IP Policy ignored

Frank Sinatra
Level 1

I have a router with a default route set to the first WAN. I want to set up a second WAN but can't remove the default route because the router is live. I have added an ip policy to the second WAN interface, but it is being ignored and traffic uses the default route of the first WAN instead (I have confirmed this using trace). Here's my config:


aaa new-model
!
aaa authentication login default local
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool Vlan10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool Vlan20
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 8.8.8.8 8.8.4.4
!
ip domain name test.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 3
!
interface Vlan1
 shutdown
!
interface Vlan2
 description WAN-1
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan3
 description WAN-2
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan10
 description LAN-1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 description LAN-2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
ip nat inside source list Vlan10 interface Vlan2 overload
ip nat inside source list Vlan20 interface Vlan3 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended Vlan10
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended Vlan20
 permit ip 10.10.20.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address Vlan20
 set ip next-hop 2.2.2.1

This is a follow-up to this discussion:

https://community.cisco.com/t5/routing/two-active-wan-connections/m-p/3815883#M311082

1 Accepted Solution

Frank Sinatra
Level 1

Ok. I have found the issue. I was checking using traceroute and ping with source on the Cisco router itself and for some reason it never worked. I just connected a computer with the router and everything is working fine! I can use both ISPs.

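The accepted solution reports that ping and traceroute sourced on the router never took the policy route, while a PC behind Vlan20 did. The model below is an added example written for this thread (not code from the post or from Cisco IOS). It encodes the IOS rule behind that observation: 'ip policy route-map' on an interface applies only to transit packets arriving on that interface, and traffic the router generates itself follows the routing table unless 'ip local policy route-map' is configured. Addresses, ACL names and interface names are the posted ones; the LAN-1 host address is made up for illustration.

```python
"""Model of the IOS policy-routing decision behind the thread's result.

Added example for this thread; it is not code from the original post or from
Cisco IOS. Two IOS behaviours are encoded as assumptions of the model:
  * 'ip policy route-map' on an interface applies only to transit packets
    that arrive on that interface;
  * packets the router generates itself (ping/traceroute sourced on the box)
    skip interface policy and follow the routing table, unless
    'ip local policy route-map' is configured.
Addresses, ACL names and interface names are taken from the posted config.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# ACL name -> permitted source networks ('permit ip <net> <wildcard> any')
ACLS: Dict[str, List[str]] = {
    "Vlan10": ["10.10.10.0/24"],
    "Vlan20": ["10.10.20.0/24"],
}

# route-map PBR permit 10 / match ip address Vlan20 / set ip next-hop 2.2.2.1
ROUTE_MAP_PBR: List[Tuple[str, str]] = [("Vlan20", "2.2.2.1")]

DEFAULT_NEXT_HOP = "1.1.1.1"  # ip route 0.0.0.0 0.0.0.0 1.1.1.1


@dataclass
class Packet:
    src: str
    ingress: Optional[str]  # interface the packet arrived on; None = generated by the router


@dataclass
class Router:
    # interface -> route-map entries applied with 'ip policy route-map'
    interface_policy: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    # route-map entries applied with 'ip local policy route-map', if any
    local_policy: Optional[List[Tuple[str, str]]] = None

    @staticmethod
    def acl_permits(acl: str, src: str) -> bool:
        return any(ip_address(src) in ip_network(net) for net in ACLS[acl])

    def policy_next_hop(self, rules: Optional[List[Tuple[str, str]]], src: str) -> Optional[str]:
        # The first route-map entry whose ACL permits the source wins.
        for acl, next_hop in rules or []:
            if self.acl_permits(acl, src):
                return next_hop
        return None

    def next_hop(self, pkt: Packet) -> str:
        if pkt.ingress is None:
            rules = self.local_policy  # only 'ip local policy' reaches router-sourced traffic
        else:
            rules = self.interface_policy.get(pkt.ingress)
        # No policy match: fall back to the routing table, here just the default route.
        return self.policy_next_hop(rules, pkt.src) or DEFAULT_NEXT_HOP


def posted_router() -> Router:
    """The configuration from the thread: PBR on Vlan20 only, no local policy."""
    return Router(interface_policy={"Vlan20": ROUTE_MAP_PBR})


def router_with_local_policy() -> Router:
    """Same router with 'ip local policy route-map PBR' added."""
    r = posted_router()
    r.local_policy = ROUTE_MAP_PBR
    return r


def scenarios() -> Dict[str, str]:
    """Next hop chosen for each kind of test discussed in the thread."""
    posted = posted_router()
    fixed = router_with_local_policy()
    pc = Packet("10.10.20.11", "Vlan20")    # the PC from the thread
    lan1 = Packet("10.10.10.50", "Vlan10")  # hypothetical LAN-1 host, not from the thread
    self_test = Packet("10.10.20.1", None)  # 'ping ... source Vlan20' run on the router
    return {
        "pc_on_vlan20": posted.next_hop(pc),                        # 2.2.2.1 (ISP-2)
        "host_on_vlan10": posted.next_hop(lan1),                    # 1.1.1.1 (default route)
        "router_sourced_posted": posted.next_hop(self_test),        # 1.1.1.1: policy looks 'ignored'
        "router_sourced_local_policy": fixed.next_hop(self_test),   # 2.2.2.1
    }


if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:28s} -> {hop}")
```

The 'router_sourced_posted' case is the test the poster ran: the policy was working for transit traffic the whole time, but a ping sourced on the router never passes through the Vlan20 interface policy. Verifying PBR from a host on the policied interface, or adding 'ip local policy route-map' if router-sourced tests are needed, avoids the false negative.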

15 Replies

Hello,


try 'clear ip route *'...

Thank you for responding. I tried that and it is still using the default route.


Richard Burts
Hall of Fame

Can you post the output of show ip interface brief from the router?

Can you post the output of ipconfig and the tracert from the PC?

HTH

Rick

Here's the sh ip int brief output:

Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  administratively down down
Ethernet0                  unassigned      YES NVRAM  up                    down
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    up
Vlan1                      unassigned      YES unset  administratively down down
Vlan2                      1.1.1.2         YES NVRAM  up                    up
Vlan3                      2.2.2.2         YES manual up                    up
Vlan10                     10.10.10.1      YES NVRAM  up                    up
Vlan20                     10.10.20.1      YES NVRAM  up                    up

Computer has an IP Address of 10.10.20.11

Thanks for the output of show ip interface brief. My reason for asking was to verify that the interface with the IP specified in the set command was up and operational. Your output shows that it is. What model of router is this running on? Is this live equipment or is this some simulation? Would you post the output of show ip policy?

HTH

Rick

Another question occurs to me. Your config and the output of show ip interface brief show that the router has 2 physical interfaces. Both of those interfaces are assigned to the WAN connections. So how are vlans 10 and 20 connected to this router?

HTH

Rick

I didn't include the trunk port. F3 is a trunk port that goes to a switch.


This is live. I am using Cisco 880. I just changed the public IP address to 1.1.1.1 and 2.2.2.2 in the config I posted.


sh ip policy:

Interface      Route map
Vlan20         PBR


Hi,

If I consider your running config and this output:

FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    up
Vlan1                      unassigned      YES unset  administratively down down
Vlan2                      1.1.1.2         YES NVRAM  up                    up
Vlan3                      2.2.2.2         YES manual up                    up
Vlan10                     10.10.10.1      YES NVRAM  up                    up
Vlan20                     10.10.20.1      YES NVRAM  up                    up

and

interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 3

Where is your LAN physical interface? At the same time, your VLAN 10 and 20 are also showing up. What is happening?

Regards,
Deepak Kumar

Jaderson Pessoa
VIP Alumni

Hello @Frank Sinatra ,


If 'clear ip route *', as suggested by @Georg Pauwen, does not work, try the changes below:

aaa new-model
!
aaa authentication login default local
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool Vlan10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool Vlan20
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 dns-server 8.8.8.8 8.8.4.4
!
ip domain name test.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 3
!
interface Vlan1
 shutdown
!
interface Vlan2
 description WAN-1
 ip address 1.1.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan3
 description WAN-2
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
!
interface Vlan10
 description LAN-1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR
 ip virtual-reassembly in
!
interface Vlan20
 description LAN-2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
ip nat inside source list Vlan10 interface Vlan2 overload
ip nat inside source list Vlan20 interface Vlan3 overload
no ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended Vlan10
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended Vlan20
 permit ip 10.10.20.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address Vlan20
 set ip default next-hop 2.2.2.1
route-map PBR permit 20
 match ip address Vlan10
 set ip default next-hop 1.1.1.1

Jaderson Pessoa

I tried this and it's still not working. It doesn't work with one ISP either.


Hello

At this time it looks like your PBR is correct; however, having dual ISPs, I suggest using route-maps for NAT.

route-map isp1
 match interface xx
 match ip address xxx

route-map isp2
 match interface
 match ip address xxx

ip nat inside source route-map isp1 interface isp1

etc.

Kind Regards
Paul


As I read the original post I also thought about using route maps to control the address translation, since the route map allows you to match both the acl identifying traffic and match the interface. This is the common approach when doing address translation for dual ISP, especially when outgoing traffic might be on one interface or might be on the other interface (when doing load sharing or doing failover). But in this case one set of traffic should be going out only one interface and the other set of traffic should be going out only the other interface. In that case I believe that the original nat is ok:

ip nat inside source list Vlan10 interface Vlan2 overload
ip nat inside source list Vlan20 interface Vlan3 overload

I still would like to see the outputs that I identified, and would add to that a request to post the output of show ip policy.

HTH

Rick
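Paul's suggestion to use route-maps for NAT, and Rick's reply that the list-based NAT is fine as long as each VLAN leaves by exactly one WAN, describe a selection rule that is easier to see run than to read. The model below is an added example written for this thread, not code from either post or from Cisco IOS. It assumes the IOS behaviour stated in its docstring (a list-based rule translates to its configured interface's address regardless of egress; a route-map rule can additionally require the egress interface to match) and uses the thread's addresses. It goes slightly beyond the thread by adding a variant with one shared inside ACL ('Inside', hypothetical), to show what each style does when LAN-2 traffic ends up leaving via Vlan2.

```python
"""Model of IOS inside-source NAT rule selection for a dual-WAN router.

Added example for this thread; it is not code from the post or from Cisco IOS.
Assumed behaviour of the two NAT styles discussed above:
  * 'ip nat inside source list <acl> interface <if> overload' is selected by
    the source ACL alone and always translates to <if>'s address, whatever
    interface the packet actually leaves on;
  * 'ip nat inside source route-map <map> interface <if> overload' can also
    require the egress interface to match ('match interface' in the map).
Addresses and interface names are from the posted config; the ACL 'Inside'
and the route-map variants are hypothetical illustrations.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ACLS: Dict[str, List[str]] = {
    "Vlan10": ["10.10.10.0/24"],
    "Vlan20": ["10.10.20.0/24"],
    "Inside": ["10.10.10.0/24", "10.10.20.0/24"],  # hypothetical ACL covering both LANs
}
OUTSIDE_ADDR = {"Vlan2": "1.1.1.2", "Vlan3": "2.2.2.2"}  # the 'ip nat outside' interfaces


def acl_permits(acl: str, src: str) -> bool:
    return any(ip_address(src) in ip_network(net) for net in ACLS[acl])


@dataclass(frozen=True)
class NatRule:
    acl: str                            # ACL the source must match
    translate_if: str                   # interface whose address replaces the source
    match_egress: Optional[str] = None  # route-map 'match interface'; None = list-based rule


# The posted configuration: two list-based rules.
LIST_RULES = [NatRule("Vlan10", "Vlan2"), NatRule("Vlan20", "Vlan3")]
# Paul's sketch: route-maps matching both the per-VLAN ACL and the egress interface.
STRICT_MAP_RULES = [NatRule("Vlan10", "Vlan2", "Vlan2"), NatRule("Vlan20", "Vlan3", "Vlan3")]
# Failover-friendly variant: one ACL for all inside hosts, selection by egress interface.
SHARED_MAP_RULES = [NatRule("Inside", "Vlan2", "Vlan2"), NatRule("Inside", "Vlan3", "Vlan3")]


def translate(rules: List[NatRule], src: str, egress: str) -> Optional[str]:
    """Translated source address, or None when no rule matches (packet leaves untranslated)."""
    for rule in rules:
        if not acl_permits(rule.acl, src):
            continue
        if rule.match_egress is not None and rule.match_egress != egress:
            continue
        return OUTSIDE_ADDR[rule.translate_if]
    return None


def egress_consistent(translated: Optional[str], egress: str) -> bool:
    """True when the packet leaves carrying the address that belongs to the link it uses."""
    return translated == OUTSIDE_ADDR[egress]


def outcomes() -> Dict[str, Optional[str]]:
    """A LAN-2 host in the normal case (out Vlan3) and when it falls back to Vlan2."""
    host20 = "10.10.20.11"  # the PC from the thread
    return {
        "list/normal": translate(LIST_RULES, host20, "Vlan3"),                # 2.2.2.2
        "list/fallback": translate(LIST_RULES, host20, "Vlan2"),              # 2.2.2.2 on the wrong link
        "strict_map/normal": translate(STRICT_MAP_RULES, host20, "Vlan3"),    # 2.2.2.2
        "strict_map/fallback": translate(STRICT_MAP_RULES, host20, "Vlan2"),  # None
        "shared_map/normal": translate(SHARED_MAP_RULES, host20, "Vlan3"),    # 2.2.2.2
        "shared_map/fallback": translate(SHARED_MAP_RULES, host20, "Vlan2"),  # 1.1.1.2
    }


if __name__ == "__main__":
    for case, addr in outcomes().items():
        egress = "Vlan3" if case.endswith("normal") else "Vlan2"
        print(f"{case:22s} -> {addr}  consistent={egress_consistent(addr, egress)}")
```

In the normal case all three styles agree, which is Rick's point. The fallback rows are what matters once traffic can leave by either WAN, for instance when the PBR next hop 2.2.2.1 becomes unreachable and IOS drops the packet through to the default route via Vlan2: the list-based rule still stamps ISP-2's address onto a packet leaving on ISP-1's link, so any reply comes back over the other link or is filtered by the provider; the strict route-map leaves the packet untranslated with a private source; only the interface-keyed variant translates to the address of the link actually used.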
