  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1734

Cisco Policy Based Routing of Traffic over 2 WAN Links - 2801

I have referenced the following two posts, and set up policy-based route-maps on my router to send the http traffic over the DSL link, while pushing other traffic over the T1. Unfortunately, when I set it up this way, traffic does not go out at all (can't even ping remote hosts from the router itself). Prior to this, traffic would get out over
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
ip route 0.0.0.0 0.0.0.0 Dialer0 2

My end goal is to have http traffic go out over the DSL link, while everything else goes out over the T1... In the future I will add in some additional rules to route other non-mission-critical data over the DSL link as well, but at this point I just need to get it to work.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24067045.html

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_22110360.html

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_22066846.html




version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Store2801
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$OXXwVXXX.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local 
aaa authorization network default if-authenticated 
!
aaa session-id common
!
resource policy
!
memory-size iomem 20
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.19.1 192.168.19.10
ip dhcp excluded-address 192.168.19.89 192.168.19.254
!
ip dhcp pool The_Data
   import all
   network 192.168.19.0 255.255.255.0
   dns-server 4.2.2.1 199.72.1.1 
   default-router 192.168.19.1 
   domain-name GREEN.local
   lease 0 2
!
ip dhcp pool 90
   host 192.168.19.90 255.255.255.0
   client-identifier 0100.15c5.a642.aa
   client-name WOLF
   default-router 192.168.19.1 
   domain-name GREEN.local
   dns-server 4.2.2.1 199.72.1.1 
   netbios-name-server 192.168.19.254 
   lease infinite
!
!
ip domain name GREEN.local
ip name-server 4.2.2.1
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3734409403
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3734409403
 revocation-check none
 rsakeypair TP-self-signed-3734409403
!
!
crypto pki certificate chain TP-self-signed-3734409403
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  FF246F16 A4DAB5ED D1E50C54 5F2DE435 2C7DC70D 0F367108 EFE79349 367B9F2F 
  936AC003 330809C7 6EBB7881 227D2832 C2
  quit
username bsmith privilege 15 password 0 ThePasswd
username asmith privilege 10 secret 5 $1$5XXXXXXZ3.
username admin privilege 15 view root password 0 TheOtherPasswd
!
! 
!
!
!
!
!
interface FastEthernet0/0
 description Spare Interface for External Ethernet WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1412
 no ip mroute-cache
 speed 100
 full-duplex
 no keepalive
 no cdp enable
!
interface Service-Engine0/0
 no ip address
!
interface FastEthernet0/1
 description connection to customer LAN
 ip address 12.34.56.185 255.255.255.248 secondary
 ip address 192.168.19.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 ip policy route-map INTERNET
 no ip mroute-cache
 speed 100
 full-duplex
 no keepalive
 no cdp enable
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/2/0
 description connection to FTLDFLOV GAR5 (Ckt.ID - DHEC123456789)
 bandwidth 1536
 ip address 12.34.43.218 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl both
 no cdp enable
!
interface ATM0/3/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0/3/0.1 point-to-point
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 no ip address
!
interface Dialer0
 description AT&T DSL - Miami
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 shutdown
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname user@bellsouth.net
 ppp chap password 7 XXXXXXXXXXXXXXx
 ppp pap sent-username user@bellsouth.net password 7 XXXXXXXXXXXXXXXXXx
 ip rtp header-compression iphc-format
 ip rtp compression-connections 64
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map DSL interface Dialer0 overload
ip nat inside source route-map T1 interface Serial0/2/0 overload
ip nat inside source static 192.168.19.90 12.34.56.190
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 150 remark Route WWW traffic over DSL
access-list 150 permit tcp any any eq www
access-list 150 deny   ip any any
access-list 151 remark sends all Non-WWW traffic over T1 interface
access-list 151 permit ip any any
dialer-list 1 protocol ip permit
!
route-map INTERNET permit 10
 match ip address 150
 set ip default next-hop 65.14.11.7
!
route-map INTERNET permit 20
 match ip address 151
 match interface Serial0/2/0
 set ip default next-hop 12.34.43.217
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!         
!
!
!
!
!
banner login ^CNo unauthorized Access . Log Off Now!
^C
!
line con 0
line aux 0
 session-timeout 7 
 no exec-banner
 exec-timeout 5 0
 password ThePasswd
 authorization exec Console
 login authentication Console
 transport input all
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 transport input telnet ssh
 transport output telnet ssh
!
ntp clock-period 17179919
ntp update-calendar
ntp server 192.5.41.41
ntp server 135.89.154.147 prefer
ntp server 135.89.152.51
ntp server 135.89.152.52
ntp server 135.89.154.148
ntp server 152.158.74.251
ntp server 192.5.41.209 prefer
ntp server 12.38.168.18
end


Asked by: aalbert69

1 Solution
ricks_v commented:
Try modifying your ACL.
Use the LAN address and its subnet, then the destination.
Be as specific as you can in the ACL; otherwise this will affect the rest of the routes that you have.

You need something like:
access-list 150 remark Route WWW traffic over DSL
access-list 150 permit tcp (LAN address) any eq www
access-list 150 deny   ip any any

then remove the acl 151, and use static route to go to T1 for the rest.

This way, any non www traffic will not be affected.

0
 
memo_tnt commented:
You need to be careful: your interface dialer 0 is shutdown, so turn it on:
int dialer 0
no shut
Then add this to both dialer 0 and Serial0/2/0:
ip load-sharing per-packet
and use the default routes:
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
ip route 0.0.0.0 0.0.0.0 Dialer0

Try and reply.
0
 
JFrederick29 commented:
First, fix your NAT config so traffic will be properly NAT'ed depending on which interface/ISP is used.

conf t

route-map T1 permit 10
 match ip address 1
 match interface Serial0/2/0

route-map DSL permit 10
 match ip address 1
 match interface Dialer0

Then for the route-map:

no route-map INTERNET permit 20

ip route 0.0.0.0 0.0.0.0 12.34.43.217  <--any traffic not sent out the DSL via PBR will be routed via T1

Also make sure you "no shut" the dialer0 interface when ready to bring it up.
0
 
aalbert69 (Author) commented:
Worked great. Only question remaining is: what changes would you suggest for the NAT?
0
 
JFrederick29 commented:
NAT looks good.  No changes necessary.
0
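As an added example (my own code, not from this thread or from Cisco), here is a small Python audit that parses an IOS-style config and flags the problems the answers above deal with: a NAT outside interface left shutdown, NAT statements that reference route-maps which are never defined (the posted config references DSL and T1 but defines neither), NAT route-maps without 'match interface', a PBR entry whose ACL is 'permit ip any any', and (ricks_v's point) a PBR ACL entry with an 'any' source. BEFORE is a constructed, trimmed copy of the posted config; AFTER applies JFrederick29's changes plus the LAN-source restriction. The parser only understands the statement forms used here, and the finding texts and function names are my own.

```python
# Added example (not from the thread): audit an IOS-style config for the dual-WAN PBR/NAT pitfalls above.
import re

def parse_config(text):
    """Collect interfaces, route-maps, numbered ACLs and NAT route-map statements."""
    cfg = {"interfaces": {}, "route_maps": {}, "acls": {}, "nat": []}
    block = None  # (kind, name) of the indented block currently open
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            block = None  # '!' ends the current object
            continue
        if raw.startswith(" "):  # sub-command of the open block
            if block and block[0] == "interface":
                cfg["interfaces"][block[1]].append(" ".join(words))
            elif block and block[0] == "route-map" and words[0] == "match":
                cfg["route_maps"][block[1]][-1]["match"].append(" ".join(words[1:]))
            continue
        block = None
        if words[0] == "interface":
            block = ("interface", words[1])
            cfg["interfaces"].setdefault(words[1], [])
        elif words[0] == "route-map":
            block = ("route-map", words[1])
            seq = int(words[3]) if len(words) > 3 else 10
            cfg["route_maps"].setdefault(words[1], []).append({"seq": seq, "match": []})
        elif words[0] == "access-list":
            cfg["acls"].setdefault(words[1], []).append(" ".join(words[2:]))
        else:
            m = re.match(r"ip nat inside source route-map (\S+) interface (\S+)", raw)
            if m:
                cfg["nat"].append(m.groups())
    return cfg

def audit(cfg):
    """Return one finding per problem; an empty list means every check passed."""
    out, rmaps, ifaces, acls = [], cfg["route_maps"], cfg["interfaces"], cfg["acls"]
    # NAT: egress interface up; route-map defined and pinned with 'match interface'.
    for name, ifname in cfg["nat"]:
        if "shutdown" in ifaces.get(ifname, []):
            out.append(f"NAT interface {ifname} is shutdown")
        if name not in rmaps:
            out.append(f"NAT references undefined route-map {name}")
        elif not all(any(m.startswith("interface ") for m in e["match"]) for e in rmaps[name]):
            out.append(f"NAT route-map {name} lacks 'match interface'")
    # PBR: 'permit ip any any' hijacks every packet; an 'any' source is wider than the LAN.
    for ifname, cmds in ifaces.items():
        for name in [c.split()[-1] for c in cmds if c.startswith("ip policy route-map ")]:
            if name not in rmaps:
                out.append(f"{ifname} applies undefined route-map {name}")
                continue
            for e in rmaps[name]:
                for acl in [m.split()[-1] for m in e["match"] if m.startswith("ip address ")]:
                    for entry in acls.get(acl, []):
                        w = entry.split()
                        if w[:4] == ["permit", "ip", "any", "any"]:
                            out.append(f"{name} seq {e['seq']}: ACL {acl} '{entry}' policy-routes all traffic")
                        elif w[0] == "permit" and len(w) > 3 and w[2] == "any":
                            out.append(f"{name} seq {e['seq']}: ACL {acl} '{entry}' has an 'any' source, not the LAN")
    return out

# Constructed: trimmed from the config in the original post.
BEFORE = """\
interface FastEthernet0/1
 ip nat inside
 ip policy route-map INTERNET
!
interface Serial0/2/0
 ip nat outside
!
interface Dialer0
 ip nat outside
 shutdown
!
ip nat inside source route-map DSL interface Dialer0 overload
ip nat inside source route-map T1 interface Serial0/2/0 overload
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 150 permit tcp any any eq www
access-list 150 deny   ip any any
access-list 151 permit ip any any
route-map INTERNET permit 10
 match ip address 150
 set ip default next-hop 65.14.11.7
route-map INTERNET permit 20
 match ip address 151
 match interface Serial0/2/0
 set ip default next-hop 12.34.43.217
"""

# AFTER = BEFORE with the accepted answer applied: Dialer0 no longer shut down, route-maps T1/DSL
# defined with 'match interface', 'INTERNET permit 20' replaced by a default route via the T1,
# plus ricks_v's LAN-source restriction on ACL 150.
AFTER = (BEFORE.replace(" shutdown\n", "")
         .replace("permit tcp any any eq www", "permit tcp 192.168.19.0 0.0.0.255 any eq www")
         .split("route-map INTERNET permit 20")[0]
         + "ip route 0.0.0.0 0.0.0.0 12.34.43.217\n"
           "route-map T1 permit 10\n match ip address 1\n match interface Serial0/2/0\n"
           "route-map DSL permit 10\n match ip address 1\n match interface Dialer0\n")

if __name__ == "__main__":
    print("BEFORE:", *audit(parse_config(BEFORE)), sep="\n  ")
    print("AFTER:", audit(parse_config(AFTER)))
```

Running it prints five findings for BEFORE and an empty list for AFTER. The first three findings (Dialer0 shutdown, route-maps DSL and T1 undefined) explain why the posted NAT statements could never select a translation, and the fifth is the 'permit ip any any' entry that policy-routes everything; the remaining entry is advisory, because a source of 'any' on the policy ACL also catches hosts that are not in 192.168.19.0/24 but arrive on the same interface.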
