Route-Map not taken on 3850 IP Services

Something odd I am seeing.
Trying to use a 3850 L3 switch running IP Services, XE ver 03.03.03SE, to do some policy routing on one of the VLAN interfaces.
Interface VLAN 10
ip address 208.x.y.z 255.255.255.0
ip policy route-map Use_Route1
It seems to take the command but when I look back with a show run interface vlan 10, it is not there.
Also when I look at the show route policy it indicates that 0 packets have been processed.
Is this a bug or am I missing something?

Hi Richard,
Cisco 3850 even running on full IP services image will not support verify-availability command to track with IP SLA.
If you enable terminal monitor or configure the device using console you can see the syslog message when you try to configure the route-map with set ip next-hop verify-availability command
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map <name> not supported for Policy-Based Routing
You can see the route-map command showing up in the config, BUT as soon as you try to apply it to interface vlan10 the command will not be applied and PBR will not work.
I hope Cisco finds a way to fix this!!
Workaround:
You can use EEM Applet with IP SLA
! Apply the policy to Vlan10 when tracked IP SLA 1 comes back up
event manager applet internet_up
 event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up"
 action 2.0 cli command "enable"
 action 3.0 cli command "config t"
 action 3.2 cli command "interface Vlan10"
 action 3.3 cli command "ip policy route-map Use_Internet"
 action 3.4 cli command "exit"
! Remove the policy from Vlan10 when tracked IP SLA 1 goes down
event manager applet internet_down
 event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down"
 action 2.0 cli command "enable"
 action 3.0 cli command "config t"
 action 3.2 cli command "interface Vlan10"
 action 3.3 cli command "no ip policy route-map Use_Internet"
 action 3.4 cli command "exit"
Repeat the same process for the other IP SLA tracking you have.
Hope this helps
Santhosh

Similar Messages

  • Route-map not working on cisco 3750

    Hello All,
    I'm trying to use route-map using next hop. For some reason I am not getting any matching packets. SDM is set up for desktop routing.
    I am not getting any matches on my route-map nor my ACL.
    Code is 12.2(55)SE5
    Config
    interface Vlan11
     description OAD_NAP Data Network
     ip address 10.248.60.254 255.255.255.0
     ip helper-address 172.17.101.1
     ip helper-address 172.17.104.1
     ip helper-address 172.17.108.114
     no ip redirects
     no ip proxy-arp
    ip policy route-map ROUTE-OADFW
    end
    access-list 100 permit ip host 10.248.60.240 host 172.20.1.1 log
    access-list 100 permit ip 10.248.60.0 0.0.0.255 172.20.1.0 0.0.0.255
    route-map ROUTE-OADFW permit 10
     match ip address 100
     set ip next-hop 10.248.31.254
    Don't know if this makes a difference: 10.248.31.254 (FW) is not the next hop but it is in the routing table so the 3750 knows how to get there.
    sho route-map
    route-map ROUTE-OADFW, permit, sequence 10
      Match clauses:
        ip address (access-lists): 100
      Set clauses:
        ip next-hop 10.248.31.254
      Policy routing matches: 0 packets, 0 bytes
    oan-u101-asw-01#
    Very straightforward I thought :) Any help really appreciated.

    Hi,
    You need to look at the config guide
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swiprout.html#wp1392257
    Look at step 4
    Step 4 
     set ip next-hop ip-address [...ip-address]
    Specify the action to take on the packets that match the criteria. Set next hop to which to route the packet (the next hop must be adjacent).
    The address you are using as the next hop is NOT adjacent
    Regards
    Alex
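
An offline check for the two Catalyst PBR restrictions raised in the replies above: Santhosh's point that a route-map using set ip next-hop verify-availability is rejected for PBR on the 3850, and Alex's point that the next hop must be adjacent. This is an added example, not code from either poster or from Cisco; the Vlan10 address, the body of Use_Route1 and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample. Vlan11 and ROUTE-OADFW are quoted from the 3750 post;
# the Vlan10 address and the body of Use_Route1 are assumptions.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map Use_Route1
!
interface Vlan11
 ip address 10.248.60.254 255.255.255.0
 ip policy route-map ROUTE-OADFW
!
route-map Use_Route1 permit 10
 set ip next-hop verify-availability 192.0.2.254 1 track 1
!
route-map ROUTE-OADFW permit 10
 match ip address 100
 set ip next-hop 10.248.31.254
"""

IF_RE = re.compile(r"interface\s+(.+)", re.I)
RMAP_RE = re.compile(r"route-map\s+(\S+)\s+(?:permit|deny)\b", re.I)
ADDR_RE = re.compile(r"ip address\s+(\S+)\s+(\S+)", re.I)
POLICY_RE = re.compile(r"ip policy route-map\s+(\S+)", re.I)
NEXTHOP_RE = re.compile(r"set ip next-hop\s+(.+)", re.I)


def parse_config(text):
    """Collect interface subnets/policies and route-map next-hop clauses.

    Stanzas are found by keyword, not indentation, because configs pasted
    into forums (as on this page) often lose their leading spaces.
    """
    interfaces, route_maps = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("!", "end"):
            kind = None
        elif IF_RE.match(line):
            kind, name = "if", IF_RE.match(line).group(1).replace(" ", "")
            interfaces.setdefault(name, {"networks": [], "policy": None})
        elif RMAP_RE.match(line):
            kind, name = "rmap", RMAP_RE.match(line).group(1)
            route_maps.setdefault(name, [])
        elif kind == "if" and ADDR_RE.match(line):
            try:
                addr = "/".join(ADDR_RE.match(line).groups())
                interfaces[name]["networks"].append(
                    ipaddress.ip_interface(addr).network)
            except ValueError:
                pass  # redacted address such as 208.x.y.z
        elif kind == "if" and POLICY_RE.match(line):
            interfaces[name]["policy"] = POLICY_RE.match(line).group(1)
        elif kind == "rmap" and NEXTHOP_RE.match(line):
            route_maps[name].append(NEXTHOP_RE.match(line).group(1).strip())
    return interfaces, route_maps


def audit(text, reject_verify_availability=True):
    """Return (interface, route_map, issue, detail) for each applied PBR map.

    Pass the full running-config: adjacency is judged against every
    interface subnet found in the text.
    """
    interfaces, route_maps = parse_config(text)
    connected = [n for i in interfaces.values() for n in i["networks"]]
    findings = []
    for ifname, intf in interfaces.items():
        rmap = intf["policy"]
        if rmap is None:
            continue
        if rmap not in route_maps:
            findings.append((ifname, rmap, "undefined-route-map", ""))
            continue
        for clause in route_maps[rmap]:
            if reject_verify_availability and clause.startswith("verify-availability"):
                findings.append((ifname, rmap, "verify-availability", clause))
            for token in clause.split():
                try:
                    hop = ipaddress.ip_address(token)
                except ValueError:
                    continue  # keyword, sequence number or track id
                if not any(hop in net for net in connected):
                    findings.append((ifname, rmap, "next-hop-not-adjacent", token))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("%s: route-map %s: %s %s" % finding)
```

The verify-availability finding only applies to platforms with the restriction described in the 3850 reply; pass `reject_verify_availability=False` to audit adjacency alone.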

  • I am having trouble connecting to my network all of a sudden. It is not an issue with the service/router. I keep getting kicked off and getting a ! in my airport... anyone know what's up with this?

    I am having trouble connecting to my network all of a sudden. I am able to connect to other networks but not my own. It is not an issue with the service/router because other devices connect fine. I keep getting kicked off and getting a ! in my airport. Last time it happened I called Apple and they suggested I wipe my HD and reinstall everything. I did and it did not work. One day I turned my laptop on and it connected no problem. Now it has kicked me off again. I tried resetting my IP address but that does not work either! Has anyone had this problem?

    Try this:
    Apple menu / System Preferences / Network.
    Click Location: and select Edit Locations..
    Click + (plus sign), and enter a name for the new location - anything will do.
    Apply this.

  • Distributed multicast routing command not working on Catalyst 3850 switch

    Hi Cisco community,
    I was wondering if there is a known problem as to why the ip multicast-routing [distributed] option is not available on the Cat 3850 platforms
    global command " ip multicast-routing " is accepted 
    the configuration guide named:
    IP Multicast Routing Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
    First Published: January 29, 2013
    Last Modified: October 22, 2013
    explains that this option "key word" [distributed] should be available:
    Enables IP multicast routing.
    ip multicast-routing [distributed] 
    Device(config)# ip multicast-routing distributed
    =============== Here is what i have and see =========
    Config attempt
    ============
    CAT-3850-1(config)#ip multicast-routing distributed
                                                ^
    Show command:
    ========
    CAT-3850-1#show ip multicast 
      Multicast Routing: enabled
      Multicast Multipath: disabled
      Multicast Route limit: No limit
      Multicast Fallback group mode: Sparse
      Number of multicast boundaries configured with filter-autorp option: 0
    Software:
    ========
    Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), 
    Version 03.03.03SE RELEASE SOFTWARE (fc2)
    License rights:
    ============
    CAT-3850-1#sh license right-to-use 
     Slot#  License name   Type     Count   Period left 
     1      ipservices   permanent     N/A   Lifetime
     1      apcount      adder         10     Lifetime
    License Level on Reboot: ipservices
     Slot#  License name   Type     Count   Period left 
     2      ipservices   permanent     N/A   Lifetime
     2      apcount      adder         10     Lifetime
    License Level on Reboot: ipservices
    Any hints and help would be greatly appreciated.
    Many thanks in advance
    Markus 

    Hi Reza,
    Thank you for your quick reply, and for putting the record straight. As such, a helpful rating was provided.
    PS: Feel free to help me one more time if you happen to know the follow-on to this query :)
    I guess that the distributed function has been included in the standard multicast routing command because the key word is no longer needed. Or perhaps this platform does not support this at all.
    Once again , thank you for your help above.
    Best regards

  • Map Not Update...Unable to See Traffic....No Route Map for any destination

    Yesterday updated IO6 and found map they are using is too old, compare to earlier version, cannot see Traffic, No Route Map there, Cannot Hear Voice..
    This is very big problem...

    If images are missing then check that you aren't blocking images from some domains.
    *Check the permissions for the domain in the current tab in "Tools > Page Info > Permissions"
    *Check that images are enabled: Tools > Options > Content: [X] Load images automatically
    *Check the exceptions in "Tools > Options > Content: Load Images > Exceptions"
    *Check the "Tools > Page Info > Media" tab for blocked images (scroll through all the images with the cursor Down key).
    If an image in the list is grayed and there is a check-mark in the box "Block Images from..." then remove that mark to unblock the images from that domain.
    Make sure that you do not block third-party images permissions.default.images
    There are also extensions (Tools > Add-ons > Extensions) and security software (firewall, anti-virus) that can block images.
    *http://kb.mozillazine.org/Images_or_animations_do_not_load

  • Packets not hitting the route-map's NAT access-list

    Hi Everyone,
    I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list that is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:
    interface GigabitEthernet0/1.102
    description "xxx"
    encapsulation dot1Q 102
    ip address 10.300.301.1 255.255.255.0
    ip access-group xxx_ACL in
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool xxx_POOL ??
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map xxx pool xxx_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip access-list extended xxx-VPN
    remark VPN to xxx
    permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
    ip access-list extended xxx_ACL
    deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
    permit ip any any
    ip access-list extended xxx_NAT
    deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
    deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 10.300.301.0 0.0.0.255 any
    route-map ??? permit 10
    match ip address ???_NAT
    route-map xxx permit 10
    match ip address xxx_NAT
    route-map ??? permit 10
    match ip address NAT_???
    route-map ??? permit 10
    match ip address ???_NAT
    control-plane
    banner motd ^C

    As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
    So just a guess:
    The "ip nat inside source route-map" statements are processed in a lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation, which you should see with "show ip nat translation".
    HTH, Karsten

  • Why New Apple maps not supporting the direction of route  in the UAE; which was supported in ios5.Please help

    Why New Apple maps not supporting the direction of route  in the UAE; which was supported in ios5.
    When it is going to resolve

    iOS 6  Which Features in What Countries...
    http://www.apple.com/ios/feature-availability/

  • Route map does not applied on interface vlan

    Hi all,
    could you pls tell me why I can't apply a route-map on an interface vlan?
    Below is my config:
    SWBBO(config-if)#ip policy route-map TEST
                               ^
    % Invalid input detected at '^' marker.
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Fri 04-Jan-13 01:38 by prod_rel_team
    ROM: Bootstrap program is C3750E boot loader
    BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
    BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
    System returned to ROM by power-on
    System restarted at 22:12:07 UTC Mon Feb 18 2013
    System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
    Best regards,
    James

    Hi jon,
    below is the result of sh sdm prefer, so do I need an IP services licence to apply the route-map on the interface vlan, or just enter the config "sdm prefer routing" and reboot the switch?
    SWBB0#sh sdm prefer
    The current template is "desktop default" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  6K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    8K
        number of directly-connected IPv4 hosts:        6K
        number of indirect IPv4 routes:                 2K
      number of IPv6 multicast groups:                  64
      number of directly-connected IPv6 addresses:      74
      number of indirect IPv6 unicast routes:           32
      number of IPv4 policy based routing aces:         0
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.875k
      number of IPv6 policy based routing aces:         0
      number of IPv6 qos aces:                          0
      number of IPv6 security aces:                     60

  • Why packets are being translated by one route-map and not the other?

    Hi,
    I have 2 NAT rules, each with a route-map to determine which packets are translated. What I don't understand is how to control which NAT rule is applied first..?
    In my config, the first of the following rules is applied first, and then the other. I would like to have it the other way round, the second being applied first, and the first being applied second.
    ip nat inside source route-map NAT_INTERNET_ACCESS_RMAP interface GigabitEthernet0/1 overload
    ip nat inside source static 172.16.101.1 10.10.11.1 route-map NAT_RADIANZ_PIXACCESS_RMAP
    The reason why I want it this way round is because the first rule NAT's almost everything so that I can access the Internet. The second rule NAT's specific traffic to a different address.
    If I want traffic to be NATTED according to the second rule, I have to deny traffic in the first associated ACL, and permit it in the second ACL. That means I basically have to configure each ACL each time I want packets to be matched by the second NAT rule - there must be a better way of doing it!!!
    Any help would be most appreciated.
    Many thanks,
    Michael.

    Hello, here's the basic (shortened list). If I want packets to be matched by NAT_RADIANZ_PIXACCESS_ACL I have to put a deny in NAT_INTERNET_ACCESS_ACL. If I could make sure that the first list is used first, and then anything left over compared against the second, then it would make life/editing much easier...
    Cheers,
    Michael
    ip nat inside source route-map NAT_INTERNET_ACCESS_RMAP interface GigabitEthernet0/1 overload
    ip nat inside source static udp 10.10.11.1 500 10.10.11.1 500 extendable
    ip nat inside source static udp 10.10.11.1 4500 10.10.11.1 4500 extendable
    ip nat inside source static 172.16.101.1 10.10.11.1 route-map NAT_RADIANZ_PIXACCESS_RMAP
    ip access-list extended NAT_INTERNET_ACCESS_ACL
    remark Traffic to Branch A (over VPN)
    deny ip 172.16.101.0 0.0.0.255 192.168.1.0 0.0.0.255
    remark Traffic to Branch B (over VPN)
    deny ip 172.16.101.0 0.0.0.255 172.16.0.0 0.0.0.255
    deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
    deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
    deny ip 172.16.101.0 0.0.0.255 172.16.3.0 0.0.0.255
    remark Traffic to Cust A (over VPN)
    deny ip host 172.16.101.1 host 192.168.0.1
    deny ip host 172.16.101.2 host 192.168.0.1
    remark Traffic to Cust B (over VPN)
    deny ip host 172.16.101.1 host 192.168.0.2
    deny ip host 172.16.101.2 host 192.168.0.2
    remark Traffic to Cust C (over Radianz VPN)
    deny ip host 172.16.101.1 host 192.168.0.3
    deny ip host 172.16.101.2 host 192.168.0.3
    remark Traffic to Cust D (over Radianz VPN)
    deny ip host 172.16.101.1 host 192.168.0.4
    deny ip host 172.16.101.2 host 192.168.0.4
    permit ip any any
    ip access-list extended NAT_RADIANZ_PIXACCESS_ACL
    remark Manangement Traffic to Cust C
    permit icmp host 172.16.101.1 host xxx.xxx.xxx.xxx
    permit icmp host 172.16.101.2 host xxx.xxx.xxx.xxx
    permit tcp host 172.16.101.1 host xxx.xxx.xxx.xxx eq 22
    permit tcp host 172.16.101.2 host xxx.xxx.xxx.xxx eq 22
    remark Manangement Traffic to Cust D
    permit icmp host 172.16.101.1 host xxx.xxx.xxx.xxx
    permit icmp host 172.16.101.2 host xxx.xxx.xxx.xxx
    permit tcp host 172.16.101.1 host xxx.xxx.xxx.xxx eq 22
    permit tcp host 172.16.101.2 host xxx.xxx.xxx.xxx eq 22
    route-map NAT_RADIANZ_PIXACCESS_RMAP permit 10
    match ip address NAT_RADIANZ_PIXACCESS_ACL
    set ip next-hop 10.10.11.14
    route-map NAT_INTERNET_ACCESS_RMAP permit 40
    match ip address NAT_INTERNET_ACCESS_ACL
    set ip next-hop xxx.xxx.xxx.xxx

  • You are not registered to use this service

    We have everything with BT including a new TV box with netflix etc, which is currently at the end of the 14 day cooling off period. If the following problem isn't resolved today I will be considering cancelling the TV contract and leaving BT all together.
    Our phone was working ok on the 15/4/2015. I tried to dial a local number last night (16/4/2015) to hear 'you are not registered to use this service please contact your service provider'. I dialled again with the area code, same thing. Also with national and mobile calls. We can receive incoming calls. I rang the Indian call centre who said there is no problem with the line or the account (which is in credit) it must be the handset. I am waiting for them to ring me back but having searched the problem online I think this will be to no avail. I have read about prefixing phone numbers with 1280 and this has worked when trying to ring my own mobile, so it can't be a problem with the handset, can it?
    I've seen it could be a problem with Indirect Access IDA being removed from my account (no idea how this might happen). I also know that there was a major outage last week (around 6/4/2015) in our area which led to the freeview HD channels not being available. I had to reset our router which cleared the problem but were Openreach in our area doing something to the exchange boxes etc?
    I need this problem sorting out A.S.A.P. please.

    The fact that if you use 1280 it allows successful calls suggests your line is set as CPS, carrier pre-select. If this has just happened it suggests a CPS provider has taken your 'line' for calls if not for line rental, but it's not properly set up, otherwise calls would terminate; it would just be billed by the mystery CPS provider.
    Have you had any approach by companies that sell this product? Sometimes ISPs whose product includes calls can use CPS. If not, and you haven't been 'slammed', you need BT to set your line as non-CPS, so BT handle your calls automatically without using 1280.
    This should be easy to get done, but the drones that answer the calls probably won't have a clue, hence the 'it must be your handset' nonsense they come up with. Report the line faulty, don't accept an appointment, and insist they send the problem to what was once called BT Operate; they look after the telephone exchange equipment and its 'data'.

  • Remote access VPN with Cisco Router - Can not get the Internal Lan .

    Dear Sir ,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
    I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. Need your help to solve the issue.
    Below is the IP address of the device.
    Local PC (connected to Router-2 through MS Loopback): IP address 10.10.10.2, mask 255.255.255.0
    Router-2 F0/1: IP address 10.10.10.1, mask 255.255.255.0
    Router-2 F0/0: IP address 20.20.20.2, mask 255.255.255.0
    Router-1 F0/0: IP address 20.20.20.1, mask 255.255.255.0
    Router-1 F0/1: IP address 192.168.1.1, mask 255.255.255.0
    PC-01: IP address 192.168.1.3, mask 255.255.255.0
    I can ping from the local PC to the networks 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is OK from my local PC to Remote Router 1 and 2.
    Through the Cisco remote VPN client, I can get connected with the VPN Router R1 (please see the VPN Client pic), but cannot ping the network 192.168.1.0.
    Need your help to fix the problem.
    Router R2 Configuration:
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip tcp synwait-time 5
    interface FastEthernet0/0
    ip address 20.20.20.2 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    ip address 10.10.10.1 255.255.255.0
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    end
    Router R1 Configuration :
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login USERAUTH local
    aaa authorization network NETAUTHORIZE local
    aaa session-id common
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    no ip domain lookup
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    username vpnuser password 0 strongpassword
    ip tcp synwait-time 5
    crypto keyring vpnclientskey
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group remotevpn
    key cisco123
    dns 192.168.1.2
    wins 192.168.1.2
    domain mycompany.com
    pool vpnpool
    acl VPN-ACL
    crypto isakmp profile remoteclients
    description remote access vpn clients
    keyring vpnclientskey
    match identity group remotevpn
    client authentication list USERAUTH
    isakmp authorization list NETAUTHORIZE
    client configuration address respond
    crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
    crypto dynamic-map DYNMAP 10
    set transform-set TRSET
    set isakmp-profile remoteclients
    crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
    interface FastEthernet0/0
    ip address 20.20.20.1 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPNMAP
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpnpool 192.168.50.1 192.168.50.10
    ip forward-protocol nd
    ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
    no ip http server
    no ip http secure-server
    ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
    ip access-list extended NAT-ACL
    deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended VPN-ACL
    permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
    control-plane
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    end

    Dear All,
    I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
    Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client, but I cannot ping the internal LAN 192.168.1.0. Need your help to solve the issue.
    Waiting for your response.
    --Milon

  • Route map no match

    Hi,
    what is the reason for not having any match, in the acl for the route-map?
    Current configuration : 1731 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R2
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 5
    ip cef
    interface Loopback0
     ip address 192.168.0.1 255.255.255.0
    interface Loopback1
     ip address 192.168.1.1 255.255.255.0
    interface Loopback200
     ip address 196.0.0.1 255.255.255.0
    interface FastEthernet0/0
     ip address 195.0.0.1 255.255.255.0
     ip policy route-map r_teste
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial1/0
     ip address 10.0.0.2 255.255.255.252
     serial restart-delay 0
    interface Serial1/1
     ip address 172.16.0.2 255.255.255.252
     serial restart-delay 0
     clock rate 128000
    interface Serial1/2
     no ip address
     shutdown
     serial restart-delay 0
    interface Serial1/3
     no ip address
     shutdown
     serial restart-delay 0
    router bgp 100
     no synchronization
     bgp log-neighbor-changes
     network 192.168.0.0
     network 192.168.1.0
     neighbor 10.0.0.1 remote-as 200
     neighbor 172.16.0.1 remote-as 300
     no auto-summary
    ip http server
    no ip http secure-server
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 172.16.0.1
    access-list 40 permit any
    route-map anuncia1 permit 20
     match ip address 20
    route-map anuncia0 permit 10
     match ip address 10
    route-map r_teste permit 10
     match ip address 40
     set ip default next-hop 10.0.0.1
    control-plane
    line con 0
    line aux 0
    line vty 0 4
     login
    end
    R2#ping 192.168.55.1 source 195.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
    Packet sent with a source address of 195.0.0.1
    Success rate is 0 percent (0/5)
    R2#sh access-lists
    Standard IP access list 10
        10 permit 192.168.0.0, wildcard bits 0.0.0.255
    Standard IP access list 20
        10 permit 192.168.1.0, wildcard bits 0.0.0.255
    Standard IP access list 30
        10 permit 195.0.0.0, wildcard bits 0.0.0.255
    Standard IP access list 40
        10 permit any
    Extended IP access list 100
        10 permit ip any 192.168.55.0 0.0.0.255
    R2#
    is possible without changing the bgp?
    thanks

    Default PBR:
    All packets received on an interface (ingress) with PBR enabled are entertained; first they should match through the ACL, then forward to the next hop. If a match exists (through the ACL) but is not forwarded to the next hop, then nothing is done with this packet, especially for ICMP packets.
    I think you need Local PBR:
    Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
    ip local policy route-map TEST
    Regards,
    kazim

  • Cisco 4900m, pbr, route-map

    Hi,
    My customer has a question, what is the limit for entries for the route-map for PBR that will be done in hardware? This applies to soft-4900M 12.2 (53) SG2. I need a reference to documentation.
    Regards,
    lb

    Hi Lukasz,
    the 4900M is a Data Center Switch and not a Metro one, so it is more appropriate if you post these types of questions on Network Infrastructure > LAN Switching and Routing section
    (the 4900M should not be confused with the ME4900 series, which are Metro switches instead).
    Anyway it supports 128.000 Security and Quality-of-Service (QoS) Hardware Entries as documented here:
    http://www.cisco.com/en/US/products/ps6021/prod_models_comparison.html
    and here:
    http://www.cisco.com/en/US/partner/prod/collateral/switches/ps5718/ps6021/ps9310/Data_Sheet_Cat_4900M.html
    regards,
    Riccardo

  • Understanding a route map

    Hi All,
    I have just taken over supporting a network, and have come across a route map that I don't really understand. The route-map is copied below. Can anyone please tell me step by step how it's processed, and what the outcome is?
    route-map test permit 5
     match ip address prefix-list path_one_prefer
    route-map test permit 10
     match as-path 3
    route-map test permit 20
     match ip address prefix-list route-filter
     set as-path prepend 65100
    ip prefix-list path_one_prefer seq 5 permit 10.10.0.0/16
    ip as-path access-list 3 permit _65000_
    ip prefix-list route-filter seq 10 deny 172.130.1.0/28
    ip prefix-list route-filter seq 15 deny 172.131.1.248/29
    ip prefix-list route-filter seq 20 deny 172.200.128.0/27
    The route map is applied outbound towards an ebgp peer
    Many Thanks
    Russ

    Hello Russ,
    Yes that is indeed the case.
    route-map test permit 20
     match ip address prefix-list route-filter
     set as-path prepend 65100
    ip prefix-list route-filter seq 10 deny 172.130.1.0/28
    ip prefix-list route-filter seq 15 deny 172.131.1.248/29
    ip prefix-list route-filter seq 20 deny 172.200.128.0/27
    In the route-map line 20, it is set to "match ip address prefix-list route-filter".
    Since the deny is in place in the prefix list, take it as "Not these ones".
    Everything else is permitted and AS-Path prepended.
    After line 20 there is no other - ACL logic - explicit deny - so if there is no match, it's a deny, so the prefixes in the prefix-list "route-filter" are not advertised.
    This line 20 seems to be the "catch all" for other routes except for these ones, i.e. that prefix list, and prepends them.
    Check the routes you are advertising, as I stated in my first post, with "show ip bgp neigh x.x.x.x advertised-routes", which should correlate with the route-map applied to your BGP peer.
    Hope this makes it clear.

  • 3845 Router do not work with NME-X23ES-1GP Interface card

    Need help!
    I am trying to install interface card NME-X 23ES-1GP on a 3845 router. I installed this card in slot 4, but the router could not communicate with this card.
    IOS version in Router 12.3
    Here are the results of the show diag command:
    Slot 4:
    Unknown (type 1187) Port adapter
    Port adapter is disabled deactivated
    Port adapter insertion time unknown
    EEPROM contents at hardware discovery:
    Hardware Revision : 1.0
    Top Assy. Part Number : 800-25011-01
    Board Revision : A0
    Deviation Number : 0-0
    Fab Version : 03
    PCB Serial Number : FOC090009VC
    RMA Test History : 00
    RMA Number : 0-0-0-0
    RMA History : 00
    Product (FRU) Number : NME-X-23ES-1G-P
    Version Identifier : V01
    Base MAC Address : 0013.8088.9f80
    MAC Address block size : 128
    EEPROM format version 4
    EEPROM contents (hex):
    Possibly IOS release too old?

    Thank you for the link. I read all the information on this link, but I can't solve the problem.
    Commands "show version" and "show flash:" show me the IOS image file version on the router (but not on interface modules). Here is the router's IOS image:
    c3845-advipservicesk9-mz.123-11.T5.bin
    I can't connect to and open a session on the interface module. Command service-module interface slot/port session doesn't work.
    What should I do next?
    Is it necessary to upgrade the software on the router?
    Here are the results of show version and show flash:
    BIG1#show flash:
    -#- --length-- -----date/time------ path
    1 29801400 Jun 28 2005 04:47:46 +00:00 c3845-advipservicesk9-mz.123-11.T5.bin
    2 1651 Jun 28 2005 04:55:18 +00:00 sdmconfig-38xx.cfg
    3 3085312 Jun 28 2005 04:55:40 +00:00 sdm.tar
    4 763392 Jun 28 2005 04:55:56 +00:00 es.tar
    5 820224 Jun 28 2005 04:56:10 +00:00 common.tar
    6 1038 Jun 28 2005 04:56:24 +00:00 home.shtml
    7 113152 Jun 28 2005 04:56:36 +00:00 home.tar
    8 749101 Jun 28 2005 04:56:52 +00:00 256MB.sdf
    9 1208320 Jun 28 2005 04:57:08 +00:00 ips.tar
    27451392 bytes available (36560896 bytes used)
    BIG1#show version
    Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Sat 02-Apr-05 15:14 by yiyan
    ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
    BIG1 uptime is 57 minutes
    System returned to ROM by reload at 07:11:45 UTC Tue Jul 12 2005
    System image file is "flash:c3845-advipservicesk9-mz.123-11.T5.bin"
    Cisco 3845 (revision 1.0) with 223232K/38912K bytes of memory.
    Processor board ID FCZ0927714C
    2 Gigabit Ethernet interfaces
    1 Virtual Private Network (VPN) Module
    4 Voice FXS interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    479K bytes of NVRAM.
    62720K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102
