05-28-2008 01:37 AM - edited 03-03-2019 10:08 PM
Hi, I have a 2821 and 2 ISPs. I want networks 10.10.60.0 - 10.10.61.0 to go over ISP 1, and everything else over ISP 2. It works! But with this configuration, routing between the networks does not work. For example: 10.10.60.0 does not route to 10.10.10.0, and 10.10.10.0 does not route to 10.10.18.0.
Can you help me fix it?
My config:
!
interface GigabitEthernet0/0.4
encapsulation dot1Q 4
ip address 10.10.4.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip policy route-map univer
no cdp enable
!
!
interface GigabitEthernet0/0.18
encapsulation dot1Q 18
ip address 10.10.18.254 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip policy route-map univer
!
!
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 10.10.60.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip policy route-map sety
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 102
ip address 92.255.YYY.130 255.255.255.252
ip nat outside
ip virtual-reassembly
zone-member security out-zone-sety
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 101
ip address 195.70.XXX.68 255.255.255.240
ip nat outside
ip virtual-reassembly
zone-member security out-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.70.YYY.65
ip route 0.0.0.0 0.0.0.0 92.255.XX.129
ip route 10.10.0.0 255.255.0.0 10.10.4.1
ip nat inside source route-map sety interface GigabitEthernet0/1.1 overload
ip nat inside source route-map univer interface GigabitEthernet0/1.2 overload
!
ip access-list standard ForSety
permit 10.10.60.0 0.0.0.255
permit 10.10.61.0 0.0.0.255
ip access-list standard ForUniver
permit 0.0.0.0 10.10.59.255
permit 10.10.70.0 0.0.185.255
!
!
route-map univer permit 10
match ip address ForUniver
set interface GigabitEthernet0/1.2
!
route-map sety permit 10
match ip address ForSety
set interface GigabitEthernet0/1.1
!
05-28-2008 02:02 AM
Sun:
PBR is source-based routing, right?
So, your route maps are forcing all traffic from the source networks to take the next hop you've assigned, regardless of the destination. All source traffic that matches the ACL for the route map is going to take that next hop, which is not what you want for local inter-subnet/vlan routing. You want "normal" destination-based routing for such traffic.
You need to do two things:
1.) Use extended ACLs in your route maps that define more specific flows and include "deny" statements for traffic sourced from one subnet and headed toward another.
Example: access-list 110 deny 10.10.60.0 0.0.0.255 10.10.18.0 0.0.0.255
This will exclude such traffic from the policy set forth in the route map and allow for normal destination-based routing.
2.) Fix the ACL called "ForUniver". For one thing, there's no such thing as a ".185" octet in a wildcard mask. And what is the story with that first statement?
HTH
Victor
05-28-2008 04:45 AM
Hi Victor.
Thank you for the help. Everything works.
I do not understand your question
"And what is the story with that first statement?"
05-28-2008 04:47 AM
I had much the same question about this statement in your access list:
permit 0.0.0.0 10.10.59.255
HTH
Rick
05-28-2008 05:21 AM
Works
05-28-2008 05:27 AM
Great. I'm glad I was able to help you.
Thanks for the rating, too.
Victor
05-28-2008 05:22 AM
I can imagine the thought process behind the ForUniver ACL even if it's not valid (0.0.0.0 to 10.10.59.255, and 10.10.70.0 and everything higher, since 70+185 is 255).
But it should be
deny 10.60.0.0 0.0.0.255
deny 10.61.0.0 0.0.0.255
permit any
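Putting Victor's two points and the ForUniver suggestion above together, here is what the corrected PBR configuration would look like. This is an added example, not a config posted by anyone in this thread. It reuses the ACL and route-map names from the original config, and it assumes (from the OP's static route `ip route 10.10.0.0 255.255.0.0 10.10.4.1`) that 10.10.0.0/16 covers every internal network, so a single deny on that destination range is enough to exempt all inter-VLAN traffic from policy routing and let the routing table handle it.

```cisco
! Extended ACLs so the route maps can look at the destination, not just the source.
! A "deny" here does not drop the packet: it only means "do not policy-route it",
! so the packet falls through to normal destination-based routing.
!
ip access-list extended ForSety
 ! Assumed: 10.10.0.0/16 is the whole internal address space (from the OP's static route)
 deny   ip 10.10.60.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny   ip 10.10.61.0 0.0.0.255 10.10.0.0 0.0.255.255
 ! Everything else from these two VLANs goes to ISP 1
 permit ip 10.10.60.0 0.0.0.255 any
 permit ip 10.10.61.0 0.0.0.255 any
!
ip access-list extended ForUniver
 ! Inter-VLAN traffic stays on the routing table
 deny   ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 ! The two ISP 1 VLANs never belong to this policy or this NAT pool
 deny   ip 10.10.60.0 0.0.0.255 any
 deny   ip 10.10.61.0 0.0.0.255 any
 ! Every other internal source goes to ISP 2 (replaces the invalid wildcard masks)
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map sety permit 10
 match ip address ForSety
 set interface GigabitEthernet0/1.1
!
route-map univer permit 10
 match ip address ForUniver
 set interface GigabitEthernet0/1.2
!
! Interface assignments stay as in the original config:
! ip policy route-map univer on Gi0/0.4 and Gi0/0.18, ip policy route-map sety on Gi0/0.60,
! and the two "ip nat inside source route-map ... overload" lines are unchanged.
```

After applying it, `show route-map sety` and `show route-map univer` report the number of packets each clause has policy-routed, which is the quickest way to confirm that a ping from 10.10.60.0/24 to 10.10.18.0/24 no longer increments the counter while Internet-bound traffic still does. Because the same route maps are referenced by the NAT statements, the new deny entries also stop the router from translating inter-VLAN traffic, which is what you want. One caveat: on a multi-access Ethernet link, `set interface` makes the router ARP for the final destination, and it only works when the upstream router answers with proxy ARP; `set ip next-hop <ISP gateway>` is the more robust choice for the two /30 and /28 ISP links in this config.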