Solved

Policy Based Routing Not Working on Cisco 2901

Posted on 2013-01-14
929 Views
Last Modified: 2013-01-15
I have a Cisco 2901 router as my network edge device with two ISPs available to use. I'd like to use my less reliable but high bandwidth second ISP link for HTTP and similar non-critical traffic.

This is a very basic PBR application, so I'm really unsure why it's not working.

After configuring my basic PBR solution and applying it to my inside interface, I get hits on the appropriate access list and route-map - packets tick up quite a bit during tests - but traffic is not leaving the router or possibly dropped at the ISP.

I have a feeling it's a NAT problem, but so far NAT seems fine. TAC found no configuration problems and promises that there are no NAT problems, but to be honest I had to guide the two different TAC engineers by the hand through my config (and corrected them a couple times), so I don't have 100% confidence in their assessment.

Attached is my current config. HTTP is supposed to go out the CABLE link. Everything else out the FIBER link. NAT issue? What do you think?

Phil
Question by:Phil1979

36 Comments
 
LVL 5
ID: 38776163
Hi Phil,

Where is the attachment?

Quick questions:
1. If it was done in an MW window, did you shut down the primary link and see how it goes? Will the routing be successful?
2. What does the traceroute say for an HTTP application? Where does it stop?
3. If you have access, can you debug the access list which matches the HTTP traffic in detail?

Let me know the scenario and I will try to emulate it in my lab; it looks interesting, though.

Regards
Game
 
LVL 12

Expert Comment

by:TomRScott
ID: 38776164
Attachment appears to be missing...

 - Tom
 

Author Comment

by:Phil1979
ID: 38776176
Router config
config.txt
 
LVL 13

Expert Comment

by:themrrobert
ID: 38776177
I think you forgot to attach the file.

Also, is traffic going through the fiber link?

All traffic? No traffic? Non-HTTP traffic?
 

Author Comment

by:Phil1979
ID: 38776193
I attached the config again - sorry about that.

The FIBER link is my default gateway and right now all traffic goes out that way - g0/0/0.

I want to divert HTTP traffic to the CABLE link - g0/0.

What do you think?
 
LVL 5
ID: 38776197
Hello,

interface GigabitEthernet0/1.1
 description DATA_GATEWAY
 encapsulation dot1Q 1 native
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map HTTP_TRAFFIC

The route-map is for Gig0/0.1 and the NAT statement is for Gig0/0:

ip nat inside source route-map HTTP_TRAFFIC interface GigabitEthernet0/0 overload

Can you explain a bit about which are the inside and outside interfaces?

Regards
Game
 

Author Comment

by:Phil1979
ID: 38776211
I tried separate route-maps for the actual policy and for the NAT rule, but TAC recommended I use the same policy for both. Do you think I need to add a separate NAT policy to be used by g0/0?

g0/1.1 is the inside LAN gateway interface (the other sub-interfaces are for phones and other internal-use endpoints).

g0/0 is my CABLE ISP that I want to use for HTTP only.

g0/0/0 is my main pipe (FIBER) through which I want to send everything else.
 

Author Comment

by:Phil1979
ID: 38776218
Also, the route-map is used in the policy applied to g0/1.1 and then again for NAT on g0/0.

The actual route-map can be used anywhere, to identify traffic. I know that in the process of routing the 2901 uses route-maps first, and on my router this seems to be working because access-list 101 and route-map HTTP_TRAFFIC are getting hits when I test the solution.

However, I can't actually get to any websites, and I can't telnet to anything on the internet on port 80.

I've also tried this as a route-map specifying my lab computer and all traffic. When I did that the computer could not reach the internet whatsoever (let alone pings).
 
LVL 5
ID: 38776233
Is it like you are laying off TCP traffic explicitly by any means?
 
LVL 5
ID: 38776240
So, when you actually implement this, you don't have web traffic going out on either link as per your ACL definition? What's up with the next-hop, who is he?
 

Author Comment

by:Phil1979
ID: 38776254
No, I don't think so. I know the traffic is being diverted - at least it's hitting the ACL and route-map as HTTP from the LAN enters the router on g0/1.1.

As soon as I remove the policy HTTP is fine, though all traffic then goes out my default pipe g0/0/0 and nothing goes out g0/0.

This is a very simple PBR, so that's why I think there's some NAT issue or something similar not allowing traffic to get NAT'd out to the internet. Strange.

Can I really use the same route-map for my NAT statement and for my ip policy?
 

Author Comment

by:Phil1979
ID: 38776270
That's right. When I apply the policy, web traffic dies. Does not go out either link.

The next hop in the route-map is my CABLE gateway which in this case is the cable modem sitting on my server room wall.

I know for a fact it works because as a test I changed my default gateway for everything to use the cable modem instead as my default route and then use pbr to send to the FIBER link - the exact opposite. What happened was that the CABLE pipe worked fine and my FIBER pipe (which I was using for HTTP) did not work.
 
LVL 5
ID: 38776272
What do the NAT translations say when this happens? What are the outside global and outside local?

I was going through the route-map; what's up with the next-hop definition?

route-map HTTP_TRAFFIC permit 10
 match ip address 101
 set ip next-hop 72.72.72.73

Anything explicit ?

Regards
Game
 

Author Comment

by:Phil1979
ID: 38776295
The strange thing is that in my NAT translation table, where I should see my outside address as 72.72.72.73, I still see 50.50.50.50... that's why I'm leaning toward a NAT problem.

I'm not sure what you're asking about the next-hop definition. The next-hop statement is just the set statement directing any traffic defined in ACL 101 to 72.72.72.73, which is the address of my cable modem (CABLE ISP gateway).
 
LVL 5
ID: 38776301
Well, then the only place I would look would be at the NAT table translations and see what's happening. I would pick a quiet time, maybe at midnight, and then debug a specific NAT translation to begin with to troubleshoot NAT, but I highly doubt it's somewhere in the policy implementation that things are going wrong. I guess it would help if we had two different statements in the first place. I will go through the config once again to see if I see anything obvious.
 
LVL 5
ID: 38776322
I wanted to know if it was really the next-hop for the ISP, as I am unaware of the exit points. Anyway, that is strange:
interface GigabitEthernet0/0/0
 description FIBER
 ip address 50.50.50.50 255.255.255.248
 ip access-group 140 in
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex full
 speed auto
 crypto map VPN

which is your fiber :) . There are lots of things under this interface. I would definitely want a debug for NAT translations, at least for a specific host if it overkills for all.

Regards
Game
 
LVL 5
ID: 38776334
Why would you expect to see 72.72.72.73? You should see 72.72.72.74.
 
LVL 17

Expert Comment

by:rochey2009
ID: 38776385
Hi

Instead of this:

route-map HTTP_TRAFFIC permit 10
 match ip address 101
 set ip next-hop 72.72.72.73

do this

route-map HTTP_TRAFFIC permit 10
 match ip address 101
 match interface GigabitEthernet0/0
LVL 5
ID: 38776388
rochey2009, did you mean set interface gig0/0?
 

Author Comment

by:Phil1979
ID: 38776423
I've tried using the set interface g0/0 statement instead of the next hop. I've also tried set ip default next-hop. None work.

Game, to answer your question from above, my traceroutes from my Windows computers fail when the policy is applied. I don't see anything past the router. I didn't shut down my primary link, but I won't be able to try that tonight since I'm home now.

I was thinking of getting rid of the default gateway and just having a second route-map sending all non-HTTP traffic out the FIBER link.

I will try doing some deeper debugs next. I can easily narrow ACL 101 to match only my lab computer, so testing ideas during the day is just fine.
 
LVL 17

Expert Comment

by:rochey2009
ID: 38776453
 

Author Comment

by:Phil1979
ID: 38776475
I see, I see. That doesn't make total sense to me because I feel like there needs to be some sort of set statement, but Cisco knows best. Let me try this tonight using my lab computer at work. That would theoretically solve the NAT problem. I don't see set statements that tell the router where to send traffic, but let me try and see.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 38776495
regarding the author's comment "The strange thing is that in my nat translation table where I should see my outside address as 72.72.72.73 I still see 50.50.50.50.....that's why I'm leaning toward a nat problem

I'm not sure what you're asking about the next-hop definition. The next hop statement is just the set statement directing any traffic defined in acl 101 to 72.72.72.73 which is the address of my cable modem (CABLE ISP gateway)"

The next hop is not your interface address. It's the next hop. Where is traffic supposed to go when it exits 72.72.72.73?
 

Author Comment

by:Phil1979
ID: 38776530
My outside address on g0/0 is 72.72.72.74. The next hop is 72.72.72.73. It's my ISP gateway - 110% certain. It used to be my default gateway before the FIBER link was put in a few months ago. Therefore my route-map set statement is correct and in my experience should work fine...
 

Author Comment

by:Phil1979
ID: 38776813
Tried all of the above suggestions. Nothing so far. I'm still stuck on NAT. I don't see the right address in the NAT translation table...
 

Author Comment

by:Phil1979
ID: 38776921
Experimenting with NAT on both WAN interfaces. Still no success. No matter what I do, instead of successful web browsing I end up killing outbound HTTP traffic.
 
LVL 5
ID: 38777259
I have only one suggestion left, if it is feasible to deploy:

allow everything for your lab PC (i.e. instead of tcp, allow ip) for the 172.16.10.0 subnet, and also try to overload everything on the interface with 72.72.72.74 and see if NAT works properly.
 

Author Comment

by:Phil1979
ID: 38778121
I tried that the other day. Just for testing I allowed everything from my local PC at 172.16.10.40 without specifying any particular protocol, i.e. divert all traffic from this PC to CABLE. Didn't work. Last night I also tried overloading the entire 172.16.10.0 subnet on g0/0 rather than specifying a particular port in the route-map. That didn't work either. Good idea, though. I was excited about that one, thinking that possibly it just needs the layer 3 info and nothing more for simple NAT overload. Anyway, neither worked, and I have to keep working on this today to get it working properly. Not exactly optional at work right now - our FIBER link is not a huge pipe, so we really need our cable link working for HTTP and several other protocols for the larger downloads and uploads that we often do in my office.

I'll give another update shortly, but for now I'm not exactly sure what else to try...
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 38779343
If your NAT translation is showing you as 50.50.50.50 then the problem isn't NAT, because the traffic is going to the wrong interface.

You could try this:
1. Add your PC to the access list so that all of your traffic should follow PBR.
2. "clear ip nat *" to clear all of your translations, check to make sure it's gone.
3. try again and look at your new translation.

If it's still going to the wrong interface then PBR is not working. If it's not there at all then PBR is working but NAT isn't. Either way, a debug on the at-fault technology may help to determine what's wrong.
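The three-step check in the comment above (clear the translations, re-test from one PC, inspect the new entries) is easy to do by eye for one host, but an added script makes the verdict explicit. The following Python is an added example, not code from the thread or from Cisco: it parses the output of `show ip nat translations` captured after `clear ip nat *` and a re-test, reports which WAN address each inside host was translated to, and applies mikebernhardt's reasoning to one host and destination port. The sample output is constructed; the WAN addresses 50.50.50.50 (g0/0/0, FIBER) and 72.72.72.74 (g0/0, CABLE) are the ones quoted in the thread, while the lab PC 172.16.10.40 and the 203.0.113.x web servers are the sample's own assumptions.

```python
import re
from collections import defaultdict

# ip nat outside interface addresses from the config quoted in the thread.
WAN_ADDRESSES = {
    "50.50.50.50": "GigabitEthernet0/0/0 (FIBER)",
    "72.72.72.74": "GigabitEthernet0/0 (CABLE)",
}

# Constructed sample of `show ip nat translations` output (not captured from
# the thread's router). 172.16.10.40 stands in for the lab PC; 203.0.113.x
# are documentation addresses standing in for Internet web servers.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 50.50.50.50:1025   172.16.10.40:49152 203.0.113.10:80    203.0.113.10:80
tcp 50.50.50.50:1026   172.16.10.40:49153 203.0.113.10:80    203.0.113.10:80
tcp 50.50.50.50:1027   172.16.10.40:49154 203.0.113.20:443   203.0.113.20:443
udp 50.50.50.50:1028   172.16.10.55:5353  203.0.113.30:53    203.0.113.30:53
tcp 72.72.72.74:1029   172.16.10.40:49155 203.0.113.10:80    203.0.113.10:80
--- 50.50.50.50        172.16.10.2        ---                ---
"""

# One dynamic PAT entry: protocol followed by four address:port pairs.
ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<inside_global>[\d.]+):(?P<ig_port>\d+)\s+"
    r"(?P<inside_local>[\d.]+):(?P<il_port>\d+)\s+"
    r"(?P<outside_local>[\d.]+):(?P<ol_port>\d+)\s+"
    r"(?P<outside_global>[\d.]+):(?P<og_port>\d+)\s*$"
)


def parse_translations(text):
    """Parse dynamic PAT entries; the header and static (---) rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "proto": m["proto"],
            "inside_global": m["inside_global"],
            "inside_local": m["inside_local"],
            "outside_global": m["outside_global"],
            "dst_port": int(m["og_port"]),
        })
    return rows


def egress_by_host(rows, wan_addresses=WAN_ADDRESSES):
    """For each inside host, the sorted list of WAN interfaces its flows were NATed on."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["inside_local"]].add(
            wan_addresses.get(r["inside_global"], "unknown " + r["inside_global"]))
    return {host: sorted(ifaces) for host, ifaces in seen.items()}


def diagnose(rows, host, dst_port, expected_inside_global):
    """Apply the thread's reasoning to one host's TCP flows to one destination port.

    no entry at all        -> PBR steered the packet, but no NAT rule matched on
                              the exit interface: "pbr-ok-nat-missing"
    entry on the wrong WAN -> the packet never left via the PBR next hop:
                              "pbr-not-applied"
    entry on expected WAN  -> both PBR and NAT did their job: "ok"
    """
    flows = [r for r in rows
             if r["inside_local"] == host and r["proto"] == "tcp"
             and r["dst_port"] == dst_port]
    if not flows:
        return "pbr-ok-nat-missing"
    if any(r["inside_global"] != expected_inside_global for r in flows):
        return "pbr-not-applied"
    return "ok"


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_OUTPUT)
    for host, ifaces in egress_by_host(rows).items():
        print(host, "->", ", ".join(ifaces))
    print("lab PC port 80:", diagnose(rows, "172.16.10.40", 80, "72.72.72.74"))
```

On the constructed sample the lab PC's port-80 flows were translated to 50.50.50.50, so the verdict is "pbr-not-applied": the packets were NATed on the FIBER interface, which means they were routed there and the route-map's set statement never took effect, exactly the case Phil reports further down. Keep the test to one host, as the comment says, so the translation table is small enough that a single unexpected inside-global address stands out.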
 

Author Comment

by:Phil1979
ID: 38779372
Good point. So even though I'm getting hits on the ACL and route-map somehow the traffic is not being sent out the right interface. I wonder why?

I tried clearing the NAT translation table and checking quickly for my lab PC IP address. It popped back in with the 50.50.50.50 address after sending out some traffic to port 80. I guess that means that PBR itself is not working, and not necessarily NAT.

What could be going on? I can re-post my config if you like. It's a little different now after experimenting.
 
LVL 28

Accepted Solution

by:
mikebernhardt earned 500 total points
ID: 38779609
Since you're using the same access list for multiple functions there's no way to know which function is causing the hits. Try duplicating it and separating, then see which is getting hits.

But as we've said, debug may be really helpful:
debug ip packet detail
debug ip nat
debug ip policy

Run a test, capture all of the output, then
u all
to turn it off again. Keep your test to one machine to limit the output.
 

Author Comment

by:Phil1979
ID: 38779960
Awesome, it finally worked! The problem must have been with sharing route-maps for policy and for NAT. Your suggestion to split everything up seemed to do the trick and now my simple policy routing is working perfectly. I'd like to post my new config for you guys - let me scrub it and post it in a bit.

So - mental note for me: don't use the same route-map to identify traffic for your policy route-map and for NAT.
 
LVL 17

Expert Comment

by:rochey2009
ID: 38780004
Hi,

Try this

For the NAT:
route-map HTTP_TRAFFIC permit 10
 match ip address 101
 match interface GigabitEthernet0/0

ip nat inside source route-map HTTP_TRAFFIC interface GigabitEthernet0/0 overload

For the PBR:
route-map HTTP_NEXT_HOP permit 10
 match ip address 101
 set ip next-hop 72.72.72.73

interface GigabitEthernet0/1.1
 ip policy route-map HTTP_NEXT_HOP
 

Author Closing Comment

by:Phil1979
ID: 38780026
This answer was geared toward helping me debug the problem, but it also turned out to be the actual solution.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 38780483
That's actually really strange and leads me to wonder if there was some kind of bug. The access list itself just tells the function what to act on. It doesn't do anything in and of itself.
 
LVL 5
ID: 38781208
Good to know that it's finally solved.