Policy Based Routing with Object Tracking

Mark Rigby
Level 1

Greetings, I'm looking at configuring an 1841 for PBR with object tracking for two circuits, one SDSL and one DSL.

I want to send web traffic via the DSL circuit and all other traffic down the SDSL circuit.

I've had a look at the following guide and all seems straightforward enough.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

Can I just add a second route-map with the same preference and specify an ACL matching web traffic, with a default route pointing to the SDSL circuit and a floating static pointing to the DSL circuit? I would also like to fail over between the two circuits in the event of link failure.

I appreciate that NAT and interface settings will need to be changed but would like to understand the concept.

Regards

R1# show running-config
Building configuration...

Current configuration : 1203 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
clock timezone EST 0
no aaa new-model
ip subnet-zero
no ip domain lookup
!
! Track objects follow the rtr (IP SLA) ICMP probes defined further down
track 123 rtr 1 reachability
!
track 124 rtr 2 reachability
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
! Ethernet0/0 faces the DSL gateway, Ethernet1/0 the SDSL gateway
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
!
! LAN side; the policy is applied to traffic arriving here
interface Ethernet2/0
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map alpha
!
ip classless
no ip http server
!
route-map alpha permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.0.10 10 track 123
!
route-map alpha permit 10
 match ip address 101
 set ip next-hop verify-availability 192.168.1.20 20 track 124
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 250
!
control-plane
!
rtr 1
 type echo protocol ipIcmpEcho 192.168.0.10
rtr schedule 1 life forever start-time now
!
rtr 2
 type echo protocol ipIcmpEcho 192.168.1.20
rtr schedule 2 life forever start-time now
!
! IOS ACLs take wildcard masks: 0.0.0.255 matches 10.10.10.0/24
access-list 100 remark Route WWW traffic via DSL
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 80
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 100 deny   ip any any
!
access-list 101 remark All Other Traffic
access-list 101 deny   tcp 10.10.10.0 0.0.0.255 any eq 80
access-list 101 deny   tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
line con 0
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 login
 transport preferred all
 transport input all
 transport output all
!
end

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Mark,

You need to configure two route-map clauses (blocks) with the same name but different sequence numbers:

route-map alpha permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.0.10 10 track 123
!
route-map alpha permit 20
 match ip address 101
 set ip next-hop verify-availability 192.168.1.20 20 track 124
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 250

You should not use static routes in this way, because they rely on IP proxy ARP being enabled on the neighbor device, and they also cause a lot of ARP activity (multiple ARP requests, one for each destination address, instead of a single ARP request for the next-hop IP address).

A very big ARP table can cause performance issues, and if the neighbor should disable IP proxy ARP the router would be isolated.

So you should use:

ip route 0.0.0.0 0.0.0.0 ip-next-hop1
ip route 0.0.0.0 0.0.0.0 ip-next-hop2 250

Also, the second route-map clause, if using the preferred route, is not needed at all, because traffic not matched by PBR is not dropped; it is routed using the destination-based IP routing table.

You could use simply the first block for PBR.

route-map alpha permit 10
match ip address 100
set ip next-hop verify-availability 192.168.0.10 10 track 123
!

This is enough for the PBR part.

For NAT you may need a more articulated route-map with two blocks in order to NAT correctly when using link 2 instead of link 1.

Edit: you could combine object tracking on the static routes.

Hope to help

Giuseppe

Excellent response Giuseppe, thank you. Updated config below.

Just a couple of questions. Say the DSL is "link 2" and the SDSL "link 1": if the SDSL link failed, would I still be able to send all traffic via the DSL circuit using the default route with the higher metric? I have included the 2nd route-map clause so that I can track the status of both connections, as I have seen SDSL/DSL circuits go down but the interface stay up, in which case the default route would remain in the routing table. Does this make sense?

track 123 rtr 1 reachability
!
track 124 rtr 2 reachability
!
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2/0
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map alpha
!
ip classless
no ip http server
!
route-map alpha permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.0.10 10 track 123
!
route-map alpha permit 20
 match ip address 101
 set ip next-hop verify-availability 192.168.1.20 20 track 124
!
! Default routes now use next-hop addresses instead of exit interfaces
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.0.2 250
!
control-plane
!
rtr 1
 type echo protocol ipIcmpEcho 192.168.0.10
rtr schedule 1 life forever start-time now
!
rtr 2
 type echo protocol ipIcmpEcho 192.168.1.20
rtr schedule 2 life forever start-time now
!
! Wildcard mask 0.0.0.255 matches the 10.10.10.0/24 LAN
access-list 100 remark Route WWW traffic via DSL
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 80
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 443
access-list 100 deny   ip any any
!
access-list 101 remark Route Everything else
access-list 101 permit ip any any

!

Hello Mark,

The IP next hops in the route-map are different from those used in the IP static routes; is this wanted?

Hope to help

Giuseppe

Apologies, my mistake; they have been corrected.


!
route-map alpha permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.0.2 10 track 123
!
route-map alpha permit 20
 match ip address 101
 set ip next-hop verify-availability 192.168.1.2 20 track 124
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.0.2 250


Regards
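Pulling Giuseppe's points (distinct sequence numbers, next-hop addresses rather than exit interfaces in the static routes, object tracking on the static routes, and a two-block NAT route-map) and Mark's failover question (a circuit can die while its Ethernet interface stays up, leaving the default route in the table) together, here is a complete configuration as an added example; it is not any poster's own config. It keeps the thread's addressing (Ethernet0/0 192.168.0.1 towards the DSL gateway 192.168.0.2, Ethernet1/0 192.168.1.1 towards the SDSL gateway 192.168.1.2, LAN 10.10.10.0/24 on Ethernet2/0) and the 12.3 `rtr` syntax. The probe targets 198.51.100.1 and 203.0.113.1 are placeholders for addresses on the far side of each circuit (for example the ISP's DNS servers); the /32 host routes that pin them to their gateways, the probe and delay timers, the interface descriptions and the NAT statements are assumptions, not anything the thread specifies.

```cisco
! Probes: ping a far-end address THROUGH each circuit rather than the
! gateway on the connected subnet, so a dead circuit with a live
! Ethernet link is still detected. (Assumed targets, see lead-in.)
rtr 1
 type echo protocol ipIcmpEcho 198.51.100.1
 frequency 10
 timeout 1000
rtr schedule 1 life forever start-time now
rtr 2
 type echo protocol ipIcmpEcho 203.0.113.1
 frequency 10
 timeout 1000
rtr schedule 2 life forever start-time now
!
! Pin each probe target to its own gateway; otherwise the probe follows
! whichever default route is active and both tracks measure the same path.
ip route 198.51.100.1 255.255.255.255 192.168.0.2
ip route 203.0.113.1 255.255.255.255 192.168.1.2
!
! track 123 = DSL (Ethernet0/0), track 124 = SDSL (Ethernet1/0).
! delay dampens flapping: down after 10 s of failures, up after 30 s of success.
track 123 rtr 1 reachability
 delay down 10 up 30
track 124 rtr 2 reachability
 delay down 10 up 30
!
interface Ethernet0/0
 description DSL circuit
 ip address 192.168.0.1 255.255.255.0
 ip nat outside
interface Ethernet1/0
 description SDSL circuit
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
interface Ethernet2/0
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map alpha
!
! PBR: only web traffic needs a policy. When track 123 is down the set is
! skipped and the packet is forwarded by the routing table (the SDSL
! default) instead. Everything else never matches and is routed normally,
! so the second clause from the thread is not needed.
access-list 100 remark Route WWW traffic via DSL
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 80
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 443
route-map alpha permit 10
 match ip address 100
 set ip next-hop verify-availability 192.168.0.2 10 track 123
!
! Default routes with next-hop addresses (no proxy-ARP dependency) and
! object tracking: the SDSL default is withdrawn when track 124 fails,
! which lets the floating (AD 250) DSL default take over; the reverse
! happens when track 123 fails while the DSL default is in use.
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 124
ip route 0.0.0.0 0.0.0.0 192.168.0.2 250 track 123
!
! NAT must translate to the address of the outside interface the packet
! actually leaves on, hence one statement per circuit, each route-map
! qualified by "match interface".
access-list 10 permit 10.10.10.0 0.0.0.255
route-map NAT-DSL permit 10
 match ip address 10
 match interface Ethernet0/0
route-map NAT-SDSL permit 10
 match ip address 10
 match interface Ethernet1/0
ip nat inside source route-map NAT-DSL interface Ethernet0/0 overload
ip nat inside source route-map NAT-SDSL interface Ethernet1/0 overload
```

To check it, watch `show track` while unplugging the far side of one circuit (not the local cable): the track should go down after the delay, `show ip route` should show the other default installed, and the hit counter in `show route-map alpha` should keep rising for web traffic only while track 123 is up. Two things a practitioner should keep in mind: existing NAT translations are bound to the interface they were created on and need `clear ip nat translation *` after a failover before long-lived flows recover, and the probe target should be an address the ISP commits to answer, since anyone able to make that single host drop ICMP can force a failover on you.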
