07-19-2007 08:33 AM - edited 03-09-2019 06:26 PM
I have two internet connections on an 1841, through ethernet. I'm using subinterfaces. I have two default routes with floating static.
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.209 5
ip route 0.0.0.0 0.0.0.0 X.X.X.65 10
When I remove the first route at weight 5, everything fails over properly and I can ping the x.x.x.65 address.
However if the first y.y.y.209 is in the routing table I cannot ping x.x.x.65 correctly.
Of course, I need one system within the LAN to route over that other connection. So I have set up a PBR statement, but seemingly since I cannot ping that next hop (from the router or the server), it doesn't work.
I see the policy-map matching the traffic coming from the server, but I just can't ping that other hop when the first default route is in place. Have gotten something similar to this working before on a 1760, but for whatever reason can't ping the second hop, on this 1841. Here's a config. I would have the expectation that I could ping both default gateways, since they are technically on the same subnet.
ip cef
no ip dhcp use vrf connected
no ip domain lookup
interface FastEthernet0/0
description PORT to DMZ VLAN
ip address 172.16.20.2 255.255.255.0
ip nat inside
ip policy route-map stn_util
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
description PORT to TRUNK for MPOWER/COMCAST
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.30
description PORT to MPOWER
encapsulation dot1Q 30
ip address X.X.X.115 255.255.255.192
ip verify unicast reverse-path
ip nat outside
no ip mroute-cache
no snmp trap link-status
!
interface FastEthernet0/1.40
description PORT to COMCAST
encapsulation dot1Q 40
ip address Y.Y.Y.210 255.255.255.240
ip verify unicast reverse-path
ip nat outside
no ip mroute-cache
no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.209 5
ip route 0.0.0.0 0.0.0.0 X.X.X.65 10
!
no ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NAT1-MPOWER interface FastEthernet0/1.30 overload
ip nat inside source route-map NAT2-COMCAST interface FastEthernet0/1.40 overload
ip nat inside source static 172.16.20.1 Y.Y.Y.211 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.10 Y.Y.Y.212 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.11 Y.Y.Y.213 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.12 Y.Y.Y.214 route-map NAT2-Static-COMCAST
ip nat inside source static 172.16.20.12 X.X.X.112 route-map NAT1-Static-MPOWER
ip nat inside source static 172.16.20.10 X.X.X.113 route-map NAT1-Static-MPOWER
ip nat inside source static 172.16.20.11 X.X.X.114 route-map NAT1-Static-MPOWER
!
access-list 150 permit ip host 172.16.20.12 any
access-list 160 remark DYNAMIC NAT
access-list 160 deny ip host 172.16.20.1 any
access-list 160 deny ip host 172.16.20.10 any
access-list 160 deny ip host 172.16.20.11 any
access-list 160 deny ip host 172.16.20.12 any
access-list 160 permit ip 172.16.20.0 0.0.0.255 any
access-list 170 remark STATIC NATS
access-list 170 permit ip host 172.16.20.1 any
access-list 170 permit ip host 172.16.20.10 any
access-list 170 permit ip host 172.16.20.11 any
access-list 170 permit ip host 172.16.20.12 any
access-list 170 deny ip 172.16.20.0 0.0.0.255 any
route-map NAT2-COMCAST permit 10
match ip address 160
match interface FastEthernet0/1.40
!
route-map NAT2-Static-COMCAST permit 10
match ip address 170
match interface FastEthernet0/1.40
!
route-map stn_util permit 10
description change UTIL server default route
match ip address 150
set ip next-hop X.X.X.65
!
route-map NAT1-Static-MPOWER permit 10
match ip address 170
match interface FastEthernet0/1.30
!
route-map NAT1-MPOWER permit 10
match ip address 160
match interface FastEthernet0/1.30
07-19-2007 12:43 PM
Have you tried without 'ip verify unicast reverse-path' on interface FastEthernet0/1.30?
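What the strict-mode check behind 'ip verify unicast reverse-path' does with the posted pair of floating statics, as an added example that is not part of the thread: a simplified Python model of the FIB lookup, not IOS code. The addresses are constructed stand-ins for the masked ones (198.51.100.64/26 for X.X.X, 203.0.113.208/28 for Y.Y.Y), and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the post:
# X.X.X.64/26 (MPOWER) -> 198.51.100.64/26, Y.Y.Y.208/28 (COMCAST) -> 203.0.113.208/28
CONNECTED = {
    "Fa0/1.30": ipaddress.ip_network("198.51.100.64/26"),
    "Fa0/1.40": ipaddress.ip_network("203.0.113.208/28"),
    "Fa0/0": ipaddress.ip_network("172.16.20.0/24"),
}
# (prefix, next hop, administrative distance), mirroring the posted "ip route" lines
STATICS = [
    ("0.0.0.0/0", "203.0.113.209", 5),
    ("0.0.0.0/0", "198.51.100.65", 10),
]

def egress_for(addr):
    """Interface whose connected subnet contains addr (None if not attached)."""
    ip = ipaddress.ip_address(addr)
    for ifname, net in CONNECTED.items():
        if ip in net:
            return ifname
    return None

def build_fib(statics):
    """Connected routes plus, per prefix, only the lowest-distance static."""
    fib = {net: ifname for ifname, net in CONNECTED.items()}
    best = {}
    for prefix, nh, dist in statics:
        if prefix not in best or dist < best[prefix][1]:
            best[prefix] = (nh, dist)
    for prefix, (nh, _) in best.items():
        fib[ipaddress.ip_network(prefix)] = egress_for(nh)
    return fib

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in fib if ip in n]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None

def strict_urpf_pass(fib, src, in_if):
    """Strict mode: accept only if the best route back to src leaves via in_if."""
    return lookup(fib, src) == in_if
```

In this model a reply from the next hop on the connected /26 passes the check on Fa0/1.30, while a packet from an off-net source arriving there fails for as long as the distance-5 default is the installed one.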
07-19-2007 01:35 PM
Indeed I have. I actually added that statement and turned on CEF, (have to, in order to enable that statement.) With or without the CEF and the 'ip verify unicast reverse-path' it still can't ping the second default gateway. Thanks for the reply.
07-19-2007 02:10 PM
You are trying to ping from the router?
You can verify the prefix in the arp table and with 'sh ip cef'. It should be there and pointing to the right interface.
07-19-2007 02:34 PM
I haven't checked yet, but if that information is missing, then what can I do to make it work?
07-19-2007 02:52 PM
It depends on the result. Compare the output for the attached network from sh ip route and sh ip cef.
You can also run debug arp and try some pings. Does it send requests? Replies?
Which version of IOS are you running? Older versions had issues between CEF and route-maps. You can try to disable CEF.
You do not have an "ip local policy" configured?
I know it is not in what you attached but it does not look complete.