Popeyediceclay (United States of America) asked:
PBR Issue - Cisco 1811W

I tried to set up PBR so that I could route all traffic from VLAN1 to Fast0/Public1 and all traffic from VLAN2 to Fast1/Public2, but also to have all traffic from VLAN1 destined for VLAN2 to be routed directly and vice-versa. I've only connected the VLAN1 and Public1 networks for now to test and it appears to be working but is EXTREMELY slow when browsing the web. Does anyone see anything wrong or inefficient about this configuration?

Thanks
Current configuration : 7467 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811W
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ????????????????????????????
enable password ?????????????
!
no aaa new-model
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
!
interface FastEthernet0
 description Connection to Public1$ETH-WAN$
 ip address Y.Y.Y.202 255.255.255.252
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet1
 description Connection to Public2$ETH-WAN$
 ip address Z.Z.Z.2 255.255.255.252
 ip access-group 189 in
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet2
 description Connected to VLAN1
!
interface FastEthernet3
 description Connected to VLAN2
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address A.A.A.254 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map routePublic1
!
interface Vlan2
 ip address B.B.B.62 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map routePublic2
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
router rip
 redistribute connected
 network B.0.0.0
 network A.0.0.0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
logging trap debugging
logging A.A.A.230
access-list 100 permit icmp any any log
access-list 100 permit ip any any log
!
access-list 180 remark ----ALLOW ALL TO Public1 NETWORK
access-list 180 permit ip any A.A.A.224 0.0.0.31 log
!
access-list 181 remark --------BEGIN OUTGOING RULES - VLAN2
access-list 181 remark ----LOG ALL ICMP
access-list 181 permit icmp any any log
access-list 181 remark ----PERMIT ALL IP
access-list 181 permit ip any any log
access-list 181 remark ----IMPLICIT DENY ALL
access-list 181 deny   ip any any log
access-list 181 remark --------END OUTGOING RULES - VLAN2
!
access-list 189 remark --------BEGIN INCOMING RULES - Public2
access-list 189 remark ----ALLOW ALL ESTABLISHED
access-list 189 permit tcp any any established
access-list 189 remark ----ALLOW ALL ICMP
access-list 189 permit icmp any any log
access-list 189 remark ----IMPLICIT DENY ALL
access-list 189 deny   ip any any log
access-list 189 remark --------END INCOMING RULES - Public2
!
access-list 190 remark ----ALLOW ALL TO Public2 NETWORK
access-list 190 permit ip any B.B.B.32 0.0.0.31 log
!
access-list 191 remark --------BEGIN OUTGOING RULES - VLAN1
access-list 191 remark ----LOG ALL ICMP
access-list 191 permit icmp any any log
access-list 191 remark ----PERMIT ALL IP
access-list 191 permit ip any any log
access-list 191 remark ----IMPLICIT DENY ALL
access-list 191 deny   ip any any log
access-list 191 remark --------END OUTGOING RULES - VLAN1
!
access-list 199 remark --------BEGIN INCOMING RULES - Public1
access-list 199 remark ----ALLOW ALL ESTABLISHED
access-list 199 permit tcp any any established
access-list 199 remark ----ALLOW ALL ICMP
access-list 199 permit icmp any any log
access-list 199 remark ----IMPLICIT DENY ALL
access-list 199 deny   ip any any log
access-list 199 remark --------END INCOMING RULES - Public1
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
route-map routePublic1 permit 10
 match ip address 190
 set interface Vlan2
!
route-map routePublic1 permit 20
 match ip address 191
 set ip next-hop Y.Y.Y.201
 set interface FastEthernet0
!
route-map routePublic2 permit 10
 match ip address 180
 set interface Vlan1
!
route-map routePublic2 permit 20
 match ip address 181
 set ip next-hop Z.Z.Z.1
 set interface FastEthernet1
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password ??????????
 login
!
!
!
webvpn cef
end
!


ASKER CERTIFIED SOLUTION
Donboo (Denmark)

This solution is only available to members.

ASKER

You're exactly right... mind if I ask if there's another way? Using the log parameter is the only way I knew how to debug stuff.
You can always use the debug IP packet command.
Yeah, I tried that but it generated so many messages it basically locked up the router.  Also, before I enabled PBR it was fine with CEF and the LOG parameter, do you think it has something to do with adding PBR or my PBR config?
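The accepted answer is not visible here, but the asker's follow-up confirms it concerned the log keyword: when a route-map matches an ACL line carrying log, every policy-routed packet is process switched, which cancels the ip route-cache policy configured on both SVIs. As an added example, not the poster's or Donboo's configuration, here is the same two-ISP policy rewritten with no logging in the route-map ACLs; it swaps the set interface sequences for a deny line that lets inter-VLAN packets fall through to normal routing over the connected subnets, and it keeps the address placeholders from the post.

```cisco
! Added example, not the configuration from the post. Placeholders are the
! poster's: A.A.A.224/27 = VLAN1, B.B.B.32/27 = VLAN2,
! Y.Y.Y.201 / Z.Z.Z.1 = ISP next hops on Public1 / Public2.
! No "log" on any ACL line a route-map matches: logged matches are process
! switched, which is what makes PBR crawl even with "ip route-cache policy".
!
no access-list 191
access-list 191 remark ---- VLAN1 -> VLAN2: fall through to normal routing
access-list 191 deny   ip A.A.A.224 0.0.0.31 B.B.B.32 0.0.0.31
access-list 191 remark ---- VLAN1 -> anything else: leave via Public1
access-list 191 permit ip A.A.A.224 0.0.0.31 any
!
no access-list 181
access-list 181 remark ---- VLAN2 -> VLAN1: fall through to normal routing
access-list 181 deny   ip B.B.B.32 0.0.0.31 A.A.A.224 0.0.0.31
access-list 181 remark ---- VLAN2 -> anything else: leave via Public2
access-list 181 permit ip B.B.B.32 0.0.0.31 any
!
! A "deny" in a route-map match ACL means "this sequence does not apply".
! With no matching sequence the packet is routed from the routing table,
! and the connected Vlan1/Vlan2 routes deliver it directly, so the old
! sequence 10 with "set interface" is no longer needed.
no route-map routePublic1
route-map routePublic1 permit 10
 match ip address 191
 set ip next-hop Y.Y.Y.201
!
no route-map routePublic2
route-map routePublic2 permit 10
 match ip address 181
 set ip next-hop Z.Z.Z.1
!
! Unchanged from the post: policy applied on the SVIs, fast-switched.
interface Vlan1
 ip route-cache policy
 ip policy route-map routePublic1
interface Vlan2
 ip route-cache policy
 ip policy route-map routePublic2
!
! To see what PBR is doing without the ACL log keyword:
!   show ip policy                 - which route-map is on which interface
!   show route-map routePublic1    - per-sequence match counters
!   debug ip policy                - policy decisions only, far quieter
!                                    than "debug ip packet"
```

The interface ACLs 199 and 189 keep their log keywords in this example; return web traffic matches the unlogged established line, so they are not what slows browsing, but every logged deny and ICMP packet on those interfaces is still process switched.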