Reg: Policy based Routing with two Default Routes

Dear Support Team,

I have a 1941 router configured for Policy based routing with two ISPs.

Two static default routes are configured to point to the gateways of the respective ISPs with the same metric.

But the problem is, packets are going through one ISP only while doing a traceroute.

N/W connectivity:

ISP1 -----> |        | <----------> LAN1
            | Router |
ISP2 -----> |        | <----------> LAN2

Below is my configuration:

Current configuration : 5958 bytes
!
! Last configuration change at 05:18:56 UTC Mon Jun 25 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password XXXXX
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
interface GigabitEthernet0/0
 description GMRIT-VSNL-ISP-Connection
 ip address 111.93.14.250 255.255.255.252
 ip policy route-map VSNL-1
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description GMRIT-BSNL-ISP-CONNECTION
 ip address 172.24.9.149 255.255.255.252
 ip policy route-map BSNL-1
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
 switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 111.93.20.154 255.255.255.248
 ip policy route-map VSNL
!
interface Vlan2
 ip address 117.239.50.209 255.255.255.248
 ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 112 permit ip any 111.93.20.152 0.0.0.7 log
access-list 113 permit ip any 117.239.50.208 0.0.0.7 log
!
route-map VSNL permit 10
 match ip address 110
 set default interface GigabitEthernet0/0
!
route-map BSNL-1 permit 5
 match ip address 111
 set ip default next-hop 172.24.9.150
!
route-map BSNL-1 permit 10
 match ip address 113
 set default interface Vlan2
!
route-map BSNL permit 10
 match ip address 111
 set default interface GigabitEthernet0/1
!
route-map VSNL-1 permit 5
 match ip address 110
 set ip default next-hop 111.93.14.249
!
route-map VSNL-1 permit 10
 match ip address 112
 set default interface Vlan1
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password gmrit@123
 login
 transport input none
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 password gmrit@123
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    default interface GigabitEthernet0/0
  Policy routing matches: 1720296 packets, 207823775 bytes
route-map BSNL-1, permit, sequence 5
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    ip default next-hop 172.24.9.150
  Policy routing matches: 790 packets, 1103956 bytes
route-map BSNL-1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 113
  Set clauses:
    default interface Vlan2
  Policy routing matches: 615 packets, 39086 bytes
route-map BSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    default interface GigabitEthernet0/1
  Policy routing matches: 9583 packets, 914281 bytes
route-map VSNL-1, permit, sequence 5
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip default next-hop 111.93.14.249
  Policy routing matches: 1724 packets, 1104143 bytes
route-map VSNL-1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 112
  Set clauses:
    default interface Vlan1
  Policy routing matches: 2294332 packets, 1914372311 bytes
GMRIT-WAN-GATEWAY#

Please help me to solve this issue.

Cheers,

Janardhan




GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop 111.93.14.249
  Policy routing matches: 5051 packets, 1096683 bytes
route-map BSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    ip next-hop 172.24.9.150
  Policy routing matches: 10 packets, 2438 bytes
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#sh access-lists
Extended IP access list 110
    10 permit ip 111.93.20.152 0.0.0.7 any log (14129176 matches)
Extended IP access list 111
    10 permit ip 117.239.50.208 0.0.0.7 any log (36791 matches)
    20 deny ip any any log (648657 matches)
GMRIT-WAN-GATEWAY#

Hi,

Can you remove the log keyword from your access-lists used for PBR, as well as the explicit deny all in access-list 111, as it has no use? Then verify it is working with debug ip policy.

Regards.

Alain.

Don't forget to rate helpful posts.


Hi Cadet,

What is the significance of removing log in the ACL?

Regards,

Janardhan

Hi,

If I remember well, these are not supported in PBR, but maybe I'm wrong. Anyway, what does debug ip policy output when leaving the log keyword?

Regards.

Alain.

Don't forget to rate helpful posts.


Hi Cadet,

This is my new output:

GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 110
  Set clauses:
    ip next-hop 111.93.14.249
  Policy routing matches: 17843 packets, 3185109 bytes
route-map BSNL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 111
  Set clauses:
    ip next-hop 172.24.9.150
  Policy routing matches: 1082 packets, 84039 bytes
GMRIT-WAN-GATEWAY#sh run
Building configuration...

Current configuration : 5823 bytes
!
! Last configuration change at 13:51:51 UTC Fri Jun 29 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging monitor informational
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password 7 121E08051B1F2C557878
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1432443274
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1432443274
 revocation-check none
 rsakeypair TP-self-signed-1432443274
!
crypto pki certificate chain TP-self-signed-1432443274
 certificate self-signed 01
  30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343332 34343332 3734301E 170D3131 31323032 30393333
  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34333234
  34333237 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D483 AD3634F1 8349C67B 7554F74E 6FF39064 25FAA8B6 4D5EBF2E 9D2C199A
  DFD2C7F0 185D10DF 6791BA58 80CE9A5F ECCA5F08 45D34429 170FC24F 6AFA8C43
  F1261CE9 541C8E64 6E2E2411 5DE5933B AFC788F4 6BB24CA0 D74AFF51 6E5D1194
  5B8247AA 3E233EC8 F0EC5A77 C2EB933B 97627DE7 CCE77049 8A9AF3AF 98000825
  1D1F0203 010001A3 8180307E 300F0603 551D1301 01FF0405 30030101 FF302B06
  03551D11 04243022 8220474D 5249542D 57414E2D 47415445 5741592E 796F7572
  646F6D61 696E2E63 6F6D301F 0603551D 23041830 168014E3 F006E059 661B2269
  F18B4A47 6FEF6C30 87DF6030 1D060355 1D0E0416 0414E3F0 06E05966 1B2269F1
  8B4A476F EF6C3087 DF60300D 06092A86 4886F70D 01010405 00038181 009E2659
  C1010031 29DDAACD 6A5C6BC6 DC907082 F5D1CD61 F168B323 AAB542ED 5718A0B5
  EF4E9BBB B910E39D 2DA63DC3 834A8AA5 9CF9BDD4 75317E95 C7FE19C7 467A1D3D
  1827BDD7 E0D66AF1 445F2B2C E6EE7352 0CE476FF F132D86C 26DCA701 3CBDDACB
  48FC5292 E8C135E1 90CEAF33 5876A07D 63BE9D80 08BEA784 BB8BF652 FD
        quit
license udi pid CISCO1941/K9 sn FGL152126R0
!
username Nipun1 privilege 15 password 7 0721285C5B0748
username gmrit privilege 15 secret 5 $1$vOh0$8GaLCjGKqbt./QU6VmSJl0
!
interface GigabitEthernet0/0
 description GMRIT-VSNL-ISP-Connection
 ip address 111.93.14.250 255.255.255.252
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description GMRIT-BSNL-ISP-CONNECTION
 ip address 172.24.9.149 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
 switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 111.93.20.154 255.255.255.248
 ip policy route-map VSNL
!
interface Vlan2
 ip address 117.239.50.209 255.255.255.248
 ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150 100
ip route 111.93.14.249 255.255.255.255 GigabitEthernet0/0
ip route 172.24.9.150 255.255.255.255 GigabitEthernet0/1
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any
access-list 111 permit ip 117.239.50.208 0.0.0.7 any
!
route-map VSNL permit 10
 match ip address 110
 set ip next-hop 111.93.14.249
!
route-map BSNL permit 10
 match ip address 111
 set ip next-hop 172.24.9.150
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password 7 14101F1905100A6A046B
 login
 transport input none
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 password 7 0826415C000D25563248
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

GMRIT-WAN-GATEWAY#

Reg,

Janardhan
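As an added check (example code written for this edit, not from the thread and not Cisco's), here is a small Python script that reads the kind of running-config and "show route-map" text posted in this thread. It reports the two things Alain asked to remove, the "log" keyword on the ACLs a PBR route-map matches on and the explicit deny in access-list 111, and it diffs the "Policy routing matches" counters between two "show route-map" snapshots so you can see which sequences are actually policy-routing traffic. The config and snapshot strings are constructed excerpts of what Janardhan posted (the deny entry comes from the "sh access-lists" output, not the running config); the function names are my own.

```python
"""Offline check of Cisco IOS policy-based routing (PBR) config and counters."""
import re
from collections import defaultdict

# Constructed excerpt of the first configuration, plus the access-list 111
# entries that 'sh access-lists' showed in the thread.
BROKEN_CONFIG = """\
interface Vlan1
 ip policy route-map VSNL
interface Vlan2
 ip policy route-map BSNL
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 111 deny ip any any log
route-map VSNL permit 10
 match ip address 110
 set default interface GigabitEthernet0/0
route-map BSNL permit 10
 match ip address 111
 set default interface GigabitEthernet0/1
"""
# The same stanzas without 'log' and without the explicit deny, as in the later config.
FIXED_CONFIG = BROKEN_CONFIG.replace(" log", "").replace("access-list 111 deny ip any any\n", "")

# Constructed 'show route-map' snapshots carrying the counters posted in the thread.
SHOW_BEFORE = """\
route-map VSNL, permit, sequence 10
  Policy routing matches: 5051 packets, 1096683 bytes
route-map BSNL, permit, sequence 10
  Policy routing matches: 10 packets, 2438 bytes
"""
SHOW_AFTER = """\
route-map VSNL, permit, sequence 10
  Policy routing matches: 17843 packets, 3185109 bytes
route-map BSNL, permit, sequence 10
  Policy routing matches: 1082 packets, 84039 bytes
"""


def parse_config(text):
    """Return (interface -> route-map name, acl -> entries, route-map -> sequences)."""
    policies, acls, rmaps = {}, defaultdict(list), defaultdict(list)
    stanza = None  # ("if", interface name) or ("rm", sequence dict); None at top level
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes lose IOS indentation, so do not rely on it
        if not line:
            continue
        if line.startswith("!"):
            stanza = None
        elif line.startswith("interface "):
            stanza = ("if", line.split(None, 1)[1])
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)$", line):
            seq = {"seq": int(m.group(2)), "acls": []}
            rmaps[m.group(1)].append(seq)
            stanza = ("rm", seq)
        elif m := re.match(r"access-list (\d+) (.+)$", line):
            acls[m.group(1)].append(m.group(2))
            stanza = None
        elif stanza and stanza[0] == "if" and line.startswith("ip policy route-map "):
            policies[stanza[1]] = line.split()[-1]
        elif stanza and stanza[0] == "rm" and line.startswith("match ip address "):
            stanza[1]["acls"].extend(line.split()[3:])
    return policies, acls, rmaps


def pbr_acl_findings(text):
    """Flag 'log' keywords and explicit deny entries in ACLs that PBR route-maps match on."""
    policies, acls, rmaps = parse_config(text)
    findings = []
    for intf, rm in sorted(policies.items()):
        for seq in rmaps.get(rm, []):
            for acl in seq["acls"]:
                for ace in acls.get(acl, []):
                    where = f"{intf}: route-map {rm} seq {seq['seq']} -> access-list {acl} '{ace}'"
                    if re.search(r"\blog(?:-input)?\b", ace):
                        findings.append(f"{where}: 'log' keyword on a PBR match ACL")
                    if ace.startswith("deny"):
                        findings.append(f"{where}: explicit deny has no effect in PBR; "
                                        "packets that match no permit are routed normally anyway")
    return findings


def route_map_counters(show_output):
    """Map (route-map, sequence) -> policy-routed packets from 'show route-map' text."""
    counters, current = {}, None
    for line in show_output.splitlines():
        if m := re.match(r"route-map (\S+), (?:permit|deny), sequence (\d+)", line.strip()):
            current = (m.group(1), int(m.group(2)))
        elif m := re.match(r"Policy routing matches: (\d+) packets", line.strip()):
            counters[current] = int(m.group(1))
    return counters


def policy_routed_delta(before, after):
    """Packets policy-routed per sequence between two snapshots."""
    old, new = route_map_counters(before), route_map_counters(after)
    return {key: new[key] - old.get(key, 0) for key in new}


if __name__ == "__main__":
    print("\n".join(pbr_acl_findings(BROKEN_CONFIG)) or "no findings")
    print("after fix:", pbr_acl_findings(FIXED_CONFIG) or "no findings")
    print(policy_routed_delta(SHOW_BEFORE, SHOW_AFTER))
```

Comparing the counters from two "show route-map" snapshots taken a little apart is a low-impact way to confirm that both the VSNL and the BSNL sequences are forwarding, which matters here because Janardhan reports that "debug ip policy" on this router dropped traffic inside and out. The parser strips indentation on purpose: forum pastes lose the leading space IOS prints under "interface" and "route-map" stanzas, so the script tracks the current stanza itself instead.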

Hi,

Can you get rid of these, they have no use:

ip route 111.93.14.249 255.255.255.255 GigabitEthernet0/0

ip route 172.24.9.150 255.255.255.255 GigabitEthernet0/1

and post the output from debug ip policy when pinging from each VLAN.

Regards.

Alain.

Don't forget to rate helpful posts.


Hi Alain,

debug ip policy

After entering this command, I lose my connection from outside.

Regards,

Janardhan

Hi,

I don't think you can lose the connection just by enabling this debug command.

Is it still not working as you intend?

Regards.

Alain

Don't forget to rate helpful posts.


While doing a ping from outside, it is dropping... Let me check tomorrow, as no one will be available at this time.

Regards,

Janardhan

Hi Alain,

If I enable debug ip policy, I get ping drops from inside and outside (losing total connection).

I took this O/P by connecting directly from the console!

Please find the enclosed debug output file.

Regards,

Janardhan


Hi Alain,

Now policy based routing is working fine.

Thanks for all your support.

Regards,

Janardhan

Hi,

I'm happy it is working now.

Regards.

Alain.

Don't forget to rate helpful posts.
