05-19-2010 04:58 PM - edited 03-04-2019 08:32 AM
Greetings, I'm looking at configuring an 1841 for PBR with object tracking for two circuits, one SDSL and one DSL.
I want to send web traffic via the DSL circuit and all other traffic down the SDSL circuit.
I've had a look at the following guide and all seems straightforward enough.
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
Can I just add a second route map with the same preference and specify an ACL matching web traffic, with a default route pointing to the SDSL circuit and a floating static pointing to the DSL circuit? I would also like to fail over between the two circuits in the event of link failure.
I appreciate that NAT and interface settings will need to be changed but would like to understand the concept.
Regards
R1# show running-config
Building configuration...
Current configuration : 1203 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
!
!
track 123 rtr 1 reachability
!
track 124 rtr 2 reachability
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/0
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2/0
ip address 10.10.10.1 255.255.255.0
ip policy route-map alpha
!
ip classless
no ip http server
!
!
!
!
route-map alpha permit 10
match ip address 100
set ip next-hop verify-availability 192.168.0.10 10 track 123
!
route-map alpha permit 10
match ip address 101
set ip next-hop verify-availability 192.168.1.20 20 track 124
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 250
!
control-plane
!
rtr 1
type echo protocol ipIcmpEcho 192.168.0.10
rtr schedule 1 life forever start-time now
!
rtr 2
type echo protocol ipIcmpEcho 192.168.1.20
rtr schedule 2 life forever start-time now
!
access-list 100 remark Route WWW traffic via DSL
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 80
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
!
access-list 101 remark All Other Traffic
access-list 101 deny tcp 10.10.10.0 0.0.0.255 any eq 80
access-list 101 deny tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
!
line con 0
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
login
transport preferred all
transport input all
transport output all
!
!
end
05-19-2010 11:29 PM
Hello Mark,
You need to configure two route-map clauses (blocks) with the same name but different sequence numbers:
route-map alpha permit 10
match ip address 100
set ip next-hop verify-availability 192.168.0.10 10 track 123
!
route-map alpha permit 20
match ip address 101
set ip next-hop verify-availability 192.168.1.20 20 track 124
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 250
You should not use static routes in this way because they rely on IP Proxy ARP being enabled on the neighbor device, and they also cause a lot of ARP activity (multiple ARP requests, one for each destination address, instead of a single ARP request for the next-hop IP address).
A very big ARP table can cause performance issues, and if the neighbor should disable IP Proxy ARP the router would be isolated.
So you should use:
ip route 0.0.0.0 0.0.0.0 ip-next-hop1
ip route 0.0.0.0 0.0.0.0 ip-next-hop2 250
Also, the second route-map clause is not needed at all if it uses the preferred route, because traffic not matched by PBR is not dropped; it is routed using the destination-based IP routing table.
You could use simply the first block for PBR.
route-map alpha permit 10
match ip address 100
set ip next-hop verify-availability 192.168.0.10 10 track 123
!
This is enough for the PBR part.
For NAT you may need a more articulated route-map with two blocks in order to NAT correctly when using link2 instead of link1.
Edit:
You could combine object tracking on the static routes.
Hope to help
Giuseppe
05-20-2010 02:51 AM
Excellent response Giuseppe, thank you. Updated config below.
Just a couple of questions: say the DSL is "Link 2" and the SDSL "Link 1". If the SDSL link failed, would I still be able to send all traffic via the DSL circuit using the default route with the higher metric? I have included the 2nd route map so that I can track the status of both connections, as I have seen SDSL/DSL circuits go down but the interface stay up, and as such the default route would remain in the routing table. Does this make sense?
track 123 rtr 1 reachability
!
track 124 rtr 2 reachability
!
!
interface Ethernet0/0
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2/0
ip address 10.10.10.1 255.255.255.0
ip policy route-map alpha
!
ip classless
no ip http server
!
!
!
!
route-map alpha permit 10
match ip address 100
set ip next-hop verify-availability 192.168.0.10 10 track 123
!
route-map alpha permit 20
match ip address 101
set ip next-hop verify-availability 192.168.1.20 20 track 124
!
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.0.2 250
!
control-plane
!
rtr 1
type echo protocol ipIcmpEcho 192.168.0.10
rtr schedule 1 life forever start-time now
!
rtr 2
type echo protocol ipIcmpEcho 192.168.1.20
rtr schedule 2 life forever start-time now
!
access-list 100 remark Route WWW traffic via DSL
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 80
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
!
access-list 101 remark Route Everything else
access-list 101 permit ip any any
!
05-20-2010 03:29 AM
Hello Mark,
The IP next-hops in the route-map are different from those used in the IP static routes; is this wanted?
Hope to help
Giuseppe
05-20-2010 04:36 AM
Apologies, my mistake; they have been corrected.
!
route-map alpha permit 10
match ip address 100
set ip next-hop verify-availability 192.168.0.2 10 track 123
!
route-map alpha permit 20
match ip address 101
set ip next-hop verify-availability 192.168.1.2 20 track 124
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.0.2 250
Regards