Sunday, March 1, 2026

Configure Policy-Based Routing (PBR) in a Cisco Router

Here's a link on configuring Policy-Based Routing (PBR) on a Cisco router. I was trying to configure PBR on a customer VRF to test or simulate customer traffic through a new FortiGate firewall. The customer traffic is currently NAT'd through the Cisco ASA firewall.

CE#trace vrf CUST 8.8.8.8 source 192.168.199.1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.6.9.50 0 msec 0 msec 0 msec
  2 216.12.34.5 0 msec 0 msec 4 msec   // CISCO ASA HOP
  3 72.250.194.1 0 msec 4 msec 0 msec
<OUTPUT TRUNCATED>
  9  *  *  *
 10 8.8.8.8 4 msec 8 msec 8 msec


 

Note that you'll need to apply PBR on the "ingress" or LAN interface. You also can't configure a Loopback interface and then run a ping test sourced from that Loopback, because an interface-level PBR policy only acts on packets received on that interface, not on traffic the router originates itself. The ping test should be sourced from an IP host/subnet located "behind" the router, i.e. a Layer 3 hop away from the router doing the PBR.


You'll also need to consider local traffic flows, i.e. if a host needs to access internal resources such as DNS, then you'll need a deny ACL statement to exclude those IPs/subnets from the policy route so they keep following the normal routing table.

PE#show access-list 199 
Extended IP access list 199
    10 deny ip 192.168.199.0 0.0.0.255 10.1.1.0 0.0.0.255   // EXCLUDE INTERNAL DNS TRAFFIC 
    20 permit ip 192.168.199.0 0.0.0.255 any   // PERMIT 192.168.199.0/24 TO INTERNET (NEW FW)

PE#show run | sec route-map MY-PBR   // NO NEED TO CONFIGURE: set vrf <VRF>  
route-map MY-PBR permit 10 
 match ip address 199
 set ip next-hop 172.20.8.12

PE(config)#interface GigabitEthernet0/0/1   // LAN INTERFACE
PE(config-if)#ip policy route-map MY-PBR
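Before applying a policy route in production, it helps to check how the ACL and route-map above will classify a given flow. The following is an added example (not from the original post): a small Python model of access-list 199 and route-map MY-PBR that reproduces IOS wildcard-mask matching, first-match ACL evaluation and the implicit deny at the end, and returns the FortiGate next hop for matched traffic or None for traffic that falls back to normal routing (the ASA path). The addresses are the ones shown in the post; the function names are assumptions of this example.

```python
import ipaddress

# access-list 199 from the post: (action, src, src_wildcard, dst, dst_wildcard)
ACL_199 = [
    ("deny",   "192.168.199.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),          # exclude internal DNS
    ("permit", "192.168.199.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),    # 192.168.199.0/24 to any
]
PBR_NEXT_HOP = "172.20.8.12"  # set ip next-hop in route-map MY-PBR (FortiGate)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


def pbr_next_hop(src: str, dst: str, acl=ACL_199, next_hop=PBR_NEXT_HOP):
    """Return the policy-routed next hop, or None when the packet is routed normally.

    A 'deny' in a route-map match ACL does not drop the packet; it simply
    means the route-map entry does not match and normal routing applies.
    """
    return next_hop if acl_lookup(acl, src, dst) == "permit" else None


if __name__ == "__main__":
    # constructed sample flows mirroring the post's ping/traceroute tests
    for src, dst in [("192.168.199.1", "8.8.8.8"),      # customer -> Internet: FortiGate
                     ("192.168.199.1", "10.1.1.53"),    # customer -> internal DNS: normal routing
                     ("192.168.200.1", "8.8.8.8")]:     # other RFC1918 subnet: still via ASA
        print(f"{src} -> {dst}: next hop {pbr_next_hop(src, dst)}")
```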


CE#ping vrf CUST 8.8.8.8 source 192.168.199.1 rep 10   // GOOGLE DNS
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1 
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 4/8/20 ms


CE#ping vrf CUST 72.163.4.185 source 192.168.199.1   // CISCO.COM
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.163.4.185, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

CE#traceroute vrf CUST 8.8.8.8 source 192.168.199.1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
  1 10.6.9.50 0 msec 0 msec 0 msec
  2 172.20.8.12 msec 4 msec 0 msec   // FORTIGATE HOP
  3 66.12.34.56 0 msec 0 msec 0 msec
<OUTPUT TRUNCATED>
 11  *  *  *
 12 8.8.8.8 4 msec 4 msec 4 msec

 

PBR was confirmed working when the CE router's traceroute showed the second hop via the new FortiGate IP address. I also checked the NAT translations via the FortiView Sessions. The other RFC1918 IP subnets were still NAT'd via the Cisco ASA firewall.


Friday, February 6, 2026

Cisco Nexus cli alias Command

You can use cli alias name <alias> <command> to create a shortcut for your favorite Cisco commands. An example would be an alias for write memory (or just wr) on a Cisco Nexus switch, which only supports copy run start.


N5K# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
N5K(config)# cli ?
  alias  Define an alias
  var    Define a variable

N5K(config)# cli alias ?
  name  Specify the alias

N5K(config)# cli alias name ?
  WORD  Alias command (Max Size 30)

N5K(config)# cli alias name wr ?
  LINE  Alias definition

N5K(config)# cli alias name wr copy run start ?
  <CR>  
  LINE   Alias definition

N5K(config)# cli alias name wr copy run start
N5K(config)# show run | i cli
cli alias name wr copy run start
N5K(config)# alias         // NEXUS VERIFICATION COMMAND
CLI alias commands
==================
alias  :show cli alias
wr     :copy run start
N5K(config)# wr
[########################################] 100%
Copy complete, now saving to disk (please wait)...

Thursday, January 1, 2026

SecureCRT Button for Saved Credentials

Here's a link on managing login credentials for multiple systems or devices in SecureCRT. This can be a more viable and secure password manager tool. There's also another feature in SecureCRT where you can add a button to automate your device login. This prevents an admin from forgetting his username/password and avoids being locked out due to multiple failed login attempts.

To create a saved Credential in SecureCRT, go to Options tab > Global Options > General > Credentials > Add

Type a Title > Username > Move Authentication: Password up > click Edit (gear icon) > select: Store Password > Type the password twice to confirm > OK.

 

To add a new SecureCRT button > right-click (bottom area) > New Button

Select Function: Credentials > Select the newly created Credential > Select Send: Password.

Type a Label > select the Icon color > optionally type a Description > OK.


SSH to a Cisco device and click the new button when prompted for a password.

svr01 ~]$ ssh -l cisco-admin 172.16.1.254

### ASA LAB ###

cisco-admin@172.16.1.254's password: <CLICK BUTTON>
User cisco-admin logged in to LAB-ASA5515x
Logins over the last 81 days: 3.  Last login: 00:59:39 UTC Sep 28 2025 from 192.168.1.100
Failed logins since the last login: 1.  Last failed login: 09:06:35 UTC Dec 5 2025 from 192.168.1.168
Type help or '?' for a list of available commands.
LAB-ASA5515x>