How to load balance across 2 ISPs with non-portable address space and cisco ip cef

This is a heavily redacted ("munged") copy of a working configuration: public addresses, internal addresses, gateways and server names have been replaced with placeholders such as ISP1.RANGE.x, RFC.ADDR.x, ISP2.ROUTER, NTP.SERVERS and EMAIL.RELAY, so it will not paste in as-is. The `track 1`/`track 2` objects referenced by the default routes are also not included below.

!
! CEF per-destination load sharing keeps each src/dst flow on a single ISP, which the
! interface-matched NAT route-maps (ISP1-map / ISP2-map) presumably rely on.
! NOTE(review): 'original' hashes only src/dst with no per-router seed; 'universal'
! is the usual default -- confirm the reason for 'original' before keeping it.
ip cef load-sharing algorithm original
!
interface GigabitEthernet0/0/0
 description internal to FIREWALL
 ip address RFC.ADDR.2.1 255.255.255.0
 ! NAT inside: traffic entering here is translated on its way out Gi0/0/4 or Gi0/0/5
 ip nat inside
 ! pins the statically NATed servers (ISP1-pbr-hosts / ISP2-pbr-hosts) to the ISP
 ! that owns their public address; everything else follows the routing table
 ip policy route-map pbr-routed-servers
 negotiation auto
 ! NOTE(review): CDP is enabled only on the inside interface here; confirm it is
 ! disabled on the two ISP-facing interfaces (not visible in this listing)
 cdp enable
!
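interface GigabitEthernet0/0/4
 description ISP2 internet connection
 ! informational (IGP metrics / QoS percentages); CEF load sharing does not use it
 bandwidth 300000
 ip address ISP2.RANGE.210 255.255.255.252
 ! NOTE(review): this also suppresses ICMP 'fragmentation needed', which can break
 ! PMTUD for flows through this link -- confirm MTUs are uniform end to end
 no ip unreachables
 ! added: an internet-facing interface should neither send ICMP redirects nor
 ! proxy-ARP for other hosts. NAT's own alias entries should still answer ARP for
 ! the static and pool addresses -- verify with 'show ip aliases' after applying
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ! stateless inbound filter; there is no egress filter on this link
 ip access-group inbound-ISP2-filter-20151001-01 in
 negotiation auto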
!
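interface GigabitEthernet0/0/5
 description ISP1 internet connection
 ! informational (IGP metrics / QoS percentages); CEF load sharing does not use it
 bandwidth 250000
 ip address ISP1.RANGE.194 255.255.255.192
 ! NOTE(review): this also suppresses ICMP 'fragmentation needed', which can break
 ! PMTUD for flows through this link -- confirm MTUs are uniform end to end
 no ip unreachables
 ! added: an internet-facing interface should neither send ICMP redirects nor
 ! proxy-ARP for other hosts. NAT's own alias entries should still answer ARP for
 ! the static and pool addresses -- verify with 'show ip aliases' after applying
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ! stateless inbound filter; there is no egress filter on this link
 ip access-group inbound-ISP1-filter-20151001-01 in
 negotiation auto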
!
! router-originated packets get the same treatment as the servers: anything sourced
! from an ISP interface address is forced out through that ISP's gateway, so the
! SLA probes and the router's own NTP/ICMP leave on the matching link
ip local policy route-map pbr-router-traffic
!
! PAT pools, one per ISP, each four addresses out of that ISP's block
ip nat pool ISP2-pool ISP2.RANGE.4 ISP2.RANGE.7 prefix-length 26
ip nat pool ISP1-pool ISP1.RANGE.196 ISP1.RANGE.199 prefix-length 26
!
! one-to-one translations for published servers.
! NOTE(review): static entries are not scoped to an egress interface, so each host
! below must always leave via the ISP that owns its public address -- that is what
! pbr-routed-servers on Gi0/0/0 enforces. Every host listed here is present in the
! matching *-pbr-hosts ACL; keep the two lists in step when adding a server, or the
! host would presumably leave the other ISP with a source address that ISP may drop.
ip nat inside source static RFC.ADDR.1.16 ISP1.RANGE.207
ip nat inside source static RFC.ADDR.1.144 ISP1.RANGE.211
ip nat inside source static RFC.ADDR.2.2 ISP2.RANGE.11
ip nat inside source static RFC.ADDR.3.4 ISP2.RANGE.12
ip nat inside source static RFC.ADDR.3.3 ISP2.RANGE.13
ip nat inside source static RFC.ADDR.1.15 ISP2.RANGE.15
ip nat inside source static RFC.ADDR.1.13 ISP2.RANGE.16
ip nat inside source static RFC.ADDR.3.19 ISP2.RANGE.19
! everything else is PATed; the route-map selects the pool from the egress interface
ip nat inside source route-map ISP1-map pool ISP1-pool overload
ip nat inside source route-map ISP2-map pool ISP2-pool overload
!
! two equal-cost defaults -> CEF shares flows across both ISPs; each default is
! withdrawn when its tracking object goes down.
! NOTE(review): the 'track 1' / 'track 2' object definitions (track N ip sla N
! reachability, ideally with delay timers) are not in this listing -- confirm they
! exist, otherwise these routes will not install
ip route 0.0.0.0 0.0.0.0 ISP1.ROUTER track 1
ip route 0.0.0.0 0.0.0.0 ISP2.ROUTER track 2
!
! host routes pin each ISP gateway to its own link so the SLA probes and the PBR
! next hops can never be reached through the other ISP
ip route ISP1.ROUTER 255.255.255.255 GigabitEthernet0/0/5
ip route ISP2.ROUTER 255.255.255.255 GigabitEthernet0/0/4
!
! management source filter.
! NOTE(review): it is not applied anywhere in this listing (no 'access-class
! admin-traffic in' under line vty is shown) -- confirm it is actually in use.
! Also, the wildcard 0.0.255.255 matches a whole /16, wider than the .1.0 suggests.
ip access-list standard admin-traffic
 permit RFC.INTERNAL.1.0 0.0.255.255
 deny   any
! match lists for the NAT route-maps: everything is PATed except packets sourced
! from the router's own ISP1 interface address (router traffic must not be translated)
ip access-list standard ISP1-nat-ips
 deny   ISP1.RANGE.194
 permit any
! inside hosts with a static ISP1 address -- must be routed via ISP1 (see pbr-routed-servers)
ip access-list standard ISP1-pbr-hosts
 permit RFC.ADDR.1.144
 permit RFC.ADDR.1.16
! same for ISP2: exclude the router's own ISP2 interface address from PAT
ip access-list standard ISP2-nat-ips
 deny   ISP2.RANGE.210
 permit any
! inside hosts with a static ISP2 address -- must be routed via ISP2
ip access-list standard ISP2-pbr-hosts
 permit RFC.ADDR.2.2
 permit RFC.ADDR.3.19
 permit RFC.ADDR.3.3
 permit RFC.ADDR.3.4
 permit RFC.ADDR.1.13
 permit RFC.ADDR.1.15
!
! used by the local policy: packets the router sources from its ISP1 address
ip access-list extended ISP1-router-address
 permit ip host ISP1.RANGE.194 any
!
! used by the local policy: packets the router sources from its ISP2 address
ip access-list extended ISP2-router-address
 permit ip host ISP2.RANGE.210 any
!
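ip access-list extended inbound-ISP1-filter-20151001-01
 remark ---|
 remark ---| deny special addresses: bogon/RFC1918/link-local sources are never legitimate
 deny   ip host 0.0.0.0 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 remark ---| (fixed: the next two entries were missing an octet and would be rejected by IOS)
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark ---| added: remaining non-routable ranges (CGNAT, benchmarking, TEST-NET-2/3, IETF)
 deny   ip 100.64.0.0 0.63.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   icmp any any fragments
 remark ---| anti-spoof: our own ISP2 space must never be a source on the ISP1 link
 deny   ip ISP2.RANGE.0 0.0.0.63 any log-input
 deny   ip ISP2.RANGE.208 0.0.0.3 any log-input
 remark ---|
 remark ---| deny microsoft scans (explicit so they never reach the broad pool permits below)
 deny   tcp any any eq 445
 deny   tcp any any eq msrpc
 deny   tcp any any eq 139
 deny   tcp any any eq 3389
 remark ---|
 remark ---| allow icmp diagnostic to router, NTP only from our peers, nothing else
 permit icmp any host ISP1.RANGE.194 echo
 permit icmp any host ISP1.RANGE.194 echo-reply
 permit icmp any host ISP1.RANGE.194 unreachable
 permit icmp any host ISP1.RANGE.194 time-exceeded
 permit icmp any host ISP1.RANGE.194 packet-too-big
 remark ---| (probably three distinct NTP peers, collapsed to one placeholder by the redaction)
 permit udp host NTP.SERVERS eq ntp host ISP1.RANGE.194 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP1.RANGE.194 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP1.RANGE.194 eq ntp
 deny   ip any host ISP1.RANGE.194
 remark ---|
 remark ---| allow back open connections
 remark ---| NOTE(review): 'established' only tests ACK/RST bits (stateless); ACK scans pass
 permit tcp any ISP1.RANGE.192 0.0.0.63 established
 remark ---| NOTE(review): source-port matches are spoofable -- a sender using sport 53 or
 remark ---| 123 reaches ANY udp port in the block; reflexive ACLs or ZBF would be stateful
 permit udp any eq domain ISP1.RANGE.192 0.0.0.63
 permit udp any eq ntp ISP1.RANGE.192 0.0.0.63
 permit icmp any ISP1.RANGE.192 0.0.0.63 echo-reply
 permit icmp any ISP1.RANGE.192 0.0.0.63 time-exceeded
 permit icmp any ISP1.RANGE.192 0.0.0.63 unreachable
 permit icmp any ISP1.RANGE.192 0.0.0.63 packet-too-big
 remark ---| NOTE(review): this blanket icmp permit makes the four above redundant and admits
 remark ---| redirect/timestamp/mask-request to every host; drop it unless echo to all is needed
 permit icmp any ISP1.RANGE.192 0.0.0.63
 remark ---|
 remark ---| allow internal to do anything: any tcp/udp to the PAT pool addresses; unsolicited
 remark ---| packets are presumably dropped for lack of a translation -- verify, not stateful
 permit udp any ISP1.RANGE.196 0.0.0.3
 permit tcp any ISP1.RANGE.196 0.0.0.3
 remark ---|
 remark ---| allow email to exchange (static NAT .207 -> RFC.ADDR.1.16), only from the relay block
 permit tcp EMAIL.RELAY.0 0.0.15.255 host ISP1.RANGE.207 eq smtp
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- ssl
 permit tcp any host ISP1.RANGE.204 eq 443
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- pptp/gre
 remark ---| NOTE(review): PPTP (MS-CHAPv2) is considered broken; retire it if the clients allow
 permit tcp any host ISP1.RANGE.204 eq 1723
 permit gre any host ISP1.RANGE.204
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- l2tp/ikev1/ikev2
 permit esp any host ISP1.RANGE.204
 permit udp any host ISP1.RANGE.204 eq isakmp
 permit udp any host ISP1.RANGE.204 eq non500-isakmp
 remark ---|
 remark ---| PARTNER access to aspera (static NAT .211 -> RFC.ADDR.1.144)
 remark ---| NOTE(review): 'any' source for ssh/fasp -- restrict to the partner's prefixes if known
 permit icmp any host ISP1.RANGE.211
 permit tcp any host ISP1.RANGE.211 eq 22
 permit udp any host ISP1.RANGE.211 eq 33001
 deny   ip any any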
!
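ip access-list extended inbound-ISP2-filter-20151001-01
 remark ---|
 remark ---| deny special addresses: bogon/RFC1918/link-local sources are never legitimate
 deny   ip host 0.0.0.0 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 remark ---| (fixed: the next two entries were missing an octet and would be rejected by IOS)
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark ---| added: remaining non-routable ranges (CGNAT, benchmarking, TEST-NET-2/3, IETF)
 deny   ip 100.64.0.0 0.63.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   icmp any any fragments
 remark ---| anti-spoof: our own ISP1 and ISP2 space must never be a source on this link
 remark ---| (log-input added to match the ISP1 filter)
 deny   ip ISP1.RANGE.192 0.0.0.63 any log-input
 deny   ip ISP2.RANGE.0 0.0.0.63 any log-input
 remark ---|
 remark ---| deny microsoft scans (explicit so they never reach the broad pool permits below)
 deny   tcp any any eq 445
 deny   tcp any any eq msrpc
 deny   tcp any any eq 139
 deny   tcp any any eq 3389
 remark ---|
 remark ---| allow icmp diagnostic to router, NTP only from our peers, nothing else
 permit icmp any host ISP2.RANGE.210 echo
 permit icmp any host ISP2.RANGE.210 echo-reply
 permit icmp any host ISP2.RANGE.210 unreachable
 permit icmp any host ISP2.RANGE.210 time-exceeded
 permit icmp any host ISP2.RANGE.210 packet-too-big
 remark ---| (probably three distinct NTP peers, collapsed to one placeholder by the redaction)
 permit udp host NTP.SERVERS eq ntp host ISP2.RANGE.210 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP2.RANGE.210 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP2.RANGE.210 eq ntp
 deny   ip any host ISP2.RANGE.210
 remark ---|
 remark ---| allow back open connections
 remark ---| fixed: was 'permit tcp any any established', which let ACK-flagged packets arriving
 remark ---| on this link reach the ISP1 block (and its static NATs) without the ISP1 filter
 remark ---| NOTE(review): 'established' only tests ACK/RST bits (stateless); ACK scans pass
 permit tcp any ISP2.RANGE.0 0.0.0.63 established
 remark ---| NOTE(review): source-port matches are spoofable -- a sender using sport 53 or
 remark ---| 123 reaches ANY udp port in the block; reflexive ACLs or ZBF would be stateful
 permit udp any eq domain ISP2.RANGE.0 0.0.0.63
 permit udp any eq ntp ISP2.RANGE.0 0.0.0.63
 permit icmp any ISP2.RANGE.0 0.0.0.63 echo-reply
 permit icmp any ISP2.RANGE.0 0.0.0.63 time-exceeded
 permit icmp any ISP2.RANGE.0 0.0.0.63 unreachable
 permit icmp any ISP2.RANGE.0 0.0.0.63 packet-too-big
 remark ---| NOTE(review): this blanket icmp permit makes the four above redundant and admits
 remark ---| redirect/timestamp/mask-request to every host; drop it unless echo to all is needed
 permit icmp any ISP2.RANGE.0 0.0.0.63
 remark ---|
 remark ---| allow internal to do anything: any tcp/udp to the PAT pool addresses; unsolicited
 remark ---| packets are presumably dropped for lack of a translation -- verify, not stateful
 permit udp any ISP2.RANGE.4 0.0.0.3
 permit tcp any ISP2.RANGE.4 0.0.0.3
 remark ---|
 remark ---| allow vpn to vpn (static NATs .12 -> RFC.ADDR.3.4, .13 -> RFC.ADDR.3.3)
 remark ---| NOTE(review): binding the SOURCE port to 500/4500 drops peers behind NAT whose
 remark ---| source port was rewritten; the .11 entries below (no source match) are more robust
 remark ---| NOTE(review): IKE and NAT-T run over UDP; the tcp/500 and tcp/4500 lines are
 remark ---| unusual -- confirm a peer really uses TCP encapsulation, otherwise remove them
 permit esp any host ISP2.RANGE.12
 permit udp any eq isakmp host ISP2.RANGE.12 eq isakmp
 permit udp any eq non500-isakmp host ISP2.RANGE.12 eq non500-isakmp
 permit tcp any eq 500 host ISP2.RANGE.12 eq 500
 permit tcp any eq 4500 host ISP2.RANGE.12 eq 4500
 permit icmp any host ISP2.RANGE.12
 deny   ip any host ISP2.RANGE.12
 permit esp any host ISP2.RANGE.13
 permit udp any eq isakmp host ISP2.RANGE.13 eq isakmp
 permit udp any eq non500-isakmp host ISP2.RANGE.13 eq non500-isakmp
 permit tcp any eq 500 host ISP2.RANGE.13 eq 500
 permit tcp any eq 4500 host ISP2.RANGE.13 eq 4500
 permit icmp any host ISP2.RANGE.13
 remark ---|
 remark ---| permit ftp to ftp (static NAT .19 -> RFC.ADDR.3.19)
 permit tcp any host ISP2.RANGE.19 eq ftp
 remark ---| NOTE(review): inbound to dport 20 is needed by neither active nor passive mode
 permit tcp any host ISP2.RANGE.19 eq ftp-data
 remark ---| permit passive ftp connections
 remark ---| NOTE(review): exposes every port above 1023 on the ftp host to any high-port
 remark ---| source; pin the server's PASV range and match only that, or use FTP inspection
 permit tcp any gt 1023 host ISP2.RANGE.19 gt 1023
 permit icmp any host ISP2.RANGE.19 echo
 permit icmp any host ISP2.RANGE.19 unreachable
 remark ---|
 remark ---| allow email to exchange (static NAT .16 -> RFC.ADDR.1.13), only from the relay block
 permit tcp EMAIL.RELAY 0.0.15.255 host ISP2.RANGE.16 eq smtp
 remark ---|
 remark ---| allow other services to INTERNAL.SERVER (static NAT .15 -> RFC.ADDR.1.15)
 remark ---| NOTE(review): 80/143/110 are cleartext; if they carry logins prefer 443/993/995 only
 permit tcp any host ISP2.RANGE.15 eq www
 permit tcp any host ISP2.RANGE.15 eq 443
 permit tcp any host ISP2.RANGE.15 eq 993
 permit tcp any host ISP2.RANGE.15 eq 995
 permit tcp any host ISP2.RANGE.15 eq 143
 permit tcp any host ISP2.RANGE.15 eq pop3
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- ssl (static NAT .11 -> RFC.ADDR.2.2)
 permit tcp any host ISP2.RANGE.11 eq 443
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- pptp/gre
 remark ---| NOTE(review): PPTP (MS-CHAPv2) is considered broken; retire it if the clients allow
 permit tcp any host ISP2.RANGE.11 eq 1723
 permit gre any host ISP2.RANGE.11
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- l2tp/ikev1/ikev2
 permit esp any host ISP2.RANGE.11
 permit udp any host ISP2.RANGE.11 eq isakmp
 permit udp any host ISP2.RANGE.11 eq non500-isakmp
 deny   ip any any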
!
! ISP1 liveness: ICMP echo to the ISP1 gateway every 5 s, sourced from the
! ISP1-facing interface; no reply within 1000 ms counts as a failure. 'threshold 2'
! is in milliseconds and only feeds the over-threshold counters, not up/down.
! NOTE(review): the target is the directly attached gateway, so an upstream outage
! with the link still up goes undetected; probe an address beyond the ISP (with a
! host route pinned to Gi0/0/5) and add 'delay down X up Y' on the track objects
! to dampen flapping. The 'track 1'/'track 2' objects the default routes reference
! are not part of this listing.
ip sla 1
 icmp-echo ISP1.ROUTER source-interface GigabitEthernet0/0/5
 threshold 2
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
! ISP2 liveness, same shape as above (same caveats apply)
ip sla 2
 icmp-echo ISP2.ROUTER source-interface GigabitEthernet0/0/4
 threshold 2
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
!
! local policy (see 'ip local policy'): router-sourced packets leave via the
! gateway of whichever ISP interface address they carry. Packets matching neither
! ACL (e.g. sourced from the inside address) fall through to the routing table.
route-map pbr-router-traffic permit 10
 match ip address ISP2-router-address
 set ip next-hop ISP2.ROUTER
!
route-map pbr-router-traffic permit 20
 match ip address ISP1-router-address
 set ip next-hop ISP1.ROUTER
!
! applied inbound on Gi0/0/0: the statically NATed servers are forced to the ISP
! that owns their public address regardless of which default CEF would pick.
! NOTE(review): 'set ip next-hop' ignores the tracking objects, so if ISP2 fails
! while its link stays up these hosts keep being sent to ISP2.ROUTER.
! 'set ip next-hop verify-availability ISP2.ROUTER 10 track 2' would fall through
! to the routing table instead; with static NAT that fallback leaves ISP1 carrying
! an ISP2-owned source address, which ISP1 may drop, so the hard pin may be
! deliberate -- decide and document either way.
route-map pbr-routed-servers permit 10
 match ip address ISP2-pbr-hosts
 set ip next-hop ISP2.ROUTER
!
route-map pbr-routed-servers permit 20
 match ip address ISP1-pbr-hosts
 set ip next-hop ISP1.ROUTER
!
! NAT pool selection: a packet is PATed into ISP2-pool only when it is leaving via
! Gi0/0/4 and is not sourced from the router's own ISP2 address (ISP2-nat-ips).
! Both 'match' clauses must be true, so a flow CEF sends out ISP1 never gets an
! ISP2 pool address.
route-map ISP2-map permit 10
 match ip address ISP2-nat-ips
 match interface GigabitEthernet0/0/4
!
! same for ISP1: PAT into ISP1-pool only on egress via Gi0/0/5
route-map ISP1-map permit 10
 match ip address ISP1-nat-ips
 match interface GigabitEthernet0/0/5
!

