we have a branch that is connected via a leased line to the main headquarters.
The connection is terminated to a cisco 1721 fast ethernet subinterface (802.1q VLAN).
We also have an ADSL line which is terminated to a PC running WIN2K and "microsoft internet connection software" (ICS, something like NAT ). Basically that PC has an ethernet interface which is also terminated to the above router. So we have two VLANs.
The aim is to reroute all P2P, WWW, FTP etc traffic through the PC and the ADSL line and we tried to solve it with policy routing. The problem is that when the PC ***and*** the ADSL line are OK, then the policy routing is also OK.
*But* when the ADSL line drops, the router continues to send packets to the Ethernet interface of the PC. The same happens when the PC is down (e.g ethernet interface down) also.
I post the configuration below!
Current configuration : 989 bytes
no ip address
description <<in this vlan the leased line is terminated>>
encapsulation dot1Q 100
ip address 18.104.22.168 255.255.255.0
ip policy route-map redirect_www_to_adsl_PC
encapsulation dot1Q 1 native
ip address 192.168.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 22.214.171.124
no ip http server
access-list 100 permit tcp any any eq www
access-list 100 deny ip any any
route-map redirect_www_to_adsl_PC permit 1
match ip address 100
set ip next-hop 192.168.0.10
TIA for your help guys,
When you only have a single address specified after "set ip next-hop", I've read that the routing table is supposed to be consulted. But this isn't working in your case for some reason.
You could try including the failover next-hop (the interface at the other end of the leased line) at the end of your 'set ip next-hop' statement, e.g.:
set ip next-hop 192.168.0.10 126.96.36.199
The way this is supposed to behave is that the traffic is sent to 192.168.0.10 unless it is unreachable, in which case the policy routing "fails over" to 188.8.131.52. But if your issue is that the router isn't detecting 192.168.0.10 as unreachable when the ADSL line fails, this won't make a difference.
Thanx for your hint!
Unfortunately i had tried this from the beginning...the default gateway (184.108.40.206) didn't do any good-packets were still forwarded to 192.168.0.10, (may i remind that this is the ethernet interface of the PC running WIN2K and Microsoft ICS, where the ADSL modem is connected to). I ran debug to check this out. No convergence/failover after several minutes!
However, are you sure that the pc would inform the router that the internet is unreachable in case the ADSL line dropped?
For an Ethernet interface I'd imagine that the only way policy routing can detect that it's down is if it changes state (e.g., to "line protocol down"). This won't happen in your topology when the ADSL line goes down, but you said that your configuration doesn't work when the PC is down either which lead me to believe that there's another problem somewhere.
Now that I look at your config closer I see that you're only using one physical Ethernet interface with two subinterfaces. I don't really understand how you're terminating a leased line on an Ethernet interface, but if interface FastEthernet0.2 doesn't change state when the PC goes down (which I'd guess it doesn't, but again, I don't know the details of the topology), it's hard to imagine policy routing being able to failover to the routing table.
first of all thank you for your kind reply.
Some more notes on the config:
The configuration i use has two 802.1q VLANs.
The router is connected to a switch where the SDSL modem's ethernet interface is terminated (the SDSL modems are used for the leased line, this is not the ADSL line which is connected to the PC running WIN2K).
The FastEthernet0.1 is the subinterface where the WAN connection is "terminated". This is the 220.127.116.11/24 VLAN.
The FastEthernet0.2 is used for the "connection" to the PC running WIN2K.
Of course, that PC is also connected to the switch, but to a differnet VLAN (192.168.0.0/24).
It is true that if the PC or its ethernet interface fails, the subinterface F0.2 won't go down, *but* the next-hop 192.168.0.10 (ie the PC) will be unreachable.
Shouldn't the router in that case forward the packets through the routing table (normal process), especially when the "set ip next-hop address" command contain the second ip? Shouldn't the same happen if the ADSL modem failed, given that the PC has two default routes: One pointing to the ADSL PPP IP address and the second (higher metric?) pointing to the FastEthernet0.2?
Please forgive my long post.
I hope in the end we'll give a solution for everyone!
Firstly there is no way that your router will stop policy routing to the PC [WIN2K] when the ADSL line fails because as far as the router is concerned the policy-routed next-hop 192.168.0.10 is still available.
The only way your router will switch back to normal routing will be when the PC's ethernet interface is down or either unplugged from the switch. This way when your router ARPs for the next-hop it will be unreachable, then it SHOULD revert back to the gateway of last resort configured [normal routing].
If this is not happening then you might want to check your ARP cache on the router when you disconnect the PC. Because the router and the switch should remove their ARP entry for the PC once it's gone.
Hope this helps
i am grateful to you for joining the other fellows in assisting me!
You have just solved one point: (Highly) possible cause for the lack of convergence=ARP issue.
A very good idea would be to have an ADSL WIC, is that correct?
This would provide instant failover to the policy rouitng failure, is that right?
Now, as far as the first comment is concerned let me ask once more:
the routing table of the PC has 2 default routes: one of them is set up automatically and it points to the PPP address of the ADSL "dialup"connection immediately after the IP address is being assigned from the PPP server and the other default route is generated when you install the ethernet interface (if you wish to have a default gateway for that TCP/IP stack of course...).
NOW, let us suppose that we *do* have a deafult gateway set up on the PC, pointing to the router's subinterface F0.2.
When the ADSL connection fails, *shouldn't* the PC sent the packets coming from the ethernet towards the router?
Policy routing would function correctly and the packets would return back from the working PC. Would we have a black hole then?
Thanx once more pal,
First of all when you said ADSL WIC did you mean on the router or on the PC ? It will only make a difference if you install it on the router. If you install it on the PC the you would have to change the policy-routed next-hop on the router to that of the ADSL WIC and then run a routing protocol between the PC and the router so that the PC informs the router when the ADSL is down [highly unlikely solution]
As per the second question If you have 2 default gateways on the PC and the ADSL goes down, all traffic affected by ACL 100 will be policy routed to the PC and routed back to the router [not an elegant solution], you may have a routing loop. You should only have the defauklt gateway pointing out the ADSL line on the PC.
Your best option will be to look into the ARP issue on the router and switch when the PC is disconnected [from the switch]
As far as the WIC is concerned, i was speaking about a WIC on the router. That would solve all problems: PC/NIC failure issue (ARP issue as it seemed!!!) and PPP failure issue (the WIC-ADSL interface would have line protocoll down in case of PPP failure, so the packets would be forwarded through the typical routing-table process (am i correct on that John?).
Installing an ADSL modem on the PC and running RIP (feasible with WIN2K) is not such a good idea. However, what you stated (running a dynamic routing protocoll on the PC and the router) could also be achieved with the current scheme, ie with the USB alcatel ADSL modem. (I'll try it and let you know).
I want to thank you, as well the other fellows on thsis conversation for your assistance, because:
1) You have helped me to find the source and the workaround to the problem, as well as to other problems that could emerge with this scheme.
2) You have helped me undertand typical instances of problems that occur with policy routing.
Best regards from Greece,