Solved: Re: Policy based routing on Cisco 2911 ISR

andy_4578 · ‎03-19-2013

Hi,

I have setup a basic PBR config to route Http and Https out of a different interface (fa0/0/0) but for some reason http traffic is still going out of the Gi0/1 interface.

Is anyone able to see whats wrong?

Config attached minus the crypto stuff and the publics have been changed.

Thanks

Bilal Nawaz · ‎03-19-2013

There is no need to take out the route-maps with the 'no' commands.
You can just edit the existing route-maps:

route-map SDM_RMAP_1 permit 1
match ip address 101
match int gi0/1
!
route-map SDM_RMAP_2 permit 2
match ip address 101
match int fa0/0/0

Obviously there's a need for caution since the nat statements are in place and could potentially break things

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

cadet alain · ‎03-19-2013

Hi Andy,

My bad I gave you a wrong command for the NAT overload route-maps, you have to match the outgoing interface not the next-hop so that the traffic is correctly natted depending which outgoing interface it is using.

route-map SDM_RMAP_1 permit 1

match ip address 101

match interface g0/1

!

route-map SDM_RMAP_2 permit 2

match ip address 101

match interface f0/0

doing these changes should not affect your access to the router as it is for natted traffic which is transit traffic but it will affect your end users of course.

Also your PBR is ok with the set ip next-hop, if you use the set ip default next-hop then it will use that next-hop only if there is no explicit route for the destination in the routing table( it won't consider a default route as an explicit entry).

Regards

Alain

Don't forget to rate helpful posts.

View solution in original post

cadet alain · ‎03-19-2013

Hi,

can you try this:

no route-map SDM_RMAP_1

no route-map SDM_RMAP_2

route-map SDM_RMAP_1 permit 1

match ip address 101

match ip next-hop 94.1.1.1

route-map SDM_RMAP_2 permit 1

match ip address 101

match ip next-hop 192.168.200.253

Regards

Alain

Don't forget to rate helpful posts.

andy_4578 · ‎03-19-2013

Just tried using "set interface fa0/0/0" and they lost all http/https traffic so i've put it back to "set ip next-hop 192.168.200.253"

I can see hits on the route map acl..

soleshow route-map HTTP

route-map HTTP, permit, sequence 10

Match clauses:

ip address (access-lists): HTTP

Set clauses:

ip next-hop 192.168.200.253

interface FastEthernet0/0/0

Policy routing matches: 418868 packets, 130677567 bytes

gw1ja#

But if i go to website www.whatismyip.com i still see the public IP of interface gi0/1

The default route pointing to interface gi0/1 has to be there otherwise all traffic stops

andy_4578 · ‎03-19-2013

Hi Alain,

I can try that, trouble is im about 5000 miles away from the router and removing the route-maps will drop the internet and my connection.

I should be able to try it later when the users have gone home i'll use the "reload in" command incase anything goes wrong

Cheers

Andy

Bilal Nawaz · ‎03-19-2013

route-map HTTP permit 10

match ip address HTTP

set ip default next-hop 192.168.200.253

default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.

Try this and see if this works, you have a default route towards gi0/1 which may be the cause for traffic still being routed that way. Not saying to take your default out.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

andy_4578 · ‎03-19-2013

Hi Bilal,

Just tried changing to set ip default next-hop 192.168.200.253 but the traffic still seems to go out via the gi0/1 interface.

The odd thing is doing an internet speed test the traffic seems to go out via the gi0/1 interface and come back via the fa0/0/0 the reason i say that is because gi0/1 is on a 4mb lease line and fa0/0/0 is a 40mb adsl line, the return traffic shows as 36mb

If that makes any sense

Cheers

cadet alain · ‎03-19-2013

Hi,

did you try what I suggested above ?

Regards

Alain

Don't forget to rate helpful posts.

Bilal Nawaz · ‎03-19-2013

There is no need to take out the route-maps with the 'no' commands.
You can just edit the existing route-maps:

route-map SDM_RMAP_1 permit 1
match ip address 101
match int gi0/1
!
route-map SDM_RMAP_2 permit 2
match ip address 101
match int fa0/0/0

Obviously there's a need for caution since the nat statements are in place and could potentially break things

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

andy_4578 · ‎03-19-2013

Cheers for your help guys. I will try the above at 3pm GMT, the router is in Dubai so the users will have left for the day at 3 my time then if i break it no one will no.

andy_4578 · ‎03-19-2013

Just tried ...

route-map SDM_RMAP_1 permit 1

match ip address 101

match ip next-hop 94.1.1.1

!

route-map SDM_RMAP_2 permit 2

match ip address 101

match ip next-hop 192.168.200.253

Still going out of the wrong interface unfortunatley

cadet alain · ‎03-19-2013

Hi Andy,

My bad I gave you a wrong command for the NAT overload route-maps, you have to match the outgoing interface not the next-hop so that the traffic is correctly natted depending which outgoing interface it is using.

route-map SDM_RMAP_1 permit 1

match ip address 101

match interface g0/1

!

route-map SDM_RMAP_2 permit 2

match ip address 101

match interface f0/0

doing these changes should not affect your access to the router as it is for natted traffic which is transit traffic but it will affect your end users of course.

Also your PBR is ok with the set ip next-hop, if you use the set ip default next-hop then it will use that next-hop only if there is no explicit route for the destination in the routing table( it won't consider a default route as an explicit entry).

Regards

Alain

Don't forget to rate helpful posts.

Bilal Nawaz · ‎03-19-2013

When you had the option:

set ip default next-hop 192.168.200.253

How did you do your tests? Did you do a speed test and whatismyip? Could you explain what the results were please?

Thank you

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

andy_4578 · ‎03-19-2013

The config is currently like this...

route-map HTTP permit 10

match ip address HTTP

set ip default next-hop 192.168.200.253

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

route-map SDM_RMAP_2 permit 2

match ip address 101

If i do a speed test i get 4mb down and 20/30 up which doesnt make any sense

If i go to what is my IP i see the public address of gi0/1

Bilal Nawaz · ‎03-19-2013

Hi Andy,

Just a query - what are your nat statements purposing?

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload

ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/0/0 overload

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

andy_4578 · ‎03-19-2013

Hi Bilal,

Not sure what you mean? both NAT statements are to do dynamic nat for the inside traffic out to the internet.

If i remove them nothing will get out.

Thanks

Andy