I need to configure ASR 9006 with this configuration.
OLD and good configuration:
access-list 199 deny ip any 184.108.40.206 0.0.31.255 log
access-list 199 deny ip any 220.127.116.11 0.0.15.255 log
access-list 199 deny ip any 18.104.22.168 0.0.15.255 log
access-list 199 deny ip any 22.214.171.124 0.0.31.255 log
access-list 199 deny ip any 126.96.36.199 0.0.3.255 log
access-list 199 deny ip any 188.8.131.52 0.0.1.255 log
access-list 199 deny ip any 184.108.40.206 0.0.3.255 log
access-list 199 permit ip any any
route-map 123456 permit 10
match ip address 199
set ip next-hop 220.127.116.11
ip address 10.206.1.1 255.255.255.252
ip policy route-map 123456
And my new config, but this is bad:
if destination in XX then
set next-hop 18.104.22.168
I need to know how to apply the route-policy to the interface.
Hello, thank you.
We don't use MPLS and we need VRF for two independent routing tables on ASR. We are going to use ABF for routing via source address on BVI and bundle interfaces.
Is it possible?
I do not believe ACL-based forwarding is supported on L2 interfaces (such as a BVI) at this time: http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/addr_serv/configuration/guide/ipaddr_cg41a9k_chapter1.html#concept_BF68E0C2D04E420B82E1BFC36F5A0B1F
I believe support is planned for 4.3, however.
This is really not practical!
This is the only way to apply an ACL on an interface in global configuration mode?!
ipv4 access-group ABF in
I have 100 IP addresses that I cannot summarize and I need to set them to a single nexthop? Do I need to write it 100 times?
permit x.x.x.x nexthop y.y.y.y
permit z.z.z.z nexthop y.y.y.y
....... 100 times ?
And I also need to use those IP addresses in a route-policy, so I have to write them all over again!
At least in IOS you make an ACL, use a route-map to match the ACL (and use the ACL somewhere else if you want), set a nexthop, and then apply it to an interface.
you define the acl globally, and you apply it to the interface on ingress.
it is indeed the case that with a route-map approach, you can reuse the ACL.
for asr9k/xr you could, instead of ABF, if you want to re-use the ACL, define the ACL as you like with route-map and then use PBR to pull in that ACL into a class-map type traffic and in the pbr control policy set a next hop there.
that might be an alternate solution similar to route-map for you.
I really appreciate your reply !
This worked perfectly!!
ipv4 access-list acl1
class-map type traffic class1
match access-group ipv4 acl1
policy-map type pbr policy1
class type traffic class1
set destination-address ipv4 y.y.y.y (my nexthop)
service-policy type pbr input policy1
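For the earlier question about writing 100 addresses by hand: the following is an added example, not code from the thread, that generates the body of `ipv4 access-list acl1` once so the class-map above can reference it. The addresses are constructed documentation-range values, and matching on destination (as in the old IOS ACL) is an assumption; set `as_source=True` to match on source instead.

```python
import ipaddress


def acl_lines(name, addresses, start=10, step=10, as_source=False):
    """Render an 'ipv4 access-list' body that permits the given addresses.

    Duplicate, adjacent and overlapping entries are merged first, so the
    list is as short as the address plan allows. Entries with host bits set
    (e.g. 192.0.2.5/24) raise ValueError instead of being silently widened.
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(a) for a in addresses  # strict parsing
    )
    lines = [f"ipv4 access-list {name}"]
    seq = start
    for net in nets:
        if net.prefixlen == 32:
            target = f"host {net.network_address}"
        else:
            # ACLs take a wildcard (inverse) mask, not a netmask
            target = f"{net.network_address} {net.hostmask}"
        match = f"{target} any" if as_source else f"any {target}"
        lines.append(f" {seq} permit ipv4 {match}")
        seq += step
    return lines


# Constructed sample input (RFC 5737 documentation ranges)
SAMPLE = [
    "192.0.2.10",
    "192.0.2.11",          # merges with .10 into a /31
    "198.51.100.0/25",
    "198.51.100.128/25",   # merges with the other /25 into a /24
    "203.0.113.7",
    "192.0.2.10",          # duplicate, dropped
]

if __name__ == "__main__":
    print("\n".join(acl_lines("acl1", SAMPLE)))
```
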
oh I forgot to mention that the pbr method is a true l3 redirect, meaning that with the set destination operation you rewrite the packets layer 3 address.
this is nice so that on next nodes, the new destination is followed, rather than needing to redirect at every hop from the original path to destination.
on the return we can reset the source address back to the original server's addr so that we did a perfect spoof.