Policy routing via address ranges

Similar Messages

• Multiple routing tables and/or policy routing

  Hey all,
  I'm trying to configure a Mac Mini (10.8) for multiple routing tables and policy routing.  This server runs Ostinato, a freeware traffic generator.  My purpose is to generate traffic on multiple VLANs towards different gateways and different destinations.  To that end, I have VLAN tagged the (only) Ethernet port and configured 5 VLANs on it.  The first one has the default route (I manage this Mac over this VLAN).  The other four have IP addresses in the test range I'm using. 
  The goal is to have traffic sourced from IP-address-X go out vlanX towards gateway-X.  It's counterpart on the far end runs Linux and I have configured it in this way:
  ip route add default via <gateway-X> dev ethX table X
  ip rule add from <network-X> table X priority X
  Researching on OpenBSD forums (since it's the base of MacOS X), provided this:
  route -T X add 0.0.0.0/0 -iface <gateway-X>
  echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -
  However, the Mountain Lion "route" command does not support the -T option, so that killed that idea.  Another forum suggested that this would have worked on 10.4:
  ipfw add X fwd <gateway-X> ip from <IP-address-X> to any
  I tried this on 10.8 though the man page says it's deprecated, and (surprise, surprise) it did not work. 
  Any ideas to get this working appreciated!
  Thanks,
  Aaron

  Still doesn't have it in 10.9.4.
  irene:~ cschwartz$ sudo bash
  bash-3.2# route -T add
  route: illegal option -- T
  usage: route [-dnqtv] command [[modifiers] args]
  I'm guessing you want policy-based routing due to VLANs...? If you can get a USB-to-Ethernet adapter, then maybe you can work around this by using multiple physical links instead of VLAN tagging. But if you need source-based routing etc. then no.

• Ipfilter: does policy routing work on Solaris 10?

  Hello,
  - Does the ipf redirection (aka policy routing) feature work with the
  ipfilter that comes with Solaris 10?
  I would like to use the the ipf redirection statements "to
  interface:router_ip" or "reply-to interface:router_ip" as decribed in
  http://coombs.anu.edu.au/~avalon/ipf.new.txt
  (The syntax is mentionned in the BNF of the Solaris 10 ipf(4) man
  page, but the explanations there are lacking.)
  On a machine that has two interfaces, the purpose is to send output
  reply packets of a TCP session to the same interface that the input
  packets came from. The idea to use ipfilter to do this comes from the
  blog entry:
  Packets out of the wrong interface
  http://blogs.sun.com/carlson/entry/packets_out_of_the_wrong
  My first try was to use "reply-to" in a "keep state" rule:
  pass in quick on e1000g305000 reply-to e1000g305000:10.13.5.1 proto tcp from any to any port = 443 keep state keep frags group i_sso-test1
  Which I understand as "once a connection to port 443 starts on
  interface e1000g305000 send all reply packets to the same interface to
  the gateway 10.13.5.1"
  But it does not work; in the ipf log it shows that the rule matched:
  22:56:32.770690 e1000g305000 @i_sso-test1:1 p 10.194.17.11,5648 -> 10.13.5.181,443 PR tcp len 20 60 -S K-S K-F IN
  22:56:32.770783 e1000g0 @i_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,5648 PR tcp len 20 44 -AS K-S K-F OUT
  But the reply packet is not seen on the router (10.13.5.1), nor does
  it get to 10.194.17.11 through another route (no firewall on that
  machine).
  My second try was to use two stateless rules, and to do "source port
  routing" for outgoing packets:
  pass in quick proto tcp from any to any port = 443 group i_sso-test1
  pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from any port = 443 to any group o_sso-test1
  pass out quick proto tcp from any port = 443 to any group o_sso-test1
  Which I understand as "incoming packets to port 443 are allowed and
  outgoing packets from port 443, if passing on interface e1000g0, are
  redirected through interface e1000g305000 via the gateway 10.13.5.1,
  if not, are just allowed".
  It does not work either; in the ipf log it shows that both the in and
  the first out rules matched:
  23:09:00.591163 e1000g305000 @i_sso-test1:1 p 10.194.17.11,26080 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
  23:09:00.591363 e1000g0 @o_sso-test1:1 p 10.13.5.181,443 -> 10.194.17.11,26080 PR tcp len 20 44 -AS OUT
  But again the reply packet seems to be lost in thin air.
  I have tried various other rules to no avail.
  - Should this work with ipfilter v4.1.9 (592) coming with Solaris 10
  u7?
  - Am I missing something in the configuration?
  - Shouldn't the ipf log show the outgoing reply packet twice? (Once on
  the "wrong" interface e1000g0 and once on the interface it is
  redirected to e1000g305000.) Or indicate in another manner that the
  redirection occurred (like it indicates K-S for "keep state")?
  Context:
  # netstat -rn
  Routing Table: IPv4
  Destination Gateway Flags Ref Use Interface
  default 10.194.7.1 UG 1 2407
  default 10.194.7.1 UG 1 5104 e1000g0
  10.13.5.0 10.13.5.181 U 1 5 e1000g305000:1
  10.194.7.0 10.194.7.81 U 1 3 e1000g0:2
  224.0.0.0 10.194.7.81 U 1 0 e1000g0:2
  127.0.0.1 127.0.0.1 UH 1 7 lo0:7
  # cat /etc/release
  Solaris 10 5/09 s10s_u7wos_08 SPARC
  Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
  Use is subject to license terms.
  Assembled 30 March 2009
  # ipf -V
  ipf: IP Filter: v4.1.9 (592)
  Kernel: IP Filter: v4.1.9
  Running: yes
  Log Flags: 0x70000000 = pass, block, nomatch
  Default: pass all, Logging: available
  Active list: 0
  Feature mask: 0x107
  If it matters, this is occuring in a Solaris 10 zone, whith virtual
  interfaces one of which uses 801.q tagging (vlan 305, subnet
  10.13.5.0/24), and the "router" is a Cisco ACE load balancer with
  interface 10.13.5.1 on the server side.
  Thanks in advance for your help in this matter!
  Best regards,
  Dominique
  Mr Dominique Petitpierre Email: User@Domain
  Division Informatique User=Dominique.Petitpierre
  University of Geneva Domain=unige.ch

  I was saying
  If it matters, this is occurring in a Solaris 10 zone, whith virtual
  interfaces one of which uses 801.q tagging (vlan 305, subnet
  10.13.5.0/24),...Well, it turns out that 802.1q tagging does matter: packets redirected
  by an ipf policy based routing rule to an interface with tagging are
  not transmitted.
  In order to better see what was happening the ipf rules were extended
  like this (stateless case):
  @1 pass in quick on e1000g0 proto tcp from any to any port = 443 group i_sso-test1
  @2 pass in quick on e1000g305000 proto tcp from any to any port = 443 group i_sso-test1
  @1 pass out quick on e1000g0 to e1000g305000:10.13.5.1 proto tcp from 10.13.5.181/32 port = 443 to any group o_sso-test1
  @2 pass out quick on e1000g305000 to e1000g0:10.194.7.1 proto tcp from 10.194.7.81/32 port = 443 to any group o_sso-test1
  @3 pass out quick on e1000g305000 proto tcp from any port = 443 to any group o_sso-test1
  @4 pass out quick on e1000g0 proto tcp from any port = 443 to any group o_sso-test1Also, for the purpose of the demonstration, the zone configuration was
  modified to direct all packets to the same interface with tagging,
  thus having just one default route:
  zonecfg -z sso-test1 info net
  net:
          address: 10.13.5.181/24
          physical: e1000g305000
          defrouter: 10.13.5.1
  net:
          address: 10.194.7.81/24
          physical: e1000g305000
          defrouter: 10.13.5.1
  netstat -rn
  Routing Table: IPv4
    Destination           Gateway           Flags  Ref     Use     Interface
  default              10.194.7.1           UG        1       2867          
  default              10.13.5.1            UG        1         86 e1000g305000
  10.13.5.0            10.13.5.181          U         1          2 e1000g305000:1
  10.194.7.0           10.194.7.81          U         1          0 e1000g305000:3
  224.0.0.0            10.13.5.181          U         1          0 e1000g305000:1
  127.0.0.1            127.0.0.1            UH        1          7 lo0:7     (In this peculiar case the default route to 10.194.7.1 is an artifact
  displayed by netstat due to the zone isolation mechanism, but it is
  not actually used for routing at the zone level; the interface without
  tagging, e1000g0, is only displayed on the global zone where ipfilter
  operates)
  When testing from 10.194.17.11 with "telnet 10.13.4.180 443", it
  works. And one can see in the ipf logs that it is the third out rule
  that matched (@o_sso-test1:3), i.e. there was no redirection on
  another interface (proof that there is nothing wrong with the context
  setup):
  16:59:30.479660 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 60 -S IN
  16:59:30.479844 e1000g305000 @o_sso-test1:3 p 10.13.5.181,443 -> 10.194.17.11,2111 PR tcp len 20 44 -AS OUT
  16:59:30.480182 e1000g305000 @i_sso-test1:2 p 10.194.17.11,2111 -> 10.13.5.181,443 PR tcp len 20 40 -A INWhen testing from 10.194.17.11 with "telnet 10.194.7.81 443", it works
  also. This time one can see in the ipf logs that it is the second out
  rule that matched (@o_sso-test1:2), i.e. there was redirection from
  e1000g305000 to e1000g0.
  16:59:41.247101 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 60 -S IN
  16:59:41.247206 e1000g305000 @o_sso-test1:2 p 10.194.7.81,443 -> 10.194.17.11,3851 PR tcp len 20 64 -AS OUT
  16:59:41.247508 e1000g0 @i_sso-test1:1 p 10.194.17.11,3851 -> 10.194.7.81,443 PR tcp len 20 52 -A INA packet capture confirms this and one can see in the capture the
  SYN-ACK reply packet go out on e1000g0.
  The reverse case, essentially the original setup shown in my first
  post, where the default route is the interface without tagging
  (e1000g0) and the reply packet matches the redirection rule from
  e1000g0 to the interface with tagging e1000g305000, the packet is lost
  (i.e. is not visible in the packet capture on either interface).
  Further tests with stateful redirection ("reply-to") show the same
  pattern (does not work when packets are redirected to an interface
  with tagging).
  It looks like it is a bug: may be ipfilter injects the redirected
  packet at a processing stage where it should already have a 802.1q tag
  but does not, or something similar; in the working case, ipfilter acts
  on a not yet tagged packet which can be used "as is" at the same
  processing stage on the non tagging interface, and thus is correctly
  transmitted.
  Conclusion: ipfilter policy based routing does work on Solaris 10u7,
  but, at least in my setup, not when redirection occurs to a 802.1q
  tagging interface.
  - Could somebody confirm this?
  - Is this a known bug? (I didn't find anything relevant on sunsolve or
  on the ipfilter mailing list)
  Edited by: kleinstein on Oct 1, 2009 4:22 AM
  Edited by: kleinstein on Oct 1, 2009 4:25 AM
  Edited by: kleinstein on Oct 1, 2009 4:30 AM
  Edited by: kleinstein on Oct 1, 2009 4:32 AM
  Edited by: kleinstein on Oct 1, 2009 4:37 AM
  Edited by: kleinstein on Oct 1, 2009 4:40 AM
  Edited by: kleinstein on Oct 1, 2009 4:41 AM

• Local policy route-map for policy route

  Hi 
  this is related my previous question:
  I want to set policy route on asr1004, that redirect vpn traffic. 
  my case is:
    asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
  assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
  assume vpn with ip address 10.2.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
  assume taget network is 10.200.200.0/24
  I want internal traffic (10.10.10.0/24) go to target (10.200.200.0/24)  to be redirect to10.2.2.2 (vpn)  first, so I add  "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
  Than, I want vpn (10.2.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
  ip local policy route-map vpn-out
  access-list 100 permit ip 10.2.2.2 any
  route-map vpn-out permit 10
    match ip address 100
    set ip next-hop 10.100.100.100
  if not, do I have any change to do policy route for this case?
  any comment will be appreciated
  Thanks in advance
  Julxu

  hi Jon
  can I refresh the question again:
  my case is:
    asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
  assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
  assume vpn with ip address 10.10.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
  assume taget network is 10.200.200.0/24
  I want internal traffic (10.10.0.0/16) go to target (10.200.200.0/24)  to be redirect to10.10.2.2 (vpn)  first, so I add  "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
  Than, I want vpn (10.10.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
  ip local policy route-map vpn-out
  access-list 100 permit ip 10.10.2.2 any
  route-map vpn-out permit 10
    match ip address 100
    set ip next-hop 10.100.100.100
  such as:
  interface TenGigabitEthernet0/0/0
   description bgp to get default
   ip address 10.100.100.100 255.255.255.252
   no ip redirects
   no ip unreachables
   no ip proxy-arp
  interface TenGigabitEthernet0/1/0
   description get internaltraffic
   ip address 10.3.3.3 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
  interface GigabitEthernet0/2/1
   description vpn
   ip address 10.10.2.1 255.255.255.248
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   media-type rj45
   negotiation auto
  ip local policy route-map vpn-out
  access-list 100 permit ip 10.10.2.2 any
  route-map vpn-out permit 10
    match ip address 100
    set ip next-hop 10.100.100.100
  ip route 10.200.200.0/24 10.10.2.2
  Could you please advise if it is correct?

• AirPort Express doesn't connect to router via WLAN anymore

  Hello
  A few days ago I've bought an *AirPort Express (802.11n)*
  When I wanted to test it for the first time, I set it up to *connect to an Existing Wireless Network* and it worked, I could for example stream music from iTunes or print something.
  The main reason I bought the APExpress was to extend the range of my wireless signal area, and since my router's got WDS ability I set the *AirPort as a part of the WDS Network* and logically I connected it via Ethernet to the router, and again everything worked.
  Now my problem is:
  yesterday I wanted to use the APExpress to stream some music to the kitchen,
  so I chose the profile in which it was set to connect to an Existing Wireless Network, like I already described above.
  But now it doesn't work; the APExpress doesn't connect to the router via WLAN, though there's the green light which's supposed to mean that everything's fine but it doesn't show up in the AirPort Setup Assistant.
  As soon as I connect it via Ethernet to router it shows up and you can start streaming music or whatever, but without Ethernet it doesn't connect to the router anymore.
  And that's weird, cause for the first time I used the device it worked, but now it doesn't!
  Now I would be very thankful if somebody could help me to solve this problem.
  Cheers
  Yasser

  I've tried a bunch of 10.1.10.x's and none of them seem to work. The computer that does work has gotten the IP automatically, though.
  I've been doing some reading, and it seems as though OS X self-assigns a 169.254.x.x IP address whenever it tries to get an IP from DHCP and fails. Aside from turning off both the router and the modem for about 15 minutes, is there any other way to make the router give me an IP address? And why does one of the computers work? Do you think that if we tried to renew the DHCP lease on that computer, it wouldn't be able to get one?
  I'm not sure what the router is set to give out. How would I check that?

• Determing IP Address Ranges for Setting up a VPN

  Following the directions that I've found here ... I'm attempting to setup a VPN for my company to share documents.
  I am using a mac mini, which is connected to a router, and the router to a cable modem.
  In order to set up the VPN using L2TP over IPsec, I need to enter both a Starting and Ending IP Address.
  I have found only a single IP address for the mac mini, and when going into system profiler have found various other addresses and am not sure how to properly setup the IP Address Range.
  Some of the categories shown in the System Profiler are:
  IPv4 Addresses, IPv4 Configuration Method, Interface Name, Router, Subnet Masks, IPv6 Configuration Method, DNS Server Addresses, etc.
  However, I only see 1 single IP Address.
  Any help would be greatly appreciated.
  ~ JJL

  OK, that's good, you have all you need.
  You are probably going to need to read up on the management of the base station as this is going to be your NAT router (remember that from my earlier post?) and your internet firewall. Management will be via a web browser, on a computer directly connected to base station's ethernet port. There will be a default IP address to put into the web browser to reach the management page. This IP address can probably be found by opening the Network prefs on one of your airport computers and looking to see what the 'Router' IP is set to (I'm presuming that the base station is still in its default function). It will also be in the base station documentation.
  The base station will act as your DHCP server (we could alternatively use the server but lets keep it as the base station - no real difference). There will be a management page for this where you can specify its own IP address and also what range you want to distribute to other computers. For example...
  192.168.1.1 for base station
  192.168.1.2 to 192.168.1.40 for DHCP
  Remember, we do not want to hand out all the IP addresses by DHCP because we need to keep some back for the server's static IP and the VPN users. So maybe we keep...
  192.168.1.100 for the server
  192.168.1.200-219 for L2TP vpn
  192.168.1.220-239 for PPTP vpn (if this is also needed for PCs and the like).
  Via management screen, confirm that NAT routing on the base station is enabled (this allows all LAN computers to access internet via your base station which is now your 'Internet Router'.
  Confirm that the firewall on the base station is enabled. This protects your LAN (on the private side of the router) from all other traffic on the internet (the public WAN).
  Switch off both the modem and the base station.
  Connected the modem to the WAN port of the base station (ordinary ethernet cable).
  Keep modem off for 5 - 10 minutes (this clears any cached settings at the ISP end). Switch on the cable modem and wait a few minutes for it to settle.
  Switch on the base station and reconnect to the management screen. There will probably be an Internet Wizard or some such thing in the management page to establish the connection with the modem.
  When the connection to the modem is OK, you should be able to browse rest of internet from the computer you have directly connect to the base station
  Restart any computers connected by airport. They should now also be able to browse internet.
  Disconnect computer which is directly connected to base station.
  The ethernet port on base station now gets connected to your switch.
  The Server connects to the switch too.
  You are probably going to need to give your server a new IP address, in the same network range as now being used elsewhere in your LAN. This is not quite as trivial as just changing it in the Network Prefs although you may well be able to get it going fine doing just that (to be honest, I'm not sure I want to add that bit into this already lengthening post
  If you want to just change the IP address in Network Prefs just now, remember that the Router field will be the IP address of your base station. The DNS server (in server network prefs) will also be base station.
  I have skipped past a bit regarding the server setup and also omitted how to get the vpn traffic from the WAN to the server (hint: port forwarding in router) but i think it is wise just to get the rest of the network up and running behind a secure router/firewall first.
  -david

• Policy routing

  Hello,
  Can i do policy routing only if a route it´s present?. My problem is that i want send some traffic to other router but if this router loose the internet conection my router continues send it this traffic and it´s droped
  Regards.

  If all of the routers are connected via a common Ethernet segment you could run HSRP between the Internet router and the other router with the Internet router being the primary. Then you can policy route your traffic to the HSRP address. If you configure HSRP to track your internet connection and there is a failure, HSRP would fail over to the standby router. PBR would then be sending the traffic to the other router to meet your requirement.

• Can TC extend a non-apple router via wireless?

  I believe this ground has been covered by prior questions, but I just need to confirm before giving up hope.
  Can the Apple TC extend a wireless network that eminantes from a non-Apple router (in my case, UBee, Time Warner Cable)?
  Our cable modem enters the living room, where it is plugged via ethernet cord to the UBee router. The range just barely reaches my upstairs office. In a perfect work, I'd like to keep the TC in the upstairs office so that I can a) share our USB printer, and b) extend our network to the second floor.
  Is this possible? I get the sense that it's not.
  Thanks for all your help,
  Mike

  Not possible except with WDS.. which means far too many compromises.. wep security, G only wireless.. and a very good chance it won't work anyway.
  Use EOP adapters and setup the TC as a WAP and switch.. or run ethernet .. they are the best ways.
  Turn off the wireless on the cable router.. and plug an extreme or express into it.. TC can then extend wireless.
  Again this is not the best solution but is the one apple's bottom line really likes.. which is why the limitation is there.

• Connecting 2 WAN clouds on the same IP address range.

  Hello, I have a problem connecting my office to two third party companies.
  I have two Cisco 1700 series WAN links to my office from these companies, Both routers are fully managed by their respective companies, both use static routing, and both are using the 10.0.0.0/8 IP address range.
  The first company assigned my office the address range 10.212.1.0/24.
  The second company assigned my office the address range 10.215.1.0/24.
  My office can be set to any IP address range.
  My questions are:
  Is it possible to have a connection from my office to both networks at the same time? If so how?
  Do I require these companies to provide me with their static routing information? or can I use routing protocols?
  Do I need to perform NAT?
  Can I use a PIX 515e firewall with three interfaces?
  Sample configuration would be greatly appreciated

  It's possible to have connections to your offices at the same time with the usage of subinterfaces.The usage of static and dynamic protocols depends totally based on the size of the topology of your network.If it's a very very small network static routing will do. Performing a nat totally depends upon ypur decision whether to use a public ip or not.If required you can use a pix firewall

• I keep losing my wireless connection after periods of inactivity - any solution? I recently installed a new wireless router with improved range.

  I recently installed a Netgear Wireless router for improved reception, but now my macbook loses connection through Airport after periods of inactivity.  We have another older Macbook in the house, and it never loses connection.  I never had this problem with the previous Linksys router, just limited range.  Any ideas what is causing this?  It's frustrating to have to frequently shout down and re-boot.  That so far is the only way I can re-connect.

  Adjust the Wireless Settings on your linksys router...
  Open an Internet Explorer browser page.In the address bar type - 192.168.1.1
  Leave username blank & in password use admin in lower case...
  For Wireless Settings, please do the following : -
  Click on the Wireless tab on the Setup page- Here Wireless Network mode should be mixed- Provide any non linksys network name ....
  Name (SSID) box- Set wireless channel to 11- And wireless SSID broadcast should be Enabled and then click on "Save Settings" >>
  Click on the Sub tab under Wireless > Wireless Security...
  Change the Wireless security mode to WPA, For Encryption, select AES...For Passphrase input your desired WPA Key. For example , MySecretKey , This will serve as your
  network key whenever you connect to your wireless network.
  Do NOT give this key to anyone.
  Click on Advanced Wireless settings>>
  Change the Beacon Interval to 75 >>Change the Fragmentation Threshold to 2304 Change the RTS Threshold to 2304 >>Click on "Save Settings" ...
  Try to look for the Wireless Network on your laptop and attempt to connect...

• Router IP address change

  I have DHCP on my network router firewall and I have a wireless router. I also have a private IP address setup of 10.0.1.   I change to router IP address to my IP range but it does not work. Is there a way to setup the router to find DHCP on my network and capture the correct 10.0.1 range? If not how can I manually change it and still use th web browser setup page to configue the router? The setup page has the rages 192.168.. range and will not connect to the web browser setup when change from this...I also wanted to disable the DHCP since I already have DHCP on the network...

  You can login to router's setup and change its IP address to IP address matching your network. Next time login using the new IP address assigned.

• Policy Routing - Unix and MS (Dare I ask?)

  Guys,
  Need to route out of a dual homed Unix and Windows box based on the source address or source interface as not to follow the default route.
  ie, Packet arrives at host x on interface eth0 but the default route is out of eth1 so I get assemetric packet forwarding on the box.
  I think ipfw is the way to policy route on unix, but anyone got a plan for windows?
  Many thx indeed, and kind regards,
  Ken

  The standard action, as performed by router software (such as Cisco IOS), is to select the next hop address and the output device. I will refer to this action as a "match & set" style of action. However, Linux takes a much more flexible approach. In Linux, there are several actions to choose from. The default action performs a route lookup from a specified destination-based routing table. The match & set action then becomes the simplest case of Linux route selection, which is realized when the specified destination-based routing table contains only a single default route. Linux supports multiple routing tables, containing multiple standard destination routes. Bear in mind that each of these routing tables is the same as the entire routing table for any other OS. Linux effectively provides 255 Ciscos to choose from. (For number freaks, Linux 2.2.12 supports 255 routing tables, 255 aggregate realms, and 232 (4294967296 decimal) policy rule priorities.

• Automatic computer discovery by IP address range

  My domain is a subdomain of a parent domain and I only manage devices in my own subnet with static IPs. I am just installing SCCM2102 r2 as a trial version! at step 1 to configure and devices to manage, I don't see an option to scan devices via an IP address
  range! I don't want to scan entire root domain in which I don't manage. Is that option available somewhere in SCCM 2102 R2? thanks.
  Thang Mo

  There is also a network discovery that can be used to discover devices in a specific subnet. It's not very often used, as it cause lots of overhead and discovers also devices that you don't want to manage (see also:
  http://technet.microsoft.com/en-us/library/hh427340.aspx#BKMK_ConfigNetworkDisc).
  Also keep in mind that you don't need to discover the devices that you want to manage. It just makes it easier to install clients on them. Without discovering you would need to manually install the clietns.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• Is it possible to have two ip address ranges on an airport base station

  I have just got two airport extreme base stations for the school that I work in.
  Our School network uses static ip addresses in two ranges - we have a range of 10.11.128.1 to 10.11.129.254 with our servers on 10.11.135.252-254 and a subnet of 255.255.248.0
  This range is for computers that pupils have access to.
  We also have the range 10.9.35.1 - 10.9.35.254 with a subnet of 255.255.255.0 which is for staff and is used for electronic registration and reporting.
  I have set up a base station so that computers on the pupil network can logon to the network via airport but I don't see how I can get the base station to allow computers on the staff network to logon as well. In any classroom there are computers used by pupils but there will always at least one on the staff network for taking registers.
  I would be really grateful if anyone could tell me any way of setting up the base station to cope with both address ranges.

  No.

• What should my router IP address be?

  I had my Airport Extreme router running my wireless network and the IP address was 192.168.1.1.
  Then I reset everything and deleted the old network and created a new one with the same name.
  It seems to be working fine but now the router IP address shows 10.0.1.1.
  Why did it change and should it be 192.168.1.1 like before?
  I have 3 Mac computers, an iPad and an Airport Express and they all now have IP addresses starting with 10.0.1.
  Why is this happening?
  Thanks
  Len

  The default IP address of all the Apple routers is 10.0.1.1, so if you reset the device or the settings back to defaults, this is the setting that you will see.
  The 10.0.1.x range works just fine. There's no particular reason for it to be 192.168.1.1 unless you happen to like that number better. There's no performance advantage to either the 10.0.x.x or 192.168.x.x range.
  Your next question may be how to change back to 192.168.1.1.
  Open Airport Utility - click Manual Setup
  Click the Internet icon
  Click the DHCP tab below the icons
  Locate the setting for DHCP Beginning Address and change this to 192.168
  Click Update at the lower right to save your settings
  You'll need to power cycle your entire network now.