From: Ben Holko (ben.holko@datacom.com.au)
Date: Thu Aug 16 2007 - 19:43:36 ART
I had considered this, but it doesn't explain it.
Also, it's not local policy, as the pings and traces are coming from a
remote router, not from the router which is doing the policy routing.
Any other thoughts?
Ben
From: eicc tester [mailto:reto_ccie@yahoo.com]
Sent: Friday, 17 August 2007 6:28 AM
To: Ben Holko; ccielab@groupstudy.com
Subject: Re: Policy routing not matching ICMP in the counters?
Please consider the fact that ping is based on ICMP packets only, whereas
traceroute may send UDP packets on port 33434 in order to see the
unreachables come back.
Just consider the fact that traceroute and ping may not have the same
behavior.
Ben Holko <ben.holko@datacom.com.au> wrote:
Hey all,
Consider the following policy routing config:
ip access-list extended IP_PHONES
permit ip 10.89.8.0 0.0.1.255 10.100.57.0 0.0.0.255
permit ip 10.89.72.0 0.0.1.255 10.100.57.0 0.0.0.255
!
route-map IP_PHONES permit 5
match ip address IP_PHONES
set ip next-hop 10.89.71.4
!
route-map IP_PHONES permit 10
!
And I apply policy routing on selected interfaces with "ip policy route-map IP_PHONES"
The policy routing appears to be working when I test from the relevant
subnet, but "show route-map" fails to include pings in the counters, but
traceroute does increase the counters:
Router1#show route-map
route-map IP_PHONES, permit, sequence 5
Match clauses:
ip address (access-lists): IP_PHONES
Set clauses:
ip next-hop 10.89.71.4
Policy routing matches: 9 packets, 540 bytes <---- this does not increase with ping traffic, but it goes up with traceroute packets
route-map IP_PHONES, permit, sequence 10
Match clauses:
Set clauses:
Policy routing matches: 16 packets, 1539 bytes <---- this does not go up with ping packets either
Router1#
"debug ip policy" fails to show anything for the ICMP packets, but does
show the traceroute packets being policy routed
Router1#debug ip policy
Router2#ping 10.100.57.1 source 10.89.8.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.57.1, timeout is 2 seconds:
Packet sent with a source address of 10.89.8.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router2#
Router2#traceroute
Protocol [ip]:
Target IP address: 10.100.57.1
Source address: 10.89.8.2
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.100.57.1
1 10.89.254.1 0 msec 0 msec 0 msec
2 10.89.71.4 0 msec * *
Router2#
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1, len 28, policy match
*Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1 (Vlan320), len 28, policy routed
*Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1, len 28, policy match
*Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1 (Vlan320), len 28, policy routed
*Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1, len 28, policy match
*Mar 1 01:07:12: IP: route map IP_PHONES, item 5, permit
*Mar 1 01:07:12: IP: s=10.89.8.2 (GigabitEthernet1/0/28), d=10.100.57.1 (Vlan320), len 28, policy routed
*Mar 1 01:07:12: IP: GigabitEthernet1/0/28 to Vlan320 10.89.71.4
Router1#
Why isn't my PING traffic seemingly being policy routed?
Ben
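
Added example, not part of the original thread: a small Python model of how the IP_PHONES access list and route-map quoted above classify a packet, assuming standard IOS wildcard-mask semantics in which "permit ip" matches any IP protocol. The function names and sample packets are constructed for illustration; it models matching only, not the router's counters or switching path.

```python
# Added illustration (not from the thread): models the IP_PHONES ACL and
# route-map from the post under standard IOS wildcard-mask semantics.
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard does not mask."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

# (action, protocol, src, src wildcard, dst, dst wildcard), copied from the post
IP_PHONES_ACL = [
    ("permit", "ip", "10.89.8.0", "0.0.1.255", "10.100.57.0", "0.0.0.255"),
    ("permit", "ip", "10.89.72.0", "0.0.1.255", "10.100.57.0", "0.0.0.255"),
]

def acl_permits(acl, proto, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, ace_proto, s, sw, d, dw in acl:
        proto_ok = ace_proto == "ip" or ace_proto == proto  # "ip" = any protocol
        if proto_ok and wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

def route_map_sequence(proto, src, dst):
    """Return (sequence, next_hop) that the IP_PHONES route-map selects."""
    if acl_permits(IP_PHONES_ACL, proto, src, dst):
        return 5, "10.89.71.4"   # permit 5: match ip address IP_PHONES
    return 10, None              # permit 10: no match clause, normal routing

# Constructed sample packets based on the tests described in the post
SAMPLES = [
    ("icmp", "10.89.8.2", "10.100.57.1"),   # ping echo request
    ("udp", "10.89.8.2", "10.100.57.1"),    # traceroute probe to port 33434
    ("icmp", "10.89.10.2", "10.100.57.1"),  # source outside both ACL ranges
]

if __name__ == "__main__":
    for proto, src, dst in SAMPLES:
        print(proto, src, "->", dst, route_map_sequence(proto, src, dst))
```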