
New Member

Is this possible?

Hello - I have 2 different ways out to the Internet in our office, a regular T1 and a Verizon FIOS fiber optic line. Right now all http traffic goes out over the T1. What I would like to do is take 4 or so of the heavy Internet users and move them to the FIOS line. Do I have to use some sort of policy based routing to get those 4 or so IPs to use a different link for http traffic than the rest?

12 REPLIES
Hall of Fame Super Blue

Re: Is this possible?

Andy

Yes PBR is exactly what you would do.

Define an access-list that includes the 4 heavy internet users and then use a route-map to set the next hop to the link you want to use.

You also need to think about return traffic. If you are using different public addresses on each link just make sure you NAT the source addresses to that public address or a public address allocated to you within that subnet.

Jon

New Member

Re: Is this possible?

Hi Jon

Thanks for the response. I am fairly new to this so bear with me. So if the interface I want to use for my heavy hitters in IT is X.X.X.6 (if name Internet) (I have X.2-X.6 available), my access list would look something like this? (using 192.168.2.8 as an example of a user)

access-list IT_Internet_acl permit tcp 192.168.2.8 host X.X.X.5 eq www

access-list IT_Internet_acl permit tcp 192.168.2.8 host X.X.X.5 eq https

static (Inside,Internet) X.X.X.5 192.168.2.8 netmask 255.255.255.255

Then what would the route-map line look like?

Ok, go easy if I am way off base here :-)

Andy

Hall of Fame Super Blue

Re: Is this possible?

Andy

No problem, no one should give you a hard time on these forums, that's one of the best things about them :-)

Firstly you have added this line in your config

static (Inside,Internet) X.X.X.5 192.168.2.8 netmask 255.255.255.255

Couple of things confusing me. The above is syntax from a pix and you can't do PBR on a pix. Are we talking about a pix or a router ?

Assuming a router

If your heavy hitter was 192.168.2.8

access-list 101 permit tcp host 192.168.2.8 any eq www

access-list 101 permit tcp host 192.168.2.8 any eq https

Note that I have used any as the destination address. If you know the sites these users hit by IP address you could use the specific IP addresses but any would cover all their http/https traffic.

route-map INTERNET permit 10

match ip address 101

set ip next-hop

This will route all traffic from 192.168.2.8 to the upstream router of the link you want to use.

My point about NAT was that 192.168.2.8 will not route on the Internet so you must be NATting to a public address. If you are already doing this on your 2 interfaces that connect to the Internet you don't need to do anything else.

Does this make sense ?

Jon

New Member

Re: Is this possible?

Hi Jon

This is an ASA 5520 that I am using here. This makes a lot of sense now. Let me try it with one user and I'll let you know how it goes.

Thanks!

Hall of Fame Super Blue

Re: Is this possible?

Andy

ASAs do not support PBR either as far as I am aware.

Jon

New Member

Re: Is this possible?

Hi Jon

Thanks for the update. Ok, so I put those commands on my router instead (my workstations' default gateway), but I am still getting out to the internet via the default route on the router, meaning it's still taking 192.168.2.8 out via the T1.

Andy

Hall of Fame Super Blue

Re: Is this possible?

Andy

If you do a "sh ip access-list 101" do you see any hits on the entries ?

Could you post config if possible.

Jon

New Member

Re: Is this possible?

Hi Jon - sorry for the delay - got wrapped up in another project. Ok, so a sh ip access-list 101 gives me:

Extended IP access list 101

permit tcp host 192.168.2.8 any eq www

permit tcp host 192.168.2.8 any eq 443

permit tcp host 192.168.2.8 any

I am attaching a config as well. Thanks for your help!

Hall of Fame Super Blue

Re: Is this possible?

Andy

You need to apply the route-map to an interface. Assuming that fa0/0.1 is the interface that 192.168.2.x addresses arrive at the router

int fa0/0.1

ip policy route-map IT_Internet

Your next hop in your route-map is 72.93.114.2 - this next hop router is adjacent to this router, yes? By this I mean that the router that has an interface with the address of 72.93.114.2 is one hop away from this router.

Jon
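The three pieces Jon describes across his replies (the ACL, the route-map, and applying the policy to the LAN-facing interface), plus the NAT for return traffic he mentioned earlier, assembled into one IOS router config as an added example; this is not config from the thread. Interface names other than fa0/0.1, the ACL/route-map names, and the FIOS next-hop placeholder are assumptions.

```cisco
! Added example (not from the thread): the pieces described above, assembled into one IOS router config.
! Assumed: 192.168.2.0/24 users arrive on fa0/0.1, the T1 is fa0/1 (default route),
! the FIOS router is on fa0/2 and <fios-router-inside-ip> is its directly connected address (placeholder).
!
! 1. Match the heavy users' web traffic (add one pair of lines per host).
ip access-list extended IT_INTERNET_ACL
 permit tcp host 192.168.2.8 any eq www
 permit tcp host 192.168.2.8 any eq 443
!
! 2. Route-map: matched packets are sent to the FIOS router instead of following the routing table.
!    Anything not matched falls through to normal routing, i.e. the T1 default route.
route-map IT_Internet permit 10
 match ip address IT_INTERNET_ACL
 set ip next-hop <fios-router-inside-ip>
!
! 3. PBR only acts on packets entering the interface it is applied to, so it goes on the LAN
!    sub-interface, not on either Internet link. Without this line the route-map is never consulted.
interface FastEthernet0/0.1
 ip policy route-map IT_Internet
 ip nat inside
!
! 4. Return traffic: translate each flow to the public address of the link it leaves on, so replies
!    come back over the same line. One NAT rule per outside interface, selected by egress interface.
interface FastEthernet0/1
 ip nat outside
interface FastEthernet0/2
 ip nat outside
!
ip access-list standard LAN_HOSTS
 permit 192.168.2.0 0.0.0.255
!
route-map NAT_T1 permit 10
 match ip address LAN_HOSTS
 match interface FastEthernet0/1
route-map NAT_FIOS permit 10
 match ip address LAN_HOSTS
 match interface FastEthernet0/2
!
ip nat inside source route-map NAT_T1 interface FastEthernet0/1 overload
ip nat inside source route-map NAT_FIOS interface FastEthernet0/2 overload
!
! Verify: "show route-map IT_Internet" reports policy routing matches, "show ip access-lists IT_INTERNET_ACL"
! shows ACL hits, and "show ip nat translations" should list 192.168.2.8 behind the FIOS address.
```

If the policy routing match counter stays at zero while the ACL shows hits, the route-map is applied to the wrong interface or not applied at all, which is exactly the symptom reported in the thread.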

New Member

Re: Is this possible?

That was it Jon. I did have to change the next hop address to the inside address of that router rather than the outside. But it's working great now, thanks for all your help!

Hall of Fame Super Blue

Re: Is this possible?

Glad you got it working Andy, and I appreciate the rating.

Jon

Cisco Employee

Re: Is this possible?

!!!!!!!!Change your passwords now that you posted your configs !!!!!!!!!!!!
