Re: Policy routing with route map [7:70567]
In match ip address, which IP address are you trying to match?

ramesh, ccnp

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70627t=70567
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Policy routing with route map [7:70567]
Hi guys,

Just want to ask: can load balancing be achieved with this config? Or is only e1 used, followed by e2 if e1 is down?

    interface serial e0
     ip policy route-map ABC
    !
    route-map ABC
     match ip address X.X.X.X
     set interface e1 e2 e3 e4

Thank you!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70567t=70567
Re: Policy routing with route map [7:70567]
If the first interface specified with the set interface command is down, the optionally specified interfaces are tried in turn.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprrp_r/ind_r/1rfindp2.htm#1020572

Thanks... Nabil

I have never let my schooling interfere with my education.

Chiam Chin Tiong
Sent by: [EMAIL PROTECTED]
06/12/2003 01:17 AM
Please respond to Chiam Chin Tiong
Subject: Policy routing with route map [7:70567]

> Hi guys,
>
> Just want to ask: can load balancing be achieved with this config? Or is only e1 used, followed by e2 if e1 is down?
>
>     interface serial e0
>      ip policy route-map ABC
>     !
>     route-map ABC
>      match ip address X.X.X.X
>      set interface e1 e2 e3 e4
>
> Thank you!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70581t=70567
Re: Policy Routing on the 3550? [7:64074]
Thanks for the replies...

My TAC case worker believes the same to be true, although he's still trying to verify this with absolute certainty.

I'll have to cross my fingers and hope that they add it in the future, although by then, it won't matter for this project. We're going to have to go another route for now.

----- Original Message -----
From: Erick B.
Sent: Saturday, March 01, 2003 1:28 AM
Subject: Re: Policy Routing on the 3550? [7:64074]

route-map isn't listed as a command in the documentation so it's probably something from full IOS that isn't supported. They may add support in the future.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550scg/swuncli.htm#xtocid24

Unsupported route map commands on 3550 (latest code):

    match route-type {level-1 | level-2}
    set as-path {tag | prepend as-path-string}
    set automatic-tag
    set dampening
    set ip destination ip-address mask
    set ip next-hop
    set ip precedence value
    set ip qos-group
    set metric-type internal
    set metric-type internal
    set tag tag-value

--- W. Alan Robertson wrote:
> Howdy folks...
>
> I need to set the next hop on a 3550 (with the EMI Image) based on the protocol type. We've got a number of transparent proxy servers, each one handling a different type of traffic (One for HTTP... One for SMTP... Etc.).
>
> No problem, right? Wrong.
>
> Merrily, I configured my access-lists to identify the various traffic types. I then created the route-map statements to set ip next-hop for each of the types of traffic. I then went to my vlan interface to apply the route-maps, but lo and behold, no ip policy command.
>
> How can I apply the route-maps to my interface? Is there another way to accomplish this?
>
> Thanks,
> Alan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64162t=64074
Policy Routing on the 3550? [7:64074]
Howdy folks...

I need to set the next hop on a 3550 (with the EMI Image) based on the protocol type. We've got a number of transparent proxy servers, each one handling a different type of traffic (One for HTTP... One for SMTP... Etc.).

No problem, right? Wrong.

Merrily, I configured my access-lists to identify the various traffic types. I then created the route-map statements to set ip next-hop for each of the types of traffic. I then went to my vlan interface to apply the route-maps, but lo and behold, no ip policy command.

How can I apply the route-maps to my interface? Is there another way to accomplish this?

Thanks,
Alan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64074t=64074
Re: Policy Routing on the 3550? [7:64074]
one of the gotchas of the 3550 IOS images.

There is no reference to the ip policy route-map command in the documentation. Policy is not mentioned in the configuration guide. I did check the unsupported commands section and did not see anything specific. But I can say that there are commands that appear in the IOS menus, and there are commands that you can enter and receive no error message. And they still have no effect.

guessing now, but because of the experiences above, I would suggest that policy routing is not supported in the 3550 IOS at this time.

one of the frustrations of this IOS on this platform

W. Alan Robertson wrote in message news:[EMAIL PROTECTED]
> Howdy folks...
>
> I need to set the next hop on a 3550 (with the EMI Image) based on the protocol type. We've got a number of transparent proxy servers, each one handling a different type of traffic (One for HTTP... One for SMTP... Etc.).
>
> No problem, right? Wrong.
>
> Merrily, I configured my access-lists to identify the various traffic types. I then created the route-map statements to set ip next-hop for each of the types of traffic. I then went to my vlan interface to apply the route-maps, but lo and behold, no ip policy command.
>
> How can I apply the route-maps to my interface? Is there another way to accomplish this?
>
> Thanks,
> Alan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64101t=64074
Re: Policy Routing on the 3550? [7:64074]
PBR is not available in current image. I understand it will be available soon.

----- Original Message -----
From: W. Alan Robertson
Sent: Friday, February 28, 2003 9:04 AM
Subject: Policy Routing on the 3550? [7:64074]

Howdy folks...

I need to set the next hop on a 3550 (with the EMI Image) based on the protocol type. We've got a number of transparent proxy servers, each one handling a different type of traffic (One for HTTP... One for SMTP... Etc.).

No problem, right? Wrong.

Merrily, I configured my access-lists to identify the various traffic types. I then created the route-map statements to set ip next-hop for each of the types of traffic. I then went to my vlan interface to apply the route-maps, but lo and behold, no ip policy command.

How can I apply the route-maps to my interface? Is there another way to accomplish this?

Thanks,
Alan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64121t=64074
Re: Policy Routing on the 3550? [7:64074]
route-map isn't listed as a command in the documentation so it's probably something from full IOS that isn't supported. They may add support in the future.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550scg/swuncli.htm#xtocid24

Unsupported route map commands on 3550 (latest code):

    match route-type {level-1 | level-2}
    set as-path {tag | prepend as-path-string}
    set automatic-tag
    set dampening
    set ip destination ip-address mask
    set ip next-hop
    set ip precedence value
    set ip qos-group
    set metric-type internal
    set metric-type internal
    set tag tag-value

--- W. Alan Robertson wrote:
> Howdy folks...
>
> I need to set the next hop on a 3550 (with the EMI Image) based on the protocol type. We've got a number of transparent proxy servers, each one handling a different type of traffic (One for HTTP... One for SMTP... Etc.).
>
> No problem, right? Wrong.
>
> Merrily, I configured my access-lists to identify the various traffic types. I then created the route-map statements to set ip next-hop for each of the types of traffic. I then went to my vlan interface to apply the route-maps, but lo and behold, no ip policy command.
>
> How can I apply the route-maps to my interface? Is there another way to accomplish this?
>
> Thanks,
> Alan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64137t=64074
Policy Routing Help. [7:63692]
Hi Guys

Need Help in Policy Routing.

I have a Cisco 2610 router with Pix behind. The 2610 has two WAN Connections, S0-256Kbps leased line and ATM0-DSL line 512Kbps, going to two different ISPs, with different IP addresses. E0 will connect to PIX outside interface. I need to configure SMTP Traffic to route thru leased line, HTTP traffic to route thru ATM0, DSL line.

I think it can be done by Route Map (policy Routing), cannot find documents in Cisco's website, or do I need additional router to do this. If anybody had done similar setup pls do provide a sample configuration, or if this setup will not work, what is the alternate suggestion.

appreciate your early reply.

thanks n regards
fahim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63692t=63692
Re: Policy Routing Help. [7:63692]
fahim wrote in message news:[EMAIL PROTECTED]
> Hi Guys
>
> Need Help in Policy Routing.
>
> I have a Cisco 2610 router with Pix behind. The 2610 has two WAN Connections, S0-256Kbps leased line and ATM0-DSL line 512Kbps, going to two different ISPs, with different IP addresses. E0 will connect to PIX outside interface. I need to configure SMTP Traffic to route thru leased line, HTTP traffic to route thru ATM0, DSL line.
>
> I think it can be done by Route Map (policy Routing), cannot find documents in Cisco's website, or do I need additional router to do this. If anybody had done similar setup pls do provide a sample configuration, or if this setup will not work, what is the alternate suggestion.
>
> appreciate your early reply.

have you got your access-lists set up correctly?

something like:

    access-list x permit tcp any any eq smtp
    access-list y permit tcp any any eq www

and so on.

it seems important that you have a default set somewhere also. undefined traffic goes to which provider?

once you have your access-lists set up then the route-map part is relatively simple:

    route-map policy permit 10
     match ip addr x
     set ip next-hop a.b.c.d
       OR
     set interface atm etc
    route-map policy permit 20
     etc

policy maps apply to inbound traffic only, so you place the policy on the interface inbound from your network. I assume this is the ethernet interface.

check out CCO
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/1rdindep.htm#1017974
watch the wrap

sometimes it makes more sense if you draw a picture or two so you can actually see what is happening.

> thanks n regards
> fahim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63696t=63692
Re: Policy Routing Help. [7:63692]
Dear Fahim

Here Define The traffic for policy routing:

    access-list 150 permit tcp any any eq smtp

Then Make a Route-map policy

    route-map permit
     match ip address 150
     set ip next-hop

Now assign it to some interface:

    Interface configuration mode
     ip policy route-map

Hope it helps
Hakopian

fahim wrote in message news:[EMAIL PROTECTED]
> Hi Guys
>
> Need Help in Policy Routing.
>
> I have a Cisco 2610 router with Pix behind. The 2610 has two WAN Connections, S0-256Kbps leased line and ATM0-DSL line 512Kbps, going to two different ISPs, with different IP addresses. E0 will connect to PIX outside interface. I need to configure SMTP Traffic to route thru leased line, HTTP traffic to route thru ATM0, DSL line.
>
> I think it can be done by Route Map (policy Routing), cannot find documents in Cisco's website, or do I need additional router to do this. If anybody had done similar setup pls do provide a sample configuration, or if this setup will not work, what is the alternate suggestion.
>
> appreciate your early reply.
>
> thanks n regards
> fahim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63695t=63692
RE: Policy Routing Help. [7:63692]
You can do this with route maps. A search on google for route map cisco gave the first result as:

    ! Enable policy routing
    interface Ethernet0
     ip policy route-map proxy-redirect
    ! Route to proxy server
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop 10.11.12.13
    ! Only policy route client www traffic
    access-list 110 deny tcp any any neq www
    access-list 110 deny tcp host 10.11.12.13 any
    access-list 110 permit tcp any any

Just bear in mind the flow of traffic coming back. If your HTTP requests get natted at the PIX to an ISP A address, then when you send those requests down the ISP B DSL line, they will return down the ISP A leased line. To get around this, perform NAT on the 2610, using an ISP B address, for all traffic going out the DSL ISP B line. This will make the traffic return down the DSL line.

Symon

-----Original Message-----
From: fahim [mailto:[EMAIL PROTECTED]
Sent: 25 February 2003 08:42
To: [EMAIL PROTECTED]
Subject: Policy Routing Help. [7:63692]

Hi Guys

Need Help in Policy Routing.

I have a Cisco 2610 router with Pix behind. The 2610 has two WAN Connections, S0-256Kbps leased line and ATM0-DSL line 512Kbps, going to two different ISPs, with different IP addresses. E0 will connect to PIX outside interface. I need to configure SMTP Traffic to route thru leased line, HTTP traffic to route thru ATM0, DSL line.

I think it can be done by Route Map (policy Routing), cannot find documents in Cisco's website, or do I need additional router to do this. If anybody had done similar setup pls do provide a sample configuration, or if this setup will not work, what is the alternate suggestion.

appreciate your early reply.

thanks n regards
fahim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63702t=63692
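The decision logic discussed in the two threads above (the `set interface e1 e2 e3 e4` question and the proxy-redirect route map with access-list 110), as an added Python model that is not part of any poster's message. `Packet`, `Entry`, `policy_route`, `ACL_ANY` and the sample addresses are constructed for illustration; falling back to the routing table when every listed interface is down is an assumption of the model, and next-hop reachability is not modelled.

```python
# Added illustration: how one inbound packet is handled by a route map
# applied with "ip policy route-map". Only permit entries are modelled.
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


Rule = Tuple[str, Callable[[Packet], bool]]  # (action, predicate)

PROXY = "10.11.12.13"

# access-list 110 from the post, in the posted order.
ACL_110: List[Rule] = [
    ("deny", lambda p: p.proto == "tcp" and p.dport != 80),   # deny tcp any any neq www
    ("deny", lambda p: p.proto == "tcp" and p.src == PROXY),  # deny tcp host 10.11.12.13 any
    ("permit", lambda p: p.proto == "tcp"),                   # permit tcp any any
]

# Constructed stand-in for the unspecified "match ip address X.X.X.X".
ACL_ANY: List[Rule] = [("permit", lambda p: True)]


def acl_permits(acl: List[Rule], pkt: Packet) -> bool:
    """First matching rule decides; no match at all is the implicit deny."""
    for action, predicate in acl:
        if predicate(pkt):
            return action == "permit"
    return False


@dataclass
class Entry:
    seq: int
    acl: List[Rule]
    next_hop: Optional[str] = None
    interfaces: Tuple[str, ...] = ()


def policy_route(route_map: List[Entry], pkt: Packet, up: Set[str]) -> Tuple[str, str]:
    """Return ("next-hop", ip), ("interface", name) or ("routing-table", "")."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not acl_permits(entry.acl, pkt):
            continue  # an ACL deny here means "not policy routed by this entry"
        if entry.next_hop is not None:
            return ("next-hop", entry.next_hop)
        for name in entry.interfaces:
            if name in up:
                return ("interface", name)  # first interface that is up, always
        break  # matched, but no listed interface is usable (model assumption)
    return ("routing-table", "")  # normal destination-based forwarding


PROXY_REDIRECT = [Entry(10, ACL_110, next_hop=PROXY)]
ABC = [Entry(10, ACL_ANY, interfaces=("e1", "e2", "e3", "e4"))]

if __name__ == "__main__":
    client = Packet("192.168.1.20", "198.51.100.7", "tcp", 80)   # constructed
    proxy = Packet(PROXY, "198.51.100.7", "tcp", 80)             # constructed
    print(policy_route(PROXY_REDIRECT, client, set()))
    print(policy_route(PROXY_REDIRECT, proxy, set()))
    print(policy_route(ABC, client, {"e2", "e4"}))
```

The second deny line is what keeps the proxy's own outbound requests from being redirected back to itself, and the interface list behaves as failover rather than load sharing.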
Re: Policy Routing Question [7:51689]
Thanks for the thorough reply and for verifying that I have a decent grip on policy routing. I'm less concerned that I'm not following the author's train of thought than I am with the concept in general. I agree that I muddied the waters by bringing BGP into the picture. I understand the usage of route-maps in BGP relates to controlling BGP routing information between neighbors, not in the actual routing of data packets as it does with policy routing. I appreciate the example, though, it helped me further clarify things.

Thanks again,
John

Chuck's Long Road wrote:
| you pretty much understand how it works. You might be muddying the waters a bit by bringing BGP into the picture
| comment below:
|
| John Matney wrote in message news:[EMAIL PROTECTED]...
|
| > I've been reading the Cisco CCNP Cert Guide in partial preparation for the BSCI exam and I've come across a bit in the Policy Routing section that I just don't understand.
| >
| > The text states:
| >
| > Policy routing does not allow traffic sent into another autonomous system to take a different path from the one that would have been chosen by that autonomous system. (pp. 551)
|
| CL: sure. makes sense. I'm not sure why the authors would take this tack, as policy routing applies only to inbound traffic. at best, it can set next hop, as you note. But nothing that the policy sets is untouchable by other routers, same autonomous system or not.
|
| > From the reading, I understand that policy routing is configured on an inbound interface and can filter on either source or both source and destination addresses. PR, via a route map, can set properties such as precedence, QoS and next-hop. All of these items only really have relevance on the router in which policy routing is being done. In other words, once the router policy routes the packet and specifies, for instance, the next-hop interface. Now, if that next-hop router chooses to drop, fragment or otherwise mangle the packet so be it, the first router has no control over it anymore, it's done its job.
|
| CL: yep
|
| > So then, how does this quote apply? Perhaps, I'm completely missing the point (wouldn't be the first time). A router can only do what it's configured to do. If I tell a packet to take path a to get to network b but network b would prefer its incoming traffic to come in via path c, the most network a can do to prevent this is to drop incoming traffic via path a. Correct?
|
| CL: yep
|
| > Even if we were running an EGP such as BGP4 and the distant router had a MED set to prefer path c, I could still push packets via path a given that I knew it existed.
|
| CL: you can send a packet anyplace. that doesn't mean the destination router has to accept it.
|
| CL: but mixing policy routing and BGP in your mind is probably not a good idea. the BGP settings that are done via route-maps associated with neighbor statements apply to BGP routing information. Policy routing applies to data packets, not to routing protocol information. Does that make sense?
|
| CL: examples:
|
|     router bgp 9902
|      neighbor 1.1.1.1 remote-as 9990
|      neighbor 1.1.1.1 route-map take_my_sttings out
|      neighbor 1.1.1.1 route-map screw_your_settings in
|
| as opposed to
|
|     interface s 0
|      ip policy route-map zzyzx
|
| > Make sense? I'm a bit confused as to what the authors are getting to in this passage. Could someone help?
|
| CL: HTH
|
| > Thanks,
| > John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51794t=51689
Policy Routing Question [7:51689]
I've been reading the Cisco CCNP Cert Guide in partial preparation for the BSCI exam and I've come across a bit in the Policy Routing section that I just don't understand.

The text states:

Policy routing does not allow traffic sent into another autonomous system to take a different path from the one that would have been chosen by that autonomous system. (pp. 551)

From the reading, I understand that policy routing is configured on an inbound interface and can filter on either source or both source and destination addresses. PR, via a route map, can set properties such as precedence, QoS and next-hop. All of these items only really have relevance on the router in which policy routing is being done. In other words, once the router policy routes the packet and specifies, for instance, the next-hop interface. Now, if that next-hop router chooses to drop, fragment or otherwise mangle the packet so be it, the first router has no control over it anymore, it's done its job.

So then, how does this quote apply? Perhaps, I'm completely missing the point (wouldn't be the first time). A router can only do what it's configured to do. If I tell a packet to take path a to get to network b but network b would prefer its incoming traffic to come in via path c, the most network a can do to prevent this is to drop incoming traffic via path a. Correct? Even if we were running an EGP such as BGP4 and the distant router had a MED set to prefer path c, I could still push packets via path a given that I knew it existed.

Make sense? I'm a bit confused as to what the authors are getting to in this passage. Could someone help?

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51689t=51689
Re: Policy routing - directly connected interfaces [7:45628]
You're asking if it's directly connected, would it be switched and not affected by policy routing? I think not. To my understanding any packet destined for a remote destination that is directly connected or via a next hop would be routed and subject to your policy. This is strange.

Ip local policy will only affect packets originated by the router, this wouldn't affect the directly connected scenario.

Perhaps you can add another match for packets going to a directly connected interface to be subjected to the policy?

I'd be interested to see how you get on

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45799t=45628
Re: Policy routing - directly connected interfaces [7:45628]
my results seem to disagree with your thought.

    172.31.1.1 loop0---router--WAN--172.31.5.0 network
                         |
                         --WAN-- 172.31.3.0 network

the route-map I used went something like this

    access-list 101 permit ip 172.31.5.0 0.0.0.255 172.31.1.0 0.0.0.255
    access-list 101 permit ip 172.31.5.0 0.0.0.255 172.31.3.0 0.0.0.255
    route-map filter permit 10
     match ip address 101
     set interface null0

when I pinged from the 172.31.5.0 net to 172.31.3.0 net, the debug ip policy showed packets matching the policy and being forwarded to null0

when I pinged from 172.31.1.1 there was no debug generated, and the 172.31.5.0 network received ICMP replies.

that's why I asked the question.

----- Original Message -----
From: Kris Keen
Newsgroups: groupstudy.cisco
Sent: Tuesday, 04 June, 2002 8:34 PM
Subject: Re: Policy routing - directly connected interfaces [7:45628]

You're asking if it's directly connected, would it be switched and not affected by policy routing? I think not. To my understanding any packet destined for a remote destination that is directly connected or via a next hop would be routed and subject to your policy. This is strange.

Ip local policy will only affect packets originated by the router, this wouldn't affect the directly connected scenario.

Perhaps you can add another match for packets going to a directly connected interface to be subjected to the policy?

I'd be interested to see how you get on

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45807t=45628
Re: Policy routing - directly connected interfaces [7:45628]
coincidentally, I opened up Doyle as part of my research into the question.

As I understand things, the ip local policy command and process is for packets that the router originates, such as routing protocol advertisements, hellos, pings, etc. As such, ip local policy is for traffic originated by the router itself, and outbound.

OTOH, ip policy is for inbound traffic on an interface that ( and here is the point of clarification required ) is routed. My question is essentially, if the packet destination is on a directly connected network, does that mean it is not routed and therefore is not policy routed either. Does that make sense?

In solution to my particular problem, I rewrote my nat list on the external router such that I referenced a route map:

    ! access-list 101 determines which source addresses are allowed onto the CCC network
    !
    access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1 ! business partner extranet server
    access-list 101 permit ip 192.168.1.0 0.0.0.255 host 172.31.2.1 ! shared e-mail services server
    access-list 101 deny ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255 ! other organization subnets that are forbidden
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any ! shared internet access
    ! INSIDE_NET CCC, DPH, OR INTERNET
    ! used with nat pool construct
    !
    ip nat pool cccnat 172.31.10.25 172.31.10.250 netmask 255.255.255.0
    ip nat inside source route-map CCC pool cccnat
    !
    route-map CCC permit 10
     match ip address 101
    route-map CCC deny 20 ! probably unnecessary

the neat thing about this construct is that only those packets with the appropriate source AND destination addresses get out onto the network, NAT or otherwise. Packets that are not NAT'ed can't be routed because there is no gateway of last resort on the edge/NAT routers, nor does policy routing on the central router permit anything other than packets with a source that was created by the NAT process.

Chuck

Daniel Cotts wrote in message news:[EMAIL PROTECTED]...
> Check out page 819 of Doyle Vol 1.
> ip local policy route-map
> HTH
>
> -----Original Message-----
> From: Chuck [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, June 02, 2002 12:36 PM
> To: [EMAIL PROTECTED]
> Subject: Policy routing - directly connected interfaces [7:45628]
>
> Continued policy routing testing of a customer network simulation in my lab has revealed something of interest to me. Can't find a revelation in the config and command references on CCO.
>
> I have a policy set up such that packets with a particular source address and a particular destination address are treated in various manners. debug ip policy is showing me that the policy is doing exactly what I want it to do EXCEPT when the destination address is a directly connected network.
>
> that is, if the destination is a network on some other router, with a route in the routing table, everything is fine. the next hop is set appropriately, and the debug shows that policy is applied properly.
>
> however, when the destination is a directly connected network ( either a loopback or a LAN interface ) policy routing is not engaged.
>
> true? experience? reference? as I said, can't find anything in the documentation on CCO.
>
> Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45704t=45628
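The NAT construct in the message above depends on the order of the four access-list 101 lines, because only traffic the list permits is matched by route-map CCC and translated. The following Python sketch is an added example, not the poster's code: it evaluates that list first-match with wildcard masks and flags lines that an earlier, broader line makes unreachable. The function names and probe addresses are constructed for illustration.

```python
# Added illustration: first-match evaluation and shadowing check for the
# extended access-list 101 quoted in the message above.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ACL_101 = """\
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 172.31.2.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

Spec = Tuple[int, int]  # (base address, wildcard mask); wildcard 1-bits are "don't care"
MASK32 = 0xFFFFFFFF


class Rule(NamedTuple):
    action: str
    src: Spec
    dst: Spec


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _spec(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD' and return the rest."""
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; '!' starts a comment."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("!")[0].split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, rest = _spec(tokens[4:])
        dst, _ = _spec(rest)
        rules.append(Rule(tokens[2], src, dst))
    return rules


def _hit(addr: int, spec: Spec) -> bool:
    base, wildcard = spec
    care = ~wildcard & MASK32
    return (addr & care) == (base & care)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based line number); (deny, None) is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for index, rule in enumerate(rules, start=1):
        if _hit(s, rule.src) and _hit(d, rule.dst):
            return rule.action, index
    return "deny", None


def _covers(a: Spec, b: Spec) -> bool:
    """True if every address matched by b is also matched by a."""
    care_a = ~a[1] & MASK32
    return (b[1] & care_a) == 0 and ((a[0] ^ b[0]) & care_a) == 0


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """List (line, earlier_line) pairs where the earlier line always wins."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                found.append((j + 1, i + 1))
                break
    return found


if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for dst in ("10.1.1.1", "172.31.2.1", "172.31.7.9", "198.51.100.10"):
        print(dst, evaluate(acl, "192.168.1.50", dst))
    print("shadowed:", shadowed(acl))
```

With the posted order nothing is shadowed; moving the final `permit ... any` line to the top would let the forbidden 172.31.0.0 destinations through on line 1, and `shadowed` reports the other three lines as unreachable.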
Policy routing - directly connected interfaces [7:45628]
Continued policy routing testing of a customer network simulation in my lab has revealed something of interest to me. Can't find a revelation in the config and command references on CCO.

I have a policy set up such that packets with a particular source address and a particular destination address are treated in various manners. debug ip policy is showing me that the policy is doing exactly what I want it to do EXCEPT when the destination address is a directly connected network.

that is, if the destination is a network on some other router, with a route in the routing table, everything is fine. the next hop is set appropriately, and the debug shows that policy is applied properly.

however, when the destination is a directly connected network ( either a loopback or a LAN interface ) policy routing is not engaged.

true? experience? reference? as I said, can't find anything in the documentation on CCO.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45628t=45628
RE: Policy routing - directly connected interfaces [7:45628]
Check out page 819 of Doyle Vol 1.
ip local policy route-map
HTH

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 02, 2002 12:36 PM
To: [EMAIL PROTECTED]
Subject: Policy routing - directly connected interfaces [7:45628]

Continued policy routing testing of a customer network simulation in my lab has revealed something of interest to me. Can't find a revelation in the config and command references on CCO.

I have a policy set up such that packets with a particular source address and a particular destination address are treated in various manners. debug ip policy is showing me that the policy is doing exactly what I want it to do EXCEPT when the destination address is a directly connected network.

that is, if the destination is a network on some other router, with a route in the routing table, everything is fine. the next hop is set appropriately, and the debug shows that policy is applied properly.

however, when the destination is a directly connected network ( either a loopback or a LAN interface ) policy routing is not engaged.

true? experience? reference? as I said, can't find anything in the documentation on CCO.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45645t=45628
RE: Policy Routing Resources.. [7:43915]
Hi Rudy,

I find the following links on the Cisco site useful; you probably have found them already yourself. Just from personal experience, remember that policy routing can put a heavy load on your router, so be careful when you implement it.

http://www.cisco.com/warp/public/cc/techno/protocol/tech/plicy_wp.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt1/qcdpbr.htm

Regards,
Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43929t=43915
Policy Routing Resources.. [7:43915]
Hey guys,

If anybody has any good links or reading material on Policy routing please respond to this posting. I really want to get it down. I've searched everywhere and found about 3 links on the Cisco Website with pertinent information. If anybody knows where I can find all about policy routing just reply..

Thanx again my fellow Technologists!!!

TIA.. =0)
Rudy B

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43915t=43915
Policy routing - further tidbits [7:38551]
Should be obvious when considered logically. But one can never trust logic when it comes to how things work.

Policy can be applied on a subinterface by subinterface basis.

Policies applied to the physical interface have no effect on traffic arriving via the subinterface.

Policies do not apply to traffic for which the interface / subinterface are the end points, e.g. routing protocol updates.

Therefore, policies behave slightly differently than do access-lists, and one should use the different tools differently, depending upon the desired outcome.

Obvious stuff, but not necessarily covered specifically in the study material.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38551t=38551
Policy routing - interface or subinterface? [7:38528]
Just verifying something I am seeing in my lab.

All examples of policy routing that I can find, both in Doyle and on CCO, show policy routing as taking place on the physical interface. I can find no examples indicating that policies can be set on a subinterface.

However, I am finding in my lab that separate policies can indeed be set up on different subinterfaces.

Any comments from the field, based either on real world or lab rat experience?

( and yes, I have a customer, and I am testing this because I did the design before I studied the feasibility :- )

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38528t=38528
Re: Policy routing - interface or subinterface? [7:38528]
Yes, you can do this on a subinterface. I was doing it just yesterday in conjunction with an IPsec, GRE, NAT, and policy routing scenario. And -- surprisingly -- it worked!

John

On Sat, 16 Mar 2002, Chuck ([EMAIL PROTECTED]) wrote:

Just verifying something I am seeing in my lab.

All examples of policy routing that I can find, both in Doyle and on CCO, show policy routing as taking place on the physical interface. I can find no examples indicating that policies can be set on a subinterface.

However, I am finding in my lab that separate policies can indeed be set up on different subinterfaces.

Any comments from the field, based either on real world or lab rat experience?

( and yes, I have a customer, and I am testing this because I did the design before I studied the feasibility :- )

Chuck
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38529t=38528
policy routing and route tags [7:37258]
Is it possible to tag routes (via an IGP or BGP) and then perform a policy route decision which in part does a check for this tag?

Specifically, the logic I'm looking for is a route-map which is applied in the packet forwarding phase which will change the forwarding behavior if the packet is for a destination which is covered by a route advertisement which has one of these special tags.

Pseudo-logic for route-map:

route-map permit 10
 if (dst IP is covered by most specific route advertisement which has a tag = XYZ)
 then set attribute=value
 etc.

Extra credit for details on how this can be done on a Juniper or other platform.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37258t=37258
Re: Question about Policy routing [7:32560]
Recall that unlike access lists, if no match is found in a route map, the packet is forwarded through the normal routing process. If you look at the routing table, is the next hop for the destination 10.1.1.2?

Dovelet wrote in message news:[EMAIL PROTECTED]...

Hi all,

I have a question about policy route and I hope someone can help me. The Cisco router's config is as follows:

:
:
interface ethernet0
 ip policy route-map route1
!
route-map route1 10
 match ip address 11
 match ip next-hop 12
 set ip next-hop 10.1.1.2
!
access-list 11 permit ip 10.2.2.1
access-list 12 permit ip 10.1.1.1
:
:

In the configuration, I suppose if the packet goes into ethernet 0 with source ip address 10.2.2.1 AND the next-hop 10.1.1.1 will match the route-map and change its next-hop to 10.1.1.2. However, I found that the route-map does not check the second MATCH statement (i.e. match ip next-hop 12). I found that if the packet's source ip is 10.2.2.1 and no matter what the next-hop ip address is, the route-map will change its next-hop to 10.1.1.2. In the menu, it states that every MATCH statement must be matched for the set statement to be executed.

Can anyone help me? The router is Cisco 7200 and the IOS version is 12.0

Regards,
Dovelet

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32571t=32560
Question about Policy routing [7:32560]
Hi all,

I have a question about policy route and I hope someone can help me. The Cisco router's config is as follows:

:
:
interface ethernet0
 ip policy route-map route1
!
route-map route1 10
 match ip address 11
 match ip next-hop 12
 set ip next-hop 10.1.1.2
!
access-list 11 permit ip 10.2.2.1
access-list 12 permit ip 10.1.1.1
:
:

In the configuration, I suppose if the packet goes into ethernet 0 with source ip address 10.2.2.1 AND the next-hop 10.1.1.1 will match the route-map and change its next-hop to 10.1.1.2. However, I found that the route-map does not check the second MATCH statement (i.e. match ip next-hop 12). I found that if the packet's source ip is 10.2.2.1 and no matter what the next-hop ip address is, the route-map will change its next-hop to 10.1.1.2. In the menu, it states that every MATCH statement must be matched for the set statement to be executed.

Can anyone help me? The router is Cisco 7200 and the IOS version is 12.0

Regards,
Dovelet

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32560t=32560
Policy routing BGP Neighbor relationships [7:27976]
Is it me or does BGP not allow you to form a peering session unless you have a route to the host in the routing table, no matter what. It closes connected sessions even if I have policy route data forwarding configured and even if traffic is forwarding correctly. Is there some knob I'm forgetting about (other than using a static classful route to null0)?

My little diagram...

178.24.1.1/32        204.22.10.1/32
     Lo                    Lo
     |                     |
     R6                    R7
     |                     |
     S0                    S0
             192.1.1/24
    (.3)                  (.1)

a. No static routes entered on R6 or R7
b. BGP peers w/ loopback addresses

Here's 11.3 (R7) forgetting that it can reach the 12.0 router via policy

(debug output on R7)
3d05h: BGP: 178.24.1.1 remote close, state CLOSEWAIT
3d05h: BGP: 178.24.1.1 closing
(This message repeated indefinitely)
3d05h: BGP: 178.24.1.1 multihop open delayed 10112ms (no route)
3d05h: BGP: 178.24.1.1 multihop open delayed 12784ms (no route)

(traffic is forwarding!)
r7#ping 178.24.1.1
Sending 5, 100-byte ICMP Echos to 178.24.1.1, timeout is 2 seconds:
!

r7#config t
r7(config)#ip route 178.24.1.1 255.255.255.255 192.1.1.3[Ctl-Z]

[a few seconds later]
(debug output on R7)
3d05h: BGP: 178.24.1.1 open active, local address 204.22.10.1

r7#config t
r7(config)#no ip route 178.24.1.1 255.255.255.255 192.1.1.3[Ctl-Z]

[a few seconds later]
(debug output on R7)
3d07h: BGP: 178.24.1.1 multihop open delayed 17648ms (no route)

grrr.

(configs below)

Thanks for looking this over.

WAYNE BAETY, MCSE, A1C, USAF
Network Systems Trainer

ROUTER 6 CONFIG
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r6
!
logging buffered warnings
logging console warnings
enable password cisco
!
username cisco password 0 cisco
!
!
!
!
ip subnet-zero
!
!
!
process-max-time 200
!
interface Loopback0
 ip address 178.24.1.1 255.255.255.255
 no ip directed-broadcast
!
interface Ethernet0
 ip address 10.0.0.6 255.255.255.0 secondary
 ip address 6.6.6.6 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 clockrate 25
 cdp enable
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 ip address 10.255.1.2 255.255.255.252
 no ip directed-broadcast
 ip nat inside
 frame-relay interface-dlci 601
!
interface Serial0.2 point-to-point
 ip address 192.1.1.3 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip policy route-map ebgp-rehop
 frame-relay interface-dlci 607
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
router bgp 300
 network 178.24.0.0
 neighbor 204.22.10.1 remote-as 100
 neighbor 204.22.10.1 ebgp-multihop 2
 neighbor 204.22.10.1 update-source Loopback0
!
ip local policy route-map ebgp-rehop
ip nat pool dynamic-net-pool 178.24.16.1 178.24.191.254 prefix-length 16
ip nat inside source list 1 pool dynamic-net-pool
ip nat inside source static 178.24.3.13 10.253.1.1
ip classless
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 permit tcp any host 204.22.10.1 eq bgp
access-list 101 permit icmp any host 204.22.10.1 echo
access-list 101 permit icmp any host 204.22.10.1 echo-reply
route-map ebgp-rehop permit 10
 match ip address 101
 set ip default next-hop 192.1.1.1
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 monitor
END ROUTER 6 CONFIG

ROUTER 7 CONFIG
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r7
!
enable password cisco
!
username cisco password 0 cisco
ip subnet-zero
ip nat pool dynamic-net-pool 204.22.10.16 204.22.10.191 prefix-length 24
ip nat inside source list 1 pool dynamic-net-pool
ip nat inside source static 204.22.10.13 20.255.1.5
!
!
interface Loopback0
 ip address 204.22.10.1 255.255.255.255
!
interface Ethernet0
 ip address 10.0.0.7 255.255.255.0 secondary
 ip address 7.7.7.7 255.255.255.0
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
 clockrate 25
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 ip address 20.255.1.2 255.255.255.252
 ip nat inside
 no arp frame-relay
 frame-relay interface-dlci 705
!
interface Serial0.2 point-to-point
 ip address 192.1.1.1 255.255.255.0
 ip nat outside
 frame-relay interface-dlci 706
!
interface Serial1
 no ip address
Re: Policy routing BGP Neighbor relationships [7:27976]
Is it me or does BGP not allow you to form a peering session unless you have a route to the host in the routing table, no matter what.

Yes, eBGP won't form a session if the peer address is not in its route table.

It closes connected sessions even if I have policy route data forwarding configured and even if traffic is forwarding correctly.

The default for ip local policy route-map command is packets that are generated by the router itself are not policy routed. So the BGP session to port 179 that is generated by the router will not hit the route-map.

Is there some knob I'm forgetting about (other than using a static classful route to null0)?

None that I know other than static route to the loopback.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27982t=27976
can policy routing be used on one-arm rtr? [7:17618]
Hi,

I have a 3640 acting as a one-arm router to route between vlans. I would like to apply policy routing from vlan1 so that traffic leaving vlan2 from vlan1 is policy routed and traffic leaving vlan2 from other sources sees no policy. Is this possible even though policy routing affects inbound interfaces?

Servers in vlan2 are behind a nat-ting firewall which translates legal ip's to 10. nets. I need internal users from their own 10. net to be able to access these servers behind the firewall and let the public have access thru the firewall. Presently, I have no problem with public access but my route-map won't send internally sourced traffic back the way it came. It gets sent out thru the firewall.

vlan2 Servers -vlan1 internal users
  ^
  |
Public access

Any help is greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17618t=17618
Policy routing [7:16529]
Hey guys,

Can you help me on this? I have a 2610, and I have 2 leased lines. Is there a way that I can balance the load?

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16529t=16529
QOS/Policy routing [7:5227]
Hi folks,

I like to setup a policy so that any traffic destined to 1.1.1.0/24 will take precedence over the rest. My outbound link is a single T1. Please throw me a short sample config.

Thanks for helping.

-Frank

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5227t=5227
Re: QOS/Policy routing [7:5227]
How about this?:

access-list 100 permit ip any 1.1.1.0 0.0.0.255
priority-list 1 protocol ip high list 100

Then on the interface do a

priority-group 1

At 03:32 AM 5/21/01, you wrote:

Hi folks,

I like to setup a policy so that any traffic destined to 1.1.1.0/24 will take precedence over the rest. My outbound link is a single T1. Please throw me a short sample config.

Thanks for helping.

-Frank

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5232t=5227
Re: QOS/Policy routing [7:5227]
Hi;

Policy Routing sample

interface serial 0
 ip address x.w.y.z /netmask
 ip policy route-map frank
!
access-list 101 permit ip any 1.1.1.0 0.0.0.255
!
route-map frank permit 10
 match ip address 101
 set ip precedence critical
!

Priority Queue is another option.

HTH
Vincent Chong

Frank Kim

Hi folks,

I like to setup a policy so that any traffic destined to 1.1.1.0/24 will take precedence over the rest. My outbound link is a single T1. Please throw me a short sample config.

Thanks for helping.

-Frank

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5250t=5227
Policy routing [7:2871]
Hi,

I am having problem with my policy routing, hope that anyone can help me.

1) 1.1.1.1 is a low-end router connected to my high-end router ( multihomed, running HSRP).
2) 1.1.1.1 is in VLAN 154
3) 5.5.5.1 is the another neighbour router peering with my high-router router.

The problem is whenever I implement ip policy route-map TEST on the int fa1/1/0.154, the routing to router 1.1.1.1 will fail and the policy-routing won't work.

Please advise.

Andy

Configuration:

interface FastEthernet1/1/0.154
 encapsulation isl 154
 ip address 2.2.2.253 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 standby 154 priority 120 preempt
 standby 154 ip 2.2.2.1
ip access-list 1 permit 1.1.1.1
route-map TEST permit 1
 match ip address 1
 set ip next-hop 5.5.5.1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2871t=2871
Re: Policy routing [7:2871]
This would be a good case of making it work before adding the other commands, and then knowing why you're doing it. Hence, I'd ask these questions:

1. How can 1.1.1.1 and 2.2.2.x/24 be in the same VLAN/subnet unless one is a secondary off the high-end router? (traceroute 1.1.1.1)
2. If they are indeed in the same subnet, then does the policy-map really 'route' to 1.1.1.1? (show route-map)
3. Do you understand policy routing and the purpose of performing it? (show ip policy)
4. Have you checked the status of the ACL used for the route-map? (show access-list 1)
5. What happens when the policy route is not implemented? Is your routing to 1.1.1.1 working then? (show ip route)
6. Are you sure your configuration is correct? (http://www.cisco.com/warp/public/105/36.html)

-e-

- Original Message -
From: Andy Low
To:
Sent: Wednesday, May 02, 2001 4:44 AM
Subject: Policy routing [7:2871]

Hi,

I am having problem with my policy routing, hope that anyone can help me.

1) 1.1.1.1 is a low-end router connected to my high-end router ( multihomed, running HSRP).
2) 1.1.1.1 is in VLAN 154
3) 5.5.5.1 is the another neighbour router peering with my high-router router.

The problem is whenever I implement ip policy route-map TEST on the int fa1/1/0.154, the routing to router 1.1.1.1 will fail and the policy-routing won't work.

Please advise.

Andy

Configuration:

interface FastEthernet1/1/0.154
 encapsulation isl 154
 ip address 2.2.2.253 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 standby 154 priority 120 preempt
 standby 154 ip 2.2.2.1
ip access-list 1 permit 1.1.1.1
route-map TEST permit 1
 match ip address 1
 set ip next-hop 5.5.5.1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=2924t=2871
Fast-switched policy routing forwarding table entries..
Hello,

Does anyone know if source-based policy-routing entries are entered in the cache in the form of source, next-hop or source, dest, next-hop or ?

What I am trying to establish is whether a separate route table look up is performed for every unique source-destination pair, or whether since it is source-base policy routed, it simply does a single route table look up and uses the cached entry for every packet initiated from the same source?

Thanks,
Curtis
Re: Fast-switched policy routing forwarding table entries..
Curtis,

For fast switching a hash table is stored in the cache that consists of the hashed network destination and the next hop MAC header. CEF is a great improvement over fast switching but even that caches only the destination, and not the source. For source destination cache you have to go to Netflow which is only available in the high end platforms, 72xx or better. This is why access lists and process switching can tank your router performance.

Check out Phill Harris' 'Router Switching Performance Characteristics' session that he gives at Networkers--I pasted the link to the presentation below. It is easily one of the best sessions you can take at Networkers, and the only place I know to get no-nonsense Cisco Architecture info including information that Cisco will _never_ document.

http://www.cisco.com/networkers/nw00/pres/2203.pdf

If you can't attend Networkers you can buy the tape of the session.

--David

- Original Message -
From: "Curtis Phillips" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, March 23, 2001 8:48 AM
Subject: Fast-switched policy routing forwarding table entries..

Hello,

Does anyone know if source-based policy-routing entries are entered in the cache in the form of source, next-hop or source, dest, next-hop or ?

What I am trying to establish is whether a separate route table look up is performed for every unique source-destination pair, or whether since it is source-base policy routed, it simply does a single route table look up and uses the cached entry for every packet initiated from the same source?

Thanks,
Curtis
Policy routing: CPU util and counter-measures.
I was wondering whether anyone has been able to determine the approximate level of increased CPU utilization that is introduced by policy routing.

Also, whether Netflow, CEF or any other known means has been used successfully to establish flow information and faster switching using policy routing. If so, does the process base its flow/cache information exclusively on the source IP? or does it need to establish an individual entry for each source/destination pair?

Thanks,
Curtis
Re: Policy routing question
What i want to do is how to backup. It is always have several path to a Network 1, let's said path A,B,C. I want the traffic from 172.16.0.0 to 1 always go path A, but is path A down, i want the traffic go the best path in routing table to Net1( Maybe B or C, according to the IGP). So how should i config?

"Brian" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

On Tue, 5 Dec 2000, vtam wrote:

But the route table is learn through dynamic routing, so i cannot specify the next_hop. So are there any solution? Thanks.

I don't understand. You want to policy route based on source address right? What address would you like the traffic to be sent to? How that address is learned is of no consequence. If it must be recursively looked up so be it. Are you saying you don't know where you want to send the traffic?

Brian
Re: Policy routing question
First thing I noticed was that any packet that would match your access-list 2 would also match access-list 1 in the first sequence ( 10 in this case ) of the route map. So no packets with the first two octets of 172.16.. would ever make it to sequence 20 of the route map where access-list 2 is called. The result would be ALL packets 172.16.y.z would have the next-hop set to 172.1.1.1

So, I'd recommend referencing the more specific access-list first then follow the guidance below from Brian.

Hope this helps,
Frank

vtam,

You must specify multiple hops on the "set ip next-hop" line, like:

route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1 172.1.1.2

if 172.1.1.1 is down, it will use 172.1.1.2

Brian

On Mon, 4 Dec 2000, vtam wrote:

I don't really know how the policy routing run. This is my question: i want to apply policy routing according to the source, but when the set next-hop is not accessible, it should be route as normal routing process( route according to dest. ip address). This is the config i do.

int ser 1/0
 ip policy route-map test
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255
route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1
route-map test permit 20
 match ip address 2
 set ip next-hop 172.1.1.3

I want to ask some question:
1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be routed, or it would be drop?
2. Where should be the other traffic route? Is it routed or drop?
3. If question 1 is drop, how should i do to route that traffic?

Thanks.

---
Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)

---
Brian Feeny, CCNP+ATM, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
Re: Policy routing question
But the route table is learn through dynamic routing, so i cannot specify the next_hop. So are there any solution? Thanks.

"Brian" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

vtam,

You must specify multiple hops on the "set ip next-hop" line, like:

route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1 172.1.1.2

if 172.1.1.1 is down, it will use 172.1.1.2

Brian

On Mon, 4 Dec 2000, vtam wrote:

I don't really know how the policy routing run. This is my question: i want to apply policy routing according to the source, but when the set next-hop is not accessible, it should be route as normal routing process( route according to dest. ip address). This is the config i do.

int ser 1/0
 ip policy route-map test
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255
route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1
route-map test permit 20
 match ip address 2
 set ip next-hop 172.1.1.3

I want to ask some question:
1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be routed, or it would be drop?
2. Where should be the other traffic route? Is it routed or drop?
3. If question 1 is drop, how should i do to route that traffic?

Thanks.

---
Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
Re: Policy routing question
On Tue, 5 Dec 2000, vtam wrote:

But the route table is learn through dynamic routing, so i cannot specify the next_hop. So are there any solution? Thanks.

I don't understand. You want to policy route based on source address right? What address would you like the traffic to be sent to? How that address is learned is of no consequence. If it must be recursively looked up so be it. Are you saying you don't know where you want to send the traffic?

Brian

"Brian" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

vtam,

You must specify multiple hops on the "set ip next-hop" line, like:

route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1 172.1.1.2

if 172.1.1.1 is down, it will use 172.1.1.2

Brian

On Mon, 4 Dec 2000, vtam wrote:

I don't really know how the policy routing run. This is my question: i want to apply policy routing according to the source, but when the set next-hop is not accessible, it should be route as normal routing process( route according to dest. ip address). This is the config i do.

int ser 1/0
 ip policy route-map test
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255
route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1
route-map test permit 20
 match ip address 2
 set ip next-hop 172.1.1.3

I want to ask some question:
1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be routed, or it would be drop?
2. Where should be the other traffic route? Is it routed or drop?
3. If question 1 is drop, how should i do to route that traffic?

Thanks.

---
Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)

---
Brian Feeny, CCNP+ATM, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
RE: Policy routing question
May I take a stab, recognizing my experience here is limited to my reading.

Original questions:

1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be routed, or it would be drop?

CL: I don't know. My guess is the traffic would be black-holed. Same as if, in the regular routing process, an interface was down.

2. Where should be the other traffic route? Is it routed or drop?

CL: based on the construction of your original route-map, all other traffic would be dropped. Like an access list, a route map list has an implicit deny at the end. To correct this ( if that is your intention ) you would need to add a third section to the route map, e.g.

route-map test permit 30

this line would pass all remaining traffic into the regular routing process.

3. If question 1 is drop, how should I do to route that traffic?

CL: answer as part of #2

A further comment:

access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255

CL: I am not sure what access-list 2 accomplishes, particularly in the context of your route-map construction. All traffic from the 172.16.0.0 network would be covered by access-list 1, which in turn is processed as part of the route-map test 10 section. Nothing from the 172.16.0.0 network would ever reach the route-map test 20 section.

Also, 172.16.112.0 0.255.255.255 is a bit uncharacteristic. It is effectively the same as saying 172.0.0.0 0.255.255.255, but less easy to read, and hence a bit more confusing.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of vtam
Sent: Monday, December 04, 2000 5:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Policy routing question

But the route table is learn through dynamic routing, so i cannot specify the next_hop. So are there any solution? Thanks.

"Brian" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

vtam,

You must specify multiple hops on the "set ip next-hop" line, like:

route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1 172.1.1.2

if 172.1.1.1 is down, it will use 172.1.1.2

Brian

On Mon, 4 Dec 2000, vtam wrote:

I don't really know how the policy routing run. This is my question: i want to apply policy routing according to the source, but when the set next-hop is not accessible, it should be route as normal routing process( route according to dest. ip address). This is the config i do.

int ser 1/0
 ip policy route-map test
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255
route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1
route-map test permit 20
 match ip address 2
 set ip next-hop 172.1.1.3

I want to ask some question:
1. If 172.1.1.1 is down, can the traffic sourced by 172.16.0.0 will be routed, or it would be drop?
2. Where should be the other traffic route? Is it routed or drop?
3. If question 1 is drop, how should i do to route that traffic?

Thanks.

---
Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
Policy routing question
I don't really know how policy routing runs. This is my question: I want to apply policy routing according to the source, but when the set next-hop is not accessible, it should be routed as in the normal routing process (routed according to dest. IP address). This is the config I did.

int ser 1/0
 ip policy route-map test
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255
route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1
route-map test permit 20
 match ip address 2
 set ip next-hop 172.1.1.3

I want to ask some questions:

1. If 172.1.1.1 is down, will the traffic sourced by 172.16.0.0 be routed, or would it be dropped?
2. Where should the other traffic be routed? Is it routed or dropped?
3. If the answer to question 1 is drop, what should I do to route that traffic?

Thanks.
Re: Policy routing question
vtam,

You must specify multiple hops on the "set ip next-hop" line, like:

route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1 172.1.1.2

If 172.1.1.1 is down, it will use 172.1.1.2.

Brian

On Mon, 4 Dec 2000, vtam wrote:

I don't really know how policy routing runs. This is my question: I want to apply policy routing according to the source, but when the set next-hop is not accessible, it should be routed as in the normal routing process (routed according to dest. IP address). This is the config I did.

int ser 1/0
 ip policy route-map test
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.16.112.0 0.255.255.255
route-map test permit 10
 match ip address 1
 set ip next-hop 172.1.1.1
route-map test permit 20
 match ip address 2
 set ip next-hop 172.1.1.3

I want to ask some questions:

1. If 172.1.1.1 is down, will the traffic sourced by 172.16.0.0 be routed, or would it be dropped?
2. Where should the other traffic be routed? Is it routed or dropped?
3. If the answer to question 1 is drop, what should I do to route that traffic?

Thanks.

---
Brian Feeny, CCNP, CCDP [EMAIL PROTECTED]
Network Administrator
ShreveNet Inc. (ASN 11881)
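The matching behaviour this thread turns on, as an added Python model (not code from any poster, and not Cisco's implementation): wildcard-mask matching for the two access lists, first-match clause selection, and the ordered next-hop list from Brian's reply. The function names and the `usable_hops` input are assumptions made for the example.

```python
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF

def acl_matches(src, base, wildcard):
    """Standard ACL entry: bits set in the wildcard are 'don't care'."""
    s, b, w = (int(IPv4Address(x)) for x in (src, base, wildcard))
    care = ~w & MASK32
    return (s & care) == (b & care)

def normalise(base, wildcard):
    """Zero the don't-care bits so equivalent entries read the same."""
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    return f"{IPv4Address(b & ~w & MASK32)} {wildcard}"

# Constructed from the configuration posted in the thread.
ACLS = {
    1: [("172.16.0.0", "0.0.255.255")],
    2: [("172.16.112.0", "0.255.255.255")],
}
# (sequence, ACL number or None for a clause with no match line, targets)
ROUTE_MAP = [
    (10, 1, ["172.1.1.1", "172.1.1.2"]),  # the two-hop form from Brian's reply
    (20, 2, ["172.1.1.3"]),
]

def policy_route(src, usable_hops, route_map=ROUTE_MAP, acls=ACLS):
    """Return (sequence, target) for the first clause whose match succeeds.

    target is None when the clause matched but none of its targets is usable.
    The whole result is None when no clause matched, so no set is applied.
    usable_hops is an assumed input: the targets the router considers up.
    """
    for seq, acl, targets in route_map:
        if acl is None or any(acl_matches(src, b, w) for b, w in acls[acl]):
            # Evaluation stops at the first matching clause; later clauses
            # are never consulted for this packet.
            return seq, next((t for t in targets if t in usable_hops), None)
    return None

if __name__ == "__main__":
    up = {"172.1.1.2", "172.1.1.3"}          # constructed: 172.1.1.1 is down
    print(normalise("172.16.112.0", "0.255.255.255"))
    for src in ("172.16.112.5", "172.20.1.1", "10.1.1.1"):
        print(src, policy_route(src, up))
```

Running it shows that a 172.16.112.x source is always taken by sequence 10, so sequence 20 only ever sees sources in 172.0.0.0/8 outside 172.16.0.0/16.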
Re: Policy routing as security - thoughts?
Chuck,

As the area I work in is using this methodology, we are happy with its traffic separation and security. The implementation we use is one lot of traffic uses a GRE tunnel and policy mapping into and out of the tunnel at the ends.

Rob O'Brien
CCNA
Canberra, Australia

Chuck Larrieu wrote:

I swear the digressions will be the death of me yet!

I've been reading up on route-maps and policy routing. Got to thinking about something one of my associates at work said to me. He likes to use policy routing as a means of securing networks in extranet situations. You know - central site sells services to a number of unrelated partners. Sometimes even internet access. Of course, one can't allow customer A to see customer B's network, and vice versa. But both A and B should get to a particular service, be that a database, a server, internet access, or whatever.

So my comrade throws in policy routing. Source addresses from whatever interface or source address are only permitted to proceed out a particular interface or to a particular destination IP.

Sounds good on the surface. The question I have is the risk, particularly from spoofed addresses. I suppose that matching the source interface eliminates the address issue. Still, I gotta wonder. My associate says this isn't an issue and that I worry too much.

Anyone have any thoughts?

Chuck
--
I am Locutus, a CCIE Lab Proctor. Xx_Brain_dumps_xX are futile. Your life as it has been is over ( if you hope to pass ). From this time forward, you will study US! ( apologies to the folks at Star Trek TNG )
policy routing
Hello,

if you configure policy routing to route certain packets through interface S0, is there a way to automatically redirect packets through interface S1 if S0 is down?

thanks,

---
Gabriel Neagoe, GN379-RIPE
Networking solutions consultant
Cisco Certified Network Professional
Cisco Certified Design Associate
ST Romania
tel: +401 20 40 300
fax: +401 20 40 310
---
RE: policy routing
this is basic setup :-) i'm thinking on something more complicated so i want to keep policy routing :-)

---
Gabriel Neagoe, GN379-RIPE
Networking solutions consultant
Cisco Certified Network Professional
Cisco Certified Design Associate
ST Romania
tel: +401 20 40 300
fax: +401 20 40 310
---

-----Original Message-----
From: Ejay Hire [SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, October 03, 2000 5:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: policy routing

Not using policy routing, it's actually much simpler than that.

...
ip classless
ip subnet-zero
int serial 0
 ip addr 10.0.0.1 255.255.255.0
 backup interface serial 1
!
int serial 1
 ip addr 10.0.1.1 255.255.255.0
...

Alternately, you can have a route with a higher administrative distance than the normal route for Destination XXX, and if the connection to destination XXX evaporates, then the new route will enter the routing table. This is popular when migrating routing protocols.

Original Message Follows
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: policy routing
Date: Tue, 3 Oct 2000 17:16:38 +0200

Hello,

if you configure policy routing to route certain packets through interface S0, is there a way to automatically redirect packets through interface S1 if S0 is down?

thanks,

---
Gabriel Neagoe, GN379-RIPE
Networking solutions consultant
Cisco Certified Network Professional
Cisco Certified Design Associate
ST Romania
tel: +401 20 40 300
fax: +401 20 40 310
---
Re: policy routing
[EMAIL PROTECTED] wrote:

this is basic setup :-) i'm thinking on something more complicated so i want to keep policy routing :-)

Assuming you are doing policy routing with a route map, you would use something like...

route-map foobar permit 10
 match ip address some-access-list
 set [default] interface S0

but if you want it to fail over to S1 when S0 is down, just change the last line to:

 set [default] interface S0 S1

You can supply multiple interfaces; it uses the first one that is up. This won't work with 'set ip default next-hop' though.

Bear in mind that using the 'default' keyword makes it process-switched and eats up CPU.

Jeff Kell [EMAIL PROTECTED]
Re: policy routing
At 09:53 AM 7/4/00 -0700, Cormac Long wrote:

There are 2 problems with the route-map.
1. Syntax should be "set ip next-hop serial0"
2. There is no match in the map for 192.168.2.0 so those packets will get dropped.

I agree with point #1, but not point #2. The original route-map was like so...

route-map test permit 10
 match ip address 10
 set interface serial0
route-map test permit 20
 set interface serial1
access-list 10 permit 192.168.1.0 0.0.0.255

Sequence #20 in the route-map, because it contains no match and is a permit statement, is going to act like a "permit ip any any" at the end of an access-list. So anything that doesn't match sequence #10 will definitely match #20 and be sent out serial1 (once the 'set' command syntax has been corrected). The packets wouldn't be dropped unless it was a deny statement.

Jamie Byrne
Re: policy routing
Try changing the set interface to set next-hop. Use set next-hop when you know the next hop address. In your case:

change "set interface serial0" to "set ip next-hop 192.168.3.2"
and "set interface serial1" to "set ip next-hop 192.168.4.2"

When you said that your configuration wasn't working, was the traffic being dropped or routed out only one interface?

Tim

Nurarif Wibawa wrote:

Hi guys,

Please see configurations below:

ISP A owned 192.168.1.0/24 and ISP B owned 192.168.2.0/24

     ISP A            ISP B
       |                |
       |                |
    serial0          serial1
          ethernet0 -> using secondary address
       |                |
       |                |
 192.168.1.0/24   192.168.2.0/24

Customer which has 2 ISPs using 2 serial interfaces and 1 ethernet interface.

Let's say a user configured with network 192.168.1.0 should go through serial0 and a user configured with network 192.168.2.0 should go through serial1.

Please correct the router configuration below:

-
interface serial0
 ip address 192.168.3.1 255.255.255.252
interface serial1
 ip address 192.168.4.1 255.255.255.252
interface ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip policy route-map test
route-map test permit 10
 match ip address 10
 set interface serial0
route-map test permit 20
 set interface serial1
access-list 10 permit 192.168.1.0 0.0.0.255
--

Did I miss something? Because it won't work.

Thank you
policy routing
Hi guys,

Please see configurations below:

ISP A owned 192.168.1.0/24 and ISP B owned 192.168.2.0/24

     ISP A            ISP B
       |                |
       |                |
    serial0          serial1
          ethernet0 -> using secondary address
       |                |
       |                |
 192.168.1.0/24   192.168.2.0/24

Customer which has 2 ISPs using 2 serial interfaces and 1 ethernet interface.

Let's say a user configured with network 192.168.1.0 should go through serial0 and a user configured with network 192.168.2.0 should go through serial1.

Please correct the router configuration below:

-
interface serial0
 ip address 192.168.3.1 255.255.255.252
interface serial1
 ip address 192.168.4.1 255.255.255.252
interface ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip policy route-map test
route-map test permit 10
 match ip address 10
 set interface serial0
route-map test permit 20
 set interface serial1
access-list 10 permit 192.168.1.0 0.0.0.255
--

Did I miss something? Because it won't work.

Thank you
Re: policy routing
There are 2 problems with the route-map.

1. Syntax should be "set ip next-hop serial0"
2. There is no match in the map for 192.168.2.0 so those packets will get dropped.

Correct config should be:

route-map test permit 10
 match ip address 10
 set ip next-hop interface serial0
route-map test permit 20
 match ip address 11
 set ip next-hop interface serial1
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 11 permit 192.168.2.0 0.0.0.255

Regards,
Cormac Long
CCSI#21600
http://www.cormaclong.com

--- Nurarif Wibawa [EMAIL PROTECTED] wrote:

Hi guys,

Please see configurations below:

ISP A owned 192.168.1.0/24 and ISP B owned 192.168.2.0/24

     ISP A            ISP B
       |                |
       |                |
    serial0          serial1
          ethernet0 -> using secondary address
       |                |
       |                |
 192.168.1.0/24   192.168.2.0/24

Customer which has 2 ISPs using 2 serial interfaces and 1 ethernet interface.

Let's say a user configured with network 192.168.1.0 should go through serial0 and a user configured with network 192.168.2.0 should go through serial1.

Please correct the router configuration below:

-
interface serial0
 ip address 192.168.3.1 255.255.255.252
interface serial1
 ip address 192.168.4.1 255.255.255.252
interface ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
 ip policy route-map test
route-map test permit 10
 match ip address 10
 set interface serial0
route-map test permit 20
 set interface serial1
access-list 10 permit 192.168.1.0 0.0.0.255
--

Did I miss something? Because it won't work.

Thank you