From: Udo (ccie_groupstudy@yahoo.de)
Date: Thu Nov 09 2006 - 03:50:21 ART
Hi GS,
I'm working with reflexive access-lists.
Right now locally generated ICMP traffic doesn't work with the access-list.
This is the topology:
R2-s2/0--------------s2/0.25-R5-f1/0----------------f1/0-R7
This is my configuration:
======================================================================
R5:
interface FastEthernet1/0
desc to Router R7
ip address 192.168.4.5 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex half
ip local policy route-map LOCAL
ip access-list extended INBOUND
evaluate REFLECT
ip access-list extended OUTBOUND
permit tcp any any reflect REFLECT
permit udp any any reflect REFLECT
permit icmp any any reflect REFLECT
route-map LOCAL permit 10
match ip address LOCAL_ICMP_TRAFFIC
set interface FastEthernet1/0
ip access-list extended LOCAL_ICMP_TRAFFIC
permit icmp any any
I configure
ip local policy TEST
route-map TEST
match ip address Local
set interface Loopback 0
When I ping from R5 to R7 the debug shows the following:
======================================================================
Nov 9 07:48:24.351: %SEC-6-IPACCESSLOGDP: list 197 permitted icmp
192.168.4.7 -> 192.168.4.5 (0/0), 1 packet
Nov 9 07:48:24.355: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:24.359: ICMP type=0, code=0.
Nov 9 07:48:26.315: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:26.319: ICMP type=0, code=0.
Nov 9 07:48:28.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:28.323: ICMP type=0, code=0.
Nov 9 07:48:30.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:30.323: ICMP type=0, code=0.
Nov 9 07:48:32.379: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:32.383: ICMP type=0, code=0.
===================================================================
I get an answer from R7 but the traffic is denied.
Any help for me?
Udo
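As an added illustration, not part of Udo's post and not IOS code, the following Python model shows the mechanism behind the "access denied" lines in the debug above: `evaluate` only permits a packet that mirrors an entry some `reflect` statement recorded, so if the router-originated echo never passes through the OUTBOUND access-group there is no entry for the echo-reply. The addresses are taken from the thread; the entry format and the ping_exchange helper are simplifying assumptions.

```python
# Added model (not IOS code) of a reflect/evaluate ACL pair. Addresses mirror
# the thread (R5 = 192.168.4.5, R7 = 192.168.4.7); the entry format is a
# simplification of what IOS keeps for a reflexive access-list.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # 0 for icmp (no ports)
    dport: int = 0

@dataclass
class ReflexiveAcl:
    """Temporary entries created by 'reflect' and consulted by 'evaluate'."""
    entries: set = field(default_factory=set)

    def reflect(self, pkt: Packet) -> None:
        # Mirror entry: source/destination swapped so the return traffic matches.
        self.entries.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))

    def evaluate(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries

def outbound(acl: ReflexiveAcl, pkt: Packet) -> bool:
    """OUTBOUND: permit tcp/udp/icmp any any reflect REFLECT."""
    if pkt.proto in ("tcp", "udp", "icmp"):
        acl.reflect(pkt)
        return True
    return False  # implicit deny

def inbound(acl: ReflexiveAcl, pkt: Packet) -> bool:
    """INBOUND: evaluate REFLECT, then implicit deny."""
    return acl.evaluate(pkt)

def ping_exchange(echo_passes_outbound_acl: bool) -> bool:
    """True if R7's echo-reply (type 0) gets back into R5 through INBOUND."""
    acl = ReflexiveAcl()
    echo = Packet("icmp", "192.168.4.5", "192.168.4.7")
    if echo_passes_outbound_acl:
        outbound(acl, echo)  # transit-style path: the reflect entry is created
    # otherwise the router-originated echo never touched the access-group
    reply = Packet("icmp", "192.168.4.7", "192.168.4.5")
    return inbound(acl, reply)
```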
On Wednesday, 08.11.2006, 16:06 -0800, Michael Zuo wrote:
> Thanks for the reply. Jian, you mentioned that my original prefix-list
> was not correct (ip prefix-list 10 seq 5 permit 142.1.0.0/24). I
> thought I was supposed to match the destination IP subnet with the
> prefix-list? It should've matched the source of the trace packets?
>
> thanks
>
> ________________________________
>
> From: Jian Gu [mailto:guxiaojian@gmail.com]
> Sent: Wednesday, November 08, 2006 10:07 AM
> To: Michael Zuo
> Cc: Hafizur Rahman (Europe); ccielab@groupstudy.com
> Subject: Re: local policy route-map not working for me
>
> Small correction, for traceroute you do need to match UDP, your
> configuration works with ping.
>
> On 11/8/06, Jian Gu <guxiaojian@gmail.com> wrote:
>
> This configuration should work (and it works in my setup); the reason
> your original configuration did not work is not because it is a prefix
> list, it is because your prefix list was not configured correctly. When
> a Cisco IOS router does a ping it will consult its unicast routing table
> and use the IP address of the outgoing interface as the ping
> packet's source IP address.
>
> On 11/7/06, Michael Zuo <mzuo@ixiacom.com> wrote:
>
> Still does not work, I changed the configuration to:
>
> ip access-list extended PING
> permit icmp any host 142.1.0.4
> !
> route-map PING permit 10
> match ip address PING
> set ip next-hop 142.1.46.4
>
> still:
>
> R6(config-ext-nacl)#do trace 142.1.0.4
>
> Type escape sequence to abort.
> Tracing the route to 142.1.0.4
>
> 1 204.12.1.3 4 msec 0 msec 4 msec
> 2 142.1.0.4 32 msec * 28 msec
>
> Any ideas on how I can debug?
>
> Thanks...
>
> -----Original Message-----
> From: Hafizur Rahman (Europe) [mailto:hafizur.rahman@uk.didata.com]
> Sent: Monday, November 06, 2006 11:37 PM
> To: Michael Zuo; ccielab@groupstudy.com
> Subject: RE: local policy route-map not working for me
>
> Hi Michael
>
> Try using an extended ACL instead of a prefix list
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Michael Zuo
> Sent: 07 November 2006 07:09
> To: ccielab@groupstudy.com
> Subject: local policy route-map not working for me
>
> Hi All,
>
> I am having a problem with my local policy routing and cannot figure
> out why it is not working:
>
> Topology:
> =======
> R3, R4 and R6 form a triangle
>
> Networks:
> =======
> Between R3, R4: 142.1.34.0/24
> Between R3, R6: 204.12.1.0/24
> Between R4, R6: 142.1.46.0/24
>
> R4 also has IP address 142.1.0.4
>
> OSPF is configured in a way that a ping from R6 to 142.1.0.4 would go through
> R3 first (R3 touches area 0)
>
> I am trying to use policy routing to route ICMP from R6 directly over
> the connection between R4 and R6 which is not in OSPF
>
> Configuration
> =======
>
> R6:
>
> router ospf 1
>  log-adjacency-changes
>  network 54.1.3.6 0.0.0.0 area 3
>  network 204.12.1.6 0.0.0.0 area 3
> !
> ip local policy route-map PING
> !
> ip prefix-list 10 seq 5 permit 142.1.0.0/24
> !
> route-map PING permit 10
>  match ip address prefix-list 10
>  set ip next-hop 142.1.46.4
>
> Result
> =====
>
> R6(config)#do trace 142.1.0.4
>
> Type escape sequence to abort.
> Tracing the route to 142.1.0.4
>
>   1 204.12.1.3 0 msec 0 msec 4 msec
>   2 142.1.0.4 28 msec * 28 msec
> R6(config)#
>
> R6#sh ip loc pol
> Local policy routing is enabled, using route map PING
> route-map PING, permit, sequence 10
>   Match clauses:
>     ip address prefix-lists: 10
>   Set clauses:
>     ip next-hop 142.1.46.4
>   Policy routing matches: 5 packets, 320 bytes
>
> Which means R6 still goes through R3 first before getting to R4!! Also, the
> packet count in "sh ip loc pol" does not increase
>
> Am I missing something obvious? How do I debug further?
>
> Thanks a bunch!!
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART