PBR - adding a route map to an interface

Hello.
I cannot add a route-map to an interface on a C3750 stack
I have copied the switch details below
#sho ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 19:15 by nachen
Image text-base: 0x00003000, data-base: 0x01280000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEE3, RELEASE SOFTWARE (fc1)
Pleidelsheim_V1B_Core uptime is 16 hours, 43 minutes
System returned to ROM by power-on
System restarted at 22:01:48 CET Wed Mar 3 2010
System image file is "flash:/c3750-ipservices-mz.122-35.SE5.bin"
cisco WS-C3750G-24TS (PowerPC405) processor (revision P0) with 118784K/12280K bytes of memory.
Processor board ID CAT1130ZK5F
Last reset from power-on
9 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:1D:46:8C:22:80
Motherboard assembly number     : 73-7058-14
Power supply part number        : 341-0045-01
Motherboard serial number       : CAT113059LV
Power supply serial number      : PHI1114L1PJ
Model revision number           : P0
Motherboard revision number     : A0
Model number                    : WS-C3750G-24TS-E
System serial number            : CAT1130ZK5F
Top Assembly Part Number        : 800-22348-07
Top Assembly Revision Number    : A0
Version ID                      : V07
CLEI Code Number                : COM7700ARA
Hardware Board Revision Number  : 0x09
Switch   Ports  Model              SW Version              SW Image
*    1   28     WS-C3750G-24TS     12.2(35)SE5             C3750-IPSERVICES-M
     2   28     WS-C3750G-24TS     12.2(35)SE5             C3750-IPSERVICES-M
Switch 02
Switch Uptime                   : 16 hours, 43 minutes
Base ethernet MAC Address       : 00:21:A1:2E:78:00
Motherboard assembly number     : 73-7058-15
Power supply part number        : 341-0045-01
Motherboard serial number       : FDO121903D2
Power supply serial number      : LIT121603VV
Model revision number           : Q0
Motherboard revision number     : A0
Model number                    : WS-C3750G-24TS-E
System serial number            : CAT1105RGN2
Top assembly part number        : 800-22348-08
Top assembly revision number    : A0
Version ID                      : V08
CLEI Code Number                : COMUJ10ARA
Configuration register is 0xF
#sho sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
When I try to add the route map
interface Vlanx
ip policy route-map xx
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map xx not supported for Policy-Based Routing
Can anyone see what could be wrong?

Okay, just realised the route-map is not valid.
The settings are okay.
access-list 160 remark WIRELESS GUEST PBR FWD TRAFFIC
access-list 160 permit tcp 172.16.168.128 0.0.0.63 any
access-list 160 permit udp 172.16.168.128 0.0.0.63 any
access-list 160 permit ip 172.16.168.128 0.0.0.63 any
access-list 160 permit icmp 172.16.168.128 0.0.0.63 any
route-map GUEST_VLAN-to-WEB permit 20
description FWD REMAINING GUEST TRAFFIC TO PROXY
match ip address 160
set interface Null0
It doesn't like the set interface Null0.
How else could I set up a black hole?

Similar Messages

  • Applying "route-map" in interfaces with encapsulation dot1q

    Hello,
    I would like to ask whether there is any trouble in applying route-maps to an interface and its subinterfaces, as shown:
    interface GigabitEthernet0/2
     ip address 11.0.9.26 255.255.255.252
     ip policy route-map GestionRadios
    interface GigabitEthernet0/2.11
     encapsulation dot1Q 11
     ip address 11.0.9.18 255.255.255.252
     ip policy route-map RedOperativaA
    interface GigabitEthernet0/2.12
     encapsulation dot1Q 12
     ip address 11.0.9.22 255.255.255.252
     ip policy route-map RedOperativaB
    I am not sure if it is totally correct. Besides, I get this information doing "show ip policy" and it seems to be right.
    Router#show ip policy
    Interface      Route map
    Gi0/2          GestionRadios
    Gi0/2.11       RedOperativaA
    Gi0/2.12       RedOperativaB
    I would be very grateful for your help.
    Thanks in advance
    Regards,
    Sandro

    Sandro
    We do not have much to work with in your post so giving you really good answers is difficult. You do not tell us what type of device this is (I assume probably a router, but perhaps it is a layer 3 switch?) or what version of code it is running. These things make a difference sometimes in what is supported or is not supported. But since you get output in show ip policy then I assume that the device does support configuration of this feature.
    You show us the configuration of the interfaces but not the configuration of the route maps or the access lists which the route maps probably use. So we can not form an opinion of the validity of the route maps or the access lists.
    And you do not tell us whether the Policy Based Routing is working or not (and in fact you do not tell us for sure that you are doing PBR - though that is generally what route maps on the interfaces are doing) so we are not clear whether there is a problem here or not.
    But based on what you show us in this post I do not see any particular problems with the route maps and the way that you have applied them to interfaces (assuming that your goal is really to do PBR).
    HTH
    Rick

  • Route map does not applied on interface vlan

    Hi all,
    could you please tell me why I can't apply a route-map on an interface vlan?
    Below is my config:
    SWBBO(config-if)#ip policy route-map TEST
                               ^
    % Invalid input detected at '^' marker.
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Fri 04-Jan-13 01:38 by prod_rel_team
    ROM: Bootstrap program is C3750E boot loader
    BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
    BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
    System returned to ROM by power-on
    System restarted at 22:12:07 UTC Mon Feb 18 2013
    System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
    Best regards,
    James

    Hi jon,
    Below is the result of sh sdm prefer. So do I need an IP Services licence to apply the route-map on the interface vlan, or just enter the config "sdm prefer routing" and reboot the switch?
    SWBB0#sh sdm prefer
    The current template is "desktop default" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  6K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    8K
        number of directly-connected IPv4 hosts:        6K
        number of indirect IPv4 routes:                 2K
      number of IPv6 multicast groups:                  64
      number of directly-connected IPv6 addresses:      74
      number of indirect IPv6 unicast routes:           32
      number of IPv4 policy based routing aces:         0
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.875k
      number of IPv6 policy based routing aces:         0
      number of IPv6 qos aces:                          0
      number of IPv6 security aces:                     60
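As an added illustration (not from this thread or from Cisco), here is a small Python parser for the `show sdm prefer` output quoted above and in the first post. It reads the template name and each resource line, expands the K suffix, and reports how many IPv4 policy-based-routing ACEs the active template reserves; a value of 0, as in the "desktop default" output above, means the template sets aside no TCAM entries for PBR ACEs at all. The two sample outputs are copied from the posts; the function names are my own, and treating 1K as 1024 entries is an assumption of this example (the relative comparison holds either way).

```python
import re

# Sample outputs copied from the posts above: James' "desktop default" stack and the
# first post's "desktop routing" stack (only the resource lines matter to the parser).
DESKTOP_DEFAULT = """\
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv6 multicast groups:                  64
  number of directly-connected IPv6 addresses:      74
  number of indirect IPv6 unicast routes:           32
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 0.875k
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          0
  number of IPv6 security aces:                     60
"""

DESKTOP_ROUTING = """\
The current template is "desktop routing" template.
  number of unicast mac addresses:                  3K
  number of IPv4 unicast routes:                    11K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
"""

_TEMPLATE_RE = re.compile(r'The current template is "([^"]+)" template')
_RESOURCE_RE = re.compile(r'^\s*number of (.+?):\s+(\d+(?:\.\d+)?)\s*([kK]?)\s*$')


def parse_sdm_prefer(output: str) -> dict:
    """Return {'template': name, 'resources': {resource name: entry count}}.

    Sizes ending in K/k are expanded as 1K = 1024 entries (assumption of this example).
    """
    m = _TEMPLATE_RE.search(output)
    template = m.group(1) if m else None
    resources = {}
    for line in output.splitlines():
        m = _RESOURCE_RE.match(line)
        if not m:
            continue
        name, value, k_suffix = m.groups()
        resources[name] = int(float(value) * (1024 if k_suffix else 1))
    return {"template": template, "resources": resources}


def pbr_ace_capacity(parsed: dict, family: str = "IPv4") -> int:
    """Number of policy-based routing ACEs the template reserves (0 if the line is absent)."""
    return parsed["resources"].get(f"{family} policy based routing aces", 0)


def template_reserves_pbr(parsed: dict) -> bool:
    """True when the active template sets aside any TCAM entries for IPv4 PBR ACEs."""
    return pbr_ace_capacity(parsed) > 0


if __name__ == "__main__":
    for sample in (DESKTOP_DEFAULT, DESKTOP_ROUTING):
        p = parse_sdm_prefer(sample)
        print(f'{p["template"]}: IPv4 PBR aces = {pbr_ace_capacity(p)}, '
              f'reserves PBR = {template_reserves_pbr(p)}')
```

Running it on the two samples reports 0 PBR ACEs for "desktop default" and 512 for "desktop routing", which is the difference the question above is asking about.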

  • Route-map, vlan routing

    I have a 6509 that I've set up with route-maps in order to route VLANs in different ways. For example, if we wanted some vlans to get out to the internet we would route them to a certain address. Then there is another vlan that we route to another internet gateway. It was all working pretty good until we swapped out another switch gateway in the network, and ever since, things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch then back in, even though my access-lists are set to deny the traffic. Here are the access-lists and route-maps:
    access-list 10 permit 192.168.24.101
    access-list 10 permit 192.168.24.102
    access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
    access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
    access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
    access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
    access-list 104 permit tcp host 172.16.4.20 any eq www
    ip access-list extended BITCENTRAL_INTERNET
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 172.16.1.170 any
     permit ip host 172.16.1.150 any
    ip access-list extended EDIT_BAYS
     deny   ip any 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 any
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 192.168.25.2 any
     permit ip host 192.168.26.80 any
     permit ip host 192.168.25.104 any
     permit ip host 192.168.25.3 any
     permit ip host 192.168.26.69 any
     permit ip host 192.168.26.71 any
     permit ip host 192.168.27.33 any
    ip access-list extended ENPS
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 192.168.24.101 any
     permit ip host 192.168.24.102 any
     permit ip host 192.168.24.103 any
    ip access-list extended ENTRIQ
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
     deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip 172.16.8.0 0.0.0.255 any
    ip access-list extended MISC
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
     deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip 172.16.11.0 0.0.0.255 any
    ip access-list extended Omneon
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     permit ip host 172.16.2.11 any
     permit ip host 172.16.2.2 any
    ip access-list extended ROSS-VLAN
     deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
     deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
     permit ip host 172.16.4.20 any
     permit ip host 172.16.4.32 any
     permit ip host 172.16.4.31 any
     permit ip host 172.16.4.29 any
     permit ip host 172.16.4.30 any
     permit ip host 172.16.4.28 any
    vlan internal allocation policy ascending
    vlan access-log ratelimit 2000
    interface Vlan1
     no ip address
     shutdown
    interface Vlan10
     ip address 172.16.1.1 255.255.255.0
     ip policy route-map BITCENTRAL
    interface Vlan20
     ip address 172.16.2.1 255.255.255.0
     ip policy route-map OMNEON
    interface Vlan30
     ip address 172.16.3.1 255.255.255.0
    interface Vlan40
     ip address 172.16.4.1 255.255.255.0
     ip policy route-map ROSS-VLAN
    interface Vlan50
     ip address 172.16.5.1 255.255.255.0
    interface Vlan60
     ip address 172.16.6.1 255.255.255.0
    interface Vlan70
     ip address 172.16.7.1 255.255.255.0
    interface Vlan80
     ip address 172.16.8.1 255.255.255.0
     ip policy route-map ENTRIQ
    interface Vlan100
     ip address 192.168.27.1 255.255.252.0
     ip helper-address 192.168.7.255
     ip policy route-map OMNIBUS-VLAN
    interface Vlan110
     ip address 172.16.11.1 255.255.255.0
     ip helper-address 192.168.27.200
     ip policy route-map MISC
    interface Vlan120
     ip address 172.16.10.1 255.255.255.240
     ip policy route-map EDIT_BAYS
    interface Vlan140
     ip address 192.168.4.15 255.255.255.0
     ip directed-broadcast 10
    interface Vlan500
     ip address 192.168.1.19 255.255.255.224
    ip classless
    ip route 172.22.0.0 255.255.255.248 192.168.4.1
    ip route 192.168.0.0 255.255.255.224 192.168.4.254
    ip route 192.168.5.0 255.255.255.0 192.168.4.1
    route-map BITCENTRAL permit 60
     match ip address BITCENTRAL_INTERNET
     set ip next-hop 192.168.4.1
    route-map EDIT_BAYS permit 50
     match ip address EDIT_BAYS
     set ip next-hop 192.168.4.1
    route-map ENTRIQ permit 80
     match ip address ENTRIQ
     set ip next-hop 172.16.8.254
    route-map MISC permit 40
     match ip address MISC
     set ip next-hop 192.168.4.1
    route-map MSN permit 10
     match ip address 104
     set ip next-hop 192.168.4.1
    route-map OMNEON permit 20
     match ip address Omneon
     set ip next-hop 192.168.4.1
    route-map OMNIBUS-VLAN permit 30
     match ip address EDIT_BAYS
     set ip next-hop 192.168.4.1
    route-map OMNIBUS-VLAN permit 40
     match ip address ENPS
     set ip next-hop 192.168.4.1
    route-map ROSS-VLAN permit 70
     match ip address ROSS-VLAN
     set ip next-hop 192.168.4.1
    route-map SEC-VLAN permit 30
     match ip address SEC-VLAN
     set ip next-hop 192.168.4.1
    Here is how we tested the system and found the error. We cut the connection to the 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the IP address of 192.168.24.101 from the MISC vlan with an IP address of 172.168.11.9 the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again. What in my route-map is causing this? I thought I set up the deny rules pretty well?

    Hi Mike,
    Between you and me, this is a lengthy config you have there.
    Next, don't forget that a route-map doesn't apply to traffic originated by or destined to the device itself, unless you use ip local policy, which might work, but there I have seen some nasty bugs.
    So if you can shorten your config to one example, then do the tests:
     - sourced from device A (it can be the SVI of another switch)
     - through your 6509
     - destined to device B (it also can be the SVI of another switch, or even simpler some loopback interface).

  • How to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

    how to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

    Hi ,
    Have you got any additional public IP addresses from your service provider? If yes, on the router you can have a static route for those additional IP addresses pointing to your ASA outside interface.
    Accordingly you can configure NAT.
    HTH
    Sandy . 

  • Cisco 4900m, pbr, route-map

    Hi,
    My customer has a question, what is the limit for entries for the route-map for PBR that will be done in hardware? This applies to soft-4900M 12.2 (53) SG2. I need a reference to documentation.
    Regards,
    lb

    Hi Lukasz,
    the 4900M is a Data Center switch and not a Metro one, so it is more appropriate to post these types of questions in the Network Infrastructure > LAN Switching and Routing section
    (the 4900M should not be confused with the ME4900 series, which are Metro switches instead).
    Anyway it supports 128.000 Security and Quality-of-Service (QoS) Hardware Entries as documented here:
    http://www.cisco.com/en/US/products/ps6021/prod_models_comparison.html
    and here:
    http://www.cisco.com/en/US/partner/prod/collateral/switches/ps5718/ps6021/ps9310/Data_Sheet_Cat_4900M.html
    regards,
    Riccardo

  • Can't apply policy route-map on C3750 stack vlan interface

    Hi All.
    I've come up with this problem and I could see some people have had the same issue. I've tried to look through and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
    2 x WS-C3750G-24T-E in stack
    Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
    switch#sh sdm prefe
    The current template is "desktop IPv4 and IPv6 routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  1.5K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    2.75K
        number of directly-connected IPv4 hosts:        1.5K
        number of indirect IPv4 routes:                 1.25K
      number of IPv6 multicast groups:                  1.125k
      number of directly-connected IPv6 addresses:      1.5K
      number of indirect IPv6 unicast routes:           1.25K
      number of IPv4 policy based routing aces:         0.25K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.5K
      number of IPv6 policy based routing aces:         0.25K
      number of IPv6 qos aces:                          0.5K
      number of IPv6 security aces:                     0.5K
    There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map I can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there; it's not applied.
    Any help will be appreciated.
    Thanks.

    Hi Jon.
    Thanks for your reply. I didn't put those configs in as they're basic, without use of VRF and WCCP. Also I've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
    track 11 rtr 1 reachability
    track 22 rtr 2 reachability
    ip routing
    no ip dhcp use vrf connected
    interface GigabitEthernet1/0/1
    description ISP1
    no switchport
    ip address 9.9.9.2 255.255.255.252
    no ip proxy-arp
    no ip mroute-cache
    speed 100
    duplex full
    ipv6 address 2B01:4B8:0:3::2/64
    ipv6 ospf 1 area 0
    no mdix auto
    no cdp enable
    interface GigabitEthernet2/0/1
    description ISP2
    no switchport
    ip address 9.9.9.5 255.255.255.252
    ip ospf cost 10000
    speed 1000
    duplex full
    ipv6 address 2B01:4B8:0:7::2/64
    ipv6 enable
    ipv6 ospf cost 10000
    ipv6 ospf 1 area 0
    interface Vlan5
    description Company Ext Subnet
    ip address 9.9.8.1 255.255.255.128
    no ip proxy-arp
    no ip mroute-cache
    ipv6 address 2B01:4B8:1:22::1/64
    ipv6 ospf 1 area 15
    access-list 111 permit tcp any any eq www
    route-map pbr1 permit 10
    match ip address 111
    set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
    route-map pbr1 permit 20
    set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
    route-map pbr2 permit 10
    match ip address 111
    set ip next-hop verify-availability 9.9.9.6 1 track 11
    set ip next-hop 9.9.9.1
    route-map pbr2 permit 20
    set ip next-hop verify-availability 9.9.9.1 1 track 22
    set ip next-hop 9.9.9.6
    I've tried to apply both policies pbr1 and pbr2; it allowed me to do that without errors, but in the end it wasn't there.
    Cheers,

  • Route-Map Query

    Hi All,
    I'm trying to achieve the following -
    I have a host 10.44.125.70.
    If going to any internal address space I want the host to use a certain next hop (the VLAN interface on the core where this PBR is configured). Then if going to anywhere else (e.g. an external address), use a different next hop. I have the below but it doesn't seem to be working as expected. Is my first route-map entry catching all traffic? I'm sure what I'm trying to do is very simple...
    IP access list Sent_Inside
        10 permit ip host 10.44.125.70 172.12.0.0 0.0.15.255
        30 permit ip host 10.44.125.70 10.0.0.0 0.255.255.255
     IP access list Sent_Outside
        10 permit ip host 10.44.125.70 any
        20 permit ip host 10.44.125.70 any
    route-map TEST permit 20
     match ip address Sent_Inside
     set ip next-hop 10.44.125.1
    route-map TEST permit 30
     match ip address Sent_Outside
     set ip next-hop 10.44.141.7

    Exactly John, a different default route already exists. Because I have a static NAT on the ASA (10.44.141.7) for this host of mine, I need to make sure all Internet traffic uses the ASA and not the default route on the Core.
    What is happening at the moment is: if I have just the below, then the device 10.44.125.70 is accessible from the outside on my NAT'd external address (ASA config is all good and set up with NAT etc.). I then realised I could not access my host's internal IP within the network, so I added the extra parts to my route-map. Upon doing this my NAT stopped working (but I could then access my internal address internally). Not going to be able to test this again until tomorrow either, which isn't ideal.
     IP access list Sent_Outside
        10 permit ip host 10.44.125.70 any
        20 permit ip host 10.44.125.70 any
    route-map TEST permit 30
     match ip address Sent_Outside
     set ip next-hop 10.44.141.7

  • 3560 PBR including internal routes help

    I'm attempting to use PBR on a 3560 switch. Everything seems to be working OK but we have some periodic CPU interrupt spikes that are affecting performance.
    I have three vlans
    vlan 1 - 172.19.142.0/24
    vlan 2 - 172.20.142.0/24
    vlan 3 - 173.23.142.0/24
    route-map PBR permit 10
    match ip address 140
    set ip next-hop 192.168.250.2
    I'm trying to policy route all www and ssl traffic
    ip access-list 140 permit tcp any any eq www
    ip access-list 140 permit tcp any any eq 443
    However I have two problems
    1) I have internal web services, so I need www traffic from 172.23.142.0/24 to route to 172.19.142.0/24, and this policy sends all www traffic out the next hop of 192.168.250.2
    2) When I add to acl 140
    ip access-list 140 deny tcp 172.23.142.0 0.0.0.255 172.19.142.0 0.0.0.255 www
    The policy works as expected but CPU starts to spike.
    If I try to use 'set ip default next-hop XXXX' or change to 'route-map PBR deny 10' (for internal routed) the ip policy route-map pbr statement disappears from the vlan interface and cannot be re-added.  No errors are displayed, it's just like the command is ignored.
    I've looked at:
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#pbr
    Specifically
    •Do not match ACLs that permit packets destined for a local address
    •Do not match ACLs with deny ACEs
    I'm looking for a way to implement PBR for selective traffic (www and 443), but keep the internal routing intact using the same protocols (www and 443).
    Any suggestions would be appreciated.
    Thanks,
    Tom

    I'm not entirely sure this will work but it is worth a try. If you can't use local subnets then you need to specify all possible internet addresses. The acl below uses wildcard masks to specify every possible internet address. Due to the way wildcard masks work, all traffic between 172.16.x.x and 172.31.x subnets does not match the acl. If you wanted to be more specific to your subnets you could be, but it would make the acl considerably longer. But as this whole range is private addressing it doesn't really matter, or shouldn't.
    Also, to keep the acl short it does allow traffic to the other private address ranges, i.e. 10.x.x.x and 192.168.x.x, but then so did your original acl. So you only need one permit statement in your route map which sets the next hop to 192.168.250.2.
    I have assumed that you do not have any http/https traffic between internal subnets that you actually want to policy route. If you do this acl would not match and therefore they would be routed using the normal routing table.
    permit tcp any 0.0.0.0 127.255.255.255  eq www   - covers all class A networks
    permit tcp any 0.0.0.0 127.255.255.255  eq ssl
    permit tcp any 128.0.0.0 31.255.255.255 eq www  -  128.0.0.0 -> 159.255.255.255
    permit tcp any 128.0.0.0 31.255.255.255 eq ssl
    permit tcp any 160.0.0.0 7.255.255.255 eq www -  160.0.0.0 -> 167.255.255.255
    permit tcp any 160.0.0.0 7.255.255.255 eq ssl
    permit tcp any 168.0.0.0 3.255.255.255 eq www    - 168.0.0.0 -> 171.255.255.255
    permit tcp any 168.0.0.0 3.255.255.255 eq ssl
    permit tcp any 172.0.0.0 0.15.255.255 eq www  - 172.0.0.0 -> 172.15.255.255
    permit tcp any 172.0.0.0 0.15.255.255 eq ssl
    permit tcp any 172.32.0.0 0.31.255.255 eq www - 172.32.0.0 -> 172.63.255.255
    permit tcp any 172.32.0.0 0.31.255.255 eq ssl
    permit tcp any 172.64.0.0 0.63.255.255 eq www - 172.64.0.0 -> 172.127.255.255
    permit tcp any 172.64.0.0 0.63.255.255 eq ssl
    permit tcp any 172.128.0.0 0.127.255.255 eq www  - 172.128.0.0 172.255.255.255
    permit tcp any 172.128.0.0 0.127.255.255 eq ssl
    permit tcp any 173.0.0.0 0.255.255.255 eq www - 173.0.0.0 -> 173.255.255.255
    permit tcp any 173.0.0.0 0.255.255.255 eq ssl
    permit tcp any 174.0.0.0 1.255.255.255 eq www  - 174.0.0.0 -> 175.255.255.255
    permit tcp any 174.0.0.0 1.255.255.255 eq ssl
    permit tcp any 176.0.0.0 15.255.255.255 eq www - 176.0.0.0 -> 191.255.255.255
    permit tcp any 176.0.0.0 15.255.255.255 eq ssl
    permit tcp any 192.0.0.0 31.255.255.255 eq www  - 192.0.0.0 -> 223.255.255.255
    permit tcp any 192.0.0.0 31.255.255.255 eq ssl
    Like I say, no guarantees, and I have no idea what this will do to the switch in terms of CPU etc., but probably worth a try.
    Jon
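To sanity-check Jon's wildcard-mask ACL above without touching a switch, here is an added Python example (mine, not Jon's, Tom's or Cisco's) that applies Cisco wildcard semantics (a 1 bit in the mask means "don't care") to each destination range, converts each range to its first and last address, and reports the gaps left between 0.0.0.0 and 223.255.255.255. It confirms that the only destinations the ACL never matches are 172.16.0.0 through 172.31.255.255, so with this ACL (and no deny ACEs, which the 3560 note quoted above rules out) web/SSL traffic between 172.16/12 subnets stays on normal routing while everything else is policy-routed. It also shows that a 173.23.142.x address, which is how VLAN 3 is written in Tom's post, would still be matched. Ports are ignored because every www line has an ssl twin with the same addresses; the function names are my own.

```python
import ipaddress

# Destination network/wildcard pairs copied from Jon's ACL above (ports ignored).
DEST_WILDCARDS = [
    ("0.0.0.0", "127.255.255.255"),
    ("128.0.0.0", "31.255.255.255"),
    ("160.0.0.0", "7.255.255.255"),
    ("168.0.0.0", "3.255.255.255"),
    ("172.0.0.0", "0.15.255.255"),
    ("172.32.0.0", "0.31.255.255"),
    ("172.64.0.0", "0.63.255.255"),
    ("172.128.0.0", "0.127.255.255"),
    ("173.0.0.0", "0.255.255.255"),
    ("174.0.0.0", "1.255.255.255"),
    ("176.0.0.0", "15.255.255.255"),
    ("192.0.0.0", "31.255.255.255"),
]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = _to_int(addr), _to_int(network), _to_int(wildcard)
    keep = ~w & 0xFFFFFFFF          # bits that must match the network exactly
    return (a & keep) == (n & keep)


def wildcard_range(network: str, wildcard: str) -> tuple:
    """First and last address covered by a contiguous wildcard (ones only in the low bits)."""
    n, w = _to_int(network), _to_int(wildcard)
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return (n & ~w & 0xFFFFFFFF, n | w)


def destination_matched(addr: str) -> bool:
    """Would a packet to this destination be policy-routed by Jon's ACL?"""
    return any(wildcard_matches(addr, n, w) for n, w in DEST_WILDCARDS)


def uncovered_ranges(pairs=DEST_WILDCARDS, low="0.0.0.0", high="223.255.255.255"):
    """Dotted-quad (first, last) gaps inside [low, high] that no wildcard pair covers."""
    ranges = sorted(wildcard_range(n, w) for n, w in pairs)
    cursor, limit, gaps = _to_int(low), _to_int(high), []
    for first, last in ranges:
        if first > cursor:
            gaps.append((cursor, min(first - 1, limit)))
        cursor = max(cursor, last + 1)
        if cursor > limit:
            break
    if cursor <= limit:
        gaps.append((cursor, limit))
    return [(_to_str(a), _to_str(b)) for a, b in gaps]


if __name__ == "__main__":
    print("unmatched destination ranges:", uncovered_ranges())
    for dst in ("172.19.142.5", "173.23.142.5", "192.168.1.1", "8.8.8.8"):
        print(dst, "policy-routed" if destination_matched(dst) else "normal routing")
```

The gap list comes back as exactly one range, 172.16.0.0 to 172.31.255.255, which is the intended hole for intra-site traffic; anything else in the unicast space, including the other private ranges Jon mentions, is matched.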

  • Managing Route-Map based MPLS VPN

    1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
    2) Is there any MIB to get from the MIB
    a) Route-maps tied to each VRF
    b) What is the filter associated with each route-map?
    c) Definition of each of the above filter
    It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
    It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straightforward through the MplsVpn MIB.
    So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
    Thanks,
    Suresh R

    Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
    The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
    http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html

  • Route map no match

    Hi,
    what is the reason for not having any match, in the acl for the route-map?
    Current configuration : 1731 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    ip cef
    interface Loopback0
     ip address 192.168.0.1 255.255.255.0
    interface Loopback1
     ip address 192.168.1.1 255.255.255.0
    interface Loopback200
     ip address 196.0.0.1 255.255.255.0
    interface FastEthernet0/0
     ip address 195.0.0.1 255.255.255.0
     ip policy route-map r_teste
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial1/0
     ip address 10.0.0.2 255.255.255.252
     serial restart-delay 0
    interface Serial1/1
     ip address 172.16.0.2 255.255.255.252
     serial restart-delay 0
     clock rate 128000
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    router bgp 100
     no synchronization
     bgp log-neighbor-changes
     network 192.168.0.0
     network 192.168.1.0
     neighbor 10.0.0.1 remote-as 200
     neighbor 172.16.0.1 remote-as 300
     no auto-summary
    ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.16.0.1
    access-list 40 permit any
    route-map anuncia1 permit 20
     match ip address 20
    route-map anuncia0 permit 10
     match ip address 10
    route-map r_teste permit 10
     match ip address 40
     set ip default next-hop 10.0.0.1
    control-plane
    line con 0
    line aux 0
    line vty 0 4
     login
    end
    R2#ping 192.168.55.1 source 195.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
    Packet sent with a source address of 195.0.0.1
    Success rate is 0 percent (0/5)
    R2#sh access-lists
    Standard IP access list 10
        10 permit 192.168.0.0, wildcard bits 0.0.0.255
    Standard IP access list 20
        10 permit 192.168.1.0, wildcard bits 0.0.0.255
    Standard IP access list 30
        10 permit 195.0.0.0, wildcard bits 0.0.0.255
    Standard IP access list 40
        10 permit any
    Extended IP access list 100
        10 permit ip any 192.168.55.0 0.0.0.255
    R2#
    Is it possible without changing the BGP?
    thanks

    Default PBR:
    All packets received on an interface (ingress) with PBR enabled are entertained: first they should match through the ACL, then be forwarded to the next hop. If a match exists (through the ACL) but the packet is not forwarded to the next hop, then nothing is done with this packet, especially for ICMP packets.
    I think you need  Local PBR:
    Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
    ip local policy route-map TEST
    Regards,
    kazim

  • Route Map - Delete Sequence Number

    Hi All,
    Taking the cisco example below, which demos how to PBR.
    access-list 1 permit 209.165.200.225
    access-list 2 permit 209.165.200.226
    interface ethernet 1
     ip policy route-map Texas
    route-map Texas permit 10
     match ip address 1
     set ip precedence priority
     set ip next-hop 209.165.200.227
    route-map Texas permit 20
     match ip address 2
     set ip precedence critical
     set ip next-hop 209.165.200.228
    How would I safely remove sequence number 20 from the above?
    Many thanks.

    Hi John,
    no route-map Texas 20 worked good.
    thanks

  • Route-Map Equal Access

    Dears
    Please, if I configure a route-map for two access lists like below,
    interface tengig 1
    ip policy route-map ABC
    access-list 101 permit tcp any eq www 1.1.1.0 0.0.0.255
    access-list 102 permit tcp any eq www 2.2.2.0 0.0.0.255
    route-map ABC permit 10
    match ip add 101
    set ip next-hop 50.1.1.1
    route-map ABC permit 20
    match ip add 102
    set ip next-hop 60.1.1.1
    is it necessary to write the statement below?
    route-map ABC permit 30
    set default interface null0

    Rawa
    If you do that, any packets that don't match ACL 101 or ACL 102, and for which there is no explicit route in the routing table, will be routed to Null0. So it depends on whether you want that or not.
    I explained this before: if a packet does not match any PBR route-map statement, then that packet will be routed using the routing table. However, in your example, because you have not specified a match statement in the last sequence, all packets that didn't match the ACLs or have an explicit route in the routing table will be routed to Null0.
    Jon
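    The two points made in the replies above, kazim's (router-generated packets are only policy-routed once ip local policy is configured) and Jon's (a permit sequence with no match clause catches every packet that reaches it), as an added example that models how IOS walks a policy route-map; this is not code from the thread, and the ACLs, next hops and routing table are constructed.

```python
"""Added example: a small model of IOS policy route-map evaluation.
ACL contents, next hops and the routing table are constructed."""
import ipaddress

# Constructed ACLs 101/102 from the thread: protocol, destination port, destination net.
ACLS = {
    101: [("tcp", 80, ipaddress.ip_network("1.1.1.0/24"))],
    102: [("tcp", 80, ipaddress.ip_network("2.2.2.0/24"))],
}
# Route-map ABC as posted; acl None means "no match clause" (matches everything).
ROUTE_MAP_ABC = [
    (10, "permit", 101, {"next_hop": "50.1.1.1"}),
    (20, "permit", 102, {"next_hop": "60.1.1.1"}),
    (30, "permit", None, {"default_interface": "Null0"}),
]
# Constructed routing table: a default route plus one explicit route.
RIB = [(ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1"),
       (ipaddress.ip_network("9.9.9.0/24"), "10.0.0.9")]

def acl_matches(acl_id, pkt):
    dst = ipaddress.ip_address(pkt["dst"])
    return any(pkt["proto"] == p and pkt["dport"] == port and dst in net
               for p, port, net in ACLS[acl_id])

def lookup_rib(dst, explicit_only=False):
    """Longest-prefix match; explicit_only ignores the 0/0 default route."""
    dst = ipaddress.ip_address(dst)
    cands = [(net, nh) for net, nh in RIB
             if dst in net and not (explicit_only and net.prefixlen == 0)]
    return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None

def forward(pkt, route_map, local_policy=False):
    """Return the next hop (or interface) the packet is sent to."""
    # Locally generated traffic bypasses interface PBR unless ip local policy is set.
    if pkt.get("local") and not local_policy:
        return lookup_rib(pkt["dst"])
    for _seq, action, acl, sets in route_map:        # first matching sequence wins
        if acl is not None and not acl_matches(acl, pkt):
            continue
        if action == "deny":                          # deny: fall back to normal routing
            return lookup_rib(pkt["dst"])
        if "next_hop" in sets:                        # set ip next-hop wins over the RIB
            return sets["next_hop"]
        # set default interface: only used when no explicit (non-default) route exists
        return lookup_rib(pkt["dst"], explicit_only=True) or sets["default_interface"]
    return lookup_rib(pkt["dst"])                     # nothing matched: normal routing
```

    Dropping sequence 30 (ROUTE_MAP_ABC[:2]) sends unmatched packets back to the routing table, which is the difference Jon describes.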

  • Route-Map not taken on 3850 IP Services

    Something odd I am seeing.
    Trying to use a 3850 L3 switch running IP Services, XE ver 03.03.03SE, to do some policy routing on one of the VLAN interfaces.
    Interface VLAN 10
    ip address 208.x.y.z 255.255.255.0
    ip policy route-map Use_Route1
    It seems to take the command but when I look back with a show run interface vlan 10, it is not there.
    Also when I look at the show route policy it indicates that 0 packets have been processed.
    Is this a bug or am I missing something?

    Hi Richard,
    The Cisco 3850, even running the full IP Services image, does not support the verify-availability command to track with IP SLA.
    If you enable terminal monitor or configure the device using the console, you can see the syslog message when you try to configure the route-map with the set ip next-hop verify-availability command:
    %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map <name> not supported for Policy-Based Routing
    You can see the route-map command showing up in the config, BUT as soon as you try to apply it to interface Vlan10 the command will not be applied and PBR will not work.
    I hope Cisco finds a way to fix this!!
    Workaround:
    You can use an EEM applet with IP SLA:
    event manager applet internet_up
     event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up"
     action 2.0 cli command "enable"
     action 3.0 cli command "config t"
     action 3.2 cli command "interface Vlan10"
     action 3.3 cli command "ip policy route-map Use_Internet"
     action 3.4 cli command "exit"
    event manager applet internet_down
     event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down"
     action 2.0 cli command "enable"
     action 3.0 cli command "config t"
     action 3.2 cli command "interface Vlan10"
     action 3.3 cli command "no ip policy route-map Use_Internet"
     action 3.4 cli command "exit"
    Repeat the same process for the other IP SLA tracking you have.
    Hope this helps
    Santhosh

  • BGP Outbound Route-Map Question

    Hi Experts,
    Just need your help again. I was doing a lab and I came across this weird behaviour with a BGP outbound route-map. The diagram is simple.
    Please see attached diagram. Sorry for the very poor illustration. R6 has iBGP peering to both R4 and R1. Both R1 and R4 have eBGP peering to R5. No IGP running on any routers as well to keep things simple. There are 2 things to do.
    * Create a static route for 160.1.0.0/16 pointing to Null0 on both R1 and R4 and advertise to BGP via network statement but only R5 should be able to see the 160.1.0.0/16 route. R6 should not receive it.
    * Advertise R5's /32 loopback interface to BGP but ensure R6 has that route in its routing table. Don't use next-hop-self on both R1 and R4. Don't advertise the WAN link via the network command.
    I'll just illustrate R4 and R6 here to keep things straight forward.
    R4#sh ip bgp
    BGP table version is 5, local router ID is 150.1.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *> 150.1.5.5/32     155.1.45.5               0             0 100 i
    *> 160.1.0.0        0.0.0.0                  0         32768 i
    R6#sh ip bgp
    BGP table version is 11, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    * i150.1.5.5/32     155.1.45.5               0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    The first task was achieved as the 160.0.0.0/16 route is not present in R6's table. I used these commands in R4.
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     network 160.1.0.0
     neighbor 155.1.45.5 remote-as 100
     neighbor 155.1.146.6 remote-as 65000
     neighbor 155.1.146.6 route-map R6_OUT out
     no auto-summary
    route-map R6_OUT deny 5
     match ip address prefix-list AGGR
    route-map R6_OUT permit 1000
    ip prefix-list AGGR seq 5 permit 160.1.0.0/16
    So with the configuration above, it is clear that R4 is hitting route-map line 5 to deny 160.1.0.0/16 being advertised to R6. I also removed line 5 to validate whether the /16 route would then be advertised to R6, and it was, so the route-map configuration above is confirmed working.
    Next, advertise loopback 0 of R5 to R6 and make sure it is a valid route in BGP table without the use of next-hop-self or WAN advertisement.
    I used the following configuration.
    ip prefix-list R5_LINK seq 5 permit 155.1.45.5/32
    route-map R6_OUT permit 10
     match ip route-source R5_LINK
     set ip next-hop 155.1.146.4
    I inserted line 10 between route-map sequences 5 and 1000. So R4 would check its route table for routes with 155.1.45.5 as route source, then advertise them to R6 with a next-hop address of 155.1.146.4. It worked!
    R6#sh ip bgp
    BGP table version is 15, local router ID is 150.1.6.6
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *>i150.1.5.5/32     155.1.146.4              0    100      0 100 i
    * i                 155.1.0.5                0    100      0 100 i
    *>i160.1.0.0        155.1.146.4              0    100      0 i
    As you can see above, the 150.1.5.5 route is now a valid BGP route but, surprisingly, the 160.1.0.0/16 route is there! From what I have seen, BGP skipped line 5 and started at 10. Even if I insert the same rule as line 5 and make it line 15, it's not working. The /16 route is still being advertised. If I remove the match ip route-source clause in sequence 10 then it withdraws the 160.1.0.0/16 route again. It looks like "match ip route-source" is not very friendly with direct filtering towards BGP neighbors, but I saw it being used with a BGP inject-map and it worked well.
    R4#sh route-map
    route-map R6_OUT, deny, sequence 5
      Match clauses:
        ip address prefix-lists: AGGR
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 10
      Match clauses:
        ip route-source (access-lists): R5_LINK
      Set clauses:
        ip next-hop 155.1.146.4
      Policy routing matches: 0 packets, 0 bytes
    route-map R6_OUT, permit, sequence 1000
      Match clauses:
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Any thoughts why this is happening?
    Thanks in advance.

    Hi John,
    I did a small lab to test the "match ip route-source" feature and it is working fine. Please check the config and output below.
    R4 does not have 172.16.16.0/24, nor the routes for which the next hop is not 1.1.1.1. In case you are still facing the issue, please share the output of "debug ip bgp updates out".
    Topology
    R1--ebgp--R3---ibgp---R4
    R3#show ip b su | b Nei
    Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    1.1.1.1         4          100      34      36       29    0    0 00:27:37        7
    4.4.4.4         4          300       9      12       29    0    0 00:04:12        0
    R3#
    R3#sh route-map TO-R4
    route-map TO-R4, deny, sequence 10
      Match clauses:
        ip address prefix-lists: DENY-PREFIX 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    route-map TO-R4, permit, sequence 20
      Match clauses:
        ip route-source (access-lists): 20 
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    R3#
    R3#show ip prefix-list DENY-PREFIX
    ip prefix-list DENY-PREFIX: 1 entries
       seq 5 permit 172.16.16.0/24
    R3#
    R3#sh ip access-lists 20
    Standard IP access list 20
        20 permit 1.1.1.1 (25 matches)
    R3#
    R3#show ip b
    BGP table version is 29, local router ID is 3.3.3.3
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *  172.16.8.0/22    1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.16.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.17.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.19.0/24   1.1.1.1                  0             0 100 i
    *> 172.16.20.0/22   1.1.1.1                  0             0 100 i
    *  172.16.24.0/30   1.1.1.1                  0             0 100 i
    *>                  172.31.13.1             20         32768 i
    *> 172.16.80.0/22   1.1.1.1                  0             0 100 i
    R3#
    R4#show ip b
    BGP table version is 53, local router ID is 4.4.4.4
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, x best-external
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    r>i172.16.17.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.19.0/24   1.1.1.1                  0    100      0 100 i
    r>i172.16.20.0/22   1.1.1.1                  0    100      0 100 i
    *>i172.16.80.0/22   1.1.1.1                  0    100      0 100 i
    R4#
    --Please don't forget to rate helpful posts--
    Regards,
    Akash
