Help Designing Network with Policy Route

Techrunner (asker):

Hello Experts,

Please have a look at the image below. I have 2 routers connected to two different ISPs.

Behind the routers I have a multi-layer switch with several VLANs. VLAN 50 users are connected to an access switch. I want to distribute the internet access for this VLAN's users.

Meaning only certain websites (like Facebook, YouTube) that I know should go to ISP1,
and the rest of the web and other traffic should go to ISP 2.

I would highly appreciate it if any expert can help me achieve this scenario.

[network diagram]
tercex11:

From your drawing I am not sure which device is the default gateway for VLAN 50, but whichever device is the default gateway for those users needs routes added to it that send any traffic destined for the entire IP range of Facebook (173.252.64.0/18) or YouTube (74.125.0.0/16), and any other sites you wish to reach via ISP1, to the ISP1 router's IP. The gateway of last resort for all other traffic should then point to the ISP2 router's IP.

So basically you need to look up the full network ranges of the sites whose traffic you want to send over a specific gateway. You can look this up using http://network-tools.com/ or some other free site on the internet.
Then you need to add those routes, e.g.

ip route 173.252.64.0 255.255.192.0 <ISP1 IP>

You also need a gateway of last resort pointing to ISP2 for the other traffic:

ip route 0.0.0.0 0.0.0.0 <ISP2 IP>

Good luck,
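Turning registry lookups into `ip route` lines by hand is where mistakes creep in: the dotted mask for a /18 is easy to get wrong, and a mistyped 0.0.0.0/0 or a private prefix pointed at ISP1 would steer far more than Facebook traffic out that link. The Python below is an added example, not part of the original thread or anyone's posted config. It takes CIDR prefixes, collapses overlapping ones, refuses default and RFC1918 prefixes, and emits IOS static routes with dotted masks. The two prefixes and the next-hop 100.100.100.102 are taken from this thread as constructed input; the script does not check whether those prefixes are still current.

```python
"""Generate IOS static routes for a set of destination prefixes.

Added example (not from the thread): converts CIDR prefixes to
'ip route <network> <dotted-mask> <next-hop>' lines for the ISP1 path.
"""
from __future__ import annotations

from ipaddress import IPv4Network, collapse_addresses, ip_address


def static_routes(prefixes: list[str], next_hop: str) -> list[str]:
    """Return one 'ip route' line per collapsed prefix, sorted by address.

    Refuses prefixes that must never be steered at an ISP: the default
    route (a typo'd 0.0.0.0/0 would send everything out ISP1) and
    RFC1918 space (that traffic belongs on the LAN, not on the internet).
    """
    nets = [IPv4Network(p, strict=True) for p in prefixes]
    for net in nets:
        if net.prefixlen == 0:
            raise ValueError("refusing to emit a default route toward ISP1")
        if net.is_private:
            raise ValueError(f"refusing private prefix {net}")
    hop = ip_address(next_hop)  # validates the next-hop syntax
    # collapse_addresses merges adjacent/overlapping prefixes, so a /24
    # already covered by a /16 disappears and the route table stays small.
    return [
        f"ip route {net.network_address} {net.netmask} {hop}"
        for net in sorted(collapse_addresses(nets))
    ]


if __name__ == "__main__":
    # Constructed input: the two blocks named in the post plus a redundant /24.
    for line in static_routes(
        ["173.252.64.0/18", "74.125.0.0/16", "74.125.1.0/24"], "100.100.100.102"
    ):
        print(line)
```

Paste the output under the existing default route; the more specific routes win over `ip route 0.0.0.0 0.0.0.0`, so nothing else changes path.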
Techrunner (asker):
Thanks for the response.

The default gateway for the clients is my core switch.

There are some websites whose IP addresses keep changing.
How can I tell the router or switch to send traffic for those URLs to ISP1 and other traffic to ISP2?
BTW, we don't want to affect other VLANs. Meaning other VLANs should not route internet traffic to the routers (ISP 1 and ISP 2) shown in the diagram.
Jody Lemoine:
This is where your needs are best served by a proxy server such as Squid rather than a switch and router combination. Switches don't have any way to differentiate URLs, so your decision can't take place there.

With a proxy server, you can flag these destinations by marking the packets as they are transmitted. The switch can then use PBR to direct marked packets to R9 and everything else to R10 based on the marking.
Techrunner (asker):

I have worked with Microsoft TMG but I am not sure how to get this scenario working.

Can you please provide some guidance if you have any?

Is there no way to do it with a router?
Jody Lemoine:

If both of your ISPs are on the same router, you can do it fairly easily, but your diagram suggests that you want the switch to do it. It just doesn't have the ability to extract the URLs from the HTTP requests, and you need to mark the packets *before* they get to the router.

I don't know much about TMG. I've removed a lot of them from customers' sites, but never actually installed one. Squid works nicely though.
Techrunner (asker):

I have 2 types of connections:

- DIA Leased Line (point to point with ISP)
- PPPoE connection

Is it possible to configure this on the same router?

I have no problem configuring it on the same router. In fact I prefer to do that.

Thanks
Jody Lemoine:

Actually, on further investigation, it looks like the traffic needs to be flagged *before* it gets to the router in either case. You can't do PBR with URL filtering on the same router because the source and destination have already been decided before the ZPF policy engages.

Another possibility is to check with ARIN (or other appropriate regional NICs) and just static route all IPv4 blocks that are owned by the organizations in question to the appropriate destinations.
Techrunner (asker):

Sir,

OK, let's forget about the URLs.

Let's assume I have the following websites' IPs: 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4. I want them to go through ISP 1

and all other traffic to ISP 2. I want to set this up on the same router.

Now can you please help with the configuration? I have 2 types of connection, DIA and PPPoE.

Thanks
Jody Lemoine:

Given that your PPPoE and DIA connections are both point-to-point, you can run with the following:

ip route 1.1.1.1 255.255.255.255 Dialer1
ip route 2.2.2.2 255.255.255.255 Serial0

Replace the interfaces appropriately, of course. If you're wanting to capture entire organizations, you're looking at much bigger blocks.
Techrunner (asker):

Sir, what if I want to use PBR?
Jody Lemoine:

If you're going to use PBR, you need something to define the policy. What are you planning on using? The configuration will be different depending on the criteria.
If you just want to route everything from VLAN50, you can do something like this:

ip access-list extended acl-vlan50
 permit ip 10.1.50.0 0.0.0.255 any
!
route-map rm-pbr
 match ip address acl-vlan50
 set interface Dialer1
!
interface FastEthernet0/0
 ip policy route-map rm-pbr

Change FastEthernet0/0 to whatever interface LAN traffic will be entering on and Dialer1 to whatever interface you want to push the traffic out on. Anything that doesn't match the ACL will fall down to whatever you've defined in the normal routing table.
Techrunner (asker):

Sir, I will give it a try and update you.
Techrunner (asker):

Hello Sir,

Please have a look at my config, just to make sure I am on the right track.

ROUTER CONFIG


interface GigabitEthernet0/0
 description << Connection to ISP1 >>
 ip address 100.100.100.100 255.255.255.252
 ip nat outside

interface GigabitEthernet0/1
 description << Connection to ISP2 >>
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 
interface GigabitEthernet0/2
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 ip policy route-map ISP1
 
 interface Dialer0
 
  ip address negotiated
  ip mtu 1492
  ip nat outside
  ip virtual-reassembly in max-reassemblies 512
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  dialer-group 1
  ppp authentication pap chap callin
  ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
  ppp chap password 0 xxxxxxxxxx
  ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
  no cdp enable

ip route 0.0.0.0 0.0.0.0 Gi0/1





access-list 110 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
access-list 110 deny ip any any

access-list 120 permit ip 10.1.50.0 0.0.0.255 any


route-map ISP1 permit 10
match ip address 110
set interface GigabitEthernet0/0

route-map ISP2 permit 20
match ip address 120
set interface dialer 0

ip nat inside source route-map ISP1 interface gi0/0 overload
ip nat inside source route-map ISP2 interface dialer 0 overload
Techrunner (asker):

Hello,

I have configured the router but it's not working as expected.

The clients' traffic destined to 1.1.1.1 is not going to ISP 1 as defined in the route map.

The other traffic is going to Dialer0.

Thanks

Please, any help?
Jody Lemoine:

If your connection is on GigabitEthernet0/0, then it isn't a point-to-point connection and that route map won't work unless your ISP has proxy ARP enabled. Try this instead:

route-map ISP1 permit 10
match ip address 110
no set interface GigabitEthernet0/0
set ip next-hop x.x.x.x

Replace x.x.x.x with the default router IPv4 address provided by your ISP for that connection.
Techrunner (asker):

Hello sir, thanks for the response. What about Dialer0? Do I need to change anything?
Jody Lemoine:

Dialer0 is an actual point-to-point link, so that can remain as-is.
Techrunner (asker):

Sir,
How about my default route? Is that OK? Do I need to add a default route to ISP1?

I have added one for ISP2.
Jody Lemoine:

Anything that doesn't match the PBR route map will fall to normal routing, so you'll need a route for anything that needs to use that gateway and isn't covered by the PBR.
Techrunner (asker):

Sir,

Do I need to apply the route map on the LAN interface? If yes, then which one, as I have 2 route maps?
Techrunner (asker):

Sir,

This is my final router configuration. Still not working.

interface GigabitEthernet0/0
 description << Connection to ISP1 >>
 ip address 100.100.100.101 255.255.255.252
 ip nat outside

interface GigabitEthernet0/1
 description << Connection to ISP2 >>
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 
interface GigabitEthernet0/2
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 ip policy route-map ISP1
 
 interface Dialer0
 
  ip address negotiated
  ip mtu 1492
  ip nat outside
  ip virtual-reassembly in max-reassemblies 512
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  dialer-group 1
  ppp authentication pap chap callin
  ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
  ppp chap password 0 xxxxxxxxxx
  ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
  no cdp enable

ip route 0.0.0.0 0.0.0.0 dialer 0

access-list 110 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 2.2.2.2
access-list 110 deny ip any any

access-list 120 permit ip 10.1.50.0 0.0.0.255 any

ip nat inside source list 120 interface dialer 0 overload
ip nat inside source route-map interface gi0/0 overload

route-map ISP1 permit 10
match ip address 110
set ip next-hop 100.100.100.102
Techrunner (asker):

Hello,

I figured it out.

I changed the NAT commands from

ip nat inside source route-map ISP1 interface gi0/0 overload
ip nat inside source route-map ISP2 interface dialer 0 overload

to

ip nat inside source list 110 ISP1 interface gi0/0 overload
ip nat inside source list 120 ISP2 interface dialer 0 overload

and it's working fine.
Jody Lemoine:

Sorry about that... I was paying too much attention to the policy routing and not to the NAT configuration. Your route maps would have worked correctly if you had used "match interface" instead of "set interface". In this case you would have used one set of route maps with "set interface" for PBR and another set with "match interface" for the NAT.
Techrunner (asker):

Sir,

It would be much clearer to me as CLI commands, sorry for that.

This is my current config:

ip nat inside source list 110 ISP1 interface gi0/0 overload
ip nat inside source list 120 ISP2 interface dialer 0 overload


route-map ISP1 permit 10
match ip address 110
set ip next-hop 100.100.100.102

Thanks
Jody Lemoine:

Here's a sample for NAT overload with route-map. You don't need to be nearly so specific with this as you are with your PBR. The NAT route-map will only engage when traffic matches its outgoing interface, so allowing any private IPv4 address to any destination works best. This way, you don't have to change the NAT configuration if you're adding networks in the future.

object-group network OG-RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
!
ip access-list extended ACL-NAT
 permit ip object-group OG-RFC1918 any
! (You don't need "deny ip any any" as this is assumed at the end of every ACL)
!
route-map RM-NAT-ISP1 permit 10
 match ip address ACL-NAT
 match interface GigabitEthernet0/0
!
route-map RM-NAT-ISP2 permit 10
 match ip address ACL-NAT
 match interface Dialer0
!
ip nat inside source route-map RM-NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map RM-NAT-ISP2 interface Dialer0 overload


Leave your PBR configuration as-is and you should be fine. The route-map for ISP1 will be used when any traffic leaves via GigabitEthernet0/0. The route-map for ISP2 will be used for any traffic leaving via Dialer0. That is controlled through regular routing and your PBR.
Techrunner (asker):

Hi,
And do I apply the route map ISP 1 on the inside interface?
Jody Lemoine:

Nope. The route-maps for NAT only exist in the NAT overload statement. Only your PBR route-maps get applied to the inside interface.
Techrunner (asker):

I have tried this but it is not working for me.

route-map RM-NAT-ISP1 permit 10
 match ip address ACL-NAT
 match interface GigabitEthernet0
!
route-map RM-NAT-ISP2 permit 10
 match ip address ACL-NAT
 match interface Dialer0
!
ip nat inside source route-map RM-NAT-ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map RM-NAT-ISP2 interface Dialer0 overload

When I generate a ping from the router sourced from the inside interface and destined to a specific host defined in the ACL for ISP 1, I receive request timed out,

and no output when I do sh ip nat translations.
Jody Lemoine:

Did you define the object group and the ACL-NAT access-list? Also, did you remove your current NAT overloads? The configuration I sent you is one I use on customer routers extensively, so I know it works.
Techrunner (asker):

Sir,

This is the current configuration:
int gi0/0
ip address 100.100.100.101 255.255.255.252
ip nat outside

int gi0/1
ip address 10.1.50.1 255.255.255.0
ip nat inside

interface Dialer0
 
  ip address negotiated
  ip mtu 1492
  ip nat outside
  ip virtual-reassembly in max-reassemblies 512
  encapsulation ppp
  ip tcp adjust-mss 1452
  dialer pool 1
  dialer-group 1
  ppp authentication pap chap callin
  ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
  ppp chap password 0 xxxxxxxxxx
  ppp pap sent-username xxxxxxxxxxxxxxxxxxx password 0 xxxxx
  no cdp enable


access-list 110 permit ip 10.1.50.0 0.0.0.255 host 173.194.39.34
access-list 110 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2

access-list 120 permit ip 10.1.50.0 0.0.0.255 any

route-map ISP1 permit 10
match ip address 110
match interface gi0/0

ip route 0.0.0.0 0.0.0.0 dialer0

ip nat inside source route-map ISP1 interface gi0/0 overload
ip nat inside source list 120 interface dialer 0 overload

Jody Lemoine:

That explains much. It looks like you have a mash-up of the old NAT configuration combined with pieces of the sample I have provided. Two different NAT mechanisms are definitely going to conflict and fail. Try removing your existing NAT configuration and using the example provided. Then you can add your standard routing and policy routing to get a working solution.
Techrunner (asker):

I've removed your configuration from the router and pasted in mine, just to show you the result.

Just curious to know, is there anything wrong with my configuration?

Actually, my aim is:

Example

10.1.50.0 >> accessing 173.194.39.34 >> go to ISP1
10.1.50.0 >> any other traffic >> go to ISP2
Techrunner (asker):

Hi,

I have now tried your configuration but still the same result as above.
Any further help, Sir?
Jody Lemoine (accepted solution; the content is members-only and not shown):
Techrunner (asker):

Thanks Sir,

It's working. Big help.

One last thing: I want traffic that is policy routed (to the leased line) to take the other path if the leased line is down, but I don't want other traffic that is routed to ADSL to take the leased line if ADSL goes down.

I have around 15-20 that will be routed to the leased line.

Thanks
Jody Lemoine (solution; the content is members-only and not shown):
Techrunner (asker):

Sir,

You mean set interface dialer 0?

route-map RM-PBR permit 10
 match ip address ACL-PBR
 set ip next-hop 100.100.100.101
 set interface dialer 0
Jody Lemoine:

Sorry, I made a mistake in my original posting. You don't need to do anything. If the destination for the policy route doesn't exist, it will fall back to the normal routing table.

If you really want to be sure, you can manually set the interface for Dialer0 as you indicated. Did it not work when you tested it?
Techrunner (asker):

Oops, the route-map NAT was incorrect, a typo.

It's working now. You are great and you really helped me a lot.

I truly appreciate your support.

God bless you.

I'll just monitor till tomorrow and will close the ticket.

Thanks
Techrunner (asker):

I hope you don't mind.

In my production environment, the clients have their default gateway pointing to the switch.
The router's inside address is 10.1.50.2.
Client gateway: 10.1.50.1.

How can I define a rule on the switch to route client traffic to the router when the packet arrives at the switch?
Jody Lemoine:

Most switches can't do PBR.
Techrunner (asker):

I just want to route VLAN 50 traffic to the router and then the router can handle PBR.

I have a 6500 switch.

VLAN 50
ip address 10.1.50.1 255.255.255.0

Client
10.1.50.100/24
10.1.50.1 ( GW)

Thanks
Jody Lemoine:

If all Internet traffic is going to the router and it's deciding what to send over the DSL or leased line, you can just add a default route to the 6500 and you're good.

If you only want to send VLAN50 traffic to the router, the 6500 should be able to do PBR. Just use the PBR configuration from the router, adjust the next-hop and apply it to the switch.
Techrunner (asker):

Sir,

You mean add PBR on the switch as follows?

route-map route_traffic_router permit 10
match ip address 120
set ip next-hop 10.1.50.2


But VLAN 50 should still talk to other VLANs.
Jody Lemoine (solution; the content is members-only and not shown):
Techrunner (asker):

Hello,
I will give it a try with the overall configuration and let you know.

Thanks Sir
Techrunner (asker):

Sir,
The very last question.

I have added PBR on our switch to route the traffic initiating from VLAN 20 to the router (terminating the leased line and PPPoE).

VLAN 20 can ping other VLANs.

But I have another router connected to a switch interface (subnet: 172.16.1.0).
I am able to ping other VLANs on the switch from VLAN 20.

interface gi3/1
ip address 172.16.1.1 255.255.255.0

Router:

ip address 172.16.1.2 255.255.255.0



Any workaround to solve this?

Thanks for your precious time. I am really obliged.
Jody Lemoine:

I've re-read your last comment a few times and can't find a problem that needs solving. Is there something that systems on VLAN 20 shouldn't be able to ping?
Techrunner (asker):

Sir,

I'll post a diagram. One moment.
Oops, not VLAN 20, a typo. It's VLAN 50, 10.1.50.0.
Jody Lemoine:

Still not seeing a problem. If VLAN 50 can ping other VLANs and all other traffic is being policy routed to the DSL router, that's what you said you wanted. What's the problem?
Techrunner (asker):

I'll post the diagram now, 1 moment please.

Sir,

Here is the diagram.

Now the problem appearing from VLAN 50 is that I cannot ping 172.16.1.2.

[network diagram]

When I try to ping, it results in Destination Host Unreachable.
Jody Lemoine:

I can't see any reason why this would be occurring. As long as the ACL was entered exactly as posted, it won't have anything to do with your PBR. Traffic from VLAN 50 to 172.16.0.0/12 is denied by the PBR and follows the normal routing table.
Techrunner (asker):

By these words

"Traffic from VLAN 50 to 172.16.0.0/12 is denied by the PBR and follows the normal routing table."

I went through the post to review and I found my mistake. Really sorry for that.

I guess I should close this ticket for now, it's been a long conversation. Even I am confused about which post is supposed to be accepted as the solution. Anyway, I'll manage it.

The ACL on the switch: I had not added the deny rules shown here.

ip access-list extended 120
 deny ip 10.1.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 10.1.50.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 10.1.50.0 0.0.0.255 192.168.0.0 0.0.255.255

 permit ip 10.1.50.0 0.0.0.255 any
!
route-map route_traffic_router permit 10
 match ip address 120
 set ip next-hop 10.1.50.2

Finally I would like to thank you so much for your time, help and support. Being friendly, I got to learn many points from you.

Appreciating that.
Jody Lemoine:

Not a problem. The deny rules are important. Without them, the PBR will policy route everything from VLAN 50 to the DSL router. Putting the deny rules in makes sure that traffic to other private networks is skipped by the policy and gets routed normally.
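The point in the last two replies, that a packet the route-map's ACL *denies* is not dropped but simply falls through to the normal routing table, is the whole mechanism behind both the switch-side and router-side configs in this thread, and it is easy to misread if you think of the ACL as a filter. The Python below is an added example, not part of the original thread and not anyone's posted configuration. It models IOS extended-ACL wildcard masks, top-down first-match evaluation with the implicit `deny ip any any`, and the PBR-then-RIB decision, and then traces a VLAN 50 flow first through the 6500 (ACL 120, next-hop 10.1.50.2) and then through the router (ACL 110, next-hop 100.100.100.102, default via Dialer0). The topology is constructed from the configs posted above; the interface names `Vlan50` and `Vlan20`, the 10.1.20.0/24 subnet and the source host 10.1.50.100 are assumptions for illustration.

```python
"""Trace a VLAN 50 flow through the two-stage PBR in this thread (added example,
not from the original posts). Models IOS route-map semantics: the match ACL is
walked top-down, first hit wins, every ACL ends in an implicit 'deny ip any any',
and denied traffic is not dropped but falls through to the normal routing table."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """IOS ACLs use inverse masks: '172.16.0.0 0.15.255.255' is 172.16.0.0/12."""
    bits = int(IPv4Address(wildcard))
    if bits & (bits + 1):  # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return IPv4Network((addr, 32 - bits.bit_length()), strict=False)


def _take_addr(tokens: list[str]) -> tuple[IPv4Network, list[str]]:
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> list[Ace]:
    """Parse the 'permit|deny ip <src> <dst>' lines of an extended IP ACL."""
    acl = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACE: {raw.strip()}")
        acl.append(Ace(tokens[0], src, dst))
    return acl


def acl_action(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def forward(src: str, dst: str, pbr_acl: list[Ace], next_hop: str, rib: dict[str, str]) -> str:
    """PBR is consulted before the routing table; denied traffic uses the RIB."""
    if acl_action(pbr_acl, src, dst) == "permit":
        return f"PBR -> {next_hop}"
    d = IPv4Address(dst)
    routes = sorted(((IPv4Network(p), e) for p, e in rib.items()),
                    key=lambda pe: pe[0].prefixlen, reverse=True)  # longest prefix first
    for prefix, exit_point in routes:
        if d in prefix:
            return f"RIB -> {exit_point}"
    return "RIB -> no route"


# Constructed topology from the configs posted in this thread. The interface names
# 'Vlan50'/'Vlan20' and the 10.1.20.0/24 subnet are assumptions for illustration.
SWITCH_ACL_FIXED = """
 deny   ip 10.1.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.1.50.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.1.50.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.1.50.0 0.0.0.255 any
"""
SWITCH_ACL_BROKEN = " permit ip 10.1.50.0 0.0.0.255 any"  # the version without the deny rules
SWITCH_RIB = {"10.1.50.0/24": "Vlan50", "10.1.20.0/24": "Vlan20", "172.16.1.0/24": "GigabitEthernet3/1"}
ROUTER_ACL_110 = """
 permit ip 10.1.50.0 0.0.0.255 host 173.194.39.34
 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2
"""
ROUTER_RIB = {"10.1.50.0/24": "GigabitEthernet0/2", "100.100.100.100/30": "GigabitEthernet0/0",
              "0.0.0.0/0": "Dialer0"}


def switch_hop(dst: str, acl_text: str = SWITCH_ACL_FIXED) -> str:
    """6500 decision for a VLAN 50 host: hand to the PBR router, or route normally."""
    return forward("10.1.50.100", dst, parse_acl(acl_text), "10.1.50.2", SWITCH_RIB)


def router_hop(dst: str) -> str:
    """Router decision: ISP1 next-hop for the listed hosts, default route otherwise."""
    return forward("10.1.50.100", dst, parse_acl(ROUTER_ACL_110), "100.100.100.102", ROUTER_RIB)


if __name__ == "__main__":
    for dst in ("173.194.39.34", "8.8.8.8", "172.16.1.2"):
        print(f"{dst:>14}: switch {switch_hop(dst):<26} router {router_hop(dst)}")
    print("172.16.1.2 without the deny rules:", switch_hop("172.16.1.2", SWITCH_ACL_BROKEN))
```

Running it shows the behaviour Jody describes: with the deny rules, 172.16.1.2 is denied by ACL 120 and the 6500 routes it out GigabitEthernet3/1 itself, while internet destinations are handed to 10.1.50.2; without them, every VLAN 50 packet, inter-VLAN traffic included, is policy-routed to the router, which has no better route than its default toward Dialer0. The same fall-through is why the router's ACL 110 needs no explicit default: anything it does not permit is routed by the RIB.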
Techrunner (asker):

Great help and extremely supportive.

The answer to the original question asked has been selected as "BEST Solution".

Thanks