Question on route-map

Scott Fella
Hall of Fame

I have a 1941W that has a connection to my ISP (Gi0/1) and another connection to a remote lab (Gi0/0). Everything is working fine with how it is set up. All my traffic from my internal networks can access the Internet, and devices on 192.168.201.0/24 can access the Internet and the lab 10.89.0.0/16.

Now I want to have two devices (192.168.201.51 & .147) use Gi0/0 when accessing host 63.85.190.67. There is no route to this subnet since it resides in the remote lab. Here is what I have right now. How would I set up PBR to have those two hosts use Gi0/0 when accessing 63.85.190.67?

interface Vlan192
 ip address 192.168.201.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 description LAB
 ip address 10.89.67.170 255.255.255.192
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description INTERNET_CONNECTION
 ip address dhcp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source list 103 interface GigabitEthernet0/0 overload
!
ip route 10.89.0.0 255.255.0.0 GigabitEthernet0/0
!
access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 103 remark LAB
access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255

Gateway of last resort is 72.57.36.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 72.57.36.1
      ...
S     10.89.0.0/16 is directly connected, GigabitEthernet0/0
C     10.89.67.128/26 is directly connected, GigabitEthernet0/0
L     10.89.67.170/32 is directly connected, GigabitEthernet0/0
      69.0.0.0/32 is subnetted, 1 subnets
S     69.252.202.6 [254/0] via 71.57.36.1, GigabitEthernet0/1
      72.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C     72.57.36.0/23 is directly connected, GigabitEthernet0/1
L     72.57.36.242/32 is directly connected, GigabitEthernet0/1
      192.168.201.0/24 is variably subnetted, 2 subnets, 2 masks
C     192.168.201.0/24 is directly connected, Vlan192
L     192.168.201.1/32 is directly connected, Vlan192

Thanks,

Scott

-Scott
*** Please rate helpful posts ***
12 Replies

pjmonline
Level 1

ip route 63.85.190.67 255.255.255.255 192.168.201.1 would route the whole subnet to be able to get to the IP address. If it is only needed on 2 devices you may want to add a static route to the computers. In Windows you can do it via the route add command.

HTH

Hi Scott,

    Just try this link: http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html

F.e.

!
ip access-list extended mytraffic
 permit ip host 192.168.201.51 host 63.85.190.67
 permit ip host 192.168.201.147 host 63.85.190.67
!
route-map GotoGi0/0 permit 10
 match ip address mytraffic
 set interface Gi0/0
!
interface Vlan192
 ip policy route-map GotoGi0/0
!

HTH,

Toshi

Thanks… just tried it and still no go. I do see hits on the route-map though. Since Gi0/0 requires NAT, is there something special I need to also do?

interface Vlan192
 ip address 192.168.201.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map GotoGi0/0
!
ip access-list extended mytraffic
 permit ip host 192.168.201.51 host 63.85.190.67
 permit ip host 192.168.201.147 host 63.85.190.67
!
route-map GotoGi0/0 permit 10
 match ip address mytraffic
 set interface GigabitEthernet0/0
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip nat inside source list 103 interface GigabitEthernet0/0 overload
!
access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 101 permit ip 10.10.200.0 0.0.0.255 any
access-list 101 permit ip 10.10.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 103 remark LAB
access-list 103 permit ip host 192.168.201.51 host 63.85.190.67
access-list 103 permit ip host 192.168.201.147 host 63.85.190.67
access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255

route-map GotoGi0/0, permit, sequence 10
  Match clauses:
    ip address (access-lists): mytraffic
  Set clauses:
    interface GigabitEthernet0/0
  Policy routing matches: 241 packets, 33749 bytes

icmp 10.89.66.170:1    192.168.201.147:1    10.89.66.66:1     10.89.66.66:1
icmp 71.57.36.242:1    192.168.201.147:1    63.85.190.67:1    63.85.190.67:1

-Scott

Hi,

   It always happens when you have 2 WAN links. To remedy this problem, just try this.

F.e.

#Assuming that ACLs are correct.
!
route-map TrafficG0/0 permit 10
 match ip address 101
 match interface G0/0
!
route-map TrafficG0/1 permit 10
 match ip address 103
 match interface G0/1
!
ip nat inside source route-map TrafficG0/0 interface GigabitEthernet0/0 overload
ip nat inside source route-map TrafficG0/1 interface GigabitEthernet0/1 overload
!

HTH,

Toshi

Well, no go yet ☺

icmp 10.89.66.170:1    192.168.201.147:1    10.89.66.67:1     10.89.66.67:1
icmp 71.57.36.242:1    192.168.201.147:1    63.85.190.67:1    63.85.190.67:1

I had to move the rules around since it was switched around a bit.

route-map TrafficG0/0 permit 10
 match ip address 103
 match interface G0/0
!
route-map TrafficG0/1 permit 10
 match ip address 101
 match interface G0/1
!
ip nat inside source route-map TrafficG0/0 interface GigabitEthernet0/0 overload
ip nat inside source route-map TrafficG0/1 interface GigabitEthernet0/1 overload

IL-AUR-1941W#sh route-map all
STATIC routemaps
route-map TrafficG0/1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101
    interface GigabitEthernet0/1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TrafficG0/0, permit, sequence 10
  Match clauses:
    ip address (access-lists): 103
    interface GigabitEthernet0/0
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map GotoGi0/0, permit, sequence 10
  Match clauses:
    ip address (access-lists): mytraffic
  Set clauses:
    interface GigabitEthernet0/0
  Policy routing matches: 145 packets, 10730 bytes
DYNAMIC routemaps
Current active dynamic routemaps = 0

-Scott

Hi,

   Let me see your current configuration.

Toshi

Thanks… I did look at that link and others that are out there. I did have routes set in Windows, but wanted to get this working instead, because every time I reboot I have to add that route back.

It’s weird, because if I stop pinging from host 192.168.201.147 to host 63.85.190.67, the counters on the route-map stop, so I know it's hitting the route-map. Must be something with NAT, even though my other devices are fine getting to the other devices in the lab from Gi0/0.

-Scott

Here you go.

-Scott

Hello,

     Let me change this ACL.  Please let me see the output of "show ip nat trans"

access-list 101 remark INSIDE_NETWORK
access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255
access-list 101 deny ip host 192.168.201.51 host 63.85.196.67
access-list 101 deny ip host 192.168.201.147 host 63.85.196.67
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.100.0 0.0.0.255 any
access-list 101 permit ip 10.10.200.0 0.0.0.255 any
access-list 101 permit ip 10.10.210.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any

HTH,

Toshi
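Why the extra deny lines matter: with two `ip nat inside source list` rules, the translation that gets built depends on which list permits the packet first, not on which interface PBR sends it out. The following is an added example, not part of the thread or Cisco's code: a small Python model that parses the ACL lines as posted, evaluates them with IOS first-match semantics (implicit deny at the end), and selects the NAT rule the way the translation table in this thread shows, the first configured list that permits the packet winning regardless of the PBR egress interface. Assumptions: that NAT-selection rule is a simplification of the real IOS pipeline; the destination is written 63.85.196.67 throughout (the thread shows both 63.85.190.67 and 63.85.196.67); the 10.10.x.x permit lines of access-list 101 are omitted; and the function and constant names are the example's own.

```python
# Added example, not from the original thread: a model of IOS first-match ACL
# evaluation and NAT rule selection showing why 192.168.201.147 -> 63.85.196.67
# was translated to Gi0/1's address until the deny lines were added to ACL 101.
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

AclEntry = namedtuple("AclEntry", "action src dst")  # action is permit/deny

def _network(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is the inverse of a subnet mask; only contiguous
    # wildcards (the only kind used in this thread) are handled here.
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return IPv4Network(f"{addr}/{bin(mask).count('1')}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' entries, with or without the
    'access-list N' prefix of a numbered ACL; remark lines are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        if tokens[0] == "remark":
            continue
        src, rest = _network(tokens[2:])  # tokens[1] is the protocol, 'ip'
        dst, _ = _network(rest)
        entries.append(AclEntry(tokens[0], src, dst))
    return entries

def acl_result(entries, src, dst):
    """IOS semantics: the first matching entry decides; implicit deny at the end."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"

def nat_interface(nat_rules, src, dst):
    """Pick the 'ip nat inside source list' rule as the thread's translation
    table shows: the first configured list that permits the packet wins, no
    matter which interface PBR chose (assumption: a simplification of IOS)."""
    for interface, entries in nat_rules:
        if acl_result(entries, src, dst) == "permit":
            return interface
    return None

# Lists constructed from the thread; the 10.10.x.x permits are omitted and the
# destination is written 63.85.196.67 throughout, as in the accepted fix.
ACL_101_BEFORE = parse_acl([
    "access-list 101 remark INSIDE_NETWORK",
    "access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255",
    "access-list 101 permit ip 192.168.201.0 0.0.0.255 any",
])
ACL_101_AFTER = parse_acl([
    "access-list 101 deny ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255",
    "access-list 101 deny ip host 192.168.201.51 host 63.85.196.67",
    "access-list 101 deny ip host 192.168.201.147 host 63.85.196.67",
    "access-list 101 permit ip 192.168.201.0 0.0.0.255 any",
])
ACL_103 = parse_acl([
    "access-list 103 permit ip host 192.168.201.51 host 63.85.196.67",
    "access-list 103 permit ip host 192.168.201.147 host 63.85.196.67",
    "access-list 103 permit ip 192.168.201.0 0.0.0.255 10.89.0.0 0.0.255.255",
])
MYTRAFFIC = parse_acl([  # the PBR match list (named extended ACL, entries only)
    "permit ip host 192.168.201.51 host 63.85.196.67",
    "permit ip host 192.168.201.147 host 63.85.196.67",
])

def egress_interface(src, dst):
    """Route-map GotoGi0/0 sends matching flows out Gi0/0; everything else
    follows the routing table (10.89.0.0/16 via Gi0/0, default via Gi0/1)."""
    if acl_result(MYTRAFFIC, src, dst) == "permit":
        return "GigabitEthernet0/0"
    if IPv4Address(dst) in IPv4Network("10.89.0.0/16"):
        return "GigabitEthernet0/0"
    return "GigabitEthernet0/1"

def nat_before(src, dst):  # original ACL 101, then ACL 103
    return nat_interface([("GigabitEthernet0/1", ACL_101_BEFORE),
                          ("GigabitEthernet0/0", ACL_103)], src, dst)

def nat_after(src, dst):  # ACL 101 with the two deny lines, then ACL 103
    return nat_interface([("GigabitEthernet0/1", ACL_101_AFTER),
                          ("GigabitEthernet0/0", ACL_103)], src, dst)

if __name__ == "__main__":
    f = ("192.168.201.147", "63.85.196.67")
    print("egress", egress_interface(*f), "nat before", nat_before(*f), "after", nat_after(*f))
```

For the flow the thread was debugging, egress_interface() returns Gi0/0 while nat_before() returns Gi0/1: the packet is policy-routed out the lab interface but translated to the Internet interface's address, which is the 71.57.36.242 inside-global address in the earlier show ip nat trans output. nat_after() returns Gi0/0 because list 101 now denies the packet and selection falls through to list 103. The model also shows the scope of the fix: any other 192.168.201.0/24 host sending to 63.85.196.67 still translates via Gi0/1, and a packet that no list permits gets no translation at all.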

That worked:)

icmp 10.89.66.170:1       192.168.201.147:1     10.89.66.67:1         10.89.66.67:1

icmp 10.89.66.170:1       192.168.201.147:1     63.85.196.67:1        63.85.196.67:1

-Scott

Scott

I would suggest a change in the route map that you are using for PBR. Instead of setting the interface

set interface GigabitEthernet0/0

I would suggest that you set the next-hop address to be used instead of just setting the interface. If you set the interface then it forces the router to ARP for the destination address. And if the next-hop router does not respond to the ARP request (proxy ARP) then the traffic will fail.

HTH

Rick


Rick,

Well that worked... I initially just looked at the NAT translation without even trying to ping that address. Well, I'm able to ping it now. Thanks for all the help guys!

-Scott