Route Map Policy on SVI - Trunk from ESX
Hi,
I have a question regarding the following configuration.
A route map matches traffic from a particular subnet, say on VLAN 10 (using an ACL).
A route map policy is applied on this SVI (int vlan 10)
A server on this subnet is running on ESX which is connected to the switch on a trunk port.
The ESX host tags all frames from this server as VLAN 10.
In this scenario, should the route map pick up the traffic from this server? I don't see why not, but in my testing it doesn't seem to be working :)
Thanks for any help.
Hi Alex,
It's a 3750x (stack) with 12.2(55)SE5.
I've already changed the SDM template to routing and rebooted the switch.
I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
Thanks again.
Extended IP access list UPLINK2
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
route-map ROUTE1 permit 10
match ip address UPLINK2
set ip next-hop 10.1.1.253
interface Vlan10
ip address 192.168.5.254 255.255.254.0
ip policy route-map ROUTE1
end
Similar Messages
-
Route map policy on Catalyst4500x
Does anyone know about route map policy on Catalyst4500x ? Is it do on hardware or software ? I try to use policy route map to match and redirect traffic about 1 Gbps
Hi Alex,
It's a 3750x (stack) with 12.2(55)SE5.
I've already changed the SDM template to routing and rebooted the switch.
I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
Thanks again.
Extended IP access list UPLINK2
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
route-map ROUTE1 permit 10
match ip address UPLINK2
set ip next-hop 10.1.1.253
interface Vlan10
ip address 192.168.5.254 255.255.254.0
ip policy route-map ROUTE1
end -
Local policy route-map for policy route
Hi
this is related my previous question:
I want to set policy route on asr1004, that redirect vpn traffic.
my case is:
asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
assume vpn with ip address 10.2.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
assume taget network is 10.200.200.0/24
I want internal traffic (10.10.10.0/24) go to target (10.200.200.0/24) to be redirect to10.2.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
Than, I want vpn (10.2.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.2.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
if not, do I have any change to do policy route for this case?
any comment will be appreciated
Thanks in advance
Julxuhi Jon
can I refresh the question again:
my case is:
asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
assume vpn with ip address 10.10.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
assume taget network is 10.200.200.0/24
I want internal traffic (10.10.0.0/16) go to target (10.200.200.0/24) to be redirect to10.10.2.2 (vpn) first, so I add "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
Than, I want vpn (10.10.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
such as:
interface TenGigabitEthernet0/0/0
description bgp to get default
ip address 10.100.100.100 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
interface TenGigabitEthernet0/1/0
description get internaltraffic
ip address 10.3.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
interface GigabitEthernet0/2/1
description vpn
ip address 10.10.2.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
media-type rj45
negotiation auto
ip local policy route-map vpn-out
access-list 100 permit ip 10.10.2.2 any
route-map vpn-out permit 10
match ip address 100
set ip next-hop 10.100.100.100
ip route 10.200.200.0/24 10.10.2.2
Could you please advise if it is correct? -
Can't apply policy route-map on C3750 stack vlan interface
Hi All.
I've come up with this problem and i could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
2 x WS-C3750G-24T-E in stack
Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
switch#sh sdm prefe
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 1.5K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 2.75K
number of directly-connected IPv4 hosts: 1.5K
number of indirect IPv4 routes: 1.25K
number of IPv6 multicast groups: 1.125k
number of directly-connected IPv6 addresses: 1.5K
number of indirect IPv6 unicast routes: 1.25K
number of IPv4 policy based routing aces: 0.25K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.5K
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.5K
number of IPv6 security aces: 0.5K
There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map i can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
Any help will be appretiated.
Thanks.Hi Jon.
Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also i've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
track 11 rtr 1 reachability
track 22 rtr 2 reachability
ip routing
no ip dhcp use vrf connected
interface GigabitEthernet1/0/1
description ISP1
no switchport
ip address 9.9.9.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
speed 100
duplex full
ipv6 address 2B01:4B8:0:3::2/64
ipv6 ospf 1 area 0
no mdix auto
no cdp enable
interface GigabitEthernet2/0/1
description ISP2
no switchport
ip address 9.9.9.5 255.255.255.252
ip ospf cost 10000
speed 1000
duplex full
ipv6 address 2B01:4B8:0:7::2/64
ipv6 enable
ipv6 ospf cost 10000
ipv6 ospf 1 area 0
interface Vlan5
description Company Ext Subnet
ip address 9.9.8.1 255.255.255.128
no ip proxy-arp
no ip mroute-cache
ipv6 address 2B01:4B8:1:22::1/64
ipv6 ospf 1 area 15
access-list 111 permit tcp any any eq www
route-map pbr1 permit 10
match ip address 111
set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
route-map pbr1 permit 20
set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
route-map pbr2 permit 10
match ip address 111
set ip next-hop verify-availability 9.9.9.6 1 track 11
set ip next-hop 9.9.9.1
route-map pbr2 permit 20
set ip next-hop verify-availability 9.9.9.1 1 track 22
set ip next-hop 9.9.9.6
I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
Cheers, -
Hi all,
may some of you tell me the real meaning of the sub-command "set interface <intf>" under the route-map section?
I thought it was like the <intf> parameter whe you set a route out of an interface.
I tried it with a PIX that should have to act as proxy-arp device but nothing happened.
Everything worked fine using "set ip next-hop ..."
The topology appears a little bit complicated if explained how I built it in practice.
Just a PIX525, a switch and a router 877 that manages VLANS.
I reproduced the environment that doesn't see 2 ethernet interfaces on the router where the policy is applied but 1 serial and 1 ethernet. By now there are 2 devices, one per link, and the def route is based on proxy-arp both for the serial and the ethernet.
Hope the scenario was clearly depicted.
TIA
AlexPlease refer to this document..
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml
HTH,
Ahmed -
I have a 6509 that I've setup with route-maps in order to route VLANs in different ways. For example, if we wanted some vlans to get out to the internet we would route them to a certain address. Then there is another vlan that we route to another internet gateway. It was all working pretty good until we swapped out another switch gateway in the network and every since things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch then back in, even though my access-list are set to deny the traffic. Here are the access-list and route-maps:
access-list 10 permit 192.168.24.101
access-list 10 permit 192.168.24.102
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
access-list 104 permit tcp host 172.16.4.20 any eq www
ip access-list extended BITCENTRAL_INTERNET
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.1.170 any
permit ip host 172.16.1.150 any
ip access-list extended EDIT_BAYS
deny ip any 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.25.2 any
permit ip host 192.168.26.80 any
permit ip host 192.168.25.104 any
permit ip host 192.168.25.3 any
permit ip host 192.168.26.69 any
permit ip host 192.168.26.71 any
permit ip host 192.168.27.33 any
ip access-list extended ENPS
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.24.101 any
permit ip host 192.168.24.102 any
permit ip host 192.168.24.103 any
ip access-list extended ENTRIQ
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.8.0 0.0.0.255 any
ip access-list extended MISC
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.11.0 0.0.0.255 any
ip access-list extended Omneon
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip host 172.16.2.11 any
permit ip host 172.16.2.2 any
ip access-list extended ROSS-VLAN
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.4.20 any
permit ip host 172.16.4.32 any
permit ip host 172.16.4.31 any
permit ip host 172.16.4.29 any
permit ip host 172.16.4.30 any
permit ip host 172.16.4.28 any
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 172.16.1.1 255.255.255.0
ip policy route-map BITCENTRAL
interface Vlan20
ip address 172.16.2.1 255.255.255.0
ip policy route-map OMNEON
interface Vlan30
ip address 172.16.3.1 255.255.255.0
interface Vlan40
ip address 172.16.4.1 255.255.255.0
ip policy route-map ROSS-VLAN
interface Vlan50
ip address 172.16.5.1 255.255.255.0
interface Vlan60
ip address 172.16.6.1 255.255.255.0
interface Vlan70
ip address 172.16.7.1 255.255.255.0
interface Vlan80
ip address 172.16.8.1 255.255.255.0
ip policy route-map ENTRIQ
interface Vlan100
ip address 192.168.27.1 255.255.252.0
ip helper-address 192.168.7.255
ip policy route-map OMNIBUS-VLAN
interface Vlan110
ip address 172.16.11.1 255.255.255.0
ip helper-address 192.168.27.200
ip policy route-map MISC
interface Vlan120
ip address 172.16.10.1 255.255.255.240
ip policy route-map EDIT_BAYS
interface Vlan140
ip address 192.168.4.15 255.255.255.0
ip directed-broadcast 10
interface Vlan500
ip address 192.168.1.19 255.255.255.224
ip classless
ip route 172.22.0.0 255.255.255.248 192.168.4.1
ip route 192.168.0.0 255.255.255.224 192.168.4.254
ip route 192.168.5.0 255.255.255.0 192.168.4.1
route-map BITCENTRAL permit 60
match ip address BITCENTRAL_INTERNET
set ip next-hop 192.168.4.1
route-map EDIT_BAYS permit 50
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map ENTRIQ permit 80
match ip address ENTRIQ
set ip next-hop 172.16.8.254
route-map MISC permit 40
match ip address MISC
set ip next-hop 192.168.4.1
route-map MSN permit 10
match ip address 104
set ip next-hop 192.168.4.1
route-map OMNEON permit 20
match ip address Omneon
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 30
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 40
match ip address ENPS
set ip next-hop 192.168.4.1
route-map ROSS-VLAN permit 70
match ip address ROSS-VLAN
set ip next-hop 192.168.4.1
route-map SEC-VLAN permit 30
match ip address SEC-VLAN
set ip next-hop 192.168.4.1
Here is how we tested the system and found the error. We cut the connection to 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the ip address of 192.168.24.101 from the MISC vlan with a ip address of 172.168.11.9 the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again. What in my route-map is causing this, I thought I setup the deny rules pretty good?Hi Mike,
Between you and me, this is a lengthy config you have there.
Next don't forget that a route-map doesn't apply to traffic originated or destined to the self-device, unless you use ip local policy in which might work, but there I have seen some nasty bugs.
So if you can shorten your config to one example, then do the tests :
- sourced from device A (it can be the SVI of another switch)
- through your 6509
- destined to device B (it also can be the SVI of another switch, or even simpler some loopback inteface). -
BGP Outbound Route-Map Question
Hi Experts,
Just need your help again. I was trying to do some lab and I came across this weird behaviour with BGP outbound route-map. The diagram is simple.
Please see attached diagram. Sorry for the very poor illustration. R6 has iBGP peering to both R4 and R1. Both R1 and R4 have eBGP peering to R5. No IGP running on any routers as well to keep things simple. There are 2 things to do.
* Create a static route for 160.1.0.0/16 pointing to Null0 on both R1 and R4 and advertise to BGP via network statement but only R5 should be able to see the 160.1.0.0/16 route. R6 should not receive it.
* Advertise R5's /32 loopback interface to BGP but ensure R6 to have that route in its routing table. Don't use next-hop-self on both R1 and R4. Don't advertise WAN link via network command.
I'll just illustrate R4 and R6 here to keep things straight forward.
R4#sh ip bgp
BGP table version is 5, local router ID is 150.1.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 150.1.5.5/32 155.1.45.5 0 0 100 i
*> 160.1.0.0 0.0.0.0 0 32768 i
R6#sh ip bgp
BGP table version is 11, local router ID is 150.1.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* i150.1.5.5/32 155.1.45.5 0 100 0 100 i
* i 155.1.0.5 0 100 0 100 i
The first task was achieved as the 160.0.0.0/16 route is not present in R6's table. I used these commands in R4.
router bgp 65000
no synchronization
bgp log-neighbor-changes
network 160.1.0.0
neighbor 155.1.45.5 remote-as 100
neighbor 155.1.146.6 remote-as 65000
neighbor 155.1.146.6 route-map R6_OUT out
no auto-summary
route-map R6_OUT deny 5
match ip address prefix-list AGGR
route-map R6_OUT permit 1000
ip prefix-list AGGR seq 5 permit 160.1.0.0/16
So with the configuration above, it is clear that R4 is hitting route-map line 5 to deny 160.1.0.0/16 being advertised to R6. I tried to remove line 5 to validate as well if the /16 route will be advertised to R6 and it did so route-map configuration above is confirmed working.
Next, advertise loopback 0 of R5 to R6 and make sure it is a valid route in BGP table without the use of next-hop-self or WAN advertisement.
I used the following configuration.
ip prefix-list R5_LINK seq 5 permit 155.1.45.5/32
route-map R6_OUT permit 10
match ip route-source R5_LINK
set ip next-hop 155.1.146.4
I inserted line 10 in between route-map 5 and 1000. So R4 would check its route table for routes with 155.1.45.5 as route-source then advertise it to R6 with next-hop address of 155.1.146.4. It worked!
R6#sh ip bgp
BGP table version is 15, local router ID is 150.1.6.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i150.1.5.5/32 155.1.146.4 0 100 0 100 i
* i 155.1.0.5 0 100 0 100 i
*>i160.1.0.0 155.1.146.4 0 100 0 i
As you can see above, 150.1.5.5 route is now a valid BGP route but surprisingly, the 160.1.0.0/16 route is there! From what I have seen, BGP skipped line 5 and started at 10. Even if I insert the same rule as line 5 and make it as line 15, it's not working. The /16 route is still being advertised. If I remove the match ip route-source clause in sequence 10 then it will withdraw the 160.1.0.0/16 route again. Looks like "match ip route-source" is not very friendly with direct filtering to BGP neighbors but I saw this being used with BGP inject-map and it worked well.
R4#sh route-map
route-map R6_OUT, deny, sequence 5
Match clauses:
ip address prefix-lists: AGGR
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map R6_OUT, permit, sequence 10
Match clauses:
ip route-source (access-lists): R5_LINK
Set clauses:
ip next-hop 155.1.146.4
Policy routing matches: 0 packets, 0 bytes
route-map R6_OUT, permit, sequence 1000
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Any thoughts why this is happening?
Thanks in advance.Hi John,
I did a small lab to test feature "match ip route-source" and it is working fine. Please check below config and output.
R4 does not have 172.16.16.0/24 and also routes for which next-hop is not 1.1.1.1. In case you still facing issue, please share output of "debug ip bgp updates out"
Topology
R1--ebgp--R3---ibgp---R4
R3#show ip b su | b Nei
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
1.1.1.1 4 100 34 36 29 0 0 00:27:37 7
4.4.4.4 4 300 9 12 29 0 0 00:04:12 0
R3#
R3#sh route-map TO-R4
route-map TO-R4, deny, sequence 10
Match clauses:
ip address prefix-lists: DENY-PREFIX
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map TO-R4, permit, sequence 20
Match clauses:
ip route-source (access-lists): 20
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R3#
R3#show ip prefix-list DENY-PREFIX
ip prefix-list DENY-PREFIX: 1 entries
seq 5 permit 172.16.16.0/24
R3#
R3#sh ip access-lists 20
Standard IP access list 20
20 permit 1.1.1.1 (25 matches)
R3#
R3#show ip b
BGP table version is 29, local router ID is 3.3.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 172.16.8.0/22 1.1.1.1 0 0 100 i
*> 172.31.13.1 20 32768 i
*> 172.16.16.0/24 1.1.1.1 0 0 100 i
*> 172.16.17.0/24 1.1.1.1 0 0 100 i
*> 172.16.19.0/24 1.1.1.1 0 0 100 i
*> 172.16.20.0/22 1.1.1.1 0 0 100 i
* 172.16.24.0/30 1.1.1.1 0 0 100 i
*> 172.31.13.1 20 32768 i
*> 172.16.80.0/22 1.1.1.1 0 0 100 i
R3#
R4#show ip b
BGP table version is 53, local router ID is 4.4.4.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
r>i172.16.17.0/24 1.1.1.1 0 100 0 100 i
r>i172.16.19.0/24 1.1.1.1 0 100 0 100 i
r>i172.16.20.0/22 1.1.1.1 0 100 0 100 i
*>i172.16.80.0/22 1.1.1.1 0 100 0 100 i
R4#
--Pls dont forget to rate helpful posts--
Regards,
Akash -
Can anyone tell me what a route map is and how they work, thanks
Carlhi
route maps are used for different purposes like policy based routing,controlling the routing updates also for number of administrative functionalities.
But the usage of route maps can be found mostly inline with PBR where the forwarding is being done based on different criterias.
Abstracts from CCO
"They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation of ACL or route-maps consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed".
"They are generic mechanismscriteria matches and match interpretation are dictated by the way they are applied. The same route-map applied to different tasks might be interpreted differently".
also check this link for more info.
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml#what
regds -
Route Map - Delete Sequence Number
Hi All,
Taking the cisco example below, which demos how to PBR.
access-list 1 permit 209.165.200.225
access-list 2 permit 209.165.200.226
interface ethernet 1
ip policy route-map Texas
route-map Texas permit 10
match ip address 1
set ip precedence priority
set ip next-hop 209.165.200.227
route-map Texas permit 20
match ip address 2
set ip precedence critical
set ip next-hop 209.165.200.228
How would i safely remove sequence number 20 from the above?
Many thanks.Hi John,
no route-map Texas 20 worked good.
thanks -
Route-map continue, in CRS RPL
Dear all,
what is the replacement for continue command in route-map for CRS IOS XR RPL ?
is it ? pass command ??
actually i had some issue matching almost 15 community attribute ingress from customer network...
and i think, is it can be done with pass command ?
like :
if community (a:a) then
action
pass
else if community (b:b) then
action
pass
end if
so, when the route contain community a:a, will get action assigned, and not yet to be forwarded, instead, will continue to run the next if, to check if the route also contain b:b community...
so with this i dont have to create almost 2^15 combination if format on RPL.
is it do able ? or is there any command that work simillar with "continue" command in route-map, if match, the route still get processed until the end of policy.
Thanks a lot,
Budi LHello Budi
Yes, the pass statement allows a policy to continue executing even though the route has not been modified. When a policy has finished executing, any route that has been modified in the policy or any route that has received a pass disposition in the policy, successfully passes the policy and completes the execution. Note, a policy does not modify route attribute values until all tests have been completed. In other words, comparison operators always run on the initial data in the route. Intermediate modifications of the route attributes do not have a cascading effect on the evaluation of the policy.
Here is the PASS example:
route-policy ak-community
if community matches-any (11:11, 44:44) then
set community (55:55) additive
pass
endif
if community matches-any (22:22) then
set community (77:77) additive
endif
end-policy
If a route contains a community 11:11 then we add 55:55 and continue. So If the same route contain 22:22 as well, we’d add another community 77:77 to the same route. Note, if we have an action (like SET here), a PASS statement is not needed and we continue with the policy.
Example 2. Here we can see nested IF. So if a route contains 11:11 then we add 55:55 and verify it further if the route has 22:22 and if so, add 77:77
route-policy ak-community
if community matches-any (11:11, 44:44) then
set community (55:55) additive
if community matches-any (22:22) then
set community (77:77) additive
endif
endif
end-policy
Example 3. In this example we add 55:55 to routes matching 11:11 or 44:44. Otherwise, if a route has 22:22, we add 77:77. Note, if a route has 11:11 AND 22:22 (or 44:44 AND 22:22) we’d add 55:55 only.
route-policy ak-community
if community matches-any (11:11, 44:44) then
set community (55:55) additive
elseif community matches-any (22:22) then
set community (77:77) additive
endif
end-policy
IF statement are flexible too. You noted we used MATCHES-ANY in the IF statement. We can use a list of different conations in one IF. For example:
If community matches-every (11:11, 22:22) or destination in (11.1.3.0/24) then
set local-preference 500
Regards,
/A -
PBR - adding a route map to an interface
Hello.
I cannot add a route-map to an interface on a C3750 stack
I have copied the switch details below
#sho ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 19:15 by nachen
Image text-base: 0x00003000, data-base: 0x01280000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEE3, RELEASE SOFTWARE (fc1)
Pleidelsheim_V1B_Core uptime is 16 hours, 43 minutes
System returned to ROM by power-on
System restarted at 22:01:48 CET Wed Mar 3 2010
System image file is "flash:/c3750-ipservices-mz.122-35.SE5.bin"
cisco WS-C3750G-24TS (PowerPC405) processor (revision P0) with 118784K/12280K bytes of memory.
Processor board ID CAT1130ZK5F
Last reset from power-on
9 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:1D:46:8C:22:80
Motherboard assembly number : 73-7058-14
Power supply part number : 341-0045-01
Motherboard serial number : CAT113059LV
Power supply serial number : PHI1114L1PJ
Model revision number : P0
Motherboard revision number : A0
Model number : WS-C3750G-24TS-E
System serial number : CAT1130ZK5F
Top Assembly Part Number : 800-22348-07
Top Assembly Revision Number : A0
Version ID : V07
CLEI Code Number : COM7700ARA
Hardware Board Revision Number : 0x09
Switch Ports Model SW Version SW Image
* 1 28 WS-C3750G-24TS 12.2(35)SE5 C3750-IPSERVICES-M
2 28 WS-C3750G-24TS 12.2(35)SE5 C3750-IPSERVICES-M
Switch 02
Switch Uptime : 16 hours, 43 minutes
Base ethernet MAC Address : 00:21:A1:2E:78:00
Motherboard assembly number : 73-7058-15
Power supply part number : 341-0045-01
Motherboard serial number : FDO121903D2
Power supply serial number : LIT121603VV
Model revision number : Q0
Motherboard revision number : A0
Model number : WS-C3750G-24TS-E
System serial number : CAT1105RGN2
Top assembly part number : 800-22348-08
Top assembly revision number : A0
Version ID : V08
CLEI Code Number : COMUJ10ARA
Configuration register is 0xF
#sho sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
When I try to add the route map
interface Vlanx
ip policy route-map xx
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map xx not supported for Policy-Based Routing
Can anyone see what could be wrong?Okay, just realised the route-map is not valid.
The settings are okay.
access-list 160 remark WIRELESS GUEST PBR FWD TRAFFIC
access-list 160 permit tcp 172.16.168.128 0.0.0.63 any
access-list 160 permit udp 172.16.168.128 0.0.0.63 any
access-list 160 permit ip 172.16.168.128 0.0.0.63 any
access-list 160 permit icmp 172.16.168.128 0.0.0.63 any
route-map GUEST_VLAN-to-WEB permit 20
description FWD REMAINING GUEST TRAFFIC TO PROXY
match ip address 160
set interface Null0
Doesn't like the set interface Null0
How else could I setup a black hole -
Route SIP REFER to SIP Trunk based on DN
Cisco UCM 9 is connected to a third-party PBX over SIP Trunk. Third-party PBX sends a SIP REFER message to Cisco UCM to call a DN on the third-party PBX. Cisco UCM responds with SIP 404 Not Found as it does not recognize the DN of the third-party PBX.
How do I configure Cisco Unified Communication Manager 9 to route this call back out over the SIP Trunk to the third-party PBX based on the DN (Not IP)?
Cisco UCM contains a route pattern 53xxx to route to SIP_Trunk_3rdParty.
Third-party PBX contains a SIP Proxy and Call Server. The call should route to the SIP Proxy IP. The SIP REFER contains "Refer-To" 53xxx@ThirdPartyCallServerIP
I added a SIP Route Pattern on CUCM to route calls for ThirdPartyCallServerIP to SIP_Trunk_3rdParty. This works in routing the call to ThirdPartyCallServerIP, however I need the call to route to 53xxx@ThirdPartySIPproxyIP for it to be successful.
Direct calls from CUCM to ThirdParty PBX 53XXX@ThirdPartySIPproxyIP are successful. SIP REFER coming into CUCM to request CUCM to call ThirdParty fail.
Any ideas on what configuration on CUCM I could try to get CUCM to route the call to thrid-party based on the SIP REFER?Thanks for the reply Vivek.
Partitions:
- ThirdPartyPBX
- CiscoEndpoints
Calling Search Space: "ThirdParty_Cisco" contain both of the above partitions.
Route Pattern 531XX and 80965 are assigned to Route Partition "ThirdPartyPBX"
Cisco UCM Main site phones are in CSS "ThirdParty_Cisco" and DN is in Route Partition "CiscoEndpoints". DN is in CSS "ThirdParty_Cisco".
Trunk "SIP_Trunk_3rdParty" - Inbound and Outbound Calls are in CSS "ThirdParty_Cisco".
Trunk SIP information has "Rerouting CSS", "Out-of-Dialog Refer CSS", and Subscribe CSS as "ThirdParty_Cisco".
Cisco continues to respond to with SIP 404 not found. CUCM does not seem to match the SIP refer to the CSS or Route partition with with 531XX route pattern.
The SIP Refer is coming from DN 80965 over the SIP Trunk from the Third-party PBX.
Perhaps I'm missing something in my CSS config?
Any other method for CUCM to match SIP Refer to a Route Pattern? -
Managing Route-Map based MPLS VPN
1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
2) Is there any MIB to get from the MIB
a) Route-maps tied to each VRF
b) What is the filter associated with each route-map?
c) Definition of each of the above filter
It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straight forward throught MplsVpn MIB.
So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
Thanks,
Suresh REach CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html -
I am unable to successfully migrate a VM from ESX (5.1) to a Hyper-V 2012 R2 host via SCVMM 2012 R2
If I copy the .vmdk and its files over to the SCVMM library server I am able to successfully convert it. So that is my workaround for now.
Here is the error I get everytime. It always seems to get at least 50% of the way through the Virtual-to-Virtual conversion step but then fails
Error (2912)
An internal error has occurred trying to contact the myrdshost.local server: : .
WinRM: URL: [http://myrdshost:5985], Verb: [INVOKE], Method: [GetProgress], Resource: [http://schemas.microsoft.com/wbem/wsman/1/wmi/root/scvmm/HttpPostDeploymentJob?InstanceID=https://myesxhost:443//folder/SIE-WEBI-02/SIE-WEBI-02.vmdkA3fdsName=PS-DATASTORE4/D:A5chyper-vA5cvmA5cSIE-WEBI-02A5cSIE-WEBI-02.vhd/]
Unknown error (0x80072f78)
Recommended Action
Check that WS-Management service is installed and running on server myrdshost. For more information use the command "winrm helpmsg hresult". If
myrdshost is a host/library/update server or a PXE server role then ensure that VMM agent is installed and running. Refer to http://support.microsoft.com/kb/2742275 for more details.I am having the exact same issue. I have tried different versions of ESXi from a base image to a fully updated. I have also played around with NIC type(1G/10G) and MTU. The only thing I haven't tried was putting the Hyper-v hosts and ESXi
hosts on the same subnet, and that will be next, just to take the routing out of the mix, after that I will mess around with the 10G driver options. Copying them over and converting local isn't an option for me as some of my virtual disks are 1TB+. I
have about 300 VM's to move.. I am fully patched on the Host side as well as the VMM 2012 R2 side.
If I find out something I will let you know. -
Hi,
what is the reason for not having any match, in the acl for the route-map?
Current configuration : 1731 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Loopback1
ip address 192.168.1.1 255.255.255.0
interface Loopback200
ip address 196.0.0.1 255.255.255.0
interface FastEthernet0/0
ip address 195.0.0.1 255.255.255.0
ip policy route-map r_teste
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 10.0.0.2 255.255.255.252
serial restart-delay 0
interface Serial1/1
ip address 172.16.0.2 255.255.255.252
serial restart-delay 0
clock rate 128000
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
router bgp 100
no synchronization
bgp log-neighbor-changes
network 192.168.0.0
network 192.168.1.0
neighbor 10.0.0.1 remote-as 200
neighbor 172.16.0.1 remote-as 300
no auto-summary
ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
access-list 40 permit any
route-map anuncia1 permit 20
match ip address 20
route-map anuncia0 permit 10
match ip address 10
route-map r_teste permit 10
match ip address 40
set ip default next-hop 10.0.0.1
control-plane
line con 0
line aux 0
line vty 0 4
login
end
R2#ping 192.168.55.1 source 195.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
Packet sent with a source address of 195.0.0.1
Success rate is 0 percent (0/5)
R2#sh access-lists
Standard IP access list 10
10 permit 192.168.0.0, wildcard bits 0.0.0.255
Standard IP access list 20
10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard IP access list 30
10 permit 195.0.0.0, wildcard bits 0.0.0.255
Standard IP access list 40
10 permit any
Extended IP access list 100
10 permit ip any 192.168.55.0 0.0.0.255
R2#
is possible without changing the bgp?
thanksDefault PBR:
All packets received on an interface (ingress) with PBR enabled are entertained, first they should match through ACL then forward to next hop. if a match is exist (through ACL) but not forward to next hop then do nothing this packet especially for ICMP packet.
I think you need Local PBR:
Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
ip local policy route-map TEST
Regards,
kazim
Maybe you are looking for
-
ITunes won't launch in windows xp - Data Execution Prevention
I have tried removing all apple programs, specifying to turn off DEP for itunes and quicktime, but still cannot run itunes due to the DEP feature.
-
Jdev 11.1.1.5 - JDK 1.6_31 I have put a dynamic region on a page with 4 taskflows defined as the regions. Each taskflow is a train. I have a bean that controls the loading (the default bean) with a load for each screen.. ie public .. myRegion1, etc..
-
Sending step in Integration Process waiting for Acknowledgement infinitely
In process I had to send an MATMAS, CLFMAS and CNPMAS. The data for this IDoc comes in one message from third party system. So, my Integration Process has receive step (to collect a data), and three send-steps (for MATMAS, for CLFMAS, for CNPMAS), on
-
Loading pdf file in flex application (not in AIR)
Hi, Could any one suggest opening pdf file within flex application with blazeds. we have used the following code to open pdf file in the same window navigateToURL( new URLRequest( "http://localhost:8080/PdfSample/jsp/PdfContent.jsp" ),"_self"); But w
-
Is there any difference , selecting particular string from left to right
hi we have a problem for selecting a string ... we selecting a string from JEditorPane .. useing JEditorPane.getselectedText(); After selecting text we adding some tags to selected text it working fine when we are selecting from right to left . when