Re: Cisco access list - multihomed question

From: Chief Technology Officer-ISPKenya (cto@nbi.ispkenya.com)
Date: Mon Oct 29 2001 - 22:13:49 EST


I seem to have managed to nail it with the following:

Int e0/0
ip route-cache policy
ip policy route-map family
<snip>
!
access-list 115 permit tcp a.b.c.d 0.0.0.31 any eq www ! cache-bypass
access-list 115 permit tcp f.g.h.i 0.0.0.31 any eq www ! cache-bypass
!
access-list 116 permit ip w.x.y.z 0.0.0.127 any ! the 'net that I want to reroute
!
access-list 117 permit ip host j.k.l.m any ! My web-cache
!
route-map family permit 10
 match ip address 115
 set ip next-hop q.r.s.t ! content-filter server
!
route-map family permit 20
 match ip address 116
 set interface Serial2/0:16 ! upstream for 're-routed' net
!
route-map family permit 30
 match ip address 117
 set interface Serial0/0 ! Default for all other traffic

Thanks to all who helped!

Longwe

p.s. please critique the above composition, check it for literary value, grammar, syntax and possibly logic flow ;-)

On Mon, 29 Oct 2001 17:54:03 +1000
Philip Smith <pfs@cisco.com> wrote:

> At 10:22 29/10/2001 +0300, Brian Longwe wrote:
>
> >I already have a working PBR for our filtered internet access service
> >which goes something like:
> >
> >route-map family permit 10
> > match ip address 115
> > set ip next-hop w.x.y.z
> >
> >access-list 115 permit tcp a.b.c.d 0.0.0.127 any eq www
> >access-list 115 deny tcp any any eq www
> >
> >This takes http (port 80) traffic from net a.b.c.d and routes it to
> >w.x.y.z <my content filter> and leaves all other traffic to be routed by
> >the FIB
>
> Looks fine, you probably don't need the second line, but it does no harm...
>
> >My catch is....
> >
> >I have discovered that each interface will only take a single "ip policy
> >route-map" statement.... this means that I must combine the logic for my
> >filtered service with the logic for this new policy.... which is proving
> >to be a little tricky....
>
> ...yes, but you can stack lots of bits together in the route-map... For
> example:
>
> route-map family permit 20
> match ip address 116
> set ip next-hop a.b.c.d
>
> etc... Is this what you are trying to do?
>
> >...hopefully nothing that a strong cup of coffee can't cure
>
> Yeah, well... :)
>
> philip
> --
>
>



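An added example (not from the post, not Cisco IOS code) that models the logic flow of the route-map above so it can be checked offline: IOS wildcard-mask matching, first-match ACL evaluation with implicit deny, and sequence-ordered route-map clauses where an ACL deny or no match simply skips to the next clause and a packet matching no clause goes to normal destination-based routing. The addresses are constructed from RFC 5737 documentation ranges as stand-ins for the a.b.c.d placeholders; the "set" actions are represented as strings.

```python
"""Offline model of Cisco PBR route-map evaluation (added example, not IOS).

Imitates three behaviours the configuration in the post relies on:
  * wildcard masks (a 1 bit means "don't care"), so 0.0.0.31 is a /27;
  * ACL first-match with implicit deny at the end;
  * route-map clauses tried in sequence order, first permitting ACL wins,
    and a packet matching no clause is left to the FIB.
All addresses below are constructed stand-ins (RFC 5737 ranges)."""
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: compare only the bits the mask cares about."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL entry layout: (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port|None)
ANY = ("0.0.0.0", "255.255.255.255")

def acl_permits(entries, pkt) -> bool:
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc, dport in entries:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], src, src_wc):
            continue
        if not wildcard_match(pkt["dst"], dst, dst_wc):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action == "permit"
    return False

def policy_route(route_map, acls, pkt) -> str:
    """Walk clauses in sequence order. A deny or no match in a clause's ACL
    only skips that clause; no clause matching means normal routing ("FIB")."""
    for _seq, acl_num, set_action in route_map:
        if acl_permits(acls[acl_num], pkt):
            return set_action
    return "FIB"

# Constructed stand-ins for the placeholders used in the post.
CACHE_BYPASS_NET_A = "192.0.2.0"     # a.b.c.d with wildcard 0.0.0.31 (/27)
CACHE_BYPASS_NET_B = "192.0.2.64"    # f.g.h.i with wildcard 0.0.0.31 (/27)
REROUTED_NET = "198.51.100.0"        # w.x.y.z with wildcard 0.0.0.127 (/25)
WEB_CACHE = "203.0.113.10"           # j.k.l.m (host)
CONTENT_FILTER = "203.0.113.20"      # q.r.s.t (next-hop)
SOME_WEB_SERVER = "203.0.113.99"     # arbitrary destination

ACLS = {
    115: [("permit", "tcp", CACHE_BYPASS_NET_A, "0.0.0.31", *ANY, 80),
          ("permit", "tcp", CACHE_BYPASS_NET_B, "0.0.0.31", *ANY, 80)],
    116: [("permit", "ip", REROUTED_NET, "0.0.0.127", *ANY, None)],
    117: [("permit", "ip", WEB_CACHE, "0.0.0.0", *ANY, None)],
}
ROUTE_MAP_FAMILY = [
    (10, 115, f"next-hop {CONTENT_FILTER}"),
    (20, 116, "interface Serial2/0:16"),
    (30, 117, "interface Serial0/0"),
]

def classify(src: str, proto: str = "tcp", dport=None, dst: str = SOME_WEB_SERVER) -> str:
    """Where route-map 'family' sends a packet from src."""
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    return policy_route(ROUTE_MAP_FAMILY, ACLS, pkt)

# The earlier ACL 115 in the quoted thread ended with "deny tcp any any eq www".
# Inside a route-map match that deny behaves exactly like the implicit deny,
# which is why the reply calls the line harmless; this checks the equivalence.
ACL_115_OLD = [("permit", "tcp", CACHE_BYPASS_NET_A, "0.0.0.127", *ANY, 80),
               ("deny", "tcp", *ANY, *ANY, 80)]

def explicit_deny_is_redundant(src: str, dport: int = 80) -> bool:
    pkt = {"src": src, "dst": SOME_WEB_SERVER, "proto": "tcp", "dport": dport}
    return acl_permits(ACL_115_OLD, pkt) == acl_permits(ACL_115_OLD[:1], pkt)

if __name__ == "__main__":
    for src, proto, dport in [("192.0.2.5", "tcp", 80), ("192.0.2.5", "tcp", 443),
                              ("192.0.2.33", "tcp", 80), ("198.51.100.10", "udp", None),
                              ("203.0.113.10", "tcp", 80), ("203.0.113.50", "tcp", 80)]:
        print(f"{src:15} {proto} {dport!s:5} -> {classify(src, proto, dport)}")
```

Running it shows that only port-80 traffic from the two /27s goes to the content filter, that everything else from those hosts (e.g. port 443) falls through to the FIB rather than to clause 20 or 30, and that a host one address past the /27 boundary (192.0.2.33) is not covered by 0.0.0.31.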
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:52 EDT