Policy Routing Help!

Unanswered Question
Jan 7th, 2010

Hi,

I thought I knew how to do Policy Routing and now I think I don't....

This is the situation....

I have a 2821 running c2800nm-advsecurityk9-mz.124-24.T.bin acting as the Internet router.

I have two ISPs directly connected.

I have two default gateways (one principal and the other backup)

ip route 0.0.0.0 0.0.0.0 FIRST_ISP 10

ip route 0.0.0.0 0.0.0.0 SECOND_ISP 20

I am doing NAT for both connections:

ip nat inside source route-map METRO interface GigabitEthernet0/1 overload

ip nat inside source route-map SHDSL interface GigabitEthernet0/0.11 overload

route-map METRO permit 10

match ip address ACL_METRO

set interface GigabitEthernet 0/1

route-map SHDSL permit 10

match ip address ACL_SHDSL

set interface GigabitEthernet 0/0.11

ip access-list extended ACL_METRO permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended ACL_SHDSL permit ip 192.168.1.0 0.0.0.255 any

So, everybody goes out to the Internet via the SHDSL (which is the FIRST_ISP), and if it fails, they get out via the METRO ISP.

The problem is with the servers. I have these NAT rules:

ip nat inside source static 192.168.2.78 201.195.231.152 route-map METRO_78

route-map METRO_78 permit 10
match ip address ACL_METRO_78
match interface GigabitEthernet0/1

Extended IP access list ACL_METRO_78
    10 deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.78 any (888630 matches)

Because I want that if server 192.168.2.78 gets to the router, it gets translated to 201.195.231.152 and routed via the Metro ISP (this is not happening). It always prefers the SHDSL ISP.

What do I need to change in the route-maps to make them work?

Thanks!

Federico.

Federico Coto F... Thu, 01/07/2010 - 19:11

I tried setting the next-hop as you mention and it still does not work....

I am wondering if it makes any difference that I'm applying the route-map to the static NAT instead of to the incoming interface.....

But that's where i need the route map.

Any ideas?

Jon Marshall Fri, 01/08/2010 - 02:53

coto.fusionet wrote:

Hi,

I thought I knew how to do Policy Routing and now I think I don't....

This is the situation....

I have a 2821 running c2800nm-advsecurityk9-mz.124-24.T.bin acting as the Internet router.

I have two ISPs directly connected.

I have two default gateways (one principal and the other backup)

ip route 0.0.0.0 0.0.0.0 FIRST_ISP 10

ip route 0.0.0.0 0.0.0.0 SECOND_ISP 20

I am doing NAT for both connections:

ip nat inside source route-map METRO interface GigabitEthernet0/1 overload

ip nat inside source route-map SHDSL interface GigabitEthernet0/0.11 overload

route-map METRO permit 10

match ip address ACL_METRO

set interface GigabitEthernet 0/1

route-map SHDSL permit 10

match ip address ACL_SHDSL

set interface GigabitEthernet 0/0.11

ip access-list extended ACL_METRO permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended ACL_SHDSL permit ip 192.168.1.0 0.0.0.255 any

So, everybody goes out to the Internet via the SHDSL (which is the FIRST_ISP), and if it fails, they get out via the METRO ISP.

The problem is with the servers. I have these NAT rules:

ip nat inside source static 192.168.2.78 201.195.231.152 route-map METRO_78

route-map METRO_78 permit 10
match ip address ACL_METRO_78
match interface GigabitEthernet0/1

Extended IP access list ACL_METRO_78
    10 deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.78 any (888630 matches)

Because I want that if server 192.168.2.78 gets to the router, it gets translated to 201.195.231.152 and routed via the Metro ISP (this is not happening). It always prefers the SHDSL ISP.

What do I need to change in the route-maps to make them work?

Thanks!

Federico.

Federico

There are a couple of things here.

1) You don't need PBR for the NAT overloading because you are using the same source and destination subnets, i.e.

ip access-list extended ACL_METRO permit ip 192.168.1.0 0.0.0.255 any

ip access-list extended ACL_SHDSL permit ip 192.168.1.0 0.0.0.255 any

so your NAT statements could just be

ip nat inside source list ACL_METRO interface gi0/1 overload

ip nat inside source list ACL_SHDSL interface gi0/0.11

2) The docs are a little unclear as to how this works and I can't remember, but I would also try adding this route-map to the interface, i.e. the interface that the 192.168.2.78 traffic arrives at the router on -

int fa0/0

ip policy route-map METRO_78

Jon

Federico Coto F... Fri, 01/08/2010 - 04:30

Thank you,

But I don't want the policy route-map applied to the incoming interface because I have a lot of traffic coming in, and I only want the rules to apply to the static NATs.

That's why I have the policy route-maps applied to the static NATs as follows:

ip nat inside source route-map METRO interface GigabitEthernet0/1 overload
ip nat inside source route-map SHDSL interface GigabitEthernet0/0.11 overload

ip nat inside source static 192.168.2.75 201.195.231.150 route-map METRO_75
ip nat inside source static 192.168.2.77 201.195.231.151 route-map METRO_77
ip nat inside source static 192.168.2.78 201.195.231.152 route-map METRO_78

route-map METRO_78 permit 10
match ip address ACL_METRO_78
match interface GigabitEthernet0/1
route-map METRO_75 permit 10
match ip address ACL_METRO_75
match interface GigabitEthernet0/1
set ip next-hop 201.195.231.145
route-map METRO_77 permit 10
match ip address ACL_METRO_77
match interface GigabitEthernet0/1
route-map SHDSL permit 10
match ip address ACL_SHDSL
match interface GigabitEthernet0/0.11
route-map METRO permit 10
match ip address ACL_METRO
match interface GigabitEthernet0/1

IT_2821_Primario#sh access-l ACL_METRO_78
Extended IP access list ACL_METRO_78
    10 deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.78 any (903911 matches)
IT_2821_Primario#sh access-l ACL_METRO_77
Extended IP access list ACL_METRO_77
    10 deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.77 any
IT_2821_Primario#sh access-l ACL_METRO_75
Extended IP access list ACL_METRO_75
    10 deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
    20 permit ip host 192.168.2.75 any (145964 matches)
IT_2821_Primario#sh access-l ACL_SHDSL  
Extended IP access list ACL_SHDSL
    10 permit ip 192.168.1.0 0.0.0.255 any (572855 matches)
    20 permit ip 192.168.2.0 0.0.0.255 any (1554754 matches)
    30 permit ip 192.168.3.0 0.0.0.255 any (681 matches)
IT_2821_Primario#sh access-l ACL_METRO
Extended IP access list ACL_METRO
    10 permit ip 192.168.100.0 0.0.0.255 any (523 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (296300 matches)
    30 permit ip 192.168.2.0 0.0.0.255 any (1136535 matches)
    40 permit ip 192.168.3.0 0.0.0.255 any (493 matches)

ip route 0.0.0.0 0.0.0.0 201.195.91.49 10 track 100
ip route 0.0.0.0 0.0.0.0 201.195.231.145 30 track 300

interface GigabitEthernet0/0.11
encapsulation dot1Q 11
ip address 201.195.91.54 255.255.255.240

ip nat outside

interface GigabitEthernet0/1
ip address 201.195.231.154 255.255.255.240

ip nat outside

interface FastEthernet0/0/0
ip address 192.168.100.6 255.255.255.0

ip nat inside

###################################################################################################

So, basically what I want to do is the following:

I want all internal users from the 192.168.1.0, 2.0 and 3.0 networks to get out my primary ISP (interface GigabitEthernet0/0.11).

Then, I want the servers 192.168.2.75, 2.77, 2.78 to get out using the secondary ISP (interface GigabitEthernet0/1)

But when they get out to the Internet, they get out using the primary ISP. This is telling me the route-maps are not working. I thought the route-maps would work if I just applied them to the static NAT statement.

If there's a way to apply the route-map to the incoming interface (Fast 0/0/0) without disrupting all other network traffic, that would work.

Please advise!

Federico.

Federico Coto F... Fri, 01/08/2010 - 04:38

Just to clarify, I've tried entering the command:

set ip next-hop 201.195.231.145

in all the route-maps applied to the servers, and they still get out to the Internet using the primary connection.

Giuseppe Larosa Fri, 01/08/2010 - 05:07

Hello Federico,

I'm afraid you need the PBR on the incoming interface.

However, the PBR implementation is more efficient in modern IOS images, so the added load may be acceptable.

I would suggest testing it during a low-traffic interval and comparing CPU usage with and without.

Hope to help

Giuseppe

Jon Marshall Fri, 01/08/2010 - 05:05

coto.fusionet wrote:

###################################################################################################

So, basically what I want to do is the following:

I want all internal users from the 192.168.1.0, 2.0 and 3.0 networks to get out my primary ISP (interface GigabitEthernet0/0.11).

Then, I want the servers 192.168.2.75, 2.77, 2.78 to get out using the secondary ISP (interface GigabitEthernet0/1)

But when they get out to the Internet, they get out using the primary ISP. This is telling me the route-maps are not working. I thought the route-maps would work if I just applied them to the static NAT statement.

If there's a way to apply the route-map to the incoming interface (Fast 0/0/0) without disrupting all other network traffic, that would work.

Please advise!

Federico.

Federico

Add a specific route-map for the servers, i.e.

access-list 101 deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
access-list 101 deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
access-list 101 deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
access-list 101 permit ip host 192.168.2.75 any
access-list 101 permit ip host 192.168.2.77 any
access-list 101 permit ip host 192.168.2.78 any

route-map SERVERS permit 10
match ip address 101
set ip next-hop 201.195.231.145

int fa0/0/0
ip policy route-map SERVERS

This will only affect the server traffic and nothing else.

I don't have time today but I will lab up your config to see if you do indeed need to apply a route-map to the interface. As I say, I simply can't remember if you do or you don't. Perhaps someone else may be able to step in. But I would try adding the above config and see if it works.

Jon

Federico Coto F... Fri, 01/08/2010 - 05:40

Thank you for your reply!

Please let me know if this config should also work then....

route-map ALL-TRAFFIC permit 10
match ip address match-ALL-traffic1
set ip next-hop 201.195.231.145

route-map ALL-TRAFFIC permit 20
match ip address match-ALL-traffic2
set ip next-hop 201.195.91.49

ip access-list extended match-ALL-traffic1
deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
deny ip host 192.168.2.79 192.168.32.0 0.0.0.255
permit ip host 192.168.2.75 any
permit ip host 192.168.2.77 any
permit ip host 192.168.2.78 any
permit ip host 192.168.2.79 any
deny ip 192.168.1.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.3.0 0.0.0.255 any

ip access-list extended match-ALL-traffic2
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any

ip nat inside source static 192.168.2.75 201.195.231.150
ip nat inside source static 192.168.2.77 201.195.231.151
ip nat inside source static 192.168.2.78 201.195.231.152
ip nat inside source static 192.168.2.79 201.195.231.153

interface FastEthernet0/0/0 
ip policy route-map ALL-TRAFFIC

#################################################################

I just want to make sure that only the servers 2.75, 77, 78 and 79 will go out the secondary ISP, and the networks 192.168.1.0, 2.0 and 3.0 will go out the primary link.

I don't need any route maps on the static NAT then?

Thank you again!

Federico.

Jon Marshall Fri, 01/08/2010 - 05:45

coto.fusionet wrote:

Thank you for your reply!

Please let me know if this config should also work then....

route-map ALL-TRAFFIC permit 10
match ip address match-ALL-traffic1
set ip next-hop 201.195.231.145

route-map ALL-TRAFFIC permit 20
match ip address match-ALL-traffic2
set ip next-hop 201.195.91.49

ip access-list extended match-ALL-traffic1
deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
deny ip host 192.168.2.79 192.168.32.0 0.0.0.255
permit ip host 192.168.2.75 any
permit ip host 192.168.2.77 any
permit ip host 192.168.2.78 any
permit ip host 192.168.2.79 any
deny ip 192.168.1.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.3.0 0.0.0.255 any

ip access-list extended match-ALL-traffic2
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any

ip nat inside source static 192.168.2.75 201.195.231.150
ip nat inside source static 192.168.2.77 201.195.231.151
ip nat inside source static 192.168.2.78 201.195.231.152
ip nat inside source static 192.168.2.79 201.195.231.153

interface FastEthernet0/0/0 
ip policy route-map ALL-TRAFFIC

#################################################################

I just want to make sure that only the servers 2.75, 77, 78 and 79 will go out the secondary ISP, and the networks 192.168.1.0, 2.0 and 3.0 will go out the primary link.

I don't need any route maps on the static NAT then?

Thank you again!

Federico.

Federico

You don't need route-maps for the static NATs if you always want to translate the 192.168.2.7x address to its equivalent 201.195.231.15x address.

Also, you do not need to PBR the non-server traffic because the default route will take care of that. You only need PBR where you want the traffic to go via a different next-hop, so you can remove from your config -

ip access-list extended match-ALL-traffic2
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any

route-map ALL-TRAFFIC permit 20
match ip address match-ALL-traffic2
set ip next-hop 201.195.91.49

and also you can change the ACL match-ALL-traffic1 from

ip access-list extended match-ALL-traffic1
deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
deny ip host 192.168.2.79 192.168.32.0 0.0.0.255
permit ip host 192.168.2.75 any
permit ip host 192.168.2.77 any
permit ip host 192.168.2.78 any
permit ip host 192.168.2.79 any
deny ip 192.168.1.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.3.0 0.0.0.255 any

to

ip access-list extended match-ALL-traffic1
deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
deny ip host 192.168.2.79 192.168.32.0 0.0.0.255
permit ip host 192.168.2.75 any
permit ip host 192.168.2.77 any
permit ip host 192.168.2.78 any
permit ip host 192.168.2.79 any
deny ip any any

Jon

Federico Coto F... Fri, 01/08/2010 - 12:36

Jon,

Thank you for your help.

It actually worked, but now for some reason some servers work and others don't....

Anyway, I'm going to have to investigate a bit more on what's going on exactly....

I just want to ask one more question....

What is the purpose of a route-map applied to a static NAT on a router? i.e.

ip nat inside source static 192.168.2.79 201.195.91.53 route-map ROUTE_MAP_79

As far as I understand, routing comes before NAT, so unless this route-map is applied to the incoming interface, it won't do anything, correct?

Or am I missing something?

Thank you again.

Federico.

Jon Marshall Fri, 01/08/2010 - 12:42

coto.fusionet wrote:

Jon,

Thank you for your help.

It actually worked, but now for some reason some servers work and others don't....

Anyway, I'm going to have to investigate a bit more on what's going on exactly....

I just want to ask one more question....

What is the purpose of a route-map applied to a static NAT on a router? i.e.

ip nat inside source static 192.168.2.79 201.195.91.53 route-map ROUTE_MAP_79

As far as I understand, routing comes before NAT, so unless this route-map is applied to the incoming interface, it won't do anything, correct?

Or am I missing something?

Thank you again.

Federico.

Federico

The purpose of a route-map for a static NAT is if you want to do conditional NAT, e.g. you want to NAT 192.168.5.1 to 195.17.17.1 but only when 192.168.5.1 is sending packets to the 192.12.12.0/24 subnet.

If you wanted to always NAT 192.168.5.1 to 195.17.17.1 regardless of where 192.168.5.1 is sending packets, then you don't need a route-map; you can just use a normal static NAT statement.

Jon
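
The two mechanisms discussed in this thread, modelled side by side. This is an added example, not Federico's or Jon's configuration and not Cisco code: a small Python model of how IOS evaluates Jon's `match-ALL-traffic1` ACL inside a route-map applied with `ip policy route-map` (first match wins; the explicit denies for 192.168.32.0/24 and the trailing `deny ip any any` make those packets fall through to the routing table instead of being sent to the secondary ISP), how the two tracked default routes take over when PBR declines a packet, and, for Jon's explanation just above, what a route-map on a static NAT does and does not do: it conditions the translation on the destination, it never changes the next-hop. The ACL, the next-hops and the 192.168.5.1 / 195.17.17.1 / 192.12.12.0/24 illustration are taken from the thread; the internal route for 192.168.32.0/24, the track state of the defaults and the 198.51.100.7 destination are constructed, and only contiguous wildcard masks are handled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Clause:
    seq: int             # route-map sequence number
    acl: tuple           # parsed entries of the 'match ip address' ACL
    next_hop: str        # value of 'set ip next-hop'


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard>'.
    Assumption of this model: wildcard masks are contiguous (inverse of a netmask)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    netmask = IPv4Address(int(IPv4Address(tokens[1])) ^ 0xFFFFFFFF)  # invert wildcard
    return ip_network(f"{tokens[0]}/{netmask}"), tokens[2:]


def parse_acl(text: str) -> tuple:
    """Parse the permit/deny lines of an extended named ACL; the header line is skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {raw!r}")
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append(AclEntry(tokens[0], src, dst))
    return tuple(entries)


def acl_result(entries, src: IPv4Address, dst: IPv4Address) -> str:
    """Top-down, first match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for e in entries:
        if src in e.src and dst in e.dst:
            return e.action
    return "deny"


def pbr_next_hop(route_map, src, dst):
    """A clause applies only when its ACL permits the packet. A deny, explicit or
    implicit, means 'not this clause'; when no clause applies, PBR declines (None)."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if acl_result(clause.acl, src, dst) == "permit":
            return clause.next_hop
    return None


def table_next_hop(routes, dst: IPv4Address):
    """Longest prefix wins, then lowest administrative distance. Routes whose track
    object is down are withdrawn, which is how the two tracked defaults fail over."""
    usable = [r for r in routes if r["up"] and dst in ip_network(r["prefix"])]
    if not usable:
        return None
    best = max(usable, key=lambda r: (ip_network(r["prefix"]).prefixlen, -r["ad"]))
    return best["next_hop"]


def forward(src: str, dst: str, route_map, routes):
    """Ingress order on the inside interface: 'ip policy route-map' is consulted first,
    the routing table only when PBR declines the packet."""
    s, d = IPv4Address(src), IPv4Address(dst)
    return pbr_next_hop(route_map, s, d) or table_next_hop(routes, d)


def conditional_static_nat(inside: str, outside: str, acl, src: str, dst: str) -> str:
    """'ip nat inside source static <inside> <outside> route-map X' as Jon describes it:
    translate the source only when the route-map's ACL permits this src/dst pair.
    Nothing here selects a next-hop, which is why it could not steer the servers."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if s == IPv4Address(inside) and acl_result(acl, s, d) == "permit":
        return outside
    return src


# ACL and next-hops are Jon's from the thread; the 192.168.32.0/24 route and the
# track state of the two defaults are constructed for this model.
SERVERS_ACL = parse_acl("""
ip access-list extended match-ALL-traffic1
deny ip host 192.168.2.75 192.168.32.0 0.0.0.255
deny ip host 192.168.2.77 192.168.32.0 0.0.0.255
deny ip host 192.168.2.78 192.168.32.0 0.0.0.255
deny ip host 192.168.2.79 192.168.32.0 0.0.0.255
permit ip host 192.168.2.75 any
permit ip host 192.168.2.77 any
permit ip host 192.168.2.78 any
permit ip host 192.168.2.79 any
deny ip any any
""")
ALL_TRAFFIC = [Clause(10, SERVERS_ACL, "201.195.231.145")]
ROUTES = [
    {"prefix": "0.0.0.0/0", "next_hop": "201.195.91.49", "ad": 10, "up": True},      # track 100
    {"prefix": "0.0.0.0/0", "next_hop": "201.195.231.145", "ad": 30, "up": True},    # track 300
    {"prefix": "192.168.32.0/24", "next_hop": "192.168.100.1", "ad": 1, "up": True},  # constructed
]
# Jon's conditional-NAT illustration: 192.168.5.1 -> 195.17.17.1 only toward 192.12.12.0/24.
COND_NAT_ACL = parse_acl("permit ip host 192.168.5.1 192.12.12.0 0.0.0.255")
```

`forward("192.168.2.78", "198.51.100.7", ALL_TRAFFIC, ROUTES)` returns the secondary ISP next-hop, the same server toward 192.168.32.9 is denied by the route-map and follows the internal route, and a 192.168.1.0/24 user hits the final `deny ip any any` and takes whichever default route is currently tracked up. Dropping that last deny would leave the implicit deny to do the same job, but stating it makes the intent reviewable; dropping the 192.168.32.0/24 denies would send internal server-to-server traffic toward the ISP.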

Federico Coto F... Wed, 01/13/2010 - 12:30

Hi Jon,

This is the situation now...

Traffic from the inside network to the Internet works fine.

I am having problems with traffic from the Internet clients reaching the internal servers.

I think the problem is that I have the same static NAT statements on both HSRP routers, for instance the NAT statements:

ip nat inside source static 192.168.2.175 201.195.91.50
ip nat inside source static 192.168.2.177 201.195.91.51
ip nat inside source static 192.168.2.178 201.195.91.52
ip nat inside source static 192.168.2.179 201.195.91.53

I have these rules on both routers, and what is happening is that clients from the Internet can reach the server via either router.....

So, I'm getting duplicate addresses on both routers.... and troubles with the communication.....

I am wondering if the solution to this problem is SNAT?

Thank you,

Federico.