Cisco config example for Policy Based Routing

  • I find myself in a situation I was in not too long ago, but I can't remember how I resolved it :)

    The Scenario

    I have a Cisco IOS router with a LAN interface (fa0/0), a WAN interface (fa0/1), and a 2nd WAN interface (fa0/2).

    • There are two LAN sub-interfaces, fa0/0.10 and fa0/0.20, let's say.
    • There is a default route via fa0/1. However, there is a static route to a specific subnet, let's say via fa0/2 (fa0/2 is closer to this subnet, but a more expensive $$$ WAN link).

    All my fa0/0.10 users are accessing and so the static route sends them out of fa0/2 (WAN2). For all other destinations fa0/0.10 users go via the DHCP default route I receive on the WAN1 interface fa0/1.

    The problem definition:

    Users in the fa0/0.20 subnet just access the Internet. No user in my fa0/0.20 subnet ever really has the need to access the remote subnet. Rarely they do, though, in which case the static route sends them via fa0/2. I don't want this; I want them to access it via fa0/1, the default WAN interface. I believe I can achieve this via PBR, but I can't seem to get it to work?

    This is the config I am trying at present:

    interface FastEthernet0/0.10
     description LAN1
     encapsulation dot1Q 10
     ip address
     ip nat inside
     ip virtual-reassembly
    interface FastEthernet0/0.20
     description LAN2
     encapsulation dot1Q 20
     ip address
     ip nat inside
     ip virtual-reassembly
     ip policy route-map FORCE-LAN2-VIA-WAN1
    interface FastEthernet0/1
     description WAN1
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
    interface FastEthernet0/2
     description WAN2 - Used for
     ip address
    ! Static route to route to a remote subnet via 2nd WAN link
    ip route
    ! A default route is received on fa0/1 (WAN1) via DHCP from ISP
    ! for all other traffic
    ! NAT fa0/0.10 users when accessing the Internet via WAN1
    ip nat inside source route-map ROUTE-WAN1 interface FastEthernet0/1 overload
    ! NAT fa0/0.20 users out via WAN1
    ip nat inside source route-map FORCE-LAN2-VIA-WAN1 interface FastEthernet0/1 overload
    route-map ROUTE-WAN1 permit 10
     match interface FastEthernet0/1
    route-map FORCE-LAN2-VIA-WAN1 permit 10
     match interface FastEthernet0/0.20
     set default interface FastEthernet0/1

    I am trying to apply policy based routing directly to the fa0/0.20 sub-interface to force all traffic via WAN1, fa0/1. My understanding is that, because there is a more specific route than the default route received by DHCP on fa0/1 in the FIB, it overrides the PBR and traffic from fa0/0.20 to is still using WAN2, fa0/2. Or at least, I believe this to be the case when using "set default interface ...". If I were to use "set ip next-hop", for example, this would force the PBR to take precedence, but WAN1, fa0/1, receives an IP by DHCP and is thus changing :)

    As a side note: there are actually many static routes via WAN2, so I don't want to reverse the situation and policy route fa0/0.10 via WAN2 for specific subnets. The config there is more complex than I have let on; the long and short of it is, though, that it is not viable to change that. Additionally, if there is a better way to tackle this problem other than PBR, I'm all ears. I am fighting with this method because it is the best solution I am aware of.

    Update: Added a spectacularly drawn topology diagram


    What routing behavior do you want if either WAN1 or WAN2 go down? Do you want traffic to then flow over the remaining WAN interface that is UP or will you drop traffic instead of going over your costly WAN2 if WAN1 fails?

    Could you please show us a network diagram? A picture is worth a thousand words :)

  • Ricky (correct answer, 9 years ago)

    I would recommend using a route-map for only one purpose (one for nat, another to pbr); mixed use can make for a mess. For NAT, the match interface will apply post-routing -- handy to make conditional nat entries.

    The route-map for PBR should use an ACL to match the traffic coming from LAN2 and then set the next-hop to the desired interface with `set interface`, not `set default` -- or `set ip next-hop dynamic dhcp`, as you won't know the actual gw address. This bypasses / overrides any routing logic that would otherwise send the traffic to your expensive WAN.

    Could you give an example configuration of this setup?

    `set ip next-hop dynamic dhcp` was what I needed, how did I miss that? :) Still, thanks for being so prompt and for the sound advice!
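Ricky's answer, together with the asker's own observation that `set default interface` loses to the more specific static route, turned into a complete configuration. This is an added example, not config from the original question or answer. The addresses, VLAN IDs, and the ACL and route-map names are placeholders I picked; the `set interface Null0` fallback is a design choice of mine that answers the comment about what should happen when WAN1 goes down:

```cisco
! Added example (not the asker's or Ricky's config). Placeholders assumed:
!   LAN1 = 192.168.10.0/24 on fa0/0.10, LAN2 = 192.168.20.0/24 on fa0/0.20,
!   remote subnet reached via WAN2 = 10.50.0.0/16 (static route left as-is).
!
! 1. Traffic selector for PBR: only LAN2 sources, and NOT LAN2 -> LAN1.
!    Without the deny line, inter-VLAN traffic would be thrown at WAN1 too.
ip access-list extended LAN2-TO-ANY
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
! 2. PBR route-map, used for PBR only. "set ip next-hop dynamic dhcp" uses the
!    gateway learned by the DHCP client on fa0/1, so it survives lease changes,
!    and unlike "set default ..." it is evaluated BEFORE the routing table, so
!    the specific static routes via fa0/2 are ignored for this traffic.
!    "set interface Null0" is my fallback: if the DHCP next hop cannot be
!    resolved (WAN1 down, no lease), matching packets are dropped instead of
!    falling back to normal routing and leaking onto the costly WAN2.
!    Remove that line if you would rather fail over to WAN2.
route-map PBR-LAN2-VIA-WAN1 permit 10
 match ip address LAN2-TO-ANY
 set ip next-hop dynamic dhcp
 set interface Null0
!
interface FastEthernet0/0.20
 description LAN2
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-LAN2-VIA-WAN1
!
! 3. NAT route-map, a separate object. For NAT, "match interface" is checked
!    after routing, so this translates anything from either LAN that actually
!    leaves via fa0/1, which now includes the policy-routed LAN2 traffic.
ip access-list extended NAT-INSIDE
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
route-map NAT-WAN1 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/1
ip nat inside source route-map NAT-WAN1 interface FastEthernet0/1 overload
!
! 4. Verify from LAN2 with a ping/traceroute to the remote subnet:
!    the policy counters should increase, and "debug ip policy" should show
!    "policy match" / "policy routed" lines for those packets.
! show route-map PBR-LAN2-VIA-WAN1
! show ip policy
! debug ip policy
```

Two things to check before relying on it: `ip policy` on the sub-interface only affects transit traffic from LAN2, not packets the router itself originates (that would need `ip local policy`), and the old `FORCE-LAN2-VIA-WAN1` route-map should be removed from the NAT statement so that NAT and PBR no longer share one object.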

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM