Configure policy based route on 2811 router

Hi guys,

Can I please seek your help in configuring a policy-based route for my Cisco router?

Basically, I have a Cisco 2811 router with 2 ADSL ports. 1 port is for the iiNet line and the other port is for the Telstra line.

I want to configure a policy based route on the router so that:

  • Any traffic coming from 1 internal IP (i.e. 172.16.x.1) will go through iinet line (i.e. Dialer 0) interface.
  • Any traffic from rest of the office will go through the Telstra line (i.e. Dialer 1) interface.

Is there any easy way to configure this policy based route?

Kind Regards,
Vignesh.        

Terry Cheema
VIP Alumni

Hi Vignesh,

Try the below:

1) Set default route to Telstra:

! All traffic goes through Telstra
ip route 0.0.0.0 0.0.0.0 Dialer1

2) Now using PBR, catch the source IP address/subnet you want to send through iinet:

! The address you want to send through iinet
access-list 1 permit host 172.16.x.1
!
route-map IINET permit 10
 ! your IP in ACL 1
 match ip address 1
 ! iinet interface
 set interface Dialer0

On your incoming interface apply the route-map:

interface FastEthernet0/0
 ip policy route-map IINET

This way only traffic matching ACL 1 will be sent through Dialer 0 and the rest through Dialer 1.

Terry

Hi Terry,

Thank you very much for your reply. You are a life saver! I was applying the "ip policy route" on the wrong interface all this time and kept wondering why it didn't work! Now, PBR has been sorted out.

Having said that, I have another problem once I do the above.

  • After I route all traffic to go through Telstra, I am not able to ping the iiNet's external IP address (203.206.x.x) from outside. This is a problem because all mail DNS are pointing to iiNet external IP address.

  • If I remove the PBR and route all traffic to go through iiNet, I am able to ping the iinet external IP. But then, that would defeat the purpose of what we want to achieve.

Any ideas?

Kind Regards,
Vignesh.


Terry Cheema
VIP Alumni

Vignesh,

Not a problem, glad it helped.

About the other issue, I am not sure if I got it right, can I sum up your final requirement as:

1) Traffic from a particular source ip 172.16.x.1 --> iinet
2) Traffic with destination 203.206.x.x iinet's ip --> iinet
3) All other traffic --> Telstra

If that's the case, just change the access-list to an extended ACL with two statements:

! source address you want to send through iinet
access-list 101 permit ip host 172.16.x.1 any
! with destination as iinet public IP
access-list 101 permit ip any host 203.206.x.x

Change the route-map to match ip address 101

PS: Please excuse any syntax error sending from phone.

Terry

Hey Terry,

Let me rephrase the question.

  • Traffic from a particular source IP will go through iiNet line.
  • Traffic from all other IPs will go through Telstra line.

Once I do the above, I am not able to ping the iiNet line from the outside world.

Kind Regards,
Vignesh.


Hi,

Can you post your sanitized config?

Regards.

Alain

Don't forget to rate helpful posts.

Hi Vignesh,

We can remove the default route (going back to your original setup) and do all the matching\routing based on PBR for all incoming LAN traffic. For traffic coming from any other interface, it will keep using your routing table as per your original setup (whatever it was).

You can try this config:

1) Remove the previous default route to Telstra:

no ip route 0.0.0.0 0.0.0.0 Dialer1

2) Now using PBR, send 172.16.x.1 - iinet and rest through Telstra:

! The address you want to send through iinet
access-list 1 permit host 172.16.x.1
! Match everything and send to Telstra
access-list 2 permit any
!
route-map PBR permit 10
 ! your 172.16.x.1 IP in ACL 1
 match ip address 1
 ! iinet interface
 set interface Dialer0
!
route-map PBR permit 20
 ! match all other traffic other than 172.16.x.1
 match ip address 2
 ! Telstra interface
 set interface Dialer1

On your incoming interface apply the route-map:

interface FastEthernet0/0
 ip policy route-map PBR

This way PBR routing affects traffic incoming on your LAN interface F0/0 only. Your routing on other interfaces including ping from outside should continue working as per your original setup.

Please let us know how it goes. If still something is not working please post your config.

Terry
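
Added example, not part of the thread or anyone's posted config: a small Python model of how the two route-maps above choose an egress interface, including packets the router originates itself, which an interface-level `ip policy route-map` never sees. The addresses are constructed stand-ins for the elided 172.16.x.1 and 203.206.x.x, and the default route via Dialer 0 in the second configuration is an assumption about the poster's original setup.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins: the thread elides the real addresses.
IINET_HOST = "172.16.10.1"     # stand-in for 172.16.x.1 (LAN host pinned to iiNet)
OTHER_HOST = "172.16.10.50"    # any other LAN host
IINET_WAN_IP = "203.0.113.10"  # stand-in for 203.206.x.x (router's Dialer 0 address)
LAN_IF = "FastEthernet0/0"

# A route-map is modelled as ordered (source network the ACL permits, set interface).
FIRST_REPLY = {
    "default_route": "Dialer1",
    "policy": {LAN_IF: [(f"{IINET_HOST}/32", "Dialer0")]},
}
SECOND_REPLY = {
    "default_route": "Dialer0",  # assumption: the original setup defaulted to iiNet
    "policy": {LAN_IF: [(f"{IINET_HOST}/32", "Dialer0"),
                        ("0.0.0.0/0", "Dialer1")]},
}


def egress(config, src, ingress=None):
    """Return the outbound interface for a packet with source address src.

    ingress is the interface the packet arrived on, or None for packets the
    router generates itself (for example an echo reply to an outside ping).
    """
    for acl_net, out_if in config["policy"].get(ingress, []):
        if ip_address(src) in ip_network(acl_net):
            return out_if           # first matching route-map entry wins
    return config["default_route"]  # no policy or no match: routing table decides


def report(config):
    """Egress interface for the three flows discussed in the thread."""
    return {
        "iinet_host": egress(config, IINET_HOST, LAN_IF),
        "other_host": egress(config, OTHER_HOST, LAN_IF),
        "echo_reply": egress(config, IINET_WAN_IP, None),
    }


if __name__ == "__main__":
    for name, cfg in (("first reply", FIRST_REPLY), ("second reply", SECOND_REPLY)):
        print(name, report(cfg))
```

In the first configuration the router's own reply from the iiNet address follows the default route out Dialer 1, so it leaves on a different line than the one it arrived on; in the second it leaves via Dialer 0 while LAN traffic is still split by the route-map.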

Hi Terry,

You are a legend! I configured the router to do the same as you suggested (with a little tweaking of course) and voilà... It started working.

You saved my a*%e over here, buddy. Keep up the good work.

Thanks to Alain as well for the interest in looking into this issue. Much appreciated.

Kind Regards,
Vignesh.


Vignesh - Not a problem, Glad I was able to assist you!

Terry
