Hi guys,
I don't understand the requirement in Yusuf's question 8.2 (lab2) for
the second/default route-map policy.
Part of the question is: Ensure that your solution does not impede any
traffic, and all other traffic flows uninterrupted through R3.
From the explanation part:
To mitigate the virus traffic, you need to configure PBR (route-map)—one
route-map to match the TCP traffic based on the virus criteria, and a second
route-map with no parameters (without match/set commands). This is similar to
a default policy that matches all other traffic to pass through uninterrupted.
A route-map configuration model has no default policy. Therefore, you need to
explicitly configure the second route-map to mimic default policy, allowing
all remaining traffic.
I tested route-map functionality without that second/default route-map and
it works! Or am I missing something?
Design (not the same as in the book)
======
R1 <---> (ip policy route-map) R2 <----> (192.168.1.2) R3
Config
=====
route-map TEST permit 10
 match ip address 100
 set interface Null0
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map TEST
 duplex auto
 speed auto
!
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq 22
!
Shows
=====
R2#sh route-map
route-map TEST, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    interface Null0
  Policy routing matches: 13 packets, 1050 bytes
R2#sh access-l 100
Extended IP access list 100
    10 permit icmp any any (5 matches)
    20 permit tcp any any eq 22 (8 matches)
Verification
============
R1#pi 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#ssh -l c 192.168.1.2
R1#192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification
Username:c
Thanks !!
Radim
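
As an added illustration (not part of the original post and not Cisco code), the Python model below evaluates the posted route-map TEST and ACL 100 against constructed packets that mirror the ping, SSH and plain `192.168.1.2` (telnet, TCP 23) tests. It assumes IOS policy-routing behaviour in which a packet that matches no entry, or a permit entry with no set clause, is forwarded by the normal routing table; `TEST_WITH_DEFAULT` and its sequence number 20 are hypothetical names for the book's empty second entry.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "tcp"
    dport: Optional[int] = None     # TCP destination port

@dataclass(frozen=True)
class Ace:                          # "access-list 100 permit <proto> any any [eq <port>]"
    action: str
    proto: str
    dport: Optional[int] = None

    def hits(self, pkt: Packet) -> bool:
        return self.proto == pkt.proto and self.dport in (None, pkt.dport)

@dataclass(frozen=True)
class Entry:                        # one "route-map ... permit <seq>" entry
    seq: int
    acl: Optional[tuple] = None     # None: no match clause, so every packet matches
    set_interface: Optional[str] = None

def acl_permits(acl, pkt):
    """First matching ACE decides; the implicit deny at the end means 'no match'."""
    for ace in acl:
        if ace.hits(pkt):
            return ace.action == "permit"
    return False

def policy_route(route_map, pkt):
    """Return the forced egress interface, or 'normal' for destination-based routing."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if entry.acl is None or acl_permits(entry.acl, pkt):
            return entry.set_interface or "normal"
    return "normal"                 # no entry matched: packet is not policy-routed

# ACL 100 and route-map TEST as posted
ACL_100 = (Ace("permit", "icmp"), Ace("permit", "tcp", 22))
TEST = [Entry(10, ACL_100, "Null0")]
# Assumption: the book's empty second entry, given sequence 20 here
TEST_WITH_DEFAULT = TEST + [Entry(20)]

# Constructed packets mirroring the ping, SSH and telnet tests
SAMPLES = {"ping": Packet("icmp"), "ssh": Packet("tcp", 22), "telnet": Packet("tcp", 23)}

def compare():
    """Map each sample to (result without empty entry, result with it)."""
    return {name: (policy_route(TEST, p), policy_route(TEST_WITH_DEFAULT, p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (without, with_default) in compare().items():
        print(f"{name:7} without: {without:7} with empty entry: {with_default}")
```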