Re: Policy routing with route map [7:70567]

2003-06-13 Thread ramesh_cisco
In match IP address, which IP address are you trying to match?


 


ramesh ,ccnp




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70627t=70567
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Policy routing with route map [7:70567]

2003-06-12 Thread Chiam Chin Tiong
Hi guys , 

Just want to ask: can load balancing be achieved with this config? Or is
only e1 used, followed by e2 unless e1 is down?

interface serial e0 
ip policy route-map ABC 
! 
route-map ABC 
match ip address X.X.X.X 
set interface e1 e2 e3 e4 

Thank you ! 




Re: Policy routing with route map [7:70567]

2003-06-12 Thread [EMAIL PROTECTED]
If the first interface specified with the set interface command is down,
the optionally specified interfaces are tried in turn.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprrp_r/ind_r/1rfindp2.htm#1020572


Thanks...Nabil

I have never let my schooling interfere with my education.


   



Re: Policy Routing on the 3550? [7:64074]

2003-03-01 Thread W. Alan Robertson
Thanks for the replies...

My TAC case worker believes the same to be true, although he's still
trying to verify this with absolute certainty.

I'll have to cross my fingers and hope that they add it in the future,
although by then, it won't matter for this project.  We're going to
have to go another route for now.




Policy Routing on the 3550? [7:64074]

2003-02-28 Thread W. Alan Robertson
Howdy folks...

I need to set the next hop on a 3550 (with the EMI Image) based on the
protocol type.  We've got a number of transparent proxy servers, each
one handling a different type of traffic (One for HTTP...  One for
SMTP...  Etc.).

No problem, right?  Wrong.

Merrily, I configured my access-lists to identify the various traffic
types.  I then created the route-map statements to set ip next-hop for
each of the types of traffic.  I then went to my vlan interface to
apply the route-maps, but lo and behold, no ip policy command.

How can I apply the route-maps to my interface?

Is there another way to accomplish this?

Thanks,

Alan






Re: Policy Routing on the 3550? [7:64074]

2003-02-28 Thread The Long and Winding Road
one of the gotchas of the 3550 IOS images.

There is no reference to the ip policy route-map command in the
documentation. Policy is not mentioned in the configuration guide.

I did check the unsupported commands section and did not see anything
specific. But I can say that there are commands that appear in the IOS
menus, and there are commands that you can enter and receive no error
message. And they still have no effect.

guessing now, but because of the experiences above, I would suggest that
policy routing is not supported in the 3550 IOS at this time.

one of the frustrations of this IOS on this platform




Re: Policy Routing on the 3550? [7:64074]

2003-02-28 Thread Jay Mathias
PBR is not available in current image.
I understand it will be available soon.



Re: Policy Routing on the 3550? [7:64074]

2003-02-28 Thread Erick B.
route-map isn't listed as a command in the
documentation so it's probably something from full IOS
that isn't supported. They may add support in the
future.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550scg/swuncli.htm#xtocid24

Unsupported route map commands on 3550 (latest code):

match route-type {level-1 | level-2}
set as-path {tag | prepend as-path-string}
set automatic-tag
set dampening 
set ip destination ip-address mask 
set ip next-hop
set ip precedence value 
set ip qos-group
set metric-type internal
set metric-type internal
set tag tag-value




Policy Routing Help. [7:63692]

2003-02-25 Thread fahim
Hi Guys
Need help with policy routing. I have a Cisco 2610 router with a PIX behind it.
The 2610 has two WAN connections, S0 (256Kbps leased line) and ATM0 (DSL line,
512Kbps), going to two different ISPs, with different IP addresses. E0 will
connect to the PIX outside interface.
I need to configure SMTP traffic to route through the leased line and HTTP
traffic to route through ATM0, the DSL line. I think it can be done with a route
map (policy routing), but I cannot find documents on Cisco's website. Or do I
need an additional router to do this?
If anybody has done a similar setup, please provide a sample configuration, or
if this setup will not work, what is the alternative suggestion?

Appreciate your early reply.

Thanks and regards,
fahim






Re: Policy Routing Help. [7:63692]

2003-02-25 Thread The Long and Winding Road


have you got your access-lists set up correctly? something like:

access-list x permit tcp any any eq smtp

access-list y permit tcp any any eq www

and so on. it seems important that you have a default set somewhere also.
undefined traffic goes to which provider?

once you have your access-lists set up then the route-map part is relatively
simple:

route-map policy permit 10
match ip addr x
set ip next-hop a.b.c.d
OR
set interface atm etc

route-map policy permit 20
etc

policy maps apply to inbound traffic only, so you place the policy on the
interface inbound from your network. I assume this is the ethernet
interface.

check out CCO

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r
/iprprt2/1rdindep.htm#1017974
watch the wrap

sometimes it makes more sense if you draw a picture or two so you can
actually see what is happening.







Re: Policy Routing Help. [7:63692]

2003-02-25 Thread news.groupstudy.com
Dear Fahim

  Here
  Define the traffic for policy routing:
  access-list 150 permit tcp any any eq smtp

  Then make a route-map policy:
  route-map <name> permit <sequence>
  match ip address 150
  set ip next-hop <next-hop-address>

  Now assign it to some interface, in interface configuration mode:
  ip policy route-map <name>

Hope it helps
Hakopian





RE: Policy Routing Help. [7:63692]

2003-02-25 Thread Symon Thurlow
You can do this with route maps.
A search on Google for "route map cisco" gave the first result as:

! Enable policy routing 

interface Ethernet0 
ip policy route-map proxy-redirect 
! Route to proxy server 
route-map proxy-redirect permit 10 
match ip address 110 
set ip next-hop 10.11.12.13 
! Only policy route client www traffic 
access-list 110 deny tcp any any neq www 
access-list 110 deny tcp host 10.11.12.13 any 
access-list 110 permit tcp any any

Just bear in mind the flow of traffic coming back.

If your HTTP requests get natted at the PIX to an ISP A address, then
when you send those requests down the ISP B DSL line, they will return
down the ISP A leased line.

To get around this, perform NAT on the 2610, using an ISP B address,
for all traffic going out the DSL ISP B line. This will make the traffic
return down the DSL line.

Symon

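The replies in this thread combined for fahim's topology, as an added example that is not from any poster: policy routing on E0 picks the exit link per protocol, and NAT on the DSL interface gives traffic leaving that way an ISP B source so replies return on the DSL line. All addresses are documentation-range placeholders; the ACL numbers, the route-map names and the choice of the leased line as the default path are assumptions, and WAN addressing and encapsulation are left out.

```cisco
! Constructed example. S0, ATM0 and E0 follow the question; every address,
! ACL number and route-map name below is a placeholder or an assumption.
!
! --- Classify traffic arriving from the PIX ---
access-list 101 permit tcp any any eq smtp
access-list 102 permit tcp any any eq www
!
! --- Policy: choose the exit by protocol ---
! Entry 10: SMTP to the ISP A next hop reached over Serial0 (leased line)
route-map ISP-SELECT permit 10
 match ip address 101
 set ip next-hop 192.0.2.1
! Entry 20: HTTP to the ISP B next hop reached over ATM0 (DSL)
route-map ISP-SELECT permit 20
 match ip address 102
 set ip next-hop 198.51.100.1
!
! Packets that match no entry are not policy routed and follow the routing
! table, so the default route decides which provider carries everything
! else. Here that is assumed to be the leased line.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! --- Apply the policy where the traffic enters the router ---
interface Ethernet0
 description Link to PIX outside interface
 ip nat inside
 ip policy route-map ISP-SELECT
!
interface Serial0
 description Leased line to ISP A (not a NAT outside interface, so
 ! traffic leaving here keeps the ISP A source the PIX gave it)
!
interface ATM0
 description DSL line to ISP B
 ip nat outside
!
! --- Return path: re-source what leaves via ATM0 ---
! ACL 10 is the (placeholder) ISP A range the PIX translates to.
access-list 10 permit 203.0.113.0 0.0.0.7
route-map NAT-DSL permit 10
 match ip address 10
 match interface ATM0
ip nat inside source route-map NAT-DSL interface ATM0 overload
!
! --- Checks after applying ---
! show route-map ISP-SELECT    (per-entry policy routing match counters)
! show ip nat translations     (HTTP flows should show the ATM0 address)
! debug ip policy              (per-packet policy decisions; lab use)
```

Without the NAT section the HTTP packets would still leave on the DSL line, but with ISP A source addresses, so the replies would come back over the leased line as described in the message above.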


Re: Policy Routing Question [7:51689]

2002-08-20 Thread John Matney


Thanks for the thorough reply and for verifying that I have a decent grip
on policy routing. I'm less concerned that I'm not following the
author's train of thought than I am about the concept in general.

I agree that I muddied the waters by bringing BGP into the picture. I
understand the usage of route-maps in BGP relates to controlling BGP
routing information between neighbors, not to the actual routing of data
packets as it does with policy routing. I appreciate the example,
though, it helped me further clarify things.

Thanks again,
John

Chuck's Long Road wrote:
| you pretty much understand how it works. You might be muddying the waters a
| bit by bringing BGP into the picture

| comment below:
|
|
|
| John Matney  wrote in message
| [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
|
|
|
|I've been reading the Cisco CCNP Cert Guide in partial preparation for
|the BSCI exam and I've come across a bit in the Policy Routing section
|that I just don't understand.
|
|The text states:
|
|Policy routing does not allow traffic sent into another autonomous
|system to take a different path from the one that would have been chosen
|by that autonomous system. (pp. 551)
|
|
|
| CL: sure. makes sense. I'm not sure why the authors would take this tack, as
| policy routing applies only to inbound traffic. at best, it can set next
| hop, as you note.  But nothing that the policy sets is untouchable by other
| routers, same autonomous system or not.
|
|
|
|From the reading, I understand that policy routing is configured on an
|inbound interface and can filter on either source or both source and
|destination addresses. PR, via a route map, can set properties such as
|precedence, QoS and next-hop. All of these items only really have
|relevance on the router in which policy routing is being done. In other
|words, once the router policy routes the packet and specifies, for
|instance, the next-hop interface. Now, if that next-hop router chooses
|to drop, fragment or otherwise mangle the packet so be it, the first
|router has no control over it anymore, it's done its job.
|
|
|
| CL: yep
|
|
|
|So then, how does this quote apply? Perhaps, I'm completely missing the
|point (wouldn't be the first time). A router can only do what it's
|configured to do. If I tell a packet to take path a to get to network b
|but network b would prefer its incoming traffic to come in via path c,
|the most network a can do to prevent this is to drop incoming traffic
|via path a. Correct?
|
|
|
| CL: yep
|
|
|Even if we were running an EGP such as BGP4 and the
|distant router had a MED set to prefer path c, I could still push
|packets via path a given that I knew it existed.
|
|
|
| CL: you can send a packet anyplace. that doesn't mean the destination router
| has to accept it.
|
| CL: but mixing policy routing and BGP in your mind is probably not a good
| idea. the BGP settings that are done via route-maps associated with neighbor
| statements apply to BGP routing information. Policy routing applies to data
| packets, not to routing protocol information. Does that make sense?
|
| CL: examples:
|
| router bgp 9902
| neighbor 1.1.1.1 remote-as 9990
| neighbor 1.1.1.1 route-map take_my_sttings out
| neighbor 1.1.1.1 route-map screw_your_settings in
|
| as opposed to
|
| interface s 0
| ip policy route-map zzyzx
|
|
|
|Make sense? I'm a bit confused as to what the authors are getting to in
|this passage. Could someone help?
|
|
|
| CL: HTH
|
|
|Thanks,
|John
|
|



Policy Routing Question [7:51689]

2002-08-19 Thread John Matney



I've been reading the Cisco CCNP Cert Guide in partial preparation for
the BSCI exam and I've come across a bit in the Policy Routing section
that I just don't understand.

The text states:

Policy routing does not allow traffic sent into another autonomous
system to take a different path from the one that would have been chosen
by that autonomous system. (pp. 551)

From the reading, I understand that policy routing is configured on an
inbound interface and can filter on either source or both source and
destination addresses. PR, via a route map, can set properties such as
precedence, QoS and next-hop. All of these items only really have
relevance on the router in which policy routing is being done. In other
words, once the router policy routes the packet and specifies, for
instance, the next-hop interface. Now, if that next-hop router chooses
to drop, fragment or otherwise mangle the packet so be it, the first
router has no control over it anymore, it's done its job.

So then, how does this quote apply? Perhaps, I'm completely missing the
point (wouldn't be the first time). A router can only do what it's
configured to do. If I tell a packet to take path a to get to network b
but network b would prefer its incoming traffic to come in via path c,
the most network a can do to prevent this is to drop incoming traffic
via path a. Correct? Even if we were running an EGP such as BGP4 and the
distant router had a MED set to prefer path c, I could still push
packets via path a given that I knew it existed.

Make sense? I'm a bit confused as to what the authors are getting to in
this passage. Could someone help?

Thanks,
John





Re: Policy routing - directly connected interfaces [7:45628]

2002-06-04 Thread Kris Keen

You're asking if it's directly connected, would it be switched and not affected
by policy routing? I think not. To my understanding any packet destined for
a remote destination that is directly connected or via a next hop would be
routed and subject to your policy. This is strange.

ip local policy will only affect packets originated by the router; this
wouldn't affect the directly connected scenario.
Perhaps you can add another match for packets going to a directly connected
interface to be subjected to the policy?
I'd be interested to see how you get on.





Re: Policy routing - directly connected interfaces [7:45628]

2002-06-04 Thread Chuck

my results seem to disagree with your thought.


172.31.1.1  loop0---router--WAN--172.31.5.0 network
                      |
                      --WAN--172.31.3.0 network



the route-map I used went something like this

access-list 101 permit ip 172.31.5.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 101 permit ip 172.31.5.0 0.0.0.255 172.31.3.0 0.0.0.255

route-map filter permit 10
match ip address 101
set interface null0

when I pinged from the 172.31.5.0 net to 172.31.3.0 net, the debug ip policy
showed packets matching the policy and being forwarded to null0

when I pinged from 172.31.1.1 there was no debug generated, and the
172.31.5.0 network received ICMP replies.

that's why I asked the question.





Re: Policy routing - directly connected interfaces [7:45628]

2002-06-03 Thread Chuck

coincidentally, I opened up Doyle as part of my research into the question.

As I understand things, the ip local policy command and process is for
packets that the router originates, such as routing protocol advertisements,
hellos, pings, etc. As such, ip local policy is for traffic originated by
the router itself, and outbound.

OTOH, ip policy is for inbound traffic on an interface that ( and here is
the point of clarification required ) is routed. My question is essentially,
if the packet destination is on a directly connected network, does that mean
it is not routed and therefore is not policy routed either. Does that
make sense?

In solution to my particular problem, I rewrote my nat list on the external
router such that I referenced a route map:

! access-list 101 determines which source addresses are allowed onto the CCC
! network
!
! business partner extranet server
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
! shared e-mail services server
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 172.31.2.1
! other organization subnets that are forbidden
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
! shared internet access
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
! INSIDE_NET CCC, DPH, OR INTERNET
! used with nat pool construct
!
ip nat pool cccnat 172.31.10.25 172.31.10.250 netmask 255.255.255.0
ip nat inside source route-map CCC pool cccnat
!
route-map CCC permit 10
match ip address 101
!
! probably unnecessary
route-map CCC deny 20

the neat thing about this construct is that only those packets with the
appropriate source AND destination addresses get out onto the network, NAT
or otherwise. Packets that are not NAT'ed can't be routed because there is
no gateway of last resort on the edge/NAT routers, nor does policy routing
on the central router permit anything other than packets with a source that
was created by the NAT process.

Chuck





Policy routing - directly connected interfaces [7:45628]

2002-06-02 Thread Chuck

Continued policy routing testing of a customer network simulation in my lab
has revealed something of interest to me. Can't find a revelation in the
config and command references on CCO.

I have a policy set up such that packets with a particular source address
and a particular destination address are treated in various manners.

debug ip policy is showing me that the policy is doing exactly what I want
it to do EXCEPT when the destination address is a directly connected
network.

that is, if the destination is a network on some other router, with a route
in the routing table, everything is fine. the next hop is set appropriately,
and the debug shows that policy is applied properly.

however, when the destination is a directly connected network ( either a
loopback or a LAN interface ) policy routing is not engaged.

true? experience? reference? as I said, can't find anything in the
documentation on CCO.

Chuck







RE: Policy routing - directly connected interfaces [7:45628]

2002-06-02 Thread Daniel Cotts

Check out page 819 of Doyle Vol 1. ip local policy route-map
HTH

 -Original Message-
 From: Chuck [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, June 02, 2002 12:36 PM
 To: [EMAIL PROTECTED]
 Subject: Policy routing - directly connected interfaces [7:45628]
 
 
 Continued policy routing testing of a customer network 
 simulation in my lab
 has revealed something of interest to me. Can't find a 
 revelation in the
 config and command references on CCO.
 
 I have a policy set up such that packets with a particular 
 source address
 and a particular destination address are treated in various manners.
 
 debug ip policy is showing me that the policy is doing 
 exactly what I want
 it to do EXCEPT when the destination address is a directly connected
 network.
 
 that is, if the destination is a network on some other 
 router, with a route
 in the routing table, everything is fine. the next hop is set 
 appropriately,
 and the debug shows that policy is applied properly.
 
 however, when the destination is a directly connected network 
 ( either a
 loopback or a LAN interface ) policy routing is not engaged.
 
 true? experience? reference? as I said, can't find anything in the
 documentation on CCO.
 
 Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45645t=45628



RE: Policy Routing Resources.. [7:43915]

2002-05-11 Thread Georg Pauwen

Hi Rudy,

I find the following links on the Cisco site useful; you probably have found
them already yourself. Just from personal experience, remember that policy
routing can put a heavy load on your router, so be careful when you
implement it.

http://www.cisco.com/warp/public/cc/techno/protocol/tech/plicy_wp.htm

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt1/qcdpbr.htm

Regards,

Georg


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43929t=43915



Policy Routing Resources.. [7:43915]

2002-05-10 Thread B Rudy

Hey guys,

If anybody has any good links or reading material on Policy routing please
respond to this posting.  I really want to get it down.  I've searched
everywhere and found about 3 links on the Cisco Website with pertinent
information.  If anybody knows where I can find all about policy routing
just reply.. Thanx again my fellow Technologists!!! TIA.. =0)

Rudy B


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43915t=43915



Policy routing - further tidbits [7:38551]

2002-03-16 Thread Chuck

Should be obvious when considered logically. But one can never trust logic
when it comes to how things work

Policy can be applied on a subinterface by subinterface basis.

Policies applied to the physical interface have no effect on traffic
arriving via the subinterface

Policies do not apply to traffic for which the interface / subinterface are
the end points. e.g. routing protocol updates.

Therefore, policies behave slightly differently than do access-lists, and
one should use the different tools differently, depending upon the desired
outcome.

Obvious stuff, but not necessarily covered specifically in the study
material.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38551t=38551



Policy routing - interface or subinterface? [7:38528]

2002-03-15 Thread Chuck

Just verifying something I am seeing in my lab.

All examples of policy routing that I can find, both in Doyle and on CCO,
show policy routing as taking place on the physical interface. I can find no
examples indicating that policies can be set on a subinterface.

However, I am finding in my lab that separate policies can indeed be set up
on different subinterfaces.

Any comments from the field, based either on real world or lab rat
experience?

( and yes, I have a customer, and I am testing this because I did the design
before I studied the feasibility :-  )

Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38528t=38528



Re: Policy routing - interface or subinterface? [7:38528]

2002-03-15 Thread John Neiberger

Yes, you can do this on a subinterface.  I was doing it just 
yesterday in conjunction with an IPsec, GRE, NAT, and policy 
routing scenario.  And -- surprisingly -- it worked!

John



 On Sat, 16 Mar 2002, Chuck ([EMAIL PROTECTED]) wrote:

 Just verifying something I am seeing in my lab.
 
 All examples of policy routing that I can find, both in Doyle 
and on
 CCO,
 show policy routing as taking place on the physical 
interface. I can
 find no
 examples indicating that policies can be set on a 
subinterface.
 
 However, I am finding in my lab that separate policies can 
indeed be set
 up
 on different subinterfaces.
 
 Any comments from the field, based either on real world or 
lab rat
 experience?
 
 ( and yes, I have a customer, and I am testing this because I 
did the
 design
 before I studied the feasibility :-  )
 
 Chuck
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38529t=38528



policy routing and route tags [7:37258]

2002-03-05 Thread bergenpeak

Is it possible to tag routes (via an IGP or BGP) and then perform
a policy route decision which in part does a check for this tag?

Specifically, the logic I'm looking for is a route-map which is
applied in the packet forwarding phase which will change the forwarding
behavior if the packet is for a destination which is covered by
a route advertisement which has one of these special tags.

Pseudo-logic for route-map:

route-map permit 10
  if (dst IP is covered by most specific route advertisement which
      has a tag = XYZ) then
    set attribute=value
  etc.

Extra credit for details on how this can be done on a Juniper or other
platform.

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37258t=37258



Re: Question about Policy routing [7:32560]

2002-01-19 Thread K Paré

Recall that unlike access lists, if no match is found in a route map, the
packet is forwarded through the normal routing process. If you look at the
routing table, is the next hop for the destination 10.1.1.2?

Dovelet  wrote in message
news:[EMAIL PROTECTED]...
 Hi all,

 I have a question about policy route and I hope someone can help me. The
 Cisco router's config is as follow:

  :
  :
 interface ethernet0
 ip policy route-map route1
 !
 route-map route1 10
 match ip address 11
 match ip next-hop 12
 set ip next-hop 10.1.1.2
 !
 access-list 11 permit ip 10.2.2.1
 access-list 12 permit ip 10.1.1.1
  :
  :

 In the configuration, I suppose if the packet goes into ethernet 0 with
 source ip address 10.2.2.1 AND the next-hop 10.1.1.1 will match the
 route-map and change its next-hop to 10.1.1.2. However, I found that the
 route-map does not check the second MATCH statement (i.e. match ip
next-hop
 12). I found that if the packet's source ip is 10.2.2.1 and no matter
what
 the next-hop ip address is, the route-map will change its next-hop to
 10.1.1.2. In the menu, it state that every MATCH statements must be
 matched for the set statement to be executed. Can anyone help me?

 The router is Cisco 7200 and the IOS version is 12.0

 Regards,
 Dovelet




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32571t=32560



Question about Policy routing [7:32560]

2002-01-18 Thread Dovelet

Hi all,

I have a question about policy route and I hope someone can help me. The
Cisco router's config is as follows:

 :
 :
interface ethernet0
ip policy route-map route1
!
route-map route1 10
match ip address 11
match ip next-hop 12
set ip next-hop 10.1.1.2
!
access-list 11 permit ip 10.2.2.1
access-list 12 permit ip 10.1.1.1
 :
 :

In the configuration, I suppose if the packet goes into ethernet 0 with
source ip address 10.2.2.1 AND the next-hop 10.1.1.1 will match the
route-map and change its next-hop to 10.1.1.2. However, I found that the
route-map does not check the second MATCH statement (i.e. match ip next-hop
12). I found that if the packet's source ip is 10.2.2.1 and no matter what
the next-hop ip address is, the route-map will change its next-hop to
10.1.1.2. In the menu, it states that every MATCH statement must be
matched for the set statement to be executed. Can anyone help me?

The router is Cisco 7200 and the IOS version is 12.0

Regards,
Dovelet




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32560t=32560



Policy routing BGP Neighbor relationships [7:27976]

2001-12-03 Thread Baety Wayne A1C 18 CS/SCBX

Is it me or does BGP not allow you to form a peering session unless you have
a route to the host in the routing table, no matter what.  It closes
connected sessions even if I have policy route data forwarding configured
and even if traffic is forwarding correctly.  Is there some knob I'm
forgetting about (other than using a static classful route to null0)?
 
My little diagram...
  
              178.24.1.1/32     204.22.10.1/32
                   Lo                Lo
                   |                 |
                   R6                R7
                   |                 |
                   S0                S0
  192.1.1/24      (.3)              (.1)
 
a.  No static routes entered on R6 or R7
b.  BGP peers w/ loopback addresses
 
 
Here's 11.3 (R7) forgetting that it can reach the 12.0 router via policy
(debug output on R7)
3d05h: BGP: 178.24.1.1 remote close, state CLOSEWAIT
3d05h: BGP: 178.24.1.1 closing
 
(This message repeated indefinitely)
3d05h: BGP: 178.24.1.1 multihop open delayed 10112ms (no route)
3d05h: BGP: 178.24.1.1 multihop open delayed 12784ms (no route)
 
(traffic is forwarding!)
r7#ping 178.24.1.1
Sending 5, 100-byte ICMP Echos to 178.24.1.1, timeout is 2 seconds:
!
 
r7#config t
r7(config)#ip route 178.24.1.1 255.255.255.255 192.1.1.3[Ctl-Z]
 
[a few seconds later]
(debug output on R7)
3d05h: BGP: 178.24.1.1 open active, local address 204.22.10.1
 
r7#config t
r7(config)#no ip route 178.24.1.1 255.255.255.255 192.1.1.3[Ctl-Z]
 
[a few seconds later]
(debug output on R7)
3d07h: BGP: 178.24.1.1 multihop open delayed 17648ms (no route)
 
grrr.
 
(configs below)
 
 
Thanks for looking this over.
 
WAYNE BAETY, MCSE, A1C, USAF
Network Systems Trainer
 
 
ROUTER 6 CONFIG
 
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r6
!
logging buffered warnings
logging console warnings
enable password cisco
!
username cisco password 0 cisco
!
!
!
!
ip subnet-zero
!
!
!
process-max-time 200
!
interface Loopback0
 ip address 178.24.1.1 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 ip address 10.0.0.6 255.255.255.0 secondary
 ip address 6.6.6.6 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 clockrate 25
 cdp enable
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 ip address 10.255.1.2 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 601
!
interface Serial0.2 point-to-point
 ip address 192.1.1.3 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip policy route-map ebgp-rehop
 frame-relay interface-dlci 607
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
router bgp 300
 network 178.24.0.0
 neighbor 204.22.10.1 remote-as 100
 neighbor 204.22.10.1 ebgp-multihop 2
 neighbor 204.22.10.1 update-source Loopback0
!
ip local policy route-map ebgp-rehop
ip nat pool dynamic-net-pool 178.24.16.1 178.24.191.254 prefix-length 16
ip nat inside source list 1 pool dynamic-net-pool
ip nat inside source static 178.24.3.13 10.253.1.1
ip classless
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 permit tcp any host 204.22.10.1 eq bgp
access-list 101 permit icmp any host 204.22.10.1 echo
access-list 101 permit icmp any host 204.22.10.1 echo-reply
route-map ebgp-rehop permit 10
 match ip address 101
 set ip default next-hop 192.1.1.1
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 monitor
 
END ROUTER 6 CONFIG
 
ROUTER 7 CONFIG 
 
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r7
!
enable password cisco
!
username cisco password 0 cisco
ip subnet-zero
ip nat pool dynamic-net-pool 204.22.10.16 204.22.10.191 prefix-length 24
ip nat inside source list 1 pool dynamic-net-pool
ip nat inside source static 204.22.10.13 20.255.1.5
!
!
interface Loopback0
 ip address 204.22.10.1 255.255.255.255
!
interface Ethernet0
 ip address 10.0.0.7 255.255.255.0 secondary
 ip address 7.7.7.7 255.255.255.0
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 clockrate 25
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 ip address 20.255.1.2 255.255.255.252
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 705
!
interface Serial0.2 point-to-point
 ip address 192.1.1.1 255.255.255.0
 ip nat outside
frame-relay interface-dlci 706
!
interface Serial1
 no ip address
 

Re: Policy routing BGP Neighbor relationships [7:27976]

2001-12-03 Thread Engelhard M. Labiro

 Is it me or does BGP not allow you to form a peering session unless you
have
 a route to the host in the routing table, no matter what.

Yes, eBGP won't form a session if the peer address is not in
its route table.

 It closes
 connected sessions even if I have policy route data forwarding configured
 and even if traffic is forwarding correctly.

The default for  ip local policy route-map command is packets
that are generated by the router itself are not policy routed.
So the BGP session to port 179 that is generated by the router
will not hit the route-map.

 Is there some knob I'm
 forgetting about (other than using a static classful route to null0)?

None that I know other than static route to the loopback.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27982t=27976



can policy routing be used on one-arm rtr? [7:17618]

2001-08-28 Thread b h

Hi,
I have a 3640 acting as a one-arm router to route between vlans. I would 
like to apply policy routing from vlan1 so that traffic leaving vlan2 from 
vlan1 is policy routed and traffic leaving vlan2 from other sources sees no 
policy.
Is this possible even though policy routing affects inbound interfaces?
Servers in vlan2 are behind a nat-ting firewall which translates legal ip's 
to 10. nets. I need internal users from their own 10. net to be able to 
access these servers behind the firewall and let the public have access thru 
the firewall. Presently, I have no problem with public access but my 
route-map won't send internally sourced traffic back the way it came. It gets 
sent out thru the firewall.

vlan2 Servers  -vlan1 internal users
   ^
   |
Public access

Any help is greatly appreciated.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17618t=17618



Policy routing [7:16529]

2001-08-20 Thread Rodel P Hipolito

Hey guys,

Can you help me on this?

I have a 2610, and I have 2 leased lines, is there a way that I can
balance the load?

thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=16529t=16529



QOS/Policy routing [7:5227]

2001-05-21 Thread Frank Kim

Hi folks,
I like to setup a policy so that any traffic destined to 1.1.1.0/24 will
take precedence over the rest.  My outbound link is a single T1.  Please
throw me a short sample config.  Thanks for helping.

-Frank




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5227t=5227



Re: QOS/Policy routing [7:5227]

2001-05-21 Thread Curtis Call

How about this?:

access-list 100 permit ip any 1.1.1.0 0.0.0.255
priority-list 1 protocol ip high list 100

Then on the interface do a priority-group 1

At 03:32 AM 5/21/01, you wrote:
Hi folks,
I like to setup a policy so that any traffic destined to 1.1.1.0/24 will
take precedence over the rest.  My outbound link is a single T1.  Please
throw me a short sample config.  Thanks for helping.

-Frank




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5232t=5227



Re: QOS/Policy routing [7:5227]

2001-05-21 Thread Vincent Chong

Hi;

Policy Routing sample

interface serial 0
ip address x.w.y.z /netmask
ip policy route-map frank
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map frank permit 10
match ip address 101
set ip precedence critical
!

Priority Queue is another option.

HTH
Vincent Chong


Frank Kim   Hi folks,
 I like to setup a policy so that any traffic destined to 1.1.1.0/24 will
 take precedence over the rest.  My outbound link is a single T1.  Please
 throw me a short sample config.  Thanks for helping.

 -Frank




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5250t=5227



Policy routing [7:2871]

2001-05-02 Thread Andy Low

Hi,

I am having a problem with my policy routing, hope that anyone can help me.

1) 1.1.1.1 is a low-end router connected to my high-end router ( multihomed,
running HSRP).
2) 1.1.1.1 is in VLAN 154
3) 5.5.5.1 is another neighbour router peering with my high-router
router.

The problem is whenever I implement ip policy route-map TEST on the int
fa1/1/0.154, the routing to router 1.1.1.1 will fail and the policy-routing
won't work.

Please advise.

Andy


Configuration:

interface FastEthernet1/1/0.154
 encapsulation isl 154
 ip address 2.2.2.253 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 standby 154 priority 120 preempt
 standby 154 ip 2.2.2.1


ip access-list 1 permit 1.1.1.1

route-map TEST permit 1
 match ip address 1
 set ip next-hop 5.5.5.1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=2871t=2871



Re: Policy routing [7:2871]

2001-05-02 Thread EA Louie

This would be a good case of making it work before adding the other
commands, and then knowing why you're doing it.  Hence, I'd ask these
questions:

1.  How can 1.1.1.1 and 2.2.2.x/24 be in the same VLAN/subnet unless one is
a secondary off the high-end router? (traceroute 1.1.1.1)
2.  If they are indeed in the same subnet, then does the policy-map really
'route' to 1.1.1.1? (show route-map)
3.  Do you understand policy routing and the purpose of performing it?
(show ip policy)
4.  Have you checked the status of the ACL used for the route-map? (show
access-list 1)
5.  What happens when the policy route is not implemented?  Is your routing
to 1.1.1.1 working then? (show ip route)
6.  Are you sure your configuration is correct?
(http://www.cisco.com/warp/public/105/36.html)

-e-

- Original Message -
From: Andy Low 
To: 
Sent: Wednesday, May 02, 2001 4:44 AM
Subject: Policy routing [7:2871]


 Hi,

 I am having problem with my policy routing, hope that anyone can help me.

 1) 1.1.1.1 is a low-end router connected to my high-end router (
multihomed,
 running HSRP).
 2) 1.1.1.1 is in VLAN 154
 3) 5.5.5.1 is the another neighbour router peering with my high-router
 router.

 The problem is whenever I implement ip policy route-map TEST on the int
 fa1/1/0.154, the routing to router 1.1.1.1 will fail and the
policy-routing
 won't work.

 Please advise.

 Andy


 Configuration:

 interface FastEthernet1/1/0.154
  encapsulation isl 154
  ip address 2.2.2.253 255.255.255.0
  no ip redirects
  no ip directed-broadcast
  standby 154 priority 120 preempt
  standby 154 ip 2.2.2.1


 ip access-list 1 permit 1.1.1.1

 route-map TEST permit 1
  match ip address 1
  set ip next-hop 5.5.5.1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=2924t=2871



Fast-switched policy routing forwarding table entries..

2001-03-23 Thread Curtis Phillips

Hello,

Does anyone know if source-based policy-routing entries are entered
in the cache in the form of  source, next-hop or source, dest, next-hop or ? 

What I am trying to establish is whether a separate route table look up is performed 
for every unique source-destination pair, or whether, since it is source-based policy 
routed, it simply does a single route table look up 
and uses the cached entry for every packet initiated from the same source?


Thanks,

Curtis




Re: Fast-switched policy routing forwarding table entries..

2001-03-23 Thread David Kurnik

Curtis,

For fast switching a hash table is stored in the cache that consists of the
hashed network destination and the next hop MAC header.  CEF is a great
improvement over fast switching but even that caches only the destination,
and not the source.  For source destination cache you have to go to Netflow
which is only available in the high end platforms, 72xx or better.  This is
why access lists and process switching can tank your router performance.

Check out Phill Harris'  'Router Switching Performance Characteristics'
session that he gives at Networkers--I pasted the link to the presentation
below.  It is easily one of the best sessions you can take at Networkers,
and the only place I know to get no-nonsense Cisco Architecture info
including information that Cisco will _never_ document.

http://www.cisco.com/networkers/nw00/pres/2203.pdf

If you can't attend Networkers you can buy the tape of the session.


--David


- Original Message -
From: "Curtis Phillips" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, March 23, 2001 8:48 AM
Subject: Fast-switched policy routing forwarding table entries..


 Hello,

 Does anyone know if source-based policy-routing entries are entered
 in the cache in the form of  source, next-hop or source, dest,
next-hop or ?

 What I am trying to establish is whether a seperate route table look up is
performed for every unique source-destination pair, or whether since it is
source-base policy routed, is simply does a single route table look up
 and uses the cached entry for every packet initiated from the same source?


 Thanks,

 Curtis




Policy routing: CPU util and counter-measures.

2001-03-22 Thread Curtis Phillips

I was wondering whether anyone has been able to determine the approximate 
level of increased CPU utilization that is introduced by policy routing.

Also, whether Netflow, CEF or any other known means has been used 
successfully to establish flow information and faster switching using
policy routing. If so, does the process base its flow/cache information 
exclusively on the source IP? or does it need to establish an individual 
entry for each source/destination pair?

Thanks,

Curtis



Re: Policy routing question

2000-12-05 Thread vtam

What I want to know is how to do backup. There are always several paths to
Network 1, let's say paths A, B, C. I want the traffic from 172.16.0.0 to 1
to always go via path A, but if path A is down, I want the traffic to go the best path in
the routing table to Net1 (maybe B or C, according to the IGP).
So how should I config?

"Brian" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 On Tue, 5 Dec 2000, vtam wrote:

  But the route table is learn through dynamic routing, so i cannot
specify
  the next_hop. So are there any solution? Thanks.

 I don't understand.  You want to policy route based on source address
 right?  What address would you like the traffic to be sent to?  How that
 address is learned is of no consequence.  If it must be recursivly looked
 up so be it.  Are you saying you don't know where you want to send the
 traffic?

 Brian







Re: Policy routing question

2000-12-05 Thread Frank B.

First thing I noticed was that any packet that would match your
access-list 2 would also match access-list 1 in the first sequence ( 10
in this case ) of the route map.  So no packets with the first two
octets of 172.16..  would ever make it to sequence 20 of the route map
where access-list 2 is called.  The result would be ALL packets
172.16.y.z would have the next-hop set to 172.1.1.1

So, I'd recommend referencing the more specific access-list first then
follow the guidance below from Brian.  Hope this helps,  Frank

  
   vtam,
  
   You must specify multiple hops on the "set ip next-hop" line.like:
  
route-map test permit 10
match ip address 1
set ip next-hop 172.1.1.1 172.1.1.2
  
   if 172.1.1.1 is down, it will use 172.1.1.2
  
   Brian
  
  
  
   On Mon, 4 Dec 2000, vtam wrote:
  
I don't really know how the policy routing run.
This is my quetion: i want to apply policy routing according to the
  source,
but when the set next-hop is not accessible, it should be route as
  normal
routing process( route according to dest. ip address).
   
This is the config i do.
   
int ser 1/0
ip policy route-map test
   
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255
   
route-map test permit 10
match ip address 1
set ip next-hop 172.1.1.1
   
route-map test permit 20
match ip address 2
set ip next-hop 172.1.1.3
   
   
   
I want to ask some question:
1. If 172.1.1.1 is down, can the traffice sourced by 172.16.0.0 will be
routed, or it would be drop?
2. Where should be the other traffic route? Is it routed or drop?
3. If question 1 is drop, how should i do to route that traffic?
   
Thanks.
   
   
   
  
   ---
   Brian Feeny, CCNP, CCDP   [EMAIL PROTECTED]
   Network Administrator
   ShreveNet Inc. (ASN 11881)
  
  
 
 
 
 
 ---
 Brian Feeny, CCNP+ATM, CCDP   [EMAIL PROTECTED]
 Network Administrator
 ShreveNet Inc. (ASN 11881)
 
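Added example (not part of the original thread and not any poster's code): a small Python model of the route-map discussed above, showing first-match sequence evaluation over wildcard-mask ACLs, the ordered next-hop fallback Brian describes, and the fall-through to normal routing when no sequence matches. The `reachable` set, the narrowed ACL 172.16.112.0 0.0.0.255 and the reordered map are assumptions made for illustration; treating "no usable next hop" as a return to normal routing is also a modelling assumption.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


class AclEntry:
    """One 'access-list N permit <addr> <wildcard>' line of a standard (source) ACL."""

    def __init__(self, addr, wildcard="0.0.0.0"):
        self.wild = ip_int(wildcard)                    # 1-bits are "don't care"
        self.addr = ip_int(addr) & ~self.wild & MASK32  # drop the don't-care bits

    def matches(self, src):
        return ((ip_int(src) ^ self.addr) & ~self.wild & MASK32) == 0

    def covers(self, other):
        """True if every source matched by `other` is also matched by this entry."""
        wider = (other.wild & ~self.wild & MASK32) == 0
        same_fixed_bits = ((self.addr ^ other.addr) & ~self.wild & MASK32) == 0
        return wider and same_fixed_bits


def policy_route(route_map, src, reachable):
    """First-match evaluation. Returns (sequence, next_hop).

    (None, None): no sequence matched, the packet is routed normally.
    (seq, None):  matched, but none of the listed next hops is usable
                  (modelled here as falling back to normal routing).
    """
    for seq, acl, next_hops in sorted(route_map, key=lambda e: e[0]):
        if any(entry.matches(src) for entry in acl):
            for hop in next_hops:          # tried in the order written
                if hop in reachable:
                    return seq, hop
            return seq, None
    return None, None


def shadowed_sequences(route_map):
    """Return (seq, earlier_seq) pairs where seq can never match any packet.

    Entry-by-entry check: a sequence is flagged only when each of its ACL
    entries is covered by a single entry of one earlier sequence.
    """
    ordered = sorted(route_map, key=lambda e: e[0])
    found = []
    for i, (seq, acl, _) in enumerate(ordered):
        for prev_seq, prev_acl, _ in ordered[:i]:
            if all(any(p.covers(e) for p in prev_acl) for e in acl):
                found.append((seq, prev_seq))
                break
    return found


ACL_BROAD = [AclEntry("172.16.0.0", "0.0.255.255")]          # access-list 1 as posted
ACL_POSTED_2 = [AclEntry("172.16.112.0", "0.255.255.255")]   # access-list 2 as posted
ACL_NARROW = [AclEntry("172.16.112.0", "0.0.0.255")]         # assumption: /24 wildcard

POSTED = [(10, ACL_BROAD, ["172.1.1.1"]), (20, ACL_POSTED_2, ["172.1.1.3"])]
NARROW = [(10, ACL_BROAD, ["172.1.1.1"]), (20, ACL_NARROW, ["172.1.1.3"])]
# Assumption: more specific ACL first, plus a backup next hop on the broad entry.
REORDERED = [(10, ACL_NARROW, ["172.1.1.3"]),
             (20, ACL_BROAD, ["172.1.1.1", "172.1.1.2"])]

if __name__ == "__main__":
    up = {"172.1.1.1", "172.1.1.2", "172.1.1.3"}
    for name, rmap in (("posted", POSTED), ("narrow", NARROW), ("reordered", REORDERED)):
        print(name, "shadowed:", shadowed_sequences(rmap))
        for src in ("172.16.112.5", "172.16.5.5", "172.17.9.9", "10.0.0.1"):
            print("  ", src, "->", policy_route(rmap, src, up))
    print("172.1.1.1 down:", policy_route(REORDERED, "172.16.5.5", up - {"172.1.1.1"}))
```

Run against the map as posted, sources in 172.16.0.0/16 always stop at sequence 10, while the wildcard 0.255.255.255 on access-list 2 leaves only the first octet fixed, so other 172.x.x.x sources land in sequence 20.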



Re: Policy routing question

2000-12-04 Thread vtam

But the route table is learned through dynamic routing, so I cannot specify
the next_hop. So is there any solution? Thanks.

"Brian" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

 vtam,

 You must specify multiple hops on the "set ip next-hop" line.like:

  route-map test permit 10
  match ip address 1
  set ip next-hop 172.1.1.1 172.1.1.2

 if 172.1.1.1 is down, it will use 172.1.1.2

 Brian



 On Mon, 4 Dec 2000, vtam wrote:

  I don't really know how the policy routing run.
  This is my quetion: i want to apply policy routing according to the
source,
  but when the set next-hop is not accessible, it should be route as
normal
  routing process( route according to dest. ip address).
 
  This is the config i do.
 
  int ser 1/0
  ip policy route-map test
 
  access-list 1 permit 172.16.0.0 0.0.255.255
  access-list 2 permit 172.16.112.0 0.255.255.255
 
  route-map test permit 10
  match ip address 1
  set ip next-hop 172.1.1.1
 
  route-map test permit 20
  match ip address 2
  set ip next-hop 172.1.1.3
 
 
 
  I want to ask some question:
  1. If 172.1.1.1 is down, can the traffice sourced by 172.16.0.0 will be
  routed, or it would be drop?
  2. Where should be the other traffic route? Is it routed or drop?
  3. If question 1 is drop, how should i do to route that traffic?
 
  Thanks.
 
 
 

 ---
 Brian Feeny, CCNP, CCDP   [EMAIL PROTECTED]
 Network Administrator
 ShreveNet Inc. (ASN 11881)







Re: Policy routing question

2000-12-04 Thread Brian

On Tue, 5 Dec 2000, vtam wrote:

 But the route table is learned through dynamic routing, so I cannot specify
 the next_hop. So is there any solution? Thanks.

I don't understand.  You want to policy route based on source address
right?  What address would you like the traffic to be sent to?  How that
address is learned is of no consequence.  If it must be recursively looked
up so be it.  Are you saying you don't know where you want to send the
traffic?

Brian



 "Brian" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 
  vtam,
 
  You must specify multiple hops on the "set ip next-hop" line, like:
 
   route-map test permit 10
   match ip address 1
   set ip next-hop 172.1.1.1 172.1.1.2
 
  if 172.1.1.1 is down, it will use 172.1.1.2
 
  Brian
 
 
 
  On Mon, 4 Dec 2000, vtam wrote:
 
   I don't really know how the policy routing run.
   This is my question: I want to apply policy routing according to the source,
   but when the set next-hop is not accessible, it should be route as normal
   routing process( route according to dest. ip address).
  
   This is the config i do.
  
   int ser 1/0
   ip policy route-map test
  
   access-list 1 permit 172.16.0.0 0.0.255.255
   access-list 2 permit 172.16.112.0 0.255.255.255
  
   route-map test permit 10
   match ip address 1
   set ip next-hop 172.1.1.1
  
   route-map test permit 20
   match ip address 2
   set ip next-hop 172.1.1.3
  
  
  
   I want to ask some question:
   1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be
   routed, or it would be drop?
   2. Where should be the other traffic route? Is it routed or drop?
   3. If question 1 is drop, how should i do to route that traffic?
  
   Thanks.
  
  
  ---
  Brian Feeny, CCNP, CCDP   [EMAIL PROTECTED]
  Network Administrator
  ShreveNet Inc. (ASN 11881)


---
Brian Feeny, CCNP+ATM, CCDP   [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)




RE: Policy routing question

2000-12-04 Thread Chuck Larrieu

May I take a stab, recognizing my experience here is limited to my reading.

Original questions:

1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be
routed, or it would be drop?

CL: I don't know. My guess is the traffic would be black-holed. Same as if,
in the regular routing process, an interface was down.

2. Where should be the other traffic route? Is it routed or drop?

CL: based on the construction of your original route-map, all other traffic
would be dropped. Like an access list, a route map list has an implicit deny
at the end.  To correct this ( if that is your intention ) you would need to
add a third section to the route map

e.g. route-map test permit 30

this line would pass all remaining traffic into the regular routing process.

3. If question 1 is drop, how should I do to route that traffic?

CL: answer as part of #2


A further comment:

 access-list 1 permit 172.16.0.0 0.0.255.255
 access-list 2 permit 172.16.112.0 0.255.255.255

CL: I am not sure what access-list 2 accomplishes, particularly in the
context of your route-map construction. All traffic from the 172.16.0.0
network would be covered by access-list 1, which in turn is processed as
part of the route-map test 10 section. Nothing from the 172.16.0.0 network
would ever reach the route-map test 20 section.

Also, 172.16.112.0 0.255.255.255 is a bit uncharacteristic. It is
effectively the same as saying 172.0.0.0 0.255.255.255, but less easy to
read, and hence a bit more confusing.

Chuck


-Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of vtam
Sent:   Monday, December 04, 2000 5:23 PM
To: [EMAIL PROTECTED]
Subject:Re: Policy routing question

But the route table is learned through dynamic routing, so I cannot specify
the next_hop. So is there any solution? Thanks.

"Brian" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

 vtam,

 You must specify multiple hops on the "set ip next-hop" line, like:

  route-map test permit 10
  match ip address 1
  set ip next-hop 172.1.1.1 172.1.1.2

 if 172.1.1.1 is down, it will use 172.1.1.2

 Brian



 On Mon, 4 Dec 2000, vtam wrote:

  I don't really know how the policy routing run.
  This is my question: I want to apply policy routing according to the source,
  but when the set next-hop is not accessible, it should be route as normal
  routing process( route according to dest. ip address).
 
  This is the config i do.
 
  int ser 1/0
  ip policy route-map test
 
  access-list 1 permit 172.16.0.0 0.0.255.255
  access-list 2 permit 172.16.112.0 0.255.255.255
 
  route-map test permit 10
  match ip address 1
  set ip next-hop 172.1.1.1
 
  route-map test permit 20
  match ip address 2
  set ip next-hop 172.1.1.3
 
 
 
  I want to ask some question:
  1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be
  routed, or it would be drop?
  2. Where should be the other traffic route? Is it routed or drop?
  3. If question 1 is drop, how should i do to route that traffic?
 
  Thanks.
 
 
 ---
 Brian Feeny, CCNP, CCDP   [EMAIL PROTECTED]
 Network Administrator
 ShreveNet Inc. (ASN 11881)
_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
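
The access-list overlap and first-match ordering discussed in the message above can be checked mechanically. This is an added example, not part of the original thread: a small Python model of standard-ACL wildcard matching and ordered route-map selection, where `PolicyEntry`, the function names and the `reachable` set are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def _care(wildcard):
    """Bits the ACL entry compares (wildcard bit 0 = must match)."""
    return ~_u32(wildcard) & MASK32

def normalize(base, wildcard):
    """Base address with every 'don't care' bit cleared."""
    return str(ipaddress.IPv4Address(_u32(base) & _care(wildcard)))

def acl_permits(acl, source):
    """Standard ACL test for one (base, wildcard) permit line."""
    base, wildcard = acl
    care = _care(wildcard)
    return (_u32(source) & care) == (_u32(base) & care)

def covers(outer, inner):
    """True if every source permitted by `inner` is also permitted by `outer`."""
    care_o, care_i = _care(outer[1]), _care(inner[1])
    same_bits = ((_u32(outer[0]) ^ _u32(inner[0])) & care_o) == 0
    return (care_o & ~care_i & MASK32) == 0 and same_bits

@dataclass(frozen=True)
class PolicyEntry:          # hypothetical structure, not an IOS object
    seq: int
    acl: tuple              # (base, wildcard)
    next_hops: tuple        # addresses on the "set ip next-hop" line, in order

ACL_1 = ("172.16.0.0", "0.0.255.255")
ACL_2 = ("172.16.112.0", "0.255.255.255")

# Route-map "test" from the thread, with the two-hop line suggested for seq 10.
ROUTE_MAP = (
    PolicyEntry(10, ACL_1, ("172.1.1.1", "172.1.1.2")),
    PolicyEntry(20, ACL_2, ("172.1.1.3",)),
)

def select(source, reachable):
    """Return (seq, next_hop) for a source address.

    Entries are tried in sequence order and the first match wins. next_hop is
    the first listed hop found in `reachable` (an assumed input standing in
    for the router's own reachability check), or None if no listed hop is
    reachable. seq is None when no entry matches, so the packet is not
    policy-routed by this map.
    """
    for entry in sorted(ROUTE_MAP, key=lambda e: e.seq):
        if acl_permits(entry.acl, source):
            hop = next((h for h in entry.next_hops if h in reachable), None)
            return entry.seq, hop
    return None, None

if __name__ == "__main__":
    up = {"172.1.1.2", "172.1.1.3"}          # constructed: 172.1.1.1 is down
    for src in ("172.16.112.5", "172.20.1.1", "10.1.1.1"):   # constructed
        print(src, select(src, up))
    print("ACL 2 normalizes to", normalize(*ACL_2), ACL_2[1])
    print("ACL 2 covers ACL 1:", covers(ACL_2, ACL_1))
```

Sources in 172.16.0.0/16 always land on sequence 10, so sequence 20 only ever sees the rest of 172.0.0.0/8.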



Policy routing question

2000-12-03 Thread vtam

I don't really know how the policy routing run.
This is my question: I want to apply policy routing according to the source,
but when the set next-hop is not accessible, it should be route as normal
routing process( route according to dest. ip address).

This is the config i do.

int ser 1/0
ip policy route-map test

access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255

route-map test permit 10
match ip address 1
set ip next-hop 172.1.1.1

route-map test permit 20
match ip address 2
set ip next-hop 172.1.1.3



I want to ask some question:
1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be
routed, or it would be drop?
2. Where should be the other traffic route? Is it routed or drop?
3. If question 1 is drop, how should i do to route that traffic?

Thanks.





Re: Policy routing question

2000-12-03 Thread Brian


vtam,

You must specify multiple hops on the "set ip next-hop" line, like:

 route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1 172.1.1.2

if 172.1.1.1 is down, it will use 172.1.1.2

Brian



On Mon, 4 Dec 2000, vtam wrote:

 I don't really know how the policy routing run.
 This is my question: I want to apply policy routing according to the source,
 but when the set next-hop is not accessible, it should be route as normal
 routing process( route according to dest. ip address).

 This is the config i do.

 int ser 1/0
 ip policy route-map test

 access-list 1 permit 172.16.0.0 0.0.255.255
 access-list 2 permit 172.16.112.0 0.255.255.255

 route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1

 route-map test permit 20
 match ip address 2
 set ip next-hop 172.1.1.3



 I want to ask some question:
 1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be
 routed, or it would be drop?
 2. Where should be the other traffic route? Is it routed or drop?
 3. If question 1 is drop, how should i do to route that traffic?

 Thanks.




---
Brian Feeny, CCNP, CCDP   [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)




Re: Policy routing as security - thoughts?

2000-11-30 Thread Robert O'Brien

Chuck,

As the area I work in is using this methodology, we are happy with its traffic
separation and security. The implementation we use is one lot of traffic uses a gre
tunnel and policy mapping into and out of the tunnel at the ends.

Rob O'Brien
CCNA
Canberra Australia.

Chuck Larrieu wrote:

 I swear the digressions will be the death of me yet!

 I've been reading up on route-maps and policy routing. Got to thinking about
 something one of my associates at work said to me. He likes to use policy
 routing as a means of securing networks in extranet situations. You know -
 central site sells services to a number of unrelated partners. Sometimes
 even internet access. Of course, one can't allow customer A to see customer
 B's network, and vice versa. But both A and B should get to a particular
 service, be that a database, a server, internet access, or whatever.

 So my comrade throws in policy routing. Source addresses from whatever
 interface or source address are only permitted to proceed out a particular
 interface or to a particular destination IP.

 Sounds good on the surface. The question I have is the risk, particularly
 from spoofed addresses. I suppose that matching the source interface
 eliminates the address issue. Still, I gotta wonder  My associate says
 this isn't an issue and that I worry too much.

 Anyone have any thoughts?

 Chuck
 --
 I am Locutus, a CCIE Lab Proctor. Xx_Brain_dumps_xX are futile. Your life as
 it has been is over ( if you hope to pass ) From this time forward, you will
 study US!
 ( apologies to the folks at Star Trek TNG )




policy routing

2000-10-03 Thread Gabriel . Neagoe


Hello,

If you configure policy routing to route certain packets through interface S0,
is there a way to automatically redirect packets through interface S1 if S0
is down?

thanks,
---
Gabriel Neagoe, GN379-RIPE
Networking solutions consultant
Cisco Certified Network Professional
Cisco Certified Design Associate
ST Romania
tel: +401 20 40 300
fax: +401 20 40 310
---




RE: policy routing

2000-10-03 Thread Gabriel . Neagoe

This is basic setup :-)
I'm thinking of something more complicated, so I want to keep policy routing :-)

---
Gabriel Neagoe, GN379-RIPE
Networking solutions consultant
Cisco Certified Network Professional
Cisco Certified Design Associate
ST Romania
tel: +401 20 40 300
fax: +401 20 40 310
---

 -Original Message-
 From: Ejay Hire [SMTP:[EMAIL PROTECTED]]
 Sent: Tuesday, October 03, 2000 5:11 PM
 To:   [EMAIL PROTECTED]
 Cc:   [EMAIL PROTECTED]
 Subject:  Re: policy routing
 
 Not using policy routing, it's actually much simpler than that.
 
 ...
 ip classless
 ip subnet-zero
 
 int serial 0
 ip addr 10.0.0.1 255.255.255.0
 backup interface serial 1
 !
 int serial 1
 ip addr 10.0.1.1 255.255.255.0
 ...
 
 Alternately, you can have a route with a higher administrative distance than
 the normal route for Destination XXX, and if the connection to destination
 XXX evaporates, then the new route will enter the routing table.  This is
 popular when migrating routing protocols.
 
 
 
 Original Message Follows
 From: [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: policy routing
 Date: Tue, 3 Oct 2000 17:16:38 +0200
 
 
 Hello,
 
 If you configure policy routing to route certain packets through interface S0,
 is there a way to automatically redirect packets through interface S1 if S0
 is down?
 
 thanks,
 ---
 Gabriel Neagoe, GN379-RIPE
 Networking solutions consultant
 Cisco Certified Network Professional
 Cisco Certified Design Associate
 ST Romania
 tel: +401 20 40 300
 fax: +401 20 40 310
 ---
 



Re: policy routing

2000-10-03 Thread Jeff Kell

[EMAIL PROTECTED] wrote:
 
 This is basic setup :-)
 I'm thinking of something more complicated, so I want to keep policy routing :-)

Assuming you are doing policy routing with a route map, you would use
something like...

route-map foobar permit 10
  match ip address some-access-list
  set [default] interface S0

but if you want it to failover to S1 when S0 is down, just change the
last line to:

  set [default] interface S0 S1

You can supply multiple interfaces, it uses the first one that is up.

This won't work with 'set ip default next-hop' though.

Bear in mind that using the 'default' keyword makes it process-switched
and eats up CPU.

Jeff Kell [EMAIL PROTECTED]




Re: policy routing

2000-07-06 Thread Jamie Byrne

At 09:53 AM 7/4/00 -0700, Cormac Long wrote:
There are 2 problems with the route-map.

1. Syntax should be "set ip next-hop serial0"
2. There is no match in the map for 192.168.2.0 so
those packets will get dropped.


I agree with point#1, but not point#2.  The original route-map was like so...

 route-map test permit 10
  match ip address 10
  set interface serial0
 
 route-map test permit 20
  set interface serial1
 
 access-list 10 permit 192.168.1.0 0.0.0.255 

  
Sequence #20 in the route-map, because it contains no match and is a permit
statement, is going to act like a "permit ip any any" at the end of an
access-list.  So anything that doesn't match sequence #10 will definitely
match #20 and be sent out serial1 (once the 'set' command syntax has been
corrected).  The packets wouldn't be dropped unless it was a deny statement.


Jamie Byrne




Re: policy routing

2000-07-05 Thread Tim Evens



Try changing the set interface to set next-hop. Use set next hop when you
know the next hop address. In your case: change "set interface serial0"
to "set ip next-hop 192.168.3.2" and "set interface serial1" to "set ip
next-hop 192.168.4.2"

When you said that your configuration wasn't working; was the traffic
being dropped or routed out only one interface?

Tim

Nurarif Wibawa wrote:

Hi guys,

Please see configurations below :
ISP A owned 192.168.1.0/24 and ISP B owned 192.168.2.0/24

     ISP A              ISP B
       |                  |
       |                  |
    serial0            serial1
       ethernet0 -> using secondary address
       |                  |
       |                  |
 192.168.1.0/24     192.168.2.0/24

Customer which has 2 ISP using 2 serial interfaces and 1 ethernet interface.
Lets say, user which configured with network 192.168.1.0 should go through
serial0 and user which configured with network 192.168.2.0 should go through
serial1
Please correct the router configuration below :
-
interface serial0
 ip address 192.168.3.1 255.255.255.252

interface serial1
 ip address 192.168.4.1 255.255.255.252

interface ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip policy route-map test

route-map test permit 10
 match ip address 10
 set interface serial0

route-map test permit 20
 set interface serial1

access-list 10 permit 192.168.1.0 0.0.0.255

--

Did I miss something ? because it won't work.

Thank you





policy routing

2000-07-04 Thread Nurarif Wibawa



Hi guys,

Please see configurations below :
ISP A owned 192.168.1.0/24 and ISP B owned 192.168.2.0/24

     ISP A              ISP B
       |                  |
       |                  |
    serial0            serial1
       ethernet0 - using secondary address
       |                  |
       |                  |
 192.168.1.0/24     192.168.2.0/24

Customer which has 2 ISP using 2 serial interfaces and 1 ethernet interface.
Lets say, user which configured with network 192.168.1.0 should go through
serial0 and user which configured with network 192.168.2.0 should go through
serial1
Please correct the router configuration below :
-
interface serial0
 ip address 192.168.3.1 255.255.255.252

interface serial1
 ip address 192.168.4.1 255.255.255.252

interface ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip policy route-map test

route-map test permit 10
 match ip address 10
 set interface serial0

route-map test permit 20
 set interface serial1

access-list 10 permit 192.168.1.0 0.0.0.255

--

Did I miss something ? because it won't work.


Thank you

 



Re: policy routing

2000-07-04 Thread Cormac Long

There are 2 problems with the route-map.

1. Syntax should be "set ip next-hop serial0"
2. There is no match in the map for 192.168.2.0 so
those packets will get dropped.

Correct config should be:

route-map test permit 10
 match ip address 10
 set ip next-hop interface serial0

route-map test permit 20
 match ip address 11
 set ip next-hop interface serial1

access-list 10 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.2.0 0.0.0.255

Regards,

Cormac Long CCSI#21600
http://www.cormaclong.com

--- Nurarif Wibawa [EMAIL PROTECTED] wrote:
 Hi guys,
 
 Please see configurations below :
 ISP A owned 192.168.1.0/24 and ISP B owned
 192.168.2.0/24
 
      ISP A              ISP B
        |                  |
        |                  |
     serial0            serial1
        ethernet0 - using secondary address
        |                  |
        |                  |
  192.168.1.0/24     192.168.2.0/24
 
 Customer which has 2 ISP using 2 serial interfaces
 and 1 ethernet interface.
 Lets say, user which configured with network
 192.168.1.0 should go through serial0 and user which
 configured with network 192.168.2.0 should go
 through serial1
 Please correct the router configuration below :

-
 interface serial0
  ip address 192.168.3.1 255.255.255.252
 
 interface serial1
  ip address 192.168.4.1 255.255.255.252
 
 interface ethernet0
  ip address 192.168.1.1 255.255.255.0
  ip address 192.168.2.1 255.255.255.0 secondary
  ip policy route-map test
  
 route-map test permit 10
  match ip address 10
  set interface serial0
 
 route-map test permit 20
  set interface serial1
 
 access-list 10 permit 192.168.1.0 0.0.0.255 

--
 
 Did I miss something ? because it won't work.
 
 
 Thank you
 
 
 

