aalbert69
asked on
Cisco Policy Based Routing of Traffic over 2 WAN Links - 2801
I have referenced the following two posts, and set up policy-based route-maps on my router, to send the http traffic over the DSL link, while pushing other traffic over the T1. Unfortunately, when I set it up this way, traffic does not go out at all (can't even ping remote hosts from the router itself). Prior to this, traffic would get out over:
ip route 0.0.0.0 0.0.0.0 Serial0/2/0 and
ip route 0.0.0.0 0.0.0.0 Dialer0 2
My end goal is to have http traffic go out over the DSL link, while everything else goes out over the T1... In the future I will add in some additional rules to route other non-mission critical data over the DSL link as well, but at this point I just need to get it to work.
https://www.experts-exchange.com/questions/24067045/Policy-Based-Routing-Cisco-2800.html
https://www.experts-exchange.com/questions/22110360/Configureing-PBR-Policy-Based-Routing-Cisco-2600.html
https://www.experts-exchange.com/questions/22066846/2611-Setup-policy-based-routing-to-defer-HTTP-traffic-to-specific-interface.html
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Store2801
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$OXXwVXXX.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
!
aaa session-id common
!
resource policy
!
memory-size iomem 20
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.19.1 192.168.19.10
ip dhcp excluded-address 192.168.19.89 192.168.19.254
!
ip dhcp pool The_Data
import all
network 192.168.19.0 255.255.255.0
dns-server 4.2.2.1 199.72.1.1
default-router 192.168.19.1
domain-name GREEN.local
lease 0 2
!
ip dhcp pool 90
host 192.168.19.90 255.255.255.0
client-identifier 0100.15c5.a642.aa
client-name WOLF
default-router 192.168.19.1
domain-name GREEN.local
dns-server 4.2.2.1 199.72.1.1
netbios-name-server 192.168.19.254
lease infinite
!
!
ip domain name GREEN.local
ip name-server 4.2.2.1
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3734409403
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3734409403
revocation-check none
rsakeypair TP-self-signed-3734409403
!
!
crypto pki certificate chain TP-self-signed-3734409403
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
FF246F16 A4DAB5ED D1E50C54 5F2DE435 2C7DC70D 0F367108 EFE79349 367B9F2F
936AC003 330809C7 6EBB7881 227D2832 C2
quit
username bsmith privilege 15 password 0 ThePasswd
username asmith privilege 10 secret 5 $1$5XXXXXXZ3.
username admin privilege 15 view root password 0 TheOtherPasswd
!
!
!
!
!
!
!
interface FastEthernet0/0
description Spare Interface for External Ethernet WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1412
no ip mroute-cache
speed 100
full-duplex
no keepalive
no cdp enable
!
interface Service-Engine0/0
no ip address
!
interface FastEthernet0/1
description connection to customer LAN
ip address 12.34.56.185 255.255.255.248 secondary
ip address 192.168.19.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
ip policy route-map INTERNET
no ip mroute-cache
speed 100
full-duplex
no keepalive
no cdp enable
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/2/0
description connection to FTLDFLOV GAR5 (Ckt.ID - DHEC123456789)
bandwidth 1536
ip address 12.34.43.218 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl both
no cdp enable
!
interface ATM0/3/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/3/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Vlan1
no ip address
!
interface Dialer0
description AT&T DSL - Miami
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
shutdown
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname user@bellsouth.net
ppp chap password 7 XXXXXXXXXXXXXXx
ppp pap sent-username user@bellsouth.net password 7 XXXXXXXXXXXXXXXXXx
ip rtp header-compression iphc-format
ip rtp compression-connections 64
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map DSL interface Dialer0 overload
ip nat inside source route-map T1 interface Serial0/2/0 overload
ip nat inside source static 192.168.19.90 12.34.56.190
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 150 remark Route WWW traffic over DSL
access-list 150 permit tcp any any eq www
access-list 150 deny ip any any
access-list 151 remark sends all Non-WWW traffic over T1 interface
access-list 151 permit ip any any
dialer-list 1 protocol ip permit
!
route-map INTERNET permit 10
match ip address 150
set ip default next-hop 65.14.11.7
!
route-map INTERNET permit 20
match ip address 151
match interface Serial0/2/0
set ip default next-hop 12.34.43.217
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
!
!
!
!
!
banner login ^CNo unauthorized Access . Log Off Now!
^C
!
line con 0
line aux 0
session-timeout 7
no exec-banner
exec-timeout 5 0
password ThePasswd
authorization exec Console
login authentication Console
transport input all
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output all
line vty 0 4
transport input telnet ssh
transport output telnet ssh
!
ntp clock-period 17179919
ntp update-calendar
ntp server 192.5.41.41
ntp server 135.89.154.147 prefer
ntp server 135.89.152.51
ntp server 135.89.152.52
ntp server 135.89.154.148
ntp server 152.158.74.251
ntp server 192.5.41.209 prefer
ntp server 12.38.168.18
end
You need to be careful: your interface Dialer0 is shut down,
so turn it on:
int dialer 0
no shut
then add this
ip load-sharing per-packet
to both dialer 0 and Serial0/2/0
and use the default routes
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
ip route 0.0.0.0 0.0.0.0 Dialer0
try and reply
ASKER
Worked great. Only question remaining is what changes would you suggest for the NAT?
NAT looks good. No changes necessary.
Use LAN address and its subnet, then destination.
Be as specific as you can on ACL, otherwise this will affect the rest of the route that you have.
You need something like:
access-list 150 remark Route WWW traffic over DSL
access-list 150 permit tcp (LAN address) any eq www
access-list 150 deny ip any any
then remove ACL 151 and use a static route to T1 for the rest.
This way, any non-www traffic will not be affected.
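An added example, not from the thread: a small Python model of how IOS walks the INTERNET route-map from the posted config, comparing the posted `access-list 150 permit tcp any any eq www` with the LAN-source-specific ACL suggested in this answer. It assumes Internet-bound destinations (so `set ip default next-hop` applies), uses the next hops and subnets from the posted config, and the destination 198.51.100.10 is a constructed sample address.

```python
import ipaddress

# Added example (not from the thread): a small model of how IOS walks the
# INTERNET route-map from the posted config, to show why a source-specific
# ACL matters. Assumes Internet-bound destinations, where "set ip default
# next-hop" applies because the routing table holds only default routes.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, pkt):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, proto, sb, sw, db, dw, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], sb, sw) and wildcard_match(pkt["dst"], db, dw)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action == "permit"
    return False

def policy_route(route_map, pkt, static_default):
    """Sequences are tried in order; the first permitting ACL sets the next hop,
    otherwise the packet is routed normally (here the T1 default route)."""
    for acl, next_hop in route_map:
        if acl_permits(acl, pkt):
            return next_hop
    return static_default

ANY = ("0.0.0.0", "255.255.255.255")
DSL_HOP, T1_HOP = "65.14.11.7", "12.34.43.217"  # next hops from the posted config
# access-list 150 as posted: permit tcp any any eq www, then deny ip any any
ACL150_POSTED = [("permit", "tcp", *ANY, *ANY, 80), ("deny", "ip", *ANY, *ANY, None)]
# access-list 151 as posted: permit ip any any
ACL151_POSTED = [("permit", "ip", *ANY, *ANY, None)]
# access-list 150 as the answer suggests: source limited to the LAN subnet
ACL150_LAN = [("permit", "tcp", "192.168.19.0", "0.0.0.255", *ANY, 80),
              ("deny", "ip", *ANY, *ANY, None)]

ROUTE_MAP_POSTED = [(ACL150_POSTED, DSL_HOP), (ACL151_POSTED, T1_HOP)]
ROUTE_MAP_FIXED = [(ACL150_LAN, DSL_HOP)]  # seq 20 dropped; rest via static route

def pick(route_map, src, dport):
    """Next hop for a constructed TCP packet from src to an Internet host."""
    pkt = {"proto": "tcp", "src": src, "dst": "198.51.100.10", "dport": dport}
    return policy_route(route_map, pkt, T1_HOP)
```

With the posted ACL, web traffic sourced from the secondary public subnet on FastEthernet0/1 (12.34.56.184/29) is also steered to the DSL next hop; with the LAN-specific ACL only 192.168.19.0/24 is policy-routed and everything else follows the T1 static route.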