From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Thu Sep 06 2007 - 08:48:40 ART
Hi Guys,
So here I am trying to PBR locally generated traffic so that I can
have a hit on my reflexive access list... I just don't seem to have
it working!
Please see below; any help will be highly appreciated... thanks
R4#sh run | i policy|route-map|access|set|match|permit|evaluate
interface FastEthernet0/0
 ip access-group INACL in
 ip access-group OUTACL out
ip local policy route-map LOCAL
ip access-list extended INACL
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit udp any any eq rip
 evaluate REFLECT
ip access-list extended OUTACL
 permit tcp any any reflect REFLECT
 permit udp any any reflect REFLECT
 permit icmp any any reflect REFLECT
access-list 100 permit tcp any any eq telnet
access-list 100 permit icmp any any
route-map LOCAL permit 10
 match ip address 100
 set interface Loopback0
R4#sh access-lists
Extended IP access list 100
    10 permit tcp any any eq telnet (28 matches)
    20 permit icmp any any (73 matches)
Extended IP access list INACL
    10 permit tcp any any eq bgp
    20 permit tcp any eq bgp any (42 matches)
    30 permit udp any any eq rip (174 matches)
    40 evaluate REFLECT
Extended IP access list OUTACL
    10 permit tcp any any reflect REFLECT (34 matches)
    20 permit udp any any reflect REFLECT
    30 permit icmp any any reflect REFLECT
Reflexive IP access list REFLECT
R4#ping 204.12.1.254 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
*Sep 6 12:00:33.425: ICMP: dst (204.12.1.4) administratively prohibited unreachable sent to 204.12.1.254.
Success rate is 0 percent (0/1)
Traffic from others behind this router seems to pass through fine,
indicating that my reflection works fine. But the locally generated
telnet or ping traffic, having been policy routed to the loopback so
that I can get a hit on the reflection, just can't seem to work.
When I make static entries in the INACL, allowing telnet and ICMP to
come in explicitly, it works... but I want to try the PBR option here
as a matter of choice.
Thanks
Sadiq
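The dependency the post is fighting is visible in the counters: the echo-reply from 204.12.1.254 can only get past INACL through a temporary REFLECT entry, and that entry is only created when the outgoing echo is evaluated by the "reflect" ACE on OUTACL, whose ICMP line shows no matches while the REFLECT list is empty. The following toy model of reflexive ACL evaluation is an added example, not IOS code and not part of the post; the ACEs mirror the INACL/OUTACL configuration above, the addresses 204.12.1.4 and 204.12.1.254 come from the post, and the inside host 10.1.1.10 and the BGP source port are constructed. It shows the dependency only; it does not say why the policy-routed packets on R4 miss OUTACL.

```python
"""Toy model of an IOS-style reflexive ACL (constructed illustration, not Cisco code).

An ACE is a dict; a packet is a 5-tuple; the reflexive list is a set of
reply tuples recorded whenever an outbound packet hits a 'reflect' ACE.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for icmp, which carries no ports in this model
    dport: int = 0


def _tuple(pkt):
    return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)


def _reply_tuple(pkt):
    """The 5-tuple a reply to pkt will carry: addresses and ports swapped."""
    return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)


def _ace_matches(ace, pkt):
    """An ACE matches when every field it constrains equals the packet's field."""
    for field in ("proto", "sport", "dport"):
        if field in ace and ace[field] != getattr(pkt, field):
            return False
    return True


class ReflexiveAcl:
    def __init__(self, in_acl, out_acl):
        self.in_acl, self.out_acl = in_acl, out_acl
        self.reflect = {}   # reflexive list name -> set of expected reply tuples

    def outbound(self, pkt):
        """Evaluate the outbound ACL; a permit on a 'reflect' ACE records the reply."""
        for ace in self.out_acl:
            if _ace_matches(ace, pkt):
                if ace["action"] == "permit" and "reflect" in ace:
                    self.reflect.setdefault(ace["reflect"], set()).add(_reply_tuple(pkt))
                return ace["action"] == "permit"
        return False        # implicit deny at the end of the list

    def inbound(self, pkt):
        """Evaluate the inbound ACL; 'evaluate' consults the temporary entries."""
        for ace in self.in_acl:
            if ace["action"] == "evaluate":
                if _tuple(pkt) in self.reflect.get(ace["name"], set()):
                    return True
                continue    # no temporary entry: fall through to later ACEs
            if _ace_matches(ace, pkt):
                return ace["action"] == "permit"
        return False


# Mirror of the post's ACLs (bgp = tcp/179, rip = udp/520).
INACL = [
    {"action": "permit", "proto": "tcp", "dport": 179},   # permit tcp any any eq bgp
    {"action": "permit", "proto": "tcp", "sport": 179},   # permit tcp any eq bgp any
    {"action": "permit", "proto": "udp", "dport": 520},   # permit udp any any eq rip
    {"action": "evaluate", "name": "REFLECT"},            # evaluate REFLECT
]
OUTACL = [
    {"action": "permit", "proto": "tcp", "reflect": "REFLECT"},
    {"action": "permit", "proto": "udp", "reflect": "REFLECT"},
    {"action": "permit", "proto": "icmp", "reflect": "REFLECT"},
]

ROUTER, PEER = "204.12.1.4", "204.12.1.254"   # addresses from the post
HOST = "10.1.1.10"                            # constructed inside host


def transit_ping_reply_allowed():
    """Host behind R4 pings the peer: the echo traverses OUTACL, so its reply is let in."""
    fw = ReflexiveAcl(INACL, OUTACL)
    fw.outbound(Packet("icmp", HOST, PEER))
    return fw.inbound(Packet("icmp", PEER, HOST))


def router_ping_reply_allowed(outbound_acl_applied):
    """R4 pings the peer itself; the reply passes only if the echo was seen by OUTACL."""
    fw = ReflexiveAcl(INACL, OUTACL)
    if outbound_acl_applied:
        fw.outbound(Packet("icmp", ROUTER, PEER))
    return fw.inbound(Packet("icmp", PEER, ROUTER))


def bgp_open_allowed():
    """A static INACL entry permits BGP inbound with no reflexive entry at all."""
    fw = ReflexiveAcl(INACL, OUTACL)
    return fw.inbound(Packet("tcp", PEER, ROUTER, sport=40000, dport=179))


if __name__ == "__main__":
    print("transit ping reply:", transit_ping_reply_allowed())            # True
    print("router ping reply, OUTACL skipped:", router_ping_reply_allowed(False))  # False
    print("router ping reply, OUTACL applied:", router_ping_reply_allowed(True))   # True
    print("bgp open from peer:", bgp_open_allowed())                      # True
```

The second scenario reproduces what the ping output shows: with no REFLECT entry the echo-reply falls off the end of INACL and is denied, which is why the static ICMP and telnet entries the post mentions make it work. The third scenario is the state the local policy route is meant to reach, where the echo is counted on OUTACL's ICMP line and the reply is admitted by the temporary entry.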
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART