Policy Based Routing

chris
Level 1

Hi,

I have a production network that I can't take down for maintenance. There is an ASA5505 in site A and a C800 router in site B. There is a leased line between the sites but the client also has an ADSL line which is currently being used as a backup in case the first link fails. I would like to enable policy based routing so that selected traffic will pass over the ADSL line over a VPN instead of using the leased line. This traffic will have the same destination device of site A but will be from a different subnet. I obviously can't break the network while adding the config so I would really appreciate it if someone could let me know what config is needed. Here is the current config from the router at site B:


#CMRTR

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CMRTR
!
boot-start-marker
boot-end-marker
!
logging console critical
logging monitor informational
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!
aaa session-id common
crypto pki token default removal timeout 0
!
no ip source-route
ip cef
!
ip dhcp excluded-address 10.135.135.1
ip dhcp excluded-address 192.168.101.1
ip dhcp excluded-address 10.150.150.1
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool 429
 network 10.135.135.0 255.255.255.0
 default-router 10.135.135.1
 dns-server 8.8.8.8
!
ip dhcp pool 428
 network 192.168.101.0 255.255.255.0
 default-router 192.168.101.1
 dns-server 81.19.56.10 8.8.8.8
!
no ip bootp server
no ip domain lookup
no ipv6 cef
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
object-group network OFF-TRU-LAN
 192.168.100.0 255.255.255.0
!
object-group network OFF-TRU-WLAN
 192.168.101.0 255.255.255.0
!
controller VDSL 0
!
ip tcp synwait-time 10
!
track 1 ip sla 1 reachability
 delay down 1 up 1
!
track 2 ip sla 2 reachability
 delay down 1 up 1
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address x.x.x.102
!
crypto ipsec transform-set QU esp-3des esp-md5-hmac
!
crypto map CM-MAP 10 ipsec-isakmp
 set peer x.x.x.102
 set transform-set QU
 match address VPN-L-OFF
!
interface ATM0
 description ADSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
interface Ethernet0
 description $ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pppoe-client dial-pool-number 2
 no fair-queue
!
interface FastEthernet0
 description TLOC
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.150.150.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Vlan428
 description CM-TRU
 ip address 192.168.101.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Vlan429
 description CM-PUB
 ip address 10.135.135.1 255.255.255.0
 ip access-group 133 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address x.x.x.70 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 no cdp enable
 crypto map CM-MAP
!
ip forward-protocol nd
ip http server
ip http access-class 13
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ADSL-NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer0 200 track 2
!
ip access-list standard NAT_ACL
 permit 10.135.135.0 0.0.0.255
 permit 192.168.101.0 0.0.0.255
 permit 192.168.100.0 0.0.0.255
ip access-list standard TEST7
 permit 8.8.8.8
 permit 8.8.9.9
 permit 8.9.9.9
 permit 81.19.62.186
!
ip access-list extended VPN-LN-OFF
 permit ip object-group OFF-TRU-LAN host x.x.x.7
 permit ip object-group OFF-TRU-WLAN host x.x.x.7
!
ip sla 1
 icmp-echo 192.168.100.1 source-interface Vlan1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo x.x.x.69 source-interface Dialer0
ip sla schedule 2 life forever start-time now
logging history debugging
logging facility local1
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
route-map TRU-NAT permit 10
 match ip address NAT_ACL
!
route-map TRU-WLAN-POLICY permit 10
 match ip address TRU-WLAN acl_TRU-WLAN
 set ip next-hop verify-availability x.x.x.102 1 track 1
 set ip next-hop verify-availability 100.100.100.1 2 track 2
!
route-map PUB-WLAN-POLICY permit 10
 match ip address acl_PUB-WLAN
 set ip next-hop verify-availability 192.168.100.1 2 track 1
!
route-map ADSL-NAT permit 10
 match ip address NAT_ACL
!
route-map QU-NAT permit 10
 match ip address NAT_ACL
!
line con 0
 password 7
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 13 in
 exec-timeout 60 0
 privilege level 15
 password 7
 transport input ssh
!
scheduler allocate 20000 1000
scheduler interval 500


In order to see what route maps are currently being used I ran the following:


CMRTR#sh route-map
route-map TRU-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TRU-WLAN-POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): TRU-WLAN acl_TRU-WLAN
  Set clauses:
    ip next-hop verify-availability x.x.x.102 1 track 1  [up]
    ip next-hop verify-availability 100.100.100.1 2 track 2  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map PUB-WLAN-POLICY, permit, sequence 10
  Match clauses:
    ip address (access-lists): acl_PUB-WLAN
  Set clauses:
    ip next-hop verify-availability 192.168.100.1 2 track 1  [up]
  Policy routing matches: 0 packets, 0 bytes
route-map ADSL-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map QU-NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): NAT_ACL
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes


Am I right to assume that if it shows as up it is in use? I think there is quite a bit that can be cleaned up if it is not being used.

Thanks in advance!
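The `[up]` beside a `verify-availability` next-hop in `show route-map` reports the state of the tracked object, not whether anything applies the route-map; a route-map is only in use when an interface `ip policy route-map`, `ip local policy route-map` or an `ip nat inside source route-map` statement names it. The script below is an added audit example, not part of the original post, that lists route-maps no statement applies and ACL names that are referenced but never defined; it runs over a constructed excerpt of the config posted above.

```python
import re

# Constructed excerpt of the posted CMRTR config, trimmed to the lines the audit inspects.
CONFIG = """\
ip nat inside source route-map ADSL-NAT interface Dialer0 overload
ip access-list standard NAT_ACL
 permit 192.168.100.0 0.0.0.255
ip access-list extended VPN-LN-OFF
 permit ip object-group OFF-TRU-LAN host x.x.x.7
crypto map CM-MAP 10 ipsec-isakmp
 match address VPN-L-OFF
route-map TRU-NAT permit 10
 match ip address NAT_ACL
route-map TRU-WLAN-POLICY permit 10
 match ip address TRU-WLAN acl_TRU-WLAN
route-map PUB-WLAN-POLICY permit 10
 match ip address acl_PUB-WLAN
route-map ADSL-NAT permit 10
 match ip address NAT_ACL
route-map QU-NAT permit 10
 match ip address NAT_ACL
"""

def audit(config: str) -> dict:
    """Report unapplied route-maps and dangling ACL references in an IOS config."""
    defined_maps, applied_maps = set(), set()
    defined_acls, referenced_acls = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            defined_maps.add(m.group(1))
        # A route-map is in use only if PBR (interface or local) or NAT applies it.
        elif m := re.match(r"ip (?:local )?policy route-map (\S+)", line):
            applied_maps.add(m.group(1))
        elif m := re.match(r"ip nat inside source route-map (\S+)", line):
            applied_maps.add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            defined_acls.add(m.group(1))
        elif m := re.match(r"match ip address (.+)", line):
            referenced_acls.update(m.group(1).split())  # a match may list several ACLs
        elif m := re.match(r"match address (\S+)", line):
            referenced_acls.add(m.group(1))  # crypto-map ACL reference
    return {
        "unused_route_maps": sorted(defined_maps - applied_maps),
        "undefined_acls": sorted(referenced_acls - defined_acls),
    }

if __name__ == "__main__":
    print(audit(CONFIG))
```

On the excerpt the only applied route-map is ADSL-NAT (via the NAT statement), and the crypto map's `VPN-L-OFF` is flagged because the ACL defined in the config is named `VPN-LN-OFF`.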
