denver218
Using Policy Based Routing to route port 80 traffic out of secondary internet circuit on Cisco Router

I have a Cisco 2911 router that has two internet circuits. The serial interface is the T1, and interface gi0/0 is the cable modem. I use PBR to push port 80 and port 81 out of the cable modem. It seems to be working: if I go to www.ipchicken.com the IP address of the cable modem shows up, so I know port 80 is going out the right circuit. Here's the problem: the cable modem is a 50 Mbps circuit. If I connect my laptop directly to the cable modem, all day every day I can achieve 50 Mbps downloads. When the router is connected to the cable modem, with port 80 traffic going through it, I can't get more than 1.5 Mbps speeds. I don't understand what is happening. I have this same exact setup at other locations but using 2800 series routers. The only difference with this setup is that it's a 2900 series. I will attach the configuration. Any assistance would be greatly appreciated. Thanks.
2911-Configuration.txt
Don Thomson

I suspect that the rate-limit speed has been set at around the 1.5 Mbps limit.

Here's some info on that

http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/command/reference/fqos_r/qrfcmd8.html
denver218 (Asker)
Did you look at the configuration?  I don't have rate limiting configured.
I can't see where you're sending ports 80 and 81 out via the cable modem.

You have these NAT statements...

ip nat inside source route-map CABLE interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT interface Serial0/0/0.1 overload

...and these ACLs and route-maps...

ip access-list extended NAT
 deny   ip 172.18.106.0 0.0.0.255 10.11.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.15.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.41.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.52.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.253.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.254.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.0.0.0 0.0.15.255
 deny   ip 172.18.106.0 0.0.0.255 172.31.252.0 0.0.3.255
 permit ip 172.18.106.0 0.0.0.255 any
!
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.15.1.0 0.0.0.255
access-list 141 permit ip 172.18.106.0 0.0.0.255 any
!
route-map CABLE permit 10
 match ip address 141
 match interface GigabitEthernet0/0
!
route-map NAT permit 10
 match ip address NAT

So, based on that NAT statement configuration it looks to me like you're not sending 80 and 81 out of the cable link specifically.

You need to be using the CABLE-WEB route-map to send traffic over the cable link.

I know that you say you're seeing the correct IP when you go to IPChicken, but I think that's probably a cached result.

As I say, that's what it looks like.
I'm sending port 80 and port 81 out the cable modem via the following:

route-map CABLE-WEB permit 10
 match ip address 180
 set ip next-hop verify-availability x.x.20.73 50 track 101

access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq www
access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 81

interface GigabitEthernet0/1
 description LAN
 ip address 172.18.106.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip policy route-map CABLE-WEB
 duplex auto
 speed auto

I don't think the ipchicken ip is cached.  If I unplug the cable modem and go to ipchicken.com the ip of the T1 comes up as it should.  If I plug the cable modem back in, wait for the track to come back up, and then go to ipchicken.com the IP changes to the cable modem.
Ok fair enough.

If you're using NAT statements you don't need to do it at the interface.  I'm struggling to work out how your web traffic is going over the cable-modem but only at the Serial line speed - the interface statement is what must be causing this.
Yeah that's where I'm at with it too.  So you think it has to do with the NAT overload on the cable modem interface?
I think it's being NAT'ed by both policies, ending up on the Serial NAT.  I can't explain why you get the right IP though.
I can try and remove that NAT statement early tomorrow morning and see what the outcome is?  I'll keep you updated.
I removed that NAT statement, but couldn't get out to the internet so I added it back.  Still having the same speed problem.
I opened up a TAC case, they seem stumped as well.  I will post an update when I have something.  In the mean time, if anyone has any ideas, please share.  Thanks.
TAC seems to be stumped as well. They want me to be onsite for further testing, but that is just not feasible right now because the location this router is at is 4 hours away. Here's what I know so far. Again this morning, I had a user plug a laptop directly into the cable modem, and I do get 50 Mbps. When I have the user plug the cable modem back into the router, I get only 1.5 Mbps. I'm thinking there may be some asymmetric routing going on. Maybe it's going out one path, but coming back in over the T1? I guess that could be possible.
ASKER CERTIFIED SOLUTION
Craig Beck
I figured so.  If I go to www.whatismyip.com, I get the same result.  I thought about it being a speed,duplex, or cable issue, but I have no interface errors.  I called the ISP just to be sure of their speed and duplex, so that matches.  I will try pushing all traffic over the cable modem and see what happens during a maintenance window.
Turns out my configuration was working properly all along.  I figured all speed test sites use port 80, but I was wrong.  I was only pushing port 80 and 81 out of the cable modem, so if I ran a speed test that used a different destination port, I of course would get the speed of the T1.  To prove this, I found a speed test website that uses one single destination port, I added this port to the access-list 180, and speed tests came back at 50Mbps on the cable modem like they should.
Thanks for your help.
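The root cause in this thread is that policy-based routing only steers flows that match the PBR ACL; everything else (an HTTPS speed test on 443, a test site on a non-standard port) follows the routing table and goes out the T1. The following Python model, added here as an illustration and not part of the thread or of any Cisco tooling, parses the two `access-list 180` lines quoted above with Cisco wildcard-mask semantics and applies the `CABLE-WEB` route-map decision to sample flows. It assumes (as the thread implies but the attached config does not show) that the default route points at the T1, that a down `track 101` makes the `set ip next-hop` clause fall through to normal routing, and that the constructed LAN host, test-server address and extra port 8080 are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Common IOS port keywords accepted after "eq" (only "www" appears on the page).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}

# The PBR match list exactly as quoted in the thread.
ACL_180_LINES = [
    "access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq www",
    "access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 81",
]


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src_net: int
    src_wild: int          # Cisco wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    dport: Optional[int]   # None means any destination port


def _addr_spec(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse one numbered extended ACL line into an AclEntry."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src_net, src_wild, i = _addr_spec(t, 4)
    dst_net, dst_wild, i = _addr_spec(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        dport = int(p) if p.isdigit() else PORT_NAMES[p]
    return AclEntry(action, proto, src_net, src_wild, dst_net, dst_wild, dport)


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; the rest must equal the network.
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_permits(entries: List[AclEntry], src: str, dst: str,
                proto: str, dport: int) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _wild_match(s, e.src_net, e.src_wild):
            continue
        if not _wild_match(d, e.dst_net, e.dst_wild):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def choose_uplink(entries: List[AclEntry], src: str, dst: str, proto: str,
                  dport: int, track_101_up: bool = True) -> str:
    """Model of 'route-map CABLE-WEB permit 10' applied on the LAN interface.

    A flow permitted by ACL 180 gets the verified next hop (cable) while
    track 101 is up; otherwise the packet follows the routing table, which
    this example ASSUMES defaults to the T1.
    """
    if acl_permits(entries, src, dst, proto, dport) and track_101_up:
        return "cable"
    return "t1"


PAGE_ENTRIES = [parse_acl_line(l) for l in ACL_180_LINES]

# Constructed sample: a LAN host talking to a speed-test server (placeholders).
LAN_HOST, TEST_SERVER = "172.18.106.25", "203.0.113.10"
# The asker's fix, modelled with a placeholder port: add the test site's port.
FIXED_ENTRIES = PAGE_ENTRIES + [
    parse_acl_line("access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 8080")
]

if __name__ == "__main__":
    for port in (80, 81, 443, 8080):
        print(f"dst port {port:>4}: original -> "
              f"{choose_uplink(PAGE_ENTRIES, LAN_HOST, TEST_SERVER, 'tcp', port)}, "
              f"with port added -> "
              f"{choose_uplink(FIXED_ENTRIES, LAN_HOST, TEST_SERVER, 'tcp', port)}")
```

Running it shows ports 80 and 81 leaving via the cable modem while 443 and 8080 leave via the T1 under the original ACL, which is exactly why a speed test that does not use port 80 reports the T1's 1.5 Mbps. The same evaluator also shows that a host outside 172.18.106.0/24 or a period when track 101 is down sends everything to the T1, two other cases worth checking before suspecting the hardware.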