06-14-2005 06:47 AM - edited 03-03-2019 09:48 AM
I want any traffic from 192.168.196.2 to be forced out over ADSL
then over a lease line if the ADSL is down. However, I don't want traffic
from 192.168.196.2 to 196.x.x.0-63 or 216.x.x.0-255 to be included..
I will have to double check the format and usage for it to make sure it will
work.. but mainly the access lists and configuration below should meet the
criteria above.. right?
access-list 140 permit ip any any
access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any
access-list 140 deny tcp host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny tcp host 192.168.196.2 216.x.x.0 0.0.0.255 any
route-map adsl-redirect
match ip address 140
set interface dialer1 serial0/0
interface fa0/0
ip policy route-map adsl-redirect
192.168.196.2 is a Cisco CE-505 Cache Engine.
I may also in the future want to define routes based on destination as well.
Thanks
David
06-19-2005 06:59 PM
I forgot to issue a "no" command on the set interface when I was testing. It added everything to the end instead of replacing.
So far so good... I finally have this headache sorted. I think ;-)
Thanks to all that provided feedback..
David
06-19-2005 07:16 PM
Found one little glitch..
I shutdown the WIC-1ADSL to see if the routing would go to the serial interface and it did not. Do I need to set some kind of time out for the failover?
Thanks
David
06-19-2005 08:40 PM
Are you using dialer 1 or the ATM sub-interface for the ADSL?
How do you "shutdown the WIC-1ADSL"? Did you do a shutdown in the ATM interface or dialer interface? Or unplug cables?
06-19-2005 08:52 PM
I issued the following..
int atm0/0
shut
int di1
shut
I made sure that the dialer had disconnected and the ATM interface was down before testing..
It still tried to go out via the dialer1 interface. I was watching the IP NAT T details to see what happened. I even did the following to make sure that the nat translations were done.
clear ip nat t f
I have 2 access list for the NAT.
acl 1
acl 2
both are configured for the cache engine's subnet. 1 is used for the dialer and 1 for the serial link.
06-20-2005 05:45 AM
Hmm.. do you have a 'fixed' next-hop address on the ADSL-PPPoE link? I.e. do you get the same gateway-address each time you logon? If so, you could use the IP-addresses in the route-map instead as this feature will check for the routes to exist (they have to be adjacent) before doing the routing:
route-map adsl-redirect permit 200
match ip address 141
set ip next-hop a.a.a.a b.b.b.b
!
Where a.a.a.a is the gateway-address (upstream-router) on the ADSL and b.b.b.b is the same on the leased line.
btw: if you have some more specific routes in the router which you want the CE-5050 to reach.. you could also modify the "set"-statement to this:
set ip default next-hop a.a.a.a b.b.b.b
Then it would only modify the default-route for the matched packets.. and use the routing-table for all specific routes.. :)
Check here for more info:
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml
And if you find any of the answers helpful, please use the "Rate this post" and also check which reply was the right answer.. this would help others in the future.. :)
06-20-2005 05:59 AM
Unfortunately, the local Telkom (monopoly) in South Africa implements a 3G per month usage cap and then the international speeds drop to sub-dialup speeds. Once that is hit the IP range and gw are changed. I could just use the ADSL for national only traffic to allow for higher national browsing speeds.
The info you provided has been very helpful, I believe I have some issues with NAT not moving to the second route in case of failure. I have disabled the route map completely and it is not defaulting back to the lease line..
Here is my NAT info
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Serial0/1 overload
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 2 permit 192.168.80.0 0.0.0.255
If I could secure which clients can access the CE, then I could put it on a public IP and eliminate one of the NAT statements and possible solve the problem.
Thanks
David
06-20-2005 11:06 PM
Did you try to use route-map in your nat statement?
e.g.
!
route-map ADSL permit 10
match interface d1
!
route-map LL permit 10
match interface s0/1
!
ip nat inside source route-map ADSL interface d1 overload
ip nat inside source route-map LL interface s0/1 overload
!
In this case, the source IP of all traffic going out of int d1 will be translated to the IP address of int d1, and similar case for int s0/1.
06-21-2005 05:32 AM
wouldn't that expose the cache engine to external sources?
06-22-2005 05:26 PM
This is working so far.. I am sending traffic to the national ip addresses over ADSL, and all international is over the lease line.
access-list 140 permit ip host 192.168.80.2 196.x.x.0 0.0.0.63
access-list 140 permit ip host 192.168.80.2 216.x.x.0 0.0.0.255
access-list 140 remark *** Our internal IP address ranges
!
access-list 142 remark **** SA National IP addresses
access-list 142 permit ip host 192.168.80.2 x.x.x.x
******** about 4M total ip addresses or about 20 lines in config
!
ip nat inside source route-map ADSL interface d1 overload
ip nat inside source route-map LL interface s0/1 overload
!
!
route-map adsl-redirect deny 100
description *** Match on these will use regular routing table
match ip address 140
!
route-map adsl-redirect permit 200
description *** Match on these will be policy-routed to the given interfaces
description *** SA National Traffic only
match ip address 142
set interface Dialer1 Serial0/1
!
int eth0/0
ip policy route-map adsl-redirect
ip wccp web-cache redirect in
!
route-map ADSL permit 10
match interface d1
match ip address 1
!
route-map LL permit 10
match interface s0/1
match ip address 1
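To check the matching rules this thread's configs depend on, here is an added Python model (not part of the thread and not IOS code) of top-down first-match ACL evaluation and of how a route-map's deny/permit sequences decide whether a packet is policy-routed. The thread's obfuscated 196.x.x.0, 216.x.x.0 and national ranges are replaced with constructed RFC 5737 documentation addresses.

```python
import ipaddress

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # An IOS wildcard is an inverted mask; ipaddress accepts it as a hostmask.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_ace(line):
    """Parse the 'access-list N permit|deny ip SRC DST' subset used in this thread."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _addr(tok[4:])
    dst, _ = _addr(rest)
    return tok[2], src, dst            # (action, source net, destination net)

def acl_lookup(aces, src, dst):
    """IOS ACL semantics: top-down, first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def policy_route(route_map, acls, src, dst):
    """PBR: the first sequence whose ACL *permits* the packet decides. A permit
    sequence applies its set target; a deny sequence, or no match at all, means
    the normal routing table. An ACL deny entry only means 'not matched here'."""
    for action, acl_id, target in route_map:
        if acl_lookup(acls[acl_id], src, dst) == "permit":
            return target if action == "permit" else "routing-table"
    return "routing-table"

# Constructed stand-ins (RFC 5737 documentation ranges) for the thread's x.x.x ranges.
FIRST_DRAFT = [parse_ace(l) for l in (
    "access-list 140 permit ip any any",   # first match wins: the deny is never reached
    "access-list 140 deny ip host 192.168.80.2 198.51.100.0 0.0.0.63",
)]
ACLS = {
    140: [parse_ace("access-list 140 permit ip host 192.168.80.2 198.51.100.0 0.0.0.63"),
          parse_ace("access-list 140 permit ip host 192.168.80.2 203.0.113.0 0.0.0.255")],
    142: [parse_ace("access-list 142 permit ip host 192.168.80.2 192.0.2.0 0.0.0.255")],
}
# (sequence action, matched ACL, set target), in the order IOS evaluates them
ADSL_REDIRECT = [("deny", 140, None), ("permit", 142, "Dialer1 -> Serial0/1")]
```

Running policy_route over the cache engine's traffic shows the internal ranges and any international destination falling back to the routing table, while only the national range is policy-routed; FIRST_DRAFT shows why a leading permit any any makes the later deny lines unreachable.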
06-25-2005 10:31 AM
Hi there,
Just a little update..
I think this route-map could be better for you...:
!
route-map adsl-redirect permit 200
description *** Match on these will be policy-routed to the given interfaces
description *** SA National Traffic only
match ip address 142
set ip next-hop dynamic dhcp
set interface Serial0/1
!
Then it would use the DHCP-provided gateway if possible, if not it would route it out the Serial0/1 interface (this is because of the order of processing of the set-commands).
But you would need at least 12.3(2)XE or 12.3(8)T to use this feature.
08-10-2005 08:56 AM
We have made some changes to the way the network will be configured.
We have added another lease line to the picture that is the same speed as the previous one..
This new lease line will be on S0/0 and will go to another upstream provider. I will have to NAT on our router at the upstream provider (where we have a colo cabinet) since we are not currently running BGP for our ip space.
Which one of these would be best based on the config below?
Should we try to load balance this traffic equally across the links?
ip route 0.0.0.0 0.0.0.0 s0/1
ip route 0.0.0.0 0.0.0.0 s0/0
If so, would I need to reverse engineer my configuration below to prevent any normal traffic from being misdirected?
Or is it possible to have the specified traffic below use the primary route until 5 minute (or other specified period) utilization exceeds a preset level and then load balance?
The major flaw I have seen so far is any https traffic is not being cached. I have set the following on the cache engine.
https destination-port deny all
https destination-port allow 443
What are my options at this point to get the most BW for my money? The link to our colo is billed per mb used, but we mainly need it for bursting due to browsing.
**** Start Current Config ****
access-list 140 permit ip host 192.168.80.2 196.x.x.0 0.0.0.63
access-list 140 permit ip host 192.168.80.2 216.x.x.0 0.0.0.255
access-list 140 remark *** Our internal IP address ranges
!
access-list 142 remark **** SA National IP addresses
access-list 142 permit ip host 192.168.80.2 x.x.x.x
******** about 4M total ip addresses or about 20 lines in config
!
ip nat inside source route-map ADSL interface d1 overload
ip nat inside source route-map LL interface s0/1 overload
!
!
route-map adsl-redirect deny 100
description *** Match on these will use regular routing table
match ip address 140
!
route-map adsl-redirect permit 200
description *** Match on these will be policy-routed to the given interfaces
description *** SA National Traffic only
match ip address 142
set interface Dialer1 Serial0/1
!
int eth0/0
ip policy route-map adsl-redirect
ip wccp web-cache redirect in
!
route-map ADSL permit 10
match interface d1
match ip address 1
!
route-map LL permit 10
match interface s0/1
match ip address 1
**** End Current Config ****
Thanks
David