Hi,
I need to configure ASR 9006 with this configuration.
OLD and good configuration:
access-list 199 deny ip any 186.32.128.0 0.0.31.255 log
access-list 199 deny ip any 186.32.224.0 0.0.15.255 log
access-list 199 deny ip any 190.53.48.0 0.0.15.255 log
access-list 199 deny ip any 190.53.64.0 0.0.31.255 log
access-list 199 deny ip any 190.53.76.0 0.0.3.255 log
access-list 199 deny ip any 190.53.80.0 0.0.1.255 log
access-list 199 deny ip any 190.53.92.0 0.0.3.255 log
access-list 199 permit ip any any
route-map 123456 permit 10
 match ip address 199
 set ip next-hop 144.224.115.81
interface FastEthernet1/14
 no switchport
 ip address 10.206.1.1 255.255.255.252
 ip policy route-map 123456
And my new config, but this is bad:
prefix-set XX
186.32.128.0/19,
190.53.192.0/19,
186.32.224.0/20,
190.53.48.0/20,
205.211.248.0/21,
205.211.192.0/22,
205.211.244.0/22,
205.211.218.0/23,
205.211.220.0/23,
205.211.222.0/23,
200.12.227.0/24
end-set
route-policy salida-amnet-sps-cable
  if destination in XX then
    pass
  else
    set next-hop 144.224.115.81
  endif
end-policy
!
I need to know how to apply the route-policy to the interface.
Thanks.
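Added example, not part of the original post: a Python sketch that converts the wildcard-mask entries of ACL 199 into prefix notation, flags entries already covered by a broader one, and lists those that no entry of prefix-set XX covers. The ACL lines and prefix-set entries are copied from the post above; the function names are made up for this illustration.

```python
import ipaddress

# Lines copied from ACL 199 in the post (deny = destination is not policy-routed).
IOS_ACL = """\
access-list 199 deny ip any 186.32.128.0 0.0.31.255 log
access-list 199 deny ip any 186.32.224.0 0.0.15.255 log
access-list 199 deny ip any 190.53.48.0 0.0.15.255 log
access-list 199 deny ip any 190.53.64.0 0.0.31.255 log
access-list 199 deny ip any 190.53.76.0 0.0.3.255 log
access-list 199 deny ip any 190.53.80.0 0.0.1.255 log
access-list 199 deny ip any 190.53.92.0 0.0.3.255 log
access-list 199 permit ip any any
"""
# Entries copied from prefix-set XX in the same post.
PREFIX_SET = """186.32.128.0/19 190.53.192.0/19 186.32.224.0/20 190.53.48.0/20
205.211.248.0/21 205.211.192.0/22 205.211.244.0/22 205.211.218.0/23
205.211.220.0/23 205.211.222.0/23 200.12.227.0/24""".split()

def wildcard_to_network(base, wildcard):
    """Convert 'base wildcard' to an IPv4Network; reject non-contiguous masks."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is always 2**n - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=True raises ValueError when the base has host bits set
    return ipaddress.ip_network(f"{base}/{32 - wc.bit_length()}", strict=True)

def denied_destinations(acl_text):
    """Destination networks of 'deny ip any <dst> <wildcard>' lines."""
    nets = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[2:5] == ["deny", "ip", "any"]:
            nets.append(wildcard_to_network(tok[5], tok[6]))
    return nets

def shadowed(nets):
    """Entries fully covered by another, broader entry of the same list."""
    return [n for n in nets if any(n != m and n.subnet_of(m) for m in nets)]

def uncovered(nets, prefix_set):
    """ACL networks that no prefix-set entry covers."""
    pset = [ipaddress.ip_network(p) for p in prefix_set]
    return [n for n in nets if not any(n.subnet_of(p) for p in pset)]

if __name__ == "__main__":
    nets = denied_destinations(IOS_ACL)
    print("prefix form:", ", ".join(map(str, nets)))
    print("shadowed   :", ", ".join(map(str, shadowed(nets))))
    print("not in XX  :", ", ".join(map(str, uncovered(nets, PREFIX_SET))))
```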
Hello, thank you.
We don't use mpls and we need VRF for two independent routing tables on ASR.
We are going to use ABF for routing via source address on BVI and bundle interfaces.
Is it possible?
Hello Konstantin,
I do not believe ACL-based forwarding is supported on L2 interfaces (such as a BVI) at this time: http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.1/addr_serv/configuration/guide/ipaddr_cg41a9k_chapter1.html#concept_BF68E0C2D04E420B82E1BFC36F5A0B1F
I believe support is planned for 4.3, however.
Hello Charles,
Thank you.
Do you know the announcement date of release 4.3?
WBR,
Konstantin
That would be the end of this year (2012), Konstantin. December time frame.
Regards,
xander
This is really not practical!
This is the only way to apply an ACL on an interface in global configuration mode?!
int Te
ipv4 access-group ABF in
I have 100 IP addresses that I cannot summarize and I need to set them to a single nexthop? Do I need to write it 100 times?
permit x.x.x.x nexthop y.y.y.y
permit z.z.z.z nexthop y.y.y.y
....... 100 times ?
And I also need to use those IP addresses in a route-policy, so I have to write them all over again!
At least in IOS you make an ACL, use a route-map to match the ACL (and use the ACL somewhere else if you want), set a nexthop, and then apply it to an interface.
You define the ACL globally, and you apply it to the interface on ingress.
It is indeed the case that with a route-map approach, you can reuse the ACL.
For asr9k/XR you could, instead of ABF, if you want to re-use the ACL, define the ACL as you like with route-map and then use PBR to pull that ACL into a class-map type traffic, and in the PBR control policy set a next hop there.
That might be an alternate solution similar to route-map for you.
cheers!
xander
I really appreciate your reply !
This worked perfectly!!
ipv4 access-list acl1
 permit x.x.x.x
 permit z.z.z.z
class-map type traffic class1
 match access-group ipv4 acl1
 end-class-map
policy-map type pbr policy1
 class type traffic class1
  set destination-address ipv4 y.y.y.y ( my nexthop)
end
int Te
 service-policy type pbr input policy1
Thanks again.
Oh, I forgot to mention that the PBR method is a true L3 redirect, meaning that with the set destination operation you rewrite the packet's layer 3 address.
This is nice so that on next nodes, the new destination is followed, rather than needing to redirect at every hop from the original path to destination.
On the return we can reset the source address back to the original server's address so that we did a perfect spoof.
cheers
xander