Hi there! My problem is very similar to some recent ones solved here, but I need more help from you, dear IOS specialists.
As our main Internet link is very often saturated (it is shared with many other schools), we want to set up a DSL link to add some bandwidth (mainly for HTTP incoming traffic).
Our school workstations are connected to a Catalyst 6509 whose default gateway is a Cobalt cache box (172.18.32.101). The default gateway of the Cobalt is our main Internet connection firewall (172.18.32.100). The DSL router is also connected to the 6509 (172.18.32.102).
See the network diagram here: http://darwin.gobelins.fr/public/network-diag.jpg
We want to redirect some incoming traffic (mainly HTTP and FTP) through that DSL link, using an access-list and route-map setup.
ip address 172.18.32.1 255.255.240.0
ip helper-address 172.18.1.2
no ip redirects
ip policy route-map http-redir
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 172.18.32.101
ip route 192.168.3.0 255.255.255.0 172.18.32.100
ip route 192.168.205.0 255.255.255.0 172.18.32.100
ip route 18.104.22.168 255.255.255.0 172.18.32.100
ip route 22.214.171.124 255.255.255.128 172.18.32.100
ip http server
access-list 110 permit tcp host 172.18.32.21 any eq http
access-list 110 deny tcp any any
route-map http-redir permit 110
 match ip address 110
 set ip next-hop 172.18.32.102
When I apply that route-map to the VLAN interface, it does not route HTTP packets through the DSL link, even though the route-map seems to match:
route-map http-redir, permit, sequence 110
ip address (access-lists): 110
ip next-hop 172.18.32.102
Policy routing matches: 119802 packets, 34026305 bytes
Do you have any idea why it does not work as expected?
OK, here it is:
CAT6509#sh ip route 172.18.32.102
Routing entry for 172.18.32.0/20
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan5
Route metric is 0, traffic share count is 1
Hope this helps ...
You indicated that you wanted to redirect incoming HTTP traffic, but your route-map seems to suggest that you are acting on outgoing HTTP traffic. Is that what you want? Could you elaborate on what type of HTTP traffic you are trying to act on - is it traffic from an internal web server?
Yes, I want incoming HTTP traffic from the Internet to arrive via the DSL link, so I redirect the HTTP requests through that link ... or the response will never come back through DSL. (172.18.32.21 is my workstation's IP address.)
The DSL router is doing NAT translation on 172.18.32.102.
Maybe the problem is due to the fact that the DSL router is not connected to a dedicated port on the 6509 switch (it is behind a 2950 switch on VLAN 5).
Hope this helps
The 6509 is in production (450 users on it), so I prefer not to make mistakes with debug mode.
Could you tell me how to limit the debugging to the route-map traffic?
I plan to do this:
access-list 123 permit ip host 172.18.32.21 host 172.18.32.101
access-list 123 permit ip host 172.18.32.101 host 172.18.32.21
debug ip packet 123 detail
[conf terminal] int vlan5
[conf terminal] no ip route-cache
Am I correct ?
I was finally able to use debug on the router, and it showed that, in fact, everything worked fine!!
The HTTP packets are correctly directed through the DSL link.
My error was to use "ping" and "traceroute" to test the redirection, and of course that was not going to work with an access-list written for HTTP traffic .. oops!
Thanks to you all
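As an added illustration of the point the thread ends on (not code from the original posts or from Cisco): the evaluator below parses the poster's access-list 110 and applies the route-map logic to a few constructed packets, showing that an HTTP request from 172.18.32.21 gets the DSL next-hop while an ICMP ping or any other traffic falls through to the normal default route. The ACL lines and next-hop addresses are copied from the thread; the destination addresses used as packets are constructed test values.

```python
import ipaddress

# ACL and next-hops as posted in the thread (IOS syntax); only 'host'/'any'/
# wildcard addresses and a destination 'eq PORT' are handled, which is all it uses.
ACL_110 = [
    "access-list 110 permit tcp host 172.18.32.21 any eq http",
    "access-list 110 deny tcp any any",
]
DEFAULT_GW = "172.18.32.101"    # 'ip route 0.0.0.0 0.0.0.0 172.18.32.101' (cache box)
PBR_NEXT_HOP = "172.18.32.102"  # 'set ip next-hop' in route-map http-redir (DSL router)
PORT_NAMES = {"http": 80, "ftp": 21}


def _parse_addr(tokens):
    """Consume one address spec ('any' | 'host A.B.C.D' | 'A.B.C.D wildcard')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Contiguous wildcard masks only: invert the wildcard to get a netmask.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network((tokens[0], str(netmask)), strict=False), tokens[2:]


def _parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a tuple."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port


ACES = [_parse_ace(line) for line in ACL_110]


def acl_permits(proto, src, dst, dport=None):
    """First-match evaluation, with the implicit 'deny any' at the end of an IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in ACES:
        if p != "ip" and p != proto:          # e.g. ICMP never matches a 'tcp' entry
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


def pbr_next_hop(proto, src, dst, dport=None):
    """route-map http-redir: ACL-permitted packets go to the DSL router, the rest
    follow the routing table (default route to the cache box)."""
    return PBR_NEXT_HOP if acl_permits(proto, src, dst, dport) else DEFAULT_GW
```

Running `pbr_next_hop("icmp", "172.18.32.21", "203.0.113.10")` returns the cache box, which is exactly why the poster's ping test "failed" while HTTP was being policy-routed all along.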