Cisco Support Community
Policy Based Routing

Hi,

I have a production network that I can't take down for maintenance. There is an ASA5505 at site A and a C800 router at site B. There is a leased line between the sites, but the client also has an ADSL line which is currently being used as a backup in case the first link fails. I would like to enable policy-based routing so that selected traffic will pass over the ADSL line, over a VPN, instead of using the leased line. This traffic will have the same destination device at site A but will come from a different subnet. I obviously can't break the network while adding the config, so I would really appreciate it if someone could let me know what config is needed. Here is the current config from the router at site B:

#CMRTR

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CMRTR
!
boot-start-marker
boot-end-marker
!
logging console critical
logging monitor informational
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!
aaa session-id common
crypto pki token default removal timeout 0
!
no ip source-route
ip cef
!
ip dhcp excluded-address 10.135.135.1
ip dhcp excluded-address 192.168.101.1
ip dhcp excluded-address 10.150.150.1
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool 429
 network 10.135.135.0 255.255.255.0
 default-router 10.135.135.1
 dns-server 8.8.8.8
!
ip dhcp pool 428
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 dns-server 81.19.56.10 8.8.8.8
!
no ip bootp server
no ip domain lookup
no ipv6 cef
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
object-group network OFF-TRU-LAN
 192.168.100.0 255.255.255.0
!
object-group network OFF-TRU-WLAN
 192.168.101.0 255.255.255.0
!
controller VDSL 0
!
ip tcp synwait-time 10
!
track 1 ip sla 1 reachability
 delay down 1 up 1
!
track 2 ip sla 2 reachability
 delay down 1 up 1
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address x.x.x.102
!
crypto ipsec transform-set QU esp-3des esp-md5-hmac
!
crypto map CM-MAP 10 ipsec-isakmp
 set peer x.x.x.102
 set transform-set QU
 match address VPN-L-OFF
!
interface ATM0
 description ADSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
interface Ethernet0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pppoe-client dial-pool-number 2
 no fair-queue
!
interface FastEthernet0
 description TLOC
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.150.150.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Vlan428
 description CM-TRU
 ip address 192.168.101.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Vlan429
 description CM-PUB
 ip address 10.135.135.1 255.255.255.0
 ip access-group 133 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address x.x.x.70 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 no cdp enable
 crypto map CM-MAP
!
ip forward-protocol nd
ip http server
ip http access-class 13
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ADSL-NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 200 track 2
!
ip access-list standard NAT_ACL
 permit 10.135.135.0 0.0.0.255
 permit 192.168.101.0 0.0.0.255
 permit 192.168.100.0 0.0.0.255
ip access-list standard TEST7
 permit 8.8.8.8
 permit 8.8.9.9
 permit 8.9.9.9
 permit 81.19.62.186
!
ip access-list extended VPN-LN-OFF
 permit ip object-group OFF-TRU-LAN host x.x.x.7
 permit ip object-group OFF-TRU-WLAN host x.x.x.7
!
ip sla 1
 icmp-echo 192.168.100.1 source-interface Vlan1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo x.x.x.69 source-interface Dialer0
ip sla schedule 2 life forever start-time now
logging history debugging
logging facility local1
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map TRU-NAT permit 10
 match ip address NAT_ACL
!
route-map TRU-WLAN-POLICY permit 10
 match ip address TRU-WLAN acl_TRU-WLAN
 set ip next-hop verify-availability x.x.x.102 1 track 1
 set ip next-hop verify-availability 100.100.100.1 2 track 2
!
route-map PUB-WLAN-POLICY permit 10
 match ip address acl_PUB-WLAN
 set ip next-hop verify-availability 192.168.100.1 2 track 1
!
route-map ADSL-NAT permit 10
 match ip address NAT_ACL
!
route-map QU-NAT permit 10
 match ip address NAT_ACL
!
line con 0
 password 7
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 13 in
 exec-timeout 60 0
 privilege level 15
 password 7
 transport input ssh
!
scheduler allocate 20000 1000
scheduler interval 500

 

In order to see what route maps are currently being used I ran the following:

CMRTR#sh route-map
route-map TRU-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TRU-WLAN-POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): TRU-WLAN acl_TRU-WLAN
  Set clauses:
    ip next-hop verify-availability x.x.x.102 1 track 1  [up]
    ip next-hop verify-availability 100.100.100.1 2 track 2  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map PUB-WLAN-POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): acl_PUB-WLAN
  Set clauses:
    ip next-hop verify-availability 192.168.100.1 2 track 1  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map ADSL-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map QU-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Am I right to assume that if it shows as up, it is in use? I think there is quite a bit that can be cleaned up if it is not being used.

Thanks in advance!

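Added example, not part of the original post and not a reply to it: a small Python cross-reference check over the configuration posted above. The `[up]` printed by `show route-map` is the state of the tracked object behind each `set ip next-hop verify-availability` clause; it says nothing about whether the route-map is applied anywhere. On IOS a route-map is in use only when some statement references it: `ip policy route-map` on an interface, `ip local policy route-map`, or `ip nat inside source route-map ...`. In the posted config only ADSL-NAT is referenced (by the NAT statement), and no interface carries `ip policy route-map`, so TRU-NAT, TRU-WLAN-POLICY, PUB-WLAN-POLICY and QU-NAT are not policy-routing anything regardless of the `[up]`. The script walks a hand-trimmed excerpt of the posted config (embedded as a constant; the trimming is mine, the lines are as posted) and reports route-maps nobody references, ACLs referenced but never defined, ACLs defined but never referenced, and crypto maps not bound to an interface. It understands only the block types that appear in this config.

```python
"""Cross-reference check for route-maps, ACLs and crypto maps in an IOS config.
Added example, not code from the original post; it understands only the block
types present in the posted CMRTR config."""
from collections import defaultdict

# Constructed excerpt of the config posted above, trimmed by hand to the
# blocks the check looks at; the individual lines are as posted.
CONFIG = """\
crypto map CM-MAP 10 ipsec-isakmp
 set peer x.x.x.102
 set transform-set QU
 match address VPN-L-OFF
interface Vlan429
 ip access-group 133 in
interface Dialer0
 crypto map CM-MAP
ip nat inside source route-map ADSL-NAT interface Dialer0 overload
ip access-list standard NAT_ACL
 permit 10.135.135.0 0.0.0.255
ip access-list standard TEST7
ip access-list extended VPN-LN-OFF
 permit ip object-group OFF-TRU-LAN host x.x.x.7
!
route-map TRU-NAT permit 10
 match ip address NAT_ACL
!
route-map TRU-WLAN-POLICY permit 10
 match ip address TRU-WLAN acl_TRU-WLAN
 set ip next-hop verify-availability x.x.x.102 1 track 1
!
route-map PUB-WLAN-POLICY permit 10
 match ip address acl_PUB-WLAN
 set ip next-hop verify-availability 192.168.100.1 2 track 1
!
route-map ADSL-NAT permit 10
 match ip address NAT_ACL
!
route-map QU-NAT permit 10
 match ip address NAT_ACL
"""


def analyze(config: str) -> dict:
    """Return dangling and unused references found in an IOS config text."""
    acls, route_maps, crypto_maps = set(), set(), set()
    acl_refs = defaultdict(list)    # ACL name -> statements that reference it
    rm_refs = defaultdict(list)     # route-map name -> statements that reference it
    cm_refs = defaultdict(list)     # crypto map name -> interfaces it is bound to
    context = None                  # (block type, block name) of the open block
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):                  # top-level statement
            context = None
            if tok[0] == "route-map":
                route_maps.add(tok[1])
                context = ("route-map", tok[1])
            elif tok[:2] == ["crypto", "map"] and len(tok) > 3 and tok[3].isdigit():
                crypto_maps.add(tok[2])
                context = ("crypto map", tok[2])
            elif tok[:2] == ["ip", "access-list"]:    # ip access-list std|ext NAME
                acls.add(tok[3])
            elif tok[0] == "access-list":             # numbered ACL
                acls.add(tok[1])
            elif tok[0] == "interface":
                context = ("interface", tok[1])
            elif "route-map" in tok:                  # ip nat ... / ip local policy route-map X
                rm_refs[tok[tok.index("route-map") + 1]].append(" ".join(tok[:3]))
            continue
        if context is None:
            continue
        kind, name = context
        where = f"{kind} {name}"
        if kind == "route-map" and tok[:3] == ["match", "ip", "address"]:
            if tok[3] != "prefix-list":               # every name listed here is an ACL
                for acl in tok[3:]:
                    acl_refs[acl].append(where)
        elif kind == "crypto map" and tok[:2] == ["match", "address"]:
            acl_refs[tok[2]].append(where)            # the crypto ACL that selects VPN traffic
        elif kind == "interface":
            if tok[:2] == ["ip", "access-group"]:
                acl_refs[tok[2]].append(where)
            elif tok[:3] == ["ip", "policy", "route-map"]:
                rm_refs[tok[3]].append(where)         # PBR is applied only by this statement
            elif tok[:2] == ["crypto", "map"]:
                cm_refs[tok[2]].append(where)
    return {
        "unused_route_maps": sorted(route_maps - set(rm_refs)),
        "missing_acls": {a: r for a, r in sorted(acl_refs.items()) if a not in acls},
        "unused_acls": sorted(acls - set(acl_refs)),
        "unapplied_crypto_maps": sorted(crypto_maps - set(cm_refs)),
    }


if __name__ == "__main__":
    for finding, items in analyze(CONFIG).items():
        print(f"{finding}: {items}")
```

Run against the excerpt, it reports TRU-NAT, TRU-WLAN-POLICY, PUB-WLAN-POLICY and QU-NAT as unreferenced; TRU-WLAN, acl_TRU-WLAN, acl_PUB-WLAN and ACL 133 as referenced but never defined; TEST7 and VPN-LN-OFF as defined but never referenced; and the crypto map's `match address VPN-L-OFF` pointing at an ACL that does not exist while the defined one is VPN-LN-OFF. Whether that last one is a typo in the post or on the router is worth checking first, because a crypto map entry whose match ACL is missing selects no traffic for encryption. Separately, the ISAKMP policy (3DES, MD5, DH group 2) and the `esp-3des esp-md5-hmac` transform set are algorithms that Cisco's Next Generation Encryption guidance lists as legacy or to be avoided; if the crypto configuration is being touched to carry the new subnet anyway, moving to AES, SHA-2 and a stronger DH group is the moment to do it.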