Re: local policy route-map not working for me

From: Udo (ccie_groupstudy@yahoo.de)
Date: Fri Nov 10 2006 - 03:33:36 ART


This is also what I have done... I push the traffic into the Lo0, but this
doesn't work.

Udo
> Vincent is right about this. Locally generated traffic is not tagged by
> outbound access-lists. However, if you push your locally generated traffic out
> a loopback interface, this will cause the traffic to exit and then re-enter,
> appearing as transit traffic to the router.
>
>
> HTH
> DP
>
> On 11/9/06, Vincent Mashburn <vmashburn@fedex.com> wrote:
> >
> > Even if you use the "ip local policy route-map" command, your reflexive
> > access-lists will not work. Reflexive and CBAC only work for traffic
> > passing through the router, not traffic generated by the router. Try
> > generating the traffic from another device.
> > Thanks
> > Vince Mashburn
> > Sr. Voice / Data Engineer
> > 901-263-5072
> > CCVP, CCNP, CCDA, Network +
> > Cisco IP Telephony Support Specialist
> > Cisco IP Telephony Operations Specialist
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Udo
> > Sent: Thursday, November 09, 2006 12:50 AM
> > To: Michael Zuo
> > Cc: Jian Gu; Hafizur Rahman (Europe); ccielab@groupstudy.com
> > Subject: RE: local policy route-map not working for me
> >
> > Hi GS,
> >
> > I'm working with reflexive access-lists.
> > Right now locally generated ICMP traffic doesn't work with the access-list.
> > This is the topology:
> > R2-s2/0--------------s2/0.25-R5-f1/0----------------f1/0-R7
> >
> >
> > This is my configuration:
> > ======================================================================
> > R5:
> > interface FastEthernet1/0
> >  desc to Router R7
> >  ip address 192.168.4.5 255.255.255.0
> >  ip access-group INBOUND in
> >  ip access-group OUTBOUND out
> >  duplex half
> >
> > ip local policy route-map LOCAL
> >
> > ip access-list extended INBOUND
> >  evaluate REFLECT
> > ip access-list extended OUTBOUND
> >  permit tcp any any reflect REFLECT
> >  permit udp any any reflect REFLECT
> >  permit icmp any any reflect REFLECT
> >
> > route-map LOCAL permit 10
> >  match ip address LOCAL_ICMP_TRAFFIC
> >  set interface FastEthernet1/0
> >
> > ip access-list extended LOCAL_ICMP_TRAFFIC
> >  permit icmp any any
> >
> > I configure
> > ip local policy route-map TEST
> >
> > route-map TEST
> >  match ip address Local
> >  set interface Loopback 0
> > When I ping from R5 to R7 I debug the following:
> > ===================================================================
> >
> > Nov 9 07:48:24.351: %SEC-6-IPACCESSLOGDP: list 197 permitted icmp
> > 192.168.4.7 -> 192.168.4.5 (0/0), 1 packet
> > Nov 9 07:48:24.355: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> > len 100, access denied
> > Nov 9 07:48:24.359: ICMP type=0, code=0.
> > Nov 9 07:48:26.315: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> > len 100, access denied
> > Nov 9 07:48:26.319: ICMP type=0, code=0.
> > Nov 9 07:48:28.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> > len 100, access denied
> > Nov 9 07:48:28.323: ICMP type=0, code=0.
> > Nov 9 07:48:30.319: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> > len 100, access denied
> > Nov 9 07:48:30.323: ICMP type=0, code=0.
> > Nov 9 07:48:32.379: IP: s=192.168.4.7 (FastEthernet1/0), d=192.168.4.5,
> > len 100, access denied
> > Nov 9 07:48:32.383: ICMP type=0, code=0.
> > ===================================================================
> > I get an answer from R7, but the traffic is denied.
> >
> > Any help for me ?
> >
> > Udo
> >
> > On Wednesday, 08.11.2006, 16:06 -0800, Michael Zuo wrote:
> > > Thanks for the reply. Jian, you mentioned that my original prefix-list
> > > was not correct (ip prefix-list 10 seq 5 permit 142.1.0.0/24). I
> > > thought I was supposed to match the destination IP subnet with the
> > > prefix-list? It should've matched the source of the trace packets?
> > >
> > > thanks
> > >
> > > ________________________________
> > >
> > > From: Jian Gu [mailto:guxiaojian@gmail.com]
> > > Sent: Wednesday, November 08, 2006 10:07 AM
> > > To: Michael Zuo
> > > Cc: Hafizur Rahman (Europe); ccielab@groupstudy.com
> > > Subject: Re: local policy route-map not working for me
> > >
> > > Small correction, for traceroute you do need to match UDP, your
> > > configuration works with ping.
> > >
> > > On 11/8/06, Jian Gu <guxiaojian@gmail.com> wrote:
> > >
> > > This configuration should work (and it works in my setup); the reason
> > > your original configuration did not work is not because it is a prefix
> > > list, it is because your prefix list was not configured correctly. When a
> > > Cisco IOS router does a ping it will consult its unicast routing table
> > > and use the IP address of the outgoing interface as the ping
> > > packet's source IP address.
> > >
> > > On 11/7/06, Michael Zuo <mzuo@ixiacom.com> wrote:
> > >
> > > Still does not work, I change the configuration to:
> > >
> > > ip access-list extended PING
> > > permit icmp any host 142.1.0.4
> > > !
> > > route-map PING permit 10
> > > match ip address PING
> > > set ip next-hop 142.1.46.4
> > >
> > > still:
> > >
> > > R6(config-ext-nacl)#do trace 142.1.0.4
> > >
> > > Type escape sequence to abort.
> > > Tracing the route to 142.1.0.4
> > >
> > > 1 204.12.1.3 4 msec 0 msec 4 msec
> > > 2 142.1.0.4 32 msec * 28 msec
> > >
> > > Any ideas on how I can debug?
> > >
> > > Thanks...
> > >
> > > -----Original Message-----
> > > From: Hafizur Rahman (Europe) [mailto:hafizur.rahman@uk.didata.com]
> > > Sent: Monday, November 06, 2006 11:37 PM
> > > To: Michael Zuo; ccielab@groupstudy.com
> > > Subject: RE: local policy route-map not working for me
> > >
> > > Hi Michael
> > >
> > > Try using extended ACl instead of prefix list
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > Michael Zuo
> > > Sent: 07 November 2006 07:09
> > > To: ccielab@groupstudy.com
> > > Subject: local policy route-map not working for me
> > >
> > > Hi All,
> > >
> > > I am having a problem with my local policy routing and can not figure
> > > out why it is not working:
> > >
> > > Topology:
> > > =======
> > > R3, R4 and R6 form a triangle
> > >
> > > Networks:
> > > =======
> > > Between R3, R4: 142.1.34.0/24
> > > Between R3, R6: 204.12.1.0/24
> > > Between R4, R6: 142.1.46.0/24
> > >
> > > R4 also has IP address 142.1.0.4
> > >
> > > OSPF is configured in a way that ping from R6 to 142.1.0.4 would go through
> > > R3 first (R3 touches area 0)
> > >
> > > I am trying to use policy routing to route ICMP from R6 directly over
> > > the connection between R4 and R6 which is not in OSPF
> > >
> > > Configuration
> > > =======
> > >
> > > R6:
> > >
> > > router ospf 1
> > >  log-adjacency-changes
> > >  network 54.1.3.6 0.0.0.0 area 3
> > >  network 204.12.1.6 0.0.0.0 area 3
> > >
> > > ip local policy route-map PING
> > > !
> > > ip prefix-list 10 seq 5 permit 142.1.0.0/24
> > > !
> > > !
> > > route-map PING permit 10
> > >  match ip address prefix-list 10
> > >  set ip next-hop 142.1.46.4
> > >
> > > Result
> > > =====
> > >
> > > R6(config)#do trace 142.1.0.4
> > >
> > > Type escape sequence to abort.
> > > Tracing the route to 142.1.0.4
> > >
> > >   1 204.12.1.3 0 msec 0 msec 4 msec
> > >   2 142.1.0.4 28 msec * 28 msec
> > > R6(config)#
> > >
> > > R6#sh ip loc pol
> > > Local policy routing is enabled, using route map PING
> > > route-map PING, permit, sequence 10
> > >   Match clauses:
> > >     ip address prefix-lists: 10
> > >   Set clauses:
> > >     ip next-hop 142.1.46.4
> > >   Policy routing matches: 5 packets, 320 bytes
> > >
> > > Which means R6 still goes through R3 first before getting to R4!! Also, the
> > > packet count in "sh ip loc pol" does not increase
> > >
> > > Am I missing something obvious? How do I debug further?
> > >
> > > Thanks a bunch!!
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
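Written out below is the R5 configuration that DP's suggestion amounts to, as an added example; it is not a configuration posted by anyone in this thread. It reuses R5's addressing from Udo's post (192.168.4.5 on Fa1/0, R7 at 192.168.4.7) and assumes a Loopback0 address of 10.255.255.1/32 chosen here. The idea is the one DP describes: locally generated ICMP is policy-routed out Loopback0, re-enters the router and is then forwarded out Fa1/0 as transit traffic, where the reflexive ACL can create its temporary entry. Udo reports above that pushing the traffic into Lo0 did not work in his lab, so the show and debug commands at the end are the checks that tell you whether the local policy is matching and whether a REFLECT entry is ever created.

```cisco
! R5 (added example). Loopback0's address is an assumption for this example.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet1/0
 description to Router R7
 ip address 192.168.4.5 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! Return traffic from R7 is only permitted while a reflexive entry exists.
! The explicit deny with "log" makes the drops visible in the log instead of
! relying on the silent implicit deny.
ip access-list extended INBOUND
 evaluate REFLECT
 deny ip any any log
!
! Sessions leaving Fa1/0 create the temporary REFLECT entries.
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT
 permit udp any any reflect REFLECT
 permit icmp any any reflect REFLECT
!
! Match only the router's own ICMP toward R7. A "permit icmp any any" here
! would also divert every other router-generated ICMP packet (for example
! toward R2 on s2/0) through Loopback0.
ip access-list extended LOCAL_TO_R7
 permit icmp any host 192.168.4.7
!
! Send the matched local traffic out Loopback0 so it re-enters as transit
! traffic and is then routed out Fa1/0 through the OUTBOUND list.
route-map LOCAL permit 10
 match ip address LOCAL_TO_R7
 set interface Loopback0
!
! Only one route-map can be attached with this command; applying a second
! one (such as TEST in the thread) replaces LOCAL rather than adding to it.
ip local policy route-map LOCAL
!
! Checks after "ping 192.168.4.7" from R5:
!   show route-map LOCAL          -> "Policy routing matches" counter increments
!   show ip access-lists REFLECT  -> temporary icmp entry 192.168.4.7 -> 192.168.4.5
!   debug ip policy               -> "policy match" / "policy routed" per packet
!   show logging                  -> INBOUND deny entries if the reply is still dropped
```

If "show route-map LOCAL" shows no matches at all, the local policy is not being consulted for the ping and the problem is upstream of the loopback trick; if it matches but "show ip access-lists REFLECT" never gains an entry, the looped packet is not passing the OUTBOUND list as transit traffic on that IOS release.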

                



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART