Re: Policy routing not matching ICMP in the counters?

From: Gregory Gombas (ggombas@gmail.com)
Date: Thu Aug 16 2007 - 15:15:43 ART


Interesting, at first glance I would think that locally originated
traffic would only be affected by local policy map, but that doesn't
answer why the traceroute is being policy routed...

Keep us posted if you figure out the answer...

On 8/16/07, Ben Holko <ben.holko@datacom.com.au> wrote:
> Hey all,
>
> Consider the following policy routing config:
>
>
> ip access-list extended IP_PHONES
> permit ip 10.89.8.0 0.0.1.255 10.100.57.0 0.0.0.255
> permit ip 10.89.72.0 0.0.1.255 10.100.57.0 0.0.0.255
> !
> route-map IP_PHONES permit 5
> match ip address IP_PHONES
> set ip next-hop 10.89.71.4
> !
> route-map IP_PHONES permit 10
> !
>
> And I apply policy routing on selected interfaces with "ip policy
> route-map IP_PHONES"
>
> The policy routing appears to be working when I test from the relevant
> subnet, but "show route-map" fails to include pings in the counters, but
> traceroute does increase the counters:
>
> Router1#show route-map
> route-map IP_PHONES, permit, sequence 5
> Match clauses:
> ip address (access-lists): IP_PHONES
> Set clauses:
> ip next-hop 10.89.71.4
> Policy routing matches: 9 packets, 540 bytes <----this does not
> increase with ping traffic, but it goes up with traceroute packets
> route-map IP_PHONES, permit, sequence 10
> Match clauses:
> Set clauses:
> Policy routing matches: 16 packets, 1539 bytes <---- this does not go
> up with ping packets either
> Router1#
>
>
> "debug ip policy" fails to show anything for the ICMP packets, but does
> show the traceroute packets being policy routed
>
>
> Router1#debug ip policy
>
> <move to router 2 and send some traffic which should be policy routed>
>
> Router2#ping 10.100.57.1 source 10.89.8.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.100.57.1, timeout is 2 seconds:
> Packet sent with a source address of 10.89.8.2
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> Router2#
>
> <no debug output on Router1?>
>
> <back to router2>
>
> Router2#traceroute
> Protocol [ip]:
> Target IP address: 10.100.57.1
> Source address: 10.89.8.2
> Numeric display [n]:
> Timeout in seconds [3]:
> Probe count [3]:
> Minimum Time to Live [1]:
> Maximum Time to Live [30]:
> Port Number [33434]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Type escape sequence to abort.
> Tracing the route to 10.100.57.1
>
> 1 10.89.254.1 0 msec 0 msec 0 msec
> 2 10.89.71.4 0 msec * *
> Router2#
>
>
> <yay! Debug output on router1>
>
> *Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28),
> d=10.100.57.1, len 28, policy match
> *Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
> *Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1
> (Vlan320), len 28, policy routed
> *Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
> *Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28),
> d=10.100.57.1, len 28, policy match
> *Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
> *Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1
> (Vlan320), len 28, policy routed
> *Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
> *Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28),
> d=10.100.57.1, len 28, policy match
> *Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
> *Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1
> (Vlan320), len 28, policy routed
> *Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
> Router1#
>
>
>
> Why isn't my PING traffic seemingly being policy routed?
>
> Ben
>


