1520 Views, 0 Helpful, 15 Replies

Cisco 3945 Policy Based Routing

max-sandoval
Level 1

I have a Cisco 3945; it has two DS3 lines on it which I would like to treat independently of each other.

I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet. But since the router is configured with one static route, GIG 0/1 can't be pinged from the outside.

Any help would be greatly appreciated.

This is my current config:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MOVLABT3-CA-ES
!
boot-start-marker
boot-end-marker
!
card type t3 1
card type t3 2
enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1015775704
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1015775704
 revocation-check none
 rsakeypair TP-self-signed-1015775704
!
crypto pki certificate chain TP-self-signed-1015775704
 certificate self-signed 01
  quit
license udi pid C3900-SPE150/K9 sn FOC16313DE8
hw-module sm 1
!
hw-module sm 2
!
controller T3 1/0
 cablelength 75
!
controller T3 2/0
 cablelength 75
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 207.168.4.49 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 206.135.120.114 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 206.135.100.202 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 dsu bandwidth 44210
!
interface Serial2/0
 ip address 205.214.40.6 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dsu bandwidth 44210
!
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 206.135.100.201
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
snmp-server community RO-N1mS0ft RO
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end


15 Replies

Jon Marshall
Hall of Fame

So what do you want to do, i.e. send traffic from gi0/1 via the other link?

If so -

ip local policy route-map PBR
access-list 101 permit ip host 206.135.120.114 any
route-map PBR permit 10
 match ip address 101
 set ip next-hop 205.214.40.5

but I am not sure this is exactly what you want. Can you clarify?

Jon

I'd like to keep

gig 0/0 routed to serial 1/0

gig 0/1 routed to serial 2/0

Yes, but do you mean traffic coming into gi0/0 and gi0/1 from internal LAN clients?

The configuration I supplied only applies to traffic generated by the router, i.e. your ping goes to the gi0/1 interface and then the router sends a response.

But for traffic through the router, i.e. from clients inside the gi0/0 and gi0/1 interfaces, the configuration does nothing. Usually PBR is used for traffic passing through the router, not traffic generated by the router itself.

One further point. You have public IPs on your gi0/0 and gi0/1 interfaces. Is this really what you want? If so, why do you have "ip nat inside" configured on them, i.e. there is no need to NAT because they are public IPs anyway. That said, you have no NAT statements so nothing is being translated anyway.

So can you clarify exactly what you want to achieve in terms of traffic and explain the NAT setup; then we should be able to give you a solution.

Jon

NAT I took away; I just forgot to remove it from the independent interfaces.

To answer the question:

Internet traffic coming in or going out via gi0/0 to internal LAN clients through an independent path.

Internet traffic coming in or going out via gi0/1 to internal LAN clients through an independent path.

Since each has its own bank of public addresses, the NAT is going away; there is no need to have it there, I won't be doing any NATing.

The following configuration replaces the one I sent before -

int gi0/1
 ip policy route-map PBR
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
route-map PBR permit 10
 match ip address 101
 set ip next-hop 205.214.40.5

The above will send all traffic entering gi0/1 out via s2/0.

If you also want to be able to ping gi0/1 from the internet, just add this line:

ip local policy route-map PBR

You only need PBR for the gi0/1 interface; all other traffic will be sent using the default route. Note that there is no checking whether the next hop is up, either with the default route or the PBR next hop. If you want failover then you would need to add IP SLA config to achieve this.

Jon
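To make the difference between the interface policy and the local policy concrete, here is an added Python model of the forwarding decision the router in this thread makes; it is not Cisco code and not from the thread. The routes, ACL 101 and route-map PBR are taken from the posted configuration; the internet destination used in the examples is a constructed placeholder.

```python
import ipaddress

# Constructed model of the router in this thread: connected and static routes
# from the posted "show ip route", ACL 101 and route-map PBR. Added example,
# not Cisco code and not the poster's configuration.
ROUTES = [  # (prefix, next hop or None if directly connected, egress interface)
    ("0.0.0.0/0", "206.135.100.201", "Serial1/0"),  # ip route 0.0.0.0 0.0.0.0 206.135.100.201
    ("205.214.40.4/30", None, "Serial2/0"),
    ("206.135.100.200/30", None, "Serial1/0"),
    ("206.135.120.112/28", None, "GigabitEthernet0/1"),
    ("207.168.4.48/28", None, "GigabitEthernet0/0"),
]
# access-list 101 permit ip 206.135.120.112 0.0.0.15 any  (wildcard 0.0.0.15 is a /28)
ACL_101 = ipaddress.ip_network("206.135.120.112/28")
# route-map PBR permit 10 / match ip address 101 / set ip next-hop 205.214.40.5
PBR_NEXT_HOP = "205.214.40.5"


def fib_lookup(dst):
    """Longest-prefix match over ROUTES; returns (next_hop, egress_interface)."""
    best = None
    for prefix, next_hop, intf in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, intf)
    return best[1], best[2]


def forward(src, dst, ingress, local_policy=False, policy_ifaces=("GigabitEthernet0/1",)):
    """Decide where a packet goes. ingress is the arrival interface, or None for
    traffic the router generates itself (e.g. the echo reply when gi0/1 is pinged).

    'ip policy route-map PBR' on an interface policy-routes transit packets that
    arrive there; 'ip local policy route-map PBR' does the same for router-generated
    packets. Anything not policy-routed falls through to the normal FIB lookup.
    """
    if ingress is None:
        policy_applies = local_policy
    else:
        policy_applies = ingress in policy_ifaces
    if policy_applies and ipaddress.ip_address(src) in ACL_101:
        # The set next-hop must be resolvable; here it sits on connected Serial2/0.
        return PBR_NEXT_HOP, fib_lookup(PBR_NEXT_HOP)[1]
    return fib_lookup(dst)
```

Echo replies sourced from the gi0/1 address take the default route via Serial1/0 unless the local policy is attached; inbound requests still have to reach the router in the first place, which is the upstream routing question the rest of the thread turns on.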

This is what it looks like now, and I still can't ping gig 0/1 from the internet:

interface GigabitEthernet0/0
 ip address 207.168.4.49 255.255.255.240
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 206.135.120.114 255.255.255.240
 ip virtual-reassembly in
 ip policy route-map pbr
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 206.135.100.202 255.255.255.252
 ip virtual-reassembly in
 dsu bandwidth 44210
!
interface Serial2/0
 ip address 205.214.40.6 255.255.255.252
 ip virtual-reassembly in
 encapsulation ppp
 dsu bandwidth 44210
!
ip local policy route-map PBR
no ip classless
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 206.135.100.201
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
!
route-map pbr permit 10
 match ip address 101
 set ip next-hop 205.214.40.5
!
snmp-server community RO-N1mS0ft RO
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

I have just done a traceroute to the gi0/1 IP address and it never gets to your router, i.e. there is a routing loop within one of the ISPs.

Are you sure the subnet associated with gi0/1 is being routed to the s2/0 interface by the ISP who owns that block?

Jon

Yes, I am sure.

Attached is the traceroute I did. It is not getting to your router.

Jon

I just called the supplier and verified the IP addresses:

GW 206.135.120.113
usable 114-126

114 is being used on int gig 0/1.

There is only one static route, which is seen by Ser 1/0:

ip route 0.0.0.0 0.0.0.0 206.135.100.201

but Ser 2/0, which is attached to gig 0/1, is not being seen from the outside.

Jon Marshall
Hall of Fame

I just called the supplier and verified the IP addresses

GW 206.135.120.113

usable 114-126

What do you mean by the bit in bold? Does the supplier know that this IP block is sitting behind a serial interface with a different IP address?

I think your supplier is using the address in bold as their end of the connection. But that won't work because you have used this IP block on your internal gi0/1 interface.

Is the link via s2/0 provided by the same supplier who owns the above subnet? If so, they need to be sending any traffic for that subnet to the s2/0 interface. They are obviously not, going by the traceroute I posted.

If the s2/0 link is provided by the same supplier as the gi0/1 IP address block, you need to talk to them and tell them what your setup is.

If the s2/0 link is owned by a different supplier, then can you please explain exactly who owns what?

The basic problem is that the gi0/1 subnet is not being sent to your router from the internet. There is nothing you can do on the router until you get that sorted out.

Jon

While I wait for the provider, I'll provide a show ip command:

Gateway of last resort is 206.135.100.201 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 206.135.100.201
      205.214.40.0/24 is variably subnetted, 3 subnets, 2 masks
C        205.214.40.4/30 is directly connected, Serial2/0
C        205.214.40.5/32 is directly connected, Serial2/0
L        205.214.40.6/32 is directly connected, Serial2/0
      206.135.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        206.135.100.200/30 is directly connected, Serial1/0
L        206.135.100.202/32 is directly connected, Serial1/0
      206.135.120.0/24 is variably subnetted, 2 subnets, 2 masks
C        206.135.120.112/28 is directly connected, GigabitEthernet0/1
L        206.135.120.114/32 is directly connected, GigabitEthernet0/1
      207.168.4.0/24 is variably subnetted, 2 subnets, 2 masks
C        207.168.4.48/28 is directly connected, GigabitEthernet0/0
L        207.168.4.49/32 is directly connected, GigabitEthernet0/0

Also a sh route-map:

route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop 205.214.40.5
  Policy routing matches: 1 packets, 44 bytes

My question would be, to resolve the issue of having

Gateway of last resort is 206.135.100.201 to network 0.0.0.0

do I apply the route map to both interfaces instead of having a static route on just one interface and not the other?

Just trying to understand more about what I am doing or what's going on.

It doesn't matter what you do on the router; until that network is routed to your s2/0 interface there is nothing you can do to get this working.

Using PBR for both links would make no difference and would just complicate the configuration.

Jon
