Can Policy Routing be configured on the RPR interface?

We have three 10720 routers connected via an RPR ring, and we found that policy routing is not working; however, the same config works on Ethernet interfaces.

Are you applying the config on the DPT interface or the Ethernet interface? I'd be surprised if you could configure any policy routing on the DPT interface. Rather, I would have thought it should be applied on the Ethernet interfaces involved in the connection. Bear in mind that the router function of the 10720 does not really see the DPT ring, but rather logical point-to-point links.

Similar Messages

  • How can I get a reference to the Local interface of a EJB 3 session?

    Hi,
    How can I get a reference to the Local interface of a EJB 3 session?
    My session implements both the local and remote interfaces, so in my client, when I look up the remote interface using the following code, I do get a reference:
    processor = (IItemProcessorRemote) initialContext.lookup(IItemProcessorRemote.class.getName());
    but if I also look up the local interface in the client using this:
    processorLocal = (IItemProcessor) initialContext.lookup(IItemProcessor.class.getName());
    I get errors like the following. Do you know why? Thanks a lot!
    Exception in thread "main" javax.naming.NameNotFoundException: sessions.IItemProcessor not found
         at com.sun.enterprise.naming.TransientContext.doLookup(TransientContext.java:203)
         at com.sun.enterprise.naming.TransientContext.lookup(TransientContext.java:175)
         at com.sun.enterprise.naming.SerialContextProviderImpl.lookup(SerialContextProviderImpl.java:61)
         at com.sun.enterprise.naming.RemoteSerialContextProviderImpl.lookup(RemoteSerialContextProviderImpl.java:116)
         at sun.reflect.GeneratedMethodAccessor114.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.sun.corba.ee.impl.presentation.rmi.ReflectiveTie._invoke(ReflectiveTie.java:121)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatchToServant(CorbaServerRequestDispatcherImpl.java:650)
         at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:193)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1705)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:1565)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleInput(CorbaMessageMediatorImpl.java:947)
         at com.sun.corba.ee.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:178)
         at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:717)
         at com.sun.corba.ee.impl.transport.SocketOrChannelConnectionImpl.dispatch(SocketOrChannelConnectionImpl.java:473)
         at com.sun.corba.ee.impl.transport.SocketOrChannelConnectionImpl.doWork(SocketOrChannelConnectionImpl.java:1270)
         at com.sun.corba.ee.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:479)

    BTW, findItemByTitle(String title) is a business method in my ItemProcessor session bean.
    public String findItemByTitle(String title) {
        AuctionItem item;
        String result = null;
        try {
            // The query text is JPQL, so it belongs in createQuery(), not createNativeQuery();
            // the named parameter is written :aTitle with no space after the colon.
            Query query = entityManager
                    .createQuery("SELECT i FROM AuctionItem i WHERE i.title LIKE :aTitle");
            query.setParameter("aTitle", title);
            item = (AuctionItem) query.getSingleResult();
            result = item.toString();
        } catch (NoResultException notFound) {
            // getSingleResult() throws NoResultException (not EntityNotFoundException)
            // when nothing matches: fall through and return null
        } catch (NonUniqueResultException nonUnique) {
            // more than one item matched: fall through and return null
        }
        return result;
    }

  • Can't apply policy route-map on C3750 stack vlan interface

    Hi All.
    I've come up with this problem and I could see some people have had the same issue. I've tried to look over and check other replies, but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
    2 x WS-C3750G-24T-E in stack
    Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
    switch#sh sdm prefe
    The current template is "desktop IPv4 and IPv6 routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  1.5K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    2.75K
        number of directly-connected IPv4 hosts:        1.5K
        number of indirect IPv4 routes:                 1.25K
      number of IPv6 multicast groups:                  1.125k
      number of directly-connected IPv6 addresses:      1.5K
      number of indirect IPv6 unicast routes:           1.25K
      number of IPv4 policy based routing aces:         0.25K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.5K
      number of IPv6 policy based routing aces:         0.25K
      number of IPv6 qos aces:                          0.5K
      number of IPv6 security aces:                     0.5K
    There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map I can apply a policy route-map to Vlan5 and it is accepted without any errors. But when you do sh run vlan5 the command is not there; it's not applied.
    Any help will be appreciated.
    Thanks.

    Hi Jon.
    Thanks for your reply. I didn't put those configs in as they're basic, without use of VRF and WCCP. Also I've checked, or tried to find, the list of unsupported commands and didn't see them in that list. See config below with some extras:
    track 11 rtr 1 reachability
    track 22 rtr 2 reachability
    ip routing
    no ip dhcp use vrf connected
    interface GigabitEthernet1/0/1
    description ISP1
    no switchport
    ip address 9.9.9.2 255.255.255.252
    no ip proxy-arp
    no ip mroute-cache
    speed 100
    duplex full
    ipv6 address 2B01:4B8:0:3::2/64
    ipv6 ospf 1 area 0
    no mdix auto
    no cdp enable
    interface GigabitEthernet2/0/1
    description ISP2
    no switchport
    ip address 9.9.9.5 255.255.255.252
    ip ospf cost 10000
    speed 1000
    duplex full
    ipv6 address 2B01:4B8:0:7::2/64
    ipv6 enable
    ipv6 ospf cost 10000
    ipv6 ospf 1 area 0
    interface Vlan5
    description Company Ext Subnet
    ip address 9.9.8.1 255.255.255.128
    no ip proxy-arp
    no ip mroute-cache
    ipv6 address 2B01:4B8:1:22::1/64
    ipv6 ospf 1 area 15
    access-list 111 permit tcp any any eq www
    route-map pbr1 permit 10
    match ip address 111
    set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
    route-map pbr1 permit 20
    set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
    route-map pbr2 permit 10
    match ip address 111
    set ip next-hop verify-availability 9.9.9.6 1 track 11
    set ip next-hop 9.9.9.1
    route-map pbr2 permit 20
    set ip next-hop verify-availability 9.9.9.1 1 track 22
    set ip next-hop 9.9.9.6
    I've tried to apply both policies, pbr1 and pbr2; it allowed me to do that without errors, but in the end it wasn't there.
    Cheers,

  • NM-16ESW - adding a switch into a 3725 router slot - can i route traffic out of the switch ?

    Hi all,
    I have added the above module (16 switch port) into my router.
    R16#show ip int br
    Interface IP-Address OK? Method Status Protocol
    FastEthernet0/0 unassigned YES unset administratively down down
    FastEthernet0/1 unassigned YES unset administratively down down
    FastEthernet1/0 unassigned YES unset administratively down down
    FastEthernet1/1 unassigned YES unset administratively down down
    FastEthernet1/2 unassigned YES unset administratively down down
    FastEthernet1/3 unassigned YES unset administratively down down
    FastEthernet1/4 unassigned YES unset administratively down down
    FastEthernet1/5 unassigned YES unset administratively down down
    FastEthernet1/6 unassigned YES unset administratively down down
    FastEthernet1/7 unassigned YES unset administratively down down
    FastEthernet1/8 unassigned YES unset administratively down down
    FastEthernet1/9 unassigned YES unset administratively down down
    FastEthernet1/10 unassigned YES unset administratively down down
    FastEthernet1/11 unassigned YES unset administratively down down
    FastEthernet1/12 unassigned YES unset administratively down down
    FastEthernet1/13 unassigned YES unset administratively down down
    FastEthernet1/14 unassigned YES unset administratively down down
    FastEthernet1/15 unassigned YES unset administratively down down
    Vlan1 unassigned YES unset up down
    R16(config-if)#int fa1/0
    R16(config-if)#ip address 192.168.10.1 255.255.255.0
    % IP addresses may not be configured on L2 links.
    R16(config-if)#
    q1) Not being able to set an IP on the interface as shown above, I believe it is really a switch port. Is there any way I can see what kind of port an interface is or can be (switch port, routed port, etc.), or whether it is an L2 or L3 switch?
    q2) In that case, since the switch is already inside the router, how do I route L3 traffic out of the switch?
    Assuming fe0/1 on the router is the interface connected to the external network,
    and 2 workstations are attached to the switch ports fe1/1 and fe1/2, how can I set their gateway to point to fe0/1's IP? Can fe0/1 be connected to fe1/0 internally?
    Regards,
    Noob

    Hi KOE SIZE JIE, 
    q1) I tried the no switchport command on the 16 switch port module and it works. I can set an IP on the switch port. But according to Liam, it is an L2 switch; how come we can assign the no switchport command?
    As Bilal pointed out, I was mistaken; you can issue "no switchport" for an L3 routed port on that specific module.
    q2) It is said that on an L2 switch only 1 SVI can be connected (for management purposes only) and an L2 switch is not able to do routing. With the L2 switch module inserted into the router, will the SVI be able to do routing then?
    I believe this goes back to what Bilal was saying about limited functionality on the EtherSwitch. I will have to play with one in GNS3 to give you a solid answer.
    But I think what it is trying to say is... You cannot use SVIs for inter-VLAN routing. You can only have a single SVI for management purposes.
    q3) Liam, you mentioned earlier that fa0/0 is pointing to some network. Is fa0/0 in the same router as the 16 switchport module?
    ip route 10.10.10.0 255.255.255.0 192.168.1.254 -- this command seems to be saying: to access the 10.10.10.0 network, go to the next-hop IP 192.168.1.254 (but again, you are setting this next-hop IP on the current router interface itself). Did I get anything wrong?
    I have read back my post and this reads wrong.
    When I showed you the code snippet, 192.168.1.254 would be the interface on the next-hop router, not the router you are issuing the ip route command on. You would also need an IP address on the router interface directly connected to the next-hop router, i.e. 192.168.1.253.
    You will not then receive that error. Sorry about that, my sloppy config without a diagram!
    HTHs,
    Liam

  • Can't NetFlow be configured on a port of an F2 series module?

    According to "sm_nx.pdf(OL-25775-02)  p.19-21",
    "NetFlow 6.0(1) NetFlow is not supported on F2 Series modules."
    Does it mean just that configuring "flow exporter source" is not allowed for, for example, "ethernet 3/1" on an F2 linecard, while configuring "interface Ethernet3/1" on the F2 module with "ip flow monitor MONITOR1 input" and "ip flow monitor MONITOR1 output" remains usable and works normally? That is what I think; am I wrong?
    And I've found this page... http://www.cisco.com/en/US/products/ps9402/prod_models_comparison.html#~tab-c
    NetFlow    N7K-F248XP-25    Sampled
    Does it mean that, when I need to use NetFlow as an alternative to packet capturing, so that I need to pick up only the 4 fields "ip.src", "ip.dst", "tcp.srcport" and "tcp.dstport", but for all packets through the target interface, I may configure NetFlow on F2 like this?
    --------------- from here ---------------
    config t
    feature netflow
    sampler SAMPLE
      mode 1 out-of 1
    ! I'm trying to use NetFlow as an alternative to packet capturing,
    ! so I need to pick up just 4 fields, but for all packets through the target interface.
    flow exporter EXPORT
      destination 192.168.0.254 use-vrf management
      source mgmt0
    ! Above is the interface mgmt0.
      version 5
    flow record RECORD
      match ip protocol
      match ipv4 source address
      match ipv4 destination address
      match transport source-port
      match transport destination-port
      collect flow sampler id
      collect interface input
      collect interface output
    flow monitor MONITOR
      exporter EXPORT
      record RECORD
    interface vlan 1000
      ip flow monitor MONITOR input sampler SAMPLE
      ip flow monitor MONITOR output sampler SAMPLE
    --------------- to here ---------------

    Thanks for the suggestion kcell. I've tried both versions
    9.0.115 and 9.0.124 and both fail with the policy permission error.
    I also tried with and without your crossdomain.xml file but
    with the same result. It looks like this file is intended for URL
    policy, instead of socket policy. Recently Adobe separated the two.
    When I run with the files installed on my dev PC, it does
    work, which makes sense because the flash player isn't loaded from
    an unknown domain.
    I did get one step closer. If a crossdomain.xml in the server
    root exists and the socketpolicy file is loaded from the app folder
    then the first two warnings disappear. The logs now show:
    OK: Root-level SWF loaded:
    https://192.168.2.5/trunk/myapp.swf
    OK: Policy file accepted: https://192.168.2.5/crossdomain.xml
    OK: Policy file accepted:
    https://192.168.2.5/trunk/socketpolicy.xml
    Warning: Timeout on xmlsocket://192.168.2.5:843 (at 3
    seconds) while waiting for socket policy file. This should not
    cause any problems, but see
    http://www.adobe.com/go/strict_policy_files
    for an explanation.
    Warning: [strict] Ignoring policy file with incorrect syntax:
    xmlsocket://192.168.2.5:993
    Error: Request for resource at xmlsocket://192.168.2.5:993 by
    requestor from https://192.168.2.5/trunk/myapp.swf is denied due to
    lack of policy file permissions.
    Which basically says, everything is okay, but you stay out
    anyway.
    PS: I found the XML schema files here:
    http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_02.html
    and the socket policy schema:
    http://www.adobe.com/xml/schemas/PolicyFileSocket.xsd.
    UPDATE: When serving up the policy file on port 843 using the
    example perl script then the socket connection seems to be accepted
    and the connect succeeds. After that flex hangs trying to logon to
    the IMAP server.
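As an added example, not code from the reply above or from Adobe: a minimal socket master policy server in Python that answers the fixed <policy-file-request/> string Flash Player sends on port 843 (the log above shows why port 993 cannot serve it: an IMAP banner is not a policy), returning a policy scoped to one origin and one port rather than a wildcard. The origin 192.168.2.5 and port 993 are taken from the log; the loopback exchange binds an ephemeral port only because 843 is privileged.

```python
import socket
import threading
from typing import Dict, Optional, Tuple

# The fixed request Flash Player writes to port 843 (and, failing that, to the target port).
POLICY_REQUEST = b"<policy-file-request/>\x00"


def build_socket_policy(allowed: Dict[str, str]) -> bytes:
    """Socket master policy allowing only the listed origin -> port pairs, NUL-terminated."""
    rules = "".join(
        f'  <allow-access-from domain="{domain}" to-ports="{ports}" />\n'
        for domain, ports in allowed.items()
    )
    xml = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">\n'
        "<cross-domain-policy>\n"
        '  <site-control permitted-cross-domain-policies="master-only" />\n'
        f"{rules}"
        "</cross-domain-policy>\n"
    )
    return xml.encode("utf-8") + b"\x00"


def answer_policy_request(data: bytes, policy: bytes) -> Optional[bytes]:
    """Return the policy only for the exact request; anything else (for example an
    IMAP banner arriving first) is not a policy exchange and gets no reply."""
    return policy if data == POLICY_REQUEST else None


def serve_one_client(listener: socket.socket, policy: bytes) -> None:
    """Accept one connection, read up to the NUL terminator, answer, close."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(3.0)
        data = b""
        while not data.endswith(b"\x00") and len(data) < 64:
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
        reply = answer_policy_request(data, policy)
        if reply is not None:
            conn.sendall(reply)


def fetch_policy(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Client side: send the request and read the NUL-terminated policy back."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(POLICY_REQUEST)
        while not buf.endswith(b"\x00"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def run_local_exchange(allowed: Dict[str, str]) -> Tuple[bytes, bytes]:
    """Loopback demo on an ephemeral port (843 needs root); returns (served, received)."""
    policy = build_socket_policy(allowed)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one_client, args=(listener, policy), daemon=True)
    worker.start()
    try:
        received = fetch_policy("127.0.0.1", port)
    finally:
        worker.join(5.0)
        listener.close()
    return policy, received


if __name__ == "__main__":
    served, got = run_local_exchange({"192.168.2.5": "993"})
    print(got.decode("utf-8", "replace"))
```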

  • Can I modify cluster configuration on the fly

    If we have say 3 iAS instances in a cluster.
    Is it in any way possible to remove one of the iAS instances from the cluster while the cluster is still online? My understanding is that any change to the cluster requires restarting all instances in the cluster. Is that correct?

    The answer to your question depends on how you set up your cluster in the first place. If all your servers are "sync servers" then the answer is no. A restart of the cluster is required if you want to change or remove a node from the cluster. However, if the machine you wanted to remove was a "sync local", then you would be able to remove it from the cluster without a restart.
    (It probably won't be a sync local if you used iASAT to create your cluster)

  • Firefox stopped working for facebook apps. Will not allow apps (Farmville) etc to connect to facebook. Can't post to feed as the share interface won't connect.

    Facebook apps like Farmville and snagbar etc. won't connect to Facebook. Won't connect to be able to share or post to feeds from Farmville. Won't connect to snagbar. Have removed that for now. Stopped working last night and nothing had been changed. Have done everything suggested. Please help, as I like Firefox more than other browsers. Everything is working OK on IE and Chrome.

    Hello,
    Some problems with Flash video playback can be resolved by disabling hardware acceleration in your Flash Player settings. (See the article "Flash Plugin - Keep it up to date and troubleshoot problems" for more information on using the Flash plugin in Firefox.)
    To disable hardware acceleration in Flash Player:
    1. Go to this Adobe Flash Player Help page: http://helpx.adobe.com/flash-player/kb/video-playback-issues.html#main_Solve_video_playback_issues
    2. Right-click on the Flash Player logo on that page.
    3. Click on Settings in the context menu. The Adobe Flash Player Settings screen will open.
    4. Click on the icon at the bottom-left of the Adobe Flash Player Settings window to open the Display panel.
    5. Remove the check mark from Enable hardware acceleration.
    6. Click Close to close the Adobe Flash Player Settings window.
    7. Restart Firefox.
    The Flash Player Help - Display Settings page (http://www.macromedia.com/support/documentation/en/flashplayer/help/help01.html) has more information on Flash Player hardware acceleration, if you're interested.
    Does this solve the problem? Let us know.

  • How can I report an error in the French interface of FCP X ?

    Hello All,
    I'm building an EXCEL shortcuts sheet for FCP X 10.0.7 Fr and discovered a few errors in the translation.
    How can I report them to Apple Localization Engineering, pls?
    Thanks.

    http://www.apple.com/feedback/finalcutpro.html

  • Can someone explain to me about the "Facebook" interfacing with mountain lion?

    I've been hearing about one of the new features of Mountain Lion can now interact with facebook?  If this is true how?

    Pending.  Facebook integration will be launched in the fall.
    http://www.apple.com/osx/whats-new/features.html#facebook

  • HT201974 I cannot find my Airport on the network interface nor anywhere; how do I bring my Airport back

    Help, I can't find my Airport anywhere. I cannot bring it back on or up; it doesn't appear anywhere.

    Since you have an OS X 10.6.8 Snow Leopard question......and we handle questions about the AirPort routers here...... your best resource would be the Snow Leopard support community forum.
    I suggest that you post in that location. The link is here:
    Mac OS X v10.6 Snow Leopard

  • Policy routing

    Hello,
    Can I do policy routing only if a route is present? My problem is that I want to send some traffic to another router, but if this router loses its internet connection my router continues to send it this traffic and it's dropped.
    Regards.

    If all of the routers are connected via a common Ethernet segment you could run HSRP between the Internet router and the other router with the Internet router being the primary. Then you can policy route your traffic to the HSRP address. If you configure HSRP to track your internet connection and there is a failure, HSRP would fail over to the standby router. PBR would then be sending the traffic to the other router to meet your requirement.

  • I can't open the configuration from the mail.

    I can't use the mail because I can't open the configuration from the e-mail.
    The other configurations work correctly. How do I solve this problem?

    Back again:
    On your "Settings" screen, tap the "General" entry in the list, then tap "Restrictions" in the next list. If it says "Enable Restrictions" there, it is fine; if it says "Disable Restrictions", tap it so that it says "Enable Restrictions".
    Your mail accounts are reachable: go back to the first Settings screen, tap "Mail, Contacts, Calendars"; the list you then see begins with "Accounts", where it says "Add Account". Tap that, and you get seven account types with presets, with "Other" below them if you don't want one of those seven.

  • Ipfilter: does policy routing work on Solaris 10?

    Hello,
    - Does the ipf redirection (aka policy routing) feature work with the
    ipfilter that comes with Solaris 10?
    I would like to use the ipf redirection statements "to
    interface:router_ip" or "reply-to interface:router_ip" as described in
    http://coombs.anu.edu.au/~avalon/ipf.new.txt
    (The syntax is mentioned in the BNF of the Solaris 10 ipf(4) man
    page, but the explanations there are lacking.)
    On a machine that has two interfaces, the purpose is to send output
    reply packets of a TCP session to the same interface that the input
    packets came from. The idea to use ipfilter to do this comes from the
    blog entry:
    Packets out of the wrong interface
    http://blogs.sun.com/carlson/entry/packets_out_of_the_wrong
    My first try was to use "reply-to" in a "keep state" rule:
    pass in quick on e1000g305000 reply-to e1000g305000:10.13.5.1 proto tcp from any to any port = 443 keep state keep frags group i_sso-test1
    Which I understand as "once a connection to port 443 starts on
    interface e1000g305000 send all reply packets to the same interface to
    the gateway 10.13.5.1"
    But it does not work; in the ipf log it shows that the rule matched:
    22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
    22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
    But the reply packet is not seen on the router (10.13.5.1), nor does
    it get to 10.194.17.11 through another route (no firewall on that
    machine).
    My second try was to use two stateless rules, and to do "source port
    routing" for outgoing packets:
    pass in quick proto tcp from any to any port = 443 group i_sso-test1
    pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
    pass out quick proto tcp from any port = 443 to any group o_sso-test1
    Which I understand as "incoming packets to port 443 are allowed and
    outgoing packets from port 443, if passing on interface e1000g0, are
    redirected through interface e1000g305000 via the gateway 10.13.5.1,
    if not, are just allowed".
    It does not work either; in the ipf log it shows that both the in and
    the first out rules matched:
    23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
    23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
    But again the reply packet seems to be lost in thin air.
    I have tried various other rules to no avail.
    - Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
    u7?
    - Am I missing something in the configuration?
    - Shouldn't the ipf log show the outgoing reply packet twice? (Once on
    the "wrong" interface e1000g0 and once on the interface it is
    redirected to e1000g305000.) Or indicate in another manner that the
    redirection occurred (like it indicates K-S for "keep state")?
    Context:
    # netstat -rn
    Routing Table: IPv4
    Destination Gateway Flags Ref Use Interface
    default 10.194.7.1 UG 1 2407
    default 10.194.7.1 UG 1 5104 e1000g0
    10.13.5.0 10.13.5.181 U 1 5 e1000g305000:1
    10.194.7.0 10.194.7.81 U 1 3 e1000g0:2
    224.0.0.0 10.194.7.81 U 1 0 e1000g0:2
    127.0.0.1 127.0.0.1 UH 1 7 lo0:7
    # cat /etc/release
    Solaris 10 5/09 s10s_u7wos_08 SPARC
    Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 30 March 2009
    # ipf -V
    ipf: IP Filter: v4.1.9 (592)
    Kernel: IP Filter: v4.1.9
    Running: yes
    Log Flags: 0x70000000 = pass, block, nomatch
    Default: pass all, Logging: available
    Active list: 0
    Feature mask: 0x107
    If it matters, this is occurring in a Solaris 10 zone, with virtual
    interfaces one of which uses 802.1q tagging (vlan 305, subnet
    10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
    interface 10.13.5.1 on the server side.
    Thanks in advance for your help in this matter!
    Best regards,
    Dominique
    Mr Dominique Petitpierre      Email: User@Domain
    Division Informatique         User=Dominique.Petitpierre
    University of Geneva          Domain=unige.ch

    I was saying:
    If it matters, this is occurring in a Solaris 10 zone, with virtual
    interfaces one of which uses 802.1q tagging (vlan 305, subnet
    10.13.5.0/24),...
    Well, it turns out that 802.1q tagging does matter: packets redirected
    by an ipf policy based routing rule to an interface with tagging are
    not transmitted.
    In order to better see what was happening the ipf rules were extended
    like this (stateless case):
    @1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
    @2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
    @1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
    @2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
    @3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
    @4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1
    Also, for the purpose of the demonstration, the zone configuration was
    modified to direct all packets to the same interface with tagging,
    thus having just one default route:
    zonecfg -z sso-test1 info net
    net:
            address: 10.13.5.181/24
            physical: e1000g305000
            defrouter: 10.13.5.1
    net:
            address: 10.194.7.81/24
            physical: e1000g305000
            defrouter: 10.13.5.1
    netstat -rn
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref     Use     Interface
    default              10.194.7.1           UG        1       2867          
    default              10.13.5.1            UG        1         86 e1000g305000
    10.13.5.0            10.13.5.181          U         1          2 e1000g305000:1
    10.194.7.0           10.194.7.81          U         1          0 e1000g305000:3
    224.0.0.0            10.13.5.181          U         1          0 e1000g305000:1
    127.0.0.1            127.0.0.1            UH        1          7 lo0:7
    (In this peculiar case the default route to 10.194.7.1 is an artifact
    displayed by netstat due to the zone isolation mechanism, but it is
    not actually used for routing at the zone level; the interface without
    tagging, e1000g0, is only displayed on the global zone where ipfilter
    operates)
    When testing from 10.194.17.11 with "telnet 10.13.4.180 443", it
    works. And one can see in the ipf logs that it is the third out rule
    that matched (@o_sso-test1:3), i.e. there was no redirection on
    another interface (proof that there is nothing wrong with the context
    setup):
    16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
    16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
    16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A IN
    When testing from 10.194.17.11 with "telnet 10.194.7.81 443", it works
    also. This time one can see in the ipf logs that it is the second out
    rule that matched (@o_sso-test1:2), i.e. there was redirection from
    e1000g305000 to e1000g0.
    16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
    16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
    16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A IN
    A packet capture confirms this and one can see in the capture the
    SYN-ACK reply packet go out on e1000g0.
    The reverse case, essentially the original setup shown in my first
    post, where the default route is the interface without tagging
    (e1000g0) and the reply packet matches the redirection rule from
    e1000g0 to the interface with tagging e1000g305000, the packet is lost
    (i.e. is not visible in the packet capture on either interface).
    Further tests with stateful redirection ("reply-to") show the same
    pattern (does not work when packets are redirected to an interface
    with tagging).
    It looks like it is a bug: maybe ipfilter injects the redirected
    packet at a processing stage where it should already have an 802.1q tag
    but does not, or something similar; in the working case, ipfilter acts
    on a not yet tagged packet which can be used "as is" at the same
    processing stage on the non-tagging interface, and thus is correctly
    transmitted.
    Conclusion: ipfilter policy based routing does work on Solaris 10u7,
    but, at least in my setup, not when redirection occurs to an 802.1q
    tagging interface.
    - Could somebody confirm this?
    - Is this a known bug? (I didn't find anything relevant on sunsolve or
    on the ipfilter mailing list)
    Edited by: kleinstein on Oct 1, 2009 4:22 AM
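As an added example (not code from this thread), a small Python parser for ipmon pass lines in the format quoted above, which pairs each inbound SYN with its outbound SYN-ACK and reports when the reply leaves on a different interface from the one the request arrived on. The embedded log lines are copied from the posts above; rule tags, flag letters and interface names follow that format. It only shows which interface ipf logged the reply on, not whether the frame was actually transmitted, so the lost-packet case found above still needs a capture on the redirect target.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ipmon "pass" lines copied from the posts above (IN = inbound SYN, OUT = the SYN-ACK reply).
IPF_LOG = """\
22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
"""

# timestamp interface @group:rule action src,sport -> dst,dport PR proto len hlen plen <flags...> IN|OUT
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ifname>\S+) @(?P<group>[^:\s]+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<tail>.*?)\s*(?P<dir>IN|OUT)$"
)


@dataclass
class LogEntry:
    ts: str
    ifname: str
    rule: str         # "@group:number" exactly as ipmon tags the matching rule
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str        # TCP flag letters as ipmon prints them: "S", "AS", "A"
    keep_state: bool  # "K-S" present, i.e. the packet created or used a state entry
    direction: str    # "IN" or "OUT"


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one ipmon pass/block line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("tail").split()
    flag_tok = next((t for t in tokens if t.startswith("-")), "-")
    return LogEntry(
        ts=m.group("ts"), ifname=m.group("ifname"),
        rule=f"@{m.group('group')}:{m.group('rule')}",
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        proto=m.group("proto"), flags=flag_tok[1:],
        keep_state="K-S" in tokens, direction=m.group("dir"),
    )


@dataclass
class Finding:
    client: Tuple[str, int]
    server: Tuple[str, int]
    in_if: str        # interface the SYN arrived on
    out_if: str       # interface ipf logged the SYN-ACK leaving on
    out_rule: str

    @property
    def asymmetric(self) -> bool:
        return self.in_if != self.out_if


def correlate(log_text: str) -> List[Finding]:
    """Pair each inbound TCP SYN with the outbound SYN-ACK of the same session."""
    pending: Dict[Tuple[str, int, str, int], LogEntry] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.proto != "tcp":
            continue
        is_syn = "S" in e.flags and "A" not in e.flags
        is_syn_ack = "S" in e.flags and "A" in e.flags
        if e.direction == "IN" and is_syn:
            pending[(e.src, e.sport, e.dst, e.dport)] = e
        elif e.direction == "OUT" and is_syn_ack:
            # the reply's tuple is the request's tuple reversed
            req = pending.pop((e.dst, e.dport, e.src, e.sport), None)
            if req is not None:
                findings.append(Finding(
                    client=(req.src, req.sport), server=(req.dst, req.dport),
                    in_if=req.ifname, out_if=e.ifname, out_rule=e.rule,
                ))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One line per session; ASYMMETRIC marks replies ipf sent out another interface."""
    return [
        f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]} "
        f"in {f.in_if}, SYN-ACK out {f.out_if} by {f.out_rule}"
        + (" ASYMMETRIC" if f.asymmetric else "")
        for f in findings
    ]


if __name__ == "__main__":
    for line in summarize(correlate(IPF_LOG)):
        print(line)
```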

  • Web filter policy route

    Hello,
    We currently have our gateway / web filter routing set up in this manner:
    lan --- 2921 ---asa(firewall) ---internet
              |
               ------  web filter
    So the traffic destined to the internet that is not supposed to be filtered goes right through the router to the ASA. The traffic that is destined to be filtered gets policy routed to the web filter, which then gets routed back to the 2921 and out to the ASA. This is a bad design, I will admit that.
    What I want to do is this:
    lan - 2921 --- asa(firewall) --- internet
              |                    |
              --- web filter ---
    With this change the traffic will not have to go back to the router and then back out to the asa.  This will cut the traffic going through the router in half, which will result in lower cpu usage.
    My question about changing this is as follows.
    The ASA has a route to the LAN networks that are getting filtered. Let's say they are 172.16.0.0/16. The route comes from the LAN, which is advertised to the router, which in turn is advertised to the ASA. If I use a route-map to policy route certain networks to the web filter, will the return traffic go back through the web filter or will it go back directly to the router? I don't have a spare ASA to test this with.
    Thanks,
    Dan.

  • Policy route on CSS11506 management interface?

    Can I set up a policy route so that all the response traffic that came in on the management interface will go out through it?
    If so, please advise how to do it.
    Any comments will be appreciated.
    Thanks in advance.

    not possible.
    If you want this behavior, you can achieve it by source NATing on the next hop all traffic going to the CSS. This will force the CSS to respond back to the NATed IP address on the same interface.
    Gilles.
