Techrunner
Help Designing Network with Policy Route
Hello Experts,
Please have a look at the image below. I have 2 routers connected to two different ISPs.
Behind the routers I have a multi-layer switch with several VLANs. VLAN 50 users are connected to an access switch. I want to distribute the internet access for these VLAN users.
Meaning only certain websites (like Facebook, YouTube) that I know should go to ISP1,
and the rest of the web and other traffic should go to ISP 2.
I would highly appreciate it if any expert can help to achieve this scenario.
ASKER
Thanks for the response.
The default gateway for the clients is my core switch.
There are some websites whose IP address keeps changing.
How can I tell the router or switch to filter on the URL, sending those to ISP1 and other traffic to ISP2?
ASKER
BTW, we don't want to affect other VLANs. Meaning other VLANs should not route internet traffic to the routers (ISP 1 and ISP 2) shown in the diagram.
This is where your needs are best served by a proxy server such as Squid rather than a switch and router combination. Switches don't have any way to differentiate URLs, so your decision can't take place there.
With a proxy server, you can flag these destinations by marking the packets as they are transmitted. The switch can then use PBR to direct marked packets to R9 and everything else to R10 based on the marking.
ASKER
I have worked with Microsoft TMG but I am not sure how to get this scenario working.
Please can you provide some guide if you have one?
Is there no way to do it with a router?
If both of your ISPs are on the same router, you can do it fairly easily, but your diagram suggests that you want the switch to do it. It just doesn't have the ability to extract the URLs from the HTTP requests and you need to mark the packets *before* they get to the router.
I don't know much about TMG. I've removed a lot of them from customers' sites, but never actually installed one. Squid works nicely though.
ASKER
I have 2 types of connections:
- DIA Leased Line (point to point with ISP)
- PPPoE Connection
Is it possible to configure on the same router?
I have no problem configuring on the same router; in fact I prefer to do that.
Thanks
Actually, on further investigation, it looks like the traffic needs to be flagged *before* it gets to the router in either case. You can't do PBR with URL filtering on the same router because the source and destination have already been decided before the ZPF policy engages.
Another possibility is to check with ARIN (or other appropriate regional NICs) and just static route all IPv4 blocks that are owned by the organizations in question to the appropriate destinations.
ASKER
Sir,
OK, let's forget about the URLs.
Let's assume I have the following websites' IPs, like 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4. I want them to go through ISP 1
and all other traffic to ISP 2. I want to set it up on the same router.
Now can you please help with the configuration? I have 2 types of connection, DIA and PPPoE.
Thanks
Given that your PPPoE and DIA connections are both point-to-point, you can run with the following:
ip route 1.1.1.1 255.255.255.255 Dialer1
ip route 2.2.2.2 255.255.255.255 Serial0
Replace the interfaces appropriately, of course. If you're wanting to capture entire organizations, you're looking at much bigger blocks.
ASKER
Sir what if I want to use PBR.
If you're going to use PBR, you need something to define the policy. What are you planning on using? The configuration will be different depending on the criteria.
If you just want to route everything from VLAN50, you can do something like this:
ip access-list extended acl-vlan50
permit ip 10.1.50.0 0.0.0.255 any
!
route-map rm-pbr
match ip address acl-vlan50
set interface Dialer1
!
interface FastEthernet0/0
ip policy route-map rm-pbr
Change FastEthernet0/0 to whatever interface LAN traffic will be entering on and Dialer1 to whatever interface you want to push the traffic out on. Anything that doesn't match the ACL will fall down to whatever you've defined in the normal routing table.
ASKER
Sir, I will give it a try and update you.
ASKER
Hello Sir,
Please have a look at my config, just to make sure I am going on the right track.
ROUTER CONFIG
interface GigabitEthernet0/0
description << Connection to ISP1 >>
ip address 100.100.100.100 255.255.255.252
ip nat outside
interface GigabitEthernet0/1
description << Connection to ISP2 >>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface GigabitEthernet0/2
ip address 10.1.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
ip policy route-map ISP1
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in max-reassemblies 512
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
no cdp enable
ip route 0.0.0.0 0.0.0.0 Gi0/1
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
access-list 110 deny ip any any
access-list 120 permit ip 10.1.50.0 0.0.0.255 any
route-map ISP1 permit 10
match ip address 110
set interface GigabitEthernet0/0
route-map ISP2 permit 20
match ip address 120
set interface dialer 0
ip nat inside source route-map ISP1 interface gi0/0 overload
ip nat inside source route-map ISP2 interface dialer 0 overload
ASKER
Hello,
I have configured the router but it's not working as expected.
The clients' traffic destined to 1.1.1.1 is not going to ISP 1 as defined in the route map.
The other traffic is going to Dialer0.
Thanks
Please, any help?
If your connection is on GigabitEthernet0/0, then it isn't a point-to-point connection and that route map won't work unless your ISP has proxy ARP enabled. Try this instead:
route-map ISP1 permit 10
match ip address 110
no set interface GigabitEthernet0/0
set ip next-hop x.x.x.x
Replace x.x.x.x with the default router IPv4 address provided by your ISP for that connection.
ASKER
Hello sir, thanks for the response. What about Dialer0? Do I need to change anything?
Dialer0 is an actual point-to-point link, so that can remain as-is.
ASKER
Sir,
How about my default route? Is that OK, or do I need to add a default route to ISP1?
I have added one for ISP2.
Anything that doesn't match the PBR route map will fall to normal routing, so you'll need a route for anything that needs to use that gateway and isn't covered by the PBR.
ASKER
Sir,
Do I need to apply the route map on the LAN interface? If yes, then which one, as I have 2 route maps?
ASKER
Sir,
This is my final router configuration. Still not working
interface GigabitEthernet0/0
description << Connection to ISP1 >>
ip address 100.100.100.101 255.255.255.252
ip nat outside
interface GigabitEthernet0/1
description << Connection to ISP2 >>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface GigabitEthernet0/2
ip address 10.1.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
ip policy route-map ISP1
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in max-reassemblies 512
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
no cdp enable
ip route 0.0.0.0 0.0.0.0 dialer 0
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 2.2.2.2
access-list 110 deny ip any any
access-list 120 permit ip 10.1.50.0 0.0.0.255 any
ip nat inside source list 120 interface dialer 0 overload
ip nat inside source route-map interface gi0/0 overload
route-map ISP1 permit 10
match ip address 110
set ip next-hop 100.100.100.102
ASKER
Hello,
I figured it out
I changed the NAT commands from
ip nat inside source route-map ISP1 interface gi0/0 overload
ip nat inside source route-map ISP2 interface dialer 0 overload
to
ip nat inside source list 110 interface gi0/0 overload
ip nat inside source list 120 interface dialer 0 overload
and it's working fine.
Sorry about that... I was paying too much attention to the policy routing and not to the NAT configuration. Your route maps would have worked correctly if you had used "match interface" instead of "set interface". In this case you would have used one set of route maps with "set interface" for PBR and another set with "match interface" for the NAT.
ASKER
Sir,
It would be much clearer to me as CLI commands, sorry for that.
This is my current config:
ip nat inside source list 110 interface gi0/0 overload
ip nat inside source list 120 interface dialer 0 overload
route-map ISP1 permit 10
match ip address 110
set ip next-hop 100.100.100.102
Thanks
Here's a sample for NAT overload with route-map. You don't need to be nearly so specific with this as you are with your PBR. The NAT route-map will only engage when traffic matches its outgoing interface, so allowing any private IPv4 address to any destination works best. This way, you don't have to change the NAT configuration if you're adding networks in the future.
Leave your PBR configuration as-is and you should be fine. The route-map for ISP1 will be used when any traffic leaves via GigabitEthernet0/0. The route-map for ISP2 will be used for any traffic leaving via Dialer0. That is controlled through regular routing and your PBR.
object-group network OG-RFC1918
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0
!
ip access-list extended ACL-NAT
permit ip object-group OG-RFC1918 any
! (You don't need "deny ip any any" as this is assumed at the end of every ACL)
!
route-map RM-NAT-ISP1 permit 10
match ip address ACL-NAT
match interface GigabitEthernet0/0
!
route-map RM-NAT-ISP2 permit 10
match ip address ACL-NAT
match interface Dialer0
!
ip nat inside source route-map RM-NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map RM-NAT-ISP2 interface Dialer0 overload
ASKER
Hi
And do I apply the route map ISP 1 on the inside interface?
Nope. The route-maps for NAT only exist in the NAT overload statement. Only your PBR route-maps get applied to the inside interface.
ASKER
I have tried this but it is not working for me.
route-map RM-NAT-ISP1 permit 10
match ip address ACL-NAT
match interface GigabitEthernet0/0
!
route-map RM-NAT-ISP2 permit 10
match ip address ACL-NAT
match interface Dialer0
!
ip nat inside source route-map RM-NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map RM-NAT-ISP2 interface Dialer0 overload
When I generate a ping from the router, sourced from the inside interface and destined to a specific host defined in the ACL for ISP 1, I receive "request timed out",
and no output when I do "sh ip nat translations".
Did you define the object group and the ACL-NAT access-list? Also, did you remove your current NAT overloads? The configuration I sent you is one I use on customer routers extensively, so I know it works.
ASKER
Sir,
This is current configuration
int gi0/0
ip address 100.100.100.101 255.255.255.252
ip nat outside
int gi0/1
ip address 10.1.50.1 255.255.255.0
ip nat inside
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in max-reassemblies 512
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
no cdp enable
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 173.194.39.34
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2
access-list 120 permit ip 10.1.50.0 0.0.0.255 any
route-map ISP1 permit 10
match ip address 110
match interface gi0/0
ip route 0.0.0.0 0.0.0.0 dialer0
ip nat inside source route-map ISP1 interface gi0/0 overload
ip nat inside source list 120 interface dialer 0 overload
That explains much. It looks like you have a mash-up of the old nat configuration combined with pieces of the sample I have provided. Two different NAT mechanisms are definitely going to conflict and fail. Try removing your existing NAT configuration and using the example provided. Then you can add your standard routing and policy routing to get a working solution.
ASKER
I've removed your configuration from the router and pasted mine just to show you the result.
Just curious to know, is there anything wrong with my configuration?
Actually my aim is, for example:
10.1.50.0 >> accessing 173.194.39.34 >> go to ISP1
10.1.50.0 >> any other traffic >> go to ISP2
ASKER
Hi,
I have now tried your configuration but still get the same result as above.
ASKER
Any further help Sir !
ASKER CERTIFIED SOLUTION
ASKER
Thanks Sir,
It's working. Big help.
One last thing: I want the traffic that is policy routed (on the leased line) to take the other path if the leased line is down, but I don't want the other traffic that is routed to ADSL to take the leased line if ADSL goes down.
I have around 15-20 that will be routed to the leased line.
Thanks
SOLUTION
ASKER
Sir,
You mean set interface dialer 0?
route-map RM-PBR permit 10
match ip address ACL-PBR
set ip next-hop 100.100.100.101
set interface dialer 0
Sorry, I made a mistake in my original posting. You don't need to do anything. If the destination for the policy route doesn't exist, it will fall back to the normal routing table.
If you really want to be sure, you can manually set the interface for Dialer0 as you indicated. Did it not work when you tested it?
ASKER
Oops, the route-map NAT was incorrect, a typo mistake.
It's working now. You are great and you really helped me a lot.
I truly appreciate your support.
God bless you.
I'll just monitor till tomorrow and then close the ticket.
Thanks
ASKER
I hope you don't mind
In my production environment, the clients have their default gateway pointing to the switch.
The router's inside address is 10.1.50.2.
Client gateway: 10.1.50.1
How can I define a rule on the switch to route client traffic to the router when the packet arrives at the switch?
Most switches can't do PBR.
ASKER
I just want to route VLAN 50 traffic to the router, and then the router can handle PBR.
I have a 6500 switch.
VLAN 50
ip address 10.1.50.1 255.255.255.0
Client
10.1.50.100/24
10.1.50.1 (GW)
Thanks
If all Internet traffic is going to the router and it's deciding what to send over the DSL or leased line, you can just add a default route to the 6500 and you're good.
If you only want to send VLAN50 traffic to the router, the 6500 should be able to do PBR. Just use the PBR configuration from the router, adjust the next-hop and apply it to the switch.
ASKER
Sir,
You mean add PBR on the switch as follows?
route-map route_traffic_router permit 10
match ip address 120
set ip next-hop 10.1.50.2
But VLAN 50 should still be able to talk to the other VLANs.
SOLUTION
ASKER
Hello,
I will give it a try with the overall configuration and let you know.
Thanks Sir
ASKER
Sir,
The very last question.
I have added PBR on our switch to route the traffic originating from VLAN 20 to the router (terminating the leased line and PPPoE).
VLAN 20 can ping other VLANs.
But I have another router connected to a switch interface (subnet 172.16.1.0).
I am able to ping other VLANs on the switch from VLAN 20.
interface gi3/1
ip address 172.16.1.1 255.255.255.0
Router:
ip address 172.16.1.2 255.255.255.0
Any workaround to solve this?
Thanks for your precious time. I am really obliged.
I've re-read your last comment a few times and can't find a problem that needs solving. Is there something that systems on vlan20 shouldn't be able to ping?
ASKER
Sir,
I'll post a diagram. One moment
ASKER
Oops, not VLAN 20, typo mistake; it's VLAN 50, 10.1.50.0.
Still not seeing a problem. If vlan 50 can ping other VLANs and all other traffic is being policy routed to the DSL router, that's what you said you wanted. What's the problem?
ASKER
I'll post the diagram now 1 moment please
ASKER
When I try to ping it results in Destination Host Unreachable.
I can't see any reason why this would be occurring. As long as the ACL was entered exactly as posted, it won't have anything to do with your PBR. Traffic from VLAN 50 to 172.16.0.0/12 is denied by the PBR and follows the normal routing table.
ASKER
By this statement
"Traffic from VLAN 50 to 172.16.0.0/12 is denied by the PBR and follows the normal routing table."
I went through the post to review and I found my mistake. Really sorry for that.
I guess I should close this ticket for now; it's been a long conversation. Even I am confused about which post is supposed to be accepted as the solution. Anyway, I'll manage it.
The ACL on the switch that I did not add (bold rules):
ip access-list extended 120
deny ip 10.1.50.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.1.50.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.1.50.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.1.50.0 0.0.0.255 any
!
route-map route_traffic_router permit 10
match ip address 120
set ip next-hop 10.1.50.2
Finally, I would like to thank you so much for your time, help and support. You were friendly, and I got to learn many points from you.
Appreciating that.
Not a problem. The deny rules are important. Without them, the PBR will policy route everything from VLAN 50 to the DSL router. Putting the deny rules in makes sure that traffic to other private networks is skipped by the policy and gets routed normally.
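The PBR semantics the last two posts rely on (a permit match in the route-map's ACL is policy-routed; a deny match or no match falls through to the normal routing table) modelled in plain Python. This is an added example, not part of the thread or of Cisco IOS; the ACL lines, next-hops and the 173.194.39.34 / 4.2.2.2 hosts are the ones posted above, while 8.8.8.8 and 10.1.20.7 are constructed sample destinations.

```python
"""Model of how a Cisco IOS policy route-map consults its ACL (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def parse_ace(line: str) -> AclEntry:
    """Parse one 'permit|deny ip <src> <dst>' line as written in the thread.
    Each address is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")

    def take(t):
        if t[0] == "any":
            return "0.0.0.0", "255.255.255.255", t[1:]
        if t[0] == "host":
            return t[1], "0.0.0.0", t[2:]
        return t[0], t[1], t[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, rest = take(rest)
    return AclEntry(action, src, src_wc, dst, dst_wc)


def acl_result(acl: List[AclEntry], src: str, dst: str) -> str:
    """Top-down, first match wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


def pbr_next_hop(acl: List[AclEntry], next_hop: str, src: str, dst: str) -> Optional[str]:
    """'route-map X permit 10 / match ip address <acl> / set ip next-hop <next_hop>'.
    A permit match is policy-routed; a deny match or no match returns None,
    i.e. the packet is left to the normal routing table."""
    return next_hop if acl_result(acl, src, dst) == "permit" else None


# ACL 120 on the 6500 as finally posted: the deny lines exempt private space from the policy.
ACL_120_WITH_DENY = [parse_ace(l) for l in (
    "deny ip 10.1.50.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "deny ip 10.1.50.0 0.0.0.255 172.16.0.0 0.15.255.255",
    "deny ip 10.1.50.0 0.0.0.255 192.168.0.0 0.0.255.255",
    "permit ip 10.1.50.0 0.0.0.255 any",
)]
# The earlier version without the deny lines, which broke reachability to 172.16.1.0/24.
ACL_120_NO_DENY = [parse_ace("permit ip 10.1.50.0 0.0.0.255 any")]
# ACL 110 on the router: only these two destination hosts are steered towards ISP1.
ACL_110 = [parse_ace(l) for l in (
    "permit ip 10.1.50.0 0.0.0.255 host 173.194.39.34",
    "permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2",
)]

SWITCH_NEXT_HOP = "10.1.50.2"       # router's inside address from the thread
ISP1_NEXT_HOP = "100.100.100.102"   # ISP1 gateway from the thread


def switch_decision(dst: str, acl=ACL_120_WITH_DENY, src: str = "10.1.50.100") -> Optional[str]:
    """What the 6500's route_traffic_router map does with a VLAN 50 packet."""
    return pbr_next_hop(acl, SWITCH_NEXT_HOP, src, dst)


def router_decision(dst: str, src: str = "10.1.50.100") -> Optional[str]:
    """What the router's ISP1 route-map does once the packet arrives there."""
    return pbr_next_hop(ACL_110, ISP1_NEXT_HOP, src, dst)


if __name__ == "__main__":
    for dst in ("173.194.39.34", "172.16.1.2", "10.1.20.7"):
        print(dst, "with deny:", switch_decision(dst),
              "| without:", switch_decision(dst, ACL_120_NO_DENY))
```

With the deny lines, a VLAN 50 packet for 172.16.1.2 is left to the switch's routing table and reaches gi3/1; without them it is pushed to 10.1.50.2, which is the "Destination Host Unreachable" case described above.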
ASKER
Great help and extremely supportive.
The answer to the original question asked has been selected as "BEST Solution".
Thanks
So basically you need to look up the full network ranges of the sites you want to send the traffic to over a specific gateway. You can look this up using http://network-tools.com/ or some other free site on the internet.
Then you need to add those routes, e.g. "ip route 173.252.64.0 255.255.192.0 ISP1 IP"
You also need a gateway of last resort route pointing to ISP2 for the other traffic:
ip route 0.0.0.0 0.0.0.0 ISP2 IP
Good luck,