03-23-2006 02:46 AM - edited 03-03-2019 12:09 PM
Hi there! My problem is very similar to some recent ones solved here, but I need more help from you, dear IOS specialists.
As our main Internet link is very often saturated (it is shared with many other schools), we want to set up a DSL link to add some bandwidth (mainly for HTTP incoming traffic).
Our school workstations are connected to a Catalyst 6509 whose default gateway is a Cobalt cache box (172.18.32.101). The default gateway of the Cobalt is our main Internet connection firewall (172.18.32.100). The DSL router is also connected to the 6509 (172.18.32.102).
See the network diagram here: http://darwin.gobelins.fr/public/network-diag.jpg
We want to redirect some incoming traffic (mainly HTTP and FTP) through that DSL link, using an access-list and route-map setup.
!
! VLAN 5 is the workstation VLAN; the policy route-map is applied to
! traffic entering the 6509 from this VLAN
interface Vlan5
 ip address 172.18.32.1 255.255.240.0
 ip helper-address 172.18.1.2
 no ip redirects
 ip policy route-map http-redir
!
!
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
! default route via the Cobalt cache box (172.18.32.101); the listed
! networks go straight to the main firewall (172.18.32.100)
ip route 0.0.0.0 0.0.0.0 172.18.32.101
ip route 192.168.3.0 255.255.255.0 172.18.32.100
ip route 192.168.205.0 255.255.255.0 172.18.32.100
ip route 194.57.100.0 255.255.255.0 172.18.32.100
ip route 195.68.194.128 255.255.255.128 172.18.32.100
ip http server
!
!
! only TCP/80 from workstation 172.18.32.21 is permitted; the explicit
! deny (and the implicit deny at the end) leave everything else,
! including ICMP and UDP, on normal routing
access-list 110 permit tcp host 172.18.32.21 any eq http
access-list 110 deny tcp any any
!
! packets permitted by ACL 110 are forwarded to the DSL router as next hop
route-map http-redir permit 110
 match ip address 110
 set ip next-hop 172.18.32.102
!
When I apply that route-map to the VLAN interface, it does not route HTTP packets through the DSL link, even though the route-map seems to match:
CAT6509#sh route-map
route-map http-redir, permit, sequence 110
Match clauses:
ip address (access-lists): 110
Set clauses:
ip next-hop 172.18.32.102
Policy routing matches: 119802 packets, 34026305 bytes
Do you have any idea why it does not work as expected?
Thanks
- Jean-Claude
03-23-2006 03:01 AM
Hi Jean,
Can you paste the output of
sh ip route 172.18.32.102
Regards,
Ankur
03-23-2006 03:14 AM
OK, here it is:
CAT6509#sh ip route 172.18.32.102
Routing entry for 172.18.32.0/20
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan5
Route metric is 0, traffic share count is 1
Hope this helps...
- JC
03-23-2006 03:30 AM
Hi,
You indicated that you wanted to redirect incoming HTTP traffic, but your route-map seems to suggest that you are acting on outgoing HTTP traffic. Is that what you want? Could you elaborate on what type of HTTP traffic you are trying to act on - is it traffic from an internal web server?
Paresh
03-23-2006 03:42 AM
Paresh,
Yes, I want incoming HTTP traffic from the Internet to come in over the DSL link, so I redirect the HTTP requests via that link, or the responses will never come back through the DSL link (172.18.32.21 is my workstation's IP address).
The DSL router is doing NAT translation on 172.18.32.102.
Maybe the problem is due to the fact that the DSL router is not connected to a dedicated port on the 6509 switch (it sits behind a 2950 switch on VLAN 5).
Hope this helps
- JC
03-23-2006 03:46 AM
Ok,
I'd be curious to see if the redirected traffic makes it to your DSL router....
Is there any chance you could run 'debug ip policy' on your 6509, to see whether the traffic is getting policy-routed at all?
Paresh
03-23-2006 08:05 AM
The 6509 is in production (450 users on it), so I prefer not to make mistakes with debug mode.
Could you tell me how to limit the debugging to the route-map traffic?
I plan to do this:
access-list 123 permit ip host 172.18.32.21 host 172.18.32.101
access-list 123 permit ip host 172.18.32.101 host 172.18.32.21
debug ip packet 123 detail
[conf terminal] int vlan5
[conf terminal] no ip route-cache
Am I correct?
Thanks, JC
03-27-2006 07:08 AM
I was finally able to use debug on the router, and it showed that in fact everything worked fine!
The HTTP packets are correctly directed through the DSL link.
My mistake was using "ping" and "traceroute" to test the redirection, and of course that could not work with an access-list written for HTTP traffic... oops!
Thanks to you all
- Jean-Claude
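The resolution above (ICMP "ping" and UDP "traceroute" never match an access-list written for TCP/80) can be checked offline with the following added example. It is not code from the original thread; it is a small Python model of how IOS evaluates the posted access-list 110, the route-map http-redir and the static routes, written to show which packets get the DSL router (172.18.32.102) as next hop and which fall through to normal routing. It also shows a side effect of the posted configuration worth knowing about: because the ACL's destination is "any", HTTP from the workstation to the networks that the "ip route" statements send via the firewall (e.g. 192.168.3.0/24) is policy-routed to the DSL NAT router as well, since "set ip next-hop" is applied before the routing table is consulted. The packets and the outside address 198.51.100.10 are constructed for illustration.

```python
# Added example (not from the original thread): a model of the IOS
# extended ACL, route-map and static-route evaluation from the posted
# configuration.  Packets and the outside address are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None  # the "eq <port>" qualifier on the destination


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; falling off the end is the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _addr_matches(e.src, pkt.src) or not _addr_matches(e.dst, pkt.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action == "permit"
    return False


# access-list 110 as posted: only TCP/80 from the workstation is permitted
ACL_110 = [
    AclEntry("permit", "tcp", "host 172.18.32.21", "any", 80),
    AclEntry("deny", "tcp", "any", "any"),
]

# route-map http-redir permit 110 / match ip address 110 / set ip next-hop
ROUTE_MAP = [(ACL_110, "172.18.32.102")]

# the posted "ip route" statements plus the connected VLAN 5 prefix
STATIC_ROUTES = [
    ("172.18.32.0/20", "connected"),
    ("0.0.0.0/0", "172.18.32.101"),
    ("192.168.3.0/24", "172.18.32.100"),
    ("192.168.205.0/24", "172.18.32.100"),
    ("194.57.100.0/24", "172.18.32.100"),
    ("195.68.194.128/25", "172.18.32.100"),
]


def normal_route(dst: str) -> str:
    """Longest-prefix match over the static and connected routes."""
    candidates = [(ip_network(p), nh) for p, nh in STATIC_ROUTES
                  if ip_address(dst) in ip_network(p)]
    return max(candidates, key=lambda t: t[0].prefixlen)[1]


def next_hop(pkt: Packet) -> str:
    """PBR runs before the routing table: a packet permitted by the
    route-map's ACL takes the set next-hop regardless of static routes;
    anything denied (explicitly or implicitly) is routed normally."""
    for acl, nh in ROUTE_MAP:
        if acl_permits(acl, pkt):
            return nh
    return normal_route(pkt.dst)


if __name__ == "__main__":
    WS = "172.18.32.21"        # the workstation from the post
    OUTSIDE = "198.51.100.10"  # constructed Internet address (RFC 5737 range)
    for p in (
        Packet("tcp", WS, OUTSIDE, 80),              # HTTP request: policy-routed
        Packet("icmp", WS, OUTSIDE),                 # "ping": ACL never matches
        Packet("udp", WS, OUTSIDE, 33434),           # "traceroute" probe: no match
        Packet("tcp", "172.18.32.22", OUTSIDE, 80),  # another host: explicit deny
        Packet("tcp", WS, "192.168.3.5", 80),        # HTTP to a firewall-routed net
    ):
        print(p, "->", next_hop(p))
```

Running it prints the HTTP request and the HTTP packet for 192.168.3.5 with next hop 172.18.32.102, while the ping, the traceroute probe and HTTP from any other host get 172.18.32.101 from the default route; only non-HTTP traffic to 192.168.3.0/24 reaches the firewall at 172.18.32.100. To test a route-map like this on the real box, send traffic that the ACL actually matches (a TCP/80 connection from 172.18.32.21) and watch the "Policy routing matches" counter in "show route-map" increase.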