Re: Policy routing not matching ICMP in the counters?

From: eicc tester (reto_ccie@yahoo.com)
Date: Thu Aug 16 2007 - 17:28:22 ART


Please consider the fact that ping is based on ICMP packets only, whereas traceroute may send UDP packets to port 33434 in order to see the unreachables come back.

Just consider the fact that traceroute and ping may not have the same behavior.

Ben Holko <ben.holko@datacom.com.au> wrote:
  Hey all,

Consider the following policy routing config:

ip access-list extended IP_PHONES
permit ip 10.89.8.0 0.0.1.255 10.100.57.0 0.0.0.255
permit ip 10.89.72.0 0.0.1.255 10.100.57.0 0.0.0.255
!
route-map IP_PHONES permit 5
match ip address IP_PHONES
set ip next-hop 10.89.71.4
!
route-map IP_PHONES permit 10
!

And I apply policy routing on selected interfaces with "ip policy
route-map IP_PHONES"

The policy routing appears to be working when I test from the relevant
subnet, but "show route-map" fails to include pings in the counters, but
traceroute does increase the counters:

Router1#show route-map
route-map IP_PHONES, permit, sequence 5
Match clauses:
ip address (access-lists): IP_PHONES
Set clauses:
ip next-hop 10.89.71.4
Policy routing matches: 9 packets, 540 bytes <----this does not
increase with ping traffic, but it goes up with traceroute packets
route-map IP_PHONES, permit, sequence 10
Match clauses:
Set clauses:
Policy routing matches: 16 packets, 1539 bytes <---- this does not go
up with ping packets either
Router1#

"debug ip policy" fails to show anything for the ICMP packets, but does
show the traceroute packets being policy routed

Router1#debug ip policy

Router2#ping 10.100.57.1 source 10.89.8.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.57.1, timeout is 2 seconds:
Packet sent with a source address of 10.89.8.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router2#

Router2#traceroute
Protocol [ip]:
Target IP address: 10.100.57.1
Source address: 10.89.8.2
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.100.57.1

1 10.89.254.1 0 msec 0 msec 0 msec
2 10.89.71.4 0 msec * *
Router2#

*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28),
d=10.100.57.1, len 28, policy match
*Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1
(Vlan320), len 28, policy routed
*Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28),
d=10.100.57.1, len 28, policy match
*Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1
(Vlan320), len 28, policy routed
*Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28),
d=10.100.57.1, len 28, policy match
*Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1
(Vlan320), len 28, policy routed
*Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
Router1#

Why isn't my PING traffic seemingly being policy routed?

Ben
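
Added example (not part of the original thread, and not code from either poster): a small Python model of the IP_PHONES access list and route-map match logic exactly as configured above, evaluated against constructed ping (ICMP) and traceroute (UDP) packets. The function names are hypothetical, and the model covers only the configured match semantics, not how the router forwards packets or updates its counters.

```python
import ipaddress

# ACL entries copied from the IP_PHONES access list in the message above:
# (action, protocol, source, source wildcard, destination, destination wildcard)
IP_PHONES = [
    ("permit", "ip", "10.89.8.0", "0.0.1.255", "10.100.57.0", "0.0.0.255"),
    ("permit", "ip", "10.89.72.0", "0.0.1.255", "10.100.57.0", "0.0.0.255"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(acl, proto, src, dst):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, ace_proto, s, sw, d, dw in acl:
        # The keyword 'ip' in an extended ACL entry covers every IP protocol.
        if ace_proto not in ("ip", proto):
            continue
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def route_map_sequence(proto, src, dst):
    """Which sequence of route-map IP_PHONES the configured logic selects."""
    if acl_action(IP_PHONES, proto, src, dst) == "permit":
        return 5   # match ip address IP_PHONES, set ip next-hop 10.89.71.4
    return 10      # empty permit clause: matches everything, sets nothing

if __name__ == "__main__":
    # Constructed sample packets (protocol, source, destination).
    samples = [
        ("icmp", "10.89.8.2", "10.100.57.1"),    # the ping from the thread
        ("udp", "10.89.8.2", "10.100.57.1"),     # the traceroute probe
        ("icmp", "10.89.9.200", "10.100.57.1"),  # still inside 0.0.1.255
        ("icmp", "10.89.10.1", "10.100.57.1"),   # outside the source range
        ("udp", "10.89.8.2", "10.100.58.1"),     # outside the destination range
    ]
    for proto, src, dst in samples:
        seq = route_map_sequence(proto, src, dst)
        print(f"{proto:4} {src:12} -> {dst:12} sequence {seq}")
```
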


