Jaffer,
Question #1) What you are asking is "how do I forward packets through my
router based on something other than the destination IP address?". The
answer is a feature called "policy-based routing". It will allow you to
forward packets based on source IP address.
Here's a quick example:
interface ethernet 0
 ip route-cache policy
 ip policy route-map test
!
route-map test permit 10
 match ip address 101
 set interface serial 0
!
route-map test permit 20
 set interface serial 1
!
! wildcard 0.0.0.127 covers a.b.c.0 - a.b.c.127 (the first half of the /24)
access-list 101 permit ip a.b.c.0 0.0.0.127 any
You'll need IOS 11.3 or higher for "ip route-cache policy".
Without running 11.3, policy-based routing causes all packets to be
processed in process switching mode and will create a substantial load
on the CPU. You won't be able to do much else except policy-based
routing. (i.e. no other "value-added" features)
Additionally, there are a couple of caveats to doing this:
1) No fault-tolerance. If one of your serial lines goes down, half of
your hosts won't be able to reach the Internet. I have not yet found a
way around this using policy-based routing.
2) You're balancing the load of your serial lines based on the traffic
generated _from_ the hosts. If your hosts aren't sending a lot of
traffic, this is probably adding additional complexity for no reason.
I would step back and say "why do you want to balance your traffic
based on source IP address? Is there an identified need to do this?"
If there is not a compelling reason to do this, it would be much simpler
to just load-share based on destination IP address by having 2 static
default routes and just using fast-switching:
interface serial 0
 ip route-cache
!
interface serial 1
 ip route-cache
!
ip route 0.0.0.0 0.0.0.0 serial 0
ip route 0.0.0.0 0.0.0.0 serial 1
This is essentially what you were doing, without the access-lists.
Question #2) First, let's be clear that the 2509 is a low-end router.
Its processor is antiquated by today's standards, so it doesn't take a
lot to max out the CPU. It is, in fact, incapable of filling more than
a single T1, so if you have any desire to be able to fully load your 2
T1's then you'll need a higher end router.
Now, your provider is somewhat correct, adding access-lists can
increase the load on the router CPU, but the real answer is "it
depends". Beginning in IOS 11.1 (perhaps 11.0), extended
IP access-lists are fast-switched, meaning that the load on the CPU is
reduced substantially. However, if you have an access-list with 100s
of entries and the most used entries are toward the bottom, the
fast-switching feature may not help you all that much because for every
new connection the router must search through the entire access-list
until it finds a match. (not new packets, new connections)
If you have an access-list with 20-30 entries and the most used entries
are near the top, you should be ok with a 2500 model, provided it isn't
doing much more. Be aware though that each of those dialup connections
is going to take a piece of the CPU, so if you load up all 8 async
connections and have lots of traffic going through the router and
additionally load several access-lists, you will probably hit the wall
on the CPU.
It all goes back to my earlier statement, the 2500 series is a very low
end router. It's not intended to do a lot of things at once, so you
might consider upgrading to at least a 2600 or even a 3600. Of course,
you can stick with the 2509 until it falls over, and then you'll know
for sure if it meets your needs or not. :-)
One additional point, if your provider isn't willing to work with you to
ensure proper network design, get a new provider. It's unacceptable for
a provider to tell you that "they won't run a routing protocol". If the
design calls for a routing protocol, that's what you should use. There
are far too many providers that are more than willing to assist with
whatever requirements your design calls for to accept laziness or
incompetence on the part of the provider.
HTH,
Kent
Kent Hundley
INS
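The two mechanisms Kent's reply leans on, wildcard-mask matching in an
access-list and first-match evaluation of a route-map, are easy to get
wrong (the wildcard 0.0.0.128 vs 0.0.0.127 confusion above is one
instance) and easy to check offline. The following Python script is an
added example written for this archive, not Cisco IOS code and not
something from either poster: it models Cisco wildcard matching,
first-match ACL evaluation with the implicit deny, the "route-map test"
policy from answer #1, and the lookup-cost effect from answer #2 (busiest
entry at the top vs at the bottom of a long list). The addresses
(192.0.2.0/24 for x.x.x.0, 198.51.100.x for unrelated entries) are
constructed documentation-range values; the entry counts are assumptions.

```python
"""Model Cisco-style access-list matching and policy-based routing (PBR).

Added example for this mailing-list archive; not IOS code and not the
posters' configuration. Addresses below are constructed (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    network: str    # base address, e.g. "192.0.2.0"
    wildcard: str   # Cisco wildcard mask: a 1 bit means "don't care"


@dataclass(frozen=True)
class RouteMapSeq:
    seq: int
    match_acl: Optional[int]   # None = no match clause, so it matches everything
    set_interface: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (n & care)


def evaluate_acl(acl: List[AclEntry], src: str) -> Tuple[bool, int]:
    """Return (permitted, entries examined).

    First matching entry wins; a source that matches nothing hits the
    implicit deny at the end, after every entry has been examined.
    """
    for examined, entry in enumerate(acl, start=1):
        if wildcard_match(src, entry.network, entry.wildcard):
            return entry.action == "permit", examined
    return False, len(acl)


def policy_route(route_map: List[RouteMapSeq],
                 acls: Dict[int, List[AclEntry]], src: str) -> str:
    """Pick the outgoing interface the way 'ip policy route-map' would."""
    for s in sorted(route_map, key=lambda r: r.seq):
        if s.match_acl is None or evaluate_acl(acls[s.match_acl], src)[0]:
            return s.set_interface
    return "normal routing"   # no sequence matched: use the routing table


def lookup_cost(acl: List[AclEntry], sources: List[str]) -> int:
    """Total ACL entries examined for a batch of new connections."""
    return sum(evaluate_acl(acl, s)[1] for s in sources)


# Constructed stand-in for Kent's example: 192.0.2.0/24 plays a.b.c.0.
ACLS = {101: [AclEntry("permit", "192.0.2.0", "0.0.0.127")]}   # first half
ROUTE_MAP_TEST = [
    RouteMapSeq(10, 101, "serial 0"),   # match ip address 101 -> serial 0
    RouteMapSeq(20, None, "serial 1"),  # everything else -> serial 1
]


def busiest_first_vs_last(n_other: int = 29, connections: int = 100) -> Tuple[int, int]:
    """Compare lookup cost with the hot entry at the top vs at the bottom.

    Assumed scenario: one host opens `connections` new connections through
    an ACL of n_other+1 host entries (counts are assumptions, not from the
    thread).
    """
    busy = AclEntry("permit", "192.0.2.10", "0.0.0.0")
    others = [AclEntry("permit", f"198.51.100.{i}", "0.0.0.0") for i in range(n_other)]
    sources = ["192.0.2.10"] * connections
    return lookup_cost([busy] + others, sources), lookup_cost(others + [busy], sources)


if __name__ == "__main__":
    for src in ("192.0.2.5", "192.0.2.127", "192.0.2.128", "192.0.2.254"):
        print(f"{src:>12} -> {policy_route(ROUTE_MAP_TEST, ACLS, src)}")
    # The wildcard pitfall: 0.0.0.128 matches only hosts .0 and .128.
    print("0.0.0.128 matches .128:", wildcard_match("192.0.2.128", "192.0.2.0", "0.0.0.128"))
    print("0.0.0.128 matches .5:  ", wildcard_match("192.0.2.5", "192.0.2.0", "0.0.0.128"))
    print("entries examined, hot entry first vs last:", busiest_first_vs_last())
```

Running it shows .1-.127 going out serial 0 and .128-.254 out serial 1,
that a wildcard of 0.0.0.128 would have matched only .0 and .128, and
that moving the hot entry from the top to the bottom of a 30-entry list
multiplies the entries examined per new connection by 30, which is the
ordering effect the reply warns about.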
-------------------------------------------------------------
hell'o all firewallers
i have 2 questions, for the same cisco 2509 router:
1. i have a C class x.x.x.0, and 2 serial sync lines to the same provider,
s0 and s1, each of them with the same bandwidth. i want to split the
traffic like this: all ip's from the first half, x.x.x.1-x.x.x.126, to use
serial0, and all ip's from the second half, x.x.x.129-x.x.x.254, to use
serial1. incoming traffic is solved by the provider, it all comes through
the correct interface, but the problem is the outgoing traffic. how can i
set up some routes to make it go through the interface that i want? i
have ip's from both halves on the eth0 and also on async1-8. i _dont_ want
all outgoing traffic to go through one default interface, and only
incoming to be routed. i have already tried the following:
- two default routes
ip route 0.0.0.0 0.0.0.0 ip.of.peer.of.serial.0
ip route 0.0.0.0 0.0.0.0 ip.of.peer.of.serial.1
traffic goes crazy on both interfaces, and applications
are confused by that; for instance i get a traceroute hop like this:
5 ip.of.serial.0 10ms ip.of.serial.1 20ms ip.of.serial.0 15ms
- two default routes and access lists as follows:
access-list 101 permit ip x.x.x.0 0.0.0.127 any
access-list 102 permit ip x.x.x.128 0.0.0.127 any
on interface serial 0: ip access-group 101 out
on interface serial 1: ip access-group 102 out
traffic also goes like crazy on both interfaces, and it is
denied on the wrong half, so the traceroute looks like this:
5 ip.of.serial.0 10ms !X ip.of.serial.0 10ms (for the first half)
or
5 ip.of.serial.1 10ms !X ip.of.serial.1 20ms (for the second half)
the traceroute finally goes to the destination, but any application
(like browser, ftp, etc) says "no route to host". i must also mention that
the router has 2 ip addresses, one from the first half, and one from the
second half, and the tests were made using 2 machines, one with ip from the
first half, using as default gateway the first ip of the router, and 1
from the second half, using the second ip of the router as default gateway.
also, my provider is not willing to use dynamic routing protocols. so i
need to solve this statically, or using dynamic protocols only on my side,
on this 2509. any suggestions are welcome.
second question:
2. same cisco, one C class for now, maybe more classes in the future. i
have about 10 machines on the LAN, and 3 async lines are 33.6 leased lines
to clients, other 5 are free at this moment. the router is loaded 19% cpu,
with no access lists defined. my provider told me that it is not good to
make access lists, as they would load the cpu very high and it may slow
the traffic, and even crash. so i need some advice: how many access-lists
are "safe"? and what type are especially cpu-overloading? what happens
if i use all 8 asyncs and i have lots of computers on the lan, maybe use
all 254 addresses? will it load to, say, 50% even without any
access-lists? then why do access-lists still exist, if we cannot use them
safely? or is my provider simply wrong?
thanx