From: Nigel Taylor (nigel_taylor@xxxxxxxxxxx)
Date: Sat Mar 03 2001 - 16:27:46 GMT-3
Chuck,
The "debug ip policy" on the router where the ip policy map
is defined yield no results....
That's the debug I was looking to see if their were anything weird...
Nigel..
----- Original Message -----
From: Chuck Larrieu <chuck@cl.cncdsl.com>
To: Nigel Taylor <nigel_taylor@hotmail.com>; Larry Roberts
<lroberts22@uswest.net>; CCIE_Lab Groupstudy List <ccielab@groupstudy.com>
Sent: Saturday, March 03, 2001 11:33 AM
Subject: RE: Policy routing Sanity Check
> Now that you mention it, Nigel, this is the router with the 12.0.15 image
> that I have had so many bizarre problems as well. It is the router where I
> never bothered to upgrade the eproms when I added flash and upgraded to
12.x
> in general.
>
> Nope - that's not is. I've set up pvcs with another router, removed ip
> routing from a subinterface so that now the only route to the 20.0.0.0
> network is through this other router, and I have the same result. Ping
goes
> one way, trace goes the other.
>
> Did some finagling, and here are some traces. I am pinging from
10.202.12.2
> and to 20.40.40.33. As you can see, the debug ip packet SAYS the gateway
is
> the one I expect.
>
> 3d11h: IP: s=10.202.12.2 (Serial0.3), d=20.40.40.33 (Serial0.2),
> g=10.10.7.5, le
> n 100, forward
> 3d11h: IP: s=20.40.40.33 (Serial0.1), d=10.202.12.2 (Serial0.3),
> g=10.10.8.2, le
> n 100, forward
> 3d11h: IP: s=10.202.12.2 (Serial0.3), d=20.40.40.33 (Serial0.2),
> g=10.10.7.5, le
> n 100, forward
> 3d11h: IP: s=20.40.40.33 (Serial0.1), d=10.202.12.2 (Serial0.3),
> g=10.10.8.2, le
> n 100, forward
>
> I checked the 12.1 release notes, and did some clear ip cache, with no
> effect. Also entered a no ip route-cache on various interfaces but still
no
> effect.
>
> I'm going to reconfigure things a bit and see if I can identify a similar
> issue in the 11.2 domain. I just wonder if this is another one of the
> "gotchas" you're sitting there in the lab, pinging away, happy in the
belief
> that your policy is working, and it is not. Your mouth falls open in
> disbelief when the proctor dings you. Or worse yet, you use the extended
> ping, discover the problem yourself, and spend too much time trying to fix
> it.
>
> Chuck
>
>
>
>
>
> -----Original Message-----
> From: Nigel Taylor [mailto:nigel_taylor@hotmail.com]
> Sent: Saturday, March 03, 2001 5:57 AM
> To: Nigel Taylor; Chuck Larrieu; Larry Roberts; CCIE_Lab Groupstudy List
> Subject: Re: Policy routing Sanity Check
>
> Chuck,
> Ok, I mocked up a basic PBR config to see if I would get the
> same results. Unfortunately I was not so lucky. I made my list more
> specific as to test packet being sourced from specific interface so I
could
> verify what packet should and should not be policy routed. In every case
on
> the ping and trace alike it followed the rules of PBR as we understand it.
> I also tested this with the "ip" only ACL statement and that pretty much
> covered trace and ping as well. I was wondering... what did the trace
while
> debugging "ip policy" reveal..?
>
> Interesting thing happened to me this morning. in a simple FR setup hub
and
> spoke(all physical interfaces) I couldn't get RIP to propagate to on of
the
> spokes.. Debug revealed I was sending and not receiving routes..
> As fate would have it I changed the IOS(from 12.0(15) to 12.1(6) and
> everything works.. This is the same router that gave me that FR problem
> having to use "wr mem" before the commands would take effect.. Go
> figure..:->
>
>
> Nigel.
>
>
> ----- Original Message -----
> From: Nigel Taylor <nigel_taylor@hotmail.com>
> To: Chuck Larrieu <chuck@cl.cncdsl.com>; Larry Roberts
> <lroberts22@uswest.net>; CCIE_Lab Groupstudy List <ccielab@groupstudy.com>
> Sent: Saturday, March 03, 2001 7:13 AM
> Subject: Re: Policy routing Sanity Check
>
>
> > Chuck, Larry,
> > In looking at this problem I can't see why the trace
> > would work and the ping would not. Trace and ping both use "icmp echo
> > request" with varying differences. In the original ACL you defined "ip"
as
> > the protocol to be policy routed. Try removing the icmp statement and
> > opening another session to the HUB router and run "debug ip policy" and
> then
> > ping from the Spoke from another session. Then try it with the icmp
> > statement.
> >
> > Off to take a quick look.
> >
> > Nigel.
> >
> > ----- Original Message -----
> > From: Chuck Larrieu <chuck@cl.cncdsl.com>
> > To: Larry Roberts <lroberts22@uswest.net>; CCIE_Lab Groupstudy List
> > <ccielab@groupstudy.com>
> > Sent: Saturday, March 03, 2001 3:32 AM
> > Subject: RE: Policy routing Sanity Check
> >
> >
> > > According to the Doc CD, ICMP redirects are disabled by default. But
not
> > to
> > > argue, I entered the command on both the global config and the
interface
> > in
> > > question.
> > >
> > > No dice, as shown below.
> > >
> > > Reply to request 4 (16 ms). Received packet has options
> > > Total option bytes= 40, padded length=40
> > > Record route:
> > > (10.10.2.2)
> > > (20.253.253.5)
> > > (20.254.254.5)
> > > (20.6.6.1)
> > > (20.254.254.6)
> > > (20.253.253.6)
> > > (10.10.2.1)
> > > (10.202.12.2) <*>
> > > (0.0.0.0)
> > > End of list
> > >
> > > Chuck
> > >
> > > -----Original Message-----
> > > From: Larry Roberts [mailto:lroberts22@uswest.net]
> > > Sent: Saturday, March 03, 2001 12:22 AM
> > > To: Chuck Larrieu; CCIE_Lab Groupstudy List
> > > Subject: Re: Policy routing Sanity Check
> > >
> > > Hi Chuck,
> > >
> > > Try this, turn off icmp redirects on the hub router with the following
> > > command - no ip redirects. With ping the router will redirect the icmp
> > > packets to another router if it has a better path.
> > >
> > > Hope this helps,
> > > Larry R.
> > >
> > > ----- Original Message -----
> > > From: "Chuck Larrieu" <chuck@cl.cncdsl.com>
> > > To: "CCIE_Lab Groupstudy List" <ccielab@groupstudy.com>
> > > Sent: Saturday, March 03, 2001 12:43 AM
> > > Subject: Policy routing Sanity Check
> > >
> > >
> > > > 'Cuz it ain't behaving the way I think it is supposed to.
> > > >
> > > > In my current setup I want IP traffic from my OSPF domain bound for
my
> > > EIGRP
> > > > domain to take a certain path. So on my OSPF hub router I have a
> policy
> > in
> > > > place that directs all traffic bound for the 20.0.0.0 domain to a
> > > particular
> > > > router.
> > > >
> > > > Trace takes the desired path, but ping does not. Captures using the
> > > extended
> > > > ping command, as well as the trace command results follow. Also, my
> > > relevant
> > > > configurations follow. Notice that the route-map sets the next hop
to
> > > > 10.10.5.5 Notice that the trace goes through 10.10.5.5 Notice that
> ping
> > > > goes by a completely different path.
> > > >
> > > > On the access-list, I added the first line specifying ICMP after
> > noticing
> > > > the failure of the original access-list, which consisted only of the
> > > second
> > > > line, was not working.
> > > >
> > > > OK all you comedians out there, here is my straight line for the
> > evening.:
> > > > Am I nuts or is this not working the way it is supposed to?
> > > >
> > > > Hub router relevant configuration
> > > >
> > > > interface Serial0.1 point-to-point
> > > > ip address 10.10.2.1 255.255.255.0
> > > > no ip directed-broadcast
> > > > ip policy route-map R1POLICY
> > > > frame-relay interface-dlci 102
> > > >
> > > > access-list 101 permit icmp any 20.0.0.0 0.255.255.255
> > > > access-list 101 permit ip any 20.0.0.0 0.255.255.255
> > > > route-map R1POLICY permit 10
> > > > match ip address 101
> > > > set ip next-hop 10.10.5.5
> > > >
> > > >
> > > > spoke route relevant data traces
> > > >
> > > > Router_2#trace 20.6.6.1
> > > >
> > > > Type escape sequence to abort.
> > > > Tracing the route to 20.6.6.1
> > > >
> > > > 1 10.10.2.1 4 msec 4 msec 4 msec
> > > > 2 10.10.5.5 24 msec 8 msec 8 msec
> > > > 3 20.254.254.6 12 msec * 12 msec
> > > > Router_2#
> > > >
> > > > ( one of the extended ping with record option replies - all of them
> are
> > > the
> > > > same )
> > > >
> > > > Reply to request 4 (16 ms). Received packet has options
> > > > Total option bytes= 40, padded length=40
> > > > Record route:
> > > > (10.10.2.2)
> > > > (20.253.253.5)
> > > > (20.254.254.5)
> > > > (20.6.6.1)
> > > > (20.254.254.6)
> > > > (20.253.253.6)
> > > > (10.10.2.1)
> > > > (10.202.12.2) <*>
> > > > (0.0.0.0)
> > > > End of list
> > > >
> > > > Chuck
> > > > ----------------------
> > > > I am Locutus, a CCIE Lab Proctor. Xx_Brain_dumps_xX are futile. Your
> > life
> > > as
> > > > it has been is over ( if you hope to pass ) From this time forward,
> you
> > > will
> > > > study US!
> > > > ( apologies to the folks at Star Trek TNG )
> > > >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:29:19 GMT-3