
Policy-Based Routing Help


scotto27

MIS
Oct 15, 2002
Setup:

   T1                            Cable Modem
   |                                  |
   |                                  |
|-----------------------------------------|
| S0/0                              Fa0/1 |
| 10.10.10.3                192.168.10.10 |
|               Cisco 2621                |
|                                         |
|                                         |
|          Fa0/0 10.10.10.8               |
|-----------------------------------------|
             |
             |

     Internal Network


Everything routes out of the T1 currently. I was assigned a dynamic reserved address from the cable modem. So I get the following information from the ISP of the cable modem, I am able to ping the default gateway and see the packet count go up by that number of packets on the Fa0/1 interface, so I know the added directly connected route is working:

IP Address: 192.168.10.10
Subnet Mask: 255.255.255.0
Def. Gateway: 192.168.10.1

I tried the following Policy-Based Routing setup and thought this would work, but I must have something wrong somewhere. I only want to send HTTP traffic out the cable modem for now, then figure out other steps later. With this PBR in place, all traffic to websites stops, everything else continues to function.

Changes to Config:

access-list 131 permit tcp any any eq www

route-map Websurfers permit 45
match ip address 131
set ip next-hop 192.168.10.1

(interface Fa0/0)
ip policy route-map Websurfers
ip route-cache policy



Can anyone see an issue with this, or where I may have made a mistake?
 
hmm what's the subnet mask of s0/0 and f0/0? If the mask is the same on both interfaces, then it's quite amazing to have same subnets on different interfaces in the same router.

Btw did you try to connect a PC to the cable modem and try to access the Internet using proper DNS servers provided by your ISP?

Also is your T1 connected to other remote sites of your company?
 
Ah, yes. My fault. They are not the same subnet, I confused the config with the diagram I did, assume s0/0 is 172.16.10.30.

Prior to connecting the cable modem to the Cisco router, I used a Linksys and a laptop with the cable modem and it worked well. I then verified that the Cisco router is getting an address from the cable modem and that from the Cisco router I could ping the Default Gateway.

The T1 is not connected to any remote sites of my company, just out to the internet.

Thanks,

Scott
 
So you want to keep 2 Internet connections at the same time?

If you said your Cisco router received an IP address from your Cable Modem, I'm assuming that the Cable Modem is running DHCP and NATing this DHCP range to a real IP address.

Also you've mentioned that you've tested it with a Linksys and Laptop. Is that Linksys device a broadband router or just a switch?

At the same time, you can try one more thing. Simply just change the default route of your Cisco to the IP address of the Cable Modem (192.168.10.1) and test the Internet connectivity first. Let me know the results. Thanks.
 
yes, keep 2 internet connections at the same time. eventually i want to set them up to provide failover, but for right now, just want to send http traffic out the cable modem, all the rest over the t1.

not sure what you mean about a dhcp range from the cable modem. i am running the dhcp client on the cisco router interface that is connected to the cable modem - the address the router is getting from it is a routable public ip. whether it is nat'ed or part of a dhcp range by the time it gets to the cable modem is up to the isp.

the linksys is a router, it grabs the dhcp'ed address from the cable modem and the linksys provides nat and dhcp to the internal clients behind it.

i will give the default route a try once i have the opportunity to knock people offline again.

someone elsewhere suggested that i may need to use nat on the cisco router so that the ip addresses i use going out the fa0/1 interface are translated back to the address that it has.

thanks,

scott
 
in this case I think you really need NAT in your Cisco

so the IP 192.168.10.10 is not the actual IP received from Cable modem, right?
 
Correct, the ip's in use are all real, routable ip addresses. I just used the ones above for the example.

I've been messing around with the NAT piece but can't seem to get it right.

On Fa0/0 I added: ip nat inside
On Fa0/1 I added: ip nat outside

Then I also added:
ip nat inside source route-map Websurfers interface Fa0/1 overload

This didn't seem to work, I feel I am close, but can't seem to nail it down.

Thanks,

Scott
 
Scott, It may be easier for people to assist if you were to post the cisco config.
 
Okay, here we go (I cleansed the ip address info and removed unnecessary stuff like banners, etc.):

interface FastEthernet0/0
ip address 214.XX.60.XX 255.255.255.224
ip nat inside
no ip mroute-cache
speed auto
full-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay
no ip mroute-cache
load-interval 30
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type cisco
!
interface Serial0/0.1 point-to-point
bandwidth 768
ip address 214.XX.62.XXX 255.255.255.252
no ip mroute-cache
frame-relay interface-dlci 40 IETF
!
interface Serial0/0.2 point-to-point
bandwidth 1544
backup delay 10 30
backup interface Dialer0
ip address 214.XX.65.X 255.255.255.252
no ip mroute-cache
frame-relay interface-dlci 45 IETF
!
interface FastEthernet0/1
ip address 209.XXX.XXX.XXX 255.255.255.224
ip nat outside
no ip mroute-cache
duplex auto
speed auto
!
router eigrp 143
network 214.XX.60.0 0.0.0.31
network 214.XX.62.XXX 0.0.0.3
network 214.XX.65.X 0.0.0.3
distribute-list 5 out Serial0/0.1
distribute-list 5 out Serial0/0.2
no auto-summary
!
ip nat inside source route-map Websurfers interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 190
!
access-list 131 permit tcp any any eq www
route-map Websurfers permit 45
match ip address 131
set interface FastEthernet0/1


When I add the following lines to Fa0/0, I can't surf the web. Everything else continues to function though:

ip policy route-map Websurfers
ip route-cache policy

Thanks,

Scott
 
maybe you didn't completely paste your config here but I assume you should have a line "ip route 0.0.0.0 0.0.0.0 s0/0.2". Also we usually use IP address rather than using ethernet/fast ethernet interface as the next hop for arp issues.

For the route map, try to use "set ip next-hop <ip address>" rather than "set interface fastethernet0/1"

For NAT I'd rather use:

ip nat inside source list 10 interface FastEthernet0/1 overload
access-list 10 permit <network address of int f0/0> <wild card mask>

Just NAT everything from f0/0 to f0/1 when necessary. Route-map will do the re-routing and trigger NAT as your default route should be pointing to the T1 so normally NAT won't be triggered.

Hope this works.

 
I don't actually have any other ip route statements. I thought there should be one for s0/0.2 also, but it came without that setup from my ISP and has been working without it for 3 years now. I was always curious why I don't need that.

I originally used the "set ip next-hop" with the IP address, but there was no difference between it and the "set interface", so I left the interface in there.

I tried your lines for the NAT piece. Still no difference.

Is there something I should be waiting on or command to issue? Like a 'clear xlate' that you would issue on a PIX after a NAT change? Is there a timeout or something?

Thanks,

Scott
 
One other note I should have made. When I used your NAT statements and my other one that NAT'ed based on the route map, I do see the cable modem ip address being NAT'ed with my FA0/0 IP address (PAT'ed). So the NAT statement appears to be working in my instances and when I have viewed my route map it appears to be matching http traffic. The traffic is just not going out the FA0/1 interface for some reason.

Scott
 
Okay, getting very close. It is now down to a routing issue I believe. If I put a static route to a certain website say:

ip route xxx.xxx.xxx.xxx 255.255.255.255 FastEthernet0/1

It goes out the Fa0/1 interface over the cable modem, woohoo! I have a different static route from before of:

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 190

I put the 190, because I didn't want it overriding my eigrp routes that I get from my T1 ISP. Just not sure what needs to be changed, but I'm pretty sure I'm on the right track here.

Scott
 
One last bit of info, the default route is given to the router from the T1 via EIGRP.

Scott
 
hmm well not really related to this issue but I highly recommend you to use next hop IP address rather than a fastethernet/ethernet interface.

"ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 190" is a floating static route that will forward everything to f0/1 in the case of T1 failure as the EIGRP won't learn the default route from your ISP then.

one other thing....are all your PCs using proxy server for http/https?
 
I understand what you are saying about the next hop IP address, but currently the cable modem is not a static address, so I am using dhcp client on the Cisco interface - so it is just easier right now not having to worry about that piece and just point it to the interface.

I gotcha on the floating static route, I just have to figure out how to have a static route in there that allows all traffic to be able to traverse Fa0/1, but still keep the T1 as the default interface.

No proxy server is used on the clients for http/https.

Scott
 
hmm I think of a reverse way to do this

currently you should have a default route learnt from EIGRP. Try to change your static default route to the default metric so that it overrides the EIGRP default route and all traffic will be forwarded to the cable modem.

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

Then set a route-map as follows:

access-list 132 deny tcp any any eq www
access-list 132 permit ip any any

route-map reverse permit 10
match ip address 132
set interface s0/0.2
or
set ip next-hop <next hop IP of T1>

Then apply this on the int s0/0.2 and see what happens. This should route all traffic except http via T1.
 
Well, I grabbed the default gateway for the cable modem and tried like you said using the ip next-hop with my original config with the 190 ad on the static route and it works! I don't know why it likes the routing table now all of a sudden, but so far so good.

Thanks,

Scott
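The thread above works through four mechanisms that interact on this router: administrative distance (the EIGRP-learned default beats the floating static with AD 190 as long as the T1 is up), longest-prefix lookup (Scott's /32 test route beats any default), policy-based routing (`set ip next-hop` on the route-map applied to Fa0/0 overrides the table for HTTP), and NAT overload on Fa0/1. The following toy model is an added example, not IOS and not anything posted in the thread; it reproduces the forwarding decision in Python so the interplay can be traced packet by packet. Addresses are the ones from Scott's diagram (S0/0 corrected to 172.16.10.30); the /30 on the T1, the T1 next hop 172.16.10.29, the inside host 10.10.10.50 and the web server 203.0.113.10 are constructed. The AD of 170 for the EIGRP external default is the IOS default.

```python
"""Toy model of the forwarding decision discussed in the thread: AD-based route
installation, longest-prefix lookup, a PBR route-map on the inside interface and
NAT overload on the cable-modem interface. Constructed example, not IOS."""
import ipaddress
from dataclasses import dataclass

# Interfaces from the diagram (S0/0 as corrected later in the thread).
# The /30 on the T1 and the /24 on Fa0/1 are assumptions.
INTERFACES = {
    "Fa0/0": ipaddress.ip_interface("10.10.10.8/24"),
    "S0/0":  ipaddress.ip_interface("172.16.10.30/30"),
    "Fa0/1": ipaddress.ip_interface("192.168.10.10/24"),
}
T1_NEXT_HOP = "172.16.10.29"      # constructed: ISP side of the T1 /30
CABLE_GATEWAY = "192.168.10.1"     # default gateway handed out by the cable ISP
EIGRP_EXTERNAL_AD = 170            # IOS default AD for external EIGRP routes
FLOATING_STATIC_AD = 190           # the AD Scott put on his static default


def interface_for(next_hop):
    """Resolve a next-hop IP to the directly connected interface that reaches it."""
    hop = ipaddress.ip_address(next_hop)
    for name, ifc in INTERFACES.items():
        if hop in ifc.network:
            return name
    raise ValueError(f"no connected route to {next_hop}")


class Rib:
    """Routing table: for each prefix only the lowest-AD candidate is installed."""
    def __init__(self):
        self.candidates = {}  # prefix -> list of (ad, next_hop, source)

    def add(self, prefix, next_hop, ad, source):
        net = ipaddress.ip_network(prefix)
        self.candidates.setdefault(net, []).append((ad, next_hop, source))

    def installed(self, net):
        return min(self.candidates.get(net, []), default=None)  # lowest AD wins

    def lookup(self, dst):
        """Longest-prefix match over installed routes -> (prefix, next_hop, source) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net in self.candidates:
            inst = self.installed(net)
            if inst and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, inst[1], inst[2])
        return best


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def acl_131(pkt):
    """access-list 131 permit tcp any any eq www"""
    return pkt.proto == "tcp" and pkt.dport == 80


def forward(pkt, rib, pbr_next_hop=None, nat=True):
    """Return (egress_interface, next_hop, translated_src, reason).

    pbr_next_hop models 'set ip next-hop' in route-map Websurfers applied on Fa0/0.
    nat models 'ip nat inside source list 10 interface Fa0/1 overload' with Fa0/0
    as nat inside and Fa0/1 as nat outside."""
    if pbr_next_hop and acl_131(pkt):
        next_hop, reason = pbr_next_hop, "route-map Websurfers"
    else:
        route = rib.lookup(pkt.dst)
        if route is None:
            return (None, None, pkt.src, "no route")
        _, next_hop, reason = route
    egress = interface_for(next_hop)
    src = pkt.src
    inside = ipaddress.ip_address(pkt.src) in INTERFACES["Fa0/0"].network
    if nat and inside and egress == "Fa0/1":
        src = str(INTERFACES["Fa0/1"].ip)   # overload: PAT to the Fa0/1 address
    return (egress, next_hop, src, reason)


def build_rib(t1_up=True):
    """The thread's table: EIGRP default from the T1 plus the floating static default."""
    rib = Rib()
    if t1_up:
        rib.add("0.0.0.0/0", T1_NEXT_HOP, EIGRP_EXTERNAL_AD, "eigrp")
    rib.add("0.0.0.0/0", CABLE_GATEWAY, FLOATING_STATIC_AD, "static")
    return rib


def demo():
    web = Packet("10.10.10.50", "203.0.113.10", "tcp", 80)  # constructed host and server
    ssh = Packet("10.10.10.50", "203.0.113.10", "tcp", 22)
    rib = build_rib()
    results = {
        "http_no_pbr": forward(web, rib),                              # T1 via EIGRP default
        "http_pbr": forward(web, rib, pbr_next_hop=CABLE_GATEWAY),     # cable modem, NATed
        "ssh_pbr": forward(ssh, rib, pbr_next_hop=CABLE_GATEWAY),      # unmatched: still T1
    }
    # Scott's /32 test: a host route beats the default by prefix length, no PBR needed.
    rib.add("203.0.113.10/32", CABLE_GATEWAY, 1, "static")
    results["http_host_route"] = forward(web, rib)
    # With the EIGRP default gone, the AD-190 floating static takes over for everything.
    results["t1_down"] = forward(ssh, build_rib(t1_up=False))
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:16} egress={r[0]} next_hop={r[1]} src={r[2]} via {r[3]}")
```

Two points the model makes visible: the AD-190 default is never consulted while EIGRP supplies a default, so without the route-map nothing reaches Fa0/1, and in a T1 outage every flow, not just HTTP, leaves through the cable modem and is translated to the Fa0/1 address. The posted config has no inbound access-list on Fa0/1, so in that failover state the outside interface is open to whatever the cable ISP delivers; an inbound filter on Fa0/1 is worth adding before relying on the floating static.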
 