Route traffic
Hi All,
We have three sites: Mumbai, Pune and Delhi.
A site-to-site tunnel is created between Mumbai and Pune,
and a tunnel between Mumbai and Delhi.
We do not have a tunnel between Delhi and Pune.
Is it possible to route the traffic of Delhi from the Mumbai site to the Pune site?
The problem is we do not want to create a site-to-site tunnel between Delhi and Pune.
Hi Jcavaraj,
Just consider a scenario with three sites: a, b and c.
a---10.0.0.0/24 net
b----20.0.0.0/24 net
c-----30.0.0.0/24 net
There is a site-to-site tunnel between a and b and between a and c, and no tunnel between b and c.
Now the requirement is that the 20 network should access the 30 network.
Please find the access-lists below.
on site a
access-list outside_2_crypto extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
access-list outside_2_crypto extended permit ip 10.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0
same-security-traffic permit intra-interface
on site b
access-list outside_4_crypto extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_4_crypto extended permit ip 20.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0
same-security-traffic permit intra-interface
on site c
access-list outside_3_crypto extended permit ip 30.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_3_crypto extended permit ip 30.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
same-security-traffic permit intra-interface
Is the configuration right? Please let me know.
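For the hub-and-spoke question above, here is an added example (my code, not from the post or from Cisco) that builds the crypto ACL entries each site needs when spoke b and spoke c reach each other by hairpinning through hub a, and checks that every tunnel's entries are the mirror image of what the peer selects. It assumes one crypto ACL per tunnel, named outside_<peer>_crypto (an assumed name), rather than the single ACL the reply uses for both of site a's tunnels; the site names and subnets are the ones from the reply.

```python
"""Added example (not from the thread): IPsec proxy identities for a
hub-and-spoke layout where spoke-to-spoke traffic hairpins through the hub,
plus a mirror check between each tunnel's two ends."""
from ipaddress import IPv4Network


def hub_spoke_proxy_ids(hub, sites):
    """sites: {site_name: cidr}. Returns {(local, peer): {(src_net, dst_net), ...}},
    the crypto ACL entries `local` needs on its tunnel to `peer`."""
    nets = {name: str(IPv4Network(cidr)) for name, cidr in sites.items()}
    ids = {}
    for spoke in nets:
        if spoke == hub:
            continue
        # From this spoke's point of view everything else is behind the hub:
        # the hub LAN and every other spoke LAN (spoke-to-spoke rides the hub tunnels).
        via_hub = {nets[n] for n in nets if n != spoke}
        ids[(hub, spoke)] = {(src, nets[spoke]) for src in via_hub}
        ids[(spoke, hub)] = {(nets[spoke], dst) for dst in via_hub}
    return ids


def mirror_mismatches(ids):
    """Entries the peer does not select in the reverse direction. These are the
    proxy-ID mismatches that make phase 2 fail or silently drop one direction."""
    problems = []
    for (local, peer), pairs in ids.items():
        reverse = {(dst, src) for src, dst in ids.get((peer, local), set())}
        for src, dst in sorted(pairs - reverse):
            problems.append(f"{local}->{peer} selects {src} -> {dst}, "
                            f"but {peer} has no {dst} -> {src} entry")
    return problems


def asa_crypto_acl(acl_name, pairs):
    """Render entries in ASA 'access-list ... extended permit ip' syntax."""
    lines = []
    for src, dst in sorted(pairs):
        s, d = IPv4Network(src), IPv4Network(dst)
        lines.append(f"access-list {acl_name} extended permit ip "
                     f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}")
    return lines


# Sites from the reply: a is the hub, b and c are spokes.
SITES = {"a": "10.0.0.0/24", "b": "20.0.0.0/24", "c": "30.0.0.0/24"}

if __name__ == "__main__":
    ids = hub_spoke_proxy_ids("a", SITES)
    for (local, peer), pairs in sorted(ids.items()):
        print(f"! on site {local}, tunnel to {peer}")
        print("\n".join(asa_crypto_acl(f"outside_{peer}_crypto", pairs)))
    print("mismatches:", mirror_mismatches(ids) or "none")
```

The mirror check is the thing to run before committing: for 20.0.0.0/24 to reach 30.0.0.0/24, site b's ACL toward a must select 20 -> 30, hub a's ACL toward b must select 30 -> 20, and the same pair must appear (reversed) on the a-c tunnel. If the hub's ACL toward b only lists 10 -> 20, the check reports the asymmetry. The script does not emit the hub's same-security-traffic permit intra-interface line or, if the hub translates outbound traffic, the NAT exemption for the spoke-to-spoke pairs; both are still needed on the hub.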
Similar Messages
-
Possible to Route Traffic Based on AVC?
Is it possible to route traffic based on the Application Visibility and Control functions that specific Cisco routers are capable of? Here's my issue: I have two ISPs. One is at about 120% utilization. The other isn't doing anything. I can specify IP routes based on IP addresses. For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic. The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook. Is there a way to route traffic based on application? I know that Palo Alto firewalls have a way to do Policy Based Forwarding based on application. I was wondering if the same was possible with AVC. Thanks for any help.
Hello.
Yes, it's possible and, actually, you have two ways:
1. use manual load-balancing between links.
2. use PfR to load-balance traffic automatically.
PS: you will also need NAT with a route-map. -
Route traffic down a specific link
I need to route traffic that is sourced from the 10.1.50.0 network down Link 1. Currently all traffic goes down Link 2. I want all traffic except the 10.1.50.0 network to still use Link 2 as primary. What would be the best approach: a static route for the 10.1.50.0 network, some type of policy map, or something else? Thanks for the help
Thanks for the reply. I created the access list and policy map from above but cannot put the policy map on the VLAN interface. The commands are there, but when I verify by looking at the interface it is not there. It is a 3750G with IP Services IOS. Any ideas? Thanks
Standard IP access list 50
10 permit 10.2.50.0, wildcard bits 0.0.0.255 log
sh route-map
route-map **VLAN250**, permit, sequence 10
Match clauses:
ip address (access-lists): 50
Set clauses:
interface GigabitEthernet2/0/1
Policy routing matches: 0 packets, 0 bytes -
How to route traffic across subnets when one NIC is a hyper-V virtual switch?
Having a bit of a problem with a hyper-V environment which does not seem to route network traffic on two different subnets between each other.
If it were a purely physical server with two NICs and a gateway set traffic would automatically be forwarded between the two different subnets.
However, when one of those NICs is a Hyper-V virtual switch this simple routing no longer seems to work and no traffic gets forwarded between subnets.
Situation is:
Hyper-V server with two NICs
NIC 1 = 192.168.0/24 - main Internal company network.
NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router
Virtualized Domain Controller.
One or two virtualized NICs as necessary
How then does traffic get routed between these two subnets? If RRAS has to be configured to do this where is the best place to do it, on the hyper-V host or on the virtualized domain controller?
Thanks,
Hi,
You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
After you enable RRAS on the Hyper-V host there will be two gateways for the different subnets.
"NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router"
The problem is here, if these VMs need to access the internet.
So these VMs cannot configure their gateway as the IP of the internal virtual switch; you may set the VM's gateway as the ADSL internet router's IP and meanwhile add a static route entry on every VM.
Please refer to the syntax:
route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
Hope this helps
Best Regards
Elton Ji
-
ASA 5510 Not able to route traffic between 2 LAN interfaces
Hi everybody,
I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT but traffic does not go from the Accounting interface to Inside. I am able to access the internet from both interfaces. Can someone point me in the right direction, since I am not an expert in Cisco but have to finish this by the end of the week?
Thank you,
Sigor
Here is my configuration:
ASA Version 8.2(2)
hostname Cisco
domain-name xxx.com
names
interface Ethernet0/0
description Outside
nameif Outside
security-level 0
ip address 101.101.101.101 255.255.240.0
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxx.com
same-security-traffic permit inter-interface
object-group service Port-10000 tcp
port-object eq 10000
object-group service Port-8080 tcp
port-object eq 8080
object-group service Port-8011 tcp
port-object eq 8011
object-group service DM_INLINE_TCP_1 tcp
group-object Port-8080
port-object eq www
group-object Port-8011
object-group service DM_INLINE_TCP_2 tcp
group-object Port-10000
port-object eq https
port-object eq www
object-group service rdp tcp
port-object eq 3389
object-group service DM_INLINE_TCP_3 tcp
group-object rdp
port-object eq ftp
object-group service DM_INLINE_TCP_4 tcp
group-object Port-10000
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
group-object Port-8011
group-object Port-8080
port-object eq www
object-group service DM_INLINE_TCP_6 tcp
group-object Port-10000
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
group-object rdp
port-object eq ftp
access-list Outside_access_in extended permit tcp any host 101.101.101.104 object-group DM_INLINE_TCP_5
access-list Outside_access_in extended permit tcp any host 101.101.101.102 object-group DM_INLINE_TCP_6
access-list Outside_access_in extended permit tcp any host 101.101.101.103 object-group DM_INLINE_TCP_7
access-list Outside_access_in extended permit tcp any host 101.101.101.106 eq smtp
access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Accounting 1500
mtu management 1500
ip local pool IPSecDHCP 192.168.80.100-192.168.80.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Accounting) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 101.101.101.104 www 192.168.10.14 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8011 192.168.10.14 8011 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8080 192.168.10.14 8080 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 10000 192.168.10.3 10000 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 https 192.168.10.3 https netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 www 192.168.10.3 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 ftp 192.168.10.17 ftp netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 3389 192.168.10.32 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.106 smtp 192.168.10.23 smtp netmask 255.255.255.255
static (Inside,Accounting) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Accounting in interface Accounting
route Outside 0.0.0.0 0.0.0.0 101.101.101.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 Inside
http 20.0.1.0 255.255.255.0 Accounting
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 32608000
crypto ipsec security-association replay disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 89.216.17.35
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 20.0.1.100-20.0.1.200 Accounting
dhcpd dns 192.168.10.19 8.8.8.8 interface Accounting
dhcpd lease 306800 interface Accounting
dhcpd domain abtscs.com interface Accounting
dhcpd enable Accounting
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy CiscoIPsec internal
group-policy CiscoIPsec attributes
dns-server value 192.168.10.30 192.168.10.19
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoIPsec_splitTunnelAcl
default-domain value xxx.com
vpn-group-policy CiscoIPsec
tunnel-group 198.226.20.35 type ipsec-l2l
tunnel-group 198.226.20.35 ipsec-attributes
pre-shared-key *****
tunnel-group CiscoIPsec type remote-access
tunnel-group CiscoIPsec general-attributes
address-pool IPSecDHCP
default-group-policy CiscoIPsec
tunnel-group CiscoIPsec ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a7c97a7a22397908ef83ca6f0065919
: end
Without diving too deep into your config, I noticed a couple of things:
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
On an ASA, traffic from a higher security-level interface to a lower one is allowed by default, but not the other way around. So, if you want to keep this config, you need an ACL on the Inside interface to allow traffic to go from level 90 to 100:
access-list Inside permit ip any any
access-group Inside in interface Inside
The ACL will permit the traffic to either interface (Outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
HTH,
John -
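To make the default rule in John's reply concrete, here is an added example (not part of the thread, and not Cisco code) that models the ASA's per-interface access decision for a new connection. The interface levels and the Accounting ACL are copied from the posted config as constructed input; the model ignores NAT, protocol and port, and only evaluates an inbound ACL on the ingress interface.

```python
"""Added example: model of the ASA default interface policy described in the
reply. An inbound ACL on the ingress interface decides when one is applied;
otherwise traffic may only flow from a higher security level to a lower one,
and between equal levels only with 'same-security-traffic permit inter-interface'.
Simplification: IP source/destination only, no NAT, no protocol or port."""
from ipaddress import ip_address, ip_network

# nameif -> security-level, from the posted config
INTERFACES = {"Outside": 0, "Inside": 90, "Accounting": 100}

# Inbound ACLs as applied in the post ('access-group Accounting in interface Accounting').
# Entries are (source network, destination network, action); first match wins.
ACLS = {
    "Accounting": [
        ("20.0.1.0/24", "192.168.10.0/24", "permit"),
        ("20.0.1.0/24", "0.0.0.0/0", "permit"),
    ],
}


def acl_decision(entries, src, dst):
    """First-match evaluation followed by the ASA's implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in entries:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"


def asa_allows(in_if, out_if, src, dst, acls=ACLS, levels=INTERFACES, same_sec_inter=True):
    """True if a new connection entering on in_if and leaving on out_if is
    forwarded. An applied inbound ACL replaces the level-based default entirely,
    so it must itself permit everything that interface is meant to reach."""
    if in_if in acls:
        return acl_decision(acls[in_if], src, dst) == "permit"
    src_lvl, dst_lvl = levels[in_if], levels[out_if]
    if src_lvl > dst_lvl:        # high -> low: permitted by default
        return True
    if src_lvl == dst_lvl:       # equal: only with same-security-traffic permit inter-interface
        return bool(same_sec_inter)
    return False                 # low -> high: denied until an ACL permits it


if __name__ == "__main__":
    # Inside (90) -> Accounting (100): nothing on Inside permits it, so it is dropped.
    print("Inside -> Accounting:",
          asa_allows("Inside", "Accounting", "192.168.10.5", "20.0.1.50"))
    # After John's fix: 'access-list Inside permit ip any any' applied in on Inside.
    fixed = dict(ACLS, Inside=[("0.0.0.0/0", "0.0.0.0/0", "permit")])
    print("Inside -> Accounting with ACL:",
          asa_allows("Inside", "Accounting", "192.168.10.5", "20.0.1.50", acls=fixed))
```

Only the direction that opens the connection needs the permit; the reply packets of an established connection are matched by the stateful inspection, which is why adding the ACL on Inside alone unblocks Inside-to-Accounting flows. Note also that applying an ACL to an interface removes that interface's implicit high-to-low permit, so the Accounting ACL in the post has to carry its own broad permit (it does, via the entry to any).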
Need to route traffic based on destination to 2 different routers
I have a 4451X that has a default route of 10.10.48.1. I have 2 other internet routers at 10.10.48.15, and 172.31.1.3.
The router at 172.31.1.3 is a VPN firewall and has a VPN to 3 specific IP networks. 172.31.252.0/24, 192.168.252.0/24, and 192.168.163.0/24.
I need the traffic headed to the 3 VPN'd networks to route to 172.31.1.3, and the remaining traffic to route to 10.10.48.15.
The source network is 172.31.0.0/23 and the gateway of the machines is 172.31.0.1.
I tried creating a PBR but the internet traffic seems to go outbound through the router's default route of 10.10.48.1 and not 10.10.48.15.
I am sure I am just missing something silly.
Here are the relevant portions of the config:
interface GigabitEthernet0/0/1
ip address 172.31.0.20 255.255.254.0
ip nat inside
ip policy route-map Test
negotiation auto
vrrp 1 ip 172.31.0.1
vrrp 1 priority 105
interface GigabitEthernet0/0/1.2
encapsulation dot1Q 2
ip address 10.10.48.12 255.255.255.224
ip nat inside
ip access-group 199 in
vrrp 1 ip 10.10.48.3
vrrp 1 priority 105
vrrp 2 priority 105
no cdp enable
ip route 0.0.0.0 0.0.0.0 10.10.48.1
ip route 0.0.0.0 0.0.0.0 172.31.1.3 2
access-list 116 permit ip 172.31.0.0 0.0.1.255 172.31.254.0 0.0.0.255
access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.252.0 0.0.0.255
access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.163.0 0.0.0.255
route-map Test permit 19
match ip address 116
continue 20
set ip next-hop 172.31.1.3
route-map Test1 permit 20
set ip next-hop 10.10.48.15
Thanks in advance.
Burton Hallman
Firstly, I'm not sure why you have two default routes if everything is meant to go via 10.10.48.1?
That aside, in terms of your PBR -
1) remove the continue statement. I don't know what it is meant to be doing, but as far as I know it has no effect with PBR
2) more importantly, your second statement is using a different route-map name, i.e. Test1, which makes it a completely different route-map, so the one applied to the interface only has the first statement in it, which is the one for VPN traffic.
Jon -
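As an added check for the two PBR mistakes Jon points out (a route-map applied under one name with its second entry defined under another, and a continue clause in a PBR route-map), here is a small lint script. It is my example, not from the thread, and the sample config is a constructed copy of the relevant lines from Burton's question; the regexes only understand the plain `ip policy route-map`, `access-list` and `route-map` forms shown there.

```python
"""Added example: lint IOS policy-based-routing config for a route-map that is
applied under one name while its entries are defined under another, a
'continue' clause inside a PBR route-map, and a match on an undefined ACL."""
import difflib
import re

# Constructed from the lines posted in the question (indentation not required).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
ip address 172.31.0.20 255.255.254.0
ip policy route-map Test
access-list 116 permit ip 172.31.0.0 0.0.1.255 172.31.254.0 0.0.0.255
access-list 116 permit ip 172.31.0.0 0.0.1.255 192.168.252.0 0.0.0.255
route-map Test permit 19
match ip address 116
continue 20
set ip next-hop 172.31.1.3
route-map Test1 permit 20
set ip next-hop 10.10.48.15
"""

CLAUSE = re.compile(r"^(match|set|continue|description)\b")


def parse(config_text):
    """Return (route-maps applied with 'ip policy', ACL names, {map: {seq: clauses}})."""
    applied, acls, maps = set(), set(), {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^ip policy route-map (\S+)$", line)
        if m:
            applied.add(m.group(1)); current = None; continue
        m = re.match(r"^access-list (\S+) ", line)
        if m:
            acls.add(m.group(1)); current = None; continue
        m = re.match(r"^route-map (\S+) (?:permit|deny) (\d+)$", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            maps.setdefault(current[0], {})[current[1]] = []
            continue
        if current and CLAUSE.match(line):
            maps[current[0]][current[1]].append(line)   # clause under the open route-map
        else:
            current = None                              # any other line ends the stanza
    return applied, acls, maps


def lint_pbr(config_text):
    applied, acls, maps = parse(config_text)
    problems = []
    for name in sorted(applied - set(maps)):
        problems.append(f"route-map {name} is applied with 'ip policy' but never defined")
    for name in sorted(set(maps) - applied):
        hint = difflib.get_close_matches(name, sorted(applied), n=1)
        suffix = f" (did you mean {hint[0]}?)" if hint else ""
        problems.append(f"route-map {name} is defined but not applied to any interface{suffix}")
    for name, seqs in sorted(maps.items()):
        for seq, clauses in sorted(seqs.items()):
            for clause in clauses:
                if clause.startswith("continue"):
                    problems.append(f"route-map {name} seq {seq}: 'continue' is a BGP "
                                    f"route-map feature and does not chain PBR entries")
                m = re.match(r"match ip address (\S+)", clause)
                if m and m.group(1) not in acls:
                    problems.append(f"route-map {name} seq {seq}: references undefined "
                                    f"access-list {m.group(1)}")
    return problems


if __name__ == "__main__":
    for problem in lint_pbr(SAMPLE_CONFIG):
        print(problem)
```

Run against the posted lines it reports that Test1 is defined but never applied (suggesting Test) and flags the continue clause; renaming the second stanza to `route-map Test permit 20` leaves only the continue warning.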
Hi all,
My WRE54G version 2 cannot route the WiFi traffic to my Belkin router after setup. The setup was made by connecting the WRE54G directly to the Belkin router with the following configuration, using the web configuration tool on the WRE54G.
WRE54G
Name: Linksys WRE54G
IP address: 192.168.1.150
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
Mode: Mixed
Channel: 10
SSID: 54Home
Wireless Security: Enable
Belkin Router
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
DHCP Address range: 192.168.1.2 - 192.168.1.100
Mode: Mixed
SSID: 54Home
The WEP settings of both the Belkin router and the WRE54G are the same.
Both the link and activity LEDs on the WRE54G are lit blue.
When connecting the WRE54G with a UTP wire, I can ping the WRE54G from my notebook over a wired connection to the Belkin, and I can use the web interface to configure the WRE54G. When removing the wire to the WRE54G, the notebook cannot ping the WRE54G.
When I test the WRE54G with a wireless connection, my notebook cannot get an IP address and needs one assigned manually. After using the manual IP, the notebook can reach the WRE54G, but not the Belkin router, nor any connection to the internet.
However, if I disable the wireless network of the notebook and connect it directly to the router with a UTP wire, the router works fine. If I switch off the WRE54G and change the notebook to DHCP, it connects back to the Belkin router and internet connectivity is also fine.
It seems that the WRE54G does not talk to the Belkin on the WiFi traffic. Has anyone encountered the same problem, and found a solution?
Thanks in advance
Davis
Make sure that the wireless settings are the same as on the wireless router; also check the IP settings on the range extender, which should be in the range of the router. If all settings are fine and you are still not able to ping the Range Extender when wireless, disable the firewall on the laptop for a few seconds and try to ping the Range Extender. If not, in such a case upgrade the firmware of the Range Extender; after the upgrade, reset and reconfigure the router.
-
Unknown network traffic / router traffic monitoring
So I got a new PC with Windows 7 on it, and I installed this gadget that monitors network traffic, and it shows a lot of traffic that my local PC isn't showing, so I am thinking there is something running on the LAN that I can't see. I was looking for a live, better program to monitor the Actiontec router for traffic. Does anyone know of anything that can maybe show me who is using all the bandwidth on my network?
I have found software for Linksys, but nothing for the Actiontec.
Thanks,
Quasimodem
Fios in Florida
Keep in mind that when looking at Wireshark (sniffer) software there are different types of traffic:
Unicast
Broadcast
Multicast
Unicast is traffic between two devices. You will see the traffic between the PC with Wireshark and another device on your local network such as a printer, another PC or the router. You should not see traffic between another PC and the Internet, for example. Using a phone as an example, someone calls you and the conversation is between you and the person on the other end of the phone. This is unicast traffic. Using the defaults of the Actiontec, the IP address seen will be 192.168.1.1 for the router and 192.168.1.2-99 for devices on your network. If you have the TV service, 192.168.1.100-1xx is used for the cable boxes.
Broadcast traffic is traffic sent to all devices. It's not directed toward a particular PC but rather usually looking for information. In a sniffer trace you will see broadcast traffic. Going back to the phone example, someone making an announcement on an overhead intercom system is broadcast traffic. Broadcast traffic will be seen as 192.168.255.255.
Multicast traffic is traffic from one device for many devices, usually used in video feeds. Using the phone system as an example, someone wishes to tell a group of people something, so instead of calling each person up and telling them, each person who wants the information joins a conference bridge. Anyone is allowed to listen but only those that wish to get the information receive it. That is generally how multicast works. Multicast traffic will be seen as IP address 224.x.x.x or something of the sort, where the address will be 2xx.x.x.x.
I hope this makes sense. Probably more information than you needed but at least it will help you understand what wireshark is telling you. -
1 server, 2 networks: how to route traffic to both
Hi, I have NW65SP7.
What I'm trying to do is:
1. have users come in through the data network (192.168.0.0) and the traffic go back out through the default gateway (192.168.0.1), and
2. have LDAP traffic go in through the other network (10.1.0.0) and back out through the same network's gateway (10.1.0.1).
1. works fine and all seems to go up and down the right network; however 2. comes down 10.1.0.0 and back out through the default gateway on 192.168.0.1. I don't/can't have this, as the firewall rejects the packet because the source and destination networks are different, i.e. the FW sees the packet come in through 10.1.0.0 but when the server sends it back out through 192.168.0.0 the firewall rightly drops it.
How do I get 2. to work as I want? Can this even be done on NW?
What I've done so far is:
a. enabled Static Routing
b. created a default route (192.168.0.1) with a metric of 2
c. created a network route for 10.1.0.0 (10.1.0.1) with a metric of 1
"Thorsten Kampe" <[email protected]> wrote in message
news:[email protected]...
>* Steven Lim (Mon, 08 Dec 2008 01:57:27 GMT)>
>> ok I'll try again but I thought that I did explain it so I'm not sure how my second attempt will go ;)
>
> Is the NetWare server the router? Which addresses do the server's
> interfaces have? Which default gateway do the hosts in the network have?
> Any static routes?
No, the NetWare server is not the router.
The server has 1 interface but two VLANs trunked to the one interface; each VLAN has a separate IP. I can ping each IP on each of the trunked VLANs fine. I'm using Broadcom Q57 NICs and the QASP/BASP advanced driver to support the trunked VLANs. Don't let that confuse the issue though; it's basically the same as having two NIC interfaces connected to two separate networks, in this case let's say 192.168.0.10 and 10.0.0.10.
Just so we're on the same page, we have a very large routed network with over 250 subnetworks, with 4 10G interconnected core routers each with 10G distribution routers; building/user/server networks hang off the distribution routers. Client machines are distributed across the network and are not on the same VLAN/subnet as the servers.
A server on 192.168.0.0 will have a default gateway of 192.168.0.1 and servers on 10.0.0.0 will have a default gateway of 10.0.0.1; there are no client machines on these subnets. BTW, we don't really have a 192.168.0.0 network, I'm just using this as an example.
The NW server has 1 static route configured as the default gateway on 192.168.0.1, and I've been trying to work out how to configure another static route to make sure that all incoming and outgoing traffic for 10.0.0.0 stays on 10.0.0.0, or whatever else I need to do to get it working.
>> i have two networks 192.168.0.0 and 10.0.0.0
>>
>> 1. I want all traffic that originates from 192.168.0.0 to go back thru
>> the
>> 192.168.0.0 gateway on 192.168.0.1 (currently the default gateway
>> configured
>> in inetcfg static routing table).
>
> In case the NetWare server is the router you only have to enable routing
> - the server's default gateway is completely irrelevant for that. Of
> course the hosts in the networks have to have the router as the default
> gateway (or a static route).
Clients are fine; let's say that they are on 192.168.1.0 to 192.168.255.0 and they have default gateways on their subnets that go through x.x.x.1 (e.g. a 192.168.1.0 machine will have a default gateway of 192.168.1.1 and a 192.168.2.0 machine will have a default gateway of 192.168.2.1, etc.)
>> 2. I want all ldap traffic, in my case this will be ldap port 389 and
>> 636,
>> that originates from network 10.0.0.0 to go back thru the gateway
>> 10.0.0.1.
>
> Routing is not (application) protocol specific. You can either route all
> IP packets or none a certain route. Please have a look at the routing
> table of your computer to see what I mean.
Yes, I understand that routing is not application/protocol specific.
When you say "have a look at the routing table" I assume you mean the NetWare server. I've done that using TCPCON; I can see the issue, just not sure how to get it to do what I want.
> Also what you might want is called source routing[1] and this is mostly
> blocked because it opens a huuuuge security hole.
>
>> This is required because the firewall requires that if a response is
> to go
>> out to a client then then it must go out over the same network that it
>> originated from. This is the part that's not currently working. At the
>> moment the query comes in from 10.0.0.0 and the response tries to goes
>> out
>> via the deafult gateway on 192.168.0.1 the firewall blocks the outgoing
>> traffic....basic stuff!!!
>
> I wonder where and how you put that firewall if you have only two
> subnets and one router. Is this Bordermanager on the NetWare server?
See above re. the network. The firewalls are blades within the core routers and support virtual firewalls that can be applied to any part of the distribution/access layer of the network.
Does that make any more sense???
> Thorsten
> [1] http://en.wikipedia.org/wiki/Source_routing -
Policy based routing on VRF interfaces to route traffic through TE Tunnel
Hi All,
Is there a method to do policy based routing on VRF interfaces and route data traffic through one TE tunnel and non-data traffic through another TE tunnel.
The tunnel is already build up with these below config
interface Tunnel25
ip unnumbered Loopback0
tunnel destination 10.250.16.250
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng path-option 10 explicit name test
ip explicit-path name test enable
next-address x.x.x.x
next-address y.y.y.y
router ospf 1
mpls traffic-eng router-id Loopback0
mpls traffic-eng area 0
mpls traffic-eng tunnels
interface GigabitEthernet5/2
mpls traffic-eng tunnels
mpls ip
Is there additional config needed to make this work? Also, at the destination end, for the return traffic we want to use the normal path, I mean a non-TE tunnel.
We tested with the above scenario but couldn't reach the destination. Meanwhile we had a question: when the packet uses the policy map on ingress, it may not know the association with the VRF (is that right? If so, how do we make it happen?)
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian Natarajan
Hi Anantha!
I might not be the right person to comment on your first question. I have not configured MVPNs yet and am not very comfortable with the topic.
But I am sure that if you read through the CBTS doc thoroughly, you might be able to derive the answer yourself. One thing I notice is that "a tunnel will be selected regularly according to the routing process (even if it is CBTS enabled). From the tunnels selected using the regular best-path selection, the traffic is mapped to a particular tunnel in the group if a specific class is mapped to that tunnel."
So a master tunnel can be the only tunnel between the 2 devices over which the routing (BGP next hops) is exchanged, and all other tunnels can be members of this tunnel. So your RPF might not fail.
You might have to explore this a bit more and read about the co-existence of multicast and TE. This will be the same as that.
For your second question, the answer would be easy:
If you want a specific EoMPLS customer to take a particular tunnel/path, just create a separate pair of loopbacks on the PEs. Make the loopback learnt on the remote PE through the tunnel/path that you want the EoMPLS to take. Then establish the xconnect with this loopback. I am assuming that your question is that a particular EoMPLS session should take a particular path.
If you meant that certain traffic from the same EoMPLS session should take a different path/tunnel, then CBTS will work.
Regards,
Niranjan -
VRF-Lite on one 6509; How to route traffic from global to VRF.
To anyone that can lead me in the right direction:
I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...
Hello,
You need to use a static route in both directions: one static in the VRF table pointing to the global interface, and another one in the global table pointing to the VRF interface for the return traffic. After that, you can redistribute the global static route into EIGRP for end-to-end connectivity!
Example:
Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
interface G0/1
IP address 1.1.1.1 255.255.255.0
interface G0/2
ip vrf forwarding X
ip address 2.2.2.2 255.255.255.0
Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
configure this: (ip route vrf X y.y.y.y y.y.y.y.y G0/1 Global)
Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
You Can then redistribute the Global static into the Eigrp as below:
router Eigrp 1
no auto summary
redistribute static metric 1 1 1 1 1
HTH
Mohamed -
Using Xserve to route traffic between LANs
A couple of years ago Camelot posted a response on how to set up an Xserve to route network traffic between the Xserve's internal NICs (http://discussions.apple.com/thread.jspa?threadID=1193839&tstart=127). In that situation, both LANs were 192.168.x.x. Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work? Addresses on the 172.16 are dished out from a Cisco PIX501 which I don't control. The Xserve has a fixed IP of 172.16.128.241 (DHCP with manual address) on en0. The 192.168 LAN is on en1 and the XServe does the DHCP for that side. NAT is on with IP forwarding. I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
Xserve is running Server 10.5.4
> Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work?
You can route between any connected networks. There doesn't have to be any common element in the IP address subnets.
> I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
You say you're running NAT on this system. NAT is not needed (or, in fact, desired) since it's designed for one way traffic (e.g. traffic from LAN 1 is translated to an address in LAN2 before forwarding). To have traffic flow the other way you need to setup port forwarding, which isn't practical for a large number of machines.
My earlier suggestion doesn't suggest enabling NAT at all, just IP Forwarding. IP Forwarding should work both ways provided the relevant devices in each LAN know where to route the traffic (e.g. devices in the 192.168.x.x LAN need to have a route that sends traffic for 172.16.x.x to the 192.168.x.x address of the XServe). -
NM-16ESW - adding a switch into a 3725 router slot - can i route traffic out of the switch ?
Hi all,
I have added the above module (16 switch port) into my router.
R16#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset administratively down down
FastEthernet1/1 unassigned YES unset administratively down down
FastEthernet1/2 unassigned YES unset administratively down down
FastEthernet1/3 unassigned YES unset administratively down down
FastEthernet1/4 unassigned YES unset administratively down down
FastEthernet1/5 unassigned YES unset administratively down down
FastEthernet1/6 unassigned YES unset administratively down down
FastEthernet1/7 unassigned YES unset administratively down down
FastEthernet1/8 unassigned YES unset administratively down down
FastEthernet1/9 unassigned YES unset administratively down down
FastEthernet1/10 unassigned YES unset administratively down down
FastEthernet1/11 unassigned YES unset administratively down down
FastEthernet1/12 unassigned YES unset administratively down down
FastEthernet1/13 unassigned YES unset administratively down down
FastEthernet1/14 unassigned YES unset administratively down down
FastEthernet1/15 unassigned YES unset administratively down down
Vlan1 unassigned YES unset up down
R16(config-if)#int fa1/0
R16(config-if)#ip address 192.168.10.1 255.255.255.0
% IP addresses may not be configured on L2 links.
R16(config-if)#
q1) Not being able to set an IP on the interface as shown above, I would believe it really is a switch port. Is there any way I can see what kind of port an interface is or can be (switch port, routed port, etc.), or whether it is an L2 or L3 switch?
q2) In that case, since the switch is already inside the router, how do I route L3 traffic out of the switch?
Assuming fe0/1 on the router is the interface connected to the external network,
and 2 workstations attached to the switch ports fe1/1 and fe1/2, how can I set their gateway to point to fe0/1's IP? Can fe0/1 be connected to fe1/0 internally?
Regards,
Noob
Hi KOE SIZE JIE,
q1) I tried the no switchport command on the 16-switch-port module and it works. I can set an IP on the switch port. But according to Liam, it is an L2 switch; how come we can issue the no switchport command?
As Bilal pointed out, I was mistaken you can issue the "no switchport" for a L3 routed port on that specific module.
q2) It is said that on an L2 switch only 1 SVI can be connected (for management purposes only) and an L2 switch is not able to do routing. With the L2 switch module inserted into the router, will the SVI be able to do routing then?
I believe this goes back to what Bilal was saying about limited functionality on the EtherSwitch. I will have to play with one in GNS3 to give you a solid answer.
But I think what it is trying to say is... You cannot use SVI's for inter-vlan routing. You can only have a single SVI for management purposes.
q3) Liam, you mentioned earlier that fa0/0 is pointing to some network. Is fa0/0 in the same router as the 16-switch-port module?
ip route 10.10.10.0 255.255.255.0 192.168.1.254 -- this command seems to be saying: to access the 10.10.10.0 network, please go to the next-hop IP 192.168.1.254 (but again, you are setting this next-hop IP on the current router interface itself) - did I get anything wrong?
I have read back my post and this reads wrong.
When I showed you the code snippet, 192.168.1.254 would be the interface on the next-hop router, not the router you are issuing the ip route command on. You would also need an IP address on the router interface directly connected to the next-hop router, i.e. 192.168.1.253.
You will not then receive that error. Sorry about that, my sloppy config without a diagram!
HTHs,
Liam -
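An added configuration example, not Liam's or any other poster's, that puts the three answers above into one working snippet: how to see whether a port is a switch port or a routed port (q1), an uplink with the router's own address on the link and a static route whose next hop is the other router (q3), and a default gateway for the two workstations on fe1/1 and fe1/2 (q2). The addresses 192.168.1.253/.254, 10.10.10.0/24 and 192.168.10.1 are taken from the thread; the VLAN 1 SVI as host gateway, the default route and the interface descriptions are assumptions.

```cisco
! q1: tell a switch port from a routed port. A switch port reports its operational
! mode here; a port converted with "no switchport" reports "Switchport: Disabled".
! show interfaces FastEthernet1/0 switchport

! q3: the uplink. The router must own an address on the shared link BEFORE a next hop
! on that link is usable; 192.168.1.253 is this router, 192.168.1.254 the far router.
interface FastEthernet0/1
 description uplink to next-hop router (192.168.1.254)
 ip address 192.168.1.253 255.255.255.0
 no shutdown
!
! Next hop is always the other device's address on the connected subnet, never our own.
ip route 10.10.10.0 255.255.255.0 192.168.1.254
! Assumption: everything else also leaves via the uplink.
ip route 0.0.0.0 0.0.0.0 192.168.1.254

! q2: the workstation ports stay layer 2 in VLAN 1; hosts are NOT pointed at fe0/1.
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 1
 no shutdown
!
interface FastEthernet1/2
 switchport mode access
 switchport access vlan 1
 no shutdown
!
! The Vlan1 SVI is the hosts' default gateway. Assumption to verify in the lab:
! the module hands SVI traffic to the router's own routing process, which then
! forwards it out fe0/1 using the static routes above.
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 no shutdown
```

The workstations get 192.168.10.x addresses with gateway 192.168.10.1; `show ip route` on the router should list 192.168.10.0/24 as connected via Vlan1 and 10.10.10.0/24 as a static via 192.168.1.254, and the far router needs a return route for 192.168.10.0/24 pointing at 192.168.1.253 or replies will never come back.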
Incoming and Outgoing router traffic
Hi everybody,
What exactly is the concept of incoming and outgoing traffic at one particular router interface? Can outgoing traffic be considered as the traffic forwarded from that interface to another interface?
Cheers
Aditya Naidu
Imagine an interface has two doors.
|| interface ||
thus packet flowing towards the interface would be considered "in",
--> || interface || <--
alternatively, packet flowing the opposite direction would be considered "out",
<-- || interface || -->
now, let have a look at the router with 2 interfaces.
|| interface 1 || -- routing process -- || interface 2 ||
packet originated from subnet connected to interface 1 destined for the subnet connected to interface 2:
--> || interface 1 || --> --> || interface 2 || -->
in other words,
the packet firstly flows "in" interface 1, "out" interface 1, "in" interface 2, and finally "out" interface 2. -
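An added configuration example, not part of the reply above, showing why the "in"/"out" distinction matters in practice: the same transit flow from the subnet on interface 1 to the subnet on interface 2 is filtered once on the way "in" to interface 1 and once on the way "out" of interface 2, and the two placements do not behave the same. Interface names and addresses are assumptions for the example.

```cisco
! Hosts in 10.1.1.0/24 behind Gi0/0, servers in 10.2.2.0/24 behind Gi0/1.
! A packet 10.1.1.10 -> 10.2.2.20 travels: in Gi0/0 -> routing process -> out Gi0/1.

! Placement A: filter on the way "in" to interface 1.
! The packet is dropped before the routing process sees it, so it can reach neither
! another interface nor the router's own addresses (a useful property for hardening).
ip access-list extended FROM-HOSTS-IN
 deny   tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 23
 permit ip 10.1.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group FROM-HOSTS-IN in

! Placement B: filter on the way "out" of interface 2.
! Only transit traffic is checked here; packets the router generates itself
! (its own telnet sessions, SNMP traps, routing updates) never hit an outbound ACL.
ip access-list extended TO-SERVERS-OUT
 deny   tcp any 10.2.2.0 0.0.0.255 eq 23
 permit ip any any
!
interface GigabitEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 ip access-group TO-SERVERS-OUT out

! Verify which door the packet was stopped at: only the ACL that saw the packet
! increments its match counter.
! show ip access-lists FROM-HOSTS-IN
! show ip access-lists TO-SERVERS-OUT
! show ip interface GigabitEthernet0/0 | include access list
```

With both lists applied, a telnet attempt from 10.1.1.10 is counted by FROM-HOSTS-IN and never reaches TO-SERVERS-OUT; remove the inbound list and the same attempt is counted on the outbound one instead. Telnet from the router itself to 10.2.2.20 still succeeds in placement B, which is the usual reason to prefer inbound filtering at the ingress interface.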
Routing traffic using 2 interfaces
My question is: what's the best solution for routing internet traffic out one interface and production/management traffic out another interface, using a Cisco ISR 2900?
You can use PBR.
Here are 2 documents with examples:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr_ps1835_TSD_Products_Configuration_Guide_Chapter.html
https://supportforums.cisco.com/docs/DOC-1634
HTH
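An added PBR example for the question above, not taken from the linked Cisco documents or from the reply: internet-bound traffic is steered to one next hop and production/management traffic to another, with a reachability check so that traffic falls back to the routing table if the internet next hop dies instead of being black-holed. The topology (LAN on Gi0/0, internet on Gi0/1, production link on Gi0/2), the 192.168.50.0/24 LAN, the 10.0.0.0/8 production range and the documentation-range next hops are assumptions for the example.

```cisco
! Assumed topology:
!   Gi0/0  LAN            192.168.50.0/24 (PBR is applied here, on the ingress side)
!   Gi0/1  internet link  next hop 203.0.113.1
!   Gi0/2  production/mgmt link  next hop 198.51.100.1

! 1. Classify. Match on source AND destination so that only our own LAN's traffic is
!    policy-routed; spoofed or unexpected sources fall through to the routing table.
ip access-list extended MGMT-PROD
 permit ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
!
ip access-list extended INTERNET
 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.50.0 0.0.0.255 any

! 2. Track the internet next hop so PBR can tell whether it is alive.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability

! 3. Route-map. Clauses are evaluated in sequence order; the first match wins.
route-map SPLIT-EGRESS permit 10
 match ip address MGMT-PROD
 set ip next-hop 198.51.100.1
!
route-map SPLIT-EGRESS permit 20
 match ip address INTERNET
 ! If track 1 is down, this set is skipped and the packet is routed normally.
 set ip next-hop verify-availability 203.0.113.1 10 track 1
!
! Traffic matching neither clause is not policy-routed and follows the routing table.

! 4. Apply on the interface the traffic arrives on ("in"), never on the egress side.
interface GigabitEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 ip policy route-map SPLIT-EGRESS

! Verify: per-clause match counters and the tracked object's state.
! show route-map SPLIT-EGRESS
! show track 1
```

`show route-map SPLIT-EGRESS` reports "Policy routing matches" per clause, which is the quickest way to see that the ACLs classify the way you expect before you rely on the split in production. Return traffic is not affected by PBR, so both upstream devices still need routes back to 192.168.50.0/24.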