
PBR with PPP Dialer interface - ATM vs PPPoE

Michael Mercier
Level 1

Hello,

I seem to be having an issue with Policy Based Routing on a Dialer interface.  I have the following two setups:

A.  Cisco router with ADSL WIC - relevant configuration information

interface ATM0/0/0
  no ip address
  no atm ilmi-keepalive
  pvc 0/35
    pppoe-client dial-pool-number 1

interface FastEthernet0/1
  ip address x.x.x.x x.x.x.x
  ip nat inside
  ip policy route-map dialer1-access

interface Dialer1
  ip address negotiated
  ip nat outside
  encapsulation ppp
  dialer pool 1

route-map dialer1-access permit 10
  match ip address acl_dialer1_permit
  set default interface Dialer1

B. Cisco router Ethernet interface connected to DSL modem via switch - relevant configuration information

interface GigabitEthernet0/2.220
  encapsulation dot1q 220
  pppoe enable
  pppoe-client dial-pool-number 10

interface GigabitEthernet0/1
  ip address x.x.x.x x.x.x.x
  ip nat inside
  ip policy route-map dialer10-access

interface Dialer10
  ip address negotiated
  ip nat outside
  encapsulation ppp
  dialer pool 10

route-map dialer10-access permit 10
  match ip address acl_dialer10_access
  set default interface Dialer10

There is no static default route (ip route 0.0.0.0 0.0.0.0) on either setup.  Setup A works for me successfully.   As configured, setup B does not seem to correctly 'route' the traffic (connection fails)?  If I add the following command to the Dialer interface,

ppp ipcp route default

then connections succeed but I believe this is because there is now a static default route installed which I don't want.

Questions: 

1. Is there a way around this? 

2. Is this behaviour different when using PPPoE vs ATM?

Thanks,

Mike


Marwan ALshawi
VIP Alumni

Before you can get the right answer,

can you describe what you are trying to achieve and why you do not use a static default route, for example, in your setup?

Hi,

I am trying to achieve the following:

Only 2 systems on the internal network (192.168.0.50 and 192.168.0.75) should be allowed to access the internet.  All systems should be able to communicate over the 'interoffice backbone'.  The 'interoffice backbone' is using the eigrp routing protocol.

To modify my example B:

interface GigabitEthernet0/0
  description access to interoffice backbone
  ip address 10.0.0.1 255.255.255.248

interface GigabitEthernet0/1
  ip address 192.168.0.1 255.255.255.0
  ip nat inside
  ip policy route-map dialer10-access

interface GigabitEthernet0/2.220
  no ip address
  encapsulation dot1q 220
  pppoe enable
  pppoe-client dial-pool-number 10

interface Dialer10
  ip address negotiated
  ip nat outside
  encapsulation ppp
  dialer pool 10

ip nat inside source list acl_dialer10_permit interface Dialer10 overload

router eigrp 5
  network 10.0.0.0 0.0.0.7
  network 192.168.0.0 0.0.0.255
  passive-interface default
  no passive-interface GigabitEthernet0/0

route-map dialer10-access permit 10
  match ip address acl_dialer10_access
  set default interface Dialer10

ip access-list standard acl_dialer10_permit
  permit host 192.168.0.50
  permit host 192.168.0.75

ip access-list acl_dialer10_access
  permit ip host 192.168.0.50 any
  permit ip host 192.168.0.75 any

Only .50 and .75 should have access to the internet via the Dialer10 interface and should only use the Dialer interface if the route is specifically not known (the default option in the set statement).  Traffic from any other device on the 192.168.0.0/24 network should be dropped by the router (no route to host)

If we modify example A:

interface ATM0/0/0
  no ip address
  no atm ilmi-keepalive
  pvc 0/35
    pppoe-client dial-pool-number 1

interface FastEthernet0/0
  description access to interoffice backbone
  ip address 10.0.0.1 255.255.255.248

interface FastEthernet0/1
  ip address 192.168.0.1 255.255.255.248
  ip nat inside
  ip policy route-map dialer1-access

interface Dialer1
  ip address negotiated
  ip nat outside
  encapsulation ppp
  dialer pool 1

ip nat inside source list acl_dialer1_permit interface Dialer10 overload

router eigrp 5
  network 10.0.0.0 0.0.0.7
  network 192.168.0.0 0.0.0.255
  passive-interface default
  no passive-interface FastEthernet0/0

ip access-list standard acl_dialer1_permit
  permit host 192.168.0.50
  permit host 192.168.0.75

ip access-list extended acl_dialer1_access
  permit ip host 192.168.0.50 any
  permit ip host 192.168.0.75 any

Again only .50 and .75 should have access to the internet.

With example A:

show ip route

Gateway of last resort is not set

Traffic from .50 and .75 can access the internet

With example B:

show ip route

Gateway of last resort is not set

Traffic from .50 and .75 can not access the internet unless I add the following to the Dialer interface:

ppp ipcp route default

Why does example A work using the ATM interface, but example B not work using the GigabitEthernet sub-interface?

Thanks,

Mike
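
The forwarding policy described in the post above, modelled in Python as an added example (not code from the thread and not IOS behaviour captured from a device). It assumes the documented PBR rule that `set default interface` is used only when the routing table holds no explicit route for the destination, with a 0.0.0.0/0 entry not counting as explicit; the 10.20.0.0/16 EIGRP prefix and the test destinations are constructed, and NAT is not modelled.

```python
import ipaddress

# Constructed routing table modelled on example B: connected networks plus
# one hypothetical EIGRP-learned office prefix. No 0.0.0.0/0 entry.
ROUTES = {
    "10.0.0.0/29": "GigabitEthernet0/0",
    "192.168.0.0/24": "GigabitEthernet0/1",
    "10.20.0.0/16": "GigabitEthernet0/0",  # hypothetical remote office
}
# Hosts permitted by acl_dialer10_access in the post.
PBR_SOURCES = {"192.168.0.50", "192.168.0.75"}
PBR_DEFAULT_INTERFACE = "Dialer10"


def explicit_route(dst, routes):
    """Longest-prefix match that ignores any 0.0.0.0/0 entry."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, interface in routes.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, interface)
    return best[1] if best else None


def forward(src, dst, routes=ROUTES):
    """Egress interface for a packet arriving on the policy-routed LAN
    interface, or None when the router has no route and drops it."""
    interface = explicit_route(dst, routes)
    if interface:
        return interface               # a known route wins, even for PBR hosts
    if src in PBR_SOURCES:
        return PBR_DEFAULT_INTERFACE   # 'set default interface' applies
    # Source not matched by the route-map: normal routing only, so the
    # packet leaves only if a default route has been installed.
    return routes.get("0.0.0.0/0")
```

With the constructed table, `forward("192.168.0.10", "203.0.113.10")` returns `None`; adding a `"0.0.0.0/0": "Dialer10"` entry, as `ppp ipcp route default` would, makes the same call return `Dialer10`, which is the side effect the poster wants to avoid.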


Hi Michael,

One doubt: why have you put an IP address on GigE and also put IP address negotiated on the Dialer?

Remove the IP address from the GigE interface and check whether it is working or not.

If it is NOT working even after removing the IP address from GigE, then can you please issue debug ppp negotiation and sh caller, and paste the outputs.

Regards,
Smitesh

Hi,

I am not sure I understand your question!

GigabitEthernet0/2.220 is the interface using the Dialer and although I didn't put the statement, there is no ip address assigned to that interface.  GigabitEthernet0/1 is used for the internal network where the workstations reside (ip address 192.168.0.1 255.255.255.0).

Thanks,

Mike

Hi Michael,

My apologies, I misread the interface config.

Are you trying to have PPP between A and B, or is PPP at both sides with the SP?

Also, can you please provide the output of the following commands:

sh caller ip

debug ppp negotiation

Regards,

Smitesh

Hi Smitesh,

I am establishing a PPP session to an ISP successfully with both configurations (I get an IP address).  When using the ATM0/0/0 interface, I can set default interface Dialer1 in the route-map and traffic will go to the internet with no default route set.  When using the ethernet interface and using the same command, the traffic will not go to the internet with no default route set.  I must add ppp ipcp route default before traffic will go to the internet (which also adds a static default route to the routing table).

sh caller ip

Line  User                    IP address  Local Number   Remote Number    <->

Vi2     x.x.x.x     -             

Note that the above is the same with or without the ppp ipcp route default command on the Dialer interface.

I didn't think the ppp debugging is needed since I am successfully establishing a connection.

The IOS version is 15.1(4).

Thanks,

Mike

Hi Mike,

I requested debug ppp negotiation to check whether you are getting the default route & gateway from your ISP and whether IPCP is working fine.

Regards,

Smitesh

Hi Smitesh,

As I mentioned before, the default route is being distributed by the ISP.

Here is the output I believe you are looking for:

With ppp ipcp route default command enabled.

Nov 24 14:25:53.979: Di10 IPCP: Install negotiated IP interface address xx.xx.xxx.xxx
Nov 24 14:25:53.979: Di10 IPCP: Install default route thru xx.xxx.xxx.x
Nov 24 14:25:53.979: Di10 Added to neighbor route AVL tree: topoid 0, address xx.xxx.xxx.x
Nov 24 14:25:53.979: Di10 IPCP: Install route to xx.xxx.xxx.xx

With ppp ipcp route default command disabled.

Nov 24 14:28:27.353: Di10 IPCP: Install negotiated IP interface address xx.xx.xxx.xxx
Nov 24 14:28:27.353: Di10 Added to neighbor route AVL tree: topoid 0, address xx.xxx.xxx.x
Nov 24 14:28:27.353: Di10 IPCP: Install route to xx.xxx.xxx.x

Thanks,

Mike

Hi Mike,

Seems like you are not receiving the default route from the ISP when ppp ipcp route default is disabled.

Can you post

sh ip route 0.0.0.0 with ppp ipcp route default disabled.

If you do not see anything, then it is time to call up your ISP.

Regards,

Smitesh

Hi Smitesh,

I receive the default route with or without the ppp ipcp route default command on the Dialer interface.  The message 'Di10 IPCP: Install route to xx.xxx.xxx.x' is installing the route and it is visible in the routing table.

sh ip route 0.0.0.0 will show if I have a default route installed, but as I mentioned before, I do not want a route to 0.0.0.0 / default route installed.

I do not need the default route installed when using the DSL WIC to have traffic go to the internet using PBR.  This does not seem to be replicating when using an Ethernet interface with PPPoE.

Thanks,

Mike

Hi Mike,

Can you try making a PBR for your other subnets and routing them through the other connection?

Just a thought on an alternative way to solve the issue...

Edited:

Alternatively, you can make an ACL so that other subnets (which you don't want to traverse through the Dialer) get dropped.

Regards,

Smitesh

Message was edited by: smitesh kharecha
