Policy Routing - Unix and MS (Dare I ask?)
Guys,
Need to route out of a dual homed Unix and Windows box based on the source address or source interface as not to follow the default route.
ie, Packet arrives at host x on interface eth0 but the default route is out of eth1 so I get assemetric packet forwarding on the box.
I think ipfw is the way to policy route on unix, but anyone got a plan for windows?
Many thx indeed, and kind regards,
Ken
The standard action, as performed by router software (such as Cisco IOS), is to select the next hop address and the output device. I will refer to this action as a "match & set" style of action. However, Linux takes a much more flexible approach. In Linux, there are several actions to choose from. The default action performs a route lookup from a specified destination-based routing table. The match & set action then becomes the simplest case of Linux route selection, which is realized when the specified destination-based routing table contains only a single default route. Linux supports multiple routing tables, containing multiple standard destination routes. Bear in mind that each of these routing tables is the same as the entire routing table for any other OS. Linux effectively provides 255 Ciscos to choose from. (For number freaks, Linux 2.2.12 supports 255 routing tables, 255 aggregate realms, and 232 (4294967296 decimal) policy rule priorities.
Similar Messages
-
It is asking for a router name and password???
The sales person told me how easy this would be to set up..."just plug it in" he said...right. Anyhoo - I disconnected my ancient wireless router and put the cd in - started doing its thing and then it asks for a router name and password...the only name and password I have is from my old ancient router...how could it be the same? Where do I find this info? Thank you for any help!
Just go to the Linksys support site, find your router model and hardware version there, and download the User Guide or User Manual for your router, and there's all kinds of useful information there. I'm surprised that there isn't a "Quick Start" guide in with the router that gives basic instructions like go to 192.168.1.1 and then how to login to set up your router. But it is in the downloaded user manual for sure.
-
Just purchased a new router yesterday since ours got struck by lightning. Now my husband's iphone and my ipad are asking for guest wifi passwords. Don't understand.
Some new routers come with the standard connection as well as a guest account. The guest account can be used for when friends come over and want to use your Wi-Fi connection. You can give them the guest account password and still keep the main account password private. Make sure you are logging on to the main connection and not the guest account.
-
Multiple routing tables and/or policy routing
Hey all,
I'm trying to configure a Mac Mini (10.8) for multiple routing tables and policy routing. This server runs Ostinato, a freeware traffic generator. My purpose is to generate traffic on multiple VLANs towards different gateways and different destinations. To that end, I have VLAN tagged the (only) Ethernet port and configured 5 VLANs on it. The first one has the default route (I manage this Mac over this VLAN). The other four have IP addresses in the test range I'm using.
The goal is to have traffic sourced from IP-address-X go out vlanX towards gateway-X. It's counterpart on the far end runs Linux and I have configured it in this way:
ip route add default via <gateway-X> dev ethX table X
ip rule add from <network-X> table X priority X
Researching on OpenBSD forums (since it's the base of MacOS X), provided this:
route -T X add 0.0.0.0/0 -iface <gateway-X>
echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -
However, the Mountain Lion "route" command does not support the -T option, so that killed that idea. Another forum suggested that this would have worked on 10.4:
ipfw add X fwd <gateway-X> ip from <IP-address-X> to any
I tried this on 10.8 though the man page says it's deprecated, and (surprise, surprise) it did not work.
Any ideas to get this working appreciated!
Thanks,
AaronStill doesn't have it in 10.9.4.
irene:~ cschwartz$ sudo bash
bash-3.2# route -T add
route: illegal option -- T
usage: route [-dnqtv] command [[modifiers] args]
I'm guessing you want policy-based routing due to VLANs...? If you can get a USB-to-Ethernet adapter, then maybe you can work around this by using multiple physical links instead of VLAN tagging. But if you need source-based routing etc. then no. -
ASR 9000 route-policy on ipv4 and vpnv4 neighbors
Hi
To reduce configuraton i would like to use the same route-policy for ipv4 and vpnv4 routes from the same neighbors on ASR 9000.
I know that a "pass all" route-policy will work just fine, also a route-policy like this works fine:
route-policy eBGP_NEIGHBORS
set local-preference 50
endif
end-policy
But why doesn´t this route-policy work?
rd-set EXT_SERVICES_PRIMARY
1.1.1.1:*
end-set
rd-set EXT_SERVICES_SECUNDARY
2.2.2.2:*
end-set
route-policy eBGP_NEIGHBORS
if rd in EXT_SERVICES_PRIMARY then
set local-preference 120
elseif rd in EXT_SERVICES_SECUNDARY then
set local-preference 20
else
set local-preference 80
endif
end-policy
The effect of this is that vpnv4 routes looks just fine but ipv4 routes is missing in bgp table. I have tryed all kind of configs but it just will not work, what am i missing?
The idea of this route-policy is that routes advertised by rd 1.1.1.1 will act as primary and rd 2.2.2.2 as secundary.
1.1.1.1 and 2.2.2.2 is handleing the same routes.
1.1.1.1 is located in one AS and 2.2.2.2 in an other AS
my ASR that i am working on is in a third AS
And alla other routes will have a default local-pref of 80If you watch the if statement, you're challenging that if the RD is something, or else, else... but, maybe, it doesn't work if you don't have an RD.
Based on the Mohit's answer I think that maybe, that's the reason.
route-policy eBGP_NEIGHBORS
if rd in EXT_SERVICES_PRIMARY then
set local-preference 120
elseif rd in EXT_SERVICES_SECUNDARY then
set local-preference 20
else <<< So if not "EXT_SERVICES_PRIMARY" and not "EXT_SERVICES_SECUNDARY", but stills in "if rd.."
set local-preference 80
endif
Mohit's:
route-policy eBGP_NEIGHBORS
if rd in EXT_SERVICES_PRIMARY then
set local-preference 120
elseif rd in EXT_SERVICES_SECUNDARY then
set local-preference 20
endif
set local-preference 80 >>>> Outside the if statement!
end-policy.
Let us know if the Mohit's answer worked! Just to learn something new :) -
Policy routing and black hole filtering on 6500
I have a 6500 with many SVIs configured and every one with multiple ip addresses. The users are accessing the network through these SVIs. For access control I use the black hole filtering method by dinamically injecting static routes to Null 0 for every user that is not authenticated.
But I need these users to reach one server to authenticate.
Is there a way to do this besides putting the server inside every VLAN ? Something like policy routing all the packets to the server to exit the server interface and the response packets to reach the user bypassing the global routing table ? Maybe using a vrf for the server only ?
Thanx.Dave Northampton UK here.
We seem to have different consumer laws to US it seems?
Here the RETAILER is wholly responsible for the goods he sells. If such a case as this arose there would be NO time limit of 15 days, if the goods were found not to be of "merchantable quality" the time factor would not matter, certainly up to a year!
Certainly a retailer can take matters up with their supplier/manfctr but the CUSTOMER must get a new, working product PDQ or a total refund..IN CASH or put on a card, no credit notes or any other such swaddling!
Of course! Many shops wriggle and tell people porkies but in the end that is da law!
Dave. -
Want to us my time capsule model A1409 as only backup. 2 TB hard drive.
Already have Verizon wireless router. Do not want to use Time capsule as router, only back up for iMac.
Do not know which cable port to use in back of time capsule to Ethernet port back of my iMac.
And also it is asking for password for the server John Garland's Time Capsule so Time machine can access it..
Have tried all of passwords can think of and none work.
Held the reset button for one second on back of capsule and do not see if anything happened.
What a conundrum.
Appreciate any help to get this working.
Thanks,
John RI have a 2TB Timecapsule and really only use it for Time Machine backups. But the Wi-Fi side is used to sync my iPad at times.
Mine is wiredup thus;
Eth cable from iMac to modem (not the WAN port should you have one), then eth cable from modem to T/Cap in the WAN port (bottom port with an O sign above it)
I believe when its connected up you may have to set up a wireless network. Follow the instructions to set up Wi-Fi and Network
and then give it a password. The WiFi icon should appear in the menu bar where you can switch it on or off.
Its been sometime since I set it with the help of Apple Techs so I might be a bit rusty.
Alan -
UCCE 7.5.1 - CTI Route Point and CTI Ports not registering in UCM 7.1
We are in a middle of a new installation of UCCE 7.5.1. The customer will use it only for Outbound calls. The design is to have on PROGGER and one AW, with a cluster of two CallManagers. All the setup has finished regarding the UCCE. Also, the CallManagers have been configured, regarding the CTI Route Point and the CTI Ports. All of these are associated with the PG USER which is CTI Enabled. Configuration on UCCE has been done, including the DIALER, except for the agents and the campaigns.
The problem is that the CTI Route Point and the CTI Ports on CallManager are not registering. Is this normal, since the agents and the campaigns have not been configured yet or there is an error somewhere?Looks fine.
Is the Dialer running? Maybe those 30VIP phones the Dialer uses as ports to dial from won't be registered until the Dialer starts.
But they should also be registered if you start dialogictest over the full set.
What's the "route point". Who asks for it? Is it a dialed number that runs a script?
Regards,
Geoff -
Router WebVPN and client certificate
Hello!
In my test lab I can't to make work my webvpn configuration =\
I have several components: MS AD, MS CS (but without NDES), router 2911 and client computer. Client and router have a certificate from MS CS. In my configuration I use authentication by certificate or aaa (LDAP) and authentication by aaa working good. But authentication by client certificate doesn't work. And my internal https services don't work also - "Invalid or no certificate", but this strange because I imported CA certificate for this.
Can you help me make it works?
My 2911 version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(3)T, RELEASE SOFTWARE (fc1)
My Config:
aaa authentication login webvpn group ldap local
ip local pool webvpn 192.168.200.1 192.168.200.254
bind authenticate root-dn cn=webvpn,ou=staff,dc=domain,dc=com password P@ssw0rd
webvpn gateway vpn
ip address <ip address> port 4443
ssl trustpoint root-ca
inservice
webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
webvpn context employee
ssl authenticate verify all
login-message "VPN Portal"
policy group policy1
url-list "inside"
functions svc-enabled
filter tunnel VPN-SPLIT
svc address-pool "webvpn" netmask 255.255.255.0
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.1.1
svc dns-server secondary 192.168.1.2
citrix enabled
virtual-template 1
default-group-policy policy1
aaa authentication list webvpn
gateway vpn
authentication certificate
username-prefill
ca trustpoint root-ca
user-profile location flash0:/userprof
inservice
crypto pki trustpoint root-ca
enrollment terminal
revocation-check none
rsakeypair root-ca
I imported certificate from pkcs12 with CA certificate.
From my debug (this is happend then i try to access to my webvpn portal and I choose my certificate from MS CS for access)
Jun 5 11:22:39: WV: validated_tp : cert_username : matched_ctx :
Jun 5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun 5 11:22:39: WV: failed to get sslvpn appinfo from opssl
Jun 5 11:22:39: WV: Error: No certificate validated for the client
Can anybody explain me why it doesn't work?Hi,
did you find any solution for this? As I am in it seems the same situation now.
I am testing it with Cisco 2911 - IOS version 151-3.T4 and last anyconnect client for Android (Samsung Galaxy S III mobile)
Thanx for any advice/help
Pavel -
Ipfilter: does policy routing work on Solaris 10?
Hello,
- Does the ipf redirection (aka policy routing) feature work with the
ipfilter that comes with Solaris 10?
I would like to use the the ipf redirection statements "to
interface:router_ip" or "reply-to interface:router_ip" as decribed in
http://coombs.anu.edu.au/~avalon/ipf.new.txt
(The syntax is mentionned in the BNF of the Solaris 10 ipf(4) man
page, but the explanations there are lacking.)
On a machine that has two interfaces, the purpose is to send output
reply packets of a TCP session to the same interface that the input
packets came from. The idea to use ipfilter to do this comes from the
blog entry:
Packets out of the wrong interface
http://blogs.sun.com/carlson/entry/packets_out_of_the_wrong
My first try was to use "reply-to" in a "keep state" rule:
pass in quick on e1000g305000 reply-to e1000g305000:10.13.5.1 proto tcp from any to any port = 443 keep state keep frags group i_sso-test1
Which I understand as "once a connection to port 443 starts on
interface e1000g305000 send all reply packets to the same interface to
the gateway 10.13.5.1"
But it does not work; in the ipf log it shows that the rule matched:
22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
But the reply packet is not seen on the router (10.13.5.1), nor does
it get to 10.194.17.11 through another route (no firewall on that
machine).
My second try was to use two stateless rules, and to do "source port
routing" for outgoing packets:
pass in quick proto tcp from any to any port = 443 group i_sso-test1
pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
pass out quick proto tcp from any port = 443 to any group o_sso-test1
Which I understand as "incoming packets to port 443 are allowed and
outgoing packets from port 443, if passing on interface e1000g0, are
redirected through interface e1000g305000 via the gateway 10.13.5.1,
if not, are just allowed".
It does not work either; in the ipf log it shows that both the in and
the first out rules matched:
23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
But again the reply packet seems to be lost in thin air.
I have tried various other rules to no avail.
- Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
u7?
- Am I missing something in the configuration?
- Shouldn't the ipf log show the outgoing reply packet twice? (Once on
the "wrong" interface e1000g0 and once on the interface it is
redirected to e1000g305000.) Or indicate in another manner that the
redirection occurred (like it indicates K-S for "keep state")?
Context:
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 10.194.7.1 UG 1 2407
default 10.194.7.1 UG 1 5104 e1000g0
10.13.5.0 10.13.5.181 U 1 5 e1000g305000:1
10.194.7.0 10.194.7.81 U 1 3 e1000g0:2
224.0.0.0 10.194.7.81 U 1 0 e1000g0:2
127.0.0.1 127.0.0.1 UH 1 7 lo0:7
# cat /etc/release
Solaris 10 5/09 s10s_u7wos_08 SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 30 March 2009
# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0x70000000 = pass, block, nomatch
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x107
If it matters, this is occuring in a Solaris 10 zone, whith virtual
interfaces one of which uses 801.q tagging (vlan 305, subnet
10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
interface 10.13.5.1 on the server side.
Thanks in advance for your help in this matter!
Best regards,
Dominique
Mr Dominique Petitpierre Email: User@Domain
Division Informatique User=Dominique.Petitpierre
University of Geneva Domain=unige.chI was saying
If it matters, this is occurring in a Solaris 10 zone, whith virtual
interfaces one of which uses 801.q tagging (vlan 305, subnet
10.13.5.0/24),...Well, it turns out that 802.1q tagging does matter: packets redirected
by an ipf policy based routing rule to an interface with tagging are
not transmitted.
In order to better see what was happening the ipf rules were extended
like this (stateless case):
@1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
@2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
@1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
@2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
@3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
@4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1Also, for the purpose of the demonstration, the zone configuration was
modified to direct all packets to the same interface with tagging,
thus having just one default route:
zonecfg -z sso-test1 info net
net:
address: 10.13.5.181/24
physical: e1000g305000
defrouter: 10.13.5.1
net:
address: 10.194.7.81/24
physical: e1000g305000
defrouter: 10.13.5.1
netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
default 10.194.7.1 UG 1 2867
default 10.13.5.1 UG 1 86 e1000g305000
10.13.5.0 10.13.5.181 U 1 2 e1000g305000:1
10.194.7.0 10.194.7.81 U 1 0 e1000g305000:3
224.0.0.0 10.13.5.181 U 1 0 e1000g305000:1
127.0.0.1 127.0.0.1 UH 1 7 lo0:7 (In this peculiar case the default route to 10.194.7.1 is an artifact
displayed by netstat due to the zone isolation mechanism, but it is
not actually used for routing at the zone level; the interface without
tagging, e1000g0, is only displayed on the global zone where ipfilter
operates)
When testing from 10.194.17.11 with "telnet 10.13.4.180 443", it
works. And one can see in the ipf logs that it is the third out rule
that matched (@o_sso-test1:3), i.e. there was no redirection on
another interface (proof that there is nothing wrong with the context
setup):
16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A INWhen testing from 10.194.17.11 with "telnet 10.194.7.81 443", it works
also. This time one can see in the ipf logs that it is the second out
rule that matched (@o_sso-test1:2), i.e. there was redirection from
e1000g305000 to e1000g0.
16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A INA packet capture confirms this and one can see in the capture the
SYN-ACK reply packet go out on e1000g0.
The reverse case, essentially the original setup shown in my first
post, where the default route is the interface without tagging
(e1000g0) and the reply packet matches the redirection rule from
e1000g0 to the interface with tagging e1000g305000, the packet is lost
(i.e. is not visible in the packet capture on either interface).
Further tests with stateful redirection ("reply-to") show the same
pattern (does not work when packets are redirected to an interface
with tagging).
It looks like it is a bug: may be ipfilter injects the redirected
packet at a processing stage where it should already have a 802.1q tag
but does not, or something similar; in the working case, ipfilter acts
on a not yet tagged packet which can be used "as is" at the same
processing stage on the non tagging interface, and thus is correctly
transmitted.
Conclusion: ipfilter policy based routing does work on Solaris 10u7,
but, at least in my setup, not when redirection occurs to a 802.1q
tagging interface.
- Could somebody confirm this?
- Is this a known bug? (I didn't find anything relevant on sunsolve or
on the ipfilter mailing list)
Edited by: kleinstein on Oct 1, 2009 4:22 AM
Edited by: kleinstein on Oct 1, 2009 4:25 AM
Edited by: kleinstein on Oct 1, 2009 4:30 AM
Edited by: kleinstein on Oct 1, 2009 4:32 AM
Edited by: kleinstein on Oct 1, 2009 4:37 AM
Edited by: kleinstein on Oct 1, 2009 4:40 AM
Edited by: kleinstein on Oct 1, 2009 4:41 AM -
I updated my software to iOS6 and now my phone won't automatically join known wifi networks even though I have it on. It goes back to 3G every so often when I'm at home instead of using wifi, and each time I ask to join it asks for my wifi password
Try this for your home Wi-Fi:
On your iPhone, Settings > Wi-Fi > select your home network > "forget this network"
Power down (unplug) your wireless router
Restart your iPhone
Plug in your router
Re-join that network
I don't know if this simple technique will fix it for good but try it. There is a long thread about this problem here: iOS 6 WiFi Disabled -
Local policy route-map for policy route
Hi
this is related my previous question:
I want to set policy route on asr1004, that redirect vpn traffic.
my case is:
asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
assume vpn with ip address 10.2.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
assume taget network is 10.200.200.0/24
I want internal traffic (10.10.10.0/24) go to target (10.200.200.0/24) to be redirect to10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
Than, I want vpn (10.2.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.2.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
if not, do I have any change to do policy route for this case?
any comment will be appreciated
Thanks in advance
Julxuhi Jon
can I refresh the question again:
my case is:
asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
assume vpn with ip address 10.10.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
assume taget network is 10.200.200.0/24
I want internal traffic (10.10.0.0/16) go to target (10.200.200.0/24) to be redirect to10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
Than, I want vpn (10.10.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
such as:
interface TenGigabitEthernet0/0/0
description bgp to get default
ip address 10.100.100.100 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
interface TenGigabitEthernet0/1/0
description get internaltraffic
ip address 10.3.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
interface GigabitEthernet0/2/1
description vpn
ip address 10.10.2.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
media-type rj45
negotiation auto
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
ip route 10.200.200.0/24 10.10.2.2
Could you please advise if it is correct? -
Policy routing via address ranges
Is it possible to use policy routing based on ranges of a subnet? I want to have 192.168.1.1-100 go out e0 and 192.168.1.101-250 go out e1. From what I've read it only looks like policy routing works with route-maps using access lists
You certainly can.. just use multiple lines in your ACLs to cover each range.
For example,
192.168.1.1-100 can be covered by:
access-list 1 permit 192.168.1.0 0.0.0.63
access-list 1 permit 192.168.1.64 0.0.0.31
access-list 1 permit 192.168.1.96 0.0.0.3
access-list 1 permit 192.168.1.100 0.0.0.0
And use the following for everything else:
access-list 1 permit 192.168.1.0 0.0.0.255
So you can use the following:
route-map PBR permit 10
match ip address 1
set interface e0
route-map PBR permit 20
match ip address 2
set interface e1
Hope that helps - pls rate the post if it does.
Paresh -
I installed a new wireless router and connected with my iPad. I then changed the ID and password with ethernet but now my iPad keeps picking up the old router name and password and doesn't see the new name. How can I get it to stop looking for the old name and find the new one?
Hello Stevo39,
If your iPhone continues to prompt for your old account and password then check out the following article.
If you're asked for the password to your previous Apple ID when signing out of iCloud - Apple Support
This article may help too.
Apple ID: What to do after you change your Apple ID - Apple Support
Regards,
Nubz -
Can't apply policy route-map on C3750 stack vlan interface
Hi All.
I've come up with this problem and i could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
2 x WS-C3750G-24T-E in stack
Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
switch#sh sdm prefe
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 1.5K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 2.75K
number of directly-connected IPv4 hosts: 1.5K
number of indirect IPv4 routes: 1.25K
number of IPv6 multicast groups: 1.125k
number of directly-connected IPv6 addresses: 1.5K
number of indirect IPv6 unicast routes: 1.25K
number of IPv4 policy based routing aces: 0.25K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.5K
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.5K
number of IPv6 security aces: 0.5K
There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map i can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
Any help will be appretiated.
Thanks.Hi Jon.
Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also i've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
track 11 rtr 1 reachability
track 22 rtr 2 reachability
ip routing
no ip dhcp use vrf connected
interface GigabitEthernet1/0/1
description ISP1
no switchport
ip address 9.9.9.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
speed 100
duplex full
ipv6 address 2B01:4B8:0:3::2/64
ipv6 ospf 1 area 0
no mdix auto
no cdp enable
interface GigabitEthernet2/0/1
description ISP2
no switchport
ip address 9.9.9.5 255.255.255.252
ip ospf cost 10000
speed 1000
duplex full
ipv6 address 2B01:4B8:0:7::2/64
ipv6 enable
ipv6 ospf cost 10000
ipv6 ospf 1 area 0
interface Vlan5
description Company Ext Subnet
ip address 9.9.8.1 255.255.255.128
no ip proxy-arp
no ip mroute-cache
ipv6 address 2B01:4B8:1:22::1/64
ipv6 ospf 1 area 15
access-list 111 permit tcp any any eq www
route-map pbr1 permit 10
match ip address 111
set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
route-map pbr1 permit 20
set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
route-map pbr2 permit 10
match ip address 111
set ip next-hop verify-availability 9.9.9.6 1 track 11
set ip next-hop 9.9.9.1
route-map pbr2 permit 20
set ip next-hop verify-availability 9.9.9.1 1 track 22
set ip next-hop 9.9.9.6
I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
Cheers,
Maybe you are looking for
-
I owe money and the billing information is telling me that my security code is invalid. If i get money in my account, will i be able to put in my security code again and purchase apps and music again?
-
My photo stream has always synced just fine between my Windows 7 PC and my iPhone 5. However, just a month or so ago it stopped automatically syncing. I turned it off and on in the iPhone settings in two places, deleted all the photos manually, signe
-
I have a Macbook Pro Late 2013, running OS X 10 Yosemite 10.10.1 and my wife has a PC with Windows 7. I use calendar that comes with my Macbook and she uses Outlook 2013 calendar. When I email from Mail on my Macbook an appointment event and my wife
-
Hello Sir/Madam, I had purchased a hp laptop from your store. I need the copy of the receipt for my purchase in order to cliam my warranty.
-
Significant performance change in spatial join
Hi, I have 2 spatial tables in Oracle 10g: one (PT_SOURCE) has a point column with over a half million records and another (TRJ_TMP_BUF) has a polygon column with 2 records. 2 spatial R-tree indexes were built on the 2 table respectively. I tried a s