Ip helper address with Policy Base Routing
Does ip helper work with Policy Base Routing? and if so how and what version of the router software do you need?
thanks
As first function at the ingress interface is ip_helper, as second function at the same ingress interface is policy-based-routing.
We have the same situation regarding ip nat in combination with policy-based-routing.
Similar Messages
-
Ip helper-address with two dhcp server
I have two dhcp server running on vlan1, which serving our workstation on vlan2. 10.10.10.51 is our primary and 10.10.10.52 is secondary server.
My question is:
- Which server would my workstation get the dhcp from?
- If the primary server is down, could I reach the second dhcp server? and if the primary server back online.. Which server would be serving our dhcp client?
interface Vlan1
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip directed-broadcast
interface Vlan2
ip address 10.10.20.1 255.255.255.0
ip helper-address 10.10.10.51
ip helper-address 10.10.10.52
no ip redirects
ip directed-broadcast
Hi,
I don't agree.
AFAIK, using two ip helper-address entries in a router config will cause the dhcp request being sent to BOTH dhcp servers.
So both the primary and secondary dhcp server will send a dhcp offer to the workstation. The workstation will choose one of the offers and confirm it to the server.
So ip helper-address command will not help you to choose if dhcp server is primary or secondary.
You can either use different dynamic address pools on primary and secondary dhcp server (and the same static entries) or to arrange some kind of dhcp server failover:
See
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_DHCP_imp_ClusteringSupport.htm
There is also RFC 2131 describing DHCP Failover Protocol.
Regards,
Milan
-
CAT 3750 Policy base routing performance
Does anybody know where I can find data about the performance of routing on the Catalyst 3750 when I use policy base routing on it? And what methods of packet switching are available with policy base routing?
Check out the following link on configuring PBR on Catalyst 3750 switches:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a0080502417.html#wp1228588
-
Does icmp redirect work with policy based route
Setup:
R1 and R2 on same ip net.
On R1 policy based route is configured with R2 as next hop.
Will R1 send icmp redirect (to use R2 instead) to those hosts that match the policy based routing ?
Thanks.
Gert Schaarup
Hi Gert,
The answer to your question is yes. I have verified this in a lab previously. As long as all the conditions for ICMP redirect have been met (source address on same net, best gateway on same net) then ICMP redirects are sent regardless of whether PBR or normal routing is being used.
Hope that helps - pls rate the post if it does.
Paresh
-
Cisco 3945 Policy Base Routing
I have a Cisco 3945, it has on it two DS3 lines which I like to treat independent from each other.
I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet, but since the router is configured with one static route, GIG 0/1 can't be pinged from the outside.
Any help would be greatly appreciated
This is my current config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname MOVLABT3-CA-ES
boot-start-marker
boot-end-marker
card type t3 1
card type t3 2
enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
no aaa new-model
no ipv6 cef
ip source-route
ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1015775704
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1015775704
revocation-check none
rsakeypair TP-self-signed-1015775704
crypto pki certificate chain TP-self-signed-1015775704
certificate self-signed 01
quit
license udi pid C3900-SPE150/K9 sn FOC16313DE8
hw-module sm 1
hw-module sm 2
controller T3 1/0
cablelength 75
controller T3 2/0
cablelength 75
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip nat outside
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
end
This is what it looks like now, and I still can't ping gig 0/1 from the internet
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip virtual-reassembly in
ip policy route-map pbr
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
ip local policy route-map PBR
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
route-map pbr permit 10
match ip address 101
set ip next-hop 205.214.40.5
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
end
-
hi
i attach picture
i want answer to any user from the same router
example :
request user1 from isp1 , i answer it from same isp1 router
I think ASA does not support PBR, please help me with the same scenario.
Policy-based routing, similar to what an IOS router can do based on incoming traffic and then overriding the routing table for the next hop, isn't a feature in the ASA.
We can do policy based NAT, inspection and filtering, but not policy based routing.
-
Need basic Help - SG300 with vlan and routing
Hi,
i need some basic help with configuring vlan/routing.
Situation:
DSL Router - Cisco 300 - XenServer
192.168.1.253 - 192.168.1.19 - 192.168.1.10 (mgmt ip)
goal is, to reach from inside xenserver vms the internet.
vms = 192.168.2.x
gateway ip = 192.168.2.1
what i did:
- configured vlan 102, tagged, with the xenserver port
- configured on xenserver a network with vlan id 102, attached to the vm
- this network is connected to an external bond
- configured IPv4 interface: vlan102 - Static - IP 192.168.2.1 (this is the gateway ip of the vms)
- automatic configured IPv4 Route: 192.168.2.0/24 next hop 0.0.0.0, Directly connected
So at the moment i cant ping from inside a vm to the DSL Router (192.168.2.2 to 192.168.1.253)
any ideas what i misconfigured or whats wrong?
cheers,
-Marco
Hi Tom,
ok, that makes sense. I can ping the router now inside vms from the 192.168.2.x network.
But I can't ping external addresses, error: Destination net unreachable.
The other problem I have is that I can't reach any server from outside over router port forwarding.
How do I have to configure the upload port to the DSL router? Is it an access port or a trunk
port with all vlans (tagged or untagged?) At the moment I have a tagged trunk port with all vlans.
IPv4 Interface Table
Interface | IP Address Type | IP Address   | Mask          | Status
VLAN 1    | Static          | 192.168.1.19 | 255.255.255.0 | Valid
Should the VLAN1 IP address not be the router IP address? Do I need an additional vlan for
the router? At the end I would like to change the switch IP from DHCP to static (it changes automatically
when switching to layer 3 mode), but I have to look for the IOS commands first.
What else am I missing?
Thanks a lot,
Marcus
-
Is there someone in the St. Louis area I can get to help me with a new router
I have to install a new router for my Apple 10.7.4. Is there someone in the St Louis MO area I can get to help me with this?
Hi Robert, perhaps we can help you here, what is the question(s)?
-
Help me with my WRT54GL router plz :(((((
When I connect my router to the adapter, the power LED keeps blinking and all the other LEDs stay green, except the DMZ and WLAN LEDs, which don't work. I tried a reset but it doesn't work, and when I connect it to my PC I can't access the main page at 192.168.1.1. Please, I want help.
I have a PC and a laptop, and I connect the PC to the router and the laptop to the wireless. I never play with the IP address or such things because I don't know them and am afraid to damage something, so I think it still has the IP 192.168.1.1. I tried connecting the modem directly to the PC and the internet worked, and ping too, but with my router no. I also tried putting the cable in all the ports 1, 2, 3, 4 and it still gives me the same 100% loss when I ping.
-
Please help me with my wireless router WRT54G
Hi, I have a wireless linksys router model WRT54G. what i want to do it´s configure a network in my home. I have 2 pc´s, a laptop an a desktop. what I should do to be able to share files,music,videos. between both computers? the laptop has Windows Vista, the desktop has Windows XP Professional. Please Help me. Thank You really Much.
Try this link for file and printer sharing. Also make sure you are running latest firmware on router. You can check it from www.linksys.com/download
-
If you can help me any amount I will be grateful I have 3 Laptops in my house and when one of them is online (like playing online games and stuff like that) when the second gets on the router drops the first laptop for a couple minutes then it reconnects the first laptop so they are both online. Then the third gets on and the router drops the first and second laptop for a couple minutes then reconnects to both of them. So they are all three connected. I want to know if there is a way to make it so that the router wont disconnect any of the laptops when another accesses it.
Message Edited by PaintballFreak on 07-15-2007 08:41 PM
Hi… logon to router’s setup page, try changing wireless channel to 1 or 11, go to advanced wireless settings reduce beacon interval to 50, fragmentation and RTS threshold to 2304, change Transmission rate to 54 MBps…click on "application & gamings" >> QoS >> enable the WMM feature...also try upgrading latest firmware on router, check whether it makes any difference or not and let me know.
-
Hi all,
I have one ASA 5525 with 2 ISPs connected to the ASA and have 4 LANs behind the ASA. I need subnet1 and subnet2 to access the internet via ISP1, and subnet3 and subnet4 to access the internet via ISP2. What are the steps to complete this requirement? Please see the diagram in the attached file. Thanks for the support.
Hi,
Have a look at this link for config example:
https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla
HTH
-
Switches that do dhcp relay (ip helper address)
Hi all,
I'm looking at this switch, the 1810 24g, and I was wondering whether it does dhcp relay (ip helper address), i.e. forward dhcp addresses from the dhcp server to the switch?
Many thanks
Rob
Hi,
on all the vlan interfaces where the DHCP server doesn't reside you must configure
interface Vlan
description Client VLAN
ip helper-address
When a client now sends DHCP request, the router
forwards this request to the ip helper-address.
Because the router also puts in its own interface ip address as source ip, the packet finds the way back.
DHCP uses UDP ports 67 and 68. With the command ip helper-address, there are also some other ports which are opened for UDP. To close these ports you configure (global command)
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
On your DHCP Server you have to configure a scope for each ip subnet.
If your dhcp server is located in the server vlan, do NOT configure a helper-address there.
For the migration I would suggest using two different ip subnets. Imagine all your clients are now in VLAN2 10.2.0.0/16. If you have this IP subnet on your router you can't add a new VLAN with 10.2.1.0/24, because this overlaps.
So make the new VLANs with 10.3.1.0/24, 10.3.2.0/24, ... and move the clients to the new
vlans by changing the vlan of the port where the PC is connected. When you then reboot the PC it should get a new ip from the dhcp and everything should be fine.
Bye
Jo -
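The default UDP relaying that Jo's reply warns about can be checked offline against a saved configuration. This Python sketch is an added example, not part of the original thread: the port table follows the documented IOS default `ip forward-protocol udp` set, the function name is hypothetical, and both sample configs are constructed.

```python
import re

# UDP services IOS relays to every helper address by default.
# Only BOOTP/DHCP (67/68) is needed for a DHCP relay.
DEFAULT_FORWARDED = {
    "time": 37, "nameserver": 42, "tacacs": 49, "domain": 53,
    "bootps": 67, "bootpc": 68, "tftp": 69,
    "netbios-ns": 137, "netbios-dgm": 138,
}
DHCP_PORTS = {67, 68}

# Constructed sample configs (addresses borrowed from the thread above).
WEAK = """
interface Vlan2
ip address 10.10.20.1 255.255.255.0
ip helper-address 10.10.10.51
ip helper-address 10.10.10.52
no ip forward-protocol udp tftp
"""
HARDENED = WEAK + "".join(
    f"no ip forward-protocol udp {svc}\n"
    for svc in ("nameserver", "domain", "time",
                "netbios-ns", "netbios-dgm", "tacacs"))


def audit_helper_forwarding(config):
    """Return (helpers per interface, non-DHCP UDP ports still relayed)."""
    helpers, current = {}, None
    forwarded = set(DEFAULT_FORWARDED.values())
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"ip helper-address\s+(\S+)", line)) and current:
            helpers.setdefault(current, []).append(m.group(1))
        elif m := re.match(r"(no\s+)?ip forward-protocol udp\s+(\S+)", line):
            svc = m.group(2)
            port = DEFAULT_FORWARDED.get(svc, int(svc) if svc.isdigit() else None)
            if port is None:
                continue  # unknown keyword: leave the set untouched
            if m.group(1):
                forwarded.discard(port)
            else:
                forwarded.add(port)
    # Nothing is relayed unless at least one interface has a helper address.
    exposed = sorted(forwarded - DHCP_PORTS) if helpers else []
    return helpers, exposed


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        helpers, exposed = audit_helper_forwarding(cfg)
        print(name, helpers, "extra UDP ports relayed:", exposed)
```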
I recently moved and now I'm trying to set up my Time Capsule as the primary base station or router with an existing network that has a Centurylink modem/router. The TC still has the settings for my old network. I also have backups on it. I have the data backed up to another HD so it's not an issue to return it to factory settings if doing so deletes the back ups. Do I need to restore it to the factory settings to set it up? Also, what settings would I select on the TC (and the Centurylink modem/router) in order for the TC to serve as the router, instead of the Centurylink router? I want to be able to use the TC to back up my Mac's, print wirelessly, and improve overall performance. I tried setting the TC up and ended with 2 different networks. Can anyone please help me with this?
The TC has to plug into the existing modem router by ethernet.. you cannot use wireless.
You have a choice of which is router.. only if Centurylink agree to bridge their modem router.. this has to be done by the ISP and often they do not allow it.
Is your broadband cable or adsl or fibre or ???
If it is cable and you are allowed to purchase your own cable modem pick a pure modem version with no router in it.. plug the TC into it by ethernet.
Setup the TC in DHCP and NAT mode.. (depending on broadband type).
You must reset the TC to factory to do the setup.. no files are lost at all.
Here is my current recommended setup.. with Yosemite life has become harder than ever.
Factory reset universal
Power off the TC.. ie pull the power cord or power off at the wall.. wait 10sec.. hold in the reset button.. be gentle.. power on again still holding in reset.. and keep holding it in for another 10sec. You may need some help as it is hard to both hold in reset and apply power. It will show success by rapidly blinking the front led. Release the reset.. and wait a couple of min for the TC to reset and come back with factory settings. If the front LED doesn’t blink rapidly you missed it and simply try again. The reset is fairly fragile in these.. press it so you feel it just click and no more.. I have seen people bend the lever or even break it. I use a toothpick as tool.
N.B. None of your files on the hard disk of the TC are deleted.. this simply clears out the router settings of the TC.
Setup the TC again.
ie Start from a factory reset. No files are lost on the hard disk doing this.
Then redo the setup from the computer with Yosemite.
1. Use very short names.. NOT APPLE RECOMMENDED names. No spaces and pure alphanumerics.
eg TCgen5 and TCwifi for basestation and wireless respectively.
Even better if the issue is more wireless use TC24ghz and TC5ghz with fixed channels as this also seems to help stop the nonsense. But this can be tried in the second round.
2. Use all passwords that also comply but can be a bit longer. ie 8-20 characters mixed case and numbers.. no non-alphanumerics.
3. Ensure the TC always takes the same IP address.. you will need to do this on the main router using dhcp reservation.. or a bit more complex setup using static IP in the TC. But this is important.. having IP drift all over the place when Yosemite cannot remember its own name for 5 min after a reboot makes for poor networking. If the TC is main router it will not be an issue.
4. Check your share name on the computer is not changing.. make sure it also complies with the above.. short no spaces and pure alphanumeric.. but this change will mess up your TM backup.. so be prepared to do a new full backup. Sorry.. keep this one for second round if you want to avoid a new backup.
5. Mount the TC disk in the computer manually.
In Finder, Go, Connect to server from the top menu,
Type in SMB://192.168.0.254 (or whatever the TC ip is which you have now made static. As a router by default it is 10.0.1.1 and I encourage people to stick with that unless you know what you are doing).
You can use name.. SMB://TCgen5.local where you replace TCgen5 with your TC name.. local is the default domain of the TC and doesn't change.
However names are not so easy as IP address.. nor as reliable. At least not in Yosemite they aren't. The domain can also be an issue if you are not plugged or wireless directly to the TC.
6. Make sure IPv6 is set to link-local only in the computer. For example wireless open the network preferences, wireless and advanced / TCP/IP.. and fix the IPv6. to link-local only.
There is a lot more jiggery pokery you can try but the above is a good start.. if you find it still unreliable.. don't be surprised.
You might need to do some more work on the laptop itself. eg Reset the PRAM.. has helped some people. Clean install of the OS is also helpful if you upgrade installed.
Tell us how you go.
Someone posted a solution.. See this thread.
Macbook can't find Time Capsule anymore
Start from the bottom and work up.. I have a list of good network practice changes but I have avoided Yosemites bug heaven.
This user has had success and a few others as well.
RáNdÓm GéÉzÁ
Here is why Yosemite has fundamental issues.
http://arstechnica.com/apple/2015/01/why-dns-in-os-x-10-10-is-broken-and-what-you-can-do-to-fix-it/
-
Policy Based Routing and IP Helper
Can anyone help with an issue i am having with PBR and an IP Helper. I cannot get devices in the VLAN with the associated SVI to get DHCP addresses, there is no DHCP server in the VLAN so an IP Helper is used but whenever i enable PBR on the SVI, DHCP stops working. The switch is a 6506 Catalyst running Version 12.2(17d)SXB11 of IOS
The SVI config for the VLAN is as below
ip address 10.2.60.254 255.255.255.0
ip helper-address 10.10.80.200
ip helper-address 10.10.80.201
ip policy route-map ACPBR
no ip igmp snooping explicit-tracking
no ipv6 mld snooping explicit-tracking
no ipv6 mld snooping
a route map configured as follows
route-map ACPBR permit 10
match ip address ACPBR_ACL
set ip default next-hop 10.99.1.252
route-map ACPBR permit 20
set default interface Null0
and an access list as follows
ip access-list extended ACPBR_ACL
deny udp any any eq bootps log
permit ip 10.2.60.0 0.0.0.255 any
So any DHCP traffic should hit the deny command and drop back to the normal routing process, at least that's my understanding. The logs on the 6506 even show the DENY being hit, see below
list ACPBR_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
Can anyone advise why this may be happening? If I add the PBR to the SVI, DHCP stops working; if I remove it then it starts working, so it is definitely PBR doing something.
Thanks
Ryan
Ryan,
The deny line in your ACL merely causes the DHCP traffic to be not processed in the ACPBR block 10. However, for this traffic, the processing of the route-map continues to block 20 with the set default interface Null0 command. This could be the cause of the drops you are seeing. Remember, the permit/deny in ACL here only select packets to be dealt with in the particular route-map block. However, it is the permit/deny in the route-map block header that determines whether the packet is going to be PBR-ed or normally routed.
Assuming you want to keep the DHCP traffic to be normally routed, one of the ways of doing that would be:
ip access-list extended ACPBR_ACL
deny udp any any eq bootps log
permit ip 10.2.60.0 0.0.0.255 any
!
ip access-list extended ACPBR_DHCP
permit udp any any eq bootps
!
route-map ACPBR permit 10
match ip address ACPBR_ACL
set ip default next-hop 10.99.1.252
!
route-map ACPBR deny 15
match ip address ACPBR_DHCP
!
route-map ACPBR permit 20
set default interface Null0
This configuration causes the DHCP traffic to be processed in block 15, and because of the deny action in the block header, the traffic should fall back to normal routing.
While I am somewhat surprised that the PBR would affect broadcasts (it should not, and perhaps it affects only a part of the DHCP communication that does happen to be unicasted), I believe this modification of your config is worth trying.
Best regards,
Peter
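The route-map evaluation order Peter describes can be traced with a small model. This Python sketch is an added example, not part of the original thread and not IOS code: it is a simplified model that assumes ACL entries match only on protocol, source network and destination port, and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# ACL entry: (action, protocol, source network, destination port or None)
ACLS = {
    "ACPBR_ACL": [("deny", "udp", "0.0.0.0/0", 67),
                  ("permit", "ip", "10.2.60.0/24", None)],
    "ACPBR_DHCP": [("permit", "udp", "0.0.0.0/0", 67)],
}

# Route-map clause: (sequence, action, ACL name or None, set command)
ORIGINAL = [(10, "permit", "ACPBR_ACL", "set ip default next-hop 10.99.1.252"),
            (20, "permit", None, "set default interface Null0")]
FIXED = [(10, "permit", "ACPBR_ACL", "set ip default next-hop 10.99.1.252"),
         (15, "deny", "ACPBR_DHCP", None),
         (20, "permit", None, "set default interface Null0")]

# Constructed sample packets.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dport": 67}
CLIENT_HTTPS = {"proto": "tcp", "src": "10.2.60.25", "dport": 443}


def acl_permits(name, pkt):
    """First matching entry decides; no match is the implicit deny."""
    for action, proto, src, dport in ACLS[name]:
        if proto not in ("ip", pkt["proto"]):
            continue
        if ip_address(pkt["src"]) not in ip_network(src):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action == "permit"
    return False


def evaluate(route_map, pkt):
    """Return (clause sequence, outcome) for one packet."""
    for seq, action, acl, set_cmd in sorted(route_map, key=lambda c: c[0]):
        # An ACL deny only means "this clause does not apply": keep going.
        if acl is not None and not acl_permits(acl, pkt):
            continue
        # The clause header decides: deny hands the packet to normal routing.
        if action == "deny":
            return seq, "normal routing"
        return seq, set_cmd
    return None, "normal routing"  # no clause matched


if __name__ == "__main__":
    for label, rmap in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "DHCP ->", evaluate(rmap, DHCP_DISCOVER))
        print(label, "client ->", evaluate(rmap, CLIENT_HTTPS))
```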