From: Wollmann, Bruno RQHR (Bruno.Wollmann@rqhealth.ca)
Date: Mon Jan 07 2008 - 03:13:49 ARST
Excuse the long post
I just spent the last few hours trying different ways of setting DE and
I have learned a few things.
I used a very simple topology to test
SW1(vlan11)-------(fa0/0)R1(s0/0/0)----frame cloud----(s0/0/0)R2(fa0/0)-------(vlan12)SW2
SW1 (vlan11) 10.0.11.7/24
R1 (fa0/0) 10.0.11.1/24
R1 (s0/0/0) 10.0.1.1/24
R2 (s0/0/0) 10.0.1.2/24
R2 (fa0/0) 10.0.12.2/24
SW2 (vlan12) 10.0.12.8/24
I ran EIGRP on all interfaces and I had full reachability.
config for R2:
class-map match-all DE
 match fr-de
!
policy-map DE
 class DE
  drop
!
interface Serial0/0/0
 service-policy input DE
The different scenarios I tried on R1 are...
********************
Scenario 1 setup: MQC and service policy applied to interface
class-map match-any DE
 match protocol telnet
 match protocol eigrp
!
policy-map DE
 class DE
  set fr-de
!
interface s0/0/0
 service-policy output DE
Scenario 1 results:
Transit telnet traffic, local telnet traffic out to R2 and EIGRP traffic
had DE-bit set as all this traffic was dropped. Telnet wouldn't work
and EIGRP went down.
********************
Scenario 2 setup: MQC and service policy applied to frame-relay map-class
Scenario 2 results: Identical to scenario 1
********************
Scenario 3 setup: used de-list and de-group
frame-relay de-list 1 interface FastEthernet0/0
frame-relay de-list 1 protocol ip list 101
!
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any
!
interface Serial0/0/0
 frame-relay de-group 1 102
Scenario 3 results:
The results don't make sense to me. Only locally generated traffic has
the DE-bit set. It didn't matter what else I tried, I couldn't get
transit traffic dropped at R2 using the de-list. Does anyone else have
experience with this?
********************
Thanks
Bruno
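A way to see whether frames actually carry the DE bit without tearing down telnet and EIGRP, as an added example that is not part of the thread: R2 classifies on fr-de in a class with no action, so it only counts, and the PVC counters on both ends show the DE packets. The class and policy names DE-SEEN and DE-COUNT are assumed; DLCI 102 and the R1 marking policy are taken from the post above.

```cisco
! R2: count-only policy (constructed example, not the original drop policy)
class-map match-all DE-SEEN
 match fr-de
!
policy-map DE-COUNT
 class DE-SEEN
  ! no action here: the class only counts frames that arrive with DE set
!
interface Serial0/0/0
 service-policy input DE-COUNT
!
! Verification, R1 side: how many frames the "set fr-de" class marked on the way out
! R1# show policy-map interface Serial0/0/0 output
! R1# show frame-relay pvc 102      <- check the "out DE pkts" counter
!
! Verification, R2 side: how many arrived with DE set, per class and per PVC
! R2# show policy-map interface Serial0/0/0 input
! R2# show frame-relay pvc 102      <- check the "in DE pkts" counter
```

Generating a locally sourced telnet or ping from R1 and then a transit one from SW1 lets the two counters show separately which kind of traffic each marking method (MQC set fr-de or de-list/de-group) actually marks.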
________________________________
From: Narbik Kocharians [mailto:narbikk@gmail.com]
Sent: January 5, 2008 8:31 PM
To: Wollmann, Bruno RQHR
Cc: CCIE
Subject: Re: Locally generated traffic
You could use MQC to set the DE bit on one end of the cloud and on the
other end you could match the DE and drop the traffic and see if the
router behind it still receives the traffic. I don't have a pod in front
of me to show this or even to test this, but I think it should work.
On 1/5/08, Wollmann, Bruno RQHR <Bruno.Wollmann@rqhealth.ca> wrote:
Hello,
I'm trying to compile a list of IOS commands that affect outgoing, locally generated router traffic. This is what I have so far.
1) An outbound access-list does not prevent locally generated traffic from leaving the router. I.e. I have an outbound access-list applied to an interface that denies icmp, telnet and rip. When I ping from this router I receive replies; when I ping through the router I do not. Telnet and RIP also still work.
2) I then tried MQC and defined a class-map that matches the same access-l from example 1 and then drop this traffic in a policy-map applied outbound on an interface. This traffic is dropped for transit traffic and locally generated traffic. I.e. I cannot ping or telnet from this router and RIP updates are also blocked from being sent out.
3) How do I test the Frame-relay DE-list command? I tried some debugs but I can't find any output that indicates whether the DE bit is set or not. Does this command work for locally generated traffic or just transit traffic?
4) What if I set the DE bit in MQC? What effect does this have on locally generated traffic?
5) Policy routing only works on locally generated traffic when using the "ip local policy" command.
Any input is appreciated.
thanks
Bruno
This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:58 ARST