02-06-2012 05:34 AM - edited 03-07-2019 04:45 AM
Hi,
I have a router that has two DSL connections, both with dynamic IP.
If in the routing table I have:
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1
Then I can ping both external IPs from the outside, but it seems the router doesn't have access to the internet (i.e. can't ping from the router, can't resolve names, ...). This probably happens if the router selects the source IP of Dialer0 and tries to route the packets through Dialer1 ...
If I put a different metric, then the router has internet access but only the external IP of the Dialer with the lower metric can be reached / pinged from outside.
How can I make Dialer0 the default to use, but still have a route via Dialer1 for when someone tries to talk to the router via its Dialer1 IP from outside?
I thought about a route-map, but I can't match on the source IP of Dialer1 to set the next hop since it's not fixed ...
Cheers,
Sylvain
02-06-2012 06:52 AM
Hi,
You may try this link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml
HTH,
Toshi
02-07-2012 04:16 AM
Hi,
Yes, I've read that. And it works fine for hosts on the LAN behind the router, but _not_ for the router itself.
Cheers,
Sylvain
02-07-2012 05:28 AM
Let me explain what I'm trying to achieve in the end, that might be easier:
I have a router that has:
- 2 distinct WAN accesses, both PPPoE dialers with dynamic IPs assigned from various ranges
- 2 distinct LANs.
I want:
- The router-generated packets to use Dialer0 by default and fall back to Dialer1 if Dialer0 fails.
- The router to respond to incoming connections depending on the IP they connected to (so if I try to SSH to the Dialer1 WAN IP it must respond via the Dialer1 IP)
- The LAN 1 users to be NATed using Dialer0 and fall back to Dialer1 if Dialer0 has no connectivity
- The LAN 2 users to be NATed using Dialer1 and fall back to Dialer0 if Dialer1 has no connectivity
02-07-2012 07:00 AM
Hi Sylvain,
so let's suppose LAN1 is 192.168.1.0/24 and LAN2 is 192.168.2.0/24.
1) The router-generated packets use Dialer0 by default and fall back to Dialer1:
ip route 0.0.0.0 0.0.0.0 dialer0
route-map LOCAL-PBR permit 10
set default interface dialer1
exit
ip local policy route-map LOCAL-PBR
3) The LAN 1 users to be NATed using Dialer0 and fall back to Dialer1 if Dialer0 has no connectivity
4) The LAN 2 users to be NATed using Dialer1 and fall back to Dialer0 if Dialer1 has no connectivity
ip route 0.0.0.0 0.0.0.0 dialer0
access-list 198 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
route-map PBR-LAN1 permit 10
match ip address 198
set interface dialer0 dialer1
route-map PBR-LAN2 permit 10
match ip address 199
set interface dialer1 dialer0
exit
int vlan 1
ip policy route-map PBR-LAN1
int vlan 2
ip policy route-map PBR-LAN2
route-map NAT-DIALER0
match ip address 198 199
match interface dialer0
route-map NAT-DIALER1
match ip address 198 199
match interface dialer1
exit
ip nat inside source route-map NAT-DIALER0 interface dialer0
ip nat inside source route-map NAT-DIALER1 interface dialer1
2) The router to respond to incoming connections depending on the IP they connected to (so if I try to SSH to the Dialer1 WAN IP it must respond via the Dialer1 IP)
If this is for static NAT or PAT then it is doable, but if this is for traffic destined to the router itself then it will not be compatible with point 1.
Tell us if this is what you want for this point, and try the snippets I gave you and tell us if it works.
Regards.
Alain
02-07-2012 08:44 AM
Hi Alain,
Thanks for taking the time to answer me.
- The first part doesn't work though. If I add this config, the router can't ping the outside at all (without explicitly specifying the source IP to use).
My understanding of the source IP chosen by IOS "by default" is that it looks into the routing table (only the routing table, it ignores PBR) to know what interface would be used to reach the destination and then it chooses that interface's address as source IP. Then it generates the packet and feeds it to the local process (and only then is PBR taken into account).
So when I try to ping a random IP with this config, it looks up the destination (which would be Dialer0), then it generates the packet, and then the PBR tells it to route it via 'Dialer1'.
The doc says that 'set default interface dialer1' will only set the interface if there was no hit in the routing table; however, in my experience, a match of the default route (0.0.0.0 / 0.0.0.0) is _not_ considered a hit and so it will use Dialer1 to send the packet.
What I can do at some other site, where the connection IP is fixed, is match on the source IP. Imagine if Dialer0 had source IP 80.80.80.100 and Dialer1 90.90.90.100:
ip route 0.0.0.0 0.0.0.0 dialer0 10
ip route 0.0.0.0 0.0.0.0 dialer1 20
route-map LOCAL-PBR permit 10
match ip address acl_dialer0
set default interface dialer0
exit
route-map LOCAL-PBR permit 20
match ip address acl_dialer1
set default interface dialer1
exit
ip access-list extended acl_dialer0
permit ip host 80.80.80.100 any
ip access-list extended acl_dialer1
permit ip host 90.90.90.100 any
ip local policy route-map LOCAL-PBR
Unfortunately if the IPs are not fixed, I can't do an ACL matching the IP.
I guess I could look up the possible ranges and add these if that's the only way.
- The second part of the config (for LAN clients) works very nicely, thanks!
However, I would have liked to track (via SLA) the real connectivity of the Dialer and not only whether the interface is up or down, because it's quite common for the PPPoE link to be up but actual connectivity to be down.
I've seen how to set the 'next hop' with verify reachability and a tracking object; however:
- It doesn't seem to be available for "set ip default next-hop" (and I can't really use "set ip next-hop" because there are other LAN routes that don't need to be NATed, going to other sites via other connections, everything learned by OSPF dynamically)
- It doesn't seem to be available for "set interface / set default interface" at all ...
Cheers,
Sylvain
02-07-2012 11:06 AM
Hi,
You're right about the default interface, which isn't working if there is no explicit route in the RIB; I had forgotten this important fact.
So try this one for 1):
ip route 0.0.0.0 0.0.0.0 dialer0
route-map LOCAL-PBR permit 10
set interface dialer0 dialer1
exit
ip local policy route-map LOCAL-PBR
I'll see if there is a solution for your SLA need.
Regards.
Alain
02-09-2012 01:54 AM
Hi,
I didn't get a chance to try, but I don't think it would work ... for a completely different reason: when there is no PPP link, Dialer0 is still _up_ ... and so it still tries to send packets through it. (I had the issue when just having two routes set: it still tried to use Dialer0 even though the DSL modem was off and had no IP negotiated.)
The Cisco doc says that indeed you need to track the "ip routing" status of the interface and not just its state.
In the end, I solved 1) & 2) by paying extra to have a fixed IP on the line connected to Dialer0 and then using this config:
ip access-list extended acl_src_fix_dsl
permit ip host 80.80.80.80 any
route-map pbr-local permit 10
match ip address acl_src_fix_dsl
set default interface Dialer0
route-map pbr-local permit 20
set default interface Dialer1
ip local policy route-map pbr-local
ip sla 100
icmp-echo 8.8.8.8 source-interface Dialer0
threshold 500
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 101
icmp-echo 8.8.8.8 source-interface Dialer1
threshold 500
frequency 5
ip sla schedule 101 life forever start-time now
track 100 ip sla 100 reachability
delay down 20 up 45
track 101 ip sla 101 reachability
delay down 20 up 45
ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 100
ip route 0.0.0.0 0.0.0.0 Dialer1 20 track 101
For the NAT I use your config for the "ip nat inside ..." lines. For the LAN that must use Dialer0, I don't do anything special; it just takes the same route as the router (Dialer0 with fallback to Dialer1), so that's OK.
For the LAN that must use Dialer1, I currently do:
route-map pbr-via-guest permit 10
match ip address acl_nat_guest
set default interface Dialer1
interface Vlan2
ip policy route-map pbr-via-guest
But that doesn't include any fallback depending on my 'tracked objects'.
I have two ideas right now:
1) Use a VRF to have a distinct routing table for Vlan2 in which I invert the metrics of the default routes and give Dialer1 the preference. Unfortunately that introduces other problems: I have some routes learned by OSPF that go through a tunnel that should be present in both VRFs ...
2) Use EEM to apply / remove the 'policy route-map' on Vlan2 depending on the state of 'track 101'
Cheers,
Sylvain
02-09-2012 02:32 AM
Hi,
I think VRFs will add extra complexity, but option 2 seems a good one. You could maybe also try out PfR (http://www.cisco.com/en/US/docs/ios-xml/ios/pfr/configuration/15-1mt/pfr-15-1mt-book.html).
Regards.
Alain.
02-09-2012 04:59 AM
Thanks, yes, I'll go with option 2 for now, and I will look into PfR to see if I can get it to work, because it definitely seems an interesting path.
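Added example (editor's illustration, not configuration posted in the thread): one way to realise Sylvain's option 2 with two EEM applets that remove the policy route-map from Vlan2 when track 101 (the Dialer1 IP SLA reachability object above) goes down and put it back when the track recovers. It assumes the "track 101" and "route-map pbr-via-guest" objects exactly as shown in the thread; the applet names are chosen here.

```cisco
! Assumes: track 101 (ip sla 101 reachability, delay down 20 up 45)
!          route-map pbr-via-guest, applied on interface Vlan2
! Applet names below are this example's own choice.
!
! Dialer1 has lost real connectivity: drop the policy so Vlan2 traffic
! follows the global routing table (Dialer0, itself tracked by track 100).
event manager applet GUEST-PBR-DOWN
 event track 101 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Vlan2"
 action 4.0 cli command "no ip policy route-map pbr-via-guest"
 action 5.0 cli command "end"
 action 6.0 syslog msg "track 101 down: Vlan2 now follows the routing table (Dialer0)"
!
! Dialer1 is reachable again (after the 45 s "up" delay): restore the
! policy so LAN 2 is NATed via Dialer1 as intended.
event manager applet GUEST-PBR-UP
 event track 101 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Vlan2"
 action 4.0 cli command "ip policy route-map pbr-via-guest"
 action 5.0 cli command "end"
 action 6.0 syslog msg "track 101 up: Vlan2 policy-routed via Dialer1 again"
```

The track object's up/down delays already damp flapping, so the applets only fire on a sustained change; "show track 101" and "show event manager policy registered" show the current state and that both applets are loaded.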