I have a production network that I can't take down for maintenance. There is an ASA5505 at site A and a C800 router at site B. There is a leased line between the sites, but the client also has an ADSL line which is currently being used as a backup in case the first link fails. I would like to enable policy-based routing so that selected traffic will pass over the ADSL line over a VPN instead of using the leased line. This traffic will have the same destination device at site A but will come from a different subnet. I obviously can't break the network while adding the config, so I would really appreciate it if someone could let me know what config is needed. Here is the current config from the router at site B:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CMRTR
!
boot-start-marker
boot-end-marker
!
logging console critical
logging monitor informational
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!
aaa session-id common
crypto pki token default removal timeout 0
!
no ip source-route
ip cef
!
ip dhcp excluded-address 10.135.135.1
ip dhcp excluded-address 192.168.101.1
ip dhcp excluded-address 10.150.150.1
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool 429
 network 10.135.135.0 255.255.255.0
 default-router 10.135.135.1
 dns-server 184.108.40.206
!
ip dhcp pool 428
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 dns-server 220.127.116.11 18.104.22.168
!
no ip bootp server
no ip domain lookup
no ipv6 cef
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
object-group network OFF-TRU-LAN
 192.168.100.0 255.255.255.0
!
object-group network OFF-TRU-WLAN
 192.168.101.0 255.255.255.0
!
controller VDSL 0
!
ip tcp synwait-time 10
!
track 1 ip sla 1 reachability
 delay down 1 up 1
!
track 2 ip sla 2 reachability
 delay down 1 up 1
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address x.x.x.102
!
crypto ipsec transform-set QU esp-3des esp-md5-hmac
!
crypto map CM-MAP 10 ipsec-isakmp
 set peer x.x.x.102
 set transform-set QU
 match address VPN-L-OFF
!
interface ATM0
 description ADSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Ethernet0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pppoe-client dial-pool-number 2
 no fair-queue
!
interface FastEthernet0
 description TLOC
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.150.150.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Vlan428
 description CM-TRU
 ip address 192.168.101.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Vlan429
 description CM-PUB
 ip address 10.135.135.1 255.255.255.0
 ip access-group 133 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address x.x.x.70 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 no cdp enable
 crypto map CM-MAP
!
ip forward-protocol nd
ip http server
ip http access-class 13
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ADSL-NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 200 track 2
!
ip access-list standard NAT_ACL
 permit 10.135.135.0 0.0.0.255
 permit 192.168.101.0 0.0.0.255
 permit 192.168.100.0 0.0.0.255
ip access-list standard TEST7
 permit 22.214.171.124
 permit 126.96.36.199
 permit 188.8.131.52
 permit 184.108.40.206
!
ip access-list extended VPN-LN-OFF
 permit ip object-group OFF-TRU-LAN host x.x.x.7
 permit ip object-group OFF-TRU-WLAN host x.x.x.7
!
ip sla 1
 icmp-echo 192.168.100.1 source-interface Vlan1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo x.x.x.69 source-interface Dialer0
ip sla schedule 2 life forever start-time now
logging history debugging
logging facility local1
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map TRU-NAT permit 10
 match ip address NAT_ACL
!
route-map TRU-WLAN-POLICY permit 10
 match ip address TRU-WLAN acl_TRU-WLAN
 set ip next-hop verify-availability x.x.x.102 1 track 1
 set ip next-hop verify-availability 100.100.100.1 2 track 2
!
route-map PUB-WLAN-POLICY permit 10
 match ip address acl_PUB-WLAN
 set ip next-hop verify-availability 192.168.100.1 2 track 1
!
route-map ADSL-NAT permit 10
 match ip address NAT_ACL
!
route-map QU-NAT permit 10
 match ip address NAT_ACL
!
line con 0
 password 7
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 13 in
 exec-timeout 60 0
 privilege level 15
 password 7
 transport input ssh
!
scheduler allocate 20000 1000
scheduler interval 500
In order to see what route maps are currently being used I ran the following:
CMRTR#sh route-map
route-map TRU-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TRU-WLAN-POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): TRU-WLAN acl_TRU-WLAN
  Set clauses:
    ip next-hop verify-availability x.x.x.102 1 track 1  [up]
    ip next-hop verify-availability 100.100.100.1 2 track 2  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map PUB-WLAN-POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): acl_PUB-WLAN
  Set clauses:
    ip next-hop verify-availability 192.168.100.1 2 track 1  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map ADSL-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map QU-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Am I right to assume that if it shows as up it is in use? I think there is quite a bit that can be cleaned up if it is not being used.
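The following is an added example and is not part of the original post or any reply to it. It shows how the policy-based routing described above can be added on the site B router without touching the existing subnets, and it illustrates how to read the "[up]" in "show route-map": that flag reports the state of the tracked object (the IP SLA reachability probe), not whether the route-map is applied; a route-map only policy-routes traffic once an interface carries "ip policy route-map", and the "Policy routing matches: 0 packets" counters above are what tell you none of the posted route-maps are doing anything. The example assumes the new subnet is 10.20.20.0/24 on a hypothetical Vlan430, that the site A destination is the host x.x.x.7 already used in the VPN-LN-OFF ACL, and that x.x.x.69 is the Dialer0 peer that ip sla 2 already pings. The ACL and route-map names NAT-ADSL-EXT, PBR-NEWSUBNET-TO-SITEA and NEWSUBNET-POLICY are chosen here and do not exist in the posted config.

```ios
! Added example, not the original poster's config. Assumed: Vlan430 with
! 10.20.20.0/24 as the new subnet, x.x.x.7 as the site A destination,
! x.x.x.69 as the Dialer0 peer already probed by ip sla 2.
!
! 1. As posted, the crypto map references "VPN-L-OFF" while the extended
!    ACL is named "VPN-LN-OFF". If that is not a transcription slip, the
!    crypto map matches no traffic at all, so point it at the real ACL.
crypto map CM-MAP 10 ipsec-isakmp
 match address VPN-LN-OFF
!
! 2. Tell the crypto map which new traffic to encrypt. The ASA at site A
!    needs the mirror-image entry in its crypto ACL, or phase 2 fails.
ip access-list extended VPN-LN-OFF
 permit ip 10.20.20.0 0.0.0.255 host x.x.x.7
!
! 3. Keep VPN-bound traffic out of NAT. On IOS, inside-to-outside NAT is
!    applied before the crypto map on Dialer0, so anything translated to
!    x.x.x.70 no longer matches VPN-LN-OFF. NAT_ACL is a standard ACL and
!    cannot match on destination, so the NAT route-map is moved to an
!    extended ACL whose deny lines come first.
ip access-list extended NAT-ADSL-EXT
 deny   ip 10.20.20.0 0.0.0.255 host x.x.x.7
 deny   ip 192.168.100.0 0.0.0.255 host x.x.x.7
 deny   ip 192.168.101.0 0.0.0.255 host x.x.x.7
 permit ip 10.135.135.0 0.0.0.255 any
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.20.20.0 0.0.0.255 any
route-map ADSL-NAT permit 10
 no match ip address NAT_ACL
 match ip address NAT-ADSL-EXT
!
! 4. Select only the new subnet's traffic to site A for policy routing.
ip access-list extended PBR-NEWSUBNET-TO-SITEA
 permit ip 10.20.20.0 0.0.0.255 host x.x.x.7
!
! 5. Send that traffic to the ADSL peer only while track 2 is up. If the
!    ADSL line is down the set clause is skipped and the packet follows
!    the normal routing table, i.e. the leased line via 192.168.100.1.
route-map NEWSUBNET-POLICY permit 10
 match ip address PBR-NEWSUBNET-TO-SITEA
 set ip next-hop verify-availability x.x.x.69 1 track 2
!
! 6. Apply the policy last, and only on the new subnet's interface, so
!    forwarding for Vlan1, Vlan428 and Vlan429 is unchanged.
interface Vlan430
 description NEW-SUBNET
 ip address 10.20.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip tcp adjust-mss 1412
 ip policy route-map NEWSUBNET-POLICY
!
! 7. Verify. The match counter only moves once the route-map is bound
!    to an interface and traffic hits it; "[up]" alone proves nothing.
! show route-map NEWSUBNET-POLICY
! show track 2
! show crypto session
! show ip nat translations | include x.x.x.7
```

Steps 1 to 5 change nothing on the wire until step 6 binds the route-map to the new interface, which is why they can be entered on a live box in that order; the only step that touches existing flows is the NAT ACL swap, and its effect is that VPN traffic from the two existing subnets stops being translated on the ADSL path, which the crypto ACL requires anyway. The posted ISAKMP policy and transform set use 3DES with MD5; replacing them with AES and SHA is a change on both the C800 and the ASA and is separate from the routing question.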