asked on

Cisco Policy Based Routing of Traffic over 2 WAN Links - 2801

I have referenced the following two posts, and setup policy based route-maps on my router, to send the http traffic over the DSL link, while pushing other traffic over the T1. Unfortunately, when I setup this way, traffic does not go out at all (can't even ping remote hosts from the router itself) Prior to this, traffic would get out over
ip route 0.0.0.0 0.0.0.0 Serial0/2/0 and
ip route 0.0.0.0 .0.0.0.0 Dialer0 2

My end goal is to have http traffic go out over the DSL link, while everything else goes out over the T1... In the future I will add in some additional rules to route other non-mission critical data over the DSL link as well, but at this point I just need to get it to work.

https://www.experts-exchange.com/questions/24067045/Policy-Based-Routing-Cisco-2800.html

https://www.experts-exchange.com/questions/22110360/Configureing-PBR-Policy-Based-Routing-Cisco-2600.html

https://www.experts-exchange.com/questions/22066846/2611-Setup-policy-based-routing-to-defer-HTTP-traffic-to-specific-interface.html

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Store2801
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$OXXwVXXX.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local 
aaa authorization network default if-authenticated 
!
aaa session-id common
!
resource policy
!
memory-size iomem 20
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.19.1 192.168.19.10
ip dhcp excluded-address 192.168.19.89 192.168.19.254
!
ip dhcp pool The_Data
   import all
   network 192.168.19.0 255.255.255.0
   dns-server 4.2.2.1 199.72.1.1 
   default-router 192.168.19.1 
   domain-name GREEN.local
   lease 0 2
!
ip dhcp pool 90
   host 192.168.19.90 255.255.255.0
   client-identifier 0100.15c5.a642.aa
   client-name WOLF
   default-router 192.168.19.1 
   domain-name GREEN.local
   dns-server 4.2.2.1 199.72.1.1 
   netbios-name-server 192.168.19.254 
   lease infinite
!
!
ip domain name GREEN.local
ip name-server 4.2.2.1
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3734409403
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3734409403
 revocation-check none
 rsakeypair TP-self-signed-3734409403
!
!
crypto pki certificate chain TP-self-signed-3734409403
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  FF246F16 A4DAB5ED D1E50C54 5F2DE435 2C7DC70D 0F367108 EFE79349 367B9F2F 
  936AC003 330809C7 6EBB7881 227D2832 C2
  quit
username bsmith privilege 15 password 0 ThePasswd
username asmith privilege 10 secret 5 $1$5XXXXXXZ3.
username admin privilege 15 view root password 0 TheOtherPasswd
!
! 
!
!
!
!
!
interface FastEthernet0/0
 description Spare Interface for External Ethernet WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1412
 no ip mroute-cache
 speed 100
 full-duplex
 no keepalive
 no cdp enable
!
interface Service-Engine0/0
 no ip address
!
interface FastEthernet0/1
 description connection to customer LAN
 ip address 12.34.56.185 255.255.255.248 secondary
 ip address 192.168.19.1 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 ip policy route-map INTERNET
 no ip mroute-cache
 speed 100
 full-duplex
 no keepalive
 no cdp enable
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/2/0
 description connection to FTLDFLOV GAR5 (Ckt.ID - DHEC123456789)
 bandwidth 1536
 ip address 12.34.43.218 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl both
 no cdp enable
!
interface ATM0/3/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0/3/0.1 point-to-point
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 no ip address
!
interface Dialer0
 description AT&T DSL - Miami
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 shutdown
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname user@bellsouth.net
 ppp chap password 7 XXXXXXXXXXXXXXx
 ppp pap sent-username user@bellsouth.net password 7 XXXXXXXXXXXXXXXXXx
 ip rtp header-compression iphc-format
 ip rtp compression-connections 64
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map DSL interface Dialer0 overload
ip nat inside source route-map T1 interface Serial0/2/0 overload
ip nat inside source static 192.168.19.90 12.34.56.190
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.19.0 0.0.0.255
access-list 150 remark Route WWW traffic over DSL
access-list 150 permit tcp any any eq www
access-list 150 deny   ip any any
access-list 151 remark sends all Non-WWW traffic over T1 interface
access-list 151 permit ip any any
dialer-list 1 protocol ip permit
!
route-map INTERNET permit 10
 match ip address 150
 set ip default next-hop 65.14.11.7
!
route-map INTERNET permit 20
 match ip address 151
 match interface Serial0/2/0
 set ip default next-hop 12.34.43.217
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!         
!
!
!
!
!
banner login ^CNo unauthorized Access . Log Off Now!
^C
!
line con 0
line aux 0
 session-timeout 7 
 no exec-banner
 exec-timeout 5 0
 password ThePasswd
 authorization exec Console
 login authentication Console
 transport input all
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 transport input telnet ssh
 transport output telnet ssh
!
ntp clock-period 17179919
ntp update-calendar
ntp server 192.5.41.41
ntp server 135.89.154.147 prefer
ntp server 135.89.152.51
ntp server 135.89.152.52
ntp server 135.89.154.148
ntp server 152.158.74.251
ntp server 192.5.41.209 prefer
ntp server 12.38.168.18
end

Open in new window

ricks_v

try modifying your ACL.
Use LAN address and its subnet, then destination.
Be as specific as you can on ACL, otherwise this will affect the rest of the route that you have.

You need something like:
access-list 150 remark Route WWW traffic over DSL
access-list 150 permit tcp (LAN address) any eq www
access-list 150 deny ip any any

then remove the acl 151, and use static route to go to T1 for the rest.

This way, any non www traffic will not be affected.

memo_tnt

you need to be carefull that your interface dialer 0 is shutdown
so turn it on
int dialer 0
no shut
then add this
ip load-sharing per-packet
to both dialer 0 and Serial0/2/0
and use the default routes
ip route 0.0.0.0 0.0.0.0 Serial0/2/0
ip route 0.0.0.0 .0.0.0.0 Dialer0

try and reply

ASKER CERTIFIED SOLUTION

JFrederick29

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

aalbert69

ASKER

Worked Great ..... Only question remaining is what changes would you suggest for the NAT?

JFrederick29

NAT looks good. No changes necessary.