06-11-2008 11:46 AM - edited 03-05-2019 11:34 PM
Hello - I have 2 different ways out to the Internet in our office, a regular T1 and a Verizon FIOS fiber optic line. Right now all http traffic goes out over the T1. What I would like to do is take 4 or so of the heavy Internet users and move them to the FIOS line. Do I have to use some sort of policy based routing to get those 4 or so IPs to use a different link for http traffic than the rest?
06-11-2008 11:50 AM
Andy
Yes PBR is exactly what you would do.
Define an access-list that includes the 4 heavy internet users and then use a route-map to set the next hop to the link you want to use.
You also need to think about return traffic. If you are using different public addresses on each link just make sure you NAT the source addresses to that public address or a public address allocated to you within that subnet.
Jon
06-12-2008 03:59 AM
Hi Jon
Thanks for the response. I am fairly new to this so bear with me. So if the interface I want to use for my heavy hitters in IT is X.X.X.6 (if name Internet) (I have X.2-X.6 available), my access list would look something like this? (using 192.168.2.8 as an example of a user)
access-list IT_Internet_acl permit tcp 192.168.2.8 host X.X.X.5 eq www
access-list IT_Internet_acl permit tcp 192.168.2.8 host X.X.X.5 eq https
static (Inside,Internet) X.X.X.5 192.168.2.8 netmask 255.255.255.255
Then what would the route-map line look like?
Ok, go easy if I am way off base here :-)
Andy
06-12-2008 04:08 AM
Andy
No problem, no one should give you a hard time on these forums, that's one of the best things about them :-)
Firstly you have added this line in your config
static (Inside,Internet) X.X.X.5 192.168.2.8 netmask 255.255.255.255
Couple of things confusing me. The above is syntax from a PIX and you can't do PBR on a PIX. Are we talking about a PIX or a router?
Assuming a router
If your heavy hitter was 192.168.2.8
access-list 101 permit tcp host 192.168.2.8 any eq www
access-list 101 permit tcp host 192.168.2.8 any eq https
Note that I have used any as the destination address. If you know the sites these users hit by IP address you could use the specific IP addresses, but any would cover all their http/https traffic.
route-map INTERNET permit 10
match ip address 101
set ip next-hop
This will route all traffic from 192.168.2.8 to the upstream router of the link you want to use.
My point about NAT was that 192.168.2.8 will not route on the Internet so you must be NATting to a public address. If you are already doing this on your 2 interfaces that connect to the Internet you don't need to do anything else.
Does this make sense?
Jon
06-12-2008 04:19 AM
Hi Jon
This is an ASA 5520 that I am using here. This makes a lot of sense now. Let me try it with one user and I'll let you know how it goes.
Thanks!
06-12-2008 04:21 AM
Andy
ASAs do not support PBR either as far as I am aware.
Jon
06-13-2008 07:04 AM
Hi Jon
Thanks for the update. Ok, so I put those commands on my router instead (my workstations' default gateway), but I am still getting out to the Internet via the default route on the router, meaning it's still taking 192.168.2.8 out via the T1.
Andy
06-13-2008 10:00 AM
Andy
If you do a "sh ip access-list 101" do you see any hits on the entries?
Could you post config if possible.
Jon
06-19-2008 10:54 AM
Hi Jon - sorry for the delay - got wrapped up in another project. Ok, so a sh ip access-list 101 gives me:
Extended IP access list 101
permit tcp host 192.168.2.8 any eq www
permit tcp host 192.168.2.8 any eq 443
permit tcp host 192.168.2.8 any
I am attaching a config as well. Thanks for your help!
06-19-2008 01:46 PM
Andy
You need to apply the route-map to an interface. Assuming that fa0/0.1 is the interface that 192.168.2.x addresses arrive at the router
int fa0/0.1
ip policy route-map IT_Internet
Your next hop in your route-map is 72.93.114.2 - this next hop router is adjacent to this router, yes? By this I mean that the router that has an interface with the address of 72.93.114.2 is one hop away from this router.
Jon
06-20-2008 03:13 AM
That was it Jon. I did have to change the next hop address to the inside address of that router rather than the outside. But it's working great now, thanks for all your help!
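Pulling Jon's pieces (ACL, route-map, policy applied on the inbound interface, NAT for return traffic) and Andy's next-hop fix together, here is a complete IOS configuration as an added example; it is not taken from the thread or from Andy's posted config. It assumes a LAN subinterface Fa0/0.1, the T1 on Serial0/0 as the default route, and a separate FIOS router reachable on a shared 192.0.2.0/24 segment via Fa0/0.2; every address except 192.168.2.8 is a constructed placeholder.

```cisco
! Added example, not from the thread. All addresses other than
! 192.168.2.8 are constructed placeholders for this illustration.
!
! 1. Match only the heavy user's web traffic. Note the "host" keyword
!    on the source (the ACL in the question omitted it).
access-list 101 remark PBR: send this host's web traffic via FIOS
access-list 101 permit tcp host 192.168.2.8 any eq www
access-list 101 permit tcp host 192.168.2.8 any eq 443
!
! 2. Route-map. The next hop must be the FIOS router's address on the
!    subnet it shares with this router (its inside side), not the
!    public address on its far side. Packets that match no clause
!    fall through to the routing table, i.e. the T1 default route.
route-map IT_Internet permit 10
 match ip address 101
 set ip next-hop 192.0.2.1
!
! 3. PBR only acts on packets ENTERING an interface, so the policy
!    goes on the LAN-facing subinterface, not on a WAN interface.
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip policy route-map IT_Internet
!
! Segment shared with the FIOS router. It is deliberately neither
! "nat inside" nor "nat outside", so traffic sent there is not
! translated here; the FIOS router NATs it to its own public address.
interface FastEthernet0/0.2
 encapsulation dot1Q 20
 ip address 192.0.2.2 255.255.255.0
!
! 4. Return traffic: everything still leaving via the T1 is NATted to
!    the T1's public address here, so replies come back on the same
!    link each request left on.
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
ip route 0.0.0.0 0.0.0.0 203.0.113.1
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat inside source list 10 interface Serial0/0 overload
!
! 5. Verify: both counters should climb while 192.168.2.8 browses.
!    show ip access-lists 101
!    show route-map IT_Internet
```

If the ACL counters climb but the route-map's "policy routing matches" stay at zero, the policy is not applied on the interface the host's packets actually arrive on.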
06-20-2008 07:13 AM
Glad you got it working Andy, and I appreciate the rating.
Jon
06-20-2008 08:05 AM
!!!!!!!!Change your passwords now that you posted your configs !!!!!!!!!!!!