
Re: Cisco access list - multihomed question



Brian,

I've seen people doing this:

! sequence 10: HTTP from the customer /25 goes to the first next hop
route-map family permit 10
 match ip address 115
 set ip next-hop w.x.y.z
!
! sequence 20: SMTP from the same /25 goes to the second next hop
route-map family permit 20
 match ip address 116
 set ip next-hop w.x.y.q
!
! the "deny" lines do not drop anything; under PBR they only stop the
! sequence from matching, so the packet is tried against the next one
access-list 115 permit tcp a.b.c.d 0.0.0.127 any eq www
access-list 115 deny tcp any any eq www
!
access-list 116 permit tcp a.b.c.d 0.0.0.127 any eq smtp
access-list 116 deny tcp any any eq smtp

and so on ...

So anything that does not meet the first criterion is sent to the next
criterion in that policy, i.e. pref 20.

Regards,

Michuki.




----- Original Message -----
From: Brian Longwe <blongwe at psg.com>
To: Michuki Mwangi <michuki at swiftkenya.com>
Cc: <bgreene at cisco.com>; <afnog at afnog.org>
Sent: Monday, October 29, 2001 10:22 AM
Subject: Re: Cisco access list - multihomed question


> Thanks Michuki,
>
> >
> > OK, I understand, same thing here! :oP
> >
> > Just one thing that I noticed with the route-maps (having seen your initial
> > message now ;o) ): I once did try that, and when using next-hop .... the
> > router CPU utilization went wild!
> > So try and use something like
> >
>
> I already have a working PBR for our filtered internet access service
> which goes something like:
>
> route-map family permit 10
>  match ip address 115
>  set ip next-hop w.x.y.z
>
> access-list 115 permit tcp a.b.c.d 0.0.0.127 any eq www
> access-list 115 deny tcp any any eq www
>
> This takes HTTP (port 80) traffic from net a.b.c.d and routes it to
> w.x.y.z <my content filter> and leaves all other traffic to be routed by the
> FIB.
>
> > Also, on the interface where you apply the route-map, use
> > ip route-cache policy
> >
>
> I already have that
>
> My catch is....
>
> I have discovered that each interface will only take a single "ip policy
> route-map" statement.... This means that I must combine the logic for my
> filtered service with the logic for this new policy.... which is proving to
> be a little tricky....
>
> ...hopefully nothing that a strong cup of coffee can't cure
>
> Brian
>
> >
> > ----- Original Message -----
> > From: Brian Longwe <blongwe at psg.com>
> > To: Michuki Mwangi <michuki at swiftkenya.com>
> > Cc: <bgreene at cisco.com>; <afnog at afnog.org>
> > Sent: Monday, October 29, 2001 9:26 AM
> > Subject: Re: Cisco access list - multihomed question
> >
> >
> > >
> > > Hi Michuki :-)
> > >
> > > I checked, it's supported.... The problem is that in the typical Kenyan
> > > style I'm doing 339 things on the same router - when I enable CEF the mem
> > > usage and CPU cycles go so high that the router starts choking...
> > >
> > > ...still trying to convince the purse holders to fork out $$$ for more
> > > equipment ;-)
> > >
> > > I *have* managed to get fast switching enabled without the router going
> > > south, so I think I'm on the high road... now all I need is to get the
> > > logic for my route-map right...
> > >
> > > Longwe
> > >
> > > On Mon, 29 Oct 2001 08:52:26 +0300
> > > "Michuki Mwangi" <michuki at swiftkenya.com> wrote:
> > >
> > > > The WCCP with CEF enabled might be failing due to the IOS version you
> > > > have. I think (not sure) that it's supported on 12.1(11).
> > > >
> > > > Regards,
> > > >
> > > > Michuki.
> > > >
> > > > ----- Original Message -----
> > > > From: Brian Longwe <blongwe at psg.com>
> > > > To: Barry Raveendran Greene <bgreene at cisco.com>
> > > > Cc: <afnog at afnog.org>
> > > > Sent: Monday, October 29, 2001 7:44 AM
> > > > Subject: Re: Cisco access list - multihomed question
> > > >
> > > >
> > > > >
> > > > > I'm going to try it with fast switching <route-cache> on the
> > > > > interface, should work
> > > > >
> > > > > (touch wood)
> > > > >
> > > > > Longwe
> > > > >
> > > > > >
> > > > > > It should work without CEF (original optimum/flow-based PBR code).
> > > > > > It will just be faster with the CEF code.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: owner-afnog at uol.co.ug [mailto:owner-afnog at uol.co.ug] On
> > > > > > > Behalf Of Brian Longwe
> > > > > > > Sent: Sunday, October 28, 2001 9:10 AM
> > > > > > > To: Barry Raveendran Greene
> > > > > > > Cc: afnog at afnog.org
> > > > > > > Subject: Re: Cisco access list - multihomed question
> > > > > > >
> > > > > > >
> > > > > > > Thanks for the response Barry....
> > > > > > >
> > > > > > > Is it only implementable (sic) in CEF? I am not using CEF at the
> > > > > > > moment because when I enable it, the router seems to go into too
> > > > > > > many CPU cycles and my WCCP sessions drop, killing browsing for
> > > > > > > my customers....
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Brian
> > > > > > >
> > > > > > > On Sun, 28 Oct 2001 08:04:17 -0800
> > > > > > > "Barry Raveendran Greene" <bgreene at cisco.com> wrote:
> > > > > > >
> > > > > > > > Hello Brian,
> > > > > > > >
> > > > > > > > Rephrasing - you want packets with a source address x.y.z.0/25
> > > > > > > > to bypass the forwarding table (FIB) and be forwarded in a
> > > > > > > > direction of your choice.
> > > > > > > >
> > > > > > > > So what you are looking for is a "FIB bypass" feature. On the
> > > > > > > > Cisco (where it was first created) it is called Policy Based
> > > > > > > > Routing (PBR).
> > > > > > > >
> > > > > > > > There is a lab on PBR in the ISP Workshop materials
> > > > > > > > (http://www.cisco.com/public/cons/workshops/) and found via key
> > > > > > > > word searching on Cisco's web site. Note that in the middle of
> > > > > > > > 12.0 we made PBR a CEF feature - allowing it to handle more PPS
> > > > > > > > and not be process switched. So check the documentation for any
> > > > > > > > specific details.
> > > > > > > >
> > > > > > > > Also note that this will only take care of traffic being
> > > > > > > > forwarded upstream to the provider. It will not handle downstream
> > > > > > > > traffic. For downstream flows, tweaking BGP advertisements would
> > > > > > > > be your best option.
> > > > > > > >
> > > > > > > > Barry
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: owner-afnog at uol.co.ug [mailto:owner-afnog at uol.co.ug] On
> > > > > > > > > Behalf Of Brian Longwe
> > > > > > > > > Sent: Saturday, October 27, 2001 8:18 AM
> > > > > > > > > To: afnog at afnog.org
> > > > > > > > > Subject: Cisco access list - multihomed question
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > The scenario.
> > > > > > > > >
> > > > > > > > > - Two upstream circuits on the same border router
> > > > > > > > > - I want to use one to carry (outgoing) traffic for certain
> > > > > > > > >   customer networks only
> > > > > > > > > - I want to use the other as the standard default for all other
> > > > > > > > >   customer traffic
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >    Upst #1 s0/0     [---------]
> > > > > > > > > --------------------[         ]< Upst #1 should route traffic for x.y.z.0/25
> > > > > > > > >                     [         ]
> > > > > > > > > --------------------[         ]
> > > > > > > > >    Upst #2 s1/0:16  [---------]< Upst #2 should route traffic for all others
> > > > > > > > >
> > > > > > > > > - Both upstream connections go to the same provider
> > > > > > > > > - There is no BGP with upstream provider, only static
> > > > > > > > >   defaults (until now)
> > > > > > > > >
> > > > > > > > > Instinctively I want to define route-maps to block traffic for
> > > > > > > > > #2 from #1 and block traffic for #1 from #2 with a "next-hop"
> > > > > > > > > statement to redirect in each route-map.
> > > > > > > > >
> > > > > > > > > Is this the right logic? Anyone with similar experience who
> > > > > > > > > can give tips?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Brian Longwe
> > > > > > > > >



-----
This is the afnog mailing list, managed by Majordomo 1.94.4

To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)

This list is maintained by owner-afnog at afnog.org
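An added worked example, appended by the editor and not code from anyone in this thread, for the two points the thread turns on: Michuki's note that a packet which fails one route-map sequence is tried against the next, and Brian's discovery that an interface takes only one "ip policy route-map", so the content-filter policy and the Upst #1 policy have to live in a single route-map. The block is a small Python parser and evaluator for the IOS route-map and numbered extended access-list syntax used above, run over a constructed config that merges both policies. Everything in that config is an assumption made for illustration: the addresses (10.0.0.0/25 for the filtered customers, 10.0.0.0/24 for the Upst #1 customers, 192.0.2.10 for the content filter, 198.51.100.1 for Upst #1), ACL numbers 110 and 120, and the deny sequence 5 that keeps customer-to-customer traffic from being pushed to the upstream. The two source sets deliberately overlap so that the effect of sequence order is visible.

```python
"""Toy parser/evaluator for the IOS policy-based-routing subset in this thread
(numbered extended ACLs + one route-map).  Added example; addresses are made up."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed config: both policies in ONE route-map (an interface takes a single
# "ip policy route-map").  The lowest matching sequence wins, so the content
# filter (10) sits before the Upst #1 steering (20); ACL 120 is a /24 here so
# the two source sets overlap and the ordering actually matters.
CONFIG = """
access-list 110 permit ip any 10.0.0.0 0.0.255.255
access-list 115 permit tcp 10.0.0.0 0.0.0.127 any eq www
access-list 115 deny tcp any any eq www
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
route-map family deny 5
 match ip address 110
route-map family permit 10
 match ip address 115
 set ip next-hop 192.0.2.10
route-map family permit 20
 match ip address 120
 set ip next-hop 198.51.100.1
"""
PORT_NAMES = {"www": 80, "smtp": 25}
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))
Ace = namedtuple("Ace", "action proto src dst dport")  # one access-list entry

@dataclass
class Seq:  # one route-map sequence
    action: str
    seq: int
    acl: Optional[int] = None
    next_hop: Optional[str] = None

def _addr(tok: list) -> ipaddress.IPv4Network:
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":                    # "host A" is the same as "A 0.0.0.0"
        t, wildcard = tok.pop(0), "0.0.0.0"
    else:
        wildcard = tok.pop(0)
    if wildcard == "0.0.0.0":          # exact host; ipaddress would read it as /0
        return ipaddress.IPv4Network(t + "/32")
    # An IOS wildcard mask is a hostmask, which ipaddress accepts as the mask.
    return ipaddress.IPv4Network(f"{t}/{wildcard}", strict=False)

def parse(config: str):
    acls, rmap = {}, []
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "access-list":
            num, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[4:]
            src, dst = _addr(rest), _addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(num, []).append(Ace(action, proto, src, dst, dport))
        elif tok[0] == "route-map":
            rmap.append(Seq(action=tok[2], seq=int(tok[3])))
        elif tok[:3] == ["match", "ip", "address"]:
            rmap[-1].acl = int(tok[3])
        elif tok[:3] == ["set", "ip", "next-hop"]:
            rmap[-1].next_hop = tok[3]
    rmap.sort(key=lambda s: s.seq)
    return acls, rmap

def ace_matches(ace: Ace, p: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == p.proto)
            and ipaddress.IPv4Address(p.src) in ace.src
            and ipaddress.IPv4Address(p.dst) in ace.dst
            and (ace.dport is None or ace.dport == p.dport))

def acl_permits(aces: list, p: Packet) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    for ace in aces:
        if ace_matches(ace, p):
            return ace.action == "permit"
    return False

def policy_route(config: str, p: Packet) -> Optional[str]:
    """Next hop that PBR imposes on p, or None when the normal FIB forwards it."""
    acls, rmap = parse(config)
    for s in rmap:
        # An ACL "deny" never drops anything under PBR: it only means "this
        # sequence does not match", so the packet falls through to the next one.
        if s.acl is not None and not acl_permits(acls.get(s.acl, []), p):
            continue
        if s.action == "deny":   # route-map deny: hand it back to normal routing
            return None
        return s.next_hop        # a permit with no set clause also means the FIB
    return None
```

Call policy_route(CONFIG, Packet("tcp", "10.0.0.5", "203.0.113.9", 80)) to trace one packet: HTTP from the filtered /25 gets 192.0.2.10 at sequence 10; HTTP from 10.0.0.200 fails ACL 115 on its deny line, falls through, and gets 198.51.100.1 at sequence 20; SMTP from either host also lands at sequence 20; and a source outside 10.0.0.0/24 returns None, meaning the routing table (the static default via Upst #2) carries it. Two things the model makes explicit that are easy to get wrong on the router: the ACL deny lines never drop anything under PBR, they only stop a sequence from matching, and a route-map deny sequence is the way to exclude traffic (here, anything destined for your own 10.0.0.0/16) from policy routing altogether. As Barry says, all of this only steers traffic leaving the interface the policy is applied to; the return path depends on what the upstream hears from you.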