From: haducbinh (haducbinh@vnpro.org)
Date: Thu Nov 09 2006 - 04:07:03 ART
Because the ICMP ping is from your R5, the ICMP doesn't match the OUTBOUND ACL; when the ICMP
reply comes back from R7 it matches the INBOUND ACL, which denies ICMP!
You should try to ping from R2, or change the INBOUND ACL:
ip access-list extended INBOUND
 permit icmp any any
 evaluate REFLECT
Hope this works!
HaDucBinh
Mail: haducbinh@vnpro.org or haducbinh@gmail.com
Phone: +84 908 191 322
---------------------------------------------------------------------------
Vietnamese Professionals (VnPro)
Cisco Authorised Training
149/1D Ung Van Khiem Street, Ward 25, Binh Thanh District, Ho Chi Minh City
Tel: (08) 5124257 - (08) 5125314
Fax: (08) 5124314
Website: http://vnpro.vn
Support Forum: http://vnpro.org
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Udo
Sent: Thursday, November 09, 2006 1:50 PM
To: Michael Zuo
Cc: Jian Gu; Hafizur Rahman (Europe); ccielab@groupstudy.com
Subject: RE: local policy route-map not working for me
Hi GS,
I'm working with reflexive access-lists.
Right now locally generated ICMP traffic doesn't work with the access-list.
This is the topology:
R2-s2/0--------------s2/0.25-R5-f1/0----------------f1/0-R7
This is my configuration:
======================================================================
R5:
interface FastEthernet1/0
 description to Router R7
 ip address 192.168.4.5 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 duplex half
!
ip local policy route-map LOCAL
!
ip access-list extended INBOUND
 evaluate REFLECT
!
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT
 permit udp any any reflect REFLECT
 permit icmp any any reflect REFLECT
!
route-map LOCAL permit 10
 match ip address LOCAL_ICMP_TRAFFIC
 set interface FastEthernet1/0
!
ip access-list extended LOCAL_ICMP_TRAFFIC
 permit icmp any any
I also configured:
ip local policy route-map TEST
!
route-map TEST permit 10
 match ip address Local
 set interface Loopback0
When I ping from R5 to R7 I see the following in debug:
====================================
Nov 9 07:48:24.351: %SEC-6-IPACCESSLOGDP: list 197 permitted icmp
192.168.4.7 -> 192.168.4.5 (0/0), 1 packet
Nov 9 07:48:24.355: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:24.359: ICMP type=0, code=0.
Nov 9 07:48:26.315: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:26.319: ICMP type=0, code=0.
Nov 9 07:48:28.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:28.323: ICMP type=0, code=0.
Nov 9 07:48:30.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:30.323: ICMP type=0, code=0.
Nov 9 07:48:32.379: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:32.383: ICMP type=0, code=0.
===================================================================
I get an answer from R7 but the traffic is denied...
Any help for me?
Udo
On Wednesday, 08.11.2006, 16:06 -0800, Michael Zuo wrote:
> Thanks for the reply. Jian, you mentioned that my original prefix-list
> was not correct (ip prefix-list 10 seq 5 permit 142.1.0.0/24). I
> thought I was supposed to match the destination IP subnet with the
> prefix-list? It should've matched the source of the trace packets?
>
> ________________________________
>
> From: Jian Gu [mailto:guxiaojian@gmail.com]
> Sent: Wednesday, November 08, 2006 10:07 AM
> To: Michael Zuo
> Cc: Hafizur Rahman (Europe); ccielab@groupstudy.com
> Subject: Re: local policy route-map not working for me
>
> Small correction, for traceroute you do need to match UDP, your
> configuration works with ping.
>
> On 11/8/06, Jian Gu <guxiaojian@gmail.com> wrote:
>
> This configuration should work (and it works in my setup). The reason
> your original configuration did not work is not that it is a prefix
> list; it is that your prefix list was not configured correctly. When a
> Cisco IOS router does a ping it will consult its unicast routing table
> and use the outgoing interface's IP address as the ping packet's source
> IP address.
>
> On 11/7/06, Michael Zuo <mzuo@ixiacom.com> wrote:
>
> Still does not work. I changed the configuration to:
>
> ip access-list extended PING
>  permit icmp any host 142.1.0.4
> !
> route-map PING permit 10
>  match ip address PING
>  set ip next-hop 142.1.46.4
>
> still:
>
> R6(config-ext-nacl)#do trace 142.1.0.4
>
> Type escape sequence to abort.
> Tracing the route to 142.1.0.4
>
> 1 204.12.1.3 4 msec 0 msec 4 msec
> 2 142.1.0.4 32 msec * 28 msec
>
> Any ideas on how I can debug?
>
> Thanks...
>
> -----Original Message-----
> From: Hafizur Rahman (Europe) [mailto:hafizur.rahman@uk.didata.com]
> Sent: Monday, November 06, 2006 11:37 PM
> To: Michael Zuo; ccielab@groupstudy.com
> Subject: RE: local policy route-map not working for me
>
> Hi Michael
>
> Try using an extended ACL instead of a prefix list.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Michael Zuo
> Sent: 07 November 2006 07:09
> To: ccielab@groupstudy.com
> Subject: local policy route-map not working for me
>
> Hi All,
>
> I am having a problem with my local policy routing and cannot figure
> out why it is not working:
>
> Topology:
> =======
> R3, R4 and R6 form a triangle
>
> Networks:
> =======
> Between R3, R4: 142.1.34.0/24
> Between R3, R6: 204.12.1.0/24
> Between R4, R6: 142.1.46.0/24
>
> R4 also has IP address 142.1.0.4
>
> OSPF is configured in a way that a ping from R6 to 142.1.0.4 would go through
> R3 first (R3 touches area 0)
>
> I am trying to use policy routing to route ICMP from R6 directly over
> the connection between R4 and R6, which is not in OSPF
>
> Configuration
> =======
>
> R6:
>
> router ospf 1
>  log-adjacency-changes
>  network 54.1.3.6 0.0.0.0 area 3
>  network 204.12.1.6 0.0.0.0 area 3
> !
> ip local policy route-map PING
> !
> ip prefix-list 10 seq 5 permit 142.1.0.0/24
> !
> route-map PING permit 10
>  match ip address prefix-list 10
>  set ip next-hop 142.1.46.4
>
> Result
> =====
>
> R6(config)#do trace 142.1.0.4
>
> Type escape sequence to abort.
> Tracing the route to 142.1.0.4
>
>   1 204.12.1.3 0 msec 0 msec 4 msec
>   2 142.1.0.4 28 msec * 28 msec
> R6(config)#
>
> R6#sh ip loc pol
> Local policy routing is enabled, using route map PING
> route-map PING, permit, sequence 10
>   Match clauses:
>     ip address prefix-lists: 10
>   Set clauses:
>     ip next-hop 142.1.46.4
>   Policy routing matches: 5 packets, 320 bytes
>
> Which means R6 still goes through R3 first before getting to R4!! Also, the
> packet count in "sh ip loc pol" does not increase.
>
> Am I missing something obvious? How do I debug further?
>
> Thanks a bunch!!
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART