c2821 policy routing issue

schughtai
Level 1

Guys - could you take a quick look at this config and let me know what I'm missing.

I've included the diag and config. Basically the 2821 is acting as a hub with 2 spokes (3 if you include the DSL connection once it's configured).

The first spoke is connected to an existing Verizon network and the second spoke to the BT network.

The customer wishes to send existing VPN traffic over Verizon, SMTP over BT and everything else over the DSL.

The issue that I have is that I cannot get the routing policy to do this, but I do see traffic going across the interfaces. Is there anything obvious that comes to mind?

From the c2821 I have visibility of both devices when I "sh cdp nei" and ping the open interfaces. Verizon have blocked pings and some ICMP traffic on their interface, but the BT interfaces are open.

I also have visibility of both networks from the customer LAN behind the firewall.

The 2821 has an HWIC-4ES - I cannot configure its ports directly as routed interfaces without creating VLANs on the WAN side.

Any suggestions as to what I might be missing would help me a lot. Thanks in advance, S

2 Replies

mheusing
Cisco Employee

Hi,

an excerpt from your config:

interface Vlan2
 description **** Checkpoint FW and Internal LAN ****
 no ip address
 ip access-group 101 in
 ip access-group 101 out
 ip policy route-map BT_OR_VERIZON
 shutdown
!
interface Vlan3
 description *** FE to Verizon ***
 ip address 195.217.166.61 255.255.255.192
 ip access-group 101 in
 ip access-group 101 out
 ip policy route-map BT_OR_VERIZON
!
interface Vlan4
 description *** FE to BT ***
 ip address 81.145.134.226 255.255.255.224
 ip access-group 101 in
 ip access-group 101 out
!
ip classless
ip route 0.0.0.0 0.0.0.0 195.217.166.62
!
ip http server
no ip http secure-server
!
access-list 100 permit tcp any any eq smtp log
access-list 101 permit icmp any any echo log
access-list 101 permit udp any any eq echo
access-list 101 permit udp any any eq isakmp log
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 permit esp any any log
route-map BT_OR_VERIZON permit 10
 match ip address 100
 set default interface Vlan4
!

Some remarks:

1) The ACL 100 should direct traffic, but this traffic is not allowed by ACL 101. So I assume you are dropping any packet entering Vlan3, which could be policy routed.

2) The Vlan2 interface does not have any IP address configured and is shutdown and thus IP traffic will be dropped.

3) Apply PBR on the interface receiving the traffic

4) Is this the whole config or did you cut out some portions?

Suggestion:

1) add an IP address to interface Vlan2

2) Modify ACL 101 to allow SMTP traffic. As you are applying the ACL in both directions, it likely should look like:

access-list 101 permit icmp any any log
access-list 101 permit udp any any eq echo
access-list 101 permit udp any any eq isakmp log
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 permit esp any any log
access-list 101 permit udp any eq echo any
access-list 101 permit udp any eq isakmp any log
access-list 101 permit udp any eq non500-isakmp any log
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any eq smtp any

3) Create per-interface ACLs, because the traffic is different.

4) Set an explicit next hop in your route-map for PBR. Only pointing to a broadcast interface relies on proxy-ARP being functional, which might or might not be the case.

5) Apply PBR on the interface receiving the traffic.

Hope this helps! Please use the rating system.

Regards,

Martin

Hi Martin

Many Thanks for your response.

The config is very basic and nothing has been removed.

VLAN 2 is shut down as it is not being used. I have put FE0/0/3 (incoming traffic from the FW) in VLAN 3 as it resides in the same subnet as the Verizon subnet, i.e. the 195.217.166.x subnet, so basically FE0/0/3 and FE0/0/0 (spoke to the Verizon router) lie in the same subnet. I will modify access-list 101 as you suggested to see if that helps, and explicitly set the next hop to 81.145.134.225, which will hopefully allow the traffic to go via this link. The PBR is applied to the ingress port at the moment.
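As an added example (not configuration from the thread, from Cisco, or from either poster), here is the design Martin's reply describes written out as one complete IOS fragment: the firewall link on its own ingress VLAN with PBR applied there, a separate ACL pair per WAN link, and explicit next hops in the route-map. The Verizon and BT addresses come from the posted config, and the BT next hop 81.145.134.225 from the follow-up; the Vlan2 address 192.0.2.1/30 is an assumed placeholder for the firewall link, and the named ACLs and ACL 102 are mine.

```cisco
! Added example: PBR on the 2821 as discussed in the thread, written out in full.
! From the thread: Vlan3 195.217.166.61/26 to Verizon (next hop 195.217.166.62),
! Vlan4 81.145.134.226/27 to BT (next hop 81.145.134.225).
! ASSUMED: the firewall port is moved into Vlan2 on its own subnet
! (192.0.2.0/30 is a placeholder) so the LAN traffic has one ingress interface.
!
! --- traffic classes for the route-map (a permit here means "policy-route") ---
! "log" is dropped: on a match ACL it only costs CPU and classifies nothing.
access-list 100 remark PBR class: outbound SMTP goes to BT
access-list 100 permit tcp any any eq smtp
access-list 102 remark PBR class: IPsec from the Checkpoint FW goes to Verizon
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit esp any any
!
! --- one ACL pair per WAN link, each allowing only that link's traffic ---
! Verizon: IKE/ESP both ways. packet-too-big is kept so PMTUD works for IPsec.
ip access-list extended VERIZON_OUT
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit icmp any any echo
ip access-list extended VERIZON_IN
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit esp any any
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
! BT: SMTP out; inbound only the returning half of those TCP sessions.
ip access-list extended BT_OUT
 permit tcp any any eq smtp
 permit icmp any any echo
ip access-list extended BT_IN
 permit tcp any eq smtp any established
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
!
! --- route-map with explicit next hops instead of "set default interface" ---
route-map BT_OR_VERIZON permit 10
 match ip address 100
 set ip next-hop 81.145.134.225
route-map BT_OR_VERIZON permit 20
 match ip address 102
 set ip next-hop 195.217.166.62
! No further clause: unmatched traffic falls through to the routing table,
! i.e. the static default below (re-point it at the DSL hop once that exists).
!
interface Vlan2
 description Checkpoint FW and internal LAN (PBR ingress)
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map BT_OR_VERIZON
 no shutdown
!
interface Vlan3
 description FE to Verizon
 ip address 195.217.166.61 255.255.255.192
 ip access-group VERIZON_IN in
 ip access-group VERIZON_OUT out
!
interface Vlan4
 description FE to BT
 ip address 81.145.134.226 255.255.255.224
 ip access-group BT_IN in
 ip access-group BT_OUT out
!
ip route 0.0.0.0 0.0.0.0 195.217.166.62
! The posted config leaves the HTTP server enabled on a router with two
! public-facing links; it is not needed for this design.
no ip http server
```

To check that the policy is actually being hit, watch the "Policy routing matches" counters in "show route-map BT_OR_VERIZON" and the ACE hit counts in "show access-lists" while sending a test SMTP connection; "show ip policy" confirms which interface the route-map is bound to, and "debug ip policy" (on a lab box, or with a restricting ACL) shows each policy decision. Two caveats the thread does not cover: with "set ip next-hop" alone, traffic is still forwarded to the BT hop only while that hop is reachable, so add "verify-availability" with an IP SLA track if BT-link failover matters; and if the firewall sources SMTP from its Verizon-range address, the replies return via Verizon rather than BT and BT's ingress filtering may drop packets with a foreign source, so either NAT BT-bound traffic to 81.145.134.226 on the router or give the firewall a BT address for that traffic.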
