This should be simple, but I am spinning my wheels. I have a customer whose 3448 has three VLANs configured. Two need to go out the primary route and one needs to go out over the DSL connection. I know I should be able to accomplish this using Policy Based Routing, but none of the examples in the documentation match what I am trying to accomplish. Any help would be appreciated.
Thanks for the replies. I've got a config working now.
Building configuration...
!
!
! ADTRAN, Inc. OS version R10.9.2
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number LBADTN1326FQ168
!
!
! Global identity and credentials; the password strings are redacted (xxxx) in this paste.
hostname "XXXX-ROUTER"
enable password encrypted xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone -6-Central-Time
!
! IPv4 forwarding is on. IPv6 forwarding is also enabled although no interface in this
! listing carries an IPv6 address; disable it if IPv6 is not in use.
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
! Resolvers used by the router itself and handed out by every DHCP pool below.
name-server 205.171.203.226 205.171.2.226
!
!
no auto-config
auto-config authname adtran encrypted password xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
! Logging: on-box event history only; console, e-mail and syslog forwarding are off, so the
! many ACL "log" hits further down stay on the box. Forward to a syslog host if retention
! or auditing is wanted.
event-history on
no logging forwarding
no logging console
no logging email
!
! Obscures stored passwords in "show run"; it is not strong protection of the config file.
service password-encryption
!
! Local admin account used by the console/SSH "login local-userlist" lines; credentials redacted.
username "xxxxxxx" password encrypted "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
!
!
! Stateful firewall on; the "ip access-policy" bindings on the interfaces below only take
! effect while this is enabled. Unused ALGs (MSN, MSZone, H.323) are disabled.
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
!
!
!
! The router acts as controller for the AP defined in "interface dot11ap 1" below.
dot11ap access-point-control
!
!
!
!
!
!
!
! One DHCP pool per routed VLAN (10, 101, 110). The excluded ranges keep the low and high
! addresses of each subnet for static hosts and for the SVI used as default-router.
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.200 10.10.10.254
ip dhcp excluded-address 192.168.254.1 192.168.254.50
ip dhcp excluded-address 192.168.254.150 192.168.254.254
ip dhcp excluded-address 192.168.110.1 192.168.110.50
ip dhcp excluded-address 192.168.110.150 192.168.110.254
!
! Management VLAN 10 (AP and management hosts).
ip dhcp pool "Management"
network 10.10.10.0 255.255.255.0
domain-name "centurylink.com"
dns-server 205.171.203.226 205.171.2.226
default-router 10.10.10.254
!
! Customer LAN VLAN 101.
ip dhcp pool "LAN"
network 192.168.254.0 255.255.255.0
domain-name "xxxx.org"
dns-server 205.171.203.226 205.171.2.226
default-router 192.168.254.254
!
! Guest VLAN 110; clients here are policy-routed out the DSL (see route-map Guest).
ip dhcp pool "Guest-Wireless"
network 192.168.110.0 255.255.255.0
domain-name "centurylink.com"
dns-server 205.171.203.226 205.171.2.226
default-router 192.168.110.254
!
!
!
!
!
!
!
!
!
!
!
!
! Layer-2 VLAN definitions. VLANs 10, 101 and 110 each get an SVI in "interface vlan" below;
! VLAN 1 is kept but its SVI is shut.
vlan 1
name "Default"
!
vlan 10
name "Management"
!
vlan 101
name "LAN"
!
vlan 110
name "Guest-Wireless"
!
!
!
no ethernet cfm
!
! WAN uplinks. Both are bound to policy-class Public, which (see "ip policy-class Public")
! admits only the remote-access list: SSH and ICMP echo from any source. If management
! should not be reachable from the whole internet, narrow the source in that ACL.
interface eth 0/1
description METRO Ethernet Circuit xx.xxxx.xxxxxx..xxxx
speed 100
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip address range xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.248 secondary
ip access-policy Public
no shutdown
!
!
! DSL uplink: the next-hop/egress for route-map Guest and the NAT address for the
! Guest-Wireless pool. <DSL IP> is a placeholder left by the poster.
interface eth 0/2
description DSL for Guest network
ip address <DSL IP> 255.255.255.128
ip access-policy Public
no shutdown
!
!
!
! Trunk ports to the customer LAN, the WAP and the management host; native VLAN is set per port.
interface switchport 0/1
description link to customer LAN
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 101
!
! The WAP is managed over native VLAN 10; the secure/guest SSIDs ride tagged VLANs 101/110
! over this trunk (see the dot11ap sub-interfaces).
interface switchport 0/2
description link to customer WAP
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 10
!
! 0/3 is up with default port settings and no description; label its use or shut it like 0/4-0/7.
interface switchport 0/3
no shutdown
!
interface switchport 0/4
shutdown
!
interface switchport 0/5
shutdown
!
interface switchport 0/6
shutdown
!
interface switchport 0/7
shutdown
!
! Management trunk, native VLAN 10.
interface switchport 0/8
description Management
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 10
!
!
!
! Routed VLAN interfaces. All three share policy-class Private.
! NOTE(review): in AOS, traffic between interfaces in the same policy-class is not inspected,
! so Guest-Wireless (VLAN 110) hosts can reach the Management and LAN subnets directly. Give
! VLAN 110 its own policy-class that discards traffic to 10.10.10.0/24 and 192.168.254.0/24
! if guest isolation is intended -- confirm against the R10.9.2 firewall documentation.
interface vlan 1
no ip address
shutdown
!
interface vlan 10
description Management
ip address 10.10.10.254 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 101
description LAN
ip address 192.168.254.254 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 110
description Guest-Wireless
ip address 192.168.110.254 255.255.255.0
! Policy-based routing: route-map Guest steers traffic sourced from this subnet to the DSL circuit.
ip policy route-map Guest
ip access-policy Private
no shutdown
!
!
! Controlled access point, managed untagged over VLAN 10 from the Management subnet.
interface dot11ap 1 ap-type nv16x
access-point mac-address xx:xx:xx:xx:xx:xx
name XXXX
ip address 10.10.10.2 255.255.255.0
ip default-gateway 10.10.10.254
encapsulation 802.1q awcp-vlan 10 native priority 7
!
!
interface dot11ap 1/1 radio-type 802.11bg
no shutdown
!
!
! Both SSIDs negotiate WPA with TKIP or AES-CCMP. TKIP is deprecated; if every client
! supports CCMP, remove "tkip" from the security mode line. PSKs are redacted in this paste.
! Secure SSID lands on the customer LAN (VLAN 101).
interface dot11ap 1/1.1
description XXXX-Secure
vlan-id 101
ssid broadcast-mode "XXXX-Secure"
security mode wpa tkip aes-ccmp psk xxxxxxxx
no shutdown
!
! Guest SSID lands on VLAN 110, which is policy-routed out the DSL.
interface dot11ap 1/1.2
description XXXX-Guest
vlan-id 110
ssid broadcast-mode "XXXX-Guest"
security mode wpa tkip aes-ccmp psk xxxxxxxx
no shutdown
!
!
! 5 GHz radio unused.
interface dot11ap 1/2 radio-type 802.11a
shutdown
!
!
!
!
!
! PBR for the guest subnet. The match list is "source 192.168.110.0/24 to any", so guest
! traffic toward the internal subnets is also handed to the DSL gateway instead of being
! routed locally; do not rely on that as guest isolation (use the firewall policy-class).
! "set ip next-hop" is tried first and "set interface eth 0/2" is the fallback; when both
! are unavailable the packet presumably falls back to the routing table (default via
! eth 0/1), where its Guest NAT address (<DSL IP>) would not belong to the egress circuit --
! confirm the failure behaviour on this release. <DSL Gateway> is a placeholder.
route-map Guest permit 10
match ip address Guest-Wireless
set ip next-hop <DSL Gateway>
set interface eth 0/2
!
!
!
!
! Match lists. Every entry carries "log"; the "self" list is permit ip any any, so this logs
! every flow that hits the allow/NAT rules below -- noisy, and it fills the on-box event
! history. Keep "log" on remote-access; consider dropping it from the others.
ip access-list extended Guest-Wireless
permit ip 192.168.110.0 0.0.0.255 any log
!
ip access-list extended LAN
permit ip 192.168.254.0 0.0.0.255 any log
!
ip access-list extended Management
permit ip 10.10.10.0 0.0.0.255 any log
!
! Consumed by policy-class Public: SSH and ping from any source to the router's WAN addresses.
ip access-list extended remote-access
permit tcp any any eq ssh log
permit icmp any any echo log
!
! "permit ip any any": used as "allow list self self" in Private, i.e. inside hosts may
! reach every service the router itself exposes.
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
!
!
!
! Private: inside VLANs may reach the router itself (allow list ... self) and are NATed by
! originating subnet -- Management and LAN to the metro-E address, Guest-Wireless to the DSL
! address. The Guest NAT address matches the egress chosen by route-map Guest (eth 0/2).
ip policy-class Private
allow list self self
nat source list Management address xxx.xxx.xxx.xxx overload
nat source list LAN address xxx.xxx.xxx.xxx overload
nat source list Guest-Wireless address <DSL IP> overload
!
! Public: only the remote-access list (SSH, ICMP echo) may reach the router from either WAN;
! other unsolicited inbound traffic is dropped by the policy-class's implicit discard. Return
! traffic for NATed sessions is admitted by the stateful firewall, not by this list.
ip policy-class Public
allow list remote-access
!
!
!
! Single default route via the metro-E next-hop. There is no backup default via the DSL, so
! an eth 0/1 outage takes Management and LAN offline while the guest VLAN keeps using the DSL.
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
! Management-plane hardening: TFTP, HTTP(S), SNMP, FTP, SCP and SNTP services are off; SSH is
! the only remote management path (see "line ssh" below).
no tftp server
no tftp server overwrite
no http server
no http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
! SIP port settings; no voice interface is configured in this listing, so confirm they are needed.
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Console and SSH require a local-userlist login. Telnet is "no login" but shut down, so it
! is not reachable -- keep it shut.
line con 0
login local-userlist
!
line telnet 0 4
no login
shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
! Unauthenticated NTP from a public pool; fine for time sync, not a trust anchor.
ntp server pool.ntp.org prefer
!
!
!
!
!
end
I believe your config should look something like this. Substitute the correct IP addressing where appropriate, of course. I am also assuming that you intend to NAT out of your 3448; if not, you can ignore the firewall policies and just substitute the public IPs of your connections into each ACL and route map where appropriate.
! Proposed layout: one policy-class and one route-map per VLAN. Names in this sketch are
! inconsistent -- see the notes at the "interface vlan", route-map and policy-class stanzas.
! Policy-classes Public1 and Public_DSL are referenced here but not defined in the excerpt.
interface eth 0/1
description WAN1
ip address WAN.1.IP.Address 255.255.255.xxx
ip access-policy Public1
no shutdown
!
!
interface eth 0/2
description WAN to DSL
ip address DSL.WAN.IP.Address 255.255.255.xxx
ip access-policy Public_DSL
no shutdown
! VLANs 10 and 20 bind policy-class "Private", but the classes defined below are "Private1"
! and "Private_DSL"; pick one name so the binding resolves.
interface vlan 10
description Customer LAN
ip address 192.168.1.1 255.255.255.0
ip policy route-map VLAN10_OUT
ip access-policy Private
no shutdown
!
interface vlan 20
description IAD for Voice
ip address 192.168.2.1 255.255.255.0
ip policy route-map VLAN20_OUT
ip access-policy Private
no shutdown
!
! Description is copied from VLAN 20; relabel to what VLAN 30 actually carries. This is the
! VLAN steered to the DSL and it gets its own policy-class.
interface vlan 30
description IAD for Voice
ip address 192.168.3.1 255.255.255.0
ip policy route-map VLAN30_OUT
ip access-policy Private_DSL
no shutdown
!
! "set interface null 0" makes each map fail closed: when the next-hop is unreachable the
! matching traffic is discarded instead of following the default route. VLAN10_OUT matches
! "LAN1" while the list below is named "LAN_1"; the match never hits until the names agree.
route-map VLAN10_OUT permit 20
match ip address LAN1
set ip next-hop "gw.add.WAN.1"
set interface null 0
route-map VLAN20_OUT permit 20
match ip address LAN_2
set ip next-hop "gw.add.WAN.1"
set interface null 0
! Only this map leaves by the second WAN gateway.
route-map VLAN30_OUT permit 20
match ip address LAN_3
set ip next-hop "gw.add.WAN.2"
set interface null 0
!
!
! Per-VLAN source match lists shared by the route-maps and the NAT rules.
ip access-list extended LAN_1
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended LAN_2
permit ip 192.168.2.0 0.0.0.255 any
!
ip access-list extended LAN_3
permit ip 192.168.3.0 0.0.0.255 any
!
! "ip policy-class Private1" is entered twice; the second stanza re-enters the same class and
! appends its NAT rule, so it works but is clearer written as one stanza with both nat lines.
ip policy-class Private1
allow list self self
nat source list LAN_1 address WAN.1.IP.Address overload policy Public1
!
ip policy-class Private1
allow list self self
nat source list LAN_2 address WAN.1.IP.Address overload policy Public1
!
! Separate class for the DSL-bound VLAN: it has no allow entry toward Private1, so traffic
! from VLAN 30 to the other VLANs is presumably dropped by the firewall -- the isolation a
! single shared "Private" class does not give.
ip policy-class Private_DSL
allow list self self
nat source list LAN_3 address DSL.WAN.IP.Address overload policy Public_DSL
You will still need to have your default route built on the router. If you intend to initiate traffic from a particular interface out to the internet, you may also need to build a PBR entry for anything originating from the non-default-route interface.
Also, another approach that may work would be to build the route maps into the same policy and apply that policy as the local route-map policy on the router. That would save you the trouble of applying a separate map to each interface, although I like to keep certain config pieces as separate as possible.
Hope this helps.
I would suggest using VRFs to accomplish what you want to do. I have implemented it on several occasions and it works great.
Thanks for the replies. I've got a config working now.
Building configuration...
!
!
! ADTRAN, Inc. OS version R10.9.2
! Boot ROM version 13.03.00.SB
! Platform: NetVanta 3448, part number 1200821E1
! Serial number LBADTN1326FQ168
!
!
! Global identity and credentials; the password strings are redacted (xxxx) in this paste.
hostname "XXXX-ROUTER"
enable password encrypted xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
clock timezone -6-Central-Time
!
! IPv4 forwarding is on. IPv6 forwarding is also enabled although no interface in this
! listing carries an IPv6 address; disable it if IPv6 is not in use.
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
!
! Resolvers used by the router itself and handed out by every DHCP pool below.
name-server 205.171.203.226 205.171.2.226
!
!
no auto-config
auto-config authname adtran encrypted password xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
! Logging: on-box event history only; console, e-mail and syslog forwarding are off, so the
! many ACL "log" hits further down stay on the box. Forward to a syslog host if retention
! or auditing is wanted.
event-history on
no logging forwarding
no logging console
no logging email
!
! Obscures stored passwords in "show run"; it is not strong protection of the config file.
service password-encryption
!
! Local admin account used by the console/SSH "login local-userlist" lines; credentials redacted.
username "xxxxxxx" password encrypted "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
!
!
! Stateful firewall on; the "ip access-policy" bindings on the interfaces below only take
! effect while this is enabled. Unused ALGs (MSN, MSZone, H.323) are disabled.
ip firewall
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
!
!
!
!
!
!
!
!
!
!
!
! The router acts as controller for the AP defined in "interface dot11ap 1" below.
dot11ap access-point-control
!
!
!
!
!
!
!
! One DHCP pool per routed VLAN (10, 101, 110). The excluded ranges keep the low and high
! addresses of each subnet for static hosts and for the SVI used as default-router.
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.200 10.10.10.254
ip dhcp excluded-address 192.168.254.1 192.168.254.50
ip dhcp excluded-address 192.168.254.150 192.168.254.254
ip dhcp excluded-address 192.168.110.1 192.168.110.50
ip dhcp excluded-address 192.168.110.150 192.168.110.254
!
! Management VLAN 10 (AP and management hosts).
ip dhcp pool "Management"
network 10.10.10.0 255.255.255.0
domain-name "centurylink.com"
dns-server 205.171.203.226 205.171.2.226
default-router 10.10.10.254
!
! Customer LAN VLAN 101.
ip dhcp pool "LAN"
network 192.168.254.0 255.255.255.0
domain-name "xxxx.org"
dns-server 205.171.203.226 205.171.2.226
default-router 192.168.254.254
!
! Guest VLAN 110; clients here are policy-routed out the DSL (see route-map Guest).
ip dhcp pool "Guest-Wireless"
network 192.168.110.0 255.255.255.0
domain-name "centurylink.com"
dns-server 205.171.203.226 205.171.2.226
default-router 192.168.110.254
!
!
!
!
!
!
!
!
!
!
!
!
! Layer-2 VLAN definitions. VLANs 10, 101 and 110 each get an SVI in "interface vlan" below;
! VLAN 1 is kept but its SVI is shut.
vlan 1
name "Default"
!
vlan 10
name "Management"
!
vlan 101
name "LAN"
!
vlan 110
name "Guest-Wireless"
!
!
!
no ethernet cfm
!
! WAN uplinks. Both are bound to policy-class Public, which (see "ip policy-class Public")
! admits only the remote-access list: SSH and ICMP echo from any source. If management
! should not be reachable from the whole internet, narrow the source in that ACL.
interface eth 0/1
description METRO Ethernet Circuit xx.xxxx.xxxxxx..xxxx
speed 100
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip address range xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.248 secondary
ip access-policy Public
no shutdown
!
!
! DSL uplink: the next-hop/egress for route-map Guest and the NAT address for the
! Guest-Wireless pool. <DSL IP> is a placeholder left by the poster.
interface eth 0/2
description DSL for Guest network
ip address <DSL IP> 255.255.255.128
ip access-policy Public
no shutdown
!
!
!
! Trunk ports to the customer LAN, the WAP and the management host; native VLAN is set per port.
interface switchport 0/1
description link to customer LAN
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 101
!
! The WAP is managed over native VLAN 10; the secure/guest SSIDs ride tagged VLANs 101/110
! over this trunk (see the dot11ap sub-interfaces).
interface switchport 0/2
description link to customer WAP
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 10
!
! 0/3 is up with default port settings and no description; label its use or shut it like 0/4-0/7.
interface switchport 0/3
no shutdown
!
interface switchport 0/4
shutdown
!
interface switchport 0/5
shutdown
!
interface switchport 0/6
shutdown
!
interface switchport 0/7
shutdown
!
! Management trunk, native VLAN 10.
interface switchport 0/8
description Management
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport trunk native vlan 10
!
!
!
! Routed VLAN interfaces. All three share policy-class Private.
! NOTE(review): in AOS, traffic between interfaces in the same policy-class is not inspected,
! so Guest-Wireless (VLAN 110) hosts can reach the Management and LAN subnets directly. Give
! VLAN 110 its own policy-class that discards traffic to 10.10.10.0/24 and 192.168.254.0/24
! if guest isolation is intended -- confirm against the R10.9.2 firewall documentation.
interface vlan 1
no ip address
shutdown
!
interface vlan 10
description Management
ip address 10.10.10.254 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 101
description LAN
ip address 192.168.254.254 255.255.255.0
ip access-policy Private
no shutdown
!
interface vlan 110
description Guest-Wireless
ip address 192.168.110.254 255.255.255.0
! Policy-based routing: route-map Guest steers traffic sourced from this subnet to the DSL circuit.
ip policy route-map Guest
ip access-policy Private
no shutdown
!
!
! Controlled access point, managed untagged over VLAN 10 from the Management subnet.
interface dot11ap 1 ap-type nv16x
access-point mac-address xx:xx:xx:xx:xx:xx
name XXXX
ip address 10.10.10.2 255.255.255.0
ip default-gateway 10.10.10.254
encapsulation 802.1q awcp-vlan 10 native priority 7
!
!
interface dot11ap 1/1 radio-type 802.11bg
no shutdown
!
!
! Both SSIDs negotiate WPA with TKIP or AES-CCMP. TKIP is deprecated; if every client
! supports CCMP, remove "tkip" from the security mode line. PSKs are redacted in this paste.
! Secure SSID lands on the customer LAN (VLAN 101).
interface dot11ap 1/1.1
description XXXX-Secure
vlan-id 101
ssid broadcast-mode "XXXX-Secure"
security mode wpa tkip aes-ccmp psk xxxxxxxx
no shutdown
!
! Guest SSID lands on VLAN 110, which is policy-routed out the DSL.
interface dot11ap 1/1.2
description XXXX-Guest
vlan-id 110
ssid broadcast-mode "XXXX-Guest"
security mode wpa tkip aes-ccmp psk xxxxxxxx
no shutdown
!
!
! 5 GHz radio unused.
interface dot11ap 1/2 radio-type 802.11a
shutdown
!
!
!
!
!
! PBR for the guest subnet. The match list is "source 192.168.110.0/24 to any", so guest
! traffic toward the internal subnets is also handed to the DSL gateway instead of being
! routed locally; do not rely on that as guest isolation (use the firewall policy-class).
! "set ip next-hop" is tried first and "set interface eth 0/2" is the fallback; when both
! are unavailable the packet presumably falls back to the routing table (default via
! eth 0/1), where its Guest NAT address (<DSL IP>) would not belong to the egress circuit --
! confirm the failure behaviour on this release. <DSL Gateway> is a placeholder.
route-map Guest permit 10
match ip address Guest-Wireless
set ip next-hop <DSL Gateway>
set interface eth 0/2
!
!
!
!
! Match lists. Every entry carries "log"; the "self" list is permit ip any any, so this logs
! every flow that hits the allow/NAT rules below -- noisy, and it fills the on-box event
! history. Keep "log" on remote-access; consider dropping it from the others.
ip access-list extended Guest-Wireless
permit ip 192.168.110.0 0.0.0.255 any log
!
ip access-list extended LAN
permit ip 192.168.254.0 0.0.0.255 any log
!
ip access-list extended Management
permit ip 10.10.10.0 0.0.0.255 any log
!
! Consumed by policy-class Public: SSH and ping from any source to the router's WAN addresses.
ip access-list extended remote-access
permit tcp any any eq ssh log
permit icmp any any echo log
!
! "permit ip any any": used as "allow list self self" in Private, i.e. inside hosts may
! reach every service the router itself exposes.
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
!
!
!
! Private: inside VLANs may reach the router itself (allow list ... self) and are NATed by
! originating subnet -- Management and LAN to the metro-E address, Guest-Wireless to the DSL
! address. The Guest NAT address matches the egress chosen by route-map Guest (eth 0/2).
ip policy-class Private
allow list self self
nat source list Management address xxx.xxx.xxx.xxx overload
nat source list LAN address xxx.xxx.xxx.xxx overload
nat source list Guest-Wireless address <DSL IP> overload
!
! Public: only the remote-access list (SSH, ICMP echo) may reach the router from either WAN;
! other unsolicited inbound traffic is dropped by the policy-class's implicit discard. Return
! traffic for NATed sessions is admitted by the stateful firewall, not by this list.
ip policy-class Public
allow list remote-access
!
!
!
! Single default route via the metro-E next-hop. There is no backup default via the DSL, so
! an eth 0/1 outage takes Management and LAN offline while the guest VLAN keeps using the DSL.
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
! Management-plane hardening: TFTP, HTTP(S), SNMP, FTP, SCP and SNTP services are off; SSH is
! the only remote management path (see "line ssh" below).
no tftp server
no tftp server overwrite
no http server
no http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
!
!
!
!
!
!
!
! SIP port settings; no voice interface is configured in this listing, so confirm they are needed.
sip udp 5060
sip tcp 5060
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Console and SSH require a local-userlist login. Telnet is "no login" but shut down, so it
! is not reachable -- keep it shut.
line con 0
login local-userlist
!
line telnet 0 4
no login
shutdown
line ssh 0 4
login local-userlist
no shutdown
!
!
! Unauthenticated NTP from a public pool; fine for time sync, not a trust anchor.
ntp server pool.ntp.org prefer
!
!
!
!
!
end