Policy Based Routing

paarlberg
Level 1

I want any traffic from 192.168.196.2 to be forced out over ADSL, then over a lease line if the ADSL is down. However, I don't want traffic from 192.168.196.2 to 196.x.x.0-63 or 216.x.x.0-255 to be included..

I will have to double check the format and usage for it to make sure it will work.. but mainly the access lists and configuration below should meet the criteria above.. right?

access-list 140 permit ip any any
access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any
access-list 140 deny tcp host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny tcp host 192.168.196.2 216.x.x.0 0.0.0.255 any

route-map adsl-redirect
 match ip address 140
 set interface dialer1 serial0/0

interface fa0/0
 ip policy route-map adsl-redirect

192.168.196.2 is a Cisco CE-505 Cache Engine.

I may also in the future want to define routes based on destination as well.

Thanks

David

25 Replies

I forgot to issue a "no" command on the set interface when I was testing. It added everything to the end instead of replacing.

So far so good... I finally have this headache sorted. I think ;-)

Thanks to all that provided feedback..

David

Found one little glitch..

I shut down the WIC-1ADSL to see if the routing would go to the serial interface and it did not. Do I need to set some kind of time out for the failover?

Thanks

David

Are you using dialer 1 or the ATM sub-interface for the ADSL?

How do you "shutdown the WIC-1ADSL"? Did you do a shutdown in the ATM interface or dialer interface? Or unplug cables?

I issued the following..

int atm0/0
 shut
int di1
 shut

I made sure that the dialer had disconnected and the ATM interface was down before testing..

It still tried to go out via the dialer1 interface. I was watching the IP NAT T details to see what happened. I even did the following to make sure that the nat translations were done.

clear ip nat t f

I have 2 access lists for the NAT.

acl 1

acl 2

both are configured for the cache engine's subnet. 1 is used for the dialer and 1 for the serial link.

Hmm.. do you have a 'fixed' next-hop address on the ADSL-PPPoE link? I.e. do you get the same gateway-address each time you log on? If so, you could use the IP addresses in the route-map instead, as this feature will check for the routes to exist (they have to be adjacent) before doing the routing:

route-map adsl-redirect permit 200
 match ip address 141
 set ip next-hop a.a.a.a b.b.b.b
!

Where a.a.a.a is the gateway-address (upstream-router) on the ADSL and b.b.b.b is the same on the leased line.

btw: if you have some more specific routes in the router which you want the CE-5050 to reach.. you could also modify the "set"-statement to this:

set ip default next-hop a.a.a.a b.b.b.b

Then it would only modify the default-route for the matched packets.. and use the routing-table for all specific routes.. :)

Check here for more info:

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

And if you find any of the answers helpful, please use the "Rate this post" and also check which reply was the right answer.. this would help others in the future.. :)

Unfortunately, the local Telkom (monopoly) in South Africa implements a 3G per month usage cap and then the international speeds drop to sub-dialup speeds. Once that is hit the IP range and gw are changed. I could just use the ADSL for national only traffic to allow for higher national browsing speeds.

The info you provided has been very helpful. I believe I have some issues with NAT not moving to the second route in case of failure. I have disabled the route map completely and it is not defaulting back to the lease line..

Here is my NAT info

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Serial0/1 overload
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 2 permit 192.168.80.0 0.0.0.255

If I could secure which clients can access the CE, then I could put it on a public IP and eliminate one of the NAT statements and possibly solve the problem.

Thanks

David

Did you try to use route-map in your nat statement?

e.g.

!
route-map ADSL permit 10
 match interface d1
!
route-map LL permit 10
 match interface s0/1
!
ip nat inside source route-map ADSL interface d1 overload
ip nat inside source route-map LL interface s0/1 overload
!

In this case, the source IP of all traffic going out of int d1 will be translated to the IP address of int d1, and similar case for int s0/1.

wouldn't that expose the cache engine to external sources?

This is working so far.. I am sending traffic to the national IP addresses over ADSL, and all international is over the lease line.

access-list 140 permit ip host 192.168.80.2 196.x.x.0 0.0.0.63
access-list 140 permit ip host 192.168.80.2 216.x.x.0 0.0.0.255
access-list 140 remark *** Our internal IP address ranges
!
access-list 142 remark **** SA National IP addresses
access-list 142 permit ip host 192.168.80.2 x.x.x.x
******** about 4M total ip addresses or about 20 lines in config
!
ip nat inside source route-map ADSL interface d1 overload
ip nat inside source route-map LL interface s0/1 overload
!
route-map adsl-redirect deny 100
 description *** Match on these will use regular routing table
 match ip address 140
!
route-map adsl-redirect permit 200
 description *** Match on these will be policy-routed to the given interfaces
 description *** SA National Traffic only
 match ip address 142
 set interface Dialer1 Serial0/1
!
int eth0/0
 ip policy route-map adsl-redirect
 ip wccp web-cache redirect in
!
route-map ADSL permit 10
 match interface d1
 match ip address 1
!
route-map LL permit 10
 match interface s0/1
 match ip address 1
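
The difference between the first draft of ACL 140 at the top of the thread (where "permit ip any any" comes first, so the deny lines below it are never evaluated) and the working deny-100 / permit-200 route-map above comes down to two IOS rules: an ACL is evaluated top-down and the first matching entry decides, with an implicit deny at the end, and route-map clauses are walked in sequence order, where a packet that matches a deny clause is simply left to the routing table and a permit clause hands it to the first interface in its "set interface" list that is up. The Python below is an added example, not code from this thread or from Cisco, that simulates exactly those two rules and runs both configurations against constructed packets. The prefixes 196.11.22.0, 216.33.44.0 and 41.0.0.0 are constructed stand-ins for the redacted 196.x.x.0, 216.x.x.0 and "SA National" x.x.x.x entries, and 203.0.113.9 is a constructed "international" destination; interface state is a plain up/down flag you pass in. That flag matters for the failover question earlier in the thread: a Dialer interface normally reports up/up even with no session active, so a "set interface Dialer1" entry is not on its own a liveness check, and the simulator makes that state explicit so the fallback order can be seen.

```python
"""Simulate Cisco IOS first-match ACL evaluation and route-map PBR clause processing
(added example, not code from the thread)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # 'permit' or 'deny'
    proto: str    # 'ip' matches any protocol; 'tcp'/'udp' match only that protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', so 0.0.0.63 covers 64 addresses."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if toks[0] == "any":
        return "0.0.0.0", "255.255.255.255", toks[1:]
    if toks[0] == "host":
        return toks[1], "0.0.0.0", toks[2:]
    return toks[0], toks[1], toks[2:]


def parse_acl(lines):
    """Parse extended numbered ACL lines into {number: [Ace, ...]} in config order.
    Remarks are skipped and anything after the destination (ports etc.) is ignored."""
    acls = {}
    for line in lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        src, src_wc, rest = _parse_addr(toks[4:])
        dst, dst_wc, _ = _parse_addr(rest)
        acls.setdefault(int(toks[1]), []).append(Ace(toks[2], toks[3], src, src_wc, dst, dst_wc))
    return acls


def acl_result(aces, pkt):
    """The first matching entry decides; no match means the implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", pkt.proto) and wildcard_match(pkt.src, ace.src, ace.src_wc) \
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def policy_route(clauses, acls, link_up, pkt):
    """Walk route-map clauses in sequence order. A packet permitted by the ACL of a 'deny'
    clause, or matching no clause, keeps normal routing. A 'permit' clause sends it to the
    first interface of its set list that is up; if none is up it also keeps normal routing."""
    for action, acl_number, interfaces in clauses:
        if acl_result(acls.get(acl_number, []), pkt) != "permit":
            continue
        if action == "permit":
            for iface in interfaces:
                if link_up.get(iface, False):
                    return iface
        return "routing-table"
    return "routing-table"


# Constructed stand-ins for the redacted prefixes on the page; not the poster's real ranges.
INTERNAL_A, INTERNAL_B, NATIONAL = "196.11.22.0", "216.33.44.0", "41.0.0.0"

# First draft: 'permit ip any any' is evaluated first, so the deny lines are never reached.
FIRST_DRAFT_ACL = [
    "access-list 140 permit ip any any",
    f"access-list 140 deny tcp host 192.168.196.2 {INTERNAL_A} 0.0.0.63 any",
    f"access-list 140 deny tcp host 192.168.196.2 {INTERNAL_B} 0.0.0.255 any",
]
FIRST_DRAFT_MAP = [("permit", 140, ["dialer1", "serial0/0"])]

# Working config: ACL 140 lists the traffic to exclude and the deny clause ahead of the
# permit clause keeps it on the routing table; ACL 142 selects what is policy-routed.
WORKING_ACL = [
    f"access-list 140 permit ip host 192.168.80.2 {INTERNAL_A} 0.0.0.63",
    f"access-list 140 permit ip host 192.168.80.2 {INTERNAL_B} 0.0.0.255",
    "access-list 140 remark *** Our internal IP address ranges",
    "access-list 142 remark **** SA National IP addresses",
    f"access-list 142 permit ip host 192.168.80.2 {NATIONAL} 0.255.255.255",
]
WORKING_MAP = [("deny", 140, []), ("permit", 142, ["Dialer1", "Serial0/1"])]


def first_draft_decision(pkt, link_up=None):
    """Where the first-draft route-map sends a packet (both links up unless told otherwise)."""
    state = {"dialer1": True, "serial0/0": True} if link_up is None else link_up
    return policy_route(FIRST_DRAFT_MAP, parse_acl(FIRST_DRAFT_ACL), state, pkt)


def working_decision(pkt, link_up=None):
    """Where the working deny-100 / permit-200 route-map sends a packet."""
    state = {"Dialer1": True, "Serial0/1": True} if link_up is None else link_up
    return policy_route(WORKING_MAP, parse_acl(WORKING_ACL), state, pkt)
```

Running first_draft_decision on a packet from 192.168.196.2 to an address inside the excluded 196.x.x.0/26 range returns "dialer1", as does a packet from any other host to any destination: the first draft policy-routes everything. With working_decision the same excluded destination returns "routing-table", a national destination returns "Dialer1", the same packet with Dialer1 marked down returns "Serial0/1", and an international destination or a packet from a host other than the cache engine falls through to "routing-table" because ACL 142 only permits that one source.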

Hi there,

Just a little update..

I think this route-map could be better for you...:

!

route-map adsl-redirect permit 200
 description *** Match on these will be policy-routed to the given interfaces
 description *** SA National Traffic only
 match ip address 142
 set ip next-hop dynamic dhcp
 set interface Serial0/1
!

Then it would use the DHCP-provided gateway if possible, if not it would route it out the Serial0/1 interface (this is because of the order of processing of the set-commands).

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804461f7.html#wp1131416

But you would need at least 12.3(2)XE or 12.3(8)T to use this feature.

We have made some changes to the way the network will be configured.

We have added another lease line to the picture that is the same speed as the previous one..

This new lease line will be on S0/0 and will go to another upstream provider. I will have to NAT on our router at the upstream provider (where we have a colo cabinet) since we are not currently running BGP for our ip space.

Which one of these would be best based on the config below.

Should we try to load balance this traffic equally across the links?

ip route 0.0.0.0 0.0.0.0 s0/1
ip route 0.0.0.0 0.0.0.0 s0/0

If so, would I need to reverse engineer my configuration below to prevent any normal traffic from being misdirected?

Or is it possible to have the specified traffic below use the primary route until the 5-minute (or other specified period) utilization exceeds a preset level, and then load balance?

The major flaw I have seen so far is any https traffic is not being cached. I have set the following on the cache engine.

https destination-port deny all
https destination-port allow 443

What are my options at this point to get the most BW for my money. The link to our colo is billed per mb used, but we mainly need it for bursting due to browsing.

**** Start Current Config ****

access-list 140 permit ip host 192.168.80.2 196.x.x.0 0.0.0.63
access-list 140 permit ip host 192.168.80.2 216.x.x.0 0.0.0.255
access-list 140 remark *** Our internal IP address ranges
!
access-list 142 remark **** SA National IP addresses
access-list 142 permit ip host 192.168.80.2 x.x.x.x
******** about 4M total ip addresses or about 20 lines in config
!
ip nat inside source route-map ADSL interface d1 overload
ip nat inside source route-map LL interface s0/1 overload
!
route-map adsl-redirect deny 100
 description *** Match on these will use regular routing table
 match ip address 140
!
route-map adsl-redirect permit 200
 description *** Match on these will be policy-routed to the given interfaces
 description *** SA National Traffic only
 match ip address 142
 set interface Dialer1 Serial0/1
!
int eth0/0
 ip policy route-map adsl-redirect
 ip wccp web-cache redirect in
!
route-map ADSL permit 10
 match interface d1
 match ip address 1
!
route-map LL permit 10
 match interface s0/1
 match ip address 1

**** End Current Config ****

Thanks

David
