route traffic based on destination IP and create failover routes

cscusystems
Level 1

Hi and thanks for taking the time to read this...

I have 6 branches connect to our Head Office in a star configuration. Each branch has both a T1 and a DSL line connected to an 1841 router. The original idea was that the DSL would act as a failover in the event the T1 goes down, but I'd really like to make more use of the DSL line.

So what I want to do is:
- route all branch traffic with local/internal IP address destinations (192.168.x.x) through the T1  (192.168.x.x is things like email and other business applications)
- route all branch traffic with local/internal IP address destinations (10.10.x.x) through the T1    (10.10.x.x is VOIP)
- route all branch traffic with a few specific IP address destinations (eg 198.200.16.77 and 64.77.8.16) through the T1
- route all branch traffic with other IP address destinations (ie internet) through the DSL
- have the DSL serve as a failover for the T1 and, when this happens, give all the priority to 192.168.x.x and 10.10.x.x traffic and essentially block internet traffic (or make it ultra low priority)
- have the T1 serve as a failover for the DSL, but make sure the internet traffic is low priority

Here is the current configuration for one of our branches
-note: fa0/0 is connected to the DSL, fa0/1 is connected to the T1
-note: IPX routing is no longer required
-note: 192.168.60.x = IP addresses of branch equipment; 192.168.10.x = IP addresses of Head Office equipment


!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NWT_1841
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
!
no aaa new-model
!
resource policy
!
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain list XXXXXXXX.com
ip name-server 192.168.10.8
ip sla monitor 1
type echo protocol ipIcmpEcho 172.16.1.5
timeout 1000
threshold 2
frequency 3
ip sla monitor schedule 1 life forever start-time now
ipx routing 0018.19c2.3394
no ftp-server write-enable
!
!
track 123 rtr 1 reachability
!
class-map match-any SHORETEL_VOIP
match ip dscp ef
match access-group 102
!
!
policy-map SHORETEL_VOIP_POLICY
class SHORETEL_VOIP
  priority percent 50
class class-default
  set dscp default
  fair-queue
  random-detect
!
!
!
interface FastEthernet0/0
description Secondary Link to HO Sonicwall
ip address 172.16.20.6 255.255.255.252
ip helper-address 192.168.10.8
no ip mroute-cache
duplex auto
speed auto
no snmp trap link-status
!
interface FastEthernet0/1
description Primary Link to HO Bell
bandwidth 1544
ip address 172.16.1.6 255.255.255.252
ip helper-address 192.168.10.8
speed 10
full-duplex
ipx encapsulation SAP
ipx network 2A
ipx type-20-propagation
service-policy output SHORETEL_VOIP_POLICY
!
interface FastEthernet0/0/0
description Trunk to HP_NWT_2626 Port 24
switchport mode trunk
service-policy output SHORETEL_VOIP_POLICY
!
interface FastEthernet0/0/1
shutdown
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.10.60.250 255.255.255.0
ip helper-address 192.168.10.8
!
interface Vlan20
ip address 192.168.60.250 255.255.255.0
ip helper-address 192.168.10.8
!
ip local policy route-map FAILOVER-TO-SONICWALL
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.5 name BELL track 123
ip route 0.0.0.0 0.0.0.0 172.16.20.5 254 name SONICWALL
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 101 permit icmp any host 172.16.1.5 echo
access-list 102 remark : Shoretel VOIP ports
access-list 102 permit udp any any eq 2427
access-list 102 permit udp any any eq 2727
access-list 102 permit udp any any range 5440 5446
route-map FAILOVER-TO-SONICWALL permit 10
match ip address 101
set interface Null0
set ip next-hop 172.16.1.5
!
!
!
!
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
session-timeout 60
login
transport input telnet
!
ntp update-calendar
ntp server 192.168.10.8
end

So there are basically two classes of traffic - business related (192.168.x.x and 10.10.x.x) and non-business (everything else, with the exception of three or four specific IP addresses) - and within the business related traffic there is VOIP and non-VOIP.

Where do I start??
Thanks!

3 Replies

John Blakley
VIP Alumni

Eric,

You should identify, either by port or destination, the type of traffic that you want to force over which link. Let's say that you just want your internet traffic to go over the DSL, and you want the T1 line to service your LAN traffic:

Supposing the LAN traffic is ONLY 192.168.0.0/16 addresses:

! match everything destined for the LAN range
ip access-list ext LANONLY
 permit ip any 192.168.1.0 0.0.0.255

! sequence 10: LAN traffic goes out the T1 interface
route-map SPLIT permit 10
 match ip address LANONLY
 set interface s0

! sequence 20 (a second "permit 10" would just overwrite the first one):
! everything else goes out the DSL interface
route-map SPLIT permit 20
 set interface s1

! apply the policy where the traffic enters the router
int fa0/0 (internal interface)
 ip policy route-map SPLIT

What this SHOULD do is match all traffic destined for 192.168.1.0 and send it over your T1. Anything that doesn't match should go out the DSL line. Obviously, you may need to NAT the traffic that goes out of the DSL side in order for it to get back.

HTH,

John

HTH, John *** Please rate all useful posts ***

Eric

First a couple of details and then the important point:

- You describe the connection as T1. But your configuration has it on fa0/1. How do you get a T1 onto an Ethernet interface?

- I do not understand the logic of your route map which is:

route-map FAILOVER-TO-SONICWALL permit 10
match ip address 101
set interface Null0
set ip next-hop 172.16.1.5

why are you setting the interface to null0? I thought that you wanted to forward this traffic but you are sending it to the bit bucket.

- Policy Based Routing is the answer to your requirements. John has made a good suggestion, but I will suggest a somewhat different approach.

  + first let us clarify that what you have configured with ip policy local is policy based routing for packets generated by the router itself. But it does nothing for packets sent to the router and the end stations for the router to forward. What you need to do is to configure ip policy on the interfaces on which the traffic arrives (in this case I believe that it is the VLAN interfaces).

  + John's suggestion specifies setting outbound interfaces for both interfaces. I would suggest that you use a default route to make the DSL the favored outbound interface. Then your route map only needs to specify the traffic which you want to go specifically out the other interface. You can then use a floating static default route so that if the DSL fails (the original default route) all traffic will fail over. You will also need to configure Object Tracking (ip sla) to check to verify that the path through the DSL is working and to withdraw the primary default route if the DSL does fail.

HTH

Rick

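The following is an added example, not code from John, Rick or Eric: a skeleton that puts Rick's approach (DSL as the preferred default route, floating static via the T1, a route-map that only names the traffic which must use the T1, and ip policy on the VLAN interfaces) onto the interfaces and addresses from Eric's posted config. It also covers John's point that the route-map only needs the "force to T1" leg once the default route handles the rest. It assumes the IOS image supports `set ip next-hop verify-availability ... track` (12.3(4)T and later), that both next-hops (172.16.1.5 on the T1, 172.16.20.5 on the DSL/Sonicwall) answer ICMP echo, and it keeps the `ip sla monitor` syntax of the posted 12.3 config; the object names and track numbers 123/124 are just chosen for the example.

```cisco
! ---- reachability probes, one per circuit ----
! T1 next-hop (the existing probe, with the source interface pinned)
ip sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.5 source-interface FastEthernet0/1
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 1 life forever start-time now
! DSL next-hop (new probe, same parameters)
ip sla monitor 2
 type echo protocol ipIcmpEcho 172.16.20.5 source-interface FastEthernet0/0
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 2 life forever start-time now
!
! track 123 = T1 usable, track 124 = DSL usable
track 123 rtr 1 reachability
track 124 rtr 2 reachability
!
! ---- default routing: DSL preferred, T1 floating (AD 254) ----
! the DSL default is withdrawn when the DSL probe fails, so the
! floating T1 default takes over for everything
ip route 0.0.0.0 0.0.0.0 172.16.20.5 name SONICWALL track 124
ip route 0.0.0.0 0.0.0.0 172.16.1.5 254 name BELL
!
! ---- traffic that must use the T1 while it is up ----
ip access-list extended BUSINESS-TO-T1
 remark internal servers, VOIP subnets and the specific external hosts
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any 10.10.0.0 0.0.255.255
 permit ip any host 198.200.16.77
 permit ip any host 64.77.8.16
!
! PBR: business traffic is sent to the T1 next-hop only while track 123
! is up; when the T1 is down the "set" is skipped and the packet follows
! the routing table, i.e. the DSL default route.  No second sequence is
! needed for internet traffic, it simply falls through to normal routing.
route-map BUSINESS-VIA-T1 permit 10
 match ip address BUSINESS-TO-T1
 set ip next-hop verify-availability 172.16.1.5 10 track 123
!
! apply on the interfaces where branch traffic enters the router
! (this replaces the "ip local policy", which only affects packets
!  generated by the router itself)
interface Vlan10
 ip policy route-map BUSINESS-VIA-T1
interface Vlan20
 ip policy route-map BUSINESS-VIA-T1
```

Both probe targets sit on directly connected /30 subnets, so the probes leave by the connected route on the right interface and no local policy is needed to steer them. To check the result: `show track` shows the up/down state of 123 and 124, `show ip sla monitor statistics` shows whether each probe is answering, `show ip route` should list only one default at a time, and `show route-map BUSINESS-VIA-T1` counts the packets that were policy routed. The priority question in the thread is a separate, QoS matter: the existing SHORETEL_VOIP_POLICY can be attached with `service-policy output` on FastEthernet0/0 as well, but `priority percent` only means something once a `bandwidth` value matching the DSL uplink rate (which the thread does not state) is configured on that interface.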

Hi John and Rick,

Thanks for responding to my question...  I inherited this configuration, so I'm not sure why some of the configurations were made (eg setting the interface to null).

The T1 is provided by what Bell calls a LANx - from what I understand, they installed the line and an "anda box" - I use an RJ45 cable to plug fa0/1 into one of the ports on the anda box.

Should I remove the "ip policy local" - it doesn't sound like it is doing much for me? I already have an "ip sla" set up on the T1 - can I set another one up to monitor the DSL? I'm afraid that I don't understand how I would give the business traffic priority over the internet traffic in the event of a failover of either circuit, and I also don't understand John's comment about needing to NAT the traffic on the DSL side.

Would you be able to provide me with a skeleton framework of how this would hang together?

Thanks again.

Eric.
