andersenks asked:

Configuring PBR (Policy Based Routing) Cisco 2600

I'm trying to configure this 2620 router to route all WWW traffic to the WIC-1ADSL card and all other traffic through a Serial0/0 that uses a dedicated T1 to a remote site.

Am I close?

version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXX
!
boot-start-marker
boot system flash slot1:c2600-i-mz.123-21.bin
boot-end-marker
!
enable password
!
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name xxx.com
!
bridge irb
!
interface ATM0/0
 description WAN connection
 no ip address
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.2.254 255.255.255.0 secondary
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip policy route-map HTTP-TRAFFIC
 duplex auto
 speed auto
!
interface Serial0/1
 description T1 to Remote Branch
 ip address 10.10.0.10 255.255.255.252
 no ip mroute-cache
 priority-group 1
 service-module t1 timeslots 1-24
!
interface BVI1
 ip address <ADSL Static IP> 255.255.255.0
 ip nat outside
!
router rip
 network 192.168.1.0
!
ip nat inside source list 1 interface BVI1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 BVI1
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any eq www
!
route-map HTTP-TRAFFIC permit 20
 match ip address 120
 set interface BVI1
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
ASKER CERTIFIED SOLUTION by Les Moore

andersenks (ASKER):
Internal DNS is supported here at my site (Domain); the remote site has its own domain/DNS. Is this what you are asking about, or is it external DNS? There are web-based applications hosted at the remote site... outside the DMZ.

Thanks

Les Moore:
I just wanted you to be aware that with the above config, even external DNS name resolution will go to the other site.
If you have to access their www services through the private T1, then you need to add deny statements to the acl 101
andersenks (ASKER):
If I remove "ip route 0.0.0.0 0.0.0.0 BVI1/Serial0/1" I lose connectivity altogether. Also, how do you determine what would be the "next hop" for the DSL connection? Would it be the ISP's gateway?

interface ATM0/0
 description WAN connection
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
 pvc 0/35
  encapsulation aal5snap
 !
!
interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.2.254 255.255.255.0 secondary
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip policy route-map www
 duplex auto
 speed auto
!
interface Serial0/1
 description T1 to Remote Office
 ip address 10.10.0.10 255.255.255.252
 no ip mroute-cache
 priority-group 1
 service-module t1 timeslots 1-24
!
interface BVI1
 ip address X.X.X.16 255.255.255.0
 ip nat outside
!
router rip
 network 192.168.1.0
!
ip nat inside source list 1 interface BVI1 overload
no ip http server
ip classless
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit tcp any any eq www
access-list 130 permit ip any any
!
route-map www permit 10
 match ip address 120
 set ip next-hop X.X.X.1
!
route-map www permit 20
 match ip address 130
 set ip next-hop 10.10.0.9
Les Moore:
Your ISP should have given you a Gateway IP to use. It would typically be x.x.x.1 as you show. Can you ping that IP from the console of the router?
Use "show access-list" to see hit counters on the matching access-lists


You might keep the default to BVI interface, but only keep that one.
andersenks (ASKER):
It actually ended up working without the two IP routes!

You were dead on about the web based apps at the remote site lrmoore. That traffic wants to go out the DSL line. It also looks like external e-mail incoming and outgoing end up trying to come through the DSL pipe.

Thanks LRMoore!
Les Moore:
Just modify your access list to include the snmp traffic with the www, and exclude that www traffic going to the other side..
example:
 access-list 120 deny tcp any host 1.2.3.4 eq www  <== web host at remote site
 access-list 120 deny tcp any host 1.2.3.5 eq www
 access-list 120 permit tcp any any eq www
 access-list 120 permit tcp host 192.168.1.12 any eq smtp  <== your mail host
 access-list 120 permit udp host 192.168.1.12 any eq domain  <== so your mail host uses DNS out the DSL

Now all traffic matching 120 goes out DSL line,
Everything else goes over the T1

Cheers!
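To see how the top-down, first-match ordering of the ACL above decides which exit each flow takes, here is an added Python simulation of ACL 120 and the two route-map sequences; it is not code from this thread or from IOS, and it models classification only (not NAT or the inbound-interface requirement of PBR). The hosts 1.2.3.4, 1.2.3.5 and 192.168.1.12 are the post's placeholders, and X.X.X.1 and 10.10.0.9 are the next hops from the asker's config.

```python
# Added example, not from the thread: a small simulator of Cisco IOS first-match
# ACL semantics and route-map evaluation, loaded with ACL 120 from the last post.
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src dst dport")   # proto is "tcp" or "udp"
PORTS = {"www": 80, "smtp": 25, "domain": 53}  # IOS port keywords used in the ACL

def ace(action, proto, src, dst, dport=None):
    """One access-list entry; src/dst use IOS syntax: 'any', 'host A.B.C.D',
    or 'A.B.C.D W.W.W.W' (address plus wildcard mask)."""
    return (action, proto, src, dst, PORTS.get(dport, dport))

def matches_addr(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wildcard = spec.split()
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

def acl_permits(acl, pkt):
    """IOS ACLs are evaluated top-down; the first matching line wins; implicit deny at the end."""
    for action, proto, src, dst, dport in acl:
        if proto not in (pkt.proto, "ip"):
            continue
        if matches_addr(src, pkt.src) and matches_addr(dst, pkt.dst) and dport in (None, pkt.dport):
            return action == "permit"
    return False

# ACL 120 as suggested in the last post; 1.2.3.4/1.2.3.5 are the thread's placeholder remote web hosts
ACL_120 = [
    ace("deny", "tcp", "any", "host 1.2.3.4", "www"),
    ace("deny", "tcp", "any", "host 1.2.3.5", "www"),
    ace("permit", "tcp", "any", "any", "www"),
    ace("permit", "tcp", "host 192.168.1.12", "any", "smtp"),
    ace("permit", "udp", "host 192.168.1.12", "any", "domain"),
]
ACL_130 = [ace("permit", "ip", "any", "any")]
# route-map www: seq 10 matches 120 -> DSL gateway, seq 20 matches 130 -> T1 peer (hops from the thread)
ROUTE_MAP = [(ACL_120, "X.X.X.1 (DSL)"), (ACL_130, "10.10.0.9 (T1)")]

def next_hop(pkt):
    """Route-map sequences are first-match too; no match means normal routing (the default routes)."""
    for acl, hop in ROUTE_MAP:
        if acl_permits(acl, pkt):
            return hop
    return "routing table"
```

Note that a deny in ACL 120 does not drop the packet; it only means the packet fails sequence 10 and falls through to sequence 20, which is exactly why the remote-site web hosts end up on the T1.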


andersenks (ASKER):
Awesome!