06-14-2005 06:47 AM - edited 03-03-2019 09:48 AM
I want any traffic from 192.168.196.2 to be forced out over ADSL
then over a lease line if the ADSL is down. However, I don't want traffic
from 192.168.196.2 to 196.x.x.0-63 or 216.x.x.0-255 to be included.
I will have to double check the format and usage for it to make sure it will
work, but mainly the access lists and configuration below should meet the
criteria above, right?
access-list 140 permit ip any any
access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any
access-list 140 deny tcp host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny tcp host 192.168.196.2 216.x.x.0 0.0.0.255 any
route-map adsl-redirect
match ip address 140
set interface dialer1 serial0/0
interface fa0/0
ip policy route-map adsl-redirect
192.168.196.2 is a Cisco CE-505 Cache Engine.
I may also in the future want to define routes based on destination as well.
Thanks
David
06-14-2005 07:03 AM
Be careful with your ACL syntax and order. As listed all traffic will satisfy the first ACL line and pass (ip any any). Your second line has an erroneous "any". Your "deny" lines will only negate "tcp" traffic where your "permits" are allowing all "ip". I would list as follows -
access-list 140 deny ip host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny ip host 192.168.196.2 216.x.x.0 0.0.0.255 any
access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any
HTH !
Chris
06-14-2005 07:05 AM
Hi,
Please correct the ACLs that are defined.
In this case the first line (access-list 140 permit ip any any) allows all of the IP traffic to pass through and thus defeats the purpose of defining the rest of the ACEs. The other ACEs will not match in this case, hence the PBR will not work.
The above first line (access-list 140 permit ip any any) should be used last.
access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any
access-list 140 deny tcp host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny tcp host 192.168.196.2 216.x.x.0 0.0.0.255 any
access-list 140 permit ip any any
Please use the following links :
http://www.cisco.com/warp/public/cc/techno/protocol/tech/plicy_wp.htm
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml
HTH,
-amit singh
06-15-2005 02:33 AM
Hi Amit,
If you are permitting all traffic in the access-list then all traffic will go via the ADSL link only.
Let me know if my assumption is correct.
Kannan.S.T.
06-15-2005 02:31 AM
Hi,
I think the following configuration will fulfill your requirement.
interface fa0/0
ip policy route-map adsl-redirect
route-map adsl-redirect permit 10
match ip address 140
set interface dialer1 serial0/0
route-map adsl-redirect permit 20
access-list 140 deny ip host 192.168.196.2 196.x.x.0 0.0.0.63
access-list 140 deny ip host 192.168.196.2 216.x.x.0 0.0.0.255
access-list 140 permit ip host 192.168.196.2 any
Policy Route Maps
If the statement is marked as permit and the packets do not meet the match criteria, then those packets are also forwarded through the normal routing channel.
So the traffic that is denied by the access-list will be routed by normal routing.
Kannan.S.T.
06-15-2005 02:42 AM
Hi Kannan,
You are right, still it would use the same link. I should have included the permit ip any any and also should have checked the ACEs properly.
Oops.. My mistake ;)
thanks,
-amit singh
06-15-2005 04:05 AM
Thank you everyone. I will have to wait until the weekend before I can test since this is a live system. I currently have 2x 2600 routers and the cache engine between them on a switch. One of the 2600s is for the ADSL WIC and the other handles serial and ethernet only. So this would be a definite plus if I can get it to work.
I will let you know how it goes..
Thanks
David
06-15-2005 07:05 AM
Just thought of something..
Wouldn't this config load balance (for lack of better term) across the dialer1 and serial0/0?
route-map adsl-redirect
match ip address 140
set interface dialer1 serial0/0
I would probably want something like this instead to have a primary and a failover..
route-map adsl-redirect
match ip address 140
set interface dialer1
set interface serial0/0 10
Or am I looking at it wrong?
Thanks
David
06-15-2005 07:51 AM
David
Your first version is what you want. It will not load balance (it will not use both alternately). It will try to set the outbound interface to the first alternative and if it is not available it will set to the second alternative.
HTH
Rick
06-15-2005 09:03 AM
Thanks..
Was just thinking about the normal default routes, like the following, as it would route equally across the links:
ip route 0.0.0.0 0.0.0.0 s0/0
ip route 0.0.0.0 0.0.0.0 s0/1
vs
ip route 0.0.0.0 0.0.0.0 s0/0
ip route 0.0.0.0 0.0.0.0 s0/1 10
With that in mind, if I wanted to use a load sharing solution (since it is behind NAT). How would that be accomplished easily? (maybe should have left the last word out)
Thanks
06-16-2005 01:05 AM
NAT translation will fail.
When NATing, inbound and outbound traffic should use the same router.
Jeff
06-19-2005 08:13 AM
I tried several of these options. All failed so far.
The problem appears to be that the traffic from the cache engine is not being allowed to return to the client after the request has been handled by the cache engine. I am not sure if it is due to the access-lists or not.
Maybe I need to rephrase my need..
I want the cache engine to be able to pull traffic from the ADSL link as the primary route. However, any traffic that originates from another host on the network will use the default route of the network.
I hope this makes sense.
Thanks
David
06-19-2005 10:40 AM
Given that your ADSL connection is reachable over the Dialer1 interface, the leased line is over the serial0/0 interface and the CE-505 is connected to the Fa0/0 interface, the following should work:
access-list 140 permit ip host 192.168.196.2 196.x.x.0 0.0.0.63
access-list 140 permit ip host 192.168.196.2 216.x.x.0 0.0.0.255
access-list 141 permit ip host 192.168.196.2 any
!
route-map adsl-redirect deny 100
description *** Match on these will use regular routing table
match ip address 140
!
route-map adsl-redirect permit 200
description *** Match on these will be policy-routed to the given interfaces
match ip address 141
set interface Dialer1 Serial0/0
!
! There is an implicit deny at the end of the route-map which sends everything which didn't match in the route-map statements to the regular routing decision.
!
interface FastEthernet0/0
description *** This is the inside interface, where the CE-505 is connected
ip policy route-map adsl-redirect
!
Now the only problem would be where your clients are located and how they connect to the CE-505. Depending on the layout, the access-lists may have to be tuned a little and/or more route-map statements made.
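As an added illustration (not code from any poster in this thread), the following simulation models how IOS evaluates an ACL used as route-map match criteria and contrasts the original post's ACL 140 with the route-map above; the redacted 196.x.x.0 and 216.x.x.0 networks are replaced by constructed TEST-NET stand-ins, and the malformed "permit ip any host ... 0.0.0.0 any" line is left out.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_result(aces, pkt):
    """First matching ACE wins, implicit deny at the end. As match criteria,
    'deny' only means 'this clause does not match', never 'drop the packet'."""
    for action, proto, src, swc, dst, dwc in aces:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if wild_match(pkt["src"], src, swc) and wild_match(pkt["dst"], dst, dwc):
            return action
    return "deny"

def policy_route(route_map, acls, pkt):
    """Clauses in sequence order: a permit clause whose ACL matches applies its
    'set interface' list (first usable interface wins, no load balancing); a deny
    clause whose ACL matches, or no match at all, falls back to normal routing."""
    for action, acl_no, set_ifaces in route_map:
        if acl_result(acls[acl_no], pkt) == "permit":
            return set_ifaces if action == "permit" else "normal-routing"
    return "normal-routing"

CE, ANY = "192.168.196.2", ("0.0.0.0", "255.255.255.255")
NET_A, NET_B = "198.51.100.0", "203.0.113.0"  # constructed stand-ins for 196.x.x.0 / 216.x.x.0

# Original post: 'permit ip any any' first, exclusions written as 'deny tcp'.
ORIGINAL_ACLS = {140: [
    ("permit", "ip", *ANY, *ANY),
    ("deny", "tcp", CE, "0.0.0.0", NET_A, "0.0.0.63"),
    ("deny", "tcp", CE, "0.0.0.0", NET_B, "0.0.0.255"),
]}
ORIGINAL_MAP = [("permit", 140, ["Dialer1", "Serial0/0"])]

# Reply above: exclusions in ACL 140 behind 'deny 100', the rest of the CE's
# traffic in ACL 141 behind 'permit 200'; other hosts match nothing.
FINAL_ACLS = {
    140: [("permit", "ip", CE, "0.0.0.0", NET_A, "0.0.0.63"),
          ("permit", "ip", CE, "0.0.0.0", NET_B, "0.0.0.255")],
    141: [("permit", "ip", CE, "0.0.0.0", *ANY)],
}
FINAL_MAP = [("deny", 140, None), ("permit", 141, ["Dialer1", "Serial0/0"])]

def compare(pkt):
    """Return (original-config decision, corrected-config decision) for one packet."""
    return policy_route(ORIGINAL_MAP, ORIGINAL_ACLS, pkt), policy_route(FINAL_MAP, FINAL_ACLS, pkt)
```

With the original ACL every packet from every host is policy-routed to the ADSL link, including the destinations meant to be excluded; with the corrected route-map only the cache engine's non-excluded traffic is.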
06-19-2005 04:40 PM
Ok... Here is my layout.
I have a 2610 with a WIC-2T and WIC-1ADSL
S0/0
Link to site B PoP
S0/1
Link to primary lease line - ISP
Dialer1
Link to ADSL provider (PPPoE w/ DHCP)
Eth0/0
Local network, cache engine and some clients
I have just seen something very weird. The CE-550 is on a private IP 192.168.80.2 connected to a Cisco Switch and then to the 2610 router. The IP address for the CE is behind NAT on both the S0/1 and Di1 interfaces. Someone in China is using it as an open proxy and I can't find how they are getting to it. Is there an easy way to allow only certain traffic to go to the CE? Would this be on the CE itself?
I have the same config at site b and I have not had any problems with security there since moving the CE behind NAT.
I like the config that you have, will give it a shot now. I have 4 hours to configure and test before clients come online again.
Thanks
David
06-19-2005 06:14 PM
I just tried this, unfortunately, it is not using the Dialer1 interface.
Could this be due to the fact that the source address is in the
"route-map adsl-redirect deny 100" list?
It should go to the cache engine due to the external interface having the " ip wccp web-cache redirect out" command entered.
I have tried several of the what is my ip sites on site b and it always shows the real system ip and any dialer and proxy ip addresses. This only shows the real and the external serial interface address.
Site B is using a dual router configuration to handle this, but I would prefer not to have to do that at every site that will have a CE.
Thanks
David