Solved

Using Policy Based Routing to route port 80 traffic out of secondary internet circuit on Cisco Router

Posted on 2014-03-06
1,446 Views
Last Modified: 2014-03-10
I have a Cisco 2911 router that has two internet circuits.  The serial interface is the T1, and interface gi0/0 is the cable modem.  I use PBR to push port 80 and port 81 out of the cable modem.  It seems to be working: if I go to www.ipchicken.com the IP address of the cable modem shows up, so I know port 80 is going out the right circuit.  Here's the problem: the cable modem is a 50 Mbps circuit.  If I connect my laptop directly to the cable modem, all day every day I can achieve 50 Mbps downloads.  When the router is connected to the cable modem, with port 80 traffic going through it, I can't get more than 1.5 Mbps speeds.  I don't understand what is happening.  I have this same exact setup at other locations but using 2800 series routers.  The only difference in this setup is that it's a 2900 series.  I will attach the configuration.  Any assistance would be greatly appreciated.  Thanks.
2911-Configuration.txt
Question by:denver218
15 Comments
 
LVL 14

Expert Comment

by:Don Thomson
ID: 39909722
I suspect that the Rate-Limit speed has been set at around the 1.5 Mbps limit.

Here's some info on that

http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/command/reference/fqos_r/qrfcmd8.html
0
 
LVL 4

Author Comment

by:denver218
ID: 39910091
Did you look at the configuration?  I don't have rate limiting configured.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39910146
I can't see where you're sending ports 80 and 81 out via the cable modem.

You have these NAT statements...

ip nat inside source route-map CABLE interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT interface Serial0/0/0.1 overload

...and these ACLs and route-maps...

ip access-list extended NAT
 deny   ip 172.18.106.0 0.0.0.255 10.11.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.15.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.41.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.52.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.253.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.254.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.0.0.0 0.0.15.255
 deny   ip 172.18.106.0 0.0.0.255 172.31.252.0 0.0.3.255
 permit ip 172.18.106.0 0.0.0.255 any
!
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.15.1.0 0.0.0.255
access-list 141 permit ip 172.18.106.0 0.0.0.255 any
!
!
!
!
route-map CABLE permit 10
 match ip address 141
 match interface GigabitEthernet0/0
!
route-map NAT permit 10
 match ip address NAT

So, based on that NAT statement configuration it looks to me like you're not sending 80 and 81 out of the cable link specifically.

You need to be using the CABLE-WEB route-map to send traffic over the cable link.

I know that you say you're seeing the correct IP when you go to IPChicken, but I think that's probably a cached result.

As I say, that's what it looks like.
0
 
LVL 4

Author Comment

by:denver218
ID: 39910241
I'm sending port 80 and port 81 out the cable modem via the following:

route-map CABLE-WEB permit 10
 match ip address 180
 set ip next-hop verify-availability x.x.20.73 50 track 101

access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq www
access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 81

interface GigabitEthernet0/1
 description LAN
 ip address 172.18.106.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip policy route-map CABLE-WEB
 duplex auto
 speed auto

I don't think the ipchicken ip is cached.  If I unplug the cable modem and go to ipchicken.com the ip of the T1 comes up as it should.  If I plug the cable modem back in, wait for the track to come back up, and then go to ipchicken.com the IP changes to the cable modem.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39910286
Ok fair enough.

If you're using NAT statements you don't need to do it at the interface.  I'm struggling to work out how your web traffic is going over the cable-modem but only at the Serial line speed - the interface statement is what must be causing this.
0
 
LVL 4

Author Comment

by:denver218
ID: 39910813
Yeah that's where I'm at with it too.  So you think it has to do with the NAT overload on the cable modem interface?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39911058
I think it's being NAT'ed by both policies, ending up on the Serial NAT.  I can't explain why you get the right IP though.
0
 
LVL 4

Author Comment

by:denver218
ID: 39911240
I can try and remove that NAT statement early tomorrow morning and see what the outcome is?  I'll keep you updated.
0
 
LVL 4

Author Comment

by:denver218
ID: 39912197
I removed that NAT statement, but couldn't get out to the internet so I added it back.  Still having the same speed problem.
0
 
LVL 4

Author Comment

by:denver218
ID: 39912267
I opened up a TAC case; they seem stumped as well.  I will post an update when I have something.  In the meantime, if anyone has any ideas, please share.  Thanks.
0
 
LVL 4

Author Comment

by:denver218
ID: 39912808
TAC seems to be stumped as well.  They want me to be onsite for further testing, but that is just not feasible right now because the location this router is at is 4 hours away.  Here's what I know so far.  Again this morning, I had a user plug a laptop directly into the cable modem, and I do get 50 Mbps.  I had the user plug the cable modem back into the router, and I get only 1.5 Mbps.  I'm thinking there may be some asymmetric routing going on.  Maybe it's going out one path, but coming back in over the T1?  I guess that could be possible.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39912837
It's doubtful.  I don't see how the site would know about the other circuit to send traffic back over it.

Can you try a different website?  Go to www.whatismyip.com and see what that says.

The only other thing I could suggest is to push all traffic over the cable link without the policy routing to see if you get the 50Mbps then.  If you don't I'd look at issues with cabling or duplex between the router and the modem maybe.
0
 
LVL 4

Author Comment

by:denver218
ID: 39913128
I figured so.  If I go to www.whatismyip.com, I get the same result.  I thought about it being a speed, duplex, or cable issue, but I have no interface errors.  I called the ISP just to be sure of their speed and duplex, so that matches.  I will try pushing all traffic over the cable modem and see what happens during a maintenance window.
0
 
LVL 4

Author Comment

by:denver218
ID: 39918623
Turns out my configuration was working properly all along.  I figured all speed test sites use port 80, but I was wrong.  I was only pushing port 80 and 81 out of the cable modem, so if I ran a speed test that used a different destination port, I of course would get the speed of the T1.  To prove this, I found a speed test website that uses one single destination port, I added this port to the access-list 180, and speed tests came back at 50Mbps on the cable modem like they should.
0
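The resolution above is worth seeing as a classification rule rather than a feeling. The following is an added example, not code from the thread or from Cisco: a small Python model of the posted access-list 180 and route-map CABLE-WEB that shows, flow by flow, which flows get the cable next-hop and which fall through to the routing table (the T1). The LAN prefix 172.18.106.0/24 and ports 80/81 come from the posted configuration; the host addresses, the port 8080 used to stand in for "a speed test site that uses a single destination port", and the treatment of track 101 as a simple up/down flag are constructed assumptions.

```python
"""
Added example (not from the original thread or from Cisco): a minimal model
of the policy-based-routing decision described in the question.

It mirrors the posted configuration:
    access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq www
    access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 81
    route-map CABLE-WEB permit 10
     match ip address 180
     set ip next-hop verify-availability <cable-gw> 50 track 101

A flow is policy-routed to the cable modem only if ACL 180 permits it AND the
tracked next hop is up; anything else is forwarded by the routing table,
whose default route here is the T1. That is exactly why a speed test on a
port other than 80/81 measured the T1 speed.

All hosts, ports and flows below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Inside LAN prefix from the posted config (wildcard 0.0.0.255 == /24).
LAN = ipaddress.ip_network("172.18.106.0/24")


@dataclass(frozen=True)
class Flow:
    src: str     # source IP address of the client
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


# access-list 180 as posted: (action, protocol, source network, dest port).
# "eq www" is TCP port 80.
ACL_180 = [
    ("permit", "tcp", LAN, 80),
    ("permit", "tcp", LAN, 81),
]


def acl_permits(acl, flow):
    """First-match evaluation with IOS's implicit deny at the end."""
    for action, proto, src_net, dport in acl:
        if (proto == flow.proto
                and ipaddress.ip_address(flow.src) in src_net
                and dport == flow.dport):
            return action == "permit"
    return False


def egress(flow, acl=ACL_180, track_101_up=True):
    """route-map CABLE-WEB: cable next hop if the ACL matches and the tracked
    next hop is reachable; otherwise normal routing (the T1)."""
    if acl_permits(acl, flow) and track_101_up:
        return "cable"
    return "t1"


def add_port(acl, port):
    """The fix the author applied: one more permit line for the test site's port."""
    return acl + [("permit", "tcp", LAN, port)]


# Constructed sample flows from a LAN host and from a host outside the LAN.
SAMPLE_FLOWS = {
    "browse_80": Flow("172.18.106.50", "tcp", 80),
    "browse_81": Flow("172.18.106.50", "tcp", 81),
    "https_443": Flow("172.18.106.50", "tcp", 443),
    "speedtest_8080": Flow("172.18.106.50", "tcp", 8080),  # assumed test port
    "dns_udp_53": Flow("172.18.106.50", "udp", 53),
    "other_subnet_80": Flow("172.18.107.9", "tcp", 80),
}


def classify(acl=ACL_180, track_101_up=True):
    """Map each sample flow name to the circuit it leaves on."""
    return {name: egress(f, acl, track_101_up) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("As posted (track 101 up):")
    for name, path in classify().items():
        print(f"  {name:16s} -> {path}")
    print("After adding the speed-test port to ACL 180:")
    for name, path in classify(add_port(ACL_180, 8080)).items():
        print(f"  {name:16s} -> {path}")
```

Only the two web ports leave on the cable circuit; 443, 8080, UDP and hosts outside 172.18.106.0/24 all take the T1, and when track 101 is down even port 80 falls back to the T1. Adding the test site's port to ACL 180 moves that one flow to the cable circuit, which is the behaviour the author observed.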
 
LVL 4

Author Closing Comment

by:denver218
ID: 39918625
Thanks for your help.
0
