06-25-2012 03:55 AM - edited 03-07-2019 07:26 AM
Dear Support Team,
I have a 1941 router configured for policy based routing with two ISPs.
Two static default routes are configured to point to the gateways of the respective ISPs with the same metric.
But the problem is, packets are going through one ISP only while doing a traceroute.
N/W connectivity:
ISP1 -----> |        | <----------> LAN1
            | Router |
ISP2 -----> |        | <----------> LAN2
Below is my configuration :
Current configuration : 5958 bytes
!
! Last configuration change at 05:18:56 UTC Mon Jun 25 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password XXXXX
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description GMRIT-VSNL-ISP-Connection
ip address 111.93.14.250 255.255.255.252
ip policy route-map VSNL-1
duplex auto
speed auto
!
interface GigabitEthernet0/1
description GMRIT-BSNL-ISP-CONNECTION
ip address 172.24.9.149 255.255.255.252
ip policy route-map BSNL-1
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 111.93.20.154 255.255.255.248
ip policy route-map VSNL
!
interface Vlan2
ip address 117.239.50.209 255.255.255.248
ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 112 permit ip any 111.93.20.152 0.0.0.7 log
access-list 113 permit ip any 117.239.50.208 0.0.0.7 log
!
route-map VSNL permit 10
match ip address 110
set default interface GigabitEthernet0/0
!
route-map BSNL-1 permit 5
match ip address 111
set ip default next-hop 172.24.9.150
!
route-map BSNL-1 permit 10
match ip address 113
set default interface Vlan2
!
route-map BSNL permit 10
match ip address 111
set default interface GigabitEthernet0/1
!
route-map VSNL-1 permit 5
match ip address 110
set ip default next-hop 111.93.14.249
!
route-map VSNL-1 permit 10
match ip address 112
set default interface Vlan1
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
password gmrit@123
login
transport input none
line vty 5 15
exec-timeout 0 0
privilege level 15
password gmrit@123
login
transport input telnet ssh
!
scheduler allocate 20000 1000
end
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 110
Set clauses:
default interface GigabitEthernet0/0
Policy routing matches: 1720296 packets, 207823775 bytes
route-map BSNL-1, permit, sequence 5
Match clauses:
ip address (access-lists): 111
Set clauses:
ip default next-hop 172.24.9.150
Policy routing matches: 790 packets, 1103956 bytes
route-map BSNL-1, permit, sequence 10
Match clauses:
ip address (access-lists): 113
Set clauses:
default interface Vlan2
Policy routing matches: 615 packets, 39086 bytes
route-map BSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 111
Set clauses:
default interface GigabitEthernet0/1
Policy routing matches: 9583 packets, 914281 bytes
route-map VSNL-1, permit, sequence 5
Match clauses:
ip address (access-lists): 110
Set clauses:
ip default next-hop 111.93.14.249
Policy routing matches: 1724 packets, 1104143 bytes
route-map VSNL-1, permit, sequence 10
Match clauses:
ip address (access-lists): 112
Set clauses:
default interface Vlan1
Policy routing matches: 2294332 packets, 1914372311 bytes
GMRIT-WAN-GATEWAY#
Please help me to solve this issue.
Cheers,
Janardhan
06-29-2012 04:44 AM
GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 110
Set clauses:
ip next-hop 111.93.14.249
Policy routing matches: 5051 packets, 1096683 bytes
route-map BSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 111
Set clauses:
ip next-hop 172.24.9.150
Policy routing matches: 10 packets, 2438 bytes
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#sh acc
GMRIT-WAN-GATEWAY#sh acces
GMRIT-WAN-GATEWAY#sh access-li
GMRIT-WAN-GATEWAY#sh access-lists
Extended IP access list 110
10 permit ip 111.93.20.152 0.0.0.7 any log (14129176 matches)
Extended IP access list 111
10 permit ip 117.239.50.208 0.0.0.7 any log (36791 matches)
20 deny ip any any log (648657 matches)
GMRIT-WAN-GATEWAY#
06-29-2012 05:17 AM
Hi,
Can you remove the log keyword from your access-lists used for PBR, as well as the explicit deny all in access-list 111, as it has no use? Then verify it is working with debug ip policy.
Regards.
Alain.
Don't forget to rate helpful posts.
06-29-2012 06:27 AM
Hi Cadet,
What is the significance of removing log in the ACL?
Regards,
Janardhan
06-29-2012 06:37 AM
Hi,
If I remember well, these are not supported in PBR, but maybe I'm wrong. Anyway, what does debug ip policy output when leaving the log keyword?
Regards.
Alain.
Don't forget to rate helpful posts.
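Alain's two suggestions (drop the log keyword from the ACLs that PBR matches on, and drop the explicit deny in access-list 111) are the kind of thing that is easy to miss by eye in a long running-config. The following script is an added example, not part of this thread or of any Cisco tool: it parses the PBR-related lines of an IOS config dump and reports those two problems, plus a route-map that references an undefined ACL and a set clause that picks an egress interface rather than a next-hop gateway (the working config in this thread uses set ip next-hop). The two config strings are constructed from the lines posted above; everything else (function names, finding codes) is the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the PBR-related lines from the first config in this thread,
# with the explicit deny that appeared in the 'sh access-lists' output.
ORIGINAL_CONFIG = """\
interface Vlan1
 ip policy route-map VSNL
!
interface Vlan2
 ip policy route-map BSNL
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any log
access-list 111 permit ip 117.239.50.208 0.0.0.7 any log
access-list 111 deny ip any any log
!
route-map VSNL permit 10
 match ip address 110
 set default interface GigabitEthernet0/0
!
route-map BSNL permit 10
 match ip address 111
 set ip next-hop 172.24.9.150
"""

# Constructed sample: the same lines as they appear in the working config.
FIXED_CONFIG = """\
interface Vlan1
 ip policy route-map VSNL
!
interface Vlan2
 ip policy route-map BSNL
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any
access-list 111 permit ip 117.239.50.208 0.0.0.7 any
!
route-map VSNL permit 10
 match ip address 110
 set ip next-hop 111.93.14.249
!
route-map BSNL permit 10
 match ip address 111
 set ip next-hop 172.24.9.150
"""


def parse_config(text):
    """Extract the pieces PBR depends on from an IOS running-config dump."""
    policy = {}                  # interface -> route-map applied with 'ip policy'
    matches = defaultdict(list)  # route-map -> ACL ids from 'match ip address'
    sets = defaultdict(list)     # route-map -> set clauses (text after 'set ')
    acls = defaultdict(list)     # ACL id -> entries (text after the ACL id)
    section = None               # ("interface", name) or ("route-map", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":        # '!' ends a config section
            section = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            section = ("interface", m.group(1))
            continue
        m = re.match(r"route-map (\S+) (?:permit|deny) \d+$", line)
        if m:
            section = ("route-map", m.group(1))
            continue
        m = re.match(r"access-list (\S+) (.+)$", line)
        if m:                               # ACL entries are global lines
            acls[m.group(1)].append(m.group(2))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "interface":
            m = re.match(r"ip policy route-map (\S+)$", line)
            if m:
                policy[name] = m.group(1)
        elif kind == "route-map":
            m = re.match(r"match ip address (.+)$", line)
            if m:
                matches[name].extend(m.group(1).split())
            m = re.match(r"set (.+)$", line)
            if m:
                sets[name].append(m.group(1))
    return policy, matches, sets, acls


def lint_pbr(text):
    """Return (interface, code, detail) findings for every applied PBR policy."""
    policy, matches, sets, acls = parse_config(text)
    findings = []
    for iface, rm in sorted(policy.items()):
        acl_ids = matches.get(rm, [])
        if not acl_ids:
            findings.append((iface, "NO_MATCH", f"route-map {rm} has no 'match ip address' clause"))
        for acl in acl_ids:
            entries = acls.get(acl)
            if not entries:
                findings.append((iface, "MISSING_ACL", f"route-map {rm} references undefined ACL {acl}"))
                continue
            for entry in entries:
                if entry.split()[-1] == "log":
                    findings.append((iface, "ACL_LOG", f"ACL {acl}: '{entry}' uses 'log'; remove it from a PBR match ACL"))
                if entry.startswith("deny"):
                    findings.append((iface, "ACL_DENY", f"ACL {acl}: '{entry}' is redundant; unmatched traffic is routed normally"))
        for clause in sets.get(rm, []):
            if clause.startswith(("interface", "default interface")):
                findings.append((iface, "SET_INTERFACE", f"route-map {rm}: 'set {clause}' picks an egress interface; prefer 'set ip next-hop <gateway>'"))
    return findings


if __name__ == "__main__":
    for iface, code, detail in lint_pbr(ORIGINAL_CONFIG):
        print(f"{iface:6} {code:14} {detail}")
    print("findings in fixed config:", lint_pbr(FIXED_CONFIG))
```

Run against the first config the script reports the log keyword on every entry of ACL 110 and 111, the explicit deny in 111, and the set default interface clause; run against the working config it reports nothing. Pasting the full running-config works too, because lines outside interface, route-map and access-list sections are ignored.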
06-29-2012 06:53 AM
Hi Cadet,
This is my new output:
GMRIT-WAN-GATEWAY#sh route-map
route-map VSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 110
Set clauses:
ip next-hop 111.93.14.249
Policy routing matches: 17843 packets, 3185109 bytes
route-map BSNL, permit, sequence 10
Match clauses:
ip address (access-lists): 111
Set clauses:
ip next-hop 172.24.9.150
Policy routing matches: 1082 packets, 84039 bytes
GMRIT-WAN-GATEWAY#sh run
Building configuration...
Current configuration : 5823 bytes
!
! Last configuration change at 13:51:51 UTC Fri Jun 29 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GMRIT-WAN-GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging monitor informational
enable secret 5 $1$k/Kw$pS1VX17m0hwtKWNxUkBtW0
enable password 7 121E08051B1F2C557878
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.4.4.4
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1432443274
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1432443274
revocation-check none
rsakeypair TP-self-signed-1432443274
!
!
crypto pki certificate chain TP-self-signed-1432443274
certificate self-signed 01
30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343332 34343332 3734301E 170D3131 31323032 30393333
33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34333234
34333237 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D483 AD3634F1 8349C67B 7554F74E 6FF39064 25FAA8B6 4D5EBF2E 9D2C199A
DFD2C7F0 185D10DF 6791BA58 80CE9A5F ECCA5F08 45D34429 170FC24F 6AFA8C43
F1261CE9 541C8E64 6E2E2411 5DE5933B AFC788F4 6BB24CA0 D74AFF51 6E5D1194
5B8247AA 3E233EC8 F0EC5A77 C2EB933B 97627DE7 CCE77049 8A9AF3AF 98000825
1D1F0203 010001A3 8180307E 300F0603 551D1301 01FF0405 30030101 FF302B06
03551D11 04243022 8220474D 5249542D 57414E2D 47415445 5741592E 796F7572
646F6D61 696E2E63 6F6D301F 0603551D 23041830 168014E3 F006E059 661B2269
F18B4A47 6FEF6C30 87DF6030 1D060355 1D0E0416 0414E3F0 06E05966 1B2269F1
8B4A476F EF6C3087 DF60300D 06092A86 4886F70D 01010405 00038181 009E2659
C1010031 29DDAACD 6A5C6BC6 DC907082 F5D1CD61 F168B323 AAB542ED 5718A0B5
EF4E9BBB B910E39D 2DA63DC3 834A8AA5 9CF9BDD4 75317E95 C7FE19C7 467A1D3D
1827BDD7 E0D66AF1 445F2B2C E6EE7352 0CE476FF F132D86C 26DCA701 3CBDDACB
48FC5292 E8C135E1 90CEAF33 5876A07D 63BE9D80 08BEA784 BB8BF652 FD
quit
license udi pid CISCO1941/K9 sn FGL152126R0
!
!
username Nipun1 privilege 15 password 7 0721285C5B0748
username gmrit privilege 15 secret 5 $1$vOh0$8GaLCjGKqbt./QU6VmSJl0
!
!
!
!
!
!
interface GigabitEthernet0/0
description GMRIT-VSNL-ISP-Connection
ip address 111.93.14.250 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
description GMRIT-BSNL-ISP-CONNECTION
ip address 172.24.9.149 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
switchport access vlan 2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 111.93.20.154 255.255.255.248
ip policy route-map VSNL
!
interface Vlan2
ip address 117.239.50.209 255.255.255.248
ip policy route-map BSNL
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 111.93.14.249
ip route 0.0.0.0 0.0.0.0 172.24.9.150 100
ip route 111.93.14.249 255.255.255.255 GigabitEthernet0/0
ip route 172.24.9.150 255.255.255.255 GigabitEthernet0/1
!
access-list 110 permit ip 111.93.20.152 0.0.0.7 any
access-list 111 permit ip 117.239.50.208 0.0.0.7 any
!
route-map VSNL permit 10
match ip address 110
set ip next-hop 111.93.14.249
!
route-map BSNL permit 10
match ip address 111
set ip next-hop 172.24.9.150
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
password 7 14101F1905100A6A046B
login
transport input none
line vty 5 15
exec-timeout 0 0
privilege level 15
password 7 0826415C000D25563248
login
transport input telnet ssh
!
scheduler allocate 20000 1000
end
GMRIT-WAN-GATEWAY#
GMRIT-WAN-GATEWAY#
Reg,
Janardhan
06-29-2012 06:59 AM
Hi,
Can you get rid of these? They have no use.
ip route 111.93.14.249 255.255.255.255 GigabitEthernet0/0
ip route 172.24.9.150 255.255.255.255 GigabitEthernet0/1
And post the output from debug ip policy when pinging from each VLAN.
Regards.
Alain.
Don't forget to rate helpful posts.
06-29-2012 07:00 AM
Hi Alain,
debug ip policy
After entering this command, I lose my connection from outside.
Regards,
Janardhan
06-29-2012 07:26 AM
Hi,
I don't think you can lose the connection just by enabling this debug command.
It's still not working as you intend?
Regards.
Alain
Don't forget to rate helpful posts.
06-29-2012 07:59 AM
While doing a ping from outside, it is dropping... Let me check tomorrow, as no one will be available at this time.
Regards,
Janardhan
07-02-2012 10:15 PM
Hi Alain,
Now, policy based routing is working fine.
Thanks for all your support.
Regards,
Janardhan
07-03-2012 01:07 AM
Hi,
I'm happy it is working now.
Regards.
Alain.
Don't forget to rate helpful posts.