01-25-2011 08:55 PM - edited 03-04-2019 11:12 AM
Hey Guys,
So I set up my dual wan with failover which works perfectly.. basically what I need is for the server which is 10.107.67.10 to be dedicated to ISP1 and all other traffic on the 10.107.67.0 /24 network to use ISP2 as primary and then if it fails to go over to ISP1. Everything seems to work except for the server which I created a static route for .. it seems to always go through ISP2 even though I have a deny in the ACL. Please help me out here.. It's so simple but I don't know why it's being such a headache. Attached is the config.. Thanks!!
01-26-2011 01:55 AM
Hi,
on f0 use ip local policy route-map director instead of ip policy route-map director
Regards.
alain.
01-26-2011 04:31 AM
hi Alain,
Thanks for the response. unfortunately this did not solve the problem..
2 things to note also - - ip local policy route-map director doesn't attach to the F0 interface, it goes on the global config.
When I brought up the ISP2 interface, it disconnected me from my vpn connection.
any other ideas?
01-26-2011 11:28 PM
The policy routing needs to be applied to the ingress interface where the traffic you want to policy route enters the router.
In this case traffic sourced from 10.107.67.10 should be arriving on Vlan1, so:
!
interface FastEthernet0
....
no ip policy route-map director
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
...
ip policy route-map director
!
Then see what happens.
01-27-2011 03:50 PM
hi, still not working.. I am convinced that the problem has to lie in the ip route statements.. I think the default route is messing it up somehow because once the backup interface is turned on.. the 10.107.67.10 server does not route through the original ISP1 gateway anymore regardless of this statement
ip route 10.107.67.10 255.255.255.255 <
01-27-2011 10:01 PM
dlandriscina wrote:
ip route 10.107.67.10 255.255.255.255 <
>
That route is saying the destination 10.107.67.10 is reached via ISP1.
I don't think that's correct. The server is in Vlan 1 I believe.
You should remove that command.
Once you've done that bring up both ISP connections, stop all other traffic in your network, and get:
1: show ip route
2: show ip nat stat
3: show route-map director
4: debug ip policy
ping somewhere from 10.107.67.10
5: undebug all
6: show route-map director
01-28-2011 01:47 AM
01-28-2011 05:02 PM
The PBR is working:
Policy routing matches: 3127 packets, 389419 bytes <===
Jan 28 05:32:43.778 PCTime: IP: s=10.107.67.10 (Vlan1), d=65.106.1.196, len 60, FIB policy match
Jan 28 05:32:43.778 PCTime: IP: s=10.107.67.10 (Vlan1), d=65.106.1.196, g=<
Policy routing matches: 3131 packets, 389715 bytes <===
You have "ip verify unicast reverse-path" on F0.
Since there is no route via F0 the router might be dropping any return traffic arriving on that interface.
Try removing that command.
After that you might need to check on your NAT and firewall to see that they aren't doing something wrong.
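Two points in this thread are easy to get wrong and worth seeing side by side: policy routing only acts on the interface where the packets enter (so a route-map on F0 never sees traffic coming in from Vlan1), and strict uRPF on an interface that no route points back out of will drop everything that arrives there. The following toy router model is an added example written for this page, not IOS code and not anything the poster attached. The LAN prefix, the server address and the 65.106.1.196 destination come from the thread; the ISP next hops (192.0.2.1 for ISP1 on F0, 198.51.100.1 for ISP2 on F1) are constructed placeholders, and NAT is left out so the return packet is addressed straight to the server.

```python
"""Toy model of the thread's dual-WAN router (added example, not IOS code).

Constructed topology:
  Vlan1 -> LAN 10.107.67.0/24, server 10.107.67.10 (both from the thread)
  F0    -> ISP1, next hop 192.0.2.1   (placeholder, RFC 5737 range)
  F1    -> ISP2, next hop 198.51.100.1 (placeholder, RFC 5737 range)
Only ISP2 holds the default route, as in the thread when both links are up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # "connected" for directly attached networks
    interface: str


@dataclass(frozen=True)
class PolicyEntry:         # one route-map clause: match source ACL, set next-hop
    match_src: ipaddress.IPv4Network
    next_hop: str
    egress: str


class Router:
    def __init__(self, fib, pbr, urpf):
        self.fib = fib     # list[Route]
        self.pbr = pbr     # dict: ingress interface -> list[PolicyEntry]
        self.urpf = urpf   # dict: interface -> "strict" | "loose"

    def lookup(self, addr):
        """Longest-prefix match over the FIB; None if no route covers addr."""
        addr = ipaddress.IPv4Address(addr)
        hits = [r for r in self.fib if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def urpf_ok(self, ingress, src):
        mode = self.urpf.get(ingress)
        if mode is None:
            return True
        best = self.lookup(src)
        if best is None:               # no route back to the source at all
            return False
        if mode == "loose":            # any route to the source is enough
            return True
        return best.interface == ingress   # strict: route must point out the ingress

    def forward(self, ingress, src, dst):
        """Return (egress, next_hop), or a string saying why the packet was dropped."""
        if not self.urpf_ok(ingress, src):
            return f"dropped: uRPF ({self.urpf[ingress]}) failed on {ingress}"
        # PBR is evaluated on the ingress interface only, before the FIB lookup.
        for entry in self.pbr.get(ingress, []):
            if ipaddress.IPv4Address(src) in entry.match_src:
                return (entry.egress, entry.next_hop)
        route = self.lookup(dst)
        if route is None:
            return "dropped: no route"
        return (route.interface, route.next_hop)


SERVER = ipaddress.IPv4Network("10.107.67.10/32")
LAN = ipaddress.IPv4Network("10.107.67.0/24")
# Constructed stand-in for route-map director: server -> ISP1 via F0.
DIRECTOR = [PolicyEntry(SERVER, "192.0.2.1", "F0")]


def build_router(pbr_interface, urpf_f0=None):
    """Router whose only default route is via ISP2 (F1); policy applied on pbr_interface."""
    fib = [
        Route(LAN, "connected", "Vlan1"),
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "198.51.100.1", "F1"),
    ]
    urpf = {"F0": urpf_f0} if urpf_f0 else {}
    return Router(fib, {pbr_interface: DIRECTOR}, urpf)


def server_egress(pbr_interface):
    """Where the server's outbound traffic goes, depending on where the policy is applied."""
    return build_router(pbr_interface).forward("Vlan1", "10.107.67.10", "65.106.1.196")


def lan_egress(pbr_interface, host="10.107.67.50"):
    """Where a non-server LAN host's traffic goes (host address constructed)."""
    return build_router(pbr_interface).forward("Vlan1", host, "65.106.1.196")


def return_traffic_verdict(urpf_f0):
    """Fate of ISP1-side return traffic entering F0 under a given uRPF mode (or None)."""
    return build_router("Vlan1", urpf_f0).forward("F0", "65.106.1.196", "10.107.67.10")


if __name__ == "__main__":
    print("policy on F0   :", server_egress("F0"))
    print("policy on Vlan1:", server_egress("Vlan1"))
    for mode in ("strict", "loose", None):
        print(f"uRPF {mode!s:6} on F0:", return_traffic_verdict(mode))
```

With the policy on F0 the server's packets, which enter on Vlan1, fall through to the default route and leave via ISP2, which is exactly the symptom in the first post; moving the policy to Vlan1 sends them out F0. For the return path, strict uRPF on F0 fails because the only route covering the Internet source points out F1, while loose mode (IOS `ip verify unicast source reachable-via any`) accepts it because some route to the source exists, so loose mode is the option to consider if you want to keep a spoofing check on that interface instead of removing uRPF entirely.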
01-30-2011 02:30 PM
margalla - removing that command made it work perfectly...
another question for you - I can't connect via VPN anymore.. I also tried changing the interface on the virtual template to the main active interface Fastethernet1.. but no go?? any ideas?