Solved

Using Policy Based Routing to route port 80 traffic out of secondary internet circuit on Cisco Router

Posted on 2014-03-06
1,422 Views
Last Modified: 2014-03-10
I have a Cisco 2911 router that has two internet circuits.  The serial interface is the T1, and interface gi0/0 is the cable modem.  I use PBR to push port 80 and port 81 out of the cable modem.  It seems to be working: if I go to www.ipchicken.com the IP address of the cable modem shows up, so I know port 80 is going out the right circuit.  Here's the problem: the cable modem is a 50 Mbps circuit.  If I connect my laptop directly to the cable modem, all day every day I can achieve 50 Mbps downloads.  When the router is connected to the cable modem, with port 80 traffic going through it, I can't get more than 1.5 Mbps speeds.  I don't understand what is happening.  I have this same exact setup at other locations but using 2800 series routers.  The only difference in this setup is that it's a 2900 series.  I will attach the configuration.  Any assistance would be greatly appreciated.  Thanks.
2911-Configuration.txt
Question by:denver218

15 Comments
LVL 14

Expert Comment

by:Don Thomson
I suspect that the rate-limit speed has been set at around the 1.5 Mbps limit.

Here's some info on that

http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/command/reference/fqos_r/qrfcmd8.html
0
 
LVL 4

Author Comment

by:denver218
Did you look at the configuration?  I don't have rate limiting configured.
0
 
LVL 45

Expert Comment

by:Craig Beck
I can't see where you're sending ports 80 and 81 out via the cable modem.

You have these NAT statements...

ip nat inside source route-map CABLE interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT interface Serial0/0/0.1 overload

...and these ACLs and route-maps...

ip access-list extended NAT
 deny   ip 172.18.106.0 0.0.0.255 10.11.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.15.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.41.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.52.0.0 0.0.255.255
 deny   ip 172.18.106.0 0.0.0.255 10.253.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.254.1.0 0.0.0.255
 deny   ip 172.18.106.0 0.0.0.255 10.0.0.0 0.0.15.255
 deny   ip 172.18.106.0 0.0.0.255 172.31.252.0 0.0.3.255
 permit ip 172.18.106.0 0.0.0.255 any
!
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 172.31.252.0 0.0.3.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 141 deny   ip 172.18.106.0 0.0.0.255 10.15.1.0 0.0.0.255
access-list 141 permit ip 172.18.106.0 0.0.0.255 any
!
!
!
!
route-map CABLE permit 10
 match ip address 141
 match interface GigabitEthernet0/0
!
route-map NAT permit 10
 match ip address NAT

So, based on that NAT statement configuration it looks to me like you're not sending 80 and 81 out of the cable link specifically.

You need to be using the CABLE-WEB route-map to send traffic over the cable link.

I know that you say you're seeing the correct IP when you go to IPChicken, but I think that's probably a cached result.

As I say, that's what it looks like.
0
 
LVL 4

Author Comment

by:denver218
I'm sending port 80 and port 81 out the cable modem via the following:

route-map CABLE-WEB permit 10
 match ip address 180
 set ip next-hop verify-availability x.x.20.73 50 track 101

access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq www
access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 81

interface GigabitEthernet0/1
 description LAN
 ip address 172.18.106.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip policy route-map CABLE-WEB
 duplex auto
 speed auto

I don't think the ipchicken ip is cached.  If I unplug the cable modem and go to ipchicken.com the ip of the T1 comes up as it should.  If I plug the cable modem back in, wait for the track to come back up, and then go to ipchicken.com the IP changes to the cable modem.
0
 
LVL 45

Expert Comment

by:Craig Beck
Ok fair enough.

If you're using NAT statements you don't need to do it at the interface.  I'm struggling to work out how your web traffic is going over the cable-modem but only at the Serial line speed - the interface statement is what must be causing this.
0
 
LVL 4

Author Comment

by:denver218
Yeah that's where I'm at with it too.  So you think it has to do with the NAT overload on the cable modem interface?
0
 
LVL 45

Expert Comment

by:Craig Beck
I think it's being NAT'ed by both policies, ending up on the Serial NAT.  I can't explain why you get the right IP though.
0
 
LVL 4

Author Comment

by:denver218
I can try and remove that NAT statement early tomorrow morning and see what the outcome is?  I'll keep you updated.
0
 
LVL 4

Author Comment

by:denver218
I removed that NAT statement, but couldn't get out to the internet so I added it back.  Still having the same speed problem.
0
 
LVL 4

Author Comment

by:denver218
I opened up a TAC case; they seem stumped as well.  I will post an update when I have something.  In the meantime, if anyone has any ideas, please share.  Thanks.
0
 
LVL 4

Author Comment

by:denver218
TAC seems to be stumped as well.  They want me to be onsite for further testing, but that is just not feasible right now because the location this router is at is 4 hours away.  Here's what I know so far.  Again this morning, I had a user plug a laptop directly into the cable modem, and I do get 50 Mbps.  I have the user plug the cable modem back into the router, and I only get 1.5 Mbps.  I'm thinking there may be some asymmetric routing going on.  Maybe it's going out one path, but coming back in over the T1?  I guess that could be possible.
0
 
LVL 45

Accepted Solution

by:Craig Beck (earned 500 total points)
It's doubtful.  I don't see how the site would know about the other circuit to send traffic back over it.

Can you try a different website?  Go to www.whatismyip.com and see what that says.

The only other thing I could suggest is to push all traffic over the cable link without the policy routing to see if you get the 50Mbps then.  If you don't I'd look at issues with cabling or duplex between the router and the modem maybe.
0
 
LVL 4

Author Comment

by:denver218
I figured so.  If I go to www.whatismyip.com, I get the same result.  I thought about it being a speed, duplex, or cable issue, but I have no interface errors.  I called the ISP just to be sure of their speed and duplex, so that matches.  I will try pushing all traffic over the cable modem and see what happens during a maintenance window.
0
 
LVL 4

Author Comment

by:denver218
Turns out my configuration was working properly all along.  I figured all speed test sites use port 80, but I was wrong.  I was only pushing port 80 and 81 out of the cable modem, so if I ran a speed test that used a different destination port, I of course would get the speed of the T1.  To prove this, I found a speed test website that uses one single destination port, I added this port to the access-list 180, and speed tests came back at 50Mbps on the cable modem like they should.
0
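The resolution above is easy to check on paper once you model what PBR actually does: only flows that ACL 180 permits are policy-routed to the cable next-hop (and only while track 101 is up, because of verify-availability); everything else falls through to the routing table and leaves over the T1 default route. The script below is an added example, not the poster's code or anything from Cisco. It parses the numbered extended ACL lines from the thread with a small first-match evaluator (wildcard masks, "eq" ports, implicit deny) and classifies constructed flows. The port 8080 entry stands in for the speed-test port the poster added; the thread does not say which port that was, so it is a labelled placeholder.

```python
"""Model the thread's PBR decision: ACL 180 + route-map CABLE-WEB on the LAN
interface send matching flows to the cable modem; the rest follow the T1 default.
Added example; not the original poster's configuration tooling."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Keyword names IOS substitutes for well-known ports in ACLs (subset).
PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "pop3": 110}


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src_net: int           # source network as a 32-bit int
    src_wild: int          # source wildcard mask (1 bits = don't care)
    dst_net: int
    dst_wild: int
    dport: Optional[int]   # destination port from "eq <port>", or None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(lines: List[str], number: int) -> List[AclEntry]:
    """Parse the 'access-list <number> ...' lines of one numbered extended ACL."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        src_net, src_wild, i = _parse_addr(tokens, 4)
        dst_net, dst_wild, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            dport = PORT_NAMES.get(name) or int(name)
        entries.append(AclEntry(action, proto, src_net, src_wild,
                                dst_net, dst_wild, dport))
    return entries


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; the rest must match exactly.
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def acl_permits(entries: List[AclEntry], flow: Flow) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    src = int(ipaddress.IPv4Address(flow.src))
    dst = int(ipaddress.IPv4Address(flow.dst))
    for e in entries:
        if e.proto not in ("ip", flow.proto):
            continue
        if not _wild_match(src, e.src_net, e.src_wild):
            continue
        if not _wild_match(dst, e.dst_net, e.dst_wild):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action == "permit"
    return False


def choose_egress(flow: Flow, entries: List[AclEntry], track_up: bool = True) -> str:
    """route-map CABLE-WEB: a permitted flow goes to the cable next-hop only while
    track 101 is up (verify-availability); otherwise normal routing -> T1."""
    if track_up and acl_permits(entries, flow):
        return "cable"
    return "t1"


# ACL 180 exactly as posted, plus the port the poster added afterwards
# (8080 is a constructed placeholder; the thread does not name the real port).
ACL_180 = [
    "access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq www",
    "access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 81",
]
ACL_180_FIXED = ACL_180 + ["access-list 180 permit tcp 172.18.106.0 0.0.0.255 any eq 8080"]

if __name__ == "__main__":
    before, after = parse_acl(ACL_180, 180), parse_acl(ACL_180_FIXED, 180)
    for dport in (80, 443, 8080):           # constructed test flows from the LAN
        f = Flow("172.18.106.50", "203.0.113.10", "tcp", dport)
        print(f"dport {dport}: before={choose_egress(f, before)} after={choose_egress(f, after)}")
```

Running it shows the symptom and the fix side by side: port 80 already went out the cable link, but a speed test on 443 or on its own port never matched ACL 180 and so measured the T1. Dropping track 101 (track_up=False) sends even port 80 back to the T1, which is the behaviour the poster saw when unplugging the modem.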
 
LVL 4

Author Closing Comment

by:denver218
Thanks for your help.
0