
Cisco 877 Config static routing

eric

Dear all,
I am trying to set up my router to work as below. Can someone advise how I should go about it?

Cisco 877

Fa0(Vlan2) ---> WAN1 LINK Router

fa1(Vlan1) ---> Local Network{192.168.210.x}

fa2(Vlan3) ---> WAN2 LINK Router

fa3(vlan4) ---> WAN3 LINK Router

All traffic should be routed to WAN1 by default.

Except that destination IP 10.172.111.11 should be routed to WAN2

and destination IP 10.20.11.22 should be routed to WAN3.

For example, if a host on Vlan1 pings 10.20.11.22, it should be routed to WAN3,

and if it pings any other address, it will be routed to WAN1.


eric

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.210.1 192.168.210.50

!

ip dhcp pool LAN

   import all

   network 192.168.210.0 255.255.255.0

   default-router 192.168.210.1

   dns-server 165.21.83.88 8.8.8.8

   lease 0 2

!

!

no ip domain lookup

ip domain name yourdomain.com

ip name-server 165.21.83.88

ip name-server 8.8.8.8

!

multilink bundle-name authenticated

!

!

username admin privilege

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key ----- address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA1

!

!

archive

log config

  hidekeys

!

!

!

!

!

interface Tunnel0

bandwidth 1000

ip address 10.10.10.210 255.255.255.0

no ip redirects

ip mtu 1400

ip nhrp authentication DMVPN_NW

ip nhrp map multicast -----

ip nhrp map 10.10.10.1 ----

ip nhrp map 10.10.10.2 ---

ip nhrp map multicast ----

ip nhrp network-id 100000

ip nhrp holdtime 360

ip nhrp nhs 10.10.10.1

ip nhrp nhs 10.10.10.2

ip nhrp registration no-unique

ip tcp adjust-mss 1360

delay 1000

tunnel source Vlan2

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile CiscoCP_Profile1

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

!

interface FastEthernet0

switchport access vlan 2

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 3

!

interface FastEthernet3

switchport access vlan 4

!

interface Vlan1

description LocalLan

ip address 192.168.210.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Vlan2

description **wAN1***

ip address dhcp

ip nat outside

ip virtual-reassembly

!

interface Vlan3

description **wAN2***

ip address dhcp

ip nat outside

ip virtual-reassembly

!

interface Vlan4

description **WAN3***

ip address dhcp

ip nat outside

ip virtual-reassembly

!

interface Dialer0

no ip address

shutdown

!

router rip

version 2

network 10.0.0.0

network 192.168.210.0

no auto-summary

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Vlan2

ip route 10.20.11.2 255.255.255.255 vlan4

ip route 10.172.111.0 255.255.255.0 Vlan3

!

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip dns server

ip nat inside source list 1 interface Vlan2 overload

!

access-list 1 permit 192.168.210.0 0.0.0.255

no cdp run

!

!

!

!

control-plane

Any kind soul around to help? Thanks!

Hello Eric,

It seems to me that your configuration is almost correct. However, it is not appropriate to define static routes via exit multiaccess interfaces such as Ethernet without specifying the next hop IP address. This may, under circumstances, not work at all, or it may result in huge ARP traffic and overgrown ARP tables.

The slight "gotcha" in your case is caused by the use of DHCP on all your WAN interfaces. However, in that case, you may tell the router to use the DHCP-assigned gateway on the appropriate interface as the next hop IP address in that specific static route. So I suggest using the following modification:

no ip route 0.0.0.0 0.0.0.0 Vlan2

no ip route 10.20.11.2 255.255.255.255 vlan4

no ip route 10.172.111.0 255.255.255.0 Vlan3

ip route 0.0.0.0 0.0.0.0 vlan2 dhcp

ip route 10.20.11.2 255.255.255.255 vlan4 dhcp

ip route 10.172.111.11 255.255.255.255 vlan3 dhcp

Note that I have added the dhcp keyword into each static route, forcing the router to use the appropriate DHCP-obtained gateway on the particular interface for the next hop of this route. Also, I have corrected the route 10.172.111.0/24 into 10.172.111.11/32 per your original description (you did not talk about the entire network, just about a single IP address).

Can you test this out and let me know if it worked?

Best regards,

Peter

Hi Peter.

I have done as you mentioned.
From the Cisco 877 router I am able to ping 10.20.11.2 and 10.172.111.11.

But my host on Vlan1, e.g. 192.168.210.xx, is unable to reach the 2 addresses.

Do I need to set any ACL?

Sorry,

I added these 2 ACLs before my router was able to ping, but the users in Vlan1 are still unable to ping.

access-list 101 permit ip host 10.20.11.2 192.168.210.0 0.0.0.255

access-list 101 permit ip host 10.172.111.11 192.168.210.0 0.0.0.255

Hello Eric,

The NAT configuration in your case will have to be modified, so that packets exiting a particular WAN interface are NATted to the interface's particular IP address. Currently, they are all NATted to the Vlan2 interface IP address which is clearly incorrect if the packets are sent out the interface Vlan3 or Vlan4.

Please do not modify your ACL - put it back to the state it was originally. However, add these lines to your configuration:

no ip nat inside source list 1 interface Vlan2 overload

!

route-map Vlan2 permit 10

  match ip address 1

  match interface Vlan2

!

route-map Vlan3 permit 10

  match ip address 1

  match interface Vlan3

!

route-map Vlan4 permit 10

  match ip address 1

  match interface Vlan4

!

ip nat inside source route-map Vlan2 interface Vlan2 overload

ip nat inside source route-map Vlan3 interface Vlan3 overload

ip nat inside source route-map Vlan4 interface Vlan4 overload

Please give it a try and let us know if it worked for you. Thanks!

Best regards,

Peter
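
The NAT behaviour discussed in this reply, modelled as an added example that is not part of the original thread: it routes a Vlan1 host's packets with the thread's static routes and compares the original single NAT rule with the three route-map rules. The WAN addresses are constructed placeholders (the real ones are DHCP-assigned), and the function names are hypothetical.

```python
import ipaddress

# Static routes from the thread after the first fix: (prefix, egress interface).
ROUTES = [("0.0.0.0/0", "Vlan2"),
          ("10.20.11.2/32", "Vlan4"),
          ("10.172.111.11/32", "Vlan3")]

# Constructed placeholders: the real WAN addresses are DHCP-assigned.
WAN_ADDR = {"Vlan2": "198.51.100.2", "Vlan3": "203.0.113.3", "Vlan4": "192.0.2.4"}
INSIDE = ipaddress.ip_network("192.168.210.0/24")  # access-list 1

# NAT rules as (egress interface the rule requires, interface whose address is used).
NAT_ORIGINAL = [(None, "Vlan2")]  # list 1 interface Vlan2 overload: any egress
NAT_ROUTE_MAPS = [(ifc, ifc) for ifc in ("Vlan2", "Vlan3", "Vlan4")]  # match interface

def egress(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES
            if d in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def translate(src, dst, rules):
    """Return (egress interface, source address seen on the wire)."""
    out = egress(dst)
    if ipaddress.ip_address(src) in INSIDE:
        for required, pool in rules:
            if required in (None, out):
                return out, WAN_ADDR[pool]
    return out, src  # not matched by access-list 1: sent untranslated

def mismatched(rules, src="192.168.210.60"):
    """Flows whose translated source is not the egress interface's address."""
    bad = []
    for dst in ("8.8.8.8", "10.20.11.2", "10.172.111.11"):
        out, wire_src = translate(src, dst, rules)
        if wire_src != WAN_ADDR[out]:
            bad.append((dst, out, wire_src))
    return bad

if __name__ == "__main__":
    print("original NAT:", mismatched(NAT_ORIGINAL))
    print("route-map NAT:", mismatched(NAT_ROUTE_MAPS))
```

With the original rule, the two host routes leave Vlan4 and Vlan3 carrying the Vlan2 address; with the route-map rules every flow carries the address of the interface it exits.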
