Friday, October 5, 2012

VLAN Access Control Lists (VACLs)

Use a VACL to filter traffic within a VLAN

! Extended ACL 100: ICMP from host 10.10.10.1 to host 10.10.10.2
! (the source needs the "host" keyword or a wildcard mask)
access-list 100 permit icmp host 10.10.10.1 host 10.10.10.2

! Sequence 10 forwards traffic permitted by ACL 100; sequence 20 has no
! match clause, so it matches and drops everything else
vlan access-map VACL 10
 action forward
 match ip address 100
vlan access-map VACL 20
 action drop
! Apply the map to VLAN 11
vlan filter VACL vlan-list 11
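To make the evaluation order concrete, here is an added example (not IOS code and not from the original post) that models how a VLAN access-map is walked: entries are tried in sequence order, an entry whose ACL permits the packet decides the action, an entry with no match clause matches everything, and a packet that reaches the end is dropped. The `make_acl`, `acl_permits` and `vacl_action` helpers and the CIDR-based representation are assumptions of this model.

```python
import ipaddress

# Constructed model of VLAN access-map evaluation (added example, not IOS code).

def make_acl(entries):
    """entries: list of (action, proto, src_cidr, dst_cidr)."""
    return [(a, p, ipaddress.ip_network(s), ipaddress.ip_network(d))
            for a, p, s, d in entries]

def acl_permits(acl, proto, src, dst):
    """Extended-ACL style first-match check with the implicit deny at the end.
    'ip' in an entry matches any protocol."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d in acl:
        if p in ("ip", proto) and src_ip in s and dst_ip in d:
            return action == "permit"
    return False  # implicit deny: the packet does not "match" this ACL

def vacl_action(access_map, acls, proto, src, dst):
    """access_map: list of (sequence, action, acl_name_or_None).
    A sequence with no ACL matches every packet. Returns 'forward' or 'drop'."""
    for _seq, action, acl_ref in sorted(access_map):
        if acl_ref is None or acl_permits(acls[acl_ref], proto, src, dst):
            return action
    return "drop"  # nothing matched: the VACL drops the packet

# The VACL from this post, with the access-map referencing ACL 100.
ACLS = {"100": make_acl([("permit", "icmp", "10.10.10.1/32", "10.10.10.2/32")])}
VACL = [(10, "forward", "100"), (20, "drop", None)]

if __name__ == "__main__":
    for proto, s, d in [("icmp", "10.10.10.1", "10.10.10.2"),
                        ("icmp", "10.10.10.2", "10.10.10.1"),
                        ("tcp", "10.10.10.1", "10.10.10.2")]:
        print(proto, s, "->", d, "=>", vacl_action(VACL, ACLS, proto, s, d))
```

The second sample packet is the point worth checking on a real switch: the ACL only permits 10.10.10.1 to 10.10.10.2, so the echo reply in the other direction falls through sequence 10 (the ACL does not match it) and hits the catch-all drop in sequence 20. A ping from .1 to .2 therefore goes unanswered unless a return entry is added to the ACL.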




Thursday, October 4, 2012

Multi-VRF Selection Using Policy-Based Routing (PBR)


Prerequisites for Multi-VRF Selection Using Policy-Based Routing (PBR)

The router must support policy-based routing (PBR) in order for you to configure this feature. For platforms that do not support PBR, use the Directing MPLS VPN Traffic Using a Source IP Address feature.
A VRF must be defined before you configure this feature. An error message is displayed on the console if no VRF exists.

Restrictions for Multi-VRF Selection Using Policy-Based Routing (PBR)

All commands that aid in routing also support hardware switching, except for the set ip next-hop verify availability command, because Cisco Discovery Protocol information is not available in the line cards.
Protocol Independent Multicast (PIM) and multicast packets do not support PBR and cannot be configured for a source IP address that is a match criterion for this feature.
The set vrf and set ip global next-hop commands can be configured with the set default interface, set interface, set ip default next-hop, and set ip next-hop commands. But the set vrf and set ip global next-hop commands take precedence over the set default interface, set interface, set ip default next-hop, and set ip next-hop commands. No error message is displayed if you attempt to configure the set vrf command with any of these set commands.
The Multi-VRF Selection Using Policy-Based Routing (PBR) feature cannot be configured with IP prefix lists.
The set global and set vrf commands cannot be simultaneously applied to a route map.
The Multi-VRF Selection Using Policy-Based Routing (PBR) feature supports VRF-lite; that is, only IP routing protocols run on the router. Multiprotocol Label Switching (MPLS) and VPN cannot be configured.






Wednesday, October 3, 2012

IP CEF load balancing test




 33.33.33.33           -      f0/13    -           55.55.55.55
                     - R1 -                     - R2 -  
 44.44.44.44           -      f0/15    -            56.56.56.56


R1 = IPT-LAB-SWITCH
R2 = C3560-48


R1 is in an OSPF totally stubby area and receives two default routes from R2:

IPT-LAB-SWITCH#sh ip route ospf
O*IA 0.0.0.0/0 [110/2] via 10.0.15.5, 00:35:24, FastEthernet0/15
               [110/2] via 10.0.13.5, 00:35:24, FastEthernet0/13





IPT-LAB-SWITCH#sh ip cef exact-route 33.33.33.33 55.55.55.55
33.33.33.33 -> 55.55.55.55 => IP adj out of FastEthernet0/13, addr 10.0.13.5
IPT-LAB-SWITCH#sh ip cef exact-route 44.44.44.44 55.55.55.55
44.44.44.44 -> 55.55.55.55 => IP adj out of FastEthernet0/13, addr 10.0.13.5
IPT-LAB-SWITCH#sh ip cef exact-route 33.33.33.33 56.56.56.56
33.33.33.33 -> 56.56.56.56 => IP adj out of FastEthernet0/15, addr 10.0.15.5
IPT-LAB-SWITCH#sh ip cef exact-route 44.44.44.44 56.56.56.56
44.44.44.44 -> 56.56.56.56 => IP adj out of FastEthernet0/15, addr 10.0.15.5



R2 has specific routes from R1

C3560-48#sh ip route ospf
     33.0.0.0/32 is subnetted, 1 subnets
O       33.33.33.33 [110/2] via 10.0.15.3, 00:33:41, FastEthernet0/15
                    [110/2] via 10.0.13.3, 00:33:41, FastEthernet0/13
     44.0.0.0/32 is subnetted, 1 subnets
O       44.44.44.44 [110/2] via 10.0.15.3, 00:33:41, FastEthernet0/15
                    [110/2] via 10.0.13.3, 00:33:41, FastEthernet0/13

C3560-48#sh ip cef exact-route 56.56.56.56 33.33.33.33
56.56.56.56 -> 33.33.33.33 => IP adj out of FastEthernet0/13, addr 10.0.13.3
C3560-48#sh ip cef exact-route 56.56.56.56 44.44.44.44
56.56.56.56 -> 44.44.44.44 => IP adj out of FastEthernet0/13, addr 10.0.13.3
C3560-48#sh ip cef exact-route 55.55.55.55 33.33.33.33
55.55.55.55 -> 33.33.33.33 => IP adj out of FastEthernet0/13, addr 10.0.13.3
C3560-48#sh ip cef exact-route 55.55.55.55 44.44.44.44
55.55.55.55 -> 44.44.44.44 => IP adj out of FastEthernet0/13, addr 10.0.13.3


R1 seems to be load balanced between the links, but R2 is NOT???

After changing the load-sharing algorithm on R2:
C3560-48(config)#ip cef load-sharing algorithm universal FFFFFFFF


C3560-48#sh ip cef exact-route 55.55.55.55 33.33.33.33
55.55.55.55 -> 33.33.33.33 => IP adj out of FastEthernet0/13, addr 10.0.13.3
C3560-48#sh ip cef exact-route 55.55.55.55 44.44.44.44
55.55.55.55 -> 44.44.44.44 => IP adj out of FastEthernet0/15, addr 10.0.15.3
C3560-48#sh ip cef exact-route 56.56.56.56 44.44.44.44
56.56.56.56 -> 44.44.44.44 => IP adj out of FastEthernet0/15, addr 10.0.15.3
C3560-48#sh ip cef exact-route 56.56.56.56 33.33.33.33
56.56.56.56 -> 33.33.33.33 => IP adj out of FastEthernet0/13, addr 10.0.13.3

ip cef load-sharing algorithm

To select a Cisco Express Forwarding (CEF) load balancing algorithm, use the ip cef load-sharing algorithm command in global configuration mode. To return to the default universal load balancing algorithm, use the no form of this command.

ip cef load-sharing algorithm {original | tunnel [id] | universal [id]}
no ip cef load-sharing algorithm {original | tunnel [id] | universal [id]}

original: Sets the load balancing algorithm to the original algorithm, based on a source and destination hash.
tunnel: Sets the load balancing algorithm for use in tunnel environments or in environments where there are only a few IP source and destination address pairs.
universal: Sets the load balancing algorithm to the universal algorithm, which uses a source and destination, and ID hash.
id: (Optional) Fixed identifier.

Monday, October 1, 2012

Policy based routing


Note The set ip next-hop and set ip default next-hop are similar commands but have a different order of operations. Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table. Configuring the set ip default next-hop command causes the system to use the routing table first and then policy route the specified next hop.

http://www.cisco.com/en/US/docs/ios/12_3/iproute/command/reference/ip2_s1g.html#wp1037892
Policy-Based Routing Using the set ip default next-hop and set ip next-hop Commands Configuration Example
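The order-of-operations difference in the note is easy to misread, so here is an added example (my own model, not the author's configuration and not Cisco code) that plays both variants against a small routing table. The routing table is resolved by longest prefix match; the policy matches on the packet's source. For set ip default next-hop the model follows the documented behaviour that the policy next hop is used only when the routing table has no explicit route, and a default route does not count as explicit. The addresses, `RIB`, `POLICY` and the `forward` helper are constructed for the example.

```python
import ipaddress

# Added example: model of 'set ip next-hop' vs 'set ip default next-hop' ordering.

# Constructed routing table: (prefix, next hop). Only the /24 is an explicit route.
RIB = [("0.0.0.0/0", "192.0.2.1"),          # default route
       ("198.51.100.0/24", "192.0.2.2")]    # explicit route

# Constructed policy: route-map match on source, set next hop 192.0.2.99.
POLICY = [("10.10.10.0/24", "192.0.2.99")]

def rib_lookup(rib, dst):
    """Longest prefix match. Returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def policy_lookup(policy, src):
    """First policy entry whose source prefix covers the packet, else None."""
    addr = ipaddress.ip_address(src)
    for prefix, nh in policy:
        if addr in ipaddress.ip_network(prefix):
            return nh
    return None

def forward(src, dst, rib=RIB, policy=POLICY, mode="next-hop"):
    """mode 'next-hop': policy first, then the routing table.
    mode 'default-next-hop': routing table first; the policy next hop is used
    only when there is no explicit (non-default) route for the destination."""
    policy_nh = policy_lookup(policy, src)
    route = rib_lookup(rib, dst)
    if mode == "next-hop":
        if policy_nh is not None:
            return policy_nh
        return route[1] if route else None
    if mode == "default-next-hop":
        if route is not None and route[0].prefixlen > 0:   # explicit route wins
            return route[1]
        if policy_nh is not None:                          # else policy route
            return policy_nh
        return route[1] if route else None
    raise ValueError(f"unknown mode {mode!r}")

if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "198.51.100.7"), ("10.10.10.5", "203.0.113.9"),
                     ("172.16.0.1", "203.0.113.9")]:
        print(src, "->", dst,
              "| next-hop:", forward(src, dst, mode="next-hop"),
              "| default next-hop:", forward(src, dst, mode="default-next-hop"))
```

The first sample packet is the one that separates the two commands: with set ip next-hop the policy wins even though the table holds an explicit /24 for the destination, while with set ip default next-hop the explicit route wins and the policy only takes effect for destinations the table covers by nothing better than the default route.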

P.S. You will NOT be able to disable IP CEF on a Cisco 3560, therefore you can NOT use debug ip policy to verify the policy routing.