From: Vincent Mashburn (vmashburn@fedex.com)
Date: Thu Nov 09 2006 - 13:09:08 ART
Even if you use the "ip local policy route-map" command, your reflexive
access-lists will not work. Reflexive and CBAC only work for traffic
passing through the router, not traffic generated by the router. Try
generating the traffic from another device.
Thanks
Vince Mashburn
Sr. Voice / Data Engineer
901-263-5072
CCVP, CCNP, CCDA, Network +
Cisco IP Telephony Support Specialist
Cisco IP Telephony Operations Specialist
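A simplified model of the reflexive-ACL behaviour Vince describes, added here as an illustration (constructed, not IOS code and not from any poster): a `reflect` entry is built only when transit traffic passes the OUTBOUND list, so the router's own ping to R7 leaves no entry and the echo reply is dropped by `evaluate`. Addresses are the thread's R5 and R7; the R2 address 192.168.25.2 is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0    # 0 for ICMP, which has no ports
    dport: int = 0

class ReflexiveFirewall:
    """Model of R5's f1/0 with the thread's two lists:
       OUTBOUND (out): permit tcp|udp|icmp any any reflect REFLECT
       INBOUND  (in) : evaluate REFLECT, then the implicit deny."""

    def __init__(self):
        self.reflect = set()  # temporary entries, keyed on the mirrored 5-tuple

    def outbound(self, pkt, transit):
        # Only traffic forwarded through the interface hits the outbound ACL.
        # Packets the router itself originates bypass it, so no entry appears.
        if not transit:
            return "sent, no reflexive entry"
        self.reflect.add(Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))
        return "sent, reflexive entry created"

    def inbound(self, pkt):
        # evaluate REFLECT: permitted only if a mirrored entry exists.
        return "permitted" if pkt in self.reflect else "access denied"

def scenarios():
    fw = ReflexiveFirewall()
    r2, r5, r7 = "192.168.25.2", "192.168.4.5", "192.168.4.7"  # r2 is constructed
    out = {}
    # Case 1: R2 pings R7 through R5. The echo request passes OUTBOUND,
    # a mirrored entry is created and the echo reply is let in.
    fw.outbound(Packet("icmp", r2, r7), transit=True)
    out["transit_reply"] = fw.inbound(Packet("icmp", r7, r2))
    # Case 2: R5 pings R7 itself. The request never traverses OUTBOUND,
    # so the reply from 192.168.4.7 hits INBOUND with no entry: "access denied",
    # matching the debug lines in the thread.
    fw.outbound(Packet("icmp", r5, r7), transit=False)
    out["local_reply"] = fw.inbound(Packet("icmp", r7, r5))
    # A transit TCP session shows the port mirroring as well.
    fw.outbound(Packet("tcp", r2, r7, 40000, 23), transit=True)
    out["transit_tcp_reply"] = fw.inbound(Packet("tcp", r7, r2, 23, 40000))
    return out
```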
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Udo
Sent: Thursday, November 09, 2006 12:50 AM
To: Michael Zuo
Cc: Jian Gu; Hafizur Rahman (Europe); ccielab@groupstudy.com
Subject: RE: local policy route-map not working for me
Hi GS,
I'm working with reflexive access-lists.
Right now locally generated ICMP traffic doesn't work with the access-list.
This is the topology:
R2-s2/0--------------s2/0.25-R5-f1/0----------------f1/0-R7
This is my configuration:
======================================================================
R5:
interface FastEthernet1/0
desc to Router R7
ip address 192.168.4.5 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex half
ip local policy route-map LOCAL
ip access-list extended INBOUND
evaluate REFLECT
ip access-list extended OUTBOUND
permit tcp any any reflect REFLECT
permit udp any any reflect REFLECT
permit icmp any any reflect REFLECT
route-map LOCAL permit 10
match ip address LOCAL_ICMP_TRAFFIC
set interface FastEthernet1/0
ip access-list extended LOCAL_ICMP_TRAFFIC
permit icmp any any
I configured:
ip local policy TEST
route-map TEST
match ip address Local
set interface Loopback 0
When I ping from R5 to R7 I get the following debug output:
======================================================================
Nov 9 07:48:24.351: %SEC-6-IPACCESSLOGDP: list 197 permitted icmp
192.168.4.7 -> 192.168.4.5 (0/0), 1 packet
Nov 9 07:48:24.355: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:24.359: ICMP type=0, code=0.
Nov 9 07:48:26.315: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:26.319: ICMP type=0, code=0.
Nov 9 07:48:28.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:28.323: ICMP type=0, code=0.
Nov 9 07:48:30.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:30.323: ICMP type=0, code=0.
Nov 9 07:48:32.379: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
len 100, access denied
Nov 9 07:48:32.383: ICMP type=0, code=0.
===================================================================
I get an answer from R7 but the traffic is denied.
Any help for me?
Udo
On Wednesday, 08.11.2006, 16:06 -0800, Michael Zuo wrote:
> Thanks for the reply. Jian, you mentioned that my original prefix-list
> was not correct (ip prefix-list 10 seq 5 permit 142.1.0.0/24). I
> thought I was supposed to match the destination IP subnet with the
> prefix-list? It should've matched the source of the trace packets?
>
> thanks
>
> ________________________________
>
> From: Jian Gu [mailto:guxiaojian@gmail.com]
> Sent: Wednesday, November 08, 2006 10:07 AM
> To: Michael Zuo
> Cc: Hafizur Rahman (Europe); ccielab@groupstudy.com
> Subject: Re: local policy route-map not working for me
>
>
>
> Small correction, for traceroute you do need to match UDP, your
> configuration works with ping.
>
> On 11/8/06, Jian Gu <guxiaojian@gmail.com> wrote:
>
> This configuration should work (and it works in my setup). The reason
> your original configuration did not work is not because it is a prefix
> list, it is because your prefix list was not configured correctly. When
> a Cisco IOS router does a ping it will consult its unicast routing table
> and use the outgoing interface's IP address as the ping packet's source
> IP address.
>
> On 11/7/06, Michael Zuo <mzuo@ixiacom.com> wrote:
>
> Still does not work, I change the configuration to:
>
> ip access-list extended PING
> permit icmp any host 142.1.0.4
> !
> route-map PING permit 10
> match ip address PING
> set ip next-hop 142.1.46.4
>
> still:
>
> R6(config-ext-nacl)#do trace 142.1.0.4
>
> Type escape sequence to abort.
> Tracing the route to 142.1.0.4
>
> 1 204.12.1.3 4 msec 0 msec 4 msec
> 2 142.1.0.4 32 msec * 28 msec
>
> Any ideas on how I can debug?
>
> Thanks...
>
> -----Original Message-----
> From: Hafizur Rahman (Europe) [mailto:hafizur.rahman@uk.didata.com]
> Sent: Monday, November 06, 2006 11:37 PM
> To: Michael Zuo; ccielab@groupstudy.com
> Subject: RE: local policy route-map not working for me
>
> Hi Michael
>
> Try using an extended ACL instead of a prefix list.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Michael Zuo
> Sent: 07 November 2006 07:09
> To: ccielab@groupstudy.com
> Subject: local policy route-map not working for me
>
> Hi All,
>
> I am having a problem with my local policy routing and can not figure
> out why it is not working:
>
> Topology:
> =======
> R3, R4 and R6 form a triangle
>
> Networks:
> =======
> Between R3, R4: 142.1.34.0/24
> Between R3, R6: 204.12.1.0/24
> Between R4, R6: 142.1.46.0/24
>
> R4 also has IP address 142.1.0.4
>
> OSPF is configured in a way that a ping from R6 to 142.1.0.4 would go
> through R3 first (R3 touches area 0)
>
> I am trying to use policy routing to route ICMP from R6 directly over
> the connection between R4 and R6, which is not in OSPF
>
> Configuration
> =======
>
> R6:
>
> router ospf 1
> log-adjacency-changes
> network 54.1.3.6 0.0.0.0 area 3
> network 204.12.1.6 0.0.0.0 area 3
>
> ip local policy route-map PING
> !
> ip prefix-list 10 seq 5 permit 142.1.0.0/24
> !
> !
> route-map PING permit 10
> match ip address prefix-list 10
> set ip next-hop 142.1.46.4
>
> Result
> =====
>
> R6(config)#do trace 142.1.0.4
>
> Type escape sequence to abort.
> Tracing the route to 142.1.0.4
>
> 1 204.12.1.3 0 msec 0 msec 4 msec
> 2 142.1.0.4 28 msec * 28 msec
> R6(config)#
>
> R6#sh ip loc pol
> Local policy routing is enabled, using route map PING
> route-map PING, permit, sequence 10
> Match clauses:
> ip address prefix-lists: 10
> Set clauses:
> ip next-hop 142.1.46.4
> Policy routing matches: 5 packets, 320 bytes
>
> Which means R6 still goes through R3 first before getting to R4!! Also, the
> packet count in "sh ip loc pol" does not increase
>
> Am I missing something obvious? How do I debug further?
>
> Thanks a bunch!!
>
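A second added model, for the local policy route-map discussion quoted above (constructed illustration, not IOS code and not from any poster): a locally generated packet is policy-routed only if it matches the route-map's ACL, so the ICMP-only list PING steers ping to 142.1.46.4 while traceroute's UDP probes fall back to the routing table and leave via R3 (204.12.1.3), which is what Jian's correction points out. The R6 source address 142.1.46.6 is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp" or "udp"
    src: str
    dst: str

def acl_match(entries, pkt):
    """entries are (proto, dst) pairs standing for 'permit <proto> any host <dst>'
    (or 'any' as dst); the first matching line permits the packet."""
    for proto, dst in entries:
        if proto in ("ip", pkt.proto) and dst in ("any", pkt.dst):
            return True
    return False

def local_policy_next_hop(pkt, policy_acl, policy_next_hop, rib_next_hop):
    """ip local policy route-map: a router-originated packet that matches the
    route-map's ACL takes 'set ip next-hop'; anything else uses the RIB."""
    return policy_next_hop if acl_match(policy_acl, pkt) else rib_next_hop

def scenarios():
    r4_lo, r4_direct, r3 = "142.1.0.4", "142.1.46.4", "204.12.1.3"
    src = "142.1.46.6"  # constructed R6 address; the ACL matches on dst only
    icmp_only = [("icmp", r4_lo)]                       # ACL PING as posted
    icmp_and_udp = [("icmp", r4_lo), ("udp", r4_lo)]    # Jian's correction
    ping = Packet("icmp", src, r4_lo)
    probe = Packet("udp", src, r4_lo)  # traceroute sends UDP probes, not ICMP
    return {
        "ping_icmp_only": local_policy_next_hop(ping, icmp_only, r4_direct, r3),
        "trace_icmp_only": local_policy_next_hop(probe, icmp_only, r4_direct, r3),
        "trace_icmp_udp": local_policy_next_hop(probe, icmp_and_udp, r4_direct, r3),
    }
```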
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART