Local policy route-map for policy route

Hi,
this is related to my previous question:
I want to set a policy route on the asr1004 that redirects VPN traffic.
my case is:
  asr1004 imports a default route 0.0.0.0 from int 0 with BGP neighbour address 10.100.100.100
assume internal traffic 10.10.10.0/24 comes into asr1004 on int 1.
assume the vpn with ip address 10.2.2.2 is directly linked to asr1004 int 2, and int 2's ip address is 10.2.2.1
assume the target network is 10.200.200.0/24
I want internal traffic (10.10.10.0/24) going to the target (10.200.200.0/24) to be redirected to 10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
Then I want the vpn (10.2.2.2) to encrypt the traffic and send it to one of the ips in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.2.2.2 any
route-map vpn-out permit 10
  match ip address 100
  set ip next-hop 10.100.100.100
If not, do I have any chance to do policy routing for this case?
Any comment will be appreciated.
Thanks in advance,
Julxu

hi Jon
can I refresh the question again:
my case is:
  asr1004 imports a default route 0.0.0.0 from int 0 with BGP neighbour address 10.100.100.100
assume internal traffic 10.10.0.0/16 comes into asr1004 on int 1 with ip address 10.3.3.3
assume the vpn with ip address 10.10.2.2 is directly linked to asr1004 int 2, and int 2's ip address is 10.10.2.1
assume the target network is 10.200.200.0/24
I want internal traffic (10.10.0.0/16) going to the target (10.200.200.0/24) to be redirected to 10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
Then I want the vpn (10.10.2.2) to encrypt the traffic and send it to one of the ips in the 10.200.200.0/24 range again. At this point, if I put the local policy route-map below, will it work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
  match ip address 100
  set ip next-hop 10.100.100.100
such as:
interface TenGigabitEthernet0/0/0
 description bgp to get default
 ip address 10.100.100.100 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface TenGigabitEthernet0/1/0
 description get internaltraffic
 ip address 10.3.3.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface GigabitEthernet0/2/1
 description vpn
 ip address 10.10.2.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 media-type rj45
 negotiation auto
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
  match ip address 100
  set ip next-hop 10.100.100.100
ip route 10.200.200.0/24 10.10.2.2
Could you please advise if it is correct?

Similar Messages

  • Router script for Automated router changes

    I am new to the scripting world and do need assistance in developing a script that will assist me to perform the following tasks when executed
    1] remove all existing tunnels
    2] remove dialer/BVI interface
    3] create new DMVPN tunnel
    - tunnel x--- MPLS connection to data center
    -tunnel y--- Guest traffic
    4] Configure interface gi0/2 for broadband connection
    - negotiate DHCP addresses
    5] remove RIP routing
    6] remove EIGRP routing
    7] remove route-map pbr-dsl
    8] remove route-map pbr-extsrv
    9] create route-map for internet traffic over verizon ( pbr-verizon)
    - set interface gi0/2
    10] create route-map for internet traffic over mpls (pbr-mpls)
    - set interface ser0/0
    11] apply pbr-verizon to VLANS 10,20,30,40
    12] modify NAT statement
    13] create inbound and outbound ACL for Gi0/2 interface
    - permit udp gre traffic from VIP
    - permit tcp any any established
    -permit tcp any any eq ftp-data
    -permit udp any any eq domain
    14] combine all other ACL to ensure no blocking will occur based on all internet traffic from verizon and not mpls

    Joseph,
    My question is on syntax when using username and password.  I'm stuck on a script that I found here on the support forums that is using the Expect command. 
    My goal is to run the script from a host monitoring server using a device list file to go out and telnet into each one of the routers to run a "Show Inventory" command. 
    All the routers are using local AAA with username and password to get to Privileged Exec mode.  Here's a copy of my script.  I have bolded the parts that I'm curious if correct.  If you could check over it and let me know where my mistakes (if any) are located, I'd appreciate it.  Thanks, Brandon
    # Tcl script driven by the Expect package (plink.exe does the telnet).
    package require Expect
    # Here, we specify all our commands in a list, that we will issue one
    # by one at a later time.
    set commands {
        "show inventory"
    }
    # This variable is for a file called hosts.txt that has the hostname/IP
    # of all of the routers you are collecting information from.
    set device_list [read [open "hosts.txt"]]
    # Specify the username, password and enable password, as well as what we
    # expect the routers' prompt to be.
    set username "blah"
    set pass "mypassword1234"
    set enable_pass "myenablepassword"
    set prompt "#"
    # This command tells expect not to echo the output to the console.
    exp_log_user 0
    # We loop through each device in our list, one by one...
    foreach device $device_list {
        # Set each device's log file to be the name of the device...
        # (i.e. router1.location.com-log.txt)
        set file_name "$device-log.txt"
        # Assuming you are using PuTTY, and have plink.exe, we initiate the
        # telnet connection.
        exp_spawn plink.exe -telnet $device
        # Wait for the login prompt before sending the username, and for the
        # password prompt before sending the password.
        expect -re ".*ogin:" {
            exp_send "$username\r"
        }
        expect -re ".*assword:" {
            exp_send "$pass\r"
        }
        # We log our output from each router to its specified file.
        exp_log_file -a $file_name
        # Loop through each command that we specified earlier.
        foreach cmd $commands {
            expect -re $prompt {
                exp_send "$cmd\r"
                exp_sleep 1
            }
        }
        # Now we enter enable mode for the running-config
        expect -re $prompt {
            exp_send "en\r"
        }
        expect -re ".*assword:" {
            exp_send "$enable_pass\r"
        }
        expect -re $prompt {
            exp_send "term len 0\r"
        }
        expect -re $prompt {
            exp_send "show running-config\r"
        }
        expect -re $prompt {
            exp_send "quit\r"
        }
        # Turn off logging.
        exp_log_file
        # Close the connection to this device before moving on to the next.
        exp_close
        exp_wait
    }

  • Map Not Update...Unable to See Traffic....No Route Map for any destination

    Yesterday updated IO6 and found map they are using is too old, compare to earlier version, cannot see Traffic, No Route Map there, Cannot Hear Voice..
    This is very big problem...

    If images are missing then check that you aren't blocking images from some domains.
    *Check the permissions for the domain in the current tab in "Tools > Page Info > Permissions"
    *Check that images are enabled: Tools > Options > Content: [X] Load images automatically
    *Check the exceptions in "Tools > Options > Content: Load Images > Exceptions"
    *Check the "Tools > Page Info > Media" tab for blocked images (scroll through all the images with the cursor Down key).
    If an image in the list is grayed and there is a check-mark in the box "Block Images from..." then remove that mark to unblock the images from that domain.
    Make sure that you do not block third-party images permissions.default.images
    There are also extensions (Tools > Add-ons > Extensions) and security software (firewall, anti-virus) that can block images.
    *http://kb.mozillazine.org/Images_or_animations_do_not_load

  • Inter-VPN routing with export map for host routes

    Hi,
    I am trying to export host routes from a connected network from one VRF to multiple other VRFs. This is to allow leaking specific host routes for management purposes. However, I suspect that the /32 host route(s) actually need to be present in the management VRF so the RTs are added accordingly, rather than just specified in the match clause of the MGMT VRF export map.
    Ideally here, I only want to export 10.111.111.254/32 from the connected network 10.111.111.0/24 in the MGMT VRF. The only way around this I can see is to move 10.111.111.0/24 behind another device, and add specific host route(s) within the MGMT VRF for the 10.111.111.X/32 host routes (which are redistributed into the MGMT VRF), using the additional device as the next-hop.
    ip vrf MGMT
    rd 1:1
    export map MGMT-EXPORT-MAP
    route-target export 1:1
    route-target import 1:1
    route-target import 1:1001
    ip vrf CUST-B
    rd 1:2
    export map CUSTOMERS-EXPORT-MAP
    route-target export 1:2
    route-target import 1:2
    route-target import 1:1000
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip vrf forwarding MGMT
    ip address 10.111.111.1 255.255.255.0
    interface FastEthernet0/0.200
    encapsulation dot1Q 101
    ip vrf forwarding CUST-B
    ip address 10.96.2.1 255.255.254.0
    router bgp 65000
    bgp router-id 1.1.1.1
    no bgp default ipv4-unicast
    bgp log-neighbor-changes
    address-family ipv4 vrf CUST-B
      redistribute connected
      no synchronization
    exit-address-family
    address-family ipv4 vrf MGMT
      redistribute connected
      no synchronization
    exit-address-family
    ip prefix-list CUSTOMERS seq 5 permit 10.96.2.0/23
    ip prefix-list ONPREMISE seq 5 permit 10.111.111.0/24
    ip prefix-list ONPREMISE seq 10 permit 10.111.111.254/32
    route-map CUSTOMERS-EXPORT-MAP permit 10
    match ip address prefix-list CUSTOMERS
    set extcommunity rt  1:1001 additive
    route-map MGMT-EXPORT-MAP permit 10
    match ip address prefix-list ONPREMISE
    set extcommunity rt  1:1000 additive
    Cheers,
    Matt

    Hi Matt
    Yes, the X/32 routes need to be present in the VRF routing table, and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
    Regards
    Varma

  • Lync router configuration for MI424WR Router

    Has anybody gotten the router port forwarding configuration to work for Microsoft Lync?  I can hear everybody on Lync but nobody can hear me.  I've followed the recommendations from Microsoft as much as I can figure on adding the port forwarding information but it's still not working.

    -->NAT the current public IP to the internal IP of the 2 new CAS server (which also got the HT
    role installed),
    You should NAT 2 internal IPs of the (CAS servers) to 1 external IP. Add these CAS servers as the source
    servers in the send connector.
    -->Internally, I would need to update the CASArray DNS record (currently pointing to old CAS server) to
    point to the WNLB virtual IP
    This is correct
    Configure send connector to use external DNS for dns lookup
    Go to send connector properties and tick "use the external dns lookup settings on the transport
    server" and add external DNS IPs in your transport server properties using this command.
    Set-TransportServer Hub01 -ExternalDNSAdapterEnabled $false -ExternalDNSServers {192.168.1.1, 192.168.1.2}
    You may face some unknown issues depending on how you maintain it.
    I had one issue long back in Exchange 2007 CCR with NLB. I
    was clearing the DNS cache every 1-2 days due to email delay.
    Finally I gave them a script to clear the DNS cache.

  • BGP Outbound Route-Map Question

    Hi Experts,
    Just need your help again. I was trying to do some lab and I came across this weird behaviour with BGP outbound route-map. The diagram is simple.
    Please see attached diagram. Sorry for the very poor illustration. R6 has iBGP peering to both R4 and R1. Both R1 and R4 have eBGP peering to R5. No IGP running on any routers as well to keep things simple. There are 2 things to do.
    * Create a static route for 160.1.0.0/16 pointing to Null0 on both R1 and R4 and advertise to BGP via network statement but only R5 should be able to see the 160.1.0.0/16 route. R6 should not receive it.
    * Advertise R5's /32 loopback interface to BGP but ensure R6 to have that route in its routing table. Don't use next-hop-self on both R1 and R4. Don't advertise WAN link via network command.
    I'll just illustrate R4 and R6 here to keep things straight forward.
    R4#sh ip bgp
    BGP table version is 5, local router ID is 150.1.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 150.1.5.5/32     155.1.45.5               0             0 100 i
    *> 160.1.0.0        0.0.0.0                  0         32768 i
    R6#sh ip bgp
    BGP table version is 11, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    * i150.1.5.5/32     155.1.45.5               0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    The first task was achieved as the 160.0.0.0/16 route is not present in R6's table. I used these commands in R4.
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     network 160.1.0.0
     neighbor 155.1.45.5 remote-as 100
     neighbor 155.1.146.6 remote-as 65000
     neighbor 155.1.146.6 route-map R6_OUT out
     no auto-summary
    route-map R6_OUT deny 5
     match ip address prefix-list AGGR
    route-map R6_OUT permit 1000
    ip prefix-list AGGR seq 5 permit 160.1.0.0/16
    So with the configuration above, it is clear that R4 is hitting route-map line 5 to deny 160.1.0.0/16 being advertised to R6. I tried removing line 5 as well to validate whether the /16 route would be advertised to R6, and it was, so the route-map configuration above is confirmed working.
    Next, advertise loopback 0 of R5 to R6 and make sure it is a valid route in BGP table without the use of next-hop-self or WAN advertisement.
    I used the following configuration.
    ip prefix-list R5_LINK seq 5 permit 155.1.45.5/32
    route-map R6_OUT permit 10
     match ip route-source R5_LINK
     set ip next-hop 155.1.146.4
    I inserted line 10 in between route-map 5 and 1000. So R4 would check its route table for routes with 155.1.45.5 as route-source then advertise it to R6 with next-hop address of 155.1.146.4. It worked!
    R6#sh ip bgp
    BGP table version is 15, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *>i150.1.5.5/32     155.1.146.4              0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    *>i160.1.0.0        155.1.146.4              0    100      0 i
    As you can see above, 150.1.5.5 route is now a valid BGP route but surprisingly, the 160.1.0.0/16 route is there! From what I have seen, BGP skipped line 5 and started at 10. Even if I insert the same rule as line 5 and make it as line 15, it's not working. The /16 route is still being advertised. If I remove the match ip route-source clause in sequence 10 then it will withdraw the 160.1.0.0/16 route again. Looks like "match ip route-source" is not very friendly with direct filtering to BGP neighbors but I saw this being used with BGP inject-map and it worked well.
    R4#sh route-map
    route-map R6_OUT, deny, sequence 5
      Match clauses:
        ip address prefix-lists: AGGR
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 10
      Match clauses:
        ip route-source (access-lists): R5_LINK
      Set clauses:
        ip next-hop 155.1.146.4
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 1000
      Match clauses:
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Any thoughts why this is happening?
    Thanks in advance.

    Hi John,
    I did a small lab to test feature "match ip route-source" and it is working fine. Please check below config and output.
    R4 does not have 172.16.16.0/24, nor the routes whose next-hop is not 1.1.1.1. In case you are still facing the issue, please share the output of "debug ip bgp updates out".
    Topology
    R1--ebgp--R3---ibgp---R4
    R3#show ip b su | b Nei
    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1.1.1.1         4          100      34      36       29    0    0 00:27:37        7
    4.4.4.4         4          300       9      12       29    0    0 00:04:12        0
    R3#
    R3#sh route-map TO-R4
    route-map TO-R4, deny, sequence 10
      Match clauses:
        ip address prefix-lists: DENY-PREFIX 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map TO-R4, permit, sequence 20
      Match clauses:
        ip route-source (access-lists): 20 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    R3#
    R3#show ip prefix-list DENY-PREFIX
    ip prefix-list DENY-PREFIX: 1 entries
       seq 5 permit 172.16.16.0/24
    R3#
    R3#sh ip access-lists 20
    Standard IP access list 20
        20 permit 1.1.1.1 (25 matches)
    R3#
    R3#show ip b
    BGP table version is 29, local router ID is 3.3.3.3
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *  172.16.8.0/22    1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.16.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.17.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.19.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.20.0/22   1.1.1.1                  0             0 100 i
    *  172.16.24.0/30   1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.80.0/22   1.1.1.1                  0             0 100 i
    R3#
    R4#show ip b
    BGP table version is 53, local router ID is 4.4.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    r>i172.16.17.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.19.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.20.0/22   1.1.1.1                  0    100      0 100 i
    *>i172.16.80.0/22   1.1.1.1                  0    100      0 100 i
    R4#
    --Pls dont forget to rate helpful posts--
    Regards,
    Akash

  • Route-map continue, in CRS RPL

    Dear all,
    what is the replacement for the continue command in route-map for CRS IOS XR RPL?
    is it the pass command??
    actually i had some issue matching almost 15 community attributes ingress from the customer network...
    and i think, can it be done with the pass command?
    like :
    if community (a:a) then
    action
    pass
    else if community (b:b) then
    action
    pass
    end if
    so, when the route contains community a:a, it will get the action assigned, and not yet be forwarded; instead, it will continue to run the next if, to check if the route also contains the b:b community...
    so with this i don't have to create almost 2^15 combinations of if format on RPL.
    is it doable? or is there any command that works similar to the "continue" command in route-map, where if it matches, the route still gets processed until the end of the policy.
    Thanks a lot,
    Budi L

    Hello Budi
    Yes, the pass statement allows a policy to continue executing even though the route has not been modified. When a policy has finished executing, any route that has been modified in the policy or any route that has received a pass disposition in the policy, successfully passes the policy and completes the execution. Note, a policy does not modify route attribute values until all tests have been completed. In other words, comparison operators always run on the initial data in the route. Intermediate modifications of the route attributes do not have a cascading effect on the evaluation of the policy.
    Here is the PASS example:
    route-policy ak-community
    if community matches-any (11:11, 44:44) then
       set community (55:55) additive
       pass
    endif
    if community matches-any (22:22) then
       set community (77:77) additive
    endif
    end-policy
    If a route contains a community 11:11 then we add 55:55 and continue. So if the same route contains 22:22 as well, we'd add another community 77:77 to the same route. Note, if we have an action (like SET here), a PASS statement is not needed and we continue with the policy.
    Example 2. Here we can see nested IF. So if a route contains 11:11 then we add 55:55 and verify it further if the route has 22:22 and if so, add 77:77
    route-policy ak-community
    if community matches-any (11:11, 44:44) then
       set community (55:55) additive
       if community matches-any (22:22) then
         set community (77:77) additive
       endif
    endif
    end-policy
    Example 3.  In this example we add 55:55 to routes matching 11:11 or 44:44. Otherwise, if a route has 22:22, we add 77:77. Note, if a route has 11:11 AND 22:22 (or 44:44 AND 22:22) we’d add 55:55 only.
    route-policy ak-community
    if community matches-any (11:11, 44:44) then
       set community (55:55) additive
    elseif community matches-any (22:22) then
       set community (77:77) additive
    endif
    end-policy
    IF statements are flexible too. You noted we used MATCHES-ANY in the IF statement. We can use a list of different conditions in one IF. For example:
    If community matches-every (11:11, 22:22) or destination in (11.1.3.0/24) then
       set local-preference 500
    Regards,
    /A
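A small Python model of the RPL semantics described in the reply above (an added example, not code from the reply or from IOS XR). The Route class and function names are constructed for illustration; it assumes, as the reply states, that tests always see the communities the route arrived with, that a set action counts as a pass, and that a route neither modified nor passed is dropped at the end of the policy.

```python
class Route:
    """A BGP route passing through an IOS XR route-policy.  Tests always look at
    the communities the route arrived with; set actions accumulate separately and
    are applied only after the whole policy has run, so nothing cascades."""

    def __init__(self, communities):
        self.initial = frozenset(communities)   # what comparison operators see
        self.communities = set(communities)     # what the route leaves with
        self.passed = False                     # dropped unless modified or passed

    def matches_any(self, *comms):
        return any(c in self.initial for c in comms)

    def set_community_additive(self, comm):
        self.communities.add(comm)
        self.passed = True                      # a set action is an implicit pass

    def pass_(self):
        self.passed = True

    def result(self):
        """Communities the route leaves with, or None if the policy dropped it."""
        return sorted(self.communities) if self.passed else None


def sequential_ifs(route):
    """Example 1 from the reply: two independent IF blocks, the first with pass."""
    if route.matches_any("11:11", "44:44"):
        route.set_community_additive("55:55")
        route.pass_()
    if route.matches_any("22:22"):
        route.set_community_additive("77:77")
    return route.result()


def nested_ifs(route):
    """Example 2: the 22:22 test is only reached for routes carrying 11:11 or 44:44."""
    if route.matches_any("11:11", "44:44"):
        route.set_community_additive("55:55")
        if route.matches_any("22:22"):
            route.set_community_additive("77:77")
    return route.result()


def if_elseif(route):
    """Example 3: elseif makes the two branches mutually exclusive."""
    if route.matches_any("11:11", "44:44"):
        route.set_community_additive("55:55")
    elif route.matches_any("22:22"):
        route.set_community_additive("77:77")
    return route.result()


def no_cascade(route):
    """A set in the first block does not make the second block's test true,
    because comparisons run on the initial data, not on pending modifications."""
    if route.matches_any("11:11"):
        route.set_community_additive("22:22")
    if route.matches_any("22:22"):
        route.set_community_additive("77:77")
    return route.result()
```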

  • Route-Map Equal Access

    Dears
    please, if i configure a route-map for two access lists like below:
    interface tengig 1
    ip policy route-map ABC
    access-list 101 permit tcp any eq www  1.1.1.0 0.0.0.255
    access-list 102 permit tcp any eq www  2.2.2.0 0.0.0.255
    route-map ABC permit 10
    match ip add 101
    set ip next-hop 50.1.1.1
    route-map ABC permit 20
    match ip add 102
    set ip next-hop 60.1.1.1
    do i need to write this line below?
    route-map ABC permit 30
    set default interface null0

    Rawa
    If you do that, any packets that don't match acl 101 or acl 102 and for which there is no explicit route in the routing table will be routed to null0. So it depends on whether you want that or not.
    I explained this before: if a packet does not match any PBR route-map statement then those packets will be routed using the routing table. However, in your example, because you have not specified a match statement in the last statement, all packets that didn't match the acls and have no explicit route in the routing table will be routed to null0.
    Jon

  • ASA 5585-X Route-Map

    Hi,
    how can I apply route-map rules to an interface?
    I set up some rules but I cannot apply these rules to any interface.
    Thanks a lot.

    Thank you Kanwal.
    In a Cisco router you can apply your route-map by using the command ip policy map ... I didn't find any command like this. I set up some match and set conditions but I cannot apply them to any interface.
    Can I use a route-map to manipulate the routing table in the ASA 5585-X?
    sincerely

  • Route-Map Config

    HI All
    i configured the route-map on the router,
    route-map Client_side_map permit 20
    match ip address Client_side2
    set ip next-hop xx.xx.xx.xx
    but when i enter show run i see the following config, that's a marvel
    route-map Client_side_map permit 20
    match ip address Client_side2 Internet_side1
    set ip next-hop xx.xx.xx.xx  xx.xx.xx.xx
    can anyone tell me what the underlying reason is?

    Hi,
    R4(config)#access-list 100 permit ip any any
    R4(config)#access-list 101 permit ip any any
    R4(config)#route-map test p 10
    R4(config-route-map)#match ip add 100
    R4(config-route-map)#set ip next
    R4(config-route-map)#set ip next-hop 20.20.20.20
    R4(config-route-map)#do sh route-map
    route-map test, permit, sequence 10
      Match clauses:
        ip address (access-lists): 100
      Set clauses:
        ip next-hop 20.20.20.20
      Policy routing matches: 0 packets, 0 bytes
    R4(config-route-map)#match ip add 101
    R4(config-route-map)#set ip nex
    R4(config-route-map)#set ip next-hop 22.22.22.22
    R4(config-route-map)#do sh route-map
    route-map test, permit, sequence 10
      Match clauses:
        ip address (access-lists): 100 101
      Set clauses:
        ip next-hop 20.20.20.20 22.22.22.22
      Policy routing matches: 0 packets, 0 bytes
    As you see in this example, multiple identical match or set statements are automatically rearranged in an OR fashion instead of an AND fashion.
    So I presume you already had a 20 clause in your route-map and so you edited it in the way I showed above.
    Regards
    Alain
    Don't forget to rate helpful posts.
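A Python model, added here and not taken from any of the posts, of how IOS evaluates a PBR route-map. It encodes three points from the threads above: Julxu's `ip local policy route-map` is applied only to packets the router itself generates, so transit traffic from the VPN box would need `ip policy route-map` on int 2; Jon's `set default interface null0` catch-all is used only when the routing table has no explicit (non-default) route; and Alain's observation that several ACLs in one match clause are ORed. The routing tables, interface names and packets are constructed, and every configured next hop is assumed reachable.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AclEntry:
    """One line of an IOS access-list; sport models 'any eq www' in the source position."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR or "any"
    dst: str
    sport: Optional[int] = None


def _in(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl, pkt) -> bool:
    """First matching entry wins; no match means implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if e.sport is not None and e.sport != pkt.get("sport"):
            continue
        if _in(e.src, pkt["src"]) and _in(e.dst, pkt["dst"]):
            return e.action == "permit"
    return False


@dataclass
class Seq:
    """One route-map sequence: several ACLs in match_acls are ORed (Alain's point)."""
    num: int
    action: str = "permit"
    match_acls: list = field(default_factory=list)
    next_hops: list = field(default_factory=list)      # set ip next-hop ...
    default_iface: Optional[str] = None                # set default interface ...


class Router:
    def __init__(self, routes, acls, route_maps):
        self.routes = {ipaddress.ip_network(n): nh for n, nh in routes.items()}
        self.acls, self.route_maps = acls, route_maps
        self.iface_policy = {}    # ingress interface -> route-map (ip policy route-map)
        self.local_policy = None  # route-map for router-generated packets (ip local policy)

    def lookup(self, dst, explicit_only=False):
        """Longest-prefix match; explicit_only ignores the 0.0.0.0/0 route."""
        best = None
        for net, nh in self.routes.items():
            if explicit_only and net.prefixlen == 0:
                continue
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, pkt, ingress=None):
        """Return the next hop or egress interface; ingress=None means router-generated."""
        rm = self.local_policy if ingress is None else self.iface_policy.get(ingress)
        for seq in sorted(self.route_maps.get(rm, []), key=lambda s: s.num):
            if seq.match_acls and not any(acl_permits(self.acls[a], pkt) for a in seq.match_acls):
                continue
            if seq.action == "deny":
                break                        # deny sequence: normal routing
            if seq.next_hops:
                return seq.next_hops[0]      # first next hop, all assumed reachable
            if seq.default_iface:            # only used when no explicit route exists
                return self.lookup(pkt["dst"], True) or seq.default_iface
            break
        return self.lookup(pkt["dst"])       # fall through to the routing table


def rawa_router(with_null0=True):
    """Rawa's route-map ABC on tengig 1, with a constructed routing table."""
    acls = {"101": [AclEntry("permit", "tcp", "any", "1.1.1.0/24", 80)],
            "102": [AclEntry("permit", "tcp", "any", "2.2.2.0/24", 80)]}
    abc = [Seq(10, match_acls=["101"], next_hops=["50.1.1.1"]),
           Seq(20, match_acls=["102"], next_hops=["60.1.1.1"])]
    if with_null0:
        abc.append(Seq(30, default_iface="null0"))   # set default interface null0
    r = Router({"0.0.0.0/0": "isp-upstream", "172.16.0.0/16": "172.16.0.1"}, acls, {"ABC": abc})
    r.iface_policy["tengig1"] = "ABC"
    return r


def julxu_router(on_vpn_interface=False):
    """Julxu's static route plus route-map vpn-out, as local policy or on int 2."""
    acls = {"100": [AclEntry("permit", "ip", "10.10.2.2/32", "any")]}
    vpn_out = [Seq(10, match_acls=["100"], next_hops=["10.100.100.100"])]
    r = Router({"0.0.0.0/0": "10.100.100.100", "10.200.200.0/24": "10.10.2.2"}, acls, {"vpn-out": vpn_out})
    if on_vpn_interface:
        r.iface_policy["Gi0/2/1"] = "vpn-out"    # ip policy route-map vpn-out on int 2
    else:
        r.local_policy = "vpn-out"               # ip local policy route-map vpn-out, as posted
    return r
```

With the local policy as posted, a packet from 10.10.2.2 to 10.200.200.x arriving on int 2 is routed by the table and handed straight back to 10.10.2.2; the same packet hits the route-map once it is applied to the ingress interface.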

  • Cisco 4900m, pbr, route-map

    Hi,
    My customer has a question: what is the limit on route-map entries for PBR that will be done in hardware? This applies to the 4900M with software 12.2(53)SG2. I need a reference to documentation.
    Regards,
    lb

    Hi Lukasz,
    the 4900M is a Data Center switch and not a Metro one, so it is more appropriate to post these types of questions in the Network Infrastructure > LAN Switching and Routing section
    (the 4900M should not be confused with the ME4900 series, which are Metro switches instead).
    Anyway it supports 128.000 Security and Quality-of-Service (QoS) hardware entries as documented here:
    http://www.cisco.com/en/US/products/ps6021/prod_models_comparison.html
    and here:
    http://www.cisco.com/en/US/partner/prod/collateral/switches/ps5718/ps6021/ps9310/Data_Sheet_Cat_4900M.html
    regards,
    Riccardo

  • Packets not hitting the route-map's NAT access-list

    Hi Everyone,
    I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list that is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:
    interface GigabitEthernet0/1.102
    description "xxx"
    encapsulation dot1Q 102
    ip address 10.300.301.1 255.255.255.0
    ip access-group xxx_ACL in
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool xxx_POOL ??
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map xxx pool xxx_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip access-list extended xxx-VPN
    remark VPN to xxx
    permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
    ip access-list extended xxx_ACL
    deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
    permit ip any any
    ip access-list extended xxx_NAT
    deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
    deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 10.300.301.0 0.0.0.255 any
    route-map ??? permit 10
    match ip address ???_NAT
    route-map xxx permit 10
    match ip address xxx_NAT
    route-map ??? permit 10
    match ip address NAT_???
    route-map ??? permit 10
    match ip address ???_NAT
    control-plane
    banner motd ^C

    As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc.?) it is hard to help.
    So just a guess:
    The "ip nat inside source route-map" statements are processed in lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end up in the wrong translation, which you should see with "show ip nat translation".
    HTH, Karsten

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public ip addresses
    Private interface: router-on-a-stick config (3 sub-interfaces, 3 different networks, 3 VLANs)
    I would like to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address via NAT, but I'm not sure about the configuration.  I could also redirect via policy-map and filter by URL content.
    So if you have some advice for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand, you want first that
    if somebody goes to A.local.com from the internet then he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public ip address and your local ip address.
    For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    That is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1
     ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3
    static mapping from local to public.
    I suppose you have done the dns mapping in your network and the ISP has done the same in his network.
    ip route 171.1.2.3 255.255.255.255 serial0/0
    or
    ip route 0.0.0.0 0.0.0.0 serial0/0
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this ip to only the http or https protocol on your ISP side and after that on your local network,
    like
    ip access-list extended ACL_WebServer1
     permit tcp any host 192.168.1.10 eq www
     deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ip access-group ACL_WebServer1 in
    no shut
    exit
    That is the first step. 
    Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
    I am not sure that it is possible using cisco router with (ZBF + Regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,

  • In which add-family,routing policy should apply for MPBGP ?

    Hi,
    In MPBGP, where should I apply the routing policy that does the as-path prepend, so that the route would be secondary to the neighbor?
    IGP OSPF and BGP over MPLS are running.
    On which address-family neighbor should I apply it: VPNV4, IPV4 or IPV4 VRF?
    If I want the 10.36.128.0/26 prefix to go to neighbor MPLS R2, what should I use, an access-list or a prefix-list?
    Please provide the reply with its config.
    Topology like
    regards,
    Ajay

    Hi Harlold,
    Thanks for reply...
    Please find the topology diagram
    1. Yes ,both are MPLS Network.
    2. L3VPN intraAS.
    3.Mpls router 1 and 2  are PE to connect the SPs MPLS rtr.
    4.My administration is upto Router R1.
    5. Both MPLS routers R1 and R2 belong to another vendor which is giving us the MPLS service, and they want us to advertise only the VRF MGMT subnets, with AS prepend.
    So I want to know where the route-map should be applied: is it in address-family vpnv4 or ?
    router bgp 64513
      no synchronization
      neighbor 10.49.5.230 remote-as 64513
      neighbor 10.49.5.230 update-source loopback1
    address-family vpnv4
        neighbor 10.49.5.230 activate
        neighbor 10.49.5.230 send-community both
        neighbor 10.49.5.230 route-map ONM_TO_AIR out
    route-map ONM_TO_AIR permit 10
    match ip add prefix-list ONM_TO_AIR
    set as-path prepend 64513 64513 64513 64513
    ip prefix-list ONM_TO_AIR permit 10.49.30.128/26
    will it work?
    or do I have to match extcommunity in the route-map, as it applies to the vpnv4 address-family?
    Regards,
    Ajay

  • Route Map Policy on SVI - Trunk from ESX

    Hi,
    I have a question regarding the following configuration.
    A route map matches traffic from a particular subnet, say on VLAN 10 (using an ACL).
    A route map policy is applied on this SVI (int vlan 10)
    A server on this subnet is running on ESX which is connected to the switch on a trunk port.
    The ESX host tags all frames from this server as VLAN 10.
    In this scenario, should the route map pick up the traffic from this server? I don't see why not, but in my testing it doesn't seem to be working :)
    Thanks for any help.

    Hi Alex,
    It's a 3750x (stack) with 12.2(55)SE5.
    I've already changed the SDM template to routing and rebooted the switch.
    I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
    Thanks again.
    Extended IP access list UPLINK2
        10 permit ip 192.168.1.0 0.0.0.255 any
        20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
    route-map ROUTE1 permit 10
     match ip address UPLINK2
     set ip next-hop 10.1.1.253
    interface Vlan10
     ip address 192.168.5.254 255.255.254.0
     ip policy route-map ROUTE1
    end
