Is this possible?

adcorbett_2
Level 1

Hello - I have 2 different ways out to the Internet in our office, a regular T1 and a Verizon FIOS fiber optic line. Right now all http traffic goes out over the T1. What I would like to do is take 4 or so of the heavy Internet users and move them to the FIOS line. Do I have to use some sort of policy based routing to get those 4 or so IPs to use a different link for http traffic than the rest?


12 Replies

Jon Marshall
Hall of Fame

Andy

Yes PBR is exactly what you would do.

Define an access-list that includes the 4 heavy internet users and then use a route-map to set the next hop to the link you want to use.

You also need to think about return traffic. If you are using different public addresses on each link just make sure you NAT the source addresses to that public address or a public address allocated to you within that subnet.

Jon

Hi Jon

Thanks for the response. I am fairly new to this so bear with me. So if the interface I want to use for my heavy hitters in IT is X.X.X.6 (if name Internet) (I have X.2-X.6 available), my access list would look something like this? (using 192.168.2.8 as an example of a user)

access-list IT_Internet_acl permit tcp 192.168.2.8 host X.X.X.5 eq www

access-list IT_Internet_acl permit tcp 192.168.2.8 host X.X.X.5 eq https

static (Inside,Internet) X.X.X.5 192.168.2.8 netmask 255.255.255.255

Then what would the route-map line look like?

Ok, go easy if I am way off base here :-)

Andy

Andy

No problem, no one should give you a hard time on these forums, that's one of the best things about them :-)

Firstly you have added this line in your config

static (Inside,Internet) X.X.X.5 192.168.2.8 netmask 255.255.255.255

A couple of things are confusing me. The above is syntax from a PIX and you can't do PBR on a PIX. Are we talking about a PIX or a router?

Assuming a router

If your heavy hitter was 192.168.2.8

access-list 101 permit tcp host 192.168.2.8 any eq www

access-list 101 permit tcp host 192.168.2.8 any eq https

Note that I have used any as the destination address. If you know the sites these users hit by IP address you could use the specific IP addresses, but any would cover all their http/https traffic.

route-map INTERNET permit 10

match ip address 101

set ip next-hop

This will route all traffic from 192.168.2.8 to the upstream router of the link you want to use.

My point about NAT was that 192.168.2.8 will not route on the Internet so you must be NATting to a public address. If you are already doing this on your 2 interfaces that connect to the Internet you don't need to do anything else.

Does this make sense ?

Jon

Hi Jon

This is an ASA 5520 that I am using here. This makes a lot of sense now. Let me try it with one user and I'll let you know how it goes.

Thanks!

Andy

ASAs do not support PBR either as far as I am aware.

Jon

Hi Jon

Thanks for the update. Ok, so I put those commands on my router instead (my workstations' default gateway), but I am still getting out to the Internet via the default route on the router, meaning it's still taking 192.168.2.8 out via the T1.

Andy

Andy

If you do a "sh ip access-list 101" do you see any hits on the entries ?

Could you post config if possible.

Jon

Hi Jon - sorry for the delay - got wrapped up in another project. Ok, so a sh ip access-list 101 gives me:

Extended IP access list 101

permit tcp host 192.168.2.8 any eq www

permit tcp host 192.168.2.8 any eq 443

permit tcp host 192.168.2.8 any

I am attaching a config as well. Thanks for your help!

Andy

You need to apply the route-map to an interface. Assuming that fa0/0.1 is the interface that 192.168.2.x addresses arrive at the router

int fa0/0.1

ip policy route-map IT_Internet

Your next hop in your route-map is 72.93.114.2 - this next hop router is adjacent to this router, yes? By this I mean that the router that has an interface with the address of 72.93.114.2 is one hop away from this router.

Jon

That was it Jon. I did have to change the next hop address to the inside address of that router rather than the outside. But it's working great now, thanks for all your help!

Glad you got it working Andy, and I appreciate the rating.

Jon
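The pieces Jon walked Andy through (the extended ACL, the route-map with set ip next-hop, applying it with ip policy on the inside interface, and NAT per link) are collected below into one complete IOS configuration. This is an added example written for this page, not a config from the thread or from either poster. Every address and interface name in it is a placeholder: Serial0/0 and 198.51.100.0/30 stand in for the T1, FastEthernet0/1 and 192.168.100.0/24 for the segment to the FIOS router, and 192.168.100.2 for the FIOS router's inside address (the address Andy said he had to use as the next hop, since a PBR next hop must be directly connected). Two things go beyond what the thread shows and are assumptions about your IOS release: the IP SLA/track block that lets the route-map fall back to the normal routing table when the FIOS next hop stops answering (set ip next-hop verify-availability needs 12.3(4)T or later; older releases use ip sla monitor and track ... rtr), and the route-map-based NAT that ties each translation to its egress interface so return traffic comes back on the link the session left on.

```cisco
! Added example, not from the original thread. All addresses and interface
! names are placeholders; substitute your own.
!
! Inside LAN where the 192.168.2.x users enter the router. The route-map
! must be applied HERE (the ingress interface), not on the WAN links.
interface FastEthernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip policy route-map IT_Internet
!
! T1 link: the default path for everyone not matched by the route-map
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Segment to the FIOS router; 192.168.100.2 is that router's inside address
interface FastEthernet0/1
 ip address 192.168.100.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! The heavy hitters. Only web traffic is matched, so their other traffic
! still follows the default route. A line such as "permit tcp host 192.168.2.8 any"
! (as in the hit counters posted above) would steer ALL of that host's TCP.
ip access-list extended IT_Internet_acl
 permit tcp host 192.168.2.8 any eq www
 permit tcp host 192.168.2.8 any eq 443
 permit tcp host 192.168.2.9 any eq www
 permit tcp host 192.168.2.9 any eq 443
!
! Probe the FIOS next hop so PBR stops using it when it is down (assumed
! IOS 12.4(4)T+ syntax). Without this, a plain "set ip next-hop" keeps
! forwarding into a dead neighbour.
ip sla 1
 icmp-echo 192.168.100.2
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Packets that match the ACL go to the FIOS router; everything else (and
! ACL-matched packets while track 1 is down) uses the routing table.
route-map IT_Internet permit 10
 match ip address IT_Internet_acl
 set ip next-hop verify-availability 192.168.100.2 10 track 1
!
! NAT per egress interface: the FIOS-bound flows are translated to the
! FastEthernet0/1 address, T1-bound flows to the Serial0/0 address, so the
! reply comes back on the same link the request left on.
ip access-list standard INSIDE_NETS
 permit 192.168.2.0 0.0.0.255
!
route-map NAT_T1 permit 10
 match ip address INSIDE_NETS
 match interface Serial0/0
!
route-map NAT_FIOS permit 10
 match ip address INSIDE_NETS
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT_T1 interface Serial0/0 overload
ip nat inside source route-map NAT_FIOS interface FastEthernet0/1 overload
!
! Verification, from enable mode:
!   show ip policy                      - confirms the route-map is bound to Fa0/0.1
!   show route-map IT_Internet          - "Policy routing matches" should climb
!   show ip access-lists IT_Internet_acl - hit counts per line, as Andy checked
!   show track 1                        - state should be Up
!   show ip nat translations            - 192.168.2.8 should appear behind Fa0/1
```

A few practical points. ip policy only affects transit packets arriving on that interface; traffic generated by the router itself is unaffected unless you also configure ip local policy route-map. Because PBR moves these hosts off the path everyone else uses, any firewall, proxy or logging that sits only on the T1 side no longer sees them, so make sure the FIOS path carries the same controls before you cut users over. And, as the last reply in the thread says, never paste a live configuration with credentials, SNMP communities or public addresses onto a public forum; the example above uses documentation and private ranges for that reason.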

!!!!!!!!Change your passwords now that you posted your configs !!!!!!!!!!!!
