RE: Interpreting Traceroute results - Follow-up

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jun 21 2005 - 22:19:19 GMT-3


George,

I hear what you're saying but that doesn't really make sense to me.

When going from the loopback int to the atm int on the same router, there's
no real pvc over which the packet is transiting - it's just internal router
circuitry.

But, maybe you're right - at least adding the static map worked. I wonder
what would happen if the atm pvc was configured as a p2p sub-int or if
dynamic mapping were used. I suppose then no extra configuration would be
needed. Do you agree?

Thanks, Tim

-----Original Message-----
From: George Cassels [mailto:glcassels3@nc.rr.com]
Sent: Tuesday, June 21, 2005 9:03 PM
To: 'ccie2be'; 'Group Study'
Subject: RE: Interpreting Traceroute results - Follow-up

Yep, think about it: if you need an L2 to L3 mapping to ping the local
router's IP, you would also need one to route to an IP even though it is on
the same router. You see that encap fail message all the time... or at
least I do, because I forgot my L2 to L3 mapping.

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Tuesday, June 21, 2005 7:45 PM
To: 'George Cassels'; 'Group Study'
Subject: RE: Interpreting Traceroute results - Follow-up

Hi George,

Thanks for getting back to me on this.

Are you talking about when the outbound packet goes from the loopback
int to the atm int on the same router?

And, for this L3 to L2 mapping is needed?

TIA, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
George Cassels
Sent: Tuesday, June 21, 2005 7:53 PM
To: 'ccie2be'; 'Group Study'
Subject: RE: Interpreting Traceroute results - Follow-up

Tim,

     I would say this is just like when you need to ping the local IP
address on an interface such as frame, ATM or ISDN. You still have to
have some kind of layer 2 to layer 3 mapping. It is the same thing
here. You have your destination set to 54.1.1.6 if there is no mapping
you ain't gonna get to it...

George

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Tuesday, June 21, 2005 4:14 PM
To: Group Study
Subject: FW: Interpreting Traceroute results - Follow-up

Hi guys,

I found and fixed the problem.

I don't know why this solution worked but it did.

The reflexive acl on R6 was configured on an ATM interface using a
static map to the remote router.

I enabled debug ip packet and saw a few encap failed messages on the ATM
int.

09:37:30: IP: local to Loopback0 54.1.1.254
09:37:30: IP: s=150.1.6.6 (local), d=54.1.1.6, len 56, cef process switched
09:37:30: IP: s=150.1.6.6 (local), d=54.1.1.6 (ATM0), len 56, sending
09:37:30: IP: s=150.1.6.6 (local), d=54.1.1.6 (ATM0), len 56, encapsulation failed

So, I added another static map to R6's own ip address in the ATM int.

interface ATM0
 ip address 54.1.1.6 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 CISCO
 pvc 0/101
  protocol ip 54.1.1.254 broadcast
  protocol ip 54.1.1.6 broadcast
 !
 no atm ilmi-keepalive

And, then all worked fine.

On R3, the reflexive acl was configured on an Ethernet interface.

Can anyone explain why I got the encap failed message before I
configured a static map to R6's own atm interface?

TIA, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Tuesday, June 21, 2005 4:48 PM
To: Group Study
Subject: Interpreting Traceroute results

Hi guys,
 
I'm playing around with reflexive acl's.
 
I configured R6 to policy locally generated traffic to the loopback so
that the reflexive acl would pick it up.
 
When I Traceroute to the remote router, this is what happens.
 
R6#traceroute 54.1.1.254
 
Type escape sequence to abort.
Tracing the route to 54.1.1.254
 
  1 * * *
  2 54.1.1.254 0 msec * 0 msec
 
How can the second line show success when the first line shows failure?
 
 
You can see that the policy routing is working in this debug:
 
09:07:48: IP: s=54.1.1.6 (local), d=54.1.1.254, len 28, policy match
09:07:48: IP: route map POLICY, item 10, permit
09:07:48: IP: s=54.1.1.6 (local), d=54.1.1.254 (Loopback0), len 28, policy routed
09:07:48: IP: local to Loopback0 54.1.1.254
09:07:51: IP: s=54.1.1.6 (local), d=54.1.1.254, len 28, policy match
09:07:51: IP: route map POLICY, item 10, permit
09:07:51: IP: s=54.1.1.6 (local), d=54.1.1.254 (Loopback0), len 28, policy routed
09:07:51: IP: local to Loopback0 54.1.1.254
09:07:54: IP: s=54.1.1.6 (local), d=54.1.1.254, len 28, policy match
09:07:54: IP: route map POLICY, item 10, permit
09:07:54: IP: s=54.1.1.6 (local), d=54.1.1.254 (Loopback0), len 28, policy routed
 
 
When I use the same exact config on a different router, the results are
different. (I copied the acl's from R6 to R3.)
 
Extended IP access list INBOUND
    10 evaluate OK
    15 permit eigrp any any (326 matches)
    20 permit icmp any any port-unreachable (24 matches)
    30 permit icmp any any ttl-exceeded (12 matches)
    40 permit icmp any any time-exceeded
    50 permit icmp any any unreachable
    60 deny icmp any any
    70 deny ip any any
Reflexive IP access list OK
     permit udp host 204.12.1.254 eq 33439 host 204.12.1.3 eq 38750 (1 match) (time left 85)
     permit udp host 204.12.1.254 eq 33438 host 204.12.1.3 eq 33418 (1 match) (time left 82)
     permit udp host 204.12.1.254 eq 33437 host 204.12.1.3 eq 40985 (1 match) (time left 82)
Extended IP access list OUTBOUND
    10 permit icmp any any reflect OK
    20 permit eigrp any any reflect OK
    30 permit udp any any reflect OK
    40 deny ip any any
 
R3#traceroute 204.12.1.254
 
Type escape sequence to abort.
Tracing the route to 204.12.1.254
 
  1 150.1.3.3 4 msec 4 msec 4 msec
  2 204.12.1.254 8 msec * 4 msec
R3#
 
Can anyone explain why R6 is timing out but R3 isn't?
 
Except for the ip addresses, the debug is the exact same on both
routers.
 
Also, I noticed that after doing a Traceroute, the acl showed only
matches on port-unreachable and ttl-exceeded so it looks to me that
those are the correct icmp types to use to allow Traceroute even though
I've seen others say differently.
 
TIA, Tim
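
Added example, not part of the original thread: a small Python check that cross-references the "encapsulation failed" lines from debug ip packet with the "protocol ip" static maps on the egress interface, and flags the case Tim hit, where the unmapped destination is the interface's own address. The function names and the pre-fix config are assumptions; the debug lines and the post-fix mapping come from the thread.

```python
import re

# Assumed pre-fix config, reconstructed from the thread: only the remote peer is mapped.
CONFIG_BEFORE = """\
interface ATM0
 ip address 54.1.1.6 255.255.255.0
 pvc 0/101
  protocol ip 54.1.1.254 broadcast
"""
# Post-fix mapping as posted in the thread (ACL and EIGRP lines left out).
CONFIG_AFTER = CONFIG_BEFORE + "  protocol ip 54.1.1.6 broadcast\n"
# Debug lines from the thread, with the e-mail line wraps joined.
DEBUG = """\
09:37:30: IP: s=150.1.6.6 (local), d=54.1.1.6, len 56, cef process switched
09:37:30: IP: s=150.1.6.6 (local), d=54.1.1.6 (ATM0), len 56, sending
09:37:30: IP: s=150.1.6.6 (local), d=54.1.1.6 (ATM0), len 56, encapsulation failed
"""
ENCAP_FAIL = re.compile(r"d=(\d+\.\d+\.\d+\.\d+) \((\S+)\), len \d+, encapsulation failed")

def parse_interfaces(config):
    """Map interface name -> its own IP address and its 'protocol ip' targets."""
    interfaces, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level line opens or closes a stanza
            is_if = words[0] == "interface" and len(words) > 1
            current = interfaces.setdefault(
                words[1], {"address": None, "maps": set()}) if is_if else None
        elif current is not None and len(words) >= 3:
            if words[:2] == ["ip", "address"]:
                current["address"] = words[2]
            elif words[:2] == ["protocol", "ip"]:
                current["maps"].add(words[2])
    return interfaces

def unmapped_failures(config, debug):
    """Return (interface, destination, is_own_address) per unmapped encap failure."""
    interfaces = parse_interfaces(config)
    findings = []
    for dest, ifname in ENCAP_FAIL.findall(debug):
        iface = interfaces.get(ifname)
        if iface is None or dest in iface["maps"]:
            continue  # unknown interface, or a static map already covers it
        finding = (ifname, dest, dest == iface["address"])
        if finding not in findings:  # report each destination once
            findings.append(finding)
    return findings
```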



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3