I agree Tyson.

On Wed, Jun 2, 2010 at 6:24 PM, Tyson Scott <[email protected]> wrote:
> Kings,
>
> When you say apply it globally I assume you mean "ip local policy". This only affects traffic generated by the router. The reason this is necessary is traffic originated by the router is originated from the control plane. PBR applied to an interface affects traffic from the data plane on the ingress of the interface. Thus router generated traffic can never meet this category.
>
> Interface PBR = ingress on an interface defined by your ACL in the route-map.
>
> local PBR = router generated traffic defined by your ACL.
>
> Both of these are shown in example in the Video on Demand but I don't think I call it out as a specific topic. I use them to overcome some routing problems over the DMVPN.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Wednesday, June 02, 2010 4:31 AM
> *To:* Jimmy Larsson
> *Cc:* OSL Security
> *Subject:* Re: [OSL | CCIE_Security] Routing when doing IOS L2L
>
> Hi Jimmy
>
> You can find reverse-route under crypto maps. This was brought in for redundancy. The route for remote networks will be always pointing the peer. You need not configure the routers manually. With this, you need worry about the route it takes to the peer.
>
> The "set reverse-route" route was introduced later with IPSec profiles. This allows to set tag and distance. Very useful for DVTI based VPN, where you can redistribute using the tag.
>
> When you apply route-maps to the interface it impacts that interface alone. With configured globally, it impacts all interfaces.
>
> For the problem, try this
>
> On R1, you don't have a peer as it is a dynamic crypto map, "reverse-route static" won't work
>
> Just add "reverse-route" which will automatically find the peer and add the route for 2.2.2.2
>
> or
>
> configure "reverse-route remote peer 172.16.1.1" with or without static option.
>
> or
>
> configure ip route 2.2.2.2 255.255.255.255 172.16.1.1
>
> This should work.
>
> PBR is too sophisticated solution for this issue :-)
>
> With regards
> Kings
>
> On Wed, Jun 2, 2010 at 2:14 AM, Jimmy Larsson <[email protected]> wrote:
>
> TacAck: The difference in route-maps between my trial and your successful example was that I was doing "set interface fa0/0" while you did "set ip next-hop 172.16.1.1". When doing it your way it works great.
>
> Tyson: I understand that route-maps is not the most beautiful way of solving things. Now I have tried it and will put that tool in the bottom of my tool-bag.
>
> What's the difference between applying route-maps on interface and "local"? Do you have a good DocCD-link that I can read about route-maps? I am not a r/s-guy (yet) and it's quite new to me.
>
> And NOW I finally understand the difference between "reverse-route" and "set reverse-route <options>"-statements! I saw them as 2 different ways of doing RRI but couldn't understand the difference. But when looking in the command reference I see that "reverse-route" is the only command that ENABLES RRI, the "set reverse-route" just tweaks the behaviour by changing distance and so on. Cool!
>
> This is cool!
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
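
The interface PBR versus local PBR distinction discussed in the thread, as an added configuration sketch that is not from any of the posters. ACL 101, the route-map name TO-PEER and FastEthernet0/1 are assumptions; 2.2.2.2 and 172.16.1.1 are the addresses used in the thread.

```cisco
! Added example. ACL 101, route-map TO-PEER and FastEthernet0/1 are assumed
! names; 2.2.2.2 and 172.16.1.1 are the addresses used in the thread.
!
! Traffic to steer: anything destined to the remote host.
access-list 101 permit ip any host 2.2.2.2
!
! One policy, reused at both attachment points below.
route-map TO-PEER permit 10
 match ip address 101
 set ip next-hop 172.16.1.1
!
! Interface PBR: evaluated on packets arriving (ingress) on this interface,
! that is, transit traffic in the data plane. Packets the router originates
! never arrive on an interface, so this policy never sees them.
interface FastEthernet0/1
 ip policy route-map TO-PEER
!
! Local PBR: evaluated on packets the router itself originates
! (control plane), such as a ping issued from the router.
ip local policy route-map TO-PEER
!
! Alternative from the thread that needs no PBR at all:
! ip route 2.2.2.2 255.255.255.255 172.16.1.1
```

`show ip policy` lists which route-map is attached to each interface and to "local", and `show route-map TO-PEER` shows the match counters, which tells you whether the traffic is actually hitting the policy.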
