Hi Tyson,

I have already brought up this topic but want to discuss it again.
With respect to CCIE Security, I see the following areas where we use route-maps:

- Route distribution, using the redistribute command with route-maps
- Route filtering, using the distribute command with route-maps
- PBR

At the end, do we need to add a dummy permit clause, as in "route-map <name> permit"?

With PBR, I don't think it will have an effect. If you don't have it, the traffic goes for normal destination-based routing. If you have it, since there is no match statement, again it goes for normal routing.

For filtering and redistribution, do we need the dummy permit rule? If we have it, what will be the effect?

Please do explain the effect of having and not having the dummy permit statement for PBR, route filtering and redistribution. What should we follow from an exam point of view?

With regards
Kings

On Wed, Jun 2, 2010 at 7:32 PM, Tyson Scott <[email protected]> wrote:
> Just wanted to clarify as I was unsure on one of your statements below.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Wednesday, June 02, 2010 10:01 AM
> To: Tyson Scott
> Cc: Jimmy Larsson; OSL Security
> Subject: Re: [OSL | CCIE_Security] Routing when doing IOS L2L
>
> > I agree Tyson.
> >
> > On Wed, Jun 2, 2010 at 6:24 PM, Tyson Scott <[email protected]> wrote:
> > > Kings,
> > >
> > > When you say apply it globally I assume you mean "ip local policy". This only affects traffic generated by the router. The reason this is necessary is that traffic originated by the router is originated from the control plane. PBR applied to an interface affects traffic from the data plane on the ingress of the interface. Thus router-generated traffic can never meet this category.
> > >
> > > Interface PBR = ingress on an interface defined by your ACL in the route-map.
> > >
> > > Local PBR = router-generated traffic defined by your ACL.
> > >
> > > Both of these are shown as examples in the Video on Demand, but I don't think I call them out as a specific topic. I use them to overcome some routing problems over the DMVPN.
> > >
> > > Regards,
> > >
> > > Tyson Scott - CCIE #13513 R&S, Security, and SP
> > >
> > > From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> > > Sent: Wednesday, June 02, 2010 4:31 AM
> > > To: Jimmy Larsson
> > > Cc: OSL Security
> > > Subject: Re: [OSL | CCIE_Security] Routing when doing IOS L2L
> > >
> > > > Hi Jimmy
> > > >
> > > > You can find reverse-route under crypto maps. This was brought in for redundancy. The route for remote networks will always point to the peer. You need not configure the routes manually. With this, you need not worry about the route it takes to the peer.
> > > >
> > > > The "set reverse-route" route was introduced later with IPsec profiles. This allows you to set tag and distance. Very useful for DVTI-based VPN, where you can redistribute using the tag.
> > > >
> > > > When you apply route-maps to the interface it impacts that interface alone. When configured globally, it impacts all interfaces.
> > > >
> > > > For the problem, try this:
> > > >
> > > > On R1, you don't have a peer as it is a dynamic crypto map, so "reverse-route static" won't work.
> > > >
> > > > Just add "reverse-route", which will automatically find the peer and add the route for 2.2.2.2
> > > >
> > > > or
> > > >
> > > > configure "reverse-route remote peer 172.16.1.1" with or without the static option
> > > >
> > > > or
> > > >
> > > > configure ip route 2.2.2.2 255.255.255.255 172.16.1.1
> > > >
> > > > This should work.
> > > >
> > > > PBR is too sophisticated a solution for this issue :-)
> > > >
> > > > With regards
> > > > Kings
> > > >
> > > > On Wed, Jun 2, 2010 at 2:14 AM, Jimmy Larsson <[email protected]> wrote:
> > > > > TacAck: The difference in route-maps between my trial and your successful example was that I was doing "set interface fa0/0" while you did "set ip next-hop 172.16.1.1". When doing it your way it works great.
> > > > >
> > > > > Tyson: I understand that route-maps are not the most beautiful way of solving things. Now I have tried it and will put that tool in the bottom of my tool-bag.
> > > > >
> > > > > What's the difference between applying route-maps on an interface and "local"? Do you have a good DocCD link that I can read about route-maps? I am not an R/S guy (yet) and it's quite new to me.
> > > > >
> > > > > And NOW I finally understand the difference between the "reverse-route" and "set reverse-route <options>" statements! I saw them as 2 different ways of doing RRI but couldn't understand the difference. But when looking in the command reference I see that "reverse-route" is the only command that ENABLES RRI; the "set reverse-route" just tweaks the behaviour by changing distance and so on. Cool!
> > > > >
> > > > > This is cool!
> > > > >
> > > > > --
> > > > > -------
> > > > > Jimmy Larsson
> > > > > Ryavagen 173
> > > > > s-26030 Vallakra
> > > > > Sweden
> > > > > http://blogg.kvistofta.nu
> > > > > -------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
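The two PBR scopes (interface versus "ip local policy") and the two RRI commands ("reverse-route" versus "set reverse-route") that the thread discusses, put side by side as an added IOS configuration example; this is not configuration from any of the posters. The addresses 2.2.2.2 and 172.16.1.1 come from the thread; the interface FastEthernet0/1, the names TO-PEER-ACL, TO-PEER, DYN, TS (assumed defined elsewhere), PROF and RRI-TO-OSPF, tag 100, distance 10 and OSPF process 1 are assumptions.

```cisco
! ---- PBR: the same route-map, two different scopes ----
ip access-list extended TO-PEER-ACL
 permit ip any host 2.2.2.2
!
! the thread reports "set ip next-hop" worked where "set interface fa0/0" did not
route-map TO-PEER permit 10
 match ip address TO-PEER-ACL
 set ip next-hop 172.16.1.1
!
! data-plane traffic entering this interface is policy-routed
interface FastEthernet0/1
 ip policy route-map TO-PEER
!
! control-plane traffic the router itself originates needs local policy
ip local policy route-map TO-PEER
!
! ---- RRI on a dynamic crypto map: no peer is known in advance ----
! "reverse-route" learns the peer when the SA comes up; "reverse-route static"
! needs a known peer and so does not apply here, as the thread notes
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! ---- RRI in an IPsec profile (DVTI) ----
! "reverse-route" enables RRI; "set reverse-route" only tunes the injected route
crypto ipsec profile PROF
 set transform-set TS
 reverse-route
 set reverse-route tag 100
 set reverse-route distance 10
!
! ---- Redistribute only the RRI routes, selected by tag ----
! the route-map's implicit deny at the end keeps other static routes out
route-map RRI-TO-OSPF permit 10
 match tag 100
!
router ospf 1
 redistribute static subnets route-map RRI-TO-OSPF
```

With "ip local policy" in place, a ping or IKE packet sourced by the router itself is steered to 172.16.1.1 the same way transit traffic on FastEthernet0/1 is; without it only the transit traffic is affected.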
