Re: "ip local policy route-map" vs "ip policy route-map"

samsam_wang · ‎04-14-2004

two questions

First,

What is the diffirence between them?

one is in global configuration mode, another is in interface configuration mode.

second,

OSPF authentication

R1---1544K area 0 MD5---R2

R1---ISDN area 0 MD5---R2

ISDN is for backup.

Do I need to configuration MD5 on the ISDN? like

int bri 0

ip ospf message-digest-key 1 md5 cisco

Thanks

cdfowlie · ‎04-15-2004

The "ip local policy route-map" command is used to policy-route traffic generated locally on the router. For example, if you are logged into the router itself executing a ping, the local policy would apply. The same would apply for GRE / IPSec / Telnet traffic etc. coming from the router itself.

The "ip policy route-map" looks at traffic entering an interface and policy-routes accordingly. This traffic would be external, transiting the router. Hope that clears your first question.

Second:

If you are using area authentication i.e.:

router ospf 100

area 0 authentication message-digest

Then you must also configure your MD5 key on the ISDN link as you specified. All interfaces in Area 0 (including virtual links!) must have the MD5 key configured.

However, if you are configuring link authentication:

(interface serial1

ip ospf authentication message-digest)

you only need to configure the message-digest key on the interfaces where you also configure authentication.

HTH

-Colin

samsam_wang · ‎04-15-2004

Thanks for your reply.

for the first question.

the topology like

R2----R1---LAN----R3

R4----R1

if the packet is from LAN between R1 and R3, which statement I should use? "ip local policy" or "ip policy" ? because part of packets generated from R1, and part of packets generated from LAN or R3

second question.

two topology

1st topology.

R1---area 0 serial0--R2---area 1-----R3

R1---area 0 ISDN-----R2

router ospf 100

area 0 authentication message-digest

int se 0

ip ospf message-digest 1 md5 cisco

for this topology, I guess on the ISDN link, we don't need to use "ip ospf message-digest 1 md5 cisco

", because when the main link down, ISDN will up and no necessary to use MD5 on the ISDN link

second topology

R2---area0 serial0---R1---area 0----R3---area1---R4

R2---area0 ISDN-----R1

if run MD5 in area 0(between R2,R1 and R3), if the main link between R2 and R1 down, I guess ISDN must use MD5, if not, then R2 can not connect to R3.

right?

but for the first topology, that is ok if we use MD5 on the ISDN link. so for both topology, use MD5 is OK. but I found in many of study materials, they don't use MD5 on the ISDN link.

so I am confused.

Thanks again.

cdfowlie · ‎04-15-2004

For the policy-routing question, if some of your traffic is generated by R1 itself, and some is from the LAN/R3, then you can configure both the local policy and the interface policy.

(config)# ip local-policy route-map MAPNAME

Then under the interface connected to the LAN/R3

(config-if)# ip policy route-map MAPNAME.

As for your ISDN config, if you are running MD5 in area 0 you must configure the message-digest key on the ISDN link. All interfaces that are included in Area 0 must have the key in order to function properly.

HTH

-Colin

tomanderin · ‎04-15-2004

packets generated by the router do not normally abide by the policy routing, if you use "ip local policy route-map", it will.

The ospf/isdn issue, sorry don't know

Rui Carlos Antunes · ‎04-15-2004

Regarding PBR, the "ip local policy route-map" is used to Policy-Based Route traffic that is generated by the router itself (for example, if you issue a ping on the router, the ICMP packets will be Policy-Based Routed according to the route-map specified with the "ip local policy route-map". The "ip policy route-map" is used to Policy-Based Route traffic that is received on the interface on which the command is configured.

Regarding OSPF authentication, the answer is: it depends on the rest of the configuration. If you configured "area 0 authentication message-digest" under the OSPF process, then you need to configure "ip ospf message-digest-key ... md5 ..." command on the ISDN interface (since the ISDN interface belongs to Area0).