Ip helper address with Policy Base Routing

Does ip helper work with Policy Base Routing? And if so, how, and what version of the router software do you need?
Thanks

The first function at the ingress interface is ip_helper; the second function at the same ingress interface is policy-based routing.
We have the same situation regarding ip nat in combination with policy-based-routing.

Similar Messages

  • Ip helper-address with two dhcp server

    I have two dhcp servers running on vlan1, which serve our workstations on vlan2. 10.10.10.51 is our primary and 10.10.10.52 is our secondary server.
    My question is:
    - Which server would my workstation get the dhcp from?
    - If the primary server is down, could I reach the second dhcp server? And if the primary server comes back online, which server would be serving our dhcp clients?
    interface Vlan1
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    ip directed-broadcast
    interface Vlan2
    ip address 10.10.20.1 255.255.255.0
    ip helper-address 10.10.10.51
    ip helper-address 10.10.10.52
    no ip redirects
    ip directed-broadcast

    Hi,
    I don't agree.
    AFAIK, using two ip helper-address entries in a router config will cause the dhcp request to be sent to BOTH dhcp servers.
    So both the primary and secondary dhcp server will send a dhcp offer to the workstation. The workstation will choose one of the offers and confirm it to the server.
    So the ip helper-address command will not help you choose whether a dhcp server is primary or secondary.
    You can either use different dynamic address pools on the primary and secondary dhcp server (and the same static entries) or arrange some kind of dhcp server failover:
    See
    http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_DHCP_imp_ClusteringSupport.htm
    There is also RFC 2131 describing DHCP Failover Protocol.
    Regards,
    Milan

  • CAT 3750 Policy base routing performance

    Does anybody know where I can find data about the performance of routing on the Catalyst 3750 when I use policy base routing on it? And what methods of packet switching are available with policy base routing?

    Check out the following link on configuring PBR on Catalyst 3750 switches:
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a0080502417.html#wp1228588

  • Does icmp redirect work with policy based route

    Setup:
    R1 and R2 on same ip net.
    On R1 policy based route is configured with R2 as next hop.
    Will R1 send icmp redirect (to use R2 instead) to those hosts that match the policy based routing ?
    Thanks.
    Gert Schaarup

    Hi Gert,
    The answer to your question is yes. I have verified this in a lab previously. As long as all the conditions for ICMP redirect have been met (source address on same net, best gateway on same net) then ICMP redirects are sent regardless of whether PBR or normal routing is being used.
    Hope that helps - pls rate the post if it does.
    Paresh

  • Cisco 3945 Policy Base Routing

    I have a Cisco 3945. It has two DS3 lines on it, which I would like to treat independently of each other.
    I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet, but since the router is configured with one static route, GIG 0/1 can't be pinged from the outside.
    Any help would be greatly appreciated.
    This is my current config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname MOVLABT3-CA-ES
    boot-start-marker
    boot-end-marker
    card type t3 1
    card type t3 2
    enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1015775704
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1015775704
    revocation-check none
    rsakeypair TP-self-signed-1015775704
    crypto pki certificate chain TP-self-signed-1015775704
    certificate self-signed 01
            quit
    license udi pid C3900-SPE150/K9 sn FOC16313DE8
    hw-module sm 1
    hw-module sm 2
    controller T3 1/0
    cablelength 75
    controller T3 2/0
    cablelength 75
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 207.168.4.49 255.255.255.240
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    ip address 206.135.120.114 255.255.255.240
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial1/0
    ip address 206.135.100.202 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    dsu bandwidth 44210
    interface Serial2/0
    ip address 205.214.40.6 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dsu bandwidth 44210
    no ip classless
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 206.135.100.201
    access-list 1 permit 10.0.0.0 0.0.0.255
    snmp-server community RO-N1mS0ft RO
    control-plane
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    login
    transport input all
    scheduler allocate 20000 1000
    end

    This is what it looks like now, and I still can't ping gig 0/1 from the internet
    interface GigabitEthernet0/0
    ip address 207.168.4.49 255.255.255.240
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    ip address 206.135.120.114 255.255.255.240
    ip virtual-reassembly in
    ip policy route-map pbr
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial1/0
    ip address 206.135.100.202 255.255.255.252
    ip virtual-reassembly in
    dsu bandwidth 44210
    interface Serial2/0
    ip address 205.214.40.6 255.255.255.252
    ip virtual-reassembly in
    encapsulation ppp
    dsu bandwidth 44210
    ip local policy route-map PBR
    no ip classless
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 206.135.100.201
    access-list 1 permit 10.0.0.0 0.0.0.255
    access-list 101 permit ip 206.135.120.112 0.0.0.15 any
    route-map pbr permit 10
    match ip address 101
    set ip next-hop 205.214.40.5
    snmp-server community RO-N1mS0ft RO
    control-plane
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    login
    transport input all
    scheduler allocate 20000 1000
    end

  • Policy base routing in asa

    Hi,
    I attach a picture.
    I want to answer any user from the same router.
    Example:
    a request from user1 comes in via isp1, and I answer it from the same isp1 router.
    I think the ASA does not support PBR. Please help me with the same scenario.

    Policy-based routing, similar to what an IOS router can do based on incoming traffic and then overriding the routing table for the next hop, isn't a feature in the ASA.
    We can do policy based NAT, inspection and filtering, but not policy based routing.

  • Need basic Help - SG300 with vlan and routing

    Hi,
    I need some basic help with configuring VLAN/routing.
    Situation:
    DSL Router - Cisco 300 - XenServer
    192.168.1.253 - 192.168.1.19 - 192.168.1.10 (mgmt ip)
    The goal is to reach the internet from inside the XenServer VMs.
    vms = 192.168.2.x
    gateway ip = 192.168.2.1
    What I did:
    - configured vlan 102, tagged, with the xenserver port
    - configured on xenserver a network with vlan id 102, attached to the vm
    - this network is connected to an external bond
    - configured IPv4 interface: vlan102 - Static - IP 192.168.2.1 (this is the gateway ip of the vms)
    - automatically configured IPv4 route: 192.168.2.0/24 next hop 0.0.0.0, Directly connected
    So at the moment I can't ping from inside a VM to the DSL router (192.168.2.2 to 192.168.1.253).
    Any ideas what I misconfigured or what's wrong?
    cheers,
    -Marco

    Hi Tom,
    OK, that makes sense. I can now ping the router from inside the VMs on the 192.168.2.x network.
    But I can't ping external addresses; error: Destination net unreachable.
    My other problem: I can't reach any server from outside over the router's port forwarding.
    How do I have to configure the upload port to the DSL router? Is it an access port or a trunk port with all VLANs (tagged or untagged)? At the moment I have a tagged trunk port with all VLANs.
    IPv4 Interface Table
    Interface | IP Address Type | IP Address   | Mask          | Status
    VLAN 1    | Static          | 192.168.1.19 | 255.255.255.0 | Valid
    Should the VLAN1 IP address not be the router IP address? Do I need an additional VLAN for the router? In the end I'd like to change the switch IP from DHCP to static (changes automatically when switching to layer 3 mode), but I have to look up the IOS commands first.
    What else am I missing?
    Thanks a lot,
    Marcus

  • Is there someone in the St. Louis area I can get to help me with a new router

    I have to install a new router for my Apple 10.7.4.  Is there someone in the St Louis MO area I can get to help me with this?

    Hi Robert, perhaps we can help you here, what is the question(s)?

  • Help me with my WRT54GL router plz :(((((

    When I connect my router to the adapter, the power LED keeps blinking and all the other LEDs stay green, except the DMZ and WLAN LEDs, which don't work. I tried a reset but it didn't work, and when I connect it to my PC I can't access the main page at 192.168.1.1. Please, I want help.

    I have a PC and a laptop, and connect the PC to the router and the laptop to the wireless. I never played with the IP address or such things because I don't know how and am afraid to damage it, so I think it still has the IP 192.168.1.1. I tried connecting the modem directly to the PC and the internet worked, and ping too, but with my router, no. I also tried putting the cable in all the ports 1, 2, 3, 4 and it still gives me the same 100% loss when I ping.

  • Please help me with my wireless router WRT54G

    Hi, I have a wireless Linksys router, model WRT54G. What I want to do is configure a network in my home. I have 2 PCs, a laptop and a desktop. What should I do to be able to share files, music and videos between both computers? The laptop has Windows Vista, the desktop has Windows XP Professional. Please help me. Thank you very much.

    Try this link for file and printer sharing. Also make sure you are running latest firmware on router. You can check it from www.linksys.com/download

  • Help me with a WRT54GS Router

    If you can help me any amount I will be grateful. I have 3 laptops in my house, and when one of them is online (like playing online games and stuff like that) and the second gets on, the router drops the first laptop for a couple of minutes, then it reconnects the first laptop so they are both online. Then the third gets on and the router drops the first and second laptops for a couple of minutes, then reconnects both of them, so all three are connected. I want to know if there is a way to make it so that the router won't disconnect any of the laptops when another accesses it.
    Message Edited by PaintballFreak on 07-15-2007 08:41 PM

    Hi… logon to router’s setup page, try changing wireless channel to 1 or 11, go to advanced wireless settings reduce beacon interval to 50, fragmentation and RTS threshold to 2304, change Transmission rate to 54 MBps…click on "application & gamings" >> QoS >> enable the WMM feature...also try upgrading latest firmware on router, check whether it makes any difference or not and let me know.

  • Policy Base Routing

    Hi all,
    I have one ASA 5525 with 2 ISPs connected to the ASA and 4 LANs behind the ASA. I need subnet1 and subnet2 to access the internet via ISP1, and subnet3 and subnet4 to access the internet via ISP2. What are the steps to complete this requirement? Please see the diagram in the attached file. Thanks for your support.

    Hi,
    Have a look at this link for config example:
    https://supportforums.cisco.com/document/32186/dual-internet-links-nating-pbr-and-ip-sla
    HTH

  • Switches that do dhcp relay (ip helper address)

    Hi all,
    I'm looking at this switch, the 1810 24g, and I was wondering whether it does dhcp relay (ip helper address), i.e. forward dhcp addresses from the dhcp server to the switch?
    Many thanks
    Rob

    Hi,
    on all the vlan interfaces where the DHCP server doesn't reside you must configure
    interface Vlan
    description Client VLAN
    ip helper-address
    When a client now sends a DHCP request, the router forwards this request to the ip helper-address.
    Because the router also puts in its own interface ip address as source ip, the packet finds its way back.
    DHCP uses UDP ports 67 and 68. With the command ip helper-address, some other UDP ports are also opened. To close these ports, configure (global command):
    no ip forward-protocol udp tftp
    no ip forward-protocol udp nameserver
    no ip forward-protocol udp domain
    no ip forward-protocol udp time
    no ip forward-protocol udp netbios-ns
    no ip forward-protocol udp netbios-dgm
    no ip forward-protocol udp tacacs
    On your DHCP server you have to configure a scope for each ip subnet.
    If your dhcp server is located in the server vlan, do NOT configure a helper-address there.
    For the migration I would suggest using two different ip subnets. Imagine all your clients are now in VLAN2 10.2.0.0/16. If you have this IP subnet on your router you can't add a new VLAN with 10.2.1.0/24, because this overlaps.
    So make the new VLANs with 10.3.1.0/24, 10.3.2.0/24, ... and move the clients to the new vlans by changing the vlan of the port the PC is connected to. When you then reboot the PC it should get a new ip from the dhcp server and everything should be fine.
    Bye
    Jo
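An added example, not part of the thread above: a small audit that reads an IOS configuration, finds interfaces carrying `ip helper-address`, and reports which of the extra UDP services named in the post are still relayed because no matching `no ip forward-protocol udp` line exists. The function name, the service table and the sample configuration are constructed for illustration; the service list is the one given in the post, not a claim about every IOS release.

```python
import re

# UDP services the post disables, with their well-known port numbers.
# DHCP itself (bootps 67 / bootpc 68) is left out: the relay needs it.
HELPER_EXTRA_UDP = {"tftp": 69, "nameserver": 42, "domain": 53, "time": 37,
                    "netbios-ns": 137, "netbios-dgm": 138, "tacacs": 49}

def audit_helper_forwarding(config: str) -> dict:
    """Return helper addresses per interface and the extra UDP services still relayed."""
    helpers = {}      # interface name -> list of helper addresses
    disabled = set()  # keywords or port numbers given to "no ip forward-protocol udp"
    current = None    # interface stanza currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                       # stanza separator
            current = None
        elif m := re.fullmatch(r"interface\s+(\S+)", line):
            current = m.group(1)
        elif (m := re.fullmatch(r"ip helper-address\s+(\S+)", line)) and current:
            helpers.setdefault(current, []).append(m.group(1))
        elif m := re.fullmatch(r"no ip forward-protocol udp\s+(\S+)", line):
            disabled.add(m.group(1))          # the command takes a keyword or a port number
    still = {}
    if helpers:                               # nothing is relayed without a helper address
        still = {svc: port for svc, port in HELPER_EXTRA_UDP.items()
                 if svc not in disabled and str(port) not in disabled}
    return {"helpers": helpers, "still_forwarded": still}

# Constructed sample: Vlan2 relays to two DHCP servers, only two services are closed.
SAMPLE = """\
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.10.51
 ip helper-address 10.10.10.52
!
no ip forward-protocol udp tftp
no ip forward-protocol udp 137
"""

if __name__ == "__main__":
    report = audit_helper_forwarding(SAMPLE)
    for ifname, addrs in report["helpers"].items():
        print(f"{ifname}: relays to {', '.join(addrs)}")
    for svc, port in sorted(report["still_forwarded"].items()):
        print(f"still relayed: udp/{port} ({svc})")
```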

  • How can I set up my time capsule as the primary base station with a centurylink router? I'm trying to extend my coverage, increase signal strength, and be able to connect a printer.

    I recently moved and now I'm trying to set up my Time Capsule as the primary base station or router with an existing network that has a Centurylink modem/router. The TC still has the settings for my old network. I also have backups on it. I have the data backed up to another HD so it's not an issue to return it to factory settings if doing so deletes the back ups. Do I need to restore it to the factory settings to set it up? Also, what settings would I select on the TC (and the Centurylink modem/router) in order for the TC to serve as the router, instead of the Centurylink router? I want to be able to use the TC to back up my Mac's, print wirelessly, and improve overall performance. I tried setting the TC up and ended with 2 different networks. Can anyone please help me with this?

    The TC has to plug into the existing modem router by ethernet.. you cannot use wireless.
    You have a choice of which is router.. only if Centurylink agree to bridge their modem router.. this has to be done by the ISP and often they do not allow it.
    Is your broadband cable or adsl or fibre or ???
    If it is cable and you are allowed to purchase your own cable modem pick a pure modem version with no router in it.. plug the TC into it by ethernet.
    Setup the TC in DHCP and NAT mode.. (depending on broadband type).
    You must reset the TC to factory to do the setup.. no files are lost at all.
    Here is my current recommended setup.. with Yosemite life has become harder than ever.
    Factory reset universal
    Power off the TC.. ie pull the power cord or power off at the wall.. wait 10sec.. hold in the reset button.. be gentle.. power on again still holding in reset.. and keep holding it in for another 10sec. You may need some help as it is hard to both hold in reset and apply power. It will show success by rapidly blinking the front led. Release the reset.. and wait a couple of min for the TC to reset and come back with factory settings. If the front LED doesn’t blink rapidly you missed it and simply try again. The reset is fairly fragile in these.. press it so you feel it just click and no more.. I have seen people bend the lever or even break it. I use a toothpick as tool.
    N.B. None of your files on the hard disk of the TC are deleted.. this simply clears out the router settings of the TC.
    Setup the TC again.
    ie Start from a factory reset. No files are lost on the hard disk doing this.
    Then redo the setup from the computer with Yosemite.
    1. Use very short names.. NOT APPLE RECOMMENDED names. No spaces and pure alphanumerics.
    eg TCgen5 and TCwifi for basestation and wireless respectively.
    Even better if the issue is more wireless use TC24ghz and TC5ghz with fixed channels as this also seems to help stop the nonsense. But this can be tried in the second round.
    2. Use all passwords that also comply but can be a bit longer. ie 8-20 characters mixed case and numbers.. no non-alphanumerics.
    3. Ensure the TC always takes the same IP address.. you will need to do this on the main router using dhcp reservation.. or a bit more complex setup using static IP in the TC. But this is important.. having IP drift all over the place when Yosemite cannot remember its own name for 5 min after a reboot makes for poor networking. If the TC is main router it will not be an issue.
    4. Check your share name on the computer is not changing.. make sure it also complies with the above.. short no spaces and pure alphanumeric.. but this change will mess up your TM backup.. so be prepared to do a new full backup. Sorry.. keep this one for second round if you want to avoid a new backup.
    5. Mount the TC disk in the computer manually.
    In Finder, Go, Connect to server from the top menu,
    Type in SMB://192.168.0.254 (or whatever the TC ip is which you have now made static. As a router by default it is 10.0.1.1 and I encourage people to stick with that unless you know what you are doing).
    You can use name.. SMB://TCgen5.local where you replace TCgen5 with your TC name.. local is the default domain of the TC and doesn't change.
    However names are not so easy as IP address.. nor as reliable. At least not in Yosemite they aren't. The domain can also be an issue if you are not plugged or wireless directly to the TC.
    6. Make sure IPv6 is set to link-local only in the computer. For example wireless open the network preferences, wireless and advanced / TCP/IP.. and fix the IPv6. to link-local only.
    There is a lot more jiggery pokery you can try but the above is a good start.. if you find it still unreliable.. don't be surprised.
    You might need to do some more work on the laptop itself. eg Reset the PRAM.. has helped some people. Clean install of the OS is also helpful if you upgrade installed.
    Tell us how you go.
    Someone posted a solution.. See this thread.
    Macbook can't find Time Capsule anymore
    Start from the bottom and work up.. I have a list of good network practice changes but I have avoided Yosemites bug heaven.
    This user has had success and a few others as well.
    RáNdÓm GéÉzÁ
    Here is why Yosemite has fundamental issues.
    http://arstechnica.com/apple/2015/01/why-dns-in-os-x-10-10-is-broken-and-what-you-can-do-to-fix-it/

  • Policy Based Routing and IP Helper

    Can anyone help with an issue I am having with PBR and an IP Helper? I cannot get devices in the VLAN with the associated SVI to get DHCP addresses. There is no DHCP server in the VLAN, so an IP Helper is used, but whenever I enable PBR on the SVI, DHCP stops working. The switch is a 6506 Catalyst running Version 12.2(17d)SXB11 of IOS.
    The SVI config for the VLAN is as below
    ip address 10.2.60.254 255.255.255.0
    ip helper-address 10.10.80.200
    ip helper-address 10.10.80.201
    ip policy route-map ACPBR
    no ip igmp snooping explicit-tracking
    no ipv6 mld snooping explicit-tracking
    no ipv6 mld snooping
    a route map configured as follows
    route-map ACPBR permit 10
    match ip address ACPBR_ACL
    set ip default next-hop 10.99.1.252
    route-map ACPBR permit 20
    set default interface Null0
    and an access list as follows
    ip access-list extended ACPBR_ACL
    deny udp any any eq bootps log
    permit ip 10.2.60.0 0.0.0.255 any
    So any DHCP traffic should hit the deny command and drop back to the normal routing process, at least that's my understanding. The logs on the 6506 even show the DENY being hit, see below
    list ACPBR_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
    Can anyone advise why this may be happening? If I add the PBR to the SVI, DHCP stops working; if I remove it, then it starts working, so it is definitely PBR doing something.
    Thanks
    Ryan

    Ryan,
    The deny line in your ACL merely causes the DHCP traffic to be not processed in the ACPBR block 10. However, for this traffic, the processing of the route-map continues to block 20 with the set default interface Null0 command. This could be the cause of the drops you are seeing. Remember, the permit/deny in ACL here only select packets to be dealt with in the particular route-map block. However, it is the permit/deny in the route-map block header that determines whether the packet is going to be PBR-ed or normally routed.
    Assuming you want to keep the DHCP traffic normally routed, one of the ways of doing that would be:
    ip access-list extended ACPBR_ACL
     deny udp any any eq bootps log
     permit ip 10.2.60.0 0.0.0.255 any
    !
    ip access-list extended ACPBR_DHCP
     permit udp any any eq bootps
    !
    route-map ACPBR permit 10
     match ip address ACPBR_ACL
     set ip default next-hop 10.99.1.252
    !
    route-map ACPBR deny 15
     match ip address ACPBR_DHCP
    !
    route-map ACPBR permit 20
     set default interface Null0
    This configuration causes the DHCP traffic to be processed in block 15, and because of the deny action in the block header, the traffic should fall back to normal routing.
    While I am somewhat surprised that the PBR would affect broadcasts (it should not, and perhaps it affects only a part of the DHCP communication that does happen to be unicasted), I believe this modification of your config is worth trying.
    Best regards,
    Peter
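An added example, not part of the thread above: a small model of the route-map selection logic Peter describes, run against Ryan's original route-map and against the version with the extra `deny 15` block. The class and function names and the sample packets are constructed; the model only reports which block takes a packet and its set clause, and does not model whether a `set ... default ...` clause actually overrides the routing table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str = "any"             # "any" or "<network> <wildcard>"
    dport: Optional[int] = None  # destination port ("eq bootps" is 67)

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src != "any":
            net, wild = (int(ipaddress.IPv4Address(x)) for x in self.src.split())
            if (int(ipaddress.IPv4Address(p.src)) ^ net) & ~wild:
                return False
        return True

def acl_permits(acl, p: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False

@dataclass(frozen=True)
class Block:
    seq: int
    action: str                  # block header: "permit" or "deny"
    acl: Optional[str] = None    # None: no match clause, so every packet matches
    set_clause: str = ""

def evaluate(route_map, acls, p: Packet):
    """Return (sequence number of the block that took the packet, outcome)."""
    for blk in sorted(route_map, key=lambda b: b.seq):
        if blk.acl is None or acl_permits(acls[blk.acl], p):
            # The block header, not the ACL, decides PBR versus normal routing.
            return blk.seq, (blk.set_clause if blk.action == "permit" else "normal routing")
    return None, "normal routing"

ACLS = {
    "ACPBR_ACL": [Ace("deny", "udp", dport=67),
                  Ace("permit", "ip", src="10.2.60.0 0.0.0.255")],
    "ACPBR_DHCP": [Ace("permit", "udp", dport=67)],
}
ORIGINAL = [Block(10, "permit", "ACPBR_ACL", "set ip default next-hop 10.99.1.252"),
            Block(20, "permit", None, "set default interface Null0")]
FIXED = ORIGINAL + [Block(15, "deny", "ACPBR_DHCP")]

# Constructed packets: the logged DHCP broadcast and an ordinary client flow.
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", dport=67)
CLIENT = Packet("tcp", "10.2.60.25", "198.51.100.7", dport=443)

if __name__ == "__main__":
    for name, rmap in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "DHCP  ->", evaluate(rmap, ACLS, DISCOVER))
        print(name, "client ->", evaluate(rmap, ACLS, CLIENT))
```

In the original route-map the DHCP broadcast is skipped by block 10 and then taken by block 20, which is why the ACL log shows the deny hit while the packet is still policy-routed.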
