Solved

PBR Issue - Cisco 1811W

Posted on 2009-04-20
Medium Priority
438 Views
Last Modified: 2012-05-06
I tried to set up PBR so that I could route all traffic from VLAN1 to Fast0/Public1 and all traffic from VLAN2 to Fast1/Public2, but also to have all traffic from VLAN1 destined for VLAN2 to be routed directly and vice versa. I've only connected the VLAN1 and Public1 networks for now to test and it appears to be working but is EXTREMELY slow when browsing the web. Does anyone see anything wrong or inefficient about this configuration?

Thanks

Current configuration : 7467 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811W
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ????????????????????????????
enable password ?????????????
!
no aaa new-model
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
!
interface FastEthernet0
 description Connection to Public1$ETH-WAN$
 ip address Y.Y.Y.202 255.255.255.252
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet1
 description Connection to Public2$ETH-WAN$
 ip address Z.Z.Z.2 255.255.255.252
 ip access-group 189 in
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface FastEthernet2
 description Connected to VLAN1
!
interface FastEthernet3
 description Connected to VLAN2
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address A.A.A.254 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map routePublic1
!
interface Vlan2
 ip address B.B.B.62 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 ip route-cache policy
 ip policy route-map routePublic2
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
router rip
 redistribute connected
 network B.0.0.0
 network A.0.0.0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
logging trap debugging
logging A.A.A.230
access-list 100 permit icmp any any log
access-list 100 permit ip any any log
!
access-list 180 remark ----ALLOW ALL TO Public1 NETWORK
access-list 180 permit ip any A.A.A.224 0.0.0.31 log
!
access-list 181 remark --------BEGIN OUTGOING RULES - VLAN2
access-list 181 remark ----LOG ALL ICMP
access-list 181 permit icmp any any log
access-list 181 remark ----PERMIT ALL IP
access-list 181 permit ip any any log
access-list 181 remark ----IMPLICIT DENY ALL
access-list 181 deny   ip any any log
access-list 181 remark --------END OUTGOING RULES - VLAN2
!
access-list 189 remark --------BEGIN INCOMING RULES - Public2
access-list 189 remark ----ALLOW ALL ESTABLISHED
access-list 189 permit tcp any any established
access-list 189 remark ----ALLOW ALL ICMP
access-list 189 permit icmp any any log
access-list 189 remark ----IMPLICIT DENY ALL
access-list 189 deny   ip any any log
access-list 189 remark --------END INCOMING RULES - Public2
!
access-list 190 remark ----ALLOW ALL TO Public2 NETWORK
access-list 190 permit ip any B.B.B.32 0.0.0.31 log
!
access-list 191 remark --------BEGIN OUTGOING RULES - VLAN1
access-list 191 remark ----LOG ALL ICMP
access-list 191 permit icmp any any log
access-list 191 remark ----PERMIT ALL IP
access-list 191 permit ip any any log
access-list 191 remark ----IMPLICIT DENY ALL
access-list 191 deny   ip any any log
access-list 191 remark --------END OUTGOING RULES - VLAN1
!
access-list 199 remark --------BEGIN INCOMING RULES - Public1
access-list 199 remark ----ALLOW ALL ESTABLISHED
access-list 199 permit tcp any any established
access-list 199 remark ----ALLOW ALL ICMP
access-list 199 permit icmp any any log
access-list 199 remark ----IMPLICIT DENY ALL
access-list 199 deny   ip any any log
access-list 199 remark --------END INCOMING RULES - Public1
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
route-map routePublic1 permit 10
 match ip address 190
 set interface Vlan2
!
route-map routePublic1 permit 20
 match ip address 191
 set ip next-hop Y.Y.Y.201
 set interface FastEthernet0
!
route-map routePublic2 permit 10
 match ip address 180
 set interface Vlan1
!
route-map routePublic2 permit 20
 match ip address 181
 set ip next-hop Z.Z.Z.1
 set interface FastEthernet1
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password ??????????
 login
!
!
!
webvpn cef
end
!

Question by:Popeyediceclay
4 Comments
 
LVL 9

Accepted Solution

by:
Donboo earned 2000 total points
ID: 24188013
You should remove the log parameter in your access-lists, as this disables CEF.
 
LVL 3

Author Closing Comment

by:Popeyediceclay
ID: 31572390
You're exactly right... Mind if I ask if there's another way? Using the log parameter is the only way I knew how to debug stuff.
 
LVL 9

Expert Comment

by:Donboo
ID: 24194980
You can always use the debug ip packet command.
 
LVL 3

Author Comment

by:Popeyediceclay
ID: 24196060
Yeah, I tried that, but it generated so many messages it basically locked up the router. Also, before I enabled PBR it was fine with CEF and the LOG parameter. Do you think it has something to do with adding PBR or my PBR config?
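An added check that illustrates the accepted answer; it is not code from this thread, and the sample config embedded in it is a constructed, trimmed copy of the VLAN1 policy posted in the question (the interface, the route-map it applies, the ACLs that route-map matches on, and the inbound ACL 199 for contrast). The script parses an IOS-style running config, finds the ACLs referenced by each route-map applied with ip policy route-map, reports the entries in them that carry the log or log-input keyword (the entries the accepted answer says take matching traffic off the CEF path, which defeats ip route-cache policy on that interface), and emits a copy of the config with the keyword removed from only those entries. It also shows why the slowdown appeared only once PBR was added: interface ACL 199 logs only ICMP and its final deny, whereas route-map ACL 191 logs "permit ip any any", so every web flow leaving VLAN1 hits a logged entry. It assumes numbered ACLs and the stanza layout shown in the question; the function names are mine.

```python
import re

# Constructed sample input: a trimmed copy of the VLAN1 policy from the question
# (interface, the route-map it applies, and the ACLs the route-map matches on),
# plus the inbound ACL 199, which is NOT referenced by any route-map.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address A.A.A.254 255.255.255.224
 ip route-cache policy
 ip policy route-map routePublic1
!
access-list 190 remark ----ALLOW ALL TO Public2 NETWORK
access-list 190 permit ip any B.B.B.32 0.0.0.31 log
!
access-list 191 remark ----LOG ALL ICMP
access-list 191 permit icmp any any log
access-list 191 permit ip any any log
access-list 191 deny   ip any any log
!
access-list 199 permit tcp any any established
access-list 199 permit icmp any any log
access-list 199 deny   ip any any log
!
route-map routePublic1 permit 10
 match ip address 190
 set interface Vlan2
!
route-map routePublic1 permit 20
 match ip address 191
 set ip next-hop Y.Y.Y.201
 set interface FastEthernet0
"""

# 'log' or 'log-input' as a whole word anywhere after the permit/deny action.
LOG_KEYWORD = re.compile(r"(?:^|\s)log(?:-input)?(?:\s|$)")


def _stanzas(config):
    """Yield (header, [indented lines]) per top-level stanza; a '!' line ends one."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" "):
            if header is not None:
                body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        text = raw.strip()
        header, body = (text if text and text != "!" else None), []
    if header is not None:
        yield header, body


def policy_interfaces(config):
    """Interface name -> route-map name applied with 'ip policy route-map'."""
    result = {}
    for header, body in _stanzas(config):
        if header.startswith("interface "):
            for line in body:
                m = re.match(r"ip policy route-map (\S+)$", line)
                if m:
                    result[header.split(None, 1)[1]] = m.group(1)
    return result


def route_map_acls(config):
    """Route-map name -> ordered, de-duplicated ACL ids from 'match ip address'."""
    result = {}
    for header, body in _stanzas(config):
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+$", header)
        if not m:
            continue
        acls = result.setdefault(m.group(1), [])
        for line in body:
            mm = re.match(r"match ip address (.+)$", line)
            if mm:
                for acl in mm.group(1).split():
                    if acl not in acls:
                        acls.append(acl)
    return result


def logged_aces(config):
    """ACL id -> numbered-ACL permit/deny lines that carry log or log-input."""
    result = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (?:permit|deny)\s+(.*)$", line)
        if m and LOG_KEYWORD.search(m.group(2)):
            result.setdefault(m.group(1), []).append(line)
    return result


def pbr_logging_findings(config):
    """(interface, route-map, acl, ace) for every logging ACE in an ACL that a
    policy route-map matches on: the entries that pull PBR traffic off CEF."""
    logged = logged_aces(config)
    per_map = route_map_acls(config)
    findings = []
    for intf, rmap in policy_interfaces(config).items():
        for acl in per_map.get(rmap, []):
            for ace in logged.get(acl, []):
                findings.append((intf, rmap, acl, ace))
    return findings


def strip_pbr_logging(config):
    """Copy of the config with log/log-input removed from the offending ACEs only;
    logging on ACLs not used by PBR (e.g. the interface ACLs) is left alone."""
    offending = {ace for _, _, _, ace in pbr_logging_findings(config)}
    fixed = []
    for line in config.splitlines():
        if line in offending:
            line = re.sub(r"\s+log(?:-input)?(?:\s+\S+)?\s*$", "", line)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for intf, rmap, acl, ace in pbr_logging_findings(SAMPLE_CONFIG):
        print(f"{intf}: route-map {rmap} matches ACL {acl}: {ace.strip()}")
    print("--- corrected config ---")
    print(strip_pbr_logging(SAMPLE_CONFIG))
```

Run against the sample it reports the four logged entries in ACLs 190 and 191 that routePublic1 matches on, and the corrected copy keeps the log keyword on ACL 199, which only governs what is logged inbound on FastEthernet0 and is not part of the PBR decision.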
