Cisco 1841 - Configure Routes

I have a question about if this is even possible or makes sense. We have a t-1 circuit that is connected to our other locations via an MPLS network. We also have a backup connection using Comcast Business internet. This is just for internet access. Of late, we have really been pushing our bandwidth with a lot of downloads needed (drawings, specs from some construction websites). I was wondering if it was feasible to set up a Cisco 1841 that I have to route internet traffic out to our Comcast connection and private IP traffic (192.168.0.0/255.255.240.0) through to the MPLS router.

Any help is appreciated.
Asked by: andrishelp
3 Solutions
 
John MeggersNetwork ArchitectCommented:
I'm setting up something similar for a customer right now.  The usual approach with two circuits of that type is you prefer the MPLS path, and if that goes down, BGP routes are removed, and then you use the Internet connection, which can have a VPN to the other site.  The challenge I had was the customer wanted to prefer the BGP (MPLS) path for some sites but use the IPSec tunnels for others.  So I used route tracking (also called IP SLA) in Cisco IOS to determine whether the IPSec peer was reachable, and if it was, inject a static route to the other site for the remote LAN.  Since the static will have a lower admin distance than BGP, the router will prefer the IPSec path instead of the BGP path.  If the Internet connection goes down, then route tracking will fail, the static route gets pulled from the RIB, and the BGP route is left to provide an alternate path.  Seems to be working great.  I'll see if I can post a sample config, if that will help.
0
 
John MeggersNetwork ArchitectCommented:
So, to clarify, my customer wants only traffic to a business partner to go over the MPLS network.  Traffic between his sites he wants to use the IPSec tunnels.  So he's still using the MPLS network, but bandwidth is better over the Internet connections, so that's better for pushing out patches, etc.

Start with your MPLS / BGP configuration to share routes over that path.  Add an IPSec configuration over the Internet to the WAN router as an alternate path for the same LAN subnets.

Enable route-tracking (IP SLA):

track 1 ip sla 10 reachability

ip sla 10
 icmp-echo <remote peer IP address, same as used in the IPSec configuration>
 timeout 10000
 threshold 100
 frequency 15

ip sla schedule 10 life forever start-time now


Add a static route statement tied to the route tracking mechanism:

! "track 1" refers to the tracked object defined above (track 1 ip sla 10 reachability)
ip route 10.1.1.0 255.255.255.0 <ISP next-hop address> track 1


You'll need to do this on both ends, otherwise you'll have asymmetric routing.  If tracking is successful, then this static will be in the RIB and these routes (on both sides of the tunnel) will force traffic to go through the IPSec tunnel instead of the MPLS path.  If Internet fails at either site, route tracking should also fail, in which case the static route is removed, and the BGP route becomes the best path.
0
 
andrishelpAuthor Commented:
I think you are over complicating what I need. Basically if a user on our network 192.168.0.0/22 wants to access a device on 192.168.4.0-192.168.15.255 I want the traffic to route to our Adtran MPLS router. Any other request (internet) should be routed to the Comcast router. Make sense? I am not worried about one circuit being down and switching to the other, etc.
0
 
John MeggersNetwork ArchitectCommented:
Are you exchanging BGP routes over the MPLS network?  If not, use static routes (IOS syntax for the 1841):

ip route 192.168.4.0 255.255.252.0 <MPLS router>
ip route 192.168.8.0 255.255.248.0 <MPLS router>
ip route 0.0.0.0 0.0.0.0 <Internet router>

If that's all you want, then yes, I agree my solution is more complex than you need...  ;-)
0
 
andrishelpAuthor Commented:
No BGP.

Can I just do something like this...

ip route 192.168.0.0 255.255.240.0 192.168.0.1
! 192.168.0.1 = MPLS router

ip route 0.0.0.0 0.0.0.0 50.xxx.xxx.xx
! 50.xxx.xxx.xx = internet router
0
 
dcj21Commented:
@Andrishelp

Correct.

You can set specific routes to go to the MPLS circuit and then set your default to go out your Internet circuit. If you are not using a routing protocol (RIPv2, EIGRP, etc.), don't forget to set a static route at the other MPLS site.

And you can use a subnet that includes the 'connected' subnets in your static route to the MPLS cloud. The router will see the connected, more specific (as in smaller) networks and give them priority.
0
 
andrishelpAuthor Commented:
I tried my routes as shown above late yesterday and it didn't completely work. I set these routes. I changed my laptop so that the default gateway is 192.168.0.2 (Cisco router). I can get to the MPLS network without a problem. However, any other traffic doesn't seem to get to the internet. I can ping the Comcast router from the inside 192.168.0.2 and from the outside 50.73.xxx.xx (Comcast router) but it doesn't go any further than that. I will keep working on it over the weekend and let you know if I find any issues.

dcj21: What do you mean "Set a static route at the other MPLS site"?
0
 
dcj21Commented:
The other MPLS site needs to know how to get back to you. Sounds like they have it since it's working.

Can you ping 8.8.8.8? Traceroute (tracert on Windows)?
Please share your route table -- show ip route


Since you can ping the Comcast router, I think routing is ok. Do you have a NAT setup for the internet port? You need to NAT your 192.168.0.0 network behind the IP address on your Internet port.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
0
 
ipajonesCommented:
I think perhaps policy based routing would be a better solution.  With this you could create a route-map to match specific traffic and then policy route the traffic instead of using the routing table.

For example, create an extended access list to match the specific traffic:
access-list 101 permit ip 192.168.0.0 0.0.15.255 any


(Here I'm just matching any source traffic coming from 192.168.0.0/20 going to any destination, but you could match based on traffic type or destination etc)

Next reference the ACL from a route map:
route-map policy1 permit 10
match ip address 101
set ip next-hop <next hop for MPLS link>


(there are lots of things you can do here and in fact you can also track an SLA to determine whether the policy should be applied)

Now apply the policy to the appropriate incoming interface that needs to route the traffic, for example:
int gi0/1
ip policy route-map policy1



The above would send all source traffic from 192.168.0.0/20 to a specified next hop instead of using the routing table.  All other traffic would be routed normally.  If the next hop is not reachable then traffic matched by the policy would also be routed normally.  Remember equally you could do this the other way and policy route the Internet traffic instead.

Will also post a link on PBR if I can find one.
Hope this helps
--IJ
0
 
ipajonesCommented:
Here's a link as promised:
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html

Just noticed from a later post you want to policy route traffic destined to 192.168.4.0-192.168.15.255.  So you would just change the access list to the following if you're not worried about source:

access-list 101 permit ip any 192.168.4.0 0.0.3.255
access-list 101 permit ip any 192.168.8.0 0.0.7.255



The rest is the same as above.
--IJ
0
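As an added example (not ipajones's configuration and not IOS itself), here is a small Python model of how the ACL and route-map above classify packets: wildcard masks are converted to prefixes, the ACL is evaluated first-match with the implicit deny, and a helper checks that the two entries cover exactly 192.168.4.0-192.168.15.255. The MPLS next hop 192.168.0.1 and the sample source addresses are assumptions.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network, summarize_address_range

# Constructed copy of the extended ACL from the post; anything not matched
# falls through to the implicit deny and is routed by the routing table.
ACL_101 = """
access-list 101 permit ip any 192.168.4.0 0.0.3.255
access-list 101 permit ip any 192.168.8.0 0.0.7.255
""".strip().splitlines()

MPLS_NEXT_HOP = "192.168.0.1"  # assumed LAN address of the Adtran (MPLS) router

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks: 0 = must match, 1 = don't care."""
    mask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    if (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)

def parse_operand(tokens, i):
    """Parse one source/destination operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    t = line.split()  # access-list <num> <permit|deny> <proto> <src> <dst>
    src, i = parse_operand(t, 4)
    dst, _ = parse_operand(t, i)
    return t[2], t[3], src, dst

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, _proto, snet, dnet in map(parse_ace, acl):
        if s in snet and d in dnet:
            return action == "permit"
    return False

def policy_next_hop(src, dst):
    """route-map policy1: matched packets get the MPLS next hop, the rest use the RIB."""
    return MPLS_NEXT_HOP if acl_permits(ACL_101, src, dst) else "routing-table"

def acl_covers_exactly(acl, first, last):
    """True when the ACL's destination networks are exactly the range first..last."""
    want = list(summarize_address_range(IPv4Address(first), IPv4Address(last)))
    return sorted(parse_ace(line)[3] for line in acl) == sorted(want)
```

Running `acl_permits` with the earlier source-based entry (`permit ip 192.168.0.0 0.0.15.255 any`) instead shows why it had to be changed: it also matches LAN traffic bound for the Internet.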
 
andrishelpAuthor Commented:
Still working on this.
0
 
mat1458Commented:
Hi andrishelp,

It isn't too much of a problem to do that. If I sum up what I have seen so far it looks like this:

1. Your intra-company communication over the Adtran (MPLS) network works.
2. The internet router (Comcast) is attached to the same LAN as the Adtran but it does not yet seem to work.
3. You don't know yet how to set up the routes to go to the internet or to reach the other sites.

For point 1 there are probably no changes needed.

Point 2 probably needs a proper NAT configuration so that every internal private IP address gets translated into the outside address of your internet service provider (ISP). Depending on your attachment to the provider (I assume that you use an ethernet interface for that purpose, otherwise let me know) your configuration might look somewhat like this:
interface FastEthernet0/0
ip address 192.168.0.2 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 50.73.xxx.xx 255.255.x.x
ip nat outside
!
ip classless
!
! Translate everything matched by ACL_NAT to the address of the outside interface (PAT);
! "overload" belongs on the translation statement, not on a pool definition
ip nat inside source list ACL_NAT interface FastEthernet0/1 overload
!
ip access-list standard ACL_NAT
 remark All Company addresses (local and remote sites) are allowed for NAT to the internet
 permit 192.168.0.0 0.0.15.255
! On an Ethernet link an interface-only default route relies on the ISP answering proxy ARP;
! if you know the Comcast gateway address, use it as the next hop instead
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1


You can test that by configuring the default gateway of one of your PCs to 192.168.0.2, setting the DNS server of your service provider and then try to connect to the internet.

Point 3 is a matter of how much work you want on your PCs. If you want to add static routes to each device then this works by adding something like
route add -p 192.168.0.0 mask 255.255.240.0 192.168.0.1
route add -p 0.0.0.0 mask 0.0.0.0 192.168.0.2


(If your PCs get their IP address from a DHCP server then the second route is received from there. Set the default router in the DHCP server to 192.168.0.2.)
If your Cisco router has one free ethernet interface you could think of rearranging your network a little and saving some work on the PCs. You could make your network look like this:

192.168.0.0/22 LAN ---- Cisco Router ----192.168.99.0/24 Transport Segment ---- Adtran Router ---- Remote sites

The Cisco router would take the IP address 192.168.0.1 that the Adtran router had before, so the default gateway of all PCs would stay the same. The Cisco router then decides whether to send the traffic to the internet or to forward it to the Adtran router and the remote sites. This is done by adding a static route to the Cisco router that would look something like this:
ip route 192.168.0.0 255.255.240.0 192.168.99.2


(192.168.99.2 would be the new IP address of the LAN interface of the Adtran router.)
With that statement the Cisco Router decides where to send which traffic.

Let me know if that makes sense to you, or if you have further questions it might be helpful to see the configuration and version info of your Cisco router.

Kind regards,
mat

0
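As an added example (not mat's configuration and not Cisco code), a Python longest-prefix-match lookup over the routing table this layout produces: the connected 192.168.0.0/22 LAN, the 192.168.0.0/20 static toward the Adtran at 192.168.99.2, and the default toward Comcast. It illustrates dcj21's point above that the more specific connected subnet wins over the /20 static that also covers it. Interface names and the Fa0/2 transport interface are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table modelled on the thread's layout. Interface
# names and the transport-segment interface are assumptions.
RIB = [
    # (prefix, next hop or exit interface, source, administrative distance)
    ("192.168.0.0/22", "FastEthernet0/0", "connected", 0),
    ("192.168.99.0/24", "FastEthernet0/2", "connected", 0),
    ("192.168.0.0/20", "192.168.99.2", "static", 1),
    ("0.0.0.0/0", "FastEthernet0/1", "static", 1),
]


def lookup(dst):
    """Return (prefix, next_hop, source) for the best route to dst, or None.

    IOS installs the longest matching prefix; administrative distance only
    breaks ties between routes of the same length. That is why the connected
    /22 beats the /20 static even though both cover the local LAN.
    """
    addr = ip_address(dst)
    best = None
    for prefix, nh, src, ad in RIB:
        net = ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -ad)  # longer prefix first, then lower AD
        if best is None or key > best[0]:
            best = (key, prefix, nh, src)
    return None if best is None else best[1:]


def next_hop(dst):
    route = lookup(dst)
    return route[1] if route else "unreachable"


if __name__ == "__main__":
    for d in ("192.168.1.10", "192.168.4.7", "192.168.15.255", "8.8.8.8"):
        print(d, "->", lookup(d))
```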
 
Nayyar HH (CCIE RS)Network ArchitectCommented:
Is this resolved?
0
 
andrishelpAuthor Commented:
Not yet. This project got sidelined for a few weeks. I hope to get back to it next week. Sorry for the delay.
0
 
andrishelpAuthor Commented:
I got it running. My problem was that our DNS was outside of the routed network. I had to add in a route for that and it seems to work now. However one strange thing, when I did this it seems to be affecting traffic on some devices on the network. They can't seem to "get out" to the internet. Even though their gateway is not this router. I need to investigate that further.
0