04-12-2010 11:27 AM - edited 03-04-2019 08:07 AM
I have set up PBR to direct traffic to a particular interface, but it's not working.
I have the following config:
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 172.24.201.190 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map DLM_SUBNET_TRAFFIC
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 172.25.0.100 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address dhcp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description $ES_WAN$
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
....
access-list 110 permit ip 172.24.110.0 0.0.0.255 any
access-list 120 permit ip 172.24.120.0 0.0.0.255 any
!
!
!
!
route-map DLM_SUBNET permit 10
set ip next-hop 198.0.0.0
!
route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set interface GigabitEthernet0/2
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0
!
Should I not use the SET INTERFACE on the route-map? How can I direct traffic to an interface that gets a dhcp address from the DSL modem?
Thanks.
04-12-2010 12:26 PM
Hello,
Sequence 20 points to an interface that's shut ('f0/0/0'); you'll need to change it. You can use the set interface command to send traffic on a DHCP-enabled interface. Verify the NAT is correct, and where is your nat statement in the config?
04-12-2010 12:31 PM
Hi,
For my tests I wanted to make sure traffic was going out correctly. I have a laptop using the router as a gateway and the IP set to 172.24.110.10. If I change the IP of the laptop to 172.24.120.10, I would expect the web to not display.
If the other interface is not up, will that affect the traffic going out interface GigabitEthernet0/2? On the router I can ping 4.2.2.2 no problem.
If I change the laptop to use a 172.24.201.xx IP I get a webpage. As soon as I give it a 172.24.110.xx it stops working.
Thanks.
Sorry, my original config had a set interface going to GigabitEthernet0/2. I changed it to ip 198.0.0.0 for a test.
When I change it to 'set interface' I get:
wfsrtr1(config-route-map)#no set ip next-hop 192.0.0.0
wfsrtr1(config-route-map)#set interface gig0/2
%Warning:Use P2P interface for routemap set
interface clause
The net setting looks like this:
route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set interface GigabitEthernet0/2
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0
04-12-2010 12:40 PM
Hello,
Change your route-map 20 to 'set interface Null 0'; this will black hole the traffic also. The interface being down will not affect the other traffic.
"If I change the laptop to use a 172.24.201.xx ip I get a webpage. As soon as I give it a 172.24.110.xx it stops working." Where is your nat statement? I don't see it in the config.
Can you paste your nat statement also? Also, what subnet are you setting on the laptop? If you are running Windows, open a command prompt and do a 'route print'. Verify the routing on the laptop.
04-12-2010 12:47 PM
wfsrtr1(config-route-map)#no set ip next-hop 192.0.0.0
wfsrtr1(config-route-map)#set interface gig0/2
%Warning:Use P2P interface for routemap set
interface clause
Try 'set default interface g0/2' or 'set ip next-hop x.x.x.x'. This would be the LAN side of your internet.
04-12-2010 12:47 PM
Thanks.
My laptop is set to use gateway 172.24.201.190 (the router).
The IP is 172.24.201.110.10 / 255.255.255.0
My router config is as follows:
!
! Last configuration change at 19:41:39 UTC Mon Apr 12 2010 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wfsrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name w3k.wfsltd.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1058945512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1058945512
revocation-check none
rsakeypair TP-self-signed-1058945512
!
!
crypto pki certificate chain TP-self-signed-1058945512
certificate self-signed 01
quit
license udi pid CISCO2921/K9 sn FTX1350AHE7
!
!
username admin privilege 15 secret 5 $1$O6Kf$I6p/t1uGFxFANC9y7YfiU/
!
redundancy
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 172.24.201.190 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map DLM_SUBNET_TRAFFIC
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 172.25.0.100 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address dhcp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description $ES_WAN$
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/2 overload
!
access-list 23 permit 172.24.0.0 0.0.255.255
access-list 100 permit ip 172.24.0.0 0.0.255.255 any
access-list 110 permit ip 172.24.110.0 0.0.0.255 any
access-list 120 permit ip 172.24.120.0 0.0.0.255 any
!
!
!
!
route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set interface GigabitEthernet0/2
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0
set interface Null 0
!
!
!
control-plane
!
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username
no username cisco
Replace
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
04-12-2010 12:50 PM
The problem you have is that "set interface ..." expects a P2P link, and Ethernet isn't a P2P link.
Try this instead under your route-map config:
set ip next-hop dynamic dhcp
Jon
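As an added example (not code from this thread, from Cisco, or from any of the posters), a small Python linter that reads an IOS-style config and flags the route-map pitfalls the replies above identify: a set interface clause pointing at a shut interface, at an Ethernet (non-P2P) interface, or at a DHCP-addressed interface where 'set ip next-hop dynamic dhcp' is the advice, and a clause with no Null0 fallback so traffic would fall through to the default route. The sample config is a constructed, condensed copy of the poster's; parse_blocks and lint_pbr are names I chose.

```python
# Constructed sample condensed from the poster's config; not the router's live output.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 ip address dhcp
!
interface FastEthernet0/0/0
 shutdown
!
route-map DLM_SUBNET_TRAFFIC permit 10
 match ip address 110
 set interface GigabitEthernet0/2
!
route-map DLM_SUBNET_TRAFFIC permit 20
 match ip address 120
 set interface FastEthernet0/0/0 Null0
"""

def parse_blocks(cfg):
    """Group an IOS config into (header, [sub-lines]); indented lines belong to the header above."""
    blocks, header, body = [], None, []
    for line in cfg.splitlines():
        if line.startswith(" ") and header:
            body.append(line.strip())
        elif line.strip() not in ("", "!"):  # '!' and blank lines are separators
            header, body = line.strip(), []
            blocks.append((header, body))
    return blocks

def lint_pbr(cfg):
    """Flag the route-map pitfalls raised in the thread; returns a list of finding strings."""
    blocks = parse_blocks(cfg)
    ifaces = {h.split()[1]: b for h, b in blocks if h.startswith("interface ")}
    findings = []
    for header, body in blocks:
        if not header.startswith("route-map "):
            continue
        seq = header.split()[-1]
        targets = [t for l in body if l.startswith("set interface ") for t in l.split()[2:]]
        real = [t for t in targets if not t.startswith("Null")]  # Null0 is the black-hole fallback
        for t in real:
            sub = ifaces.get(t, [])
            if "shutdown" in sub:
                findings.append(f"seq {seq}: {t} is administratively shut")
            if t.startswith(("GigabitEthernet", "FastEthernet")):
                findings.append(f"seq {seq}: {t} is Ethernet, not P2P; IOS warns on set interface")
            if "ip address dhcp" in sub:
                findings.append(f"seq {seq}: {t} is DHCP-addressed; use 'set ip next-hop dynamic dhcp'")
        if targets and len(real) == len(targets):
            findings.append(f"seq {seq}: no Null0 fallback; traffic falls through to the default route")
    return findings
```

Running lint_pbr over the sample reports three findings for sequence 10 and two for sequence 20.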
04-12-2010 01:31 PM
Thanks to all of you who helped. Turns out, it's a dns issue..
04-12-2010 01:33 PM
Glad you got it resolved.
04-12-2010 01:41 PM
Let me just say once again, I appreciate all the help from all of you. You are awesome.
I'm pretty green and I'm struggling through it, so your help is very appreciated.
To summarize what worked:
- Added the set interface Null 0 to both interfaces so traffic won't hit what will be the default route (T1). Currently it's the DSL.
- Changed the next hop on the g0/2 interface. The IP will change, but the gateway on the modem will not.
Here is a complete config.
!
! Last configuration change at 20:36:56 UTC Mon Apr 12 2010 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wfsrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name w3k.wfsltd.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1058945512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1058945512
revocation-check none
rsakeypair TP-self-signed-1058945512
!
!
crypto pki certificate chain TP-self-signed-1058945512
certificate self-signed 01
quit
license udi pid CISCO2921/K9 sn FTX1350AHE7
!
!
username admin privilege 15 secret 5 $1$O6Kf$I6p/t1uGFxFANC9y7YfiU/
!
redundancy
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 172.24.201.190 255.255.0.0
ip nat inside
ip virtual-reassembly
ip policy route-map DLM_SUBNET_TRAFFIC
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
ip address 172.25.0.100 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address dhcp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
description $ES_WAN$
no ip address
shutdown
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/2 overload
!
access-list 23 permit 172.24.0.0 0.0.255.255
access-list 100 permit ip 172.24.0.0 0.0.255.255 any
access-list 110 permit ip 172.24.110.0 0.0.0.255 any
access-list 120 permit ip 172.24.120.0 0.0.0.255 any
!
!
!
!
route-map DLM_SUBNET_TRAFFIC permit 10
match ip address 110
set ip next-hop 192.168.254.254
set interface Null0
!
route-map DLM_SUBNET_TRAFFIC permit 20
match ip address 120
set interface FastEthernet0/0/0 Null0
!
!
!
control-plane
!
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username
no username cisco
Replace
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end