 0.0.0.0 0.0.0.0 6.27.9.1 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 10.1.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 10
    type echo protocol ipIcmpEcho 4.2.2.2 interface outside
    num-packets 3
    timeout 1000
    frequency 3
    sla monitor schedule 10 life forever start-time now
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 9.3.21.13
    crypto map outside_map 1 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    track 1 rtr 10 reachability
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    username ptiadmin password BtOLil2gR0VaUjfX encrypted privilege 15
    tunnel-group 9.4.21.13 type ipsec-l2l
    tunnel-group 9.4.21.13 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:22bb60b07c4c1805b89eb2376683f861
    : end
    NYASA#
    Thanks in advance.

    In that case it is the PIX that needs two peers (to the ASA).
    The ASA will require the crypto map to be applied to the backup interface as well (as you mentioned)
    crypto map outside_map interface backupisp -->but this would break the current tunnel.
    The above command should not break the current tunnel (if the route to reach the other end goes out via the primary interface).
    Additionally, you need IP SLA configured on the ASA to allow it to use the primary connection and fall back to the backup connection to build up the tunnel (as well as to use the primary interface again when it recovers).
    Federico.
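
A readiness check for the setup described in the reply above, as an added example that is not part of the original thread: it parses ASA 7.2-style configuration text and reports what is still missing for the site-to-site tunnel to come up over the backup ISP. The function names and finding codes are illustrative; the sample lines are copied from the NYASA configuration posted above, whose differing `set peer` and `tunnel-group` addresses may simply be a redaction artifact.

```python
import re

# Constructed sample: statements copied from the NYASA configuration posted
# above, reduced to the ones that matter for VPN failover.
POSTED = """\
route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
route backupisp 0.0.0.0 0.0.0.0 6.27.9.1 254
sla monitor 10
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
sla monitor schedule 10 life forever start-time now
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 9.3.21.13
crypto map outside_map interface outside
crypto isakmp enable outside
track 1 rtr 10 reachability
tunnel-group 9.4.21.13 type ipsec-l2l
"""

# The same configuration with the crypto map and ISAKMP enabled on the backup
# interface and a tunnel-group that matches the crypto map peer.
CORRECTED = POSTED + """\
crypto map outside_map interface backupisp
crypto isakmp enable backupisp
tunnel-group 9.3.21.13 type ipsec-l2l
"""


def parse(config):
    """Collect the failover-relevant facts from ASA configuration text."""
    f = {"defaults": [], "map_ifs": set(), "ike_ifs": set(), "peers": set(),
         "groups": set(), "tracks": {}, "scheduled": set()}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+"
                         r"(?: (\d+))?(?: track (\d+))?$", line):
            # Administrative distance defaults to 1 when omitted.
            f["defaults"].append(
                {"ifc": m[1], "distance": int(m[2] or 1), "track": m[3]})
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            f["map_ifs"].add(m[1])
        elif m := re.match(r"crypto isakmp enable (\S+)$", line):
            f["ike_ifs"].add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ set peer (.+)$", line):
            f["peers"].update(m[1].split())
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            f["groups"].add(m[1])
        elif m := re.match(r"track (\d+) rtr (\d+) reachability$", line):
            f["tracks"][m[1]] = m[2]
        elif m := re.match(r"sla monitor schedule (\d+) ", line):
            f["scheduled"].add(m[1])
    return f


def audit(config):
    """Return a list of (code, subject) findings; empty means ready."""
    f = parse(config)
    findings = []
    routes = sorted(f["defaults"], key=lambda r: r["distance"])

    # A floating backup default route needs a higher distance than the primary.
    if len(routes) < 2 or routes[0]["distance"] == routes[1]["distance"]:
        findings.append(("NO_FLOATING_DEFAULT", "default route"))

    # The primary default must be withdrawn when the SLA probe fails.
    if routes:
        sla = f["tracks"].get(routes[0]["track"])
        if sla is None:
            findings.append(("PRIMARY_NOT_TRACKED", routes[0]["ifc"]))
        elif sla not in f["scheduled"]:
            findings.append(("SLA_NOT_SCHEDULED", sla))

    # Every egress interface must be able to negotiate and carry the tunnel.
    for r in routes:
        if r["ifc"] not in f["map_ifs"]:
            findings.append(("NO_CRYPTO_MAP", r["ifc"]))
        if r["ifc"] not in f["ike_ifs"]:
            findings.append(("NO_ISAKMP", r["ifc"]))

    # Each crypto map peer needs a tunnel-group carrying its pre-shared key.
    for peer in sorted(f["peers"] - f["groups"]):
        findings.append(("NO_TUNNEL_GROUP", peer))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, audit(cfg) or "ready for failover")
```
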

  • Dual ISP load balancing with 2 routers and 2 FW without using BGP

    Hi all,
    Based on the attachment diagram, is the design viable?
    Does anyone have a similar deployment, and can you share with me the config guide for this, because I'm at a loss on a few configs:
    1. On core switch A and B, I understood we need to have a default route pointing to the firewall interface. For this case, I have different IPs for the same context on both the firewalls.
    So, how should the config be?
    CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.110
    CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.111
    I don't think the above will work as the core switch will load balance the traffic to both firewalls even if one of the context is on standby mode?
    2. The area from the firewall to the internet would all be public IP. Thus, if I put a switch in between the firewall and the router, then I would waste some public IP addresses, but if I remove the switch, I would not have enough ports on the ASA firewall. What is the best recommended solution for this?
    3. How do I load balance traffic to both R1 and R2 to their respective ISPs without using BGP? I may be using only a 2811 router.
    Thanks a lot! Really looking forward to some guidance and tips on this, as I haven't found any guides on this deployment yet; most are LAN HA.

    For policy based routing, I would need to create route maps on the core switch itself right?
    Correct me if I'm wrong: if I use route-maps, I would be assigning e.g. internal network A to go through firewall context A and internal network B to go through firewall context B.
    Context A will only have a path to Router A and context B will only have a path to Router B. But if router B goes down, network B won't be able to access the Internet, right?
    I'm not sure whether it's PI or PA for this, as the ISP will assign us a block of IP addresses, for example 202.111.1.8/29 (these IPs can be used for webservers, etc). There will also be a public IP of /30 on the serial interface to connect to their router.
    Thanks a lot.

  • Dual ISP connection unequal load balancing

    Hi All,
    I have an issue regarding load balancing between two ISPs. I have done policy based routing as stated in other Cisco discussions.
    I have 2 /30s as my test ISPs, with the ISP IPs configured on another switch, while I have my customer configs on my end. I can ping the two test ISPs from my router but not from PCs in the LAN until I remove "ip nat inside source route-map 20 interface GigabitEthernet0/0.20 overload" from the router's config.
    Please help.
    Load-Balancing-Router#show run
    Building configuration...
    Current configuration : 2716 bytes
    ! Last configuration change at 04:09:37 UTC Tue Apr 21 2015 by anprasad
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Load-Balancing-Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.1.2
    ip dhcp excluded-address 192.168.1.0 192.168.1.100
    ip dhcp pool LAN
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
    ip domain name fnu.ac.fj
    multilink bundle-name authenticated
    license udi pid CISCO1921/K9 sn FGL150925YE
    username anprasad privilege 15 secret 5 $1$Oy40$h13lWAN4upzI19L6/MXjf/
    username aaa privilege 15 secret 5 $1$W3JH$LMd0LUtdxJlXXJkB.NxjB0
    ip ssh version 1
    class-map match-all 512K-Outbound
     match access-group name DR-512K-OutBound
    class-map match-all 10240K-Outbound
     match access-group name DR-1024K-OutBound
    policy-map DR-Outbound
     class 10240K-Outbound
       police rate 10240000 bps burst 1920000 bytes
         conform-action transmit
         exceed-action drop
     class 512K-Outbound
       police rate 512000 bps burst 96000 bytes
         conform-action transmit
         exceed-action drop
    interface GigabitEthernet0/0
     no ip address
     duplex auto
     speed auto
    interface GigabitEthernet0/0.10
     description Student-Internet
     encapsulation dot1Q 10
     ip address 202.0.1.1 255.255.255.252
     ip nat outside
     ip virtual-reassembly
    interface GigabitEthernet0/0.20
     description Staff-Internet
     encapsulation dot1Q 20
     ip address 202.0.2.1 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     shutdown
    interface GigabitEthernet0/1
     description LAN-Network
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    interface FastEthernet0/0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source route-map 10 interface GigabitEthernet0/0.10 overload
    ip nat inside source route-map 20 interface GigabitEthernet0/0.20 overload
    ip route 0.0.0.0 0.0.0.0 202.0.1.2
    ip route 0.0.0.0 0.0.0.0 202.0.2.2
    ip access-list extended DR-10240K-OutBound
     permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended DR-512K-OutBound
     permit ip 192.168.1.0 0.0.0.255 any
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    route-map 10 permit 10
     match ip address 100
     match interface GigabitEthernet0/0.10
    route-map 20 permit 20
     match ip address 100
     match interface GigabitEthernet0/0.20
    snmp-server community fnuro RO
    control-plane
    line con 0
     logging synchronous
     login local
    line aux 0
    line vty 0 4
     login local
    scheduler allocate 20000 1000
    end

    Hi,
    I would like to ask if you are done with your configuration. Is it working?
    Next month we will add an additional ISP and I will try to configure it.
    Hope you'll give me some ideas.
    thank you

  • Dual ISP Hub and Spoke DMVPN

    Hello All,
    I am trying to build a DMVPN solution for two sites each with secondary ISPs.
    The solution works "sort of", but doesn't seem very robust (sometimes a router reload is required if VPN doesn't come up after ISP failover)
    I was wondering if anyone had any suggestions to my config below?
    Thanks!
    !!!!HUB!!!!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    !
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    !
    crypto ipsec profile dmvpn
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    crypto ipsec profile dmvpn2
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    !
    interface Tunnel0
     ip address 10.255.255.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 6
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 545
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel1
     ip address 10.255.254.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 7
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 546
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface Tunnel2
     ip address 10.255.253.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 8
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 547
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel3
     ip address 10.255.252.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     no ip next-hop-self eigrp 53
     no ip split-horizon eigrp 53
     ip nhrp authentication secret1
     ip nhrp map multicast dynamic
     ip nhrp network-id 9
     ip nhrp holdtime 300
     ip tcp adjust-mss 1360
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 548
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface FastEthernet0/0/0
     description Secondary ISP
     ip address 199.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface VLAN1
     description LAN
     ip address 192.168.1.1 255.255.255.0
    !
    interface GigabitEthernet0/1
     description Primary ISP
     ip address 200.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 53
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.1.0
     eigrp stub connected
     no auto-summary
    !
    !
    ip route 0.0.0.0 0.0.0.0 199.1.1.2 5
    ip route 0.0.0.0 0.0.0.0 200.1.1.2
    !
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end
    !!!SPOKE!!!
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    memory-size iomem 5
    !
    !
    ip cef
    !
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
    crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    !
    crypto ipsec profile dmvpn
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    crypto ipsec profile dmvpn2
     set security-association lifetime seconds 1800
     set transform-set aes256
     set pfs group5
    !
    !
    !
    interface VLAN1
     ip address 192.168.0.1 255.255.255.0
     no ip redirects
    !
    interface Tunnel0
     ip address 10.255.255.5 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication secret1
     ip nhrp map 10.255.255.1 200.1.1.1
     ip nhrp map multicast 200.1.1.1
     ip nhrp network-id 6
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.255.1
     ip nhrp registration timeout 30
     delay 1000
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 545
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel1
     ip address 10.255.254.5 255.255.255.0
     no ip redirects
     ip mtu 1440
     ip nhrp authentication secret1
     ip nhrp map 10.255.254.1 199.1.1.1
     ip nhrp map multicast 199.1.1.1
     ip nhrp network-id 7
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.254.1
     delay 1500
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel key 546
     tunnel protection ipsec profile dmvpn shared
    !
    interface Tunnel2
     ip address 10.255.253.5 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication secret1
     ip nhrp map multicast 200.1.1.1
     ip nhrp map 10.255.253.1 200.1.1.1
     ip nhrp network-id 8
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.253.1
     ip nhrp registration timeout 30
     delay 1000
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 547
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface Tunnel3
     ip address 10.255.252.5 255.255.255.0
     no ip redirects
     ip mtu 1440
     ip nhrp authentication secret1
     ip nhrp map multicast 199.1.1.1
     ip nhrp map 10.255.252.1 199.1.1.1
     ip nhrp network-id 9
     ip nhrp holdtime 300
     ip nhrp nhs 10.255.252.1
     delay 1500
     tunnel source FastEthernet0/0/0
     tunnel mode gre multipoint
     tunnel key 548
     tunnel protection ipsec profile dmvpn2 shared
    !
    interface FastEthernet0/0/0
     description Secondary Internet
     ip address 201.1.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description Primary Internet
     ip address 201.2.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    router eigrp 53
     distribute-list 1 out
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.0.0
     offset-list 1 out 12800 Tunnel1
     eigrp stub connected
     no auto-summary
    !
    !
    ip route 0.0.0.0 0.0.0.0 201.2.2.2
    ip route 0.0.0.0 0.0.0.0 201.1.1.2 5
    !
    !
    access-list 1 permit 192.168.0.0
    access-list 1 permit 10.255.255.0 0.0.0.255
    access-list 1 permit 10.255.254.0 0.0.0.255
    access-list 1 permit 10.255.253.0 0.0.0.255
    access-list 1 permit 10.255.252.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end

    Hello,
    Thanks for the response!
    I left the stub on the hub while troubleshooting, it has since been removed.
    By DPD, do you mean "crypto isakmp keepalive 10 periodic"? 
    I've since added that (spoke and hub), and while the tunnels work great (they fail over, can ping 10.255.25x.x), the routes do not update, which leads me to believe it's an EIGRP problem. Is there something else I should do for DPD?
    Thanks again
    Will
    Can't edit the original post, so:
    !Hub
    crypto isakmp keepalive 10 periodic
    router eigrp 53
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.1.0
     no auto-summary
    !Spoke
    crypto isakmp keepalive 10 periodic
    router eigrp 53
     network 10.255.252.0 0.0.0.255
     network 10.255.253.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 192.168.0.0
     eigrp stub connected
     no auto-summary

  • Configuring PFR with NAT - Dual ISP

    Hi,
    We are configuring the PfR feature on a router; this router has two connections to the Internet, from different providers. I have the following question:
    Is it possible to configure two pools for NAT translations, one pool for each internet provider?
    I attach the diagram.

    Thanks Julio.
    I have a second question.
    I was able to publish an internal server with the PfR function activated with two different ISPs and using static NAT for incoming connections without problem; however, when I try to publish an IPsec VPN server I cannot publish the ESP protocol with two different public addresses. The IOS only permits the publication of the ESP protocol using one public address. How can I publish the ESP protocol using two public addresses at the same time (ISPA-ISPB)?
    Regards.

  • Ipsec tunnel possible with Checkpoint ngx 6.5 and Cisco ISR-dual ISP?

    Hi Gurus,
    I have a requirement to fulfill in that there are 2 sites that I need to create an ipsec tunnel. A remote site running a Checkpoint ngx 6.5 and a local site with 2 different ISPs and 2 x ISR 29xx routers for both ISP and hardware redundancy. I have only done the vpn setup with one ISR and ISP1 so far.
    I am planning to have just 1 ISR (ISR1) and ISP1  being active at any given time. If ISP1 or ISR 1 goes out, all traffic should fail over to ISR2 with ISP2.
    Is this possible with the ISRs?
    Checkpoint does not appear to allow seeing the different ISRs with 2 possible WAN IP addresses with the same encryption domain or 'interesting traffic', so I am not sure if this will work at all.
    BGP won't be used.
    I have looked at ip sla, pbr, and it appears that the best I could achieve would be vpn traffic via ISR1 and ISP1, and could failover only the non vpn traffic to ISR2 and ISP2.  Please correct me if I am wrong....many thanks.
    Any ideas will be greatly appreciated..
    Civicfan

    I found the problem but don't know how to fix it now!
    The problem is on siteB, which uses the same ACL name "siteA" in both sequence numbers in crypto map "outside_map":
    crypto map outside_map 9 match address SiteA
    crypto map outside_map 9 set peer 212.89.229.xx
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    crypto map outside_map 10 match address SiteA
    crypto map outside_map 10 set peer 212.89.235.yy
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    If I remove:
    no crypto map outside_map 9 match address SiteA
    the IPsec through the 2nd ISP on siteA is working correctly
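
The duplicate match described in the post above, as an added example that is not code from the thread: crypto map entries are evaluated in ascending sequence order, so when two entries of one map match the same ACL, traffic this device initiates is claimed by the lower sequence number. The script flags that pattern; the sample input is the post's own lines with the peers masked as posted, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map lines quoted in the post, peers masked as posted.
SAMPLE = """\
crypto map outside_map 9 match address SiteA
crypto map outside_map 9 set peer 212.89.229.xx
crypto map outside_map 9 set transform-set ESP-AES-256-SHA
crypto map outside_map 9 set security-association lifetime seconds 28800
crypto map outside_map 9 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address SiteA
crypto map outside_map 10 set peer 212.89.235.yy
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
"""

# Only the two statements that decide which peer receives which traffic.
LINE = re.compile(r"^\s*crypto map (\S+) (\d+) (match address|set peer) (.+?)\s*$")


def parse_crypto_maps(text):
    """Return {map_name: {seq: {"acl": str or None, "peers": [str, ...]}}}."""
    maps = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        name, seq, kind, value = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        entry = maps[name].setdefault(seq, {"acl": None, "peers": []})
        if kind == "match address":
            entry["acl"] = value          # ACL names are compared case-sensitively
        else:
            entry["peers"].extend(value.split())
    return maps


def find_shadowed(text):
    """Report entries whose ACL is already matched by a lower sequence number."""
    findings = []
    for name, entries in parse_crypto_maps(text).items():
        first_seen = {}                   # ACL name -> sequence number that wins
        for seq in sorted(entries):
            acl = entries[seq]["acl"]
            if acl is None:
                continue
            if acl in first_seen:
                findings.append({
                    "map": name,
                    "acl": acl,
                    "winning_seq": first_seen[acl],
                    "shadowed_seq": seq,
                    "shadowed_peers": entries[seq]["peers"],
                })
            else:
                first_seen[acl] = seq
    return findings


if __name__ == "__main__":
    for f in find_shadowed(SAMPLE):
        print("{map}: seq {shadowed_seq} (peers {shadowed_peers}) reuses ACL {acl}, "
              "already matched by seq {winning_seq}".format(**f))
```
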

  • DMVPN Dual ISPs with EIGRP

    Hi expert,
    I am facing an EIGRP routing issue. Can anyone kindly assist?
    The topology is as below; each router has only two tunnels, and all run in the same EIGRP AS.
    Here is my question (in red with underline):
    R2: sh ip ro
    D    192.168.30.0/24 [90/310172416] via 192.168.1.1, 01:08:05, Tunnel1
                         [90/310172416] via 192.168.0.3, 01:08:05, Tunnel0
    R3: sh ip ro
    D    192.168.20.0/24 [90/310172416] via 192.168.1.1, 01:12:25, Tunnel1
                         [90/310172416] via 192.168.0.2, 01:12:25, Tunnel0
    The result above is not what I expected. As I understand it:
    at R2, 192.168.30.0 learned from Tunnel1 should be via 192.168.1.3, not the red one
    at R3, 192.168.20.0 learned from Tunnel1 should be via 192.168.1.2, not the red one
    Because it is via 192.168.1.1, that means the traffic must go through R1 (spoke to hub), not spoke to spoke. Am I right?
    I hope the route between R2 and R3 can always use the spoke-to-spoke tunnel.
    I also checked the NHRP and IPsec status; everything looks to be working properly except the EIGRP route I mentioned above.
    Here is configuration:
    R1:
    interface Loopback0
     ip address 192.168.10.254 255.255.255.0
    interface Tunnel0
     ip address 192.168.0.1 255.255.255.0
     no ip redirects
     ip accounting output-packets
     ip hold-time eigrp 1 35
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     ip nhrp holdtime 10
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.16.15.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    interface Tunnel1
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     ip accounting output-packets
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map multicast dynamic
     ip nhrp network-id 2
     ip nhrp holdtime 10
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.17.15.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    router eigrp 1
     network 192.168.0.0
     network 192.168.1.0
     network 192.168.10.0
     no auto-summary
    R2:
    interface Tunnel0
     ip address 192.168.0.2 255.255.255.0
     no ip redirects
     ip hold-time eigrp 1 35
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.0.1 172.16.15.2
     ip nhrp map multicast 172.16.15.2
     ip nhrp network-id 1
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.0.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.16.25.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    interface Tunnel1
     ip address 192.168.1.2 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.1.1 172.17.15.2
     ip nhrp map multicast 172.17.15.2
     ip nhrp network-id 2
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.1.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.17.25.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    router eigrp 1
     network 192.168.0.0
     network 192.168.1.0
     network 192.168.20.0
     no auto-summary
    R3
    interface Loopback0
     ip address 192.168.30.254 255.255.255.0
    interface Tunnel0
     ip address 192.168.0.3 255.255.255.0
     no ip redirects
     ip hold-time eigrp 1 35
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.0.1 172.16.15.2
     ip nhrp map multicast 172.16.15.2
     ip nhrp network-id 1
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.0.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.16.35.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    interface Tunnel1
     ip address 192.168.1.3 255.255.255.0
     no ip redirects
     no ip next-hop-self eigrp 1
     ip nhrp authentication cisco123
     ip nhrp map 192.168.1.1 172.17.15.2
     ip nhrp map multicast 172.17.15.2
     ip nhrp network-id 2
     ip nhrp holdtime 10
     ip nhrp nhs 192.168.1.1
     ip nhrp cache non-authoritative
     no ip split-horizon eigrp 1
     tunnel source 172.17.35.2
     tunnel mode gre multipoint
     tunnel protection ipsec profile DMVPN
    router eigrp 1
     network 192.168.0.0
     network 192.168.1.0
     network 192.168.30.0

    Hi AllertGen,
    Each router's Tunnel0 and Tunnel1 work well; they can all ping each other's IPs via Tunnel0 and Tunnel1 (192.168.0.0/24 & 192.168.1.0/24),
    and each router also has two physical interfaces connected to different ISPs.
    In this topology, my purpose is that, spoke to spoke, they will have two routes via two NHRP clouds. I keep the same EIGRP priority at each router just for equal-cost load sharing; the more important thing is the next-hop IP.
    Actually, the IPsec function is not my concern so far. I just tried your suggestion to add "shared" at the end of the line; it still has the same result. But as I understand it, if there is anything wrong with the IPsec profile, the tunnel won't work well, am I right?
    Thanks for your kind assistance.
    Here are some show results from each router; I hope that's helpful.
    R1
    R1#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            172.16.15.2     YES NVRAM  up                    up      
    FastEthernet0/1            172.17.15.2     YES NVRAM  up                    up      
    Loopback0                  192.168.10.254  YES NVRAM  up                    up      
    Tunnel0                    192.168.0.1     YES NVRAM  up                    up      
    Tunnel1                    192.168.1.1     YES NVRAM  up                    up    
    R1#sh dmvpn 
    Tunnel0, Type:Hub, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.16.25.2     192.168.0.2    UP    never D    
         1     172.16.35.2     192.168.0.3    UP    never D    
    Tunnel1, Type:Hub, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.17.25.2     192.168.1.2    UP    never D    
         1     172.17.35.2     192.168.1.3    UP    never D 
    R1#sh ip eigrp top
    P 192.168.10.0/24, 1 successors, FD is 128256
            via Connected, Loopback0
    P 192.168.0.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel0
    P 192.168.1.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel1
    P 192.168.30.0/24, 2 successors, FD is 297372416
            via 192.168.0.3 (297372416/128256), Tunnel0
            via 192.168.1.3 (297372416/128256), Tunnel1
    P 192.168.20.0/24, 2 successors, FD is 297372416
            via 192.168.0.2 (297372416/128256), Tunnel0
            via 192.168.1.2 (297372416/128256), Tunnel1
    R1#sh ip nhrp 
    192.168.0.2/32 via 192.168.0.2, Tunnel0 created 20:53:39, expire 00:00:07
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.16.25.2 
    192.168.0.3/32 via 192.168.0.3, Tunnel0 created 20:53:38, expire 00:00:08
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.16.35.2 
    192.168.1.2/32 via 192.168.1.2, Tunnel1 created 4d17h, expire 00:00:07
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.17.25.2 
    192.168.1.3/32 via 192.168.1.3, Tunnel1 created 4d17h, expire 00:00:08
      Type: dynamic, Flags: unique nat registered used 
      NBMA address: 172.17.35.2 
    R2
    R2#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            172.16.25.2     YES NVRAM  up                    up      
    FastEthernet0/1            172.17.25.2     YES NVRAM  up                    up      
    Loopback0                  192.168.20.254  YES NVRAM  up                    up      
    Tunnel0                    192.168.0.2     YES NVRAM  up                    up      
    Tunnel1                    192.168.1.2     YES NVRAM  up                    up      
    R2#sh dmvpn 
    Tunnel0, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.16.15.2     192.168.0.1    UP    4d17h S    
         1     172.16.35.2     192.168.0.3    UP    never D    
    Tunnel1, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.17.15.2     192.168.1.1    UP    4d17h S    
         1     172.17.35.2     192.168.1.3    UP    never D    
    R2#sh ip eigrp topology 
    P 192.168.10.0/24, 2 successors, FD is 297372416
            via 192.168.0.1 (297372416/128256), Tunnel0
            via 192.168.1.1 (297372416/128256), Tunnel1
    P 192.168.0.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel0
    P 192.168.1.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel1
    P 192.168.30.0/24, 2 successors, FD is 310172416
           192.168.0.3 via 192.168.0.1 (310172416/297372416), Tunnel0
            via 192.168.1.1 (310172416/297372416), Tunnel1
    P 192.168.20.0/24, 1 successors, FD is 128256
            via Connected, Loopback0
    R2#sh ip nhrp 
    192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d20h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.16.15.2 
    192.168.0.3/32 via 192.168.0.3, Tunnel0 created 00:00:14, expire 00:00:51
      Type: dynamic, Flags: router nat 
      NBMA address: 172.16.35.2 
    192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d20h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.17.15.2 
    192.168.1.3/32 via 192.168.1.3, Tunnel1 created 00:00:12, expire 00:00:53
      Type: dynamic, Flags: router nat 
      NBMA address: 172.17.35.2
    R3
    R3#sh ip int bri
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            172.16.35.2     YES NVRAM  up                    up      
    FastEthernet0/1            172.17.35.2     YES NVRAM  up                    up      
    Loopback0                  192.168.30.254  YES NVRAM  up                    up      
    Tunnel0                    192.168.0.3     YES NVRAM  up                    up      
    Tunnel1                    192.168.1.3     YES NVRAM  up                    up      
    R3#sh dmvpn        
    Tunnel0, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.16.15.2     192.168.0.1    UP    4d17h S    
         1     172.16.25.2     192.168.0.2    UP    never D    
    Tunnel1, Type:Spoke, NHRP Peers:2, 
     # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1     172.17.15.2     192.168.1.1    UP    4d17h S    
         1     172.17.25.2     192.168.1.2    UP    never D    
    R3#sh ip eigrp topology 
    P 192.168.10.0/24, 2 successors, FD is 297372416
            via 192.168.0.1 (297372416/128256), Tunnel0
            via 192.168.1.1 (297372416/128256), Tunnel1
    P 192.168.0.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel0
    P 192.168.1.0/24, 1 successors, FD is 297244416
            via Connected, Tunnel1
    P 192.168.30.0/24, 1 successors, FD is 128256
            via Connected, Loopback0
    P 192.168.20.0/24, 2 successors, FD is 310172416
           192.168.0.2 via 192.168.0.1 (310172416/297372416), Tunnel0
            via 192.168.1.1 (310172416/297372416), Tunnel1
    R3#sh ip nhrp 
    192.168.0.1/32 via 192.168.0.1, Tunnel0 created 4d17h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.16.15.2 
    192.168.0.2/32 via 192.168.0.2, Tunnel0 created 00:00:43, expire 00:00:22
      Type: dynamic, Flags: router nat 
      NBMA address: 172.16.25.2 
    192.168.1.1/32 via 192.168.1.1, Tunnel1 created 4d17h, never expire 
      Type: static, Flags: nat used 
      NBMA address: 172.17.15.2 
    192.168.1.2/32 via 192.168.1.2, Tunnel1 created 00:01:02, expire 00:00:48
      Type: dynamic, Flags: router nat implicit used 
      NBMA address: 172.17.25.2 

  • PBR using dual ISP and single LAN subnet

    Hello,
    I have 2 ISP connections on the Cisco router 29121 i.e. Leased Line and PPPoe and single LAN subnet
    I want to use PBR.
    I want to allow ip traffic destined for  1.1.1.1,2.2.2.2,3.3.3.3 ( Fictitious IP) to go through Lease Line
    and all other traffic through PPPoe
    Please help me to achieve this.
    Thanks in advance.

    Wow, great, thanks cadet alain
    It is working as desired.
    This is my current config. I just want your help with one last thing:
    If the leased line goes down, I want to direct the users to PPPoE.
    However, if PPPoE goes down, the users should NOT BE directed to the leased line.
    int gi0/0
     description << Leased Line >>
     ip address 100.100.100.101 255.255.255.252
     ip nat outside
     no shut
    int gi0/2
     description << LAN Subnet>>
     ip address 10.1.50.1
     ip nat inside
     ip policy route-map lease
     no shut
    interface Dialer0
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in max-reassemblies 512
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     ppp authentication pap chap callin
     ppp chap hostname XXXXXXXXXXXXXXX
     ppp chap password 0 9860
     ppp pap sent-username XXXXXXXXXXXXXXX  password 0 9860
     no cdp enable
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no shut
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    access-list 100 permit ip 10.1.50.0 0.0.0.255
    route-map lease permit 10
     match ip address 100
     match interface gi0/0
    route-map pppoe permit 10
     match ip address 100
     match interface dialer 0
    ip nat inside source route-map lease interface gi0/0 overload
    ip nat inside source route-map pppoe interface dialer 0 overload
    access-list 101 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
    access-list 101 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2
    route-map PBR permit 10
     match ip address 101
     set ip next-hop 100.100.100.102
    ip route 0.0.0.0 0.0.0.0 dialer0
    ip route 0.0.0.0 0.0.0.0 100.100.100.102
