Policy with route-map
Hi all,
may some of you tell me the real meaning of the sub-command "set interface <intf>" under the route-map section?
I thought it was like the <intf> parameter when you set a route out of an interface.
I tried it with a PIX that should have to act as proxy-arp device but nothing happened.
Everything worked fine using "set ip next-hop ..."
The topology appears a little bit complicated if explained how I built it in practice.
Just a PIX525, a switch and a router 877 that manages VLANS.
I reproduced the environment that doesn't see 2 ethernet interfaces on the router where the policy is applied but 1 serial and 1 ethernet. By now there are 2 devices, one per link, and the def route is based on proxy-arp both for the serial and the ethernet.
Hope the scenario was clearly depicted.
TIA
Alex
Please refer to this document:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml
HTH,
Ahmed
Similar Messages
-
Applying "route-map" in interfaces with encapsulation dot1q
Hello,
I would like to ask you if there is any trouble in applying route-maps on an interface and its subinterfaces, as shown:
interface GigabitEthernet0/2
ip address 11.0.9.26 255.255.255.252
ip policy route-map GestionRadios
interface GigabitEthernet0/2.11
encapsulation dot1Q 11
ip address 11.0.9.18 255.255.255.252
ip policy route-map RedOperativaA
interface GigabitEthernet0/2.12
encapsulation dot1Q 12
ip address 11.0.9.22 255.255.255.252
ip policy route-map RedOperativaB
I am not sure if it is totally correct. Besides, I get this information doing "show ip policy" and it seems to be right.
Router#show ip policy
Interface Route map
Gi0/2 GestionRadios
Gi0/2.11 RedOperativaA
Gi0/2.12 RedOperativaB
I would be very grateful for your help.
Thanks in advance
Regards,
Sandro
Sandro
We do not have much to work with in your post so giving you really good answers is difficult. You do not tell us what type of device this is (I assume probably a router, but perhaps it is a layer 3 switch?) or what version of code it is running. These things make a difference sometimes in what is supported or is not supported. But since you get output in show ip policy then I assume that the device does support configuration of this feature.
You show us the configuration of the interfaces but not the configuration of the route maps or the access lists which the route maps probably use. So we can not form an opinion of the validity of the route maps or the access lists.
And you do not tell us whether the Policy Based Routing is working or not (and in fact you do not tell us for sure that you are doing PBR - though that is generally what route maps on the interfaces are doing) so we are not clear whether there is a problem here or not.
But based on what you show us in this post I do not see any particular problems with the route maps and the way that you have applied them to interfaces (assuming that your goal is really to do PBR).
HTH
Rick
-
I have a 6509 that I've set up with route-maps in order to route VLANs in different ways. For example, if we wanted some VLANs to get out to the internet we would route them to a certain address. Then there is another VLAN that we route to another internet gateway. It was all working pretty well until we swapped out another switch gateway in the network, and ever since things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch then back in, even though my access-lists are set to deny the traffic. Here are the access-lists and route-maps:
access-list 10 permit 192.168.24.101
access-list 10 permit 192.168.24.102
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
access-list 104 permit tcp host 172.16.4.20 any eq www
ip access-list extended BITCENTRAL_INTERNET
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.1.170 any
permit ip host 172.16.1.150 any
ip access-list extended EDIT_BAYS
deny ip any 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.25.2 any
permit ip host 192.168.26.80 any
permit ip host 192.168.25.104 any
permit ip host 192.168.25.3 any
permit ip host 192.168.26.69 any
permit ip host 192.168.26.71 any
permit ip host 192.168.27.33 any
ip access-list extended ENPS
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.24.101 any
permit ip host 192.168.24.102 any
permit ip host 192.168.24.103 any
ip access-list extended ENTRIQ
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.8.0 0.0.0.255 any
ip access-list extended MISC
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.11.0 0.0.0.255 any
ip access-list extended Omneon
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip host 172.16.2.11 any
permit ip host 172.16.2.2 any
ip access-list extended ROSS-VLAN
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.4.20 any
permit ip host 172.16.4.32 any
permit ip host 172.16.4.31 any
permit ip host 172.16.4.29 any
permit ip host 172.16.4.30 any
permit ip host 172.16.4.28 any
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 172.16.1.1 255.255.255.0
ip policy route-map BITCENTRAL
interface Vlan20
ip address 172.16.2.1 255.255.255.0
ip policy route-map OMNEON
interface Vlan30
ip address 172.16.3.1 255.255.255.0
interface Vlan40
ip address 172.16.4.1 255.255.255.0
ip policy route-map ROSS-VLAN
interface Vlan50
ip address 172.16.5.1 255.255.255.0
interface Vlan60
ip address 172.16.6.1 255.255.255.0
interface Vlan70
ip address 172.16.7.1 255.255.255.0
interface Vlan80
ip address 172.16.8.1 255.255.255.0
ip policy route-map ENTRIQ
interface Vlan100
ip address 192.168.27.1 255.255.252.0
ip helper-address 192.168.7.255
ip policy route-map OMNIBUS-VLAN
interface Vlan110
ip address 172.16.11.1 255.255.255.0
ip helper-address 192.168.27.200
ip policy route-map MISC
interface Vlan120
ip address 172.16.10.1 255.255.255.240
ip policy route-map EDIT_BAYS
interface Vlan140
ip address 192.168.4.15 255.255.255.0
ip directed-broadcast 10
interface Vlan500
ip address 192.168.1.19 255.255.255.224
ip classless
ip route 172.22.0.0 255.255.255.248 192.168.4.1
ip route 192.168.0.0 255.255.255.224 192.168.4.254
ip route 192.168.5.0 255.255.255.0 192.168.4.1
route-map BITCENTRAL permit 60
match ip address BITCENTRAL_INTERNET
set ip next-hop 192.168.4.1
route-map EDIT_BAYS permit 50
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map ENTRIQ permit 80
match ip address ENTRIQ
set ip next-hop 172.16.8.254
route-map MISC permit 40
match ip address MISC
set ip next-hop 192.168.4.1
route-map MSN permit 10
match ip address 104
set ip next-hop 192.168.4.1
route-map OMNEON permit 20
match ip address Omneon
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 30
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 40
match ip address ENPS
set ip next-hop 192.168.4.1
route-map ROSS-VLAN permit 70
match ip address ROSS-VLAN
set ip next-hop 192.168.4.1
route-map SEC-VLAN permit 30
match ip address SEC-VLAN
set ip next-hop 192.168.4.1
Here is how we tested the system and found the error. We cut the connection to the 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the IP address of 192.168.24.101 from the MISC VLAN with an IP address of 172.168.11.9 the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again. What in my route-map is causing this, I thought I set up the deny rules pretty good?
Hi Mike,
Between you and me, this is a lengthy config you have there.
Next, don't forget that a route-map doesn't apply to traffic originated by or destined to the device itself, unless you use ip local policy, in which case it might work, but there I have seen some nasty bugs.
So if you can shorten your config to one example, then do the tests :
- sourced from device A (it can be the SVI of another switch)
- through your 6509
- destined to device B (it also can be the SVI of another switch, or even simpler some loopback interface).
-
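An added example, not part of the original thread or of Cisco's software: a first-match evaluator for the wildcard-mask ACLs and route-maps posted above, used to trace both directions of the failed ping. It assumes the usual IOS PBR semantics (an ACL deny skips that route-map entry, and a packet matching no entry follows the routing table) and takes the ping source as 172.16.11.9, inside the MISC VLAN subnet. The function names and the extra ENPS deny line are hypothetical.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return ip(addr) & care == ip(base) & care

def parse_term(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines, the only form these ACLs use."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[1] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        rest = tokens[2:]
        entries.append((tokens[0], parse_term(rest), parse_term(rest)))
    return entries

def acl_action(entries, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, (s_base, s_wc), (d_base, d_wc) in entries:
        if wc_match(src, s_base, s_wc) and wc_match(dst, d_base, d_wc):
            return action
    return "deny"

def policy_route(route_map, acls, src, dst):
    """(next_hop, seq) of the first permitting entry, else (None, None)."""
    for seq, acl_name, next_hop in sorted(route_map):
        if acl_action(acls[acl_name], src, dst) == "permit":
            return (next_hop, seq)
    return (None, None)

# ACLs copied from the post: only those used on Vlan110 and Vlan100.
ACLS = {
    "MISC": """
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.11.0 0.0.0.255 any
""",
    "EDIT_BAYS": """
deny ip any 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.25.2 any
permit ip host 192.168.26.80 any
permit ip host 192.168.25.104 any
permit ip host 192.168.25.3 any
permit ip host 192.168.26.69 any
permit ip host 192.168.26.71 any
permit ip host 192.168.27.33 any
""",
    "ENPS": """
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.24.101 any
permit ip host 192.168.24.102 any
permit ip host 192.168.24.103 any
""",
}
ROUTE_MAPS = {  # (sequence, ACL, next hop), also from the post
    "MISC": [(40, "MISC", "192.168.4.1")],              # on Vlan110
    "OMNIBUS-VLAN": [(30, "EDIT_BAYS", "192.168.4.1"),  # on Vlan100
                     (40, "ENPS", "192.168.4.1")],
}

def trace_ping(extra_enps_line=""):
    """Decisions for echo request and reply; extra line is a hypothetical ENPS entry."""
    acls = {name: parse_acl(text) for name, text in ACLS.items()}
    acls["ENPS"] = parse_acl(extra_enps_line) + acls["ENPS"]
    request = policy_route(ROUTE_MAPS["MISC"], acls, "172.16.11.9", "192.168.24.101")
    reply = policy_route(ROUTE_MAPS["OMNIBUS-VLAN"], acls, "192.168.24.101", "172.16.11.9")
    return request, reply

if __name__ == "__main__":
    print(trace_ping())
    print(trace_ping("deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255"))
```

With the posted ACLs the echo request is left to normal routing, while the reply from 192.168.24.101 is permitted by ENPS in OMNIBUS-VLAN sequence 40 and sent to 192.168.4.1. With the hypothetical extra deny line, both directions follow the routing table.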
Route-map after tunnel end point
Hello Folks. I have an ASA5510 with multiple tunnels terminating into it. Some sites require a hairpin bend out into the internet after terminating, this works fine with an applicable NAT statement, however, is it possible to use a route-map to route this traffic that would normally hair pin bend out the same interface back into the internet, but rather go out through another link on another host?
yes, you can
but not with a route map, because in ASA there is no route map
so you first need to enter the following command to allow the tunnel to exit from the same interface where it originally terminated
issue the
same-security-traffic intra-interface
command in the global configuration mode
and for more configuration details, the following link will be useful for your case
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
good luck
Please rate if helpful
-
Route shaping / Route Mapping
Ok I am looking for a way to properly force specific traffic over a specific link. I am thinking that I need to do this with route mapping but am not sure if this is handled by the core or by the edge routers.
Here is the scenario. I have two links connected to two different routers and both routers are in turn connected to the same core switch. Link #1 is a 3M serial link and link #2 a 10M Ethernet link. The router supporting the 3M link is a 3825 and the router supporting the 10M link is a 2921. The switch they are connected to is a 3750G.
We have installed two SANs within the network and one is located at the facility supported by these two links. They have started replication between the two SANS and I want to prevent this replication traffic from flowing over the 3M. If the 10M goes down for any reason the replication will be paused or stored until the link comes back up. What do I need to do to advertise / route the traffic between the two SANs over the 10M link? I use EIGRP between the core and the two routers and use BGP between the two routers and my provider. I am thinking the end goal is to not advertise the VLAN the local SAN is attached to over the router with the 3M link attached. Since both routers use the same EIGRP instance if there would be some massaging on both routers or do something unique on the core.
Where do I start? I am working on a refrigerator diagram that shows how things are interconnected and will attach shortly.
Thanks in advance...
Brent
Hi Brent,
Just make sure the core has a better metric path to reach the other SAN subnet via the 10M link. Do you want to use the 3M link as backup? If so, the core must see the 3M link as a feasible successor.
You may need to check that the cores at both ends agree on the 10M link as the path between the 2 SANs.
Cheers
Mike
-
Policy Based Routing with VPN Client configuration
Hi to all,
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
The router has two WAN connections. One is the primary wan ("slow wan" link with slower upload 10D/1U mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has higher upload speed - 11D/11U mbps, (fast wan), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasons we can not use the `fast wan` connection as our primary connection and it is used only as a failover in case the primary link fails.
The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes from the `fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload the vpn connection is slow.
Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
This is our sanitized config
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group dc
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
interface Loopback0
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template3
no ip address
interface Virtual-Template4
no ip address
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4
Can you try to use PBR Match track object,
Device(config)# route-map abc
Device(config-route-map)# match track 2
Device(config-route-map)# end
Device# show route-map abc
route-map abc, permit, sequence 10
Match clauses:
track-object 2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Additional References for PBR Match Track Object
This feature is a part of IOS-XE release 3.13 and later.
PBR Match Track Object
Cisco IOS XE Release 3.13S
The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
The following commands were introduced or modified: match track tracked-obj-number
Cheers,
Sumit
-
Policy Based Routing is not working with slb configured
I have a 7609 with a slb firewallfarm configured. It is running IOS 12.2(18)SXE3 with sup720. The firewallfarm is configured with default settings with no access parameter, only real servers configured.
All the traffic is coming from a single vlan (it's not possible to implement another layer 2 way to make the traffic pass through) and I would like to make a single flow to exit from another interface and not pass to the real servers configured on FWfarm. I wrote the following PBR statements:
!!!!!!! Begin !!!!!!!
access-list 110 permit ip host XX.XX.XX.XX any
!where XX.XX.XX.XX is an omitted IP address
route-map NEW-ROUTEMAP permit 10
match ip address 110
set ip next-hop 192.168.253.3
interface Vlan55
!vlan 55 is the interface from where the selected flows comes
ip route-cache policy
ip policy route-map NEW-ROUTEMAP
!!!!! END !!!!!!!
The route-map seems to be working, in fact I can see matched ACL and route-map.
The problem is the SLB seems to take all the traffic in charge, also the one I would like to route to another interface, in fact if I put my desired output interface in monitor I can see no traffic passing through.
SLB creates the sticky entry anyway, in fact as far as I know, the SLB has the priority to static routing and route-maps.
Any idea for a workaround? Is there a way to make PBR work with SLB?
Thanks in advance.
Ric
It's possible to make PBR work with SLB; for further details refer to the link:
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75d.html
-
Local policy route-map for policy route
Hi
this is related my previous question:
I want to set policy route on asr1004, that redirect vpn traffic.
my case is:
asr1004 imports a default route 0.0.0.0 from int 0 with bgp neighbour address 10.100.100.100
assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
assume vpn with ip address 10.2.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
assume target network is 10.200.200.0/24
I want internal traffic (10.10.10.0/24) going to target (10.200.200.0/24) to be redirected to 10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
Then, I want vpn (10.2.2.2) to encrypt traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point if I put the local policy route-map below, will it work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.2.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
if not, do I have any change to do policy route for this case?
any comment will be appreciated
Thanks in advance
Julxu
hi Jon
can I refresh the question again:
my case is:
asr1004 imports a default route 0.0.0.0 from int 0 with bgp neighbour address 10.100.100.100
assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
assume vpn with ip address 10.10.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
assume target network is 10.200.200.0/24
I want internal traffic (10.10.0.0/16) going to target (10.200.200.0/24) to be redirected to 10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
Then, I want vpn (10.10.2.2) to encrypt traffic and send it to one of the IPs in the 10.200.200.0/24 range again. At this point if I put the local policy route-map below, will it work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
such as:
interface TenGigabitEthernet0/0/0
description bgp to get default
ip address 10.100.100.100 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
interface TenGigabitEthernet0/1/0
description get internaltraffic
ip address 10.3.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
interface GigabitEthernet0/2/1
description vpn
ip address 10.10.2.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
media-type rj45
negotiation auto
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
ip route 10.200.200.0/24 10.10.2.2
Could you please advise if it is correct?
-
Route Map Policy on SVI - Trunk from ESX
Hi,
I have a question regarding the following configuration.
A route map matches traffic from a particular subnet, say on VLAN 10 (using an ACL).
A route map policy is applied on this SVI (int vlan 10)
A server on this subnet is running on ESX which is connected to the switch on a trunk port.
The ESX host tags all frames from this server as VLAN 10.
In this scenario, should the route map pick up the traffic from this server? I don't see why not, but in my testing it doesn't seem to be working :)
Thanks for any help.
Hi Alex,
It's a 3750x (stack) with 12.2(55)SE5.
I've already changed the SDM template to routing and rebooted the switch.
I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
Thanks again.
Extended IP access list UPLINK2
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
route-map ROUTE1 permit 10
match ip address UPLINK2
set ip next-hop 10.1.1.253
interface Vlan10
ip address 192.168.5.254 255.255.254.0
ip policy route-map ROUTE1
end
-
Can't apply policy route-map on C3750 stack vlan interface
Hi All.
I've come up with this problem and i could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
2 x WS-C3750G-24T-E in stack
Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
switch#sh sdm prefe
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 1.5K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 2.75K
number of directly-connected IPv4 hosts: 1.5K
number of indirect IPv4 routes: 1.25K
number of IPv6 multicast groups: 1.125k
number of directly-connected IPv6 addresses: 1.5K
number of indirect IPv6 unicast routes: 1.25K
number of IPv4 policy based routing aces: 0.25K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.5K
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.5K
number of IPv6 security aces: 0.5K
There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map i can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
Any help will be appreciated.
Thanks.
Hi Jon.
Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also i've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
track 11 rtr 1 reachability
track 22 rtr 2 reachability
ip routing
no ip dhcp use vrf connected
interface GigabitEthernet1/0/1
description ISP1
no switchport
ip address 9.9.9.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
speed 100
duplex full
ipv6 address 2B01:4B8:0:3::2/64
ipv6 ospf 1 area 0
no mdix auto
no cdp enable
interface GigabitEthernet2/0/1
description ISP2
no switchport
ip address 9.9.9.5 255.255.255.252
ip ospf cost 10000
speed 1000
duplex full
ipv6 address 2B01:4B8:0:7::2/64
ipv6 enable
ipv6 ospf cost 10000
ipv6 ospf 1 area 0
interface Vlan5
description Company Ext Subnet
ip address 9.9.8.1 255.255.255.128
no ip proxy-arp
no ip mroute-cache
ipv6 address 2B01:4B8:1:22::1/64
ipv6 ospf 1 area 15
access-list 111 permit tcp any any eq www
route-map pbr1 permit 10
match ip address 111
set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
route-map pbr1 permit 20
set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
route-map pbr2 permit 10
match ip address 111
set ip next-hop verify-availability 9.9.9.6 1 track 11
set ip next-hop 9.9.9.1
route-map pbr2 permit 20
set ip next-hop verify-availability 9.9.9.1 1 track 22
set ip next-hop 9.9.9.6
I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
Cheers,
-
Route map policy on Catalyst4500x
Does anyone know about route map policy on Catalyst4500x? Is it done in hardware or software? I am trying to use a policy route map to match and redirect about 1 Gbps of traffic.
-
Does icmp redirect work with policy based route
Setup:
R1 and R2 on same ip net.
On R1 policy based route is configured with R2 as next hop.
Will R1 send icmp redirect (to use R2 instead) to those hosts that match the policy based routing ?
Thanks.
Gert Schaarup
Hi Gert,
The answer to your question is yes. I have verified this in a lab previously. As long as all the conditions for ICMP redirect have been met (source address on same net, best gateway on same net) then ICMP redirects are sent regardless of whether PBR or normal routing is being used.
Hope that helps - pls rate the post if it does.
Paresh
-
I'm setting up a server with the port 25565 and I'm doing it with Port Map, but the problem is I can't seem to get it to work with my router. It goes through my Mac mini to the router and the expansion hard drive
-
Ip helper address with Policy Base Routing
Does ip helper work with Policy Base Routing? and if so how and what version of the router software do you need?
thanks
As first function at the ingress interface is ip_helper, as second function at the same ingress interface is policy-based-routing.
We have the same situation regarding ip nat in combination with policy-based-routing.
-
Inter-VPN routing with export map for host routes
Hi,
I am trying to export host routes from a connected network from one VRF to multiple other VRFs. This is to allow the leaking of specific host routes for management purposes. However, I suspect that the /32 host route(s) actually need to be present in the management VRF so the RTs are added accordingly, rather than just specified in the match clause of the MGMT VRF export map.
Ideally here, I only want to export 10.111.111.254/32 from the connected network 10.111.111.0/24 in the MGMT VRF. The only way around this I can see is to move 10.111.111.0/24 behind another device, and add specific host route(s) within the MGMT VRF for the 10.111.111.X/32 host routes (which are redistributed into the MGMT VRF), using the additional device as the next-hop.
ip vrf MGMT
rd 1:1
export map MGMT-EXPORT-MAP
route-target export 1:1
route-target import 1:1
route-target import 1:1001
ip vrf CUST-B
rd 1:2
export map CUSTOMERS-EXPORT-MAP
route-target export 1:2
route-target import 1:2
route-target import 1:1000
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip vrf forwarding MGMT
ip address 10.111.111.1 255.255.255.0
interface FastEthernet0/0.200
encapsulation dot1Q 101
ip vrf forwarding CUST-B
ip address 10.96.2.1 255.255.254.0
router bgp 65000
bgp router-id 1.1.1.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
address-family ipv4 vrf CUST-B
redistribute connected
no synchronization
exit-address-family
address-family ipv4 vrf MGMT
redistribute connected
no synchronization
exit-address-family
ip prefix-list CUSTOMERS seq 5 permit 10.96.2.0/23
ip prefix-list ONPREMISE seq 5 permit 10.111.111.0/24
ip prefix-list ONPREMISE seq 10 permit 10.111.111.254/32
route-map CUSTOMERS-EXPORT-MAP permit 10
match ip address prefix-list CUSTOMERS
set extcommunity rt 1:1001 additive
route-map MGMT-EXPORT-MAP permit 10
match ip address prefix-list ONPREMISE
set extcommunity rt 1:1000 additive
Cheers,
Matt
Hi Matt
Yes the X/32 routes needs to be present in the VRF Routing-Table and if they are to be learnt statically then the MP-iBGP config for that particular VRF address-family has to redistribute static routes as well.
Regards
Varma