Need Help With PBR

muratg7777
Level 1

Hi,

I have configured PBR. The 3 local clients connect to the internet via the Dialer1 interface.

There is a point-to-point connection on the Dialer0 interface.

These 3 clients must route traffic to the Dialer0 interface if they want to reach the 192.168.1.0/24 network.

How can I do that?

interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.254 255.255.255.0
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface GigabitEthernet0/0.60
 encapsulation dot1Q 60
 ip address 10.0.8.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map InternetViaADSL
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.0.5.254 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1 20
!
ip access-list extended InternetViaADSL
 permit ip host 10.0.8.215 any
 permit ip host 10.0.8.216 any
 permit ip host 10.0.8.217 any
!
route-map InternetViaADSL permit 10
 match ip address InternetViaADSL
 set interface Dialer1


9 Replies

cadet alain
VIP Alumni

Hi,

Do this:

no ip route 0.0.0.0 0.0.0.0 Dialer0
no ip route 0.0.0.0 0.0.0.0 Dialer1 20
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source list 199 interface Dialer1 overload
interface Dialer1
 ip nat outside
 exit
!
access-list 199 deny ip host 10.0.8.215 192.168.1.0 0.0.0.255
access-list 199 deny ip host 10.0.8.216 192.168.1.0 0.0.0.255
access-list 199 deny ip host 10.0.8.217 192.168.1.0 0.0.0.255
access-list 199 permit ip host 10.0.8.215 any
access-list 199 permit ip host 10.0.8.216 any
access-list 199 permit ip host 10.0.8.217 any
!
access-list 198 permit ip host 10.0.8.215 192.168.1.0 0.0.0.255
access-list 198 permit ip host 10.0.8.216 192.168.1.0 0.0.0.255
access-list 198 permit ip host 10.0.8.217 192.168.1.0 0.0.0.255
!
route-map DIALER0
 match ip address 198
 set interface Dialer0
!
interface GigabitEthernet0/0.60
 ip policy route-map DIALER0

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

These 2 subinterfaces must route all traffic to the Dialer0 interface. They connect to the internet via headquarters and to resources at headquarters.

If I remove the route (no ip route 0.0.0.0 0.0.0.0 Dialer0), their connection will be dropped.

Only the GigabitEthernet0/0.60 interface must connect to the internet via the Dialer1 interface, but it must be reachable from headquarters (192.168.1.0/24), which comes in via the Dialer0 interface.

interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.0.0.254 255.255.255.0
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.0.5.254 255.255.255.0

Hi,

So can you attach a diagram and explain more thoroughly which traffic goes where, whether you want failover or load-balancing, and exactly what the goal of the PBR is?

Regards.

Alain

Don't forget to rate helpful posts.

Marwan ALshawi
VIP Alumni

Keep your default routing as it is.

Assuming that the default route via Dialer1 has the lower administrative distance, so that all traffic is routed via the Dialer1 interface.

Use the PBR config below to route the traffic out Dialer0 for traffic going to network x.x.x.0/25:

access-list 100 permit ip any x.x.x.0 0.0.0.255
!
route-map map1
 match ip address 100
 set ip next-hop y.y.y.y

Where y.y.y.y is the next-hop IP of the Dialer0 point-to-point link.

Then apply the above PBR to the desired interfaces/subinterfaces.

Hope this helps.

Hi,

Sorry for the late reply. I am gonna test the configuration.

Here is the diagram:

Headquarters Juniper SRX ----------------------- Dialer 0 ---------------------------------- Cisco 2901 (Branch Office) (has 2 WAN connections)

Cisco 2901 ---------------------- Dialer 1 -------------------- Internet

192.168.1.0 - LAN

192.168.5.0 - Voice

Branch Office:

10.0.0.0/24 - LAN

10.0.5.0/24 - Voice

10.0.8.0/24 - Camera

So here is the deal.

Branch Office LAN and Voice network - routes all traffic to Dialer 0

Camera network routes all traffic to Dialer 1

So here is the deal,

From headquarters I can reach the LAN and Voice networks, but I cannot reach the Camera network because it routes all traffic to the Dialer 1 interface. I want to separate the routes.

The IP cameras have a destination NAT rule for the dialer interface.

Murat,

So you want those 3 clients to talk to the HQ subnets as well, right? Well, then you need to slightly change the existing route-map. Below is what needs to be there to get what you want:

ip access-list extended InternetViaADSL
 permit ip host 10.0.8.215 any
 permit ip host 10.0.8.216 any
 permit ip host 10.0.8.217 any
!
access-list 101 permit ip host 10.0.8.215
access-list 101 permit ip host 10.0.8.216
access-list 101 permit ip host 10.0.8.217
!
route-map InternetViaADSL permit 10
 match ip address 101
 set interface Dialer0
!
route-map InternetViaADSL permit 20
 match ip address InternetViaADSL
 set interface Dialer1

Now, route-maps are sequential, meaning they get executed in sequential order just like ACLs.

So when your branch tries to access the HQ, the first condition will be fulfilled, hence the route-map will not go further and the traffic will be sent out via Dialer 0.

When you access anything other than the HQ subnets, the first condition doesn't match and the route-map will go further down to condition 2, and this will match, hence the traffic will be sent out via Dialer 1.

HTH

Regards,

Kishore
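As an added illustration (example code written for this page, not from the poster or from Cisco), the following Python model walks the two-sequence route-map above the way IOS does: first matching sequence wins, and a packet matching no sequence falls back to the routing table. It assumes the blank destination in access-list 101 is the HQ LAN 192.168.1.0/24 from the question, and that the Dialer0 default route (AD 1) beats Dialer1 (AD 20); the helper names are hypothetical.

```python
import ipaddress

# Constructed model of the branch router's PBR from this thread.
CAMERA_HOSTS = {"10.0.8.215", "10.0.8.216", "10.0.8.217"}
# Assumption: ACL 101 is meant to match the HQ LAN named in the question.
HQ_LAN = ipaddress.ip_network("192.168.1.0/24")


def acl_101(src: str, dst: str) -> bool:
    """access-list 101 permit ip host <camera> 192.168.1.0 0.0.0.255 (assumed dst)."""
    return src in CAMERA_HOSTS and ipaddress.ip_address(dst) in HQ_LAN


def acl_internet_via_adsl(src: str, dst: str) -> bool:
    """ip access-list extended InternetViaADSL: permit ip host <camera> any."""
    return src in CAMERA_HOSTS


# route-map InternetViaADSL: (sequence, match ACL, 'set interface' target).
ROUTE_MAP_FIXED = [
    (10, acl_101, "Dialer0"),
    (20, acl_internet_via_adsl, "Dialer1"),
]

# The poster's original single-sequence route-map, for comparison.
ROUTE_MAP_ORIGINAL = [
    (10, acl_internet_via_adsl, "Dialer1"),
]


def default_route() -> str:
    """ip route 0.0.0.0 0.0.0.0 Dialer0 (AD 1) wins over Dialer1 (AD 20)."""
    return "Dialer0"


def egress(src: str, dst: str, route_map=ROUTE_MAP_FIXED) -> str:
    """Return the interface a packet leaves on under 'ip policy route-map'."""
    for _seq, acl, iface in route_map:
        if acl(src, dst):
            return iface  # first match wins; later sequences are not evaluated
    return default_route()  # no sequence matched: normal destination routing


if __name__ == "__main__":
    for src, dst in [("10.0.8.215", "192.168.1.10"), ("10.0.8.215", "8.8.8.8"),
                     ("10.0.5.10", "8.8.8.8")]:
        print(src, "->", dst, "fixed:", egress(src, dst),
              "original:", egress(src, dst, ROUTE_MAP_ORIGINAL))
```

Swapping the two sequences would send the cameras' HQ-bound traffic out Dialer1 again, which is why the more specific match must carry the lower sequence number.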

Hi,

I believe this should have solved your problem.

Regards,

Pawan Sharma

http://www.ebrahma.com


Hi Kishore,

It worked. Thanks

Murat
