
New Member

More PBR questions...

I have a 2801 with a T1 on S 0/2/0 and DSL PPPoE on FE 0/1/0. I can set default route to either and both work fine. I'm trying to force http/https traffic just to the DSL connection.

When I monitor the connections in the SDM, and start a big download via http, I can see the T1 link bandwidth go up, while the DSL doesn't...

If I debug ip policy I get:

000960: Aug 14 16:02:16.349 MDT: IP: route map toDSL, item 10, permit
000961: Aug 14 16:02:16.369 MDT: IP: route map toDSL, item 10, permit
000962: Aug 14 16:02:16.373 MDT: IP: route map toDSL, item 10, permit
000963: Aug 14 16:02:16.389 MDT: IP: route map toDSL, item 10, permit

How can I determine if the policy is indeed sending http through the correct link?

7 REPLIES

Re: More PBR questions...

Using PBR you're setting the way traffic leaves your network (i.e. from client to server). Return traffic will follow the path that your upstream routers think will lead to your client. So if packets leave with an unmodified IP address that is routed from your provider over your T1 interface, then traffic from the server will return over the T1 link.

New Member

Re: More PBR questions...

That makes sense.

So how do I ensure that packets return via DSL link?

Gold

Re: More PBR questions...

You need to source them with addresses that are provided to you from the ISP that runs the DSL connection.

It is sorta strange that you could even send packets out the DSL sourced with IPs routed to you via your T1. The ISP should detect that IP address spoofing and drop your traffic.

You will need to NAT the addresses as they leave the DSL to a range that is routed to the DSL connection.

I am assuming that you do not have your own block of IPs that is being routed via the DSL and the T1. Gets a little harder then.

The only other way to do this is if same ISP provides both the T1 and the DSL. Some offer this kind of service as part of a package normally sold as a backup connection. Can't hurt to ask them.

New Member

Re: More PBR questions...

FE 0/0, the inside interface, is natted "inside".

FE 0/1, the DSL, is natted "outside".

The connection to the DSL is PPPoE, so both sides of the PPPoE "tunnel" are /32.

How do I nat the PPPoE interface Dialer1 to use the addresses from that assigned PPPoE connection?

Here is the config, edited for brevity:

router#show run
Building configuration...

Current configuration : 4513 bytes
!
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot system flash c2801-ipbasek9-mz.124-8.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxx
!
no aaa new-model
!
resource policy
!
clock timezone MDT -7
clock summer-time MDT date Apr 6 2006 2:00 Oct 26 2006 2:00
no ip source-route
no ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
!
!
! (Inside interface)
interface FastEthernet0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 ip policy route-map toDSL
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
!
! (DSL connection via Qwest)
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
! (T1 connection via XO, default route)
interface Serial0/2/0
 ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Vlan1
 no ip address
 ip mtu 1492
!
interface Dialer1
 description Qwest DSL
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username user@qwest.net password 7 password
!
no ip classless
! (S 0/2/0, T1 default route)
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
no ip http server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map int1 interface Dialer1 overload
!
logging trap debugging
! (FE 0/0, inside interface)
access-list 100 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit tcp any any eq www
no cdp run
route-map toDSL permit 10
 match ip address 111
 match interface Dialer1
!
route-map int1 permit 10
 match ip address 100
 match interface Dialer1
!
!
control-plane
!
end

Re: More PBR questions...

Your access-list 100 matches only the FE0/0 address, so only traffic sourced from the IP of FE 0/0 (literally the single IP configured on FE 0/0) will be NAT'ed to the Dialer1 address; however, all the PCs behind your router will not be NAT'ed. I'd allow everything that goes out of that interface to be NAT'ed.

This appears to be the only reason why your HTTP traffic returns over the main line. Change access-list 100 appropriately and all should work.

Re: More PBR questions...

So you need to ensure that packets leave with a source IP that would lead return traffic back over the same interface. One possibility is to apply NAT to such client connections, so the source of the packets is modified to become the WAN IP of your DSL link.

Silver

Re: More PBR questions...

I found you applied the correct access-list 111, which is configured in the route-map. However, you did not configure the next hop for the PBR. Your route-map should be as below:

route-map toDSL permit 10
 match ip address 111
 set interface Dialer1

Please try it and advise the result.

Check below for more details:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca590.html

Hope this helps.
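The two fixes proposed in this thread (widen access-list 100 so every inside host is translated to the Dialer1 address, and replace the "match interface Dialer1" clause in route-map toDSL with "set interface Dialer1") are shown together below, followed by the show commands that answer the original question of whether HTTP really leaves via the DSL link. This is an added example, not configuration from any poster in the thread. It assumes an inside subnet of 192.0.2.0/28 as a placeholder for the masked /28 on FastEthernet0/0, and it extends access-list 111 to port 443 because the original post asked for both http and https while the posted ACL only matched www.

```cisco
! Added example: corrected NAT and PBR fragments for the 2801 in this
! thread. Placeholder: 192.0.2.0/28 stands in for the masked inside /28.
!
! 1. NAT: match the whole inside subnet (wildcard 0.0.0.15 for a /28),
!    not only the router's own FE0/0 address, so every host behind the
!    router is translated to the Dialer1 address when it exits the DSL.
!    This is also what keeps the egress source legitimate: packets leaving
!    the DSL with T1-assigned sources look like spoofing to the DSL ISP's
!    ingress filtering and may be silently dropped.
no access-list 100
access-list 100 permit ip 192.0.2.0 0.0.0.15 any
!
route-map int1 permit 10
 match ip address 100
 match interface Dialer1
!
ip nat inside source route-map int1 interface Dialer1 overload
!
! 2. PBR: "match interface" is only a match clause, so the route-map never
!    set an exit; that is why "debug ip policy" printed "permit" while the
!    download still rode the T1. "set interface" is acceptable here because
!    Dialer1 is a PPP point-to-point link; on a multi-access interface use
!    "set ip next-hop" with the neighbour's address instead.
no access-list 111
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
!
route-map toDSL permit 10
 match ip address 111
 set interface Dialer1
!
interface FastEthernet0/0
 ip policy route-map toDSL
!
! 3. Verification (exec mode), while a large HTTP download is running:
!    show route-map toDSL                    -> "Policy routing matches: N packets" increasing
!    show ip policy                          -> toDSL bound to FastEthernet0/0
!    show ip nat translations                -> inside hosts mapped to the Dialer1 address on ports 80/443
!    show interfaces Dialer1 | include rate  -> output/input rate rising on the DSL, not the T1
```

The policy-routing counter on "show route-map" is the direct answer to the original question: a rising match count together with translations that carry the Dialer1 address means the flow both exits and returns over the DSL. If the counter rises but the NAT table stays empty, the PBR side is fine and the NAT ACL is still too narrow; if neither moves, the route-map is not bound to the inside interface.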
