Policy base Routing in cisco router

santosh kumar
Level 1

Hi,

I have 2 ISPs, connected to 2 different routers. Both routers are configured with HSRP.
BGP is also configured on both routers, advertising our own IP block.

The goal is to send the ISP2 LAN /24 public block traffic via ISP2. For that I configured PBR on Router 1.

The challenge I have: when I trace to 8.8.8.8 from the switch with the source IP set to the ISP 2 LAN public IP x8.135.x8.1, the traffic still goes via ISP 1.

Router 1
ISP1 -->>gi0/0/1
LAN-->>gi0/0/3 2.2.2.2/29

Router2
ISP2 -->>gi0/0/0
LAN-->>gi0/0/3 2.2.2.3/29

HSRP configured between the routers, HSRP IP 2.2.2.5

Switch --2.2.2.1/29 & ISP2 public IP x8.135.x8.1/24


PBR Configuration:
=================
access-list 101 permit ip x8.135.x8.0 0.0.0.255 any

route-map ISP2-Traffic-PBR permit 10
match ip address 101
set ip next-hop x8.x.x.201    <-- ISP 2 end IP address
!

interface GigabitEthernet0/0/3
description "LAN-HSRP-Gi3/1/4"
ip address 2.2.2.2 255.255.255.248
standby 1 ip 2.2.2.5
standby 1 priority 150
standby 1 preempt
ip policy route-map ISP2-Traffic-PBR
negotiation auto

5 Replies

ebenav11
Level 1

Replace the x8.x.x.201 with the LAN address of gi0/0/3 on Router 2, 2.2.2.3/29.

If you check the routing table on RTR2, can you see the prefix x8.x.x.201?

Kind regards
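As an added illustration of the point made in this answer (not code from the thread or from Cisco), the following Python model shows why the original next hop fails: Router 1 only honours `set ip next-hop` when the hop is on one of its connected networks, otherwise the route-map entry is skipped and the packet follows the default route to ISP1. The masked octets from the post are replaced with RFC 5737 documentation addresses, and the interface names and link prefixes are assumptions.

```python
import ipaddress

# Constructed model of Router 1 from the thread. Masked octets in the post are
# stood in for by RFC 5737 documentation ranges (placeholders, not real values).
ISP2_LAN_BLOCK = ipaddress.ip_network("203.0.113.0/24")   # x8.135.x8.0/24 (ACL 101)
ISP2_PEER = ipaddress.ip_address("198.51.100.201")        # x8.x.x.201, ISP 2 end
ROUTER2_LAN = ipaddress.ip_address("2.2.2.3")             # Router 2 Gi0/0/3
ISP1_PEER = ipaddress.ip_address("192.0.2.1")             # assumed ISP1 next hop

# Router 1's connected networks: the only hops it can resolve directly (assumed link prefixes).
CONNECTED = {
    ipaddress.ip_network("2.2.2.0/29"): "Gi0/0/3",
    ipaddress.ip_network("192.0.2.0/30"): "Gi0/0/1",
}
# Destination-based routing table: a single default route towards ISP1.
ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), ISP1_PEER, "Gi0/0/1")]


def is_adjacent(next_hop):
    """'set ip next-hop' is only usable when the hop sits on a connected network."""
    return any(next_hop in net for net in CONNECTED)


def route_map_isp2(src, pbr_next_hop):
    """route-map ISP2-Traffic-PBR permit 10: match ACL 101, then set ip next-hop."""
    if src in ISP2_LAN_BLOCK and is_adjacent(pbr_next_hop):
        return pbr_next_hop
    return None  # no match or unusable hop: fall through to normal routing


def forward(src, dst, pbr_next_hop):
    """Return (next_hop, egress_interface) Router 1 would use for src -> dst."""
    hop = route_map_isp2(ipaddress.ip_address(src), pbr_next_hop)
    if hop is not None:
        iface = next(i for net, i in CONNECTED.items() if hop in net)
        return str(hop), iface
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return str(best[1]), best[2]


if __name__ == "__main__":
    src = "203.0.113.1"  # stands in for x8.135.x8.1
    print(forward(src, "8.8.8.8", ISP2_PEER))          # hop not adjacent: ISP1 path
    print(forward(src, "8.8.8.8", ROUTER2_LAN))        # hop adjacent: via Router 2
    print(forward("2.2.2.1", "8.8.8.8", ROUTER2_LAN))  # ACL miss: normal routing
```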

Hi Edgar,

I changed it to 2.2.2.3, and when I trace from the firewall with a source IP from the ISP2 LAN public pool, the trace goes via the 2nd ISP and the 2nd router (which is what we need).

But when I NAT the server with the ISP2 LAN IP pool, the trace from the server goes via ISP1.


Trace from firewall (right path):
[root@F380:~]# traceroute -s x8.135.x.2 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 1x.250.x.1 (1x.250.x.1) 0.504 ms 1.045 ms 1.274 ms
2 2.2.2.2 (2.2.2.2) 0.170 ms 0.146 ms 0.168 ms
3 2.2.2.3 (2.2.2.3) 0.195 ms 0.171 ms 0.186 ms
4 x.14.x.201 (x.14.x.201) 0.826 ms 0.858 ms 0.857 ms
5 be2956.ccr41.iad02.atlas.yco.com (x.54.x.193) 0.885 ms 0.964 ms 0.889 ms
6 tata.iad02.atlas.yco.com (x.54.x.206) 0.762 ms 0.651 ms 0.728 ms
7 72.14.198.28 (72.14.198.28) 0.654 ms 0.680 ms 0.658 ms
8 108.170.246.1 (108.170.246.1) 0.582 ms 108.170.240.97 (108.170.240.97) 1.672 ms 1.621 ms
9 72.14.239.79 (72.14.239.79) 0.591 ms 74.125.251.253 (74.125.251.253) 1.776 ms 209.85.254.73 (209.85.254.73) 0.903 ms
10 google-public-dns-a.google.com (8.8.8.8) 0.827 ms 0.490 ms 0.513 ms
[2018-08-06 05:24 PDT] [-root shell-] [-Barracuda Networks-]
[root@F380:~]#

Trace from the system which we NATed (38.135.88.2 --> 10.21.10.250); the trace is going on the 2nd ISP.

vadmin@test-cogent-ip:~$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.21.10.1 (10.21.10.1) 0.322 ms 0.327 ms 0.226 ms
2 1x.250.x.1(199.250.248.1) 0.764 ms 1.600 ms 1.270 ms
3 2.2.2.2 (2.2.2.2) 0.547 ms 0.450 ms 0.499 ms
4 edge1.ge3-0-25.abcd-1.x.net (6x.150.x.177) 2.082 ms 2.098 ms 2.049 ms
5 border1.ae0-edgenet.abcd-1.x.net (x.150.x.17) 0.461 ms 0.466 ms 0.513 ms
6 core2.te5-1-bbnet1.abcd-1.x.net (216.52.127.8) 1.061 ms core2.te5-2-bbnet2.wdc002.pnap.net (216.52.127.72) 0.973 ms 1.042 ms
7 bbr2.ae4.inapvox-9.abcd-1.x.net (64.95.158.246) 0.605 ms 0.761 ms 0.728 ms
8 bbr1.ae2.wdc002.pnap.net (64.95.159.33) 0.688 ms bbr1.ae1.abcd-1.x.net (64.95.159.29) 0.674 ms bbr1.ae2.wdc002.pnap.net (64.95.159.33) 0.636 ms
9 eqixva-google-gige.google.com (206.126.236.21) 0.715 ms 0.808 ms 0.797 ms
10 108.170.246.65 (108.170.246.65) 1.120 ms 108.170.246.33 (108.170.246.33) 2.176 ms 108.170.240.97 (108.170.240.97) 1.967 ms
11 108.170.229.67 (108.170.229.67) 0.947 ms 74.125.251.255 (74.125.251.255) 1.854 ms 108.170.226.95 (108.170.226.95) 0.706 ms
12 google-public-dns-a.google.com (8.8.8.8) 0.685 ms 0.928 ms 0.736 ms
vadmin@test-cogent-ip:~$

Changed to 2.2.2.3, it's working. Thank you.

Hello

Your access-list looks incorrect; it should be the internal network you wish to be PBR'd, not the public addressing of ISP2.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

It's the /24 public pool of ISP2 and we NAT in the firewall. It won't work.