How to load balance across 2 ISPs with non-portable address space and Cisco IP CEF
This is a highly munged but working version. The pieces that make it hang together:
- CEF per-destination load sharing over two equal-cost default routes, each tied to a track object fed by an IP SLA ICMP probe of that ISP's next hop, so a dead upstream drops out of the routing table.
- One overloaded NAT pool per ISP, chosen by a route-map that matches on the egress interface, so every outbound flow is translated to an address the ISP it actually leaves through owns.
- Static NATs for the published servers, plus policy routing on the inside interface (pbr-routed-servers) pinning each of those hosts to the ISP that owns its public address. Without that, a reply could be load-shared out the other link with a source address that ISP will drop.
- A local policy route-map so the router's own traffic sourced from either outside interface address (the SLA probes included) leaves through the matching ISP.
- An inbound filter on each outside interface that drops bogons and packets sourced from the site's own public ranges, allows only ICMP diagnostics and NTP to the router itself, and opens specific ports on specific published addresses.
Two caveats: the failover only helps pooled (PAT) traffic, since a statically NATted host is tied to one ISP's addresses and goes dark with it, and the SLA probes only test the ISP's first hop, not reachability beyond it.
!
ip cef load-sharing algorithm original
!
interface GigabitEthernet0/0/0
 description internal to FIREWALL
 ip address RFC.ADDR.2.1 255.255.255.0
 ip nat inside
 ip policy route-map pbr-routed-servers
 negotiation auto
 cdp enable
!
interface GigabitEthernet0/0/4
 description ISP2 internet connection
 bandwidth 300000
 ip address ISP2.RANGE.210 255.255.255.252
 no ip unreachables
 ip nat outside
 ip access-group inbound-ISP2-filter-20151001-01 in
 negotiation auto
!
interface GigabitEthernet0/0/5
 description ISP1 internet connection
 bandwidth 250000
 ip address ISP1.RANGE.194 255.255.255.192
 no ip unreachables
 ip nat outside
 ip access-group inbound-ISP1-filter-20151001-01 in
 negotiation auto
!
ip local policy route-map pbr-router-traffic
!
ip nat pool ISP2-pool ISP2.RANGE.4 ISP2.RANGE.7 prefix-length 26
ip nat pool ISP1-pool ISP1.RANGE.196 ISP1.RANGE.199 prefix-length 26
!
ip nat inside source static RFC.ADDR.1.16 ISP1.RANGE.207
ip nat inside source static RFC.ADDR.1.144 ISP1.RANGE.211
ip nat inside source static RFC.ADDR.2.2 ISP2.RANGE.11
ip nat inside source static RFC.ADDR.3.4 ISP2.RANGE.12
ip nat inside source static RFC.ADDR.3.3 ISP2.RANGE.13
ip nat inside source static RFC.ADDR.1.15 ISP2.RANGE.15
ip nat inside source static RFC.ADDR.1.13 ISP2.RANGE.16
ip nat inside source static RFC.ADDR.3.19 ISP2.RANGE.19
ip nat inside source route-map ISP1-map pool ISP1-pool overload
ip nat inside source route-map ISP2-map pool ISP2-pool overload
!
! The tracked default routes below reference track objects 1 and 2, whose
! definitions were missing from the posted config; they are the obvious
! "reachability" bindings to the two IP SLA probes defined further down.
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
ip route 0.0.0.0 0.0.0.0 ISP1.ROUTER track 1
ip route 0.0.0.0 0.0.0.0 ISP2.ROUTER track 2
!
ip route ISP1.ROUTER 255.255.255.255 GigabitEthernet0/0/5
ip route ISP2.ROUTER 255.255.255.255 GigabitEthernet0/0/4
!
ip access-list standard admin-traffic
 permit RFC.INTERNAL.1.0 0.0.255.255
 deny any
ip access-list standard ISP1-nat-ips
 deny ISP1.RANGE.194
 permit any
ip access-list standard ISP1-pbr-hosts
 permit RFC.ADDR.1.144
 permit RFC.ADDR.1.16
ip access-list standard ISP2-nat-ips
 deny ISP2.RANGE.210
 permit any
ip access-list standard ISP2-pbr-hosts
 permit RFC.ADDR.2.2
 permit RFC.ADDR.3.19
 permit RFC.ADDR.3.3
 permit RFC.ADDR.3.4
 permit RFC.ADDR.1.13
 permit RFC.ADDR.1.15
!
ip access-list extended ISP1-router-address
 permit ip host ISP1.RANGE.194 any
!
ip access-list extended ISP2-router-address
 permit ip host ISP2.RANGE.210 any
!
ip access-list extended inbound-ISP1-filter-20151001-01
 remark ---|
 remark ---| deny special addresses
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip host 255.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny icmp any any fragments
 deny ip ISP2.RANGE.0 0.0.0.63 any log-input
 deny ip ISP2.RANGE.208 0.0.0.3 any log-input
 ! note: unlike the ISP2 filter, this one has no deny for packets arriving
 ! from the internet with a spoofed ISP1.RANGE.192/26 source
 remark ---|
 remark ---| deny microsoft scans
 deny tcp any any eq 445
 deny tcp any any eq msrpc
 deny tcp any any eq 139
 deny tcp any any eq 3389
 remark ---|
 remark ---| allow icmp diagnostic to router
 permit icmp any host ISP1.RANGE.194 echo
 permit icmp any host ISP1.RANGE.194 echo-reply
 permit icmp any host ISP1.RANGE.194 unreachable
 permit icmp any host ISP1.RANGE.194 time-exceeded
 permit icmp any host ISP1.RANGE.194 packet-too-big
 permit udp host NTP.SERVERS eq ntp host ISP1.RANGE.194 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP1.RANGE.194 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP1.RANGE.194 eq ntp
 deny ip any host ISP1.RANGE.194
 remark ---|
 remark ---| allow back open connections
 permit tcp any ISP1.RANGE.192 0.0.0.63 established
 permit udp any eq domain ISP1.RANGE.192 0.0.0.63
 permit udp any eq ntp ISP1.RANGE.192 0.0.0.63
 permit icmp any ISP1.RANGE.192 0.0.0.63 echo-reply
 permit icmp any ISP1.RANGE.192 0.0.0.63 time-exceeded
 permit icmp any ISP1.RANGE.192 0.0.0.63 unreachable
 permit icmp any ISP1.RANGE.192 0.0.0.63 packet-too-big
 permit icmp any ISP1.RANGE.192 0.0.0.63
 remark ---|
 remark ---| allow internal to do anything
 permit udp any ISP1.RANGE.196 0.0.0.3
 permit tcp any ISP1.RANGE.196 0.0.0.3
 remark ---|
 remark ---| allow email to exchange
 permit tcp EMAIL.RELAY.0 0.0.15.255 host ISP1.RANGE.207 eq smtp
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- ssl
 permit tcp any host ISP1.RANGE.204 eq 443
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- pptp/gre
 permit tcp any host ISP1.RANGE.204 eq 1723
 permit gre any host ISP1.RANGE.204
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- l2tp/ikev1/ikev2
 permit esp any host ISP1.RANGE.204
 permit udp any host ISP1.RANGE.204 eq isakmp
 permit udp any host ISP1.RANGE.204 eq non500-isakmp
 remark ---|
 remark ---| PARTNER access to aspera
 permit icmp any host ISP1.RANGE.211
 permit tcp any host ISP1.RANGE.211 eq 22
 permit udp any host ISP1.RANGE.211 eq 33001
 deny ip any any
!
ip access-list extended inbound-ISP2-filter-20151001-01
 remark ---|
 remark ---| deny special addresses
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip host 255.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny icmp any any fragments
 deny ip ISP1.RANGE.192 0.0.0.63 any
 deny ip ISP2.RANGE.0 0.0.0.63 any
 remark ---|
 remark ---| deny microsoft scans
 deny tcp any any eq 445
 deny tcp any any eq msrpc
 deny tcp any any eq 139
 deny tcp any any eq 3389
 remark ---|
 remark ---| allow icmp diagnostic to router
 permit icmp any host ISP2.RANGE.210 echo
 permit icmp any host ISP2.RANGE.210 echo-reply
 permit icmp any host ISP2.RANGE.210 unreachable
 permit icmp any host ISP2.RANGE.210 time-exceeded
 permit icmp any host ISP2.RANGE.210 packet-too-big
 permit udp host NTP.SERVERS eq ntp host ISP2.RANGE.210 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP2.RANGE.210 eq ntp
 permit udp host NTP.SERVERS eq ntp host ISP2.RANGE.210 eq ntp
 deny ip any host ISP2.RANGE.210
 remark ---|
 remark ---| allow back open connections
 ! note: broader than the ISP1 filter, whose established rule is scoped
 ! to ISP1.RANGE.192/26 rather than "any" destination
 permit tcp any any established
 permit udp any eq domain ISP2.RANGE.0 0.0.0.63
 permit udp any eq ntp ISP2.RANGE.0 0.0.0.63
 permit icmp any ISP2.RANGE.0 0.0.0.63 echo-reply
 permit icmp any ISP2.RANGE.0 0.0.0.63 time-exceeded
 permit icmp any ISP2.RANGE.0 0.0.0.63 unreachable
 permit icmp any ISP2.RANGE.0 0.0.0.63 packet-too-big
 permit icmp any ISP2.RANGE.0 0.0.0.63
 remark ---|
 remark ---| allow internal to do anything
 permit udp any ISP2.RANGE.4 0.0.0.3
 permit tcp any ISP2.RANGE.4 0.0.0.3
 remark ---|
 remark ---| allow vpn to vpn
 permit esp any host ISP2.RANGE.12
 permit udp any eq isakmp host ISP2.RANGE.12 eq isakmp
 permit udp any eq non500-isakmp host ISP2.RANGE.12 eq non500-isakmp
 permit tcp any eq 500 host ISP2.RANGE.12 eq 500
 permit tcp any eq 4500 host ISP2.RANGE.12 eq 4500
 permit icmp any host ISP2.RANGE.12
 deny ip any host ISP2.RANGE.12
 permit esp any host ISP2.RANGE.13
 permit udp any eq isakmp host ISP2.RANGE.13 eq isakmp
 permit udp any eq non500-isakmp host ISP2.RANGE.13 eq non500-isakmp
 permit tcp any eq 500 host ISP2.RANGE.13 eq 500
 permit tcp any eq 4500 host ISP2.RANGE.13 eq 4500
 permit icmp any host ISP2.RANGE.13
 remark ---|
 remark ---| permit ftp to ftp
 permit tcp any host ISP2.RANGE.19 eq ftp
 permit tcp any host ISP2.RANGE.19 eq ftp-data
 remark ---| permit passive ftp connections
 ! caveat: this opens every TCP port above 1023 on ISP2.RANGE.19 to any
 ! source, not just the FTP data channel; a narrow passive port range on the
 ! server (and matching ports here) or stateful FTP inspection would be tighter
 permit tcp any gt 1023 host ISP2.RANGE.19 gt 1023
 permit icmp any host ISP2.RANGE.19 echo
 permit icmp any host ISP2.RANGE.19 unreachable
 remark ---|
 remark ---| allow email to exchange
 permit tcp EMAIL.RELAY 0.0.15.255 host ISP2.RANGE.16 eq smtp
 remark ---|
 remark ---| allow other services to INTERNAL.SERVER
 permit tcp any host ISP2.RANGE.15 eq www
 permit tcp any host ISP2.RANGE.15 eq 443
 permit tcp any host ISP2.RANGE.15 eq 993
 permit tcp any host ISP2.RANGE.15 eq 995
 permit tcp any host ISP2.RANGE.15 eq 143
 permit tcp any host ISP2.RANGE.15 eq pop3
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- ssl
 permit tcp any host ISP2.RANGE.11 eq 443
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- pptp/gre
 permit tcp any host ISP2.RANGE.11 eq 1723
 permit gre any host ISP2.RANGE.11
 remark ---|
 remark ---| permit client vpn to access FIREWALL -- l2tp/ikev1/ikev2
 permit esp any host ISP2.RANGE.11
 permit udp any host ISP2.RANGE.11 eq isakmp
 permit udp any host ISP2.RANGE.11 eq non500-isakmp
 deny ip any any
!
ip sla 1
 icmp-echo ISP1.ROUTER source-interface GigabitEthernet0/0/5
 threshold 2
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo ISP2.ROUTER source-interface GigabitEthernet0/0/4
 threshold 2
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
!
route-map pbr-router-traffic permit 10
 match ip address ISP2-router-address
 set ip next-hop ISP2.ROUTER
!
route-map pbr-router-traffic permit 20
 match ip address ISP1-router-address
 set ip next-hop ISP1.ROUTER
!
route-map pbr-routed-servers permit 10
 match ip address ISP2-pbr-hosts
 set ip next-hop ISP2.ROUTER
!
route-map pbr-routed-servers permit 20
 match ip address ISP1-pbr-hosts
 set ip next-hop ISP1.ROUTER
!
route-map ISP2-map permit 10
 match ip address ISP2-nat-ips
 match interface GigabitEthernet0/0/4
!
route-map ISP1-map permit 10
 match ip address ISP1-nat-ips
 match interface GigabitEthernet0/0/5
!
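The policy routing on GigabitEthernet0/0/0 is the part that rots when a server is added later: a host static-NATted into ISP2's block that nobody adds to ISP2-pbr-hosts can have its replies load-shared out the ISP1 link with an ISP2 source address, which ISP1's ingress filtering drops, and the symptom is an intermittent half-dead service. The script below is an added example, not code from the original post; it checks that invariant over a running-config by parsing the static NATs, the standard ACLs and the pbr-routed-servers route-map, and reports each published host as ok, routed to the wrong ISP, or not policy-routed at all. The sample config and the ISP address blocks (198.51.100.192/26 behind next hop 198.51.100.193, 203.0.113.0/26 behind 203.0.113.209) are constructed for the example and are not the post's addresses.

```python
"""Check that every static-NAT host is policy-routed to the ISP that owns its
public address (constructed example; ISP blocks and next hops are assumptions)."""
import ipaddress
import re

# Constructed sample in the shape of the post's config, with two deliberate
# mistakes: 10.1.3.4 is NATted into ISP2 space but listed in ISP1-pbr-hosts,
# and 10.1.9.9 has a static NAT but appears in neither PBR ACL.
SAMPLE_CONFIG = """\
ip nat inside source static 10.1.1.16 198.51.100.207
ip nat inside source static 10.1.1.144 198.51.100.211
ip nat inside source static 10.1.2.2 203.0.113.11
ip nat inside source static 10.1.3.4 203.0.113.12
ip nat inside source static 10.1.3.19 203.0.113.19
ip nat inside source static 10.1.9.9 203.0.113.20
!
ip access-list standard ISP1-pbr-hosts
 permit 10.1.1.0 0.0.0.255
 permit 10.1.3.4
ip access-list standard ISP2-pbr-hosts
 permit 10.1.2.2
 permit 10.1.3.19
!
route-map pbr-routed-servers permit 10
 match ip address ISP2-pbr-hosts
 set ip next-hop 203.0.113.209
!
route-map pbr-routed-servers permit 20
 match ip address ISP1-pbr-hosts
 set ip next-hop 198.51.100.193
"""

# Assumed: PBR next hop of each ISP -> the public block that ISP routes to us.
ISP_BLOCKS = {
    ipaddress.ip_address("198.51.100.193"): ipaddress.ip_network("198.51.100.192/26"),
    ipaddress.ip_address("203.0.113.209"): ipaddress.ip_network("203.0.113.0/26"),
}

_STATIC = re.compile(r"^ip nat inside source static (\S+) (\S+)")
_ACL_HDR = re.compile(r"^ip access-list standard (\S+)")
_ACL_PERMIT = re.compile(r"^\s+permit (\S+)(?: (\S+))?\s*$")
_RM_HDR = re.compile(r"^route-map (\S+) permit (\d+)")
_RM_MATCH = re.compile(r"^\s+match ip address (\S+)")
_RM_NEXT_HOP = re.compile(r"^\s+set ip next-hop (\S+)")


def acl_entry_to_network(addr, wildcard):
    """Turn an IOS 'addr wildcard' pair (or 'any') into an IPv4Network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # Invert the wildcard into a netmask; a non-contiguous wildcard raises ValueError.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard or "0.0.0.0")))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse(config):
    """Extract static NATs, standard ACLs and route-map clauses from IOS config text."""
    static_nats, acls, route_maps, block = {}, {}, {}, None
    for line in config.splitlines():
        if m := _STATIC.match(line):
            static_nats[ipaddress.ip_address(m[1])] = ipaddress.ip_address(m[2])
            block = None
        elif m := _ACL_HDR.match(line):
            block = ("acl", m[1])
            acls.setdefault(m[1], [])
        elif m := _RM_HDR.match(line):
            block = ("rm", m[1])
            route_maps.setdefault(m[1], []).append([int(m[2]), None, None])
        elif block and block[0] == "acl" and (m := _ACL_PERMIT.match(line)):
            acls[block[1]].append(acl_entry_to_network(m[1], m[2]))
        elif block and block[0] == "rm" and (m := _RM_MATCH.match(line)):
            route_maps[block[1]][-1][1] = m[1]
        elif block and block[0] == "rm" and (m := _RM_NEXT_HOP.match(line)):
            route_maps[block[1]][-1][2] = ipaddress.ip_address(m[1])
        elif not line.startswith(" "):
            block = None  # any other top-level line ("!" included) ends the block
    for clauses in route_maps.values():
        clauses.sort(key=lambda c: c[0])  # PBR evaluates clauses in sequence order
    return static_nats, acls, route_maps


def audit(config, isp_blocks, route_map="pbr-routed-servers"):
    """Return {inside host: verdict}; verdict is ok, wrong-isp, unrouted or unknown-outside."""
    static_nats, acls, route_maps = parse(config)
    verdicts = {}
    for inside, outside in static_nats.items():
        owner = next((nh for nh, net in isp_blocks.items() if outside in net), None)
        # The first route-map clause whose ACL matches the inside host sets the next hop.
        chosen = next((nh for _, acl, nh in route_maps.get(route_map, [])
                       if any(inside in net for net in acls.get(acl, []))), None)
        if owner is None:
            verdicts[str(inside)] = "unknown-outside"
        elif chosen is None:
            verdicts[str(inside)] = "unrouted"
        elif chosen != owner:
            verdicts[str(inside)] = "wrong-isp"
        else:
            verdicts[str(inside)] = "ok"
    return verdicts


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_CONFIG, ISP_BLOCKS).items():
        print(f"{host:<12} {verdict}")
```

Feed it `show running-config` output and the real next-hop-to-block mapping; anything other than ok for a host that has inbound ACL entries is a server whose replies may be leaving by the wrong ISP. The wildcard conversion deliberately refuses non-contiguous masks rather than guessing, since a PBR ACL with one of those is itself worth a look.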