Policy based routing giving a headache

mpaul
Level 1

I have two internet connections on an 1841, through ethernet. I'm using subinterfaces. I have two default routes with floating static.

ip route 0.0.0.0 0.0.0.0 Y.Y.Y.209 5

ip route 0.0.0.0 0.0.0.0 X.X.X.65 10

When I remove the first route at weight 5, everything fails over properly and I can ping the x.x.x.65 address.

However if the first y.y.y.209 is in the routing table I cannot ping x.x.x.65 correctly.

Of course, I need one system within the LAN to route over that other connection, so I have set up a PBR statement, but seemingly, since I cannot ping that next hop (from the router or the server), it doesn't work.

I see the policy-map matching the traffic coming from the server, but I just can't ping that other hop when the first default route is in place. Have gotten something similar to this working before on a 1760, but for whatever reason can't ping the second hop, on this 1841. Here's a config. I would have the expectation that I could ping both default gateways, since they are technically on the same subnet.

ip cef
no ip dhcp use vrf connected
no ip domain lookup
interface FastEthernet0/0
 description PORT to DMZ VLAN
 ip address 172.16.20.2 255.255.255.0
 ip nat inside
 ip policy route-map stn_util
 no ip mroute-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description PORT to TRUNK for MPOWER/COMCAST
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.30
 description PORT to MPOWER
 encapsulation dot1Q 30
 ip address X.X.X.115 255.255.255.192
 ip verify unicast reverse-path
 ip nat outside
 no ip mroute-cache
 no snmp trap link-status
!
interface FastEthernet0/1.40
 description PORT to COMCAST
 encapsulation dot1Q 40
 ip address Y.Y.Y.210 255.255.255.240
 ip verify unicast reverse-path
 ip nat outside
 no ip mroute-cache
 no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.209 5
ip route 0.0.0.0 0.0.0.0 X.X.X.65 10
!
no ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NAT1-MPOWER interface FastEthernet0/1.30 overload
ip nat inside source route-map NAT2-COMCAST interface FastEthernet0/1.40 overload
ip nat inside source static 172.16.20.1 Y.Y.Y.211 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.10 Y.Y.Y.212 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.11 Y.Y.Y.213 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.12 Y.Y.Y.214 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.12 X.X.X.112 route-map NAT1-Static-MPOWER
ip nat inside source static 172.16.20.10 X.X.X.113 route-map NAT1-Static-MPOWER
ip nat inside source static 172.16.20.11 X.X.X.114 route-map NAT1-Static-MPOWER
!
access-list 150 permit ip host 172.16.20.12 any
access-list 160 remark DYNAMIC NAT
access-list 160 deny ip host 172.16.20.1 any
access-list 160 deny ip host 172.16.20.10 any
access-list 160 deny ip host 172.16.20.11 any
access-list 160 deny ip host 172.16.20.12 any
access-list 160 permit ip 172.16.20.0 0.0.0.255 any
access-list 170 remark STATIC NATS
access-list 170 permit ip host 172.16.20.1 any
access-list 170 permit ip host 172.16.20.10 any
access-list 170 permit ip host 172.16.20.11 any
access-list 170 permit ip host 172.16.20.12 any
access-list 170 deny ip 172.16.20.0 0.0.0.255 any
route-map NAT2-COMCAST permit 10
 match ip address 160
 match interface FastEthernet0/1.40
!
route-map NAT2-Static-COMCAST permit 10
 match ip address 170
 match interface FastEthernet0/1.40
!
route-map stn_util permit 10
 description change UTIL server default route
 match ip address 150
 set ip next-hop X.X.X.65
!
route-map NAT1-Static-MPOWER permit 10
 match ip address 170
 match interface FastEthernet0/1.30
!
route-map NAT1-MPOWER permit 10
 match ip address 160
 match interface FastEthernet0/1.30

5 Replies

mattiaseriksson
Level 3

Have you tried without 'ip verify unicast reverse-path' on interface FastEthernet0/1.30?
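As an added illustration, not part of this thread, the following Python model reproduces the posted routing table (connected routes plus the two floating default routes at AD 5 and AD 10), the stn_util PBR policy, and a strict uRPF check of the kind 'ip verify unicast reverse-path' performs. The masked X.X.X and Y.Y.Y prefixes are replaced by constructed documentation addresses, and 192.0.2.10 stands in for an arbitrary internet host; everything else is an assumption for demonstration. It shows which exit each class of traffic takes, that a packet sourced by the router itself reaches a connected next hop through the connected route regardless of the default routes, and which return packets strict uRPF on the MPOWER subinterface would accept or drop.

```python
import ipaddress

# Constructed placeholders for the masked prefixes in the posted config
# (assumption: X.X.X.64/26 -> 198.51.100.64/26, Y.Y.Y.208/28 -> 203.0.113.208/28).
MPOWER_NET = ipaddress.ip_network("198.51.100.64/26")
COMCAST_NET = ipaddress.ip_network("203.0.113.208/28")
DMZ_NET = ipaddress.ip_network("172.16.20.0/24")
MPOWER_GW = ipaddress.ip_address("198.51.100.65")   # stands in for X.X.X.65
COMCAST_GW = ipaddress.ip_address("203.0.113.209")  # stands in for Y.Y.Y.209
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Routes as (prefix, administrative distance, next hop, egress interface).
# Connected routes carry AD 0; the two statics mirror the posted
# "ip route 0.0.0.0 0.0.0.0 ... 5" and "... 10" lines.
ROUTES = [
    (DMZ_NET, 0, None, "Fa0/0"),
    (MPOWER_NET, 0, None, "Fa0/1.30"),
    (COMCAST_NET, 0, None, "Fa0/1.40"),
    (DEFAULT, 5, COMCAST_GW, "Fa0/1.40"),
    (DEFAULT, 10, MPOWER_GW, "Fa0/1.30"),
]

# Hosts matched by access-list 150, i.e. subject to route-map stn_util.
PBR_HOSTS = {ipaddress.ip_address("172.16.20.12")}


def resolve(dst, routes=ROUTES):
    """RIB lookup: longest prefix wins; for equal prefix length the lowest
    AD wins, which is exactly what keeps the AD 10 default 'floating'.
    Returns (next_hop, egress_interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, ad, nh, iface in routes:
        if dst in net:
            key = (net.prefixlen, -ad)
            if best is None or key > best[0]:
                best = (key, nh, iface)
    if best is None:
        return None
    _, nh, iface = best
    return (nh if nh is not None else dst, iface)


def forward(src, dst, ingress, routes=ROUTES):
    """Forwarding decision for one packet. Interface PBR (ip policy on Fa0/0)
    is consulted before the RIB for transit packets only; a packet the
    router originates itself has no ingress interface and is not policy
    routed unless 'ip local policy' is configured (assumed absent here)."""
    src = ipaddress.ip_address(src)
    if ingress == "Fa0/0" and src in PBR_HOSTS:
        return (MPOWER_GW, "Fa0/1.30")
    return resolve(dst, routes)


def urpf_strict_ok(src, ingress, routes=ROUTES):
    """Strict uRPF: accept only if the best route back toward the source
    address leaves through the interface the packet arrived on."""
    r = resolve(src, routes)
    return r is not None and r[1] == ingress


def main():
    internet = "192.0.2.10"  # constructed stand-in for any internet host
    print("LAN host  ->", forward("172.16.20.5", internet, "Fa0/0"))
    print("PBR host  ->", forward("172.16.20.12", internet, "Fa0/0"))
    print("router ping to MPOWER gw ->", forward("198.51.100.115", str(MPOWER_GW), None))
    print("echo reply from MPOWER gw on Fa0/1.30 passes uRPF:",
          urpf_strict_ok(str(MPOWER_GW), "Fa0/1.30"))
    print("return traffic from internet on Fa0/1.30 passes uRPF:",
          urpf_strict_ok(internet, "Fa0/1.30"))
    print("same traffic on Fa0/1.40 passes uRPF:",
          urpf_strict_ok(internet, "Fa0/1.40"))


if __name__ == "__main__":
    main()
```

The last two checks are the asymmetric-routing trap in a multihomed setup like this one: replies to the PBR'd server's flows come back on Fa0/1.30, but the RIB's best path toward the remote source is the AD 5 default via Fa0/1.40, so strict uRPF on Fa0/1.30 rejects them even though the gateway's own echo replies pass.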

Indeed I have. I actually added that statement and turned on CEF, (have to, in order to enable that statement.) With or without the CEF and the 'ip verify unicast reverse-path' it still can't ping the second default gateway. Thanks for the reply.

You are trying to ping from the router?

You can verify the prefix in the arp table and with 'sh ip cef'. It should be there and pointing to the right interface.

I haven't checked yet, but if that information is missing, then what can I do to make it work.

It depends on the result. Compare the output for the attached network from sh ip route and sh ip cef.

You can also run debug arp and try some pings: does it send requests? Replies?

Which version of IOS are you running? Older versions had issues between CEF and route-maps. You can try to disable CEF.

You do not have an "ip local policy" configured?

I know it is not in what you attached, but it does not look complete.
