
Reg: Policy based Routing with two Default Routes

Dear Support Team,

I have a 1941 router configured for policy-based routing with two ISPs.

Two static default routes are configured pointing to the gateways of the respective ISPs with the same metric.

But the problem is, packets are going through one ISP only while doing a traceroute.

Network connectivity:

ISP1 -----> |        | <-----> LAN 1
            | Router |
ISP2 -----> |        | <-----> LAN 2

Below is my configuration:

Current configuration : 5958 bytes
!
! Last configuration change at 05:18:56 UTC Mon Jun 25 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password XXXXX
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
interface GigabitEthernet0/0
 description GMRIT-VSNL-ISP-Connection
 ip address 111.93.14.250 255.255.255.252
 ip policy route-map VSNL-1
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description GMRIT-BSNL-ISP-CONNECTION
 ip address 172.24.9.149 255.255.255.252
 ip policy route-map BSNL-1
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
 switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 111.93.20.154 255.255.255.248
 ip policy route-map VSNL
!
interface Vlan2
 ip address 117.239.50.209 255.255.255.248
 ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 112 permit ip any 111.93.20.152 0.0.0.7 log
access-list 113 permit ip any 117.239.50.208 0.0.0.7 log
!
route-map VSNL permit 10
 match ip address 110
 set default interface GigabitEthernet0/0
!
route-map BSNL-1 permit 5
 match ip address 111
 set ip default next-hop 172.24.9.150
!
route-map BSNL-1 permit 10
 match ip address 113
 set default interface Vlan2
!
route-map BSNL permit 10
 match ip address 111
 set default interface GigabitEthernet0/1
!
route-map VSNL-1 permit 5
 match ip address 110
 set ip default next-hop 111.93.14.249
!
route-map VSNL-1 permit 10
 match ip address 112
 set default interface Vlan1
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password gmrit@123
 login
 transport input none
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 password gmrit@123
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    default interface GigabitEthernet0/0
  Policy routing matches: 1720296 packets, 207823775 bytes
route-map BSNL-1, permit, sequence 5
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    ip default next-hop 172.24.9.150
  Policy routing matches: 790 packets, 1103956 bytes
route-map BSNL-1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 113
  Set clauses:
    default interface Vlan2
  Policy routing matches: 615 packets, 39086 bytes
route-map BSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    default interface GigabitEthernet0/1
  Policy routing matches: 9583 packets, 914281 bytes
route-map VSNL-1, permit, sequence 5
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip default next-hop 111.93.14.249
  Policy routing matches: 1724 packets, 1104143 bytes
route-map VSNL-1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 112
  Set clauses:
    default interface Vlan1
  Policy routing matches: 2294332 packets, 1914372311 bytes
GMRIT-WAN-GATEWAY#

Please help me to solve this issue.

Cheers,

Janardhan



Accepted Solution

Hi,

Can you get rid of these? They have no use:

ip route 111.93.14.249 255.255.255.255 GigabitEthernet0/0
ip route 172.24.9.150 255.255.255.255 GigabitEthernet0/1

And post the output from debug ip policy when pinging from each VLAN.

Regards.

Alain.

Don't forget to rate helpful posts.


Hi Janardhan,

Where are you doing the trace from (source IP, interface, etc.)?

Also, what is the purpose of the route-map statements pointing to the VLAN interfaces when the route-map within the VLAN interfaces points to the same destination as the first statement within each Gigabit Ethernet interface?

Regards,

Nate

Hi Nate,

I am tracing from local LAN (2 separate networks) systems.

It is not the same policy applied on the VLAN interfaces; it is the reverse policy. When packets come from the outside to a specific destination inside the router, they will use this policy.

Cheers,

Janardhan

Ok, so you're doing a traceroute from which network (please include the network/mask)? Also, when you do a traceroute, can you give us the first few hops? Third question is, are you trying to change the way traffic leaves, enters, or both?

Also, the ACLs in your route-map statements: do you see any logs incrementing, indicating that the ACLs are working?

Hi John,

I have two ISPs with 6 and 2 Mbps respectively. If I configure two default routes with the same metric, then mostly all packets take the ISP with 2 Mbps and sometimes they go to the 6 Mbps one. So what I understood is that it is not in our control.

My router has 4 FastEthernet switch interfaces. So I configured 2 VLANs with public IPs of ISP1 and ISP2. Separate switches are connected to these interfaces.

ACL hit count output:

Extended IP access list 110
    10 permit ip 111.93.20.152 0.0.0.7 any log (2305698 matches)
Extended IP access list 111
    10 permit ip 117.239.50.208 0.0.0.7 any log (10122 matches)
    20 deny ip any any log (64836 matches)
Extended IP access list 112
    10 permit ip any 111.93.20.152 0.0.0.7 log (7788365 matches)
Extended IP access list 113
    10 permit ip any 117.239.50.208 0.0.0.7 log (847 matches)

Cheers,

Janardhan

Hi,

Even after configuring route-maps, all traffic is working through the default routes only.

If I change the metric in the default route, it takes the best route from the routing table.

Regards,

Janardhan

Well, if you have two default routes with the same AD and metric value, they will attempt to load balance, I would think. In this way, the LB mechanism will be determined by your switching method, such as process switching, fast forwarding, and/or CEF. I would expect you're most likely running CEF. If this is the case, I believe it will load balance by destination address by default. But, yes, if you change the metric value of one, the better one will be installed in the routing table, and will be the only default route used.

I don't think you will need the following.

access-list 112 permit ip any 111.93.20.152 0.0.0.7 log
access-list 113 permit ip any 117.239.50.208 0.0.0.7 log

I would just use these.

access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
!
route-map VSNL-1 permit 5
 match ip address 110
 set ip next-hop 111.93.14.249
!
route-map BSNL permit 10
 match ip address 111
 set ip next-hop 172.24.9.150

I would only apply those route-maps to the interface VLANs.

Also, when it does the policy routing, and then says "Hey, I need to go to 111.93.14.249 because of this policy defined" it will then look that address up and notice there are 2 equal cost routes to get to that network and possibly your PBR wouldn't work properly.

I would configure 2 static /32 routes to the specific next hops, such as:

ip route 111.93.14.249 255.255.255.255 111.93.14.249
ip route 172.24.9.150 255.255.255.255 172.24.9.150
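The difference between `set ip next-hop` and `set ip default next-hop`, and the per-destination sharing that two equal-cost default routes produce, can be modelled in a few lines. The following is an added example for this thread, not code from the original posts or from Cisco: it reimplements the IOS decision order (PBR clause first, then longest-prefix match in the RIB) over a routing table built from the addresses in this thread. The LAN hosts, the Internet destination and the hash used to stand in for CEF's load-sharing algorithm are constructed.

```python
"""Toy model of how IOS policy-based routing (PBR) interacts with the RIB.
Added example for this thread; not code from the original post or from
Cisco. Sample hosts and the load-sharing hash are constructed stand-ins.
"""
from ipaddress import ip_address, ip_network
import hashlib

# Routing table modelled on the thread's configuration: two equal-cost
# default routes plus the connected networks. Format: (prefix, next-hops).
RIB = [
    (ip_network("0.0.0.0/0"), ["111.93.14.249", "172.24.9.150"]),
    (ip_network("111.93.14.248/30"), ["connected Gi0/0"]),
    (ip_network("172.24.9.148/30"), ["connected Gi0/1"]),
    (ip_network("111.93.20.152/29"), ["connected Vlan1"]),
    (ip_network("117.239.50.208/29"), ["connected Vlan2"]),
]


def rib_lookup(dst):
    """Longest-prefix match; returns (prefix, list of equal-cost next-hops)."""
    addr = ip_address(dst)
    best = None
    for prefix, hops in RIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hops)
    return best


def cef_pick(src, dst, hops):
    """Per-destination load sharing: a given (src, dst) pair always takes the
    same path, but different pairs spread over the equal-cost next-hops.
    The SHA-256 here is a constructed stand-in for the CEF hash."""
    if len(hops) == 1:
        return hops[0]
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return hops[digest[0] % len(hops)]


def policy_route(route_map, src, dst):
    """Return (next_hop, reason) for a packet entering an interface that has
    `ip policy route-map` applied. `route_map` is a list of
    (acl_source_prefix, set_type, next_hop) tuples in sequence order.
    set_type "next_hop" models `set ip next-hop` (PBR overrides the RIB);
    "default_next_hop" models `set ip default next-hop` (used only when the
    RIB holds nothing more specific than the default route)."""
    src_addr = ip_address(src)
    for acl_prefix, set_type, nh in route_map:
        if src_addr not in ip_network(acl_prefix):
            continue  # this sequence's ACL does not match; try the next one
        if set_type == "next_hop":
            return nh, "pbr"
        if set_type == "default_next_hop":
            prefix, hops = rib_lookup(dst)
            if prefix.prefixlen == 0:  # only the default route matches
                return nh, "pbr-default"
            return cef_pick(src, dst, hops), "rib"  # a specific route wins
        raise ValueError(f"unknown set clause {set_type}")
    # No clause matched: ordinary forwarding from the RIB.
    prefix, hops = rib_lookup(dst)
    return cef_pick(src, dst, hops), "rib"


# Route-maps as in the thread's final configuration (ACL 110 / 111 as the
# source prefixes, `set ip next-hop` to the respective ISP gateway).
VSNL_MAP = [("111.93.20.152/29", "next_hop", "111.93.14.249")]
BSNL_MAP = [("117.239.50.208/29", "next_hop", "172.24.9.150")]
# The earlier `set ip default next-hop` variant from route-map VSNL-1 seq 5.
VSNL_DEFAULT_MAP = [("111.93.20.152/29", "default_next_hop", "111.93.14.249")]


def compare_policies(dst="8.8.8.8"):
    """Constructed hosts on each LAN sending to the same Internet address."""
    return {
        "vlan1_set_next_hop": policy_route(VSNL_MAP, "111.93.20.154", dst),
        "vlan2_set_next_hop": policy_route(BSNL_MAP, "117.239.50.210", dst),
        "vlan1_default_next_hop": policy_route(VSNL_DEFAULT_MAP, "111.93.20.154", dst),
        # default next-hop does not override the connected route to LAN 2
        "vlan1_default_to_lan2": policy_route(VSNL_DEFAULT_MAP, "111.93.20.154", "117.239.50.210"),
        # no policy at all: the two equal-cost defaults are shared per destination
        "no_policy": policy_route([], "111.93.20.154", dst),
    }


if __name__ == "__main__":
    for name, (hop, why) in compare_policies().items():
        print(f"{name:24s} -> {hop:18s} ({why})")
```

The `no_policy` case is the situation the original post describes: with two default routes of equal metric and no matching PBR clause, which ISP a flow takes depends only on the load-sharing hash, so a traceroute from one host consistently exits one ISP while another host may exit the other. The `set ip next-hop` cases show that a matching clause decides the exit regardless of what the RIB holds, which is why `show route-map` and the ACL hit counters are the first things to check when PBR appears to be ignored.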

Hi,

Can I remove the default routes?

Regards,

Janardhan

As long as the following networks are the only ones that will be transiting that router, then yes, you could.

111.93.20.154 255.255.255.248
117.239.50.209 255.255.255.248

Since your ACLs are saying all traffic from these two networks to ANY, then you shouldn't have any problems, since you're PBR'ing traffic from those two networks to specific ISPs.

But you do know your network better than me, so I would just verify that's not going to bring any production workers down, and/or your ability to access these devices, while you are doing this.

Hi,

So, to access it from outside, I think I need to configure local PBR, right?

Local PBR will PBR traffic that is started directly from the switch itself, such as a TFTP upload of the configuration, etc.

ip policy route-map -----> Regular Policy Based Routing
ip local policy route-map -----> Local Policy Based Routing

Hi,

Will I lose connectivity to the router after removing the default route from the router?

Then what do I need to configure to keep connectivity from outside? (Generally I will configure from outside.)


You can leave the default routes and just add the static routes, they will take precedence. You shouldn't lose remote connectivity.

Hi John,

Thanks for all your suggestions. Let me check what you have suggested.

Regards,

Janardhan

Hi John,

After applying your configuration as well, I am facing the same issue.

Will you please help me to solve this issue?

While tracing, it is using the ISPs without the policies that we defined.

My current configuration:

GMRIT-WAN-GATEWAY#sh run
Building configuration...

Current configuration : 5784 bytes
!
! Last configuration change at 10:57:11 UTC Fri Jun 29 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password gmrit@123
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1432443274
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1432443274
 revocation-check none
 rsakeypair TP-self-signed-1432443274
!
crypto pki certificate chain TP-self-signed-1432443274
 certificate self-signed 01
  30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343332 34343332 3734301E 170D3131 31323032 30393333
  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34333234
  34333237 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D483 AD3634F1 8349C67B 7554F74E 6FF39064 25FAA8B6 4D5EBF2E 9D2C199A
  DFD2C7F0 185D10DF 6791BA58 80CE9A5F ECCA5F08 45D34429 170FC24F 6AFA8C43
  F1261CE9 541C8E64 6E2E2411 5DE5933B AFC788F4 6BB24CA0 D74AFF51 6E5D1194
  5B8247AA 3E233EC8 F0EC5A77 C2EB933B 97627DE7 CCE77049 8A9AF3AF 98000825
  1D1F0203 010001A3 8180307E 300F0603 551D1301 01FF0405 30030101 FF302B06
  03551D11 04243022 8220474D 5249542D 57414E2D 47415445 5741592E 796F7572
  646F6D61 696E2E63 6F6D301F 0603551D 23041830 168014E3 F006E059 661B2269
  F18B4A47 6FEF6C30 87DF6030 1D060355 1D0E0416 0414E3F0 06E05966 1B2269F1
  8B4A476F EF6C3087 DF60300D 06092A86 4886F70D 01010405 00038181 009E2659
  C1010031 29DDAACD 6A5C6BC6 DC907082 F5D1CD61 F168B323 AAB542ED 5718A0B5
  EF4E9BBB B910E39D 2DA63DC3 834A8AA5 9CF9BDD4 75317E95 C7FE19C7 467A1D3D
  1827BDD7 E0D66AF1 445F2B2C E6EE7352 0CE476FF F132D86C 26DCA701 3CBDDACB
  48FC5292 E8C135E1 90CEAF33 5876A07D 63BE9D80 08BEA784 BB8BF652 FD
        quit
license udi pid CISCO1941/K9 sn XXXXXXX
!
username Nipun1 privilege 15 password 0 Nipun1
username gmrit privilege 15 secret 5 $1$vOh0$8GaLCjGKqbt./QU6VmSJl0
!
interface GigabitEthernet0/0
 description GMRIT-VSNL-ISP-Connection
 ip address 111.93.14.250 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description GMRIT-BSNL-ISP-CONNECTION
 ip address 172.24.9.149 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
 switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 111.93.20.154 255.255.255.248
 ip policy route-map VSNL
!
interface Vlan2
 ip address 117.239.50.209 255.255.255.248
 ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150 100
ip route 111.93.14.249 255.255.255.255 111.93.14.249
ip route 172.24.9.150 255.255.255.255 172.24.9.150
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 111 deny   ip any any log
!
route-map VSNL permit 10
 match ip address 110
 set ip next-hop 111.93.14.249
!
route-map BSNL permit 10
 match ip address 111
 set ip next-hop 172.24.9.150
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password XXXXXXX
 login
 transport input none
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 password XXXXXXX
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

GMRIT-WAN-GATEWAY#

Regards,

Janardhan
