Policy Based Routing

paarlberg
Level 1

I want any traffic from 192.168.196.2 to be forced out over ADSL, then over a leased line if the ADSL is down. However, I don't want traffic from 192.168.196.2 to 196.x.x.0-63 or 216.x.x.0-255 to be included.

I will have to double check the format and usage for it to make sure it will work, but mainly the access lists and configuration below should meet the criteria above, right?

access-list 140 permit ip any any
access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any
access-list 140 deny tcp host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny tcp host 192.168.196.2 216.x.x.0 0.0.0.255 any

route-map adsl-redirect
 match ip address 140
 set interface dialer1 serial0/0

interface fa0/0
 ip policy route-map adsl-redirect

192.168.196.2 is a Cisco CE-505 Cache Engine.

I may also in the future want to define routes based on destination as well.

Thanks

David


cconroy
Level 1

Be careful with your ACL syntax and order. As listed all traffic will satisfy the first ACL line and pass (ip any any). Your second line has an erroneous "any". Your "deny" lines will only negate "tcp" traffic where your "permits" are allowing all "ip". I would list as follows -

access-list 140 deny ip host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny ip host 192.168.196.2 216.x.x.0 0.0.0.255 any
access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any

HTH !

Chris

amit-singh
Level 8

Hi,

Please correct the ACLs that are defined.

In this case the first line (access-list 140 permit ip any any) allows all of the IP traffic to pass through and thus defeats the purpose of defining the rest of the ACEs. The other ACEs will not match in this case, hence the PBR will not work.

The above first line (access-list 140 permit ip any any) should be used last.

access-list 140 permit ip any host 192.168.196.2 0.0.0.0 any
access-list 140 deny tcp host 192.168.196.2 196.x.x.0 0.0.0.63 any
access-list 140 deny tcp host 192.168.196.2 216.x.x.0 0.0.0.255 any
access-list 140 permit ip any any

Please use the following links :

http://www.cisco.com/warp/public/cc/techno/protocol/tech/plicy_wp.htm

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml

HTH,

-amit singh

Hi Amit,

If you are permitting all traffic in the access-list then all traffic will go via the ADSL link only.

Let me know if my assumption is correct?

Kannan.S.T.

st_kannan
Level 1

Hi,

I think the following configuration will fulfill your requirement.

interface fa0/0
 ip policy route-map adsl-redirect

route-map adsl-redirect permit 10
 match ip address 140
 set interface dialer1 serial0/0

route-map adsl-redirect permit 20

access-list 140 deny ip host 192.168.196.2 196.x.x.0 0.0.0.63
access-list 140 deny ip host 192.168.196.2 216.x.x.0 0.0.0.255
access-list 140 permit ip host 192.168.196.2 any

Policy Route Maps

If the statement is marked as permit and the packets do not meet the match criteria, then those packets are also forwarded through the normal routing channel.

So the traffic which is denied by the access-list will be routed by normal routing.

Kannan.S.T.

Hi Kannan,

You are right, still it would use the same link. I should have included the permit ip any any and also should have checked the ACEs properly.

Oops.. My mistake ;)

thanks,

-amit singh

paarlberg
Level 1

Thank you everyone. I will have to wait until the weekend before I can test since this is a live system. I currently have 2x 2600 routers and the cache engine between them on a switch. One of the 2600's is for the ADSL WIC and the other handles serial and ethernet only. So this would be a definite plus if I can get it to work.

I will let you know how it goes..

Thanks

David

paarlberg
Level 1

Just thought of something..

Wouldn't this config load balance (for lack of better term) across the dialer1 and serial0/0?

route-map adsl-redirect
 match ip address 140
 set interface dialer1 serial0/0

I would probably want something like this instead to have a primary and a failover..

route-map adsl-redirect
 match ip address 140
 set interface dialer1
 set interface serial0/0 10

Or am I looking at it wrong?

Thanks

David

David

Your first version is what you want. It will not load balance (it will not use both alternately). It will try to set the outbound interface to the first alternative and if it is not available it will set to the second alternative.

HTH

Rick


Thanks..

Was just thinking about the normal default routes, like the following, as they would route equally across the links..

ip route 0.0.0.0 0.0.0.0 s0/0
ip route 0.0.0.0 0.0.0.0 s0/1

vs

ip route 0.0.0.0 0.0.0.0 s0/0
ip route 0.0.0.0 0.0.0.0 s0/1 10

With that in mind, if I wanted to use a load sharing solution (since it is behind NAT). How would that be accomplished easily? (maybe should have left the last word out)

Thanks

NAT translation will fail.

When NATing, inbound and outbound traffic should use the same router.

Jeff

I tried several of these options. All failed so far.

The problem appears to be that the traffic from the cache engine is not being allowed to return to the client after the request has been handled by the cache engine. I am not sure if it is due to the access-lists or not.

Maybe I need to rephrase my need..

I want the cache engine to be able to pull traffic from the ADSL link as the primary route. However, any traffic that originates from another host on the network will use the default route of the network.

I hope this makes sense.

Thanks

David

johansens
Level 4

Given that your ADSL-connection is reachable over the Dialer1 interface, the leased-line is over the serial0/0 interface and the CE-505 is connected to the Fa0/0 interface, the following should work:

access-list 140 permit ip host 192.168.196.2 196.x.x.0 0.0.0.63
access-list 140 permit ip host 192.168.196.2 216.x.x.0 0.0.0.255
access-list 141 permit ip host 192.168.196.2 any
!
route-map adsl-redirect deny 100
 description *** Match on these will use regular routing table
 match ip address 140
!
route-map adsl-redirect permit 200
 description *** Match on these will be policy-routed to the given interfaces
 match ip address 141
 set interface Dialer1 Serial0/0
!
! There is an implicit deny at the end of the route-map which sends everything which didn't match in the route-map statements to the regular routing decision.
!
interface FastEthernet0/0
 description *** This is the inside interface, where the CE-505 is connected
 ip policy route-map adsl-redirect
!

Now the only problem would be where your clients are located and how they connect to the CE-505. Depending on the layout, the access-lists may have to be tuned a little and/or more route-map statements made.
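To see why the ACE order matters (cconroy's point above) and how the deny 100 / permit 200 route-map hands the excluded destinations back to the routing table, here is an added Python model of IOS first-match ACL and route-map semantics; it is not from the thread or from Cisco. The excluded prefixes are constructed stand-ins (198.51.100.0/26 and 203.0.113.0/24) for the masked 196.x.x.0 and 216.x.x.0 ranges, and the protocol field of an ACE is not modelled.

```python
import ipaddress

# Constructed stand-ins: documentation ranges replace the thread's masked 196.x.x.0/26 and 216.x.x.0/24
CE = "192.168.196.2"                              # the CE-505 cache engine, from the thread
EXCL_A, EXCL_B = "198.51.100.0", "203.0.113.0"
HOST = "0.0.0.0"                                  # wildcard for "host X"
ANY = ("0.0.0.0", "255.255.255.255")              # IOS "any"

def _wild_match(addr, net_wild):
    # IOS wildcard bits: 0 = must match, 1 = don't care (protocol field not modelled)
    net, wild = net_wild
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)

def acl_lookup(acl, src, dst):
    """acl is a list of (action, (src_net, wild), (dst_net, wild)); first match wins,
    and an ACL ends in an implicit deny."""
    for action, src_nw, dst_nw in acl:
        if _wild_match(src, src_nw) and _wild_match(dst, dst_nw):
            return action
    return "deny"

def policy_route(route_map, acls, src, dst):
    """Walk (seq_action, acl_name, set_interface) sequences in order. A permit
    sequence whose ACL permits the packet applies its set clause; a matching deny
    sequence, or no match at all, hands the packet to the normal routing table."""
    for seq_action, acl_name, set_if in route_map:
        if acl_lookup(acls[acl_name], src, dst) == "permit":
            return set_if if seq_action == "permit" else "normal-routing"
    return "normal-routing"

# The original post: 'permit ip any any' comes first, so the deny lines are never consulted
ORIGINAL = {"140": [("permit", ANY, ANY),
                    ("deny", (CE, HOST), (EXCL_A, "0.0.0.63")),
                    ("deny", (CE, HOST), (EXCL_B, "0.0.0.255"))]}
ORIGINAL_MAP = [("permit", "140", "Dialer1")]

# johansens' version: exclusions in a deny sequence, all other CE traffic in a permit sequence
FIXED = {"140": [("permit", (CE, HOST), (EXCL_A, "0.0.0.63")),
                 ("permit", (CE, HOST), (EXCL_B, "0.0.0.255"))],
         "141": [("permit", (CE, HOST), ANY)]}
FIXED_MAP = [("deny", "140", None), ("permit", "141", "Dialer1")]

if __name__ == "__main__":
    for src, dst in [(CE, "192.0.2.1"), (CE, "198.51.100.10"), ("192.168.196.50", "192.0.2.1")]:
        print(f"{src} -> {dst}: original={policy_route(ORIGINAL_MAP, ORIGINAL, src, dst)}"
              f" fixed={policy_route(FIXED_MAP, FIXED, src, dst)}")
```

Running it shows every packet, including those from other hosts and the excluded destinations, landing on Dialer1 under the original ACL, while the fixed version policy-routes only the cache engine's non-excluded traffic.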

Ok... Here is my layout.

I have a 2610 with a WIC-2T and WIC-1ADSL:

S0/0: Link to site B PoP
S0/1: Link to primary leased line (ISP)
Dialer1: Link to ADSL provider (PPPoE w/ DHCP)
Eth0/0: Local network, cache engine and some clients

I have just seen something very weird. The CE-550 is on a private IP 192.168.80.2 connected to a Cisco Switch and then to the 2610 router. The IP address for the CE is behind NAT on both the S0/1 and Di1 interfaces. Someone in China is using it as an open proxy and I can't find how they are getting to it. Is there an easy way to allow only certain traffic to go to the CE? Would this be on the CE itself?

I have the same config at site b and I have not had any problems with security there since moving the CE behind NAT.

I like the config that you have, will give it a shot now. I have 4 hours to configure and test before clients come online again.

Thanks

David

I just tried this; unfortunately, it is not using the Dialer1 interface.

Could this be due to the fact that the source address is in the "route-map adsl-redirect deny 100" list?

It should go to the cache engine due to the external interface having the "ip wccp web-cache redirect out" command entered.

I have tried several of the "what is my IP" sites on site B and it always shows the real system IP and any dialer and proxy IP addresses. This only shows the real and the external serial interface address.

Site B is using a dual router configuration to handle this, but I would prefer not to have to do that at every site that will have a CE.

Thanks

David
