06-25-2012 03:55 AM - edited 03-07-2019 07:26 AM
Dear Support Team,
I have a 1941 router configured for policy-based routing with two ISPs.
Two static default routes are configured to point to the gateways of the respective ISPs with the same metric.
But the problem is, packets are going through one ISP only while doing a traceroute.
N/W connectivity:
ISP1 -----> |        | <----------> LAN1
            | Router |
ISP2 -----> |        | <----------> LAN2
Below is my configuration :
Current configuration : 5958 bytes
!
! Last configuration change at 05:18:56 UTC Mon Jun 25 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password XXXXX
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description GMRIT-VSNL-ISP-Connection
ip address 111.93.14.250 255.255.255.252
ip policy route-map VSNL-1
duplex auto
speed auto
!
interface GigabitEthernet0/1
description GMRIT-BSNL-ISP-CONNECTION
ip address 172.24.9.149 255.255.255.252
ip policy route-map BSNL-1
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 111.93.20.154 255.255.255.248
ip policy route-map VSNL
!
interface Vlan2
ip address 117.239.50.209 255.255.255.248
ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 112 permit ip any 111.93.20.152 0.0.0.7 log
access-list 113 permit ip any 117.239.50.208 0.0.0.7 log
!
route-map VSNL permit 10
match ip address 110
set default interface GigabitEthernet0/0
!
route-map BSNL-1 permit 5
match ip address 111
set ip default next-hop 172.24.9.150
!
route-map BSNL-1 permit 10
match ip address 113
set default interface Vlan2
!
route-map BSNL permit 10
match ip address 111
set default interface GigabitEthernet0/1
!
route-map VSNL-1 permit 5
match ip address 110
set ip default next-hop 111.93.14.249
!
route-map VSNL-1 permit 10
match ip address 112
set default interface Vlan1
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
password gmrit@123
login
transport input none
line vty 5 15
exec-timeout 0 0
privilege level 15
password gmrit@123
login
transport input telnet ssh
!
scheduler allocate 20000 1000
end
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 110
Set clauses:
default interface GigabitEthernet0/0
Policy routing matches: 1720296 packets, 207823775 bytes
route-map BSNL-1, permit, sequence 5
Match clauses:
ip address (access-lists): 111
Set clauses:
ip default next-hop 172.24.9.150
Policy routing matches: 790 packets, 1103956 bytes
route-map BSNL-1, permit, sequence 10
Match clauses:
ip address (access-lists): 113
Set clauses:
default interface Vlan2
Policy routing matches: 615 packets, 39086 bytes
route-map BSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 111
Set clauses:
default interface GigabitEthernet0/1
Policy routing matches: 9583 packets, 914281 bytes
route-map VSNL-1, permit, sequence 5
Match clauses:
ip address (access-lists): 110
Set clauses:
ip default next-hop 111.93.14.249
Policy routing matches: 1724 packets, 1104143 bytes
route-map VSNL-1, permit, sequence 10
Match clauses:
ip address (access-lists): 112
Set clauses:
default interface Vlan1
Policy routing matches: 2294332 packets, 1914372311 bytes
GMRIT-WAN-GATEWAY#
Please help me to solve this issue.
Cheers,
Janardhan
06-29-2012 06:59 AM
Hi,
Can you get rid of these? They have no use.
ip route 111.93.14.249 255.255.255.255 GigabitEthernet0/0
ip route 172.24.9.150 255.255.255.255 GigabitEthernet0/1
and post the output from debug ip policy when pinging from each vlan
Regards.
Alain.
Don't forget to rate helpful posts.
06-25-2012 04:48 AM
Hi Janardhan,
Where are you doing the trace from (source IP, interface, etc.)?
Also, what is the purpose of the route-map statements pointing to the VLAN interfaces when the route-map within the VLAN interfaces points to the same destination as the first statement within each Gigabit Ethernet interface?
Regards,
Nate
06-25-2012 04:57 AM
HI Nate,
I am tracing from Local LAN( 2 separate N/Ws) systems.
It is not the same policy applied on the VLAN interfaces; it is the reverse policy. When packets come from the outside to a specific destination inside the router, they will use this policy.
Cheers,
Janardhan
06-25-2012 05:25 AM
Ok, so you're doing a traceroute from which network (please include the network/mask)? Also, when you do a traceroute, can you give us the first few hops? Third question is, are you trying to change the way traffic leaves, enters, or both?
Also, the ACL's in your route-map statements, do you see any logs incrementing, indicating that the ACL's are working?
06-25-2012 05:38 AM
HI John,
I have two ISPs with 6 and 2 Mbps respectively. If I configure two default routes with the same metric, then mostly all packets are taking the ISP with 2 Mbps and sometimes it's going to the 6 Mbps one. So what I understood is that it is not in our control.
My router has 4 FastEthernet switch interfaces. So, I configured 2 VLANs with public IPs of ISP1 and ISP2. Switches are connected separately from these interfaces.
ACL hit count output:
Extended IP access list 110
10 permit ip 111.93.20.152 0.0.0.7 any log (2305698 matches)
Extended IP access list 111
10 permit ip 117.239.50.208 0.0.0.7 any log (10122 matches)
20 deny ip any any log (64836 matches)
Extended IP access list 112
10 permit ip any 111.93.20.152 0.0.0.7 log (7788365 matches)
Extended IP access list 113
10 permit ip any 117.239.50.208 0.0.0.7 log (847 matches)
Cheers,
Janardhan
06-25-2012 06:03 AM
HI,
Even after configuring route-maps, all traffic is working through the default routes only.
If I change the metric in the default route, it's taking the best route from the routing table.
Regards,
Janardhan
06-25-2012 06:42 AM
Well, if you have two default routes with the same AD and metric value, they will attempt to load balance, I would think. In this way, the LB mechanism will be determined by your switching method, such as process switching, fast forwarding, and/or CEF. I would expect you're most likely running CEF. If this is the case, I believe it will load balance by destination address by default. But, yes, if you change the metric value of one, the better one will be installed in the routing table, and will be the only default route used.
I don't think you will need the following.
access-list 112 permit ip any 111.93.20.152 0.0.0.7 log
access-list 113 permit ip any 117.239.50.208 0.0.0.7 log
I would just use these.
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
route-map VSNL-1 permit 5
match ip address 110
set ip next-hop 111.93.14.249
route-map BSNL permit 10
match ip address 111
set ip next-hop 172.24.9.150
I would only apply those route-maps to the interface vlan's.
Also, when it does the policy routing, and then says "Hey, I need to go to 111.93.14.249 because of this policy defined", it will then look that address up and notice there are 2 equal cost routes to get to that network and possibly your PBR wouldn't work properly.
I would configure 2 static /32 routes to the specific next hops.
such as
ip route 111.93.14.249 255.255.255.255 111.93.14.24
ip route 172.24.9.150 255.255.255.255 172.24.9.150
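As an added example, not code from the thread or from Cisco, the following Python script parses a running-config in the shape posted above and reports, for each interface carrying `ip policy route-map`, the chain interface -> route-map -> ACL -> set clause. It makes the two checks John's reply is about: whether the matched ACL actually permits the interface's own subnet as source, and whether each `set ip next-hop` / `set ip default next-hop` address sits on a directly connected subnet (if it does not, the router has to resolve it through the routing table, which is where equal-cost default routes interfere). The embedded SAMPLE_CONFIG is constructed for this example and only modelled on the configs in the thread: route-map BSNL sequence 10 uses `set ip default next-hop` and sequence 20 uses a made-up next hop (10.0.0.1) so that both checks have something to flag. It assumes numbered extended ACLs with a source/wildcard pair and relies on the one-space indentation IOS uses for sub-commands.

```python
import ipaddress

# Constructed sample modelled on the thread's final configuration, not the poster's
# exact running-config. BSNL seq 10 uses "set ip default next-hop"; BSNL seq 20 points
# at 10.0.0.1, a made-up address on no connected subnet, so both checks below fire.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 111.93.14.250 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 172.24.9.149 255.255.255.252
!
interface Vlan1
 ip address 111.93.20.154 255.255.255.248
 ip policy route-map VSNL
!
interface Vlan2
 ip address 117.239.50.209 255.255.255.248
 ip policy route-map BSNL
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 111 deny ip any any log
!
route-map VSNL permit 10
 match ip address 110
 set ip next-hop 111.93.14.249
!
route-map BSNL permit 10
 match ip address 111
 set ip default next-hop 172.24.9.150
!
route-map BSNL permit 20
 match ip address 111
 set ip next-hop 10.0.0.1
"""

# IOS semantics of the two set clauses the thread switches between.
SET_SEMANTICS = {
    "next-hop": "PBR decides: forwarded to the next hop before any routing-table lookup",
    "default next-hop": "RIB decides first: next hop used only when the routing table has "
                        "no explicit route for the destination (a default route does not count)",
}


def parse_config(text):
    """Extract interfaces, numbered extended ACLs and route-maps from a running-config.
    Sub-commands are recognised by their leading space, as IOS prints them."""
    interfaces, acls, route_maps = {}, {}, {}
    ctx = None  # ("if", name) or ("rm", entry) while inside a block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        sub, line = raw.startswith(" "), raw.strip()
        parts = line.split()
        if not sub:
            ctx = None
            if parts[0] == "interface":
                interfaces[parts[1]] = {"net": None, "policy": None}
                ctx = ("if", parts[1])
            elif parts[0] == "route-map":
                entry = {"seq": int(parts[3]), "acl": None, "set_kind": None, "next_hop": None}
                route_maps.setdefault(parts[1], []).append(entry)
                ctx = ("rm", entry)
            elif parts[0] == "access-list" and len(parts) > 4 and parts[3] == "ip":
                # access-list <n> permit|deny ip <src> <wildcard>|any ...; the ipaddress
                # module accepts an IOS wildcard (host) mask directly after the slash
                src = "0.0.0.0/0" if parts[4] == "any" else f"{parts[4]}/{parts[5]}"
                acls.setdefault(parts[1], []).append((parts[2], ipaddress.ip_network(src)))
            continue
        if ctx is None:
            continue
        kind, obj = ctx
        if kind == "if" and line.startswith("ip address "):
            interfaces[obj]["net"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
        elif kind == "if" and line.startswith("ip policy route-map "):
            interfaces[obj]["policy"] = parts[-1]
        elif kind == "rm" and line.startswith("match ip address "):
            obj["acl"] = parts[-1]
        elif kind == "rm" and line.startswith("set ip default next-hop "):
            obj["set_kind"], obj["next_hop"] = "default next-hop", parts[-1]
        elif kind == "rm" and line.startswith("set ip next-hop "):
            obj["set_kind"], obj["next_hop"] = "next-hop", parts[-1]
    return interfaces, acls, route_maps


def audit_pbr(text):
    """One report entry per route-map sequence applied to a policy-routed interface."""
    interfaces, acls, route_maps = parse_config(text)
    connected = [i["net"] for i in interfaces.values() if i["net"] is not None]
    report = []
    for name, info in interfaces.items():
        if info["policy"] is None:
            continue
        for e in route_maps.get(info["policy"], []):
            permits = [net for action, net in acls.get(e["acl"], []) if action == "permit"]
            nh = ipaddress.ip_address(e["next_hop"]) if e["next_hop"] else None
            report.append({
                "interface": name, "route_map": info["policy"], "seq": e["seq"], "acl": e["acl"],
                # does the ACL permit the interface's own subnet as source?
                "source_covered": info["net"] is not None and any(info["net"].subnet_of(p) for p in permits),
                "set_kind": e["set_kind"], "next_hop": e["next_hop"],
                # is the next hop on a directly connected subnet (no RIB lookup needed)?
                "next_hop_connected": nh is not None and any(nh in c for c in connected),
                "meaning": SET_SEMANTICS.get(e["set_kind"], "no next hop set"),
            })
    return report


if __name__ == "__main__":
    for f in audit_pbr(SAMPLE_CONFIG):
        flag = "" if f["source_covered"] and f["next_hop_connected"] else "  <-- check"
        print(f"{f['interface']:<6} {f['route_map']} seq {f['seq']:<3} acl {f['acl']} "
              f"src-covered={f['source_covered']} {f['set_kind']} -> {f['next_hop']} "
              f"connected={f['next_hop_connected']}{flag}")
```

Feeding it a real `show running-config` works the same way; the script deliberately ignores `set default interface` and standard ACLs, so an entry with `set_kind` of None simply means the set clause is one it does not model.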
06-25-2012 07:36 AM
HI,
Can I remove the default routes?
Regards,
Janardhan
06-25-2012 07:42 AM
As long as the following networks are the only ones that will be transiting that router, then yes, you could.
111.93.20.154 255.255.255.248
117.239.50.209 255.255.255.248
Since your ACLs are saying all traffic from these two networks to ANY, then you shouldn't have any problems, since you're PBRing traffic from those two networks to specific ISPs.
But you know your network better than me, so I would just verify that's not going to bring any production workers down, and/or your ability to access these devices, while you are doing this.
06-25-2012 10:43 AM
Hi,
So, to access it from outside, I think I need to configure local PBR, right?
06-25-2012 10:56 AM
Local PBR will PBR traffic that is started directly from the switch itself, such as a TFTP upload of the configuration, etc.
ip policy route-map
ip local policy route-map
06-25-2012 01:00 PM
HI,
Will I lose connectivity to the router after removing the default route from the router?
Then what do I need to configure to keep connectivity from outside? (Generally I configure it from outside.)
06-25-2012 04:36 PM
You can leave the default routes and just add the static routes, they will take precedence. You shouldn't lose remote connectivity.
06-26-2012 01:29 AM
HI John,
Thanks for all your suggestions. Let me check what you have suggested.
Regards,
Janardhan
06-29-2012 04:39 AM
Hi John,
After applying your configuration, I am still facing the same issue.
Will you please help me solve this issue?
While tracing, it's using the ISPs without the policies that we defined.
My current configuration:
GMRIT-WAN-GATEWAY#sh run
Building configuration...
Current configuration : 5784 bytes
!
! Last configuration change at 10:57:11 UTC Fri Jun 29 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password gmrit@123
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1432443274
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1432443274
revocation-check none
rsakeypair TP-self-signed-1432443274
!
!
crypto pki certificate chain TP-self-signed-1432443274
certificate self-signed 01
30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343332 34343332 3734301E 170D3131 31323032 30393333
33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34333234
34333237 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D483 AD3634F1 8349C67B 7554F74E 6FF39064 25FAA8B6 4D5EBF2E 9D2C199A
DFD2C7F0 185D10DF 6791BA58 80CE9A5F ECCA5F08 45D34429 170FC24F 6AFA8C43
F1261CE9 541C8E64 6E2E2411 5DE5933B AFC788F4 6BB24CA0 D74AFF51 6E5D1194
5B8247AA 3E233EC8 F0EC5A77 C2EB933B 97627DE7 CCE77049 8A9AF3AF 98000825
1D1F0203 010001A3 8180307E 300F0603 551D1301 01FF0405 30030101 FF302B06
03551D11 04243022 8220474D 5249542D 57414E2D 47415445 5741592E 796F7572
646F6D61 696E2E63 6F6D301F 0603551D 23041830 168014E3 F006E059 661B2269
F18B4A47 6FEF6C30 87DF6030 1D060355 1D0E0416 0414E3F0 06E05966 1B2269F1
8B4A476F EF6C3087 DF60300D 06092A86 4886F70D 01010405 00038181 009E2659
C1010031 29DDAACD 6A5C6BC6 DC907082 F5D1CD61 F168B323 AAB542ED 5718A0B5
EF4E9BBB B910E39D 2DA63DC3 834A8AA5 9CF9BDD4 75317E95 C7FE19C7 467A1D3D
1827BDD7 E0D66AF1 445F2B2C E6EE7352 0CE476FF F132D86C 26DCA701 3CBDDACB
48FC5292 E8C135E1 90CEAF33 5876A07D 63BE9D80 08BEA784 BB8BF652 FD
quit
license udi pid CISCO1941/K9 sn XXXXXXX
!
!
username Nipun1 privilege 15 password 0 Nipun1
username gmrit privilege 15 secret 5 $1$vOh0$8GaLCjGKqbt./QU6VmSJl0
!
!
!
!
!
!
interface GigabitEthernet0/0
description GMRIT-VSNL-ISP-Connection
ip address 111.93.14.250 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description GMRIT-BSNL-ISP-CONNECTION
ip address 172.24.9.149 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 111.93.20.154 255.255.255.248
ip policy route-map VSNL
!
interface Vlan2
ip address 117.239.50.209 255.255.255.248
ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150 100
ip route 111.93.14.249 255.255.255.255 111.93.14.249
ip route 172.24.9.150 255.255.255.255 172.24.9.150
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 111 deny ip any any log
!
route-map VSNL permit 10
match ip address 110
set ip next-hop 111.93.14.249
!
route-map BSNL permit 10
match ip address 111
set ip next-hop 172.24.9.150
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
password XXXXXXX
login
transport input none
line vty 5 15
exec-timeout 0 0
privilege level 15
password XXXXXXX
login
transport input telnet ssh
!
scheduler allocate 20000 1000
end
GMRIT-WAN-GATEWAY#
Regards,
Janardhan