03-19-2013 01:49 AM - edited 03-04-2019 07:20 PM
Hi,
I have set up a basic PBR config to route HTTP and HTTPS out of a different interface (fa0/0/0), but for some reason HTTP traffic is still going out of the Gi0/1 interface.
Is anyone able to see what's wrong?
Config attached, minus the crypto stuff, and the public addresses have been changed.
Thanks
03-19-2013 02:33 AM
Hi,
Can you try this:
no route-map SDM_RMAP_1
no route-map SDM_RMAP_2
route-map SDM_RMAP_1 permit 1
match ip address 101
match ip next-hop 94.1.1.1
route-map SDM_RMAP_2 permit 1
match ip address 101
match ip next-hop 192.168.200.253
Regards
Alain
Don't forget to rate helpful posts.
03-19-2013 02:43 AM
Just tried using "set interface fa0/0/0" and they lost all HTTP/HTTPS traffic, so I've put it back to "set ip next-hop 192.168.200.253".
I can see hits on the route-map ACL:
show route-map HTTP
route-map HTTP, permit, sequence 10
  Match clauses:
    ip address (access-lists): HTTP
  Set clauses:
    ip next-hop 192.168.200.253
    interface FastEthernet0/0/0
  Policy routing matches: 418868 packets, 130677567 bytes
gw1ja#
But if I go to the website www.whatismyip.com I still see the public IP of interface gi0/1.
The default route pointing to interface gi0/1 has to be there, otherwise all traffic stops.
03-19-2013 02:45 AM
Hi Alain,
I can try that; trouble is I'm about 5000 miles away from the router, and removing the route-maps will drop the internet and my connection.
I should be able to try it later when the users have gone home. I'll use the "reload in" command in case anything goes wrong.
Cheers
Andy
03-19-2013 02:43 AM
route-map HTTP permit 10
match ip address HTTP
set ip default next-hop 192.168.200.253
default next-hop: Sets next hop to which to route the packet if there is no explicit route for this destination.
Try this and see if it works; you have a default route towards gi0/1, which may be the cause of traffic still being routed that way. Not saying to take your default out.
03-19-2013 02:57 AM
Hi Bilal,
Just tried changing to set ip default next-hop 192.168.200.253, but the traffic still seems to go out via the gi0/1 interface.
The odd thing is, doing an internet speed test, the traffic seems to go out via the gi0/1 interface and come back via the fa0/0/0. The reason I say that is because gi0/1 is on a 4 Mb leased line and fa0/0/0 is a 40 Mb ADSL line; the return traffic shows as 36 Mb.
If that makes any sense
Cheers
03-19-2013 03:06 AM
Hi,
Did you try what I suggested above?
Regards
Alain
Don't forget to rate helpful posts.
03-19-2013 03:15 AM
There is no need to take out the route-maps with the 'no' commands.
You can just edit the existing route-maps:
route-map SDM_RMAP_1 permit 1
match ip address 101
match int gi0/1
!
route-map SDM_RMAP_2 permit 2
match ip address 101
match int fa0/0/0
Obviously there's a need for caution since the NAT statements are in place and could potentially break things.
03-19-2013 04:36 AM
Cheers for your help, guys. I will try the above at 3pm GMT; the router is in Dubai, so the users will have left for the day at 3 my time, and then if I break it no one will know.
03-19-2013 08:14 AM
Just tried ...
route-map SDM_RMAP_1 permit 1
match ip address 101
match ip next-hop 94.1.1.1
!
route-map SDM_RMAP_2 permit 2
match ip address 101
match ip next-hop 192.168.200.253
Still going out of the wrong interface, unfortunately.
03-19-2013 10:58 AM
Hi Andy,
My bad, I gave you a wrong command for the NAT overload route-maps: you have to match the outgoing interface, not the next-hop, so that the traffic is correctly NATed depending on which outgoing interface it is using.
route-map SDM_RMAP_1 permit 1
match ip address 101
match interface g0/1
!
route-map SDM_RMAP_2 permit 2
match ip address 101
match interface fa0/0/0
Doing these changes should not affect your access to the router, as it is for NATed traffic, which is transit traffic, but it will affect your end users of course.
Also your PBR is OK with the set ip next-hop; if you use the set ip default next-hop then it will use that next-hop only if there is no explicit route for the destination in the routing table (it won't consider a default route as an explicit entry).
Regards
Alain
Don't forget to rate helpful posts.
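The two points made in this reply (NAT route-maps should match the outgoing interface, and `set ip default next-hop` only acts when the routing table has no explicit route, a default route not counting) and Bilal's earlier note on `default next-hop` can be worked through in a small model. The script below is an added illustration written for this thread, not code from the thread, from Cisco, or from any poster: it imitates the IOS PBR decision and the NAT route-map selection with and without `match interface`. The interface names, the next hop 192.168.200.253 and the ACL names are taken from the thread; the addresses, the ACL contents and the "first matching NAT statement is used" rule are assumptions made for the model.

```python
"""Toy model of IOS policy routing (PBR) and NAT route-map selection.
Added illustration for this thread; not from the thread or from Cisco.
Interface names, next hop 192.168.200.253 and ACL names come from the
thread; addresses, ACL contents and the forwarding model are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: the public addresses are placeholders, not the thread's.
INTERFACES = {
    "GigabitEthernet0/1": "94.1.1.2",        # leased line, default route points here
    "FastEthernet0/0/0": "192.168.200.1",    # ADSL line, next hop 192.168.200.253
    "GigabitEthernet0/0": "10.0.0.1",        # inside LAN
}
# Routing table as (prefix, egress interface): connected routes plus a default
# route towards gi0/1, as in the thread.
BASE_ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/1"),
    ("94.1.1.0/24", "GigabitEthernet0/1"),
    ("192.168.200.0/24", "FastEthernet0/0/0"),
    ("10.0.0.0/24", "GigabitEthernet0/0"),
]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    egress: Optional[str] = None
    next_hop: Optional[str] = None

def acl_http(pkt: Packet) -> bool:            # named ACL "HTTP" (assumed: TCP 80/443)
    return pkt.dport in (80, 443)

def acl_101(pkt: Packet) -> bool:             # ACL 101 (assumed: inside LAN sources)
    return ip_address(pkt.src) in ip_network("10.0.0.0/24")

def lookup(dst: str, routes, explicit_only: bool = False) -> Optional[str]:
    """Longest-prefix match. With explicit_only the default route is ignored,
    which is how 'set ip default next-hop' decides whether to act."""
    best = None
    for prefix, intf in routes:
        net = ip_network(prefix)
        if explicit_only and net.prefixlen == 0:
            continue
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best[1] if best else None

def policy_route(pkt: Packet, route_map, routes) -> Packet:
    """route_map entries: (match_fn, set_kind, next_hop). set_kind is
    'next-hop' (always policy-routed) or 'default next-hop' (only when the
    table has no explicit, i.e. non-default, route for the destination)."""
    for match, set_kind, nh in route_map:
        if not match(pkt):
            continue
        if set_kind == "next-hop" or lookup(pkt.dst, routes, explicit_only=True) is None:
            pkt.next_hop = nh
            pkt.egress = lookup(nh, routes)   # next hop is reached via its connected route
            return pkt
        break                                 # explicit route exists: normal forwarding
    pkt.egress = lookup(pkt.dst, routes)
    return pkt

def nat_overload(pkt: Packet, nat_rules) -> Packet:
    """nat_rules entries: (acl_fn, match_interface or None, overload_interface),
    one per 'ip nat inside source route-map ... interface ... overload'.
    Simplification (assumption): the first rule whose route-map matches is used."""
    for acl, match_intf, overload_intf in nat_rules:
        if acl(pkt) and (match_intf is None or match_intf == pkt.egress):
            pkt.src = INTERFACES[overload_intf]
            return pkt
    return pkt

# Route-maps as posted in the thread, before and after the fix.
RMAP_HTTP_NEXT_HOP = [(acl_http, "next-hop", "192.168.200.253")]
RMAP_HTTP_DEFAULT_NEXT_HOP = [(acl_http, "default next-hop", "192.168.200.253")]
NAT_BEFORE = [(acl_101, None, "GigabitEthernet0/1"),                 # match ip address 101 only
              (acl_101, None, "FastEthernet0/0/0")]
NAT_AFTER = [(acl_101, "GigabitEthernet0/1", "GigabitEthernet0/1"),  # plus match interface
             (acl_101, "FastEthernet0/0/0", "FastEthernet0/0/0")]

def forward(dst, dport, route_map, nat_rules, routes=BASE_ROUTES):
    """Run one inside packet through PBR then NAT; return (egress, translated source)."""
    pkt = policy_route(Packet("10.0.0.50", dst, dport), route_map, routes)
    pkt = nat_overload(pkt, nat_rules)
    return pkt.egress, pkt.src

if __name__ == "__main__":
    print("before:", forward("203.0.113.10", 443, RMAP_HTTP_NEXT_HOP, NAT_BEFORE))
    print("after: ", forward("203.0.113.10", 443, RMAP_HTTP_NEXT_HOP, NAT_AFTER))
```

Under the first-match simplification, an HTTPS packet that PBR sends out fa0/0/0 is still translated to gi0/1's address with the original route-maps, because both SDM_RMAP_1 and SDM_RMAP_2 match on ACL 101 alone; adding `match interface` ties each translation to the egress interface. Passing a routing table that contains an explicit route for the destination also shows the difference between `set ip next-hop`, which still policy-routes, and `set ip default next-hop`, which then defers to the routing table.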
03-19-2013 08:18 AM
When you had the option:
set ip default next-hop 192.168.200.253
How did you do your tests? Did you do a speed test and whatismyip? Could you explain what the results were please?
Thank you
03-19-2013 08:38 AM
The config is currently like this...
route-map HTTP permit 10
match ip address HTTP
set ip default next-hop 192.168.200.253
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 2
match ip address 101
If I do a speed test I get 4 Mb down and 20/30 up, which doesn't make any sense.
If I go to What Is My IP I see the public address of gi0/1.
03-19-2013 08:55 AM
Hi Andy,
Just a query: what are your NAT statements purposing?
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/0/0 overload
03-19-2013 09:22 AM
Hi Bilal,
Not sure what you mean? Both NAT statements are to do dynamic NAT for the inside traffic out to the internet.
If I remove them, nothing will get out.
Thanks
Andy