Prefix-list and ACL strange behaviour. What's the difference?
Could you please explain the reason why it doesn't work:
I want to set up conditional NAT just to redirect one kind of traffic through ISP1 (10.x.x.x) and other traffic (192.168.0.0/21) to ISP2. I use a route-map with a match condition on an ACL, but it doesn't match the required traffic (the counters in the route-map don't increase). If I change the ACL match condition to a prefix-list -> the counters increase!
The second step is configuring NAT conditions:
ip nat inside source route-map ISP1 int gig0/1 overload and
ip nat inside source route-map ISP2 int gig0/1 overload
And in route-map ISP2 I use a prefix-list and it doesn't work (there are no translations in NAT); after I change the prefix-list to an ACL -> translations begin to happen.
Could you please explain the difference between the prefix-list and ACL workflows?
interface GigabitEthernet0/2
 description *** INSIDE ***
 ip address 10.1.x.x 255.255.255.192
 ip policy route-map WiFi_TO_ISP2

route-map WiFi_TO_ISP2, permit, sequence 10
  Match clauses:
    ip address prefix-lists: WiFi_Users
  Set clauses:
    ip default next-hop x.x.x.x
  Policy routing matches: 3110917 packets, 732226412 bytes   <- It works only with prefix-list!
route-map WiFi_TO_ISP2, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 78107 packets, 30482815 bytes

ip nat inside source route-map TO->ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map TO->ISP2 interface GigabitEthernet0/0 overload

route-map TO->ISP2, permit, sequence 10
  Match clauses:
    ip address (access-lists): 101   <- It's fact, but it works only with ACL!
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

#sh route-map TO->ISP1
route-map TO->ISP1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

!
ip prefix-list WiFi_Users seq 5 permit 192.168.0.0/21
!

Access-list for NATs
access-list 100 permit ip 10.x.x.x 0.255.255.255 any
access-list 101 permit ip 192.168.0.0 0.0.7.255 any