Radim,

The requirement asks for the second route-map so that you can have 
visibility of the non-matched traffic.

If you have the second default route-map you can see the counters of the 
traffic not-matched in the first policy entry.

It works either way, but you either have or do not have visibility and accounting.

Regards.

Sent from my iPhone

On 10/08/2012, at 09:51, Radim Jurica <[email protected]> wrote:

> Hi guys,
> I don't understand the requirement in Yusuf's question 8.2 (lab2) for the 
> second/default route-map policy
> 
> Part of the question is: Ensure that your solution does not impede any 
> traffic, and all other traffic flows uninterrupted through R3.
> 
> From explanation part:
> To mitigate the virus traffic, you need to configure PBR (route-map)—one 
> route-map to match the TCP traffic
> based on the virus criteria, and a second route-map with no parameters 
> (without match/set commands). This is
> similar to a default policy that matches all other traffic to pass through 
> uninterrupted. A route-map configuration
> model has no default policy. Therefore, you need to explicitly configure the 
> second route-map to mimic default
> policy, allowing all remaining traffic.
> 
> I tested route-map functionality without that second/default route-map and it 
> works! Or am I missing something?
> 
> 
> Design (not the same as in the book)
> ======
> 
> R1 <---> (ip policy route-map) R2 <----> (192.168.1.2) R3
> 
> 
> 
> Config
> =====
> route-map TEST permit 10
>  match ip address 100
>  set interface Null0
> !
> interface FastEthernet0/0
>  ip address 10.10.10.1 255.255.255.0
>  ip policy route-map TEST
>  duplex auto
>  speed auto
> !
> access-list 100 permit icmp any any
> access-list 100 permit tcp any any eq 22
> !
> 
> Shows
> =====
> R2#sh route-map 
> route-map TEST, permit, sequence 10
>   Match clauses:
>     ip address (access-lists): 100 
>   Set clauses:
>     interface Null0
>   Policy routing matches: 13 packets, 1050 bytes
> 
> R2#sh access-l 100
> Extended IP access list 100
>     10 permit icmp any any (5 matches)
>     20 permit tcp any any eq 22 (8 matches)
> 
> Verification
> ============
> R1#pi 192.168.1.2      
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R1#ssh -l c 192.168.1.2
> 
> R1#192.168.1.2         
> Trying 192.168.1.2 ... Open
> 
> 
> User Access Verification
> 
> Username:c
> 
> 
> Thanks !!
> 
> Radim
> 
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
> 
> Are you a CCNP or CCIE and looking for a job? Check out 
> www.PlatinumPlacement.com
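
The point discussed in this thread, modelled as an added example (not from the book or from either poster): a simplified Python sketch of PBR first-match evaluation using the thread's ACL 100 and Null0 entry. The `Entry` class, `policy_route` function and sample packets are constructed for illustration and assume that an entry without a match clause matches every packet and that unmatched packets fall through to normal routing.

```python
# Simplified model of PBR route-map evaluation (illustrative sketch, not Cisco code).
# Packets are constructed (protocol, destination_port) tuples.
from dataclasses import dataclass
from typing import Callable, Optional

def acl_100(pkt):
    """access-list 100 from the thread: permit icmp any any; permit tcp any any eq 22."""
    proto, dport = pkt
    return proto == "icmp" or (proto == "tcp" and dport == 22)

@dataclass
class Entry:
    seq: int
    match: Optional[Callable] = None      # None = no match clause, matches everything
    set_interface: Optional[str] = None   # None = no set clause, normal routing
    hits: int = 0                         # models "Policy routing matches"

def policy_route(route_map, packets):
    """First matching permit entry wins; returns (decisions, unaccounted packet count)."""
    decisions, unaccounted = [], 0
    for pkt in packets:
        for entry in sorted(route_map, key=lambda e: e.seq):
            if entry.match is None or entry.match(pkt):
                entry.hits += 1
                decisions.append(entry.set_interface or "routing-table")
                break
        else:
            # No entry matched: the packet is still routed normally,
            # but no route-map counter records it.
            unaccounted += 1
            decisions.append("routing-table")
    return decisions, unaccounted

# Constructed sample traffic: ping, SSH, telnet, DNS
SAMPLE = [("icmp", None), ("tcp", 22), ("tcp", 23), ("udp", 53)]

def compare():
    single = [Entry(10, acl_100, "Null0")]                    # config tested in the thread
    with_default = [Entry(10, acl_100, "Null0"), Entry(20)]   # plus empty permit 20
    d1, lost1 = policy_route(single, SAMPLE)
    d2, lost2 = policy_route(with_default, SAMPLE)
    return {
        "same_forwarding": d1 == d2,
        "decisions": d1,
        "single": ({e.seq: e.hits for e in single}, lost1),
        "with_default": ({e.seq: e.hits for e in with_default}, lost2),
    }

if __name__ == "__main__":
    print(compare())
```

Both route-maps forward the sample traffic identically; only the version with the empty second entry has a counter for the packets that ACL 100 did not match.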