Possible to Route Traffic Based on AVC?

Is it possible to route traffic based on the Application Visibility Control functions that specific Cisco routers are capable of? Here's my issue: I have two ISPs. One is at about 120% utilization. The other isn't doing anything. I can specify IP routes based on IP addresses. For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic. The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook. Is there a way to route traffic based on application? I know that Palo Alto firewalls have a way to do Policy Based Forwarding, based on application. I was wondering if the same was possible with AVC. Thanks for any help.

Hello.
Yes, it's possible and, actually, you have 2 ways.
1. use manual load-balance between links.
2. use PfR to load-balance traffic automatically.
PS: you also will need NAT with route-map.

Similar Messages

  • Need to route traffic based on destination to 2 different routers

    I have a 4451X that has a default route of 10.10.48.1. I have 2 other internet routers at 10.10.48.15, and 172.31.1.3.
    The router at 172.31.1.3 is a VPN firewall and has a VPN to 3 specific IP networks. 172.31.252.0/24, 192.168.252.0/24, and 192.168.163.0/24.
    I need the traffic headed to the 3 VPN'd networks to route to 172.31.1.3, and the remaining traffic to route to 10.10.48.15.
    The source network is 172.31.0.0/23 and the gateway of the machines is 172.31.0.1.
    I tried creating a PBR but the internet traffic seems to go outbound through the router's default route of 10.10.48.1 and not 10.10.48.15.
    I am sure I am just missing something silly.
    Here are the relevant portions of the config:
    interface GigabitEthernet0/0/1
     ip address 172.31.0.20 255.255.254.0
     ip nat inside
     ip policy route-map Test
     negotiation auto
     vrrp 1 ip 172.31.0.1
     vrrp 1 priority 105
    interface GigabitEthernet0/0/1.2
     encapsulation dot1Q 2
     ip address 10.10.48.12 255.255.255.224
     ip nat inside
     ip access-group 199 in
     vrrp 1 ip 10.10.48.3
     vrrp 1 priority 105
     vrrp 2 priority 105
     no cdp enable
    ip route 0.0.0.0 0.0.0.0 10.10.48.1
    ip route 0.0.0.0 0.0.0.0 172.31.1.3 2
    access-list 116 permit ip 172.31.0.0 0.0.1.255 172.31.254.0 0.0.0.255
    access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.252.0 0.0.0.255
    access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.163.0 0.0.0.255
    route-map Test permit 19
     match ip address 116
     continue 20
     set ip next-hop 172.31.1.3
    route-map Test1 permit 20
     set ip next-hop 10.10.48.15
    Thanks in advance.
    Burton Hallman

    Firstly I'm not sure why you have two default routes if everything is meant to go via 10.10.48.1?
    That aside in terms of your PBR -
    1) remove the continue statement. I don't know what it is meant to be doing but as far as I know it has no effect with PBR
    2) more importantly your second statement is using a different route map name, i.e. Test1, which makes it a completely different route map, so the one applied to the interface only has the first statement in it, which is the one for VPN traffic.
    Jon

  • Prioritize traffic based on destination IP?

    Hi all, we're looking to use an ASA5505 or 5510 as our firewall but want to see if one of them can help us prioritize traffic. I know it does QoS but we're wanting to dedicate x amount of our bandwidth to traffic based on destination IP address. Is that possible and does it take a license upgrade?
    Thanks!

    Jerry, I would try something like in the second config example I mentioned. Keep in mind, if ISP doesn't support marking packets, it may be hard to QoS inbound. If you assign the VOIP traffic high priority, it should go out interface first during congestion. Don't need to dedicate a certain amount of bandwidth in any way. Make sure in the design to keep the VOIP traffic, VPN traffic and User PAT (outbound NAT) traffic on separate IPs. That will help when defining the access-lists. This QoS stuff is kind of tricky and is a bit confusing. I have set up a few configs according to the above examples and they _seem_ to work. I ran a policing queue on the edge router for traffic leaving to ASA, and ran a priority queue on the ASA. When I test a big download from a major site, which could consume all bandwidth, it doesn't appear to clobber VOIP traffic. The same results apply when I test a big upload to internet. The QoS stuff is tricky though, and I _didn't_ see what I expected when I use the show QoS commands to see traffic drops, etc. so YMMV!
    Take a look at this link for ASA 7.X release, which may give you some ideas:
    "QoS based on ACL with VPN Configuration" You can change ACL to include the outside interface IP as long as you have separated the NATs, VPN, etc. like I mentioned earlier.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml
    Will

  • Route decisions based on destination TCP port with EIGRP

    Need information and plausibility on making routing decisions within EIGRP based on different destination TCP port. I have a third party partner that we communicate to and they are adding a second location which we will connect to. They are wanting to use the same destination host IP but make route decision based on destination TCP port; i.e. if we target tcp 6123 they want us to route down link A to site A, if we target tcp 7123 we would route down link B to site B. I have never had to make that happen so I am looking into whether it actually can and if so what is basic configuration to pursue. We use static IP routes to/from them today and will in the future at the edge, those are distributed internally to our EIGRP. Can EIGRP make decisions based on IP and Port?

    No routing protocol makes decisions based on port number as far as I know.
    You need to look into PBR (Policy Based Routing) for this where you can use acls to define the route that traffic takes.
    Depending on your connections you may well need to use tracking as well but it depends.
    If the only reason to use EIGRP is for these connections you probably don't need it as with PBR you are overriding the routing table anyway but you may want to run it for other connectivity.
    If you do a search on PBR you should find quite a few examples but if you get stuck then by all means come back.

  • Prioritise traffic based on IP subnet

    I'm currently using an Avaya IP Office VoIP solution and I want to introduce a Cisco 2600 to replace the WAN units. I've been told that I will need a QOS switch or have two Lan ports on the router to create two subnets (1 for Data & 1 for VoIP).
    If I decide to use 2 LAN ports instead of installing a QOS switch can someone tell me if this solution is viable and if it is how would I prioritise the traffic based upon the IP subnet.

    If you are going to place the phones on a single subnet and connect them to a dedicated router interface with no other devices (PCs, printers etc) you should get away without any QoS because all the data on that subnet will be voice bearer, voice signaling and network management with voice bearer being by far the majority of the traffic. Your greatest concern for voice quality should be aimed at the WAN link. You will need to ensure that you have QoS between sites and this will be dependent on the type of WAN link employed.

  • ACE and selection of traffic based on ACL

    Hi Folks,
    I have noticed on the ACE it is possible to select traffic to hit a chosen farm based on an ACL. On further look into the ACE ACL, I was not able to determine whether the ACL can match IP DSCP value, like you can on the IOS side.
    Can someone please confirm if it's possible to have an ACE ACL matching a specific DSCP value in the packet.
    Best Regards
    Alan

    Alan,
    unfortunately this is not possible.
    Gilles.

  • Route traffic

    Hi All,
    We have three sites at Mumbai, Pune, Delhi.
    A site to site tunnel is created between Mumbai and Pune,
    and a tunnel between Mumbai and Delhi.
    We do not have a tunnel between Delhi and Pune.
    Is it possible to route the traffic of Delhi from Mumbai site to Pune site?
    The problem is we do not want to create site to site between Delhi and Pune.

    Hi Jcavaraj,
    Just consider the scenario three site a, b, c.
    a---10.0.0.0/24 net
    b----20.0.0.0/24 net
    c-----30.0.0.0/24 net
    There is a site to site tunnel created between a to b and a to c. No tunnel between b to c.
    Now the requirement is 20 network should access 30 network
    Please find the access-list below
    on site a
    access-list outside_2_crypto extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
    access-list outside_2_crypto extended permit ip 10.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0
    same-security-traffic permit intra-interface
    on site b
    access-list outside_4_crypto extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list outside_4_crypto extended permit ip 20.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0
    same-security-traffic permit intra-interface
    on site c
    access-list outside_3_crypto extended permit ip 30.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list outside_3_crypto extended permit ip 30.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
    same-security-traffic permit intra-interface
    Is the configuration right ? Please let me know

  • Route Determination based on shipping instructions.

    Hi Experts,
    I wanted to determine the route based on shipping instruction. How can I bring the shipping instruction field in route determination instead of shipping condition?
    Our current process is route determination based on shipping condition, but sometimes the routes will be different based on shipping instructions.

    Hi Jacob,
    Thank you for your response.
    Initially I have suggested the same solution but users are not ready to accept. The issue is, we have 100 to 1000 lines in purchase order and based on customer requirement the routes need to be changed.
    If I use the shipping condition the user needs to change the lines manually one by one (because the fast change is not possible for shipping tab fields) but if I use the shipping instruction then it is easy to change through fast change mode.
    As per the SAP note 356628 it is difficult to add the new fields (shipping tab fields) in fast change.

  • Route WorkItem based on custom Attributes/ Metadata

    On my current project we have a requirement where scanned whitemail will be stored in DMS (Documentum), along with metadata. Then the DMS will create a work item in CRM for further processing.
    1> Where is this metadata stored in CRM once the work item is created?
    2> Is it possible to route the work item to specific teams interaction center (IC) Inbox based on the metadata using standard config?
    I'm new to this WF area so a detailed step by step answer will be appreciated.
    Regards,
    Sam

    Hi,
    1) If you know the work item ID, you can get the "metadata" (=container) with function SAP_WAPI_READ_CONTAINER. Or you can see it in workflow log. The container data is stored as XML and you cannot read it with SE16 similarly to normal tables.
    2) Yes. There are a lot of different possibilities for this. You can create a custom rule, for which you can give the "metadata" as a parameter, and inside the rule you can have your own custom logic to get the needed agents. You can either code or configure this depending on the requirement.
    In overall these are really basic WF functionalities. You should just first get yourself familiar with WF basics (tutorials, courses, etc.) and then ask more specific questions. Nobody here will probably start teaching you the basics step by step.
    Kind regards,
    Karri

  • Route calls based on extensions

    Hi guys
    First of all, I do not have good English, so I hope you understand me.
    I would like to know if there is a way to route calls based on the caller ID. That is, for instance, I have extensions 5xxx and 88xx and now they are going through E1 0/0/1. I want to move this, so that only these extensions go out to PSTN through the E1 0/0/0. Is it possible to do something like this, and in such case, how?
    Best Regards

    Hi.
    You can also use the search function for your query because this topic has been touched many times here
    Eg. Use caller ID route based as search keyword  and you'll find the solution
    HTH
    Regards
    Carlo
    Please rate all helpful posts
    "The more you help the more you learn"

  • Custom routing agent based on sender's security group and subject

    I made a custom routing agent that routes mails that contain the word [encrypt] in the subject and are sent from domain test.com
    The part of the code is
    if (e.MailItem.FromAddress.DomainPart.Contains("test.com")
                    && e.MailItem.Message.Subject.Contains("[encrypt]"))
    Now what I need is to route mails based on the membership of a certain security group like "securemail", not the whole domain, i.e. if the sender is a member in security group (securemail) and the subject contains the word [encrypt], route the mail
    Thanks

    Thanks for your answer Glen
    The following code is on Exchange 2010 but I need it to check for a security group membership if possible
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using Microsoft.Exchange.Data.Transport;
    using Microsoft.Exchange.Data.Transport.Email;
    using Microsoft.Exchange.Data.Transport.Smtp;
    using Microsoft.Exchange.Data.Transport.Routing;
    using Microsoft.Exchange.Data.Common;
    namespace RoutingAgentOverride
    {
        public class SampleRoutingAgentFactory : RoutingAgentFactory
        {
            public override RoutingAgent CreateAgent(SmtpServer server)
            {
                RoutingAgent myAgent = new ownRoutingAgent();
                return myAgent;
            }
        }
    }
    public class ownRoutingAgent : RoutingAgent
    {
        public ownRoutingAgent()
        {
            // Subscribe to the event raised once recipients have been resolved.
            base.OnResolvedMessage += new ResolvedMessageEventHandler(ownRoutingAgent_OnResolvedMessage);
        }
        void ownRoutingAgent_OnResolvedMessage(ResolvedMessageEventSource source, QueuedMessageEventArgs e)
        {
            try
            {
                // For testing purposes we do not only check the sender address but the subject line as well.
                // If the subject contains the substring "[encrypt]" then the default routing is overwritten.
                // Instead of hard-coding the sender you could also perform an LDAP-query, read the information
                // from a text file, etc.
                if (e.MailItem.FromAddress.DomainPart.Contains("contoso.com")
                    && e.MailItem.Message.Subject.Contains("[encrypt]"))
                {
                    // Here we set the address space we want to use for the next hop. Note that this doesn't change the recipient address.
                    // Setting the routing domain to "nexthopdomain.com" only means that the routing engine chooses a suitable connector
                    // for nexthopdomain.com instead of using the recipient's domain.
                    RoutingDomain myRoutingOverride = new RoutingDomain("nexthopdomain.com");
                    foreach (EnvelopeRecipient recp in e.MailItem.Recipients)
                    {
                        recp.SetRoutingOverride(myRoutingOverride);
                    }
                }
            }
            catch // (Exception except)
            {
                // The handler body is cut off in the original post.
            }
        }
    }

  • Route call based on source IP address

    Hello Guys,
    Is there a way to route calls based on source IP address?
    I want to redirect calls to specific queues based on the ip of the phone who's starting it.
    Any ideas?
    Thanks in advance.
    Filipe Leite

    Hi Filipe
    I'm assuming here that you are using CallManager rather than CME?
    One option might be to use the 'device mobility' feature to assign a specific CSS to devices based on their IP subnet. That CSS could have the appropriate partitions to route to a separate trigger that directs calls to a separate CSQ.
    Of course, whether you can do this depends on whether it would be appropriate to override the device CSS in this way.
    Aaron

  • Is it possible to route the log generated frm a FNDLOAD cmd to usr def file

    Hi,
    Is it possible to route the log generated from a FNDLOAD command to user defined file??
    Thanks in advance,
    Kiran

    Kiran,
    I think it is not possible, the log file will be generated in the directory where you run FNDLOAD.
    Regards,
    Hussein

  • In BD87  T /c  is it possible to control user based in Comp code...?

    In BD87  T /c  is it possible to control user based in Comp code...?
    Thanks
    Mahi

    BD87 is a transaction to work with IDOCs.
    one IDOC e.g. for vendor master can have several segments with different company codes.
    But you cannot post an IDOC only partially, that is technically not possible and does not make much sense.
    Further the IDOC segment in the table is just one huge field. It does not have single fields like company code. It is a generic field that can keep the segments of any IDOC.
    In my opinion there is no way to control it at company code level.
    In any case you posted it in the wrong forum. BD87 is not a MM transaction.
    Hence, moving it to the Abap Connectivity forum

  • Route Traffic down a specific link

    I need to route traffic that is sourced from 10.1.50.0 network down link 1. Currently all traffic goes down Link 2. I want all traffic except 10.1.50.0 network to still use Link 2 as primary. What would be the best approach a static route for the 10.1.50.0 network or some type of policy map or something else? Thanks for the help

    Thanks for the reply. I created the access list and policy map from above but can not put the policy map on the VLAN interface. The commands are there but when I verify by looking at the interface it is not there. It is a 3750 G with IPSERVICES IOS. Any ideas? Thanks
    Standard IP access list 50
    10 permit 10.2.50.0, wildcard bits 0.0.0.255 log
    sh route-map
    route-map **VLAN250**, permit, sequence 10
      Match clauses:
        ip address (access-lists): 50
      Set clauses:
        interface GigabitEthernet2/0/1
      Policy routing matches: 0 packets, 0 bytes
