oelolemy
asked on
PBR problem
Problem with policy based routing - urgent please!
Dear Experts,
I need your advice and expertise on the following issue.
As shown on the figure:
- The network addresses 10.232.100.0/22 and 10.232.104.0/22 are configured as primary and secondary addresses on the LAN network of the BAZ router.
- On the other hand, the networks 10.232.0.0/22 and 10.232.4.0/22 have been configured as primary and secondary networks on the TAS router.
- I have configured an extended access list to allow only the primary network addresses 10.232.0.0/22 and 10.232.100.0/22 to see each other and to deny them from accessing the secondary address networks 10.232.4.0/22 and 10.232.104.0/22, and vice versa, as per below:
On BAZ router
-=-=-=-=-=
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.104.1 255.255.252.0 secondary
 ip address 10.232.100.1 255.255.252.0
 ip access-group block_lan in
 duplex auto
 speed auto
!
interface Serial0/3/0:0
 ip address 10.254.1.130 255.255.255.252
 ip access-group block out
 encapsulation ppp
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.254.1.129
ip route 10.232.0.0 255.255.252.0 10.254.1.129
ip route 10.232.4.0 255.255.252.0 10.254.1.129
ip route 192.168.1.0 255.255.255.0 10.254.1.129
!
ip access-list extended block
 deny ip 10.232.100.0 0.0.3.255 10.232.4.0 0.0.3.255
 deny ip 10.232.104.0 0.0.3.255 10.232.0.0 0.0.3.255
 permit ip 10.232.104.0 0.0.3.255 10.232.4.0 0.0.3.255
 permit ip any any
!
ip access-list extended block_lan
 deny ip 10.232.104.0 0.0.3.255 10.232.100.0 0.0.3.255
 deny ip 10.232.100.0 0.0.3.255 10.232.104.0 0.0.3.255
 permit ip any any
-============
On TAS router:
-=======
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.4.1 255.255.252.0 secondary
 ip address 10.232.0.1 255.255.252.0
 ip access-group block_lan in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.232.8.1 255.255.252.0
 duplex auto
 speed auto
!
interface Serial0/3/0:0
 ip address 10.254.1.129 255.255.255.252
 ip access-group block out
 encapsulation ppp
!
ip access-list extended block
 deny ip 10.232.0.0 0.0.3.255 10.232.104.0 0.0.3.255
 deny ip 10.232.4.0 0.0.3.255 10.232.100.0 0.0.3.255
 permit ip any any
!
ip access-list extended block_lan
 deny ip 10.232.0.0 0.0.3.255 10.232.4.0 0.0.3.255
 deny ip 10.232.4.0 0.0.3.255 10.232.0.0 0.0.3.255
 permit ip any any
-=====================
The above has been tested in the lab and confirmed OK.
However, I need to separate them from accessing the Internet as well, meaning I want to route the primary networks through an Internet router from the TAS router and route the secondary networks through a different Internet router, also from the TAS router. The first Internet gateway should be an ISA server while the second one is a PIX firewall, but let's consider them as if they are routers.
- The primary network addresses should be routed to the Internet through the LAN interface 10.232.0.15 of the Internet router, while the secondary network addresses should be routed to a different gateway through the LAN interface 10.232.4.10 of the Internet gateway.
- I configured policy based routing on the TAS router and applied the policy on the Gig0/0 interface as per below.
On TAS
-=======
access-list 10 permit 10.232.0.0 0.0.3.255
access-list 10 permit 10.232.100.0 0.0.3.255
access-list 20 permit 10.232.4.0 0.0.3.255
access-list 20 permit 10.232.104.0 0.0.3.255
!
route-map internet permit 10
 match ip address 10
 set ip next-hop 10.232.0.15
!
route-map internet permit 20
 match ip address 20
 set ip next-hop 10.232.4.10
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.232.4.1 255.255.252.0 secondary
 ip address 10.232.0.1 255.255.252.0
 ip access-group block_lan in
 ip policy route-map internet   <<<<<<<<<<<<<<
 duplex auto
 speed auto
-=======================
I disconnected ISP router 2 and started to test on ISP router 1.
The result is that when I tried to ping from the TAS router to the WAN interface 192.168.1.100 using extended ping, once specifying the source address as the primary 10.232.0.1 and once specifying the source address as the secondary 10.232.4.0, I was able to ping the WAN interface from both sources, although I was not able to ping the LAN 10.232.0.15 using 10.232.4.1 (secondary address).
- I recognized that the PBR is either not applied correctly or is wrongly done. I also tested the connectivity between the primary addresses of both routers (TAS and BAZ) and they no longer see each other after I applied the PBR!!!
- I did the same thing (disconnecting ISP 1 and connecting the ISP 2 router) and this time both the primary and secondary networks cannot ping the WAN interface nor the LAN interface.
- Kindly advise what could possibly be wrong and kindly correct my configuration if any.
Regards
[Figure: lab.jpg]
I'll test this out in my lab and get back to you tonight
Try using ip local policy route-map instead, otherwise the router will ignore the policy routing for traffic it generates.
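As an added example (not part of the original question or of the replies above), here is how the TAS policy routing could be written so that router-originated traffic is also policy routed, as the reply suggests with ip local policy, and so that traffic between the site networks is excluded from the policy and keeps following the routing table. A standard ACL matches on source only, so a route-map that sets a next-hop for every packet from 10.232.0.0/22 also sends the packets bound for BAZ to the Internet gateway; extended ACLs with deny entries for the internal destinations avoid that, because a packet denied by the match ACL simply falls through to normal routing. The interface and gateway addresses are the ones from the question; the 10.232.0.0/16 summary used for "all site networks" and the serial link 10.254.1.128/30 are assumptions that must match the real addressing plan.

```cisco
! Added example, not from the thread: TAS router PBR rewritten with
! extended ACLs so that intra-site traffic stays on the routing table,
! applied to both LAN and serial ingress, and to router-generated traffic.
! ASSUMPTION: 10.232.0.0/16 covers every site network (TAS and BAZ LANs,
! 10.232.8.0/22) and 10.254.1.128/30 is the only WAN link. Adjust if not.
!
ip access-list extended PBR_PRIMARY
 remark internal destinations are denied here -> normal routing applies
 deny   ip any 10.254.1.128 0.0.0.3
 deny   ip 10.232.0.0 0.0.3.255 10.232.0.0 0.0.255.255
 deny   ip 10.232.100.0 0.0.3.255 10.232.0.0 0.0.255.255
 permit ip 10.232.0.0 0.0.3.255 any
 permit ip 10.232.100.0 0.0.3.255 any
!
ip access-list extended PBR_SECONDARY
 remark same idea for the secondary networks
 deny   ip any 10.254.1.128 0.0.0.3
 deny   ip 10.232.4.0 0.0.3.255 10.232.0.0 0.0.255.255
 deny   ip 10.232.104.0 0.0.3.255 10.232.0.0 0.0.255.255
 permit ip 10.232.4.0 0.0.3.255 any
 permit ip 10.232.104.0 0.0.3.255 any
!
route-map INTERNET permit 10
 match ip address PBR_PRIMARY
 set ip next-hop 10.232.0.15
!
route-map INTERNET permit 20
 match ip address PBR_SECONDARY
 set ip next-hop 10.232.4.10
!
! Packets matching neither sequence are routed by the routing table.
! The existing block / block_lan access-groups stay in place; an inbound
! ACL is evaluated before the policy route-map on the same interface.
!
interface GigabitEthernet0/0
 ip address 10.232.4.1 255.255.252.0 secondary
 ip address 10.232.0.1 255.255.252.0
 ip access-group block_lan in
 ip policy route-map INTERNET
!
! BAZ's traffic enters TAS on the serial link, not on Gi0/0, so a policy
! on Gi0/0 alone never sees the 10.232.100.0/22 and 10.232.104.0/22 sources.
interface Serial0/3/0:0
 ip access-group block out
 ip policy route-map INTERNET
!
! Interface PBR only applies to transit packets received on that interface.
! Extended pings sourced from 10.232.0.1 / 10.232.4.1 are generated by the
! router itself and are only policy routed with local policy:
ip local policy route-map INTERNET
```

On a lab box, "show route-map INTERNET" shows per-sequence packet counters so you can see which clause an extended ping or a host's traffic hit, "show ip policy" lists the interfaces the map is applied to, and "debug ip policy" prints the per-packet decision. If the site routes are all explicit entries in the routing table and only Internet-bound traffic falls to a default route, "set ip default next-hop" can replace the deny entries, since it is consulted only when no explicit route exists for the destination.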