I have a 4507R which I use as a layer 3 network core (collapsed core) in a building. It has different gateways (vlan interfaces) for 5 floors, and basically I have two paths to my HQ: a router with some leased lines for critical information and a VPN for the rest. The router I use to connect to our HQ is in one vlan; I have a vlan interface in the 4507 and they both use EIGRP. The VPN is in a PIX; I have another vlan for the PIX subnet too, and I use static routing for it.
My problem is: when I receive traffic from a floor, I can set the next hop for a destination in the same vlan interface, so since the PIX is in a different vlan from the floors, writing the policy rule command in the interface where I receive the floor's traffic does not work. How can I solve this? I have thought of using local policy routing since the documentation I have says "packets originating in the router", but I am not sure what this expression means. Are packets from the different floors being "originated" in my 4507, since it is the layer three device in this scenario? Should this solve my inconvenience?
I cannot use static routes since sometimes only some ports between servers are sent via VPN and the other applications are sent via leased lines.
Just to make up my mind, please check the configuration I have written below. Do you think this should work even when the floor's interface IP address is not in the same subnet as the PIX subnet? Do you think this should work?
The 4507 and the HQ router are interchanging routes using EIGRP; I can reach the remote servers using either path.
(These are remote buildings, one or two floors; I connect to our main building using layer three switches and fiber optic.) Local gateways for those buildings are in the remote L3 switches and I use 30-bit subnets to interconnect those L3 with this 4507.
10.200.X.X is our HQ, 10.10.X.X is my region.
I could replace the matches for 10.200.10.25 (full IP) with a static route, but at any time I could use redistribute static, so I prefer policy routing.
I didn't see any traffic on my pix. Since you confirm this should work I will change my next hop in one route map and apply it to one interface where the effect, in case it could be negative, does not affect my operation.
To tell you the truth, I remember once I had to set full IP (not TCP Port) in my access list because just TCP/port was not working. Could it be an IOS bug, maybe? (I have cat4000-i5k91s-mz.122-25.EWA8)
Anyway, I will leave this conversation open just in case, after changing, I find something else that could help me know what is causing the apparent misrouting.
I will do my changes tomorrow morning since at night we have a heavy load on our network.
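The setup discussed in this thread, as an added IOS configuration sketch that is not taken from the original posts: transit traffic from a floor is policy-routed by `ip policy route-map` on the SVI where it arrives, and `set ip next-hop` can point at a device in a different VLAN as long as that VLAN is directly connected to the 4507, while `ip local policy route-map` only affects packets the switch itself generates. The VLAN numbers, the 10.10.1.0/24 and 10.10.50.0/24 subnets, the PIX address 10.10.50.2, the names and TCP port 1521 are assumptions; only 10.200.10.25 comes from the thread.

```cisco
! Assumed values (not from the thread): Vlan10 = one floor's gateway,
! Vlan50 = PIX subnet, 10.10.50.2 = PIX inside address,
! TCP 1521 = the one application that should use the VPN.
! 10.200.10.25 is the HQ server address mentioned in the thread.
!
! Match only the flows that must go through the VPN.
ip access-list extended FLOOR1-TO-VPN
 permit tcp 10.10.1.0 0.0.0.255 host 10.200.10.25 eq 1521
!
! Matched packets are forwarded to the PIX. There is no second
! sequence, so everything else follows the normal routing table
! (the EIGRP routes learned from the leased-line router).
route-map FLOOR1-PBR permit 10
 match ip address FLOOR1-TO-VPN
 set ip next-hop 10.10.50.2
!
! Apply the policy on the interface where the floor traffic ENTERS
! the switch. The next hop does not have to be in this subnet.
interface Vlan10
 description Floor 1 gateway (ingress for floor traffic)
 ip address 10.10.1.1 255.255.255.0
 ip policy route-map FLOOR1-PBR
!
! The next hop must be reachable on a directly connected subnet,
! which the PIX VLAN interface provides.
interface Vlan50
 description PIX subnet
 ip address 10.10.50.1 255.255.255.0
!
! Only for packets generated by the switch itself (its own pings,
! telnet sessions, routing protocol packets), not for floor traffic:
!  ip local policy route-map <route-map-name>
!
! Checks after applying:
!  show ip policy                 (which route-map is bound where)
!  show route-map FLOOR1-PBR      (match counters should increase)
!  show access-lists FLOOR1-TO-VPN
```

If the route-map counters increase but nothing arrives at the PIX, check that the next-hop address answers ARP on the PIX VLAN.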