Hi Sarad and Yemi,
Thanks a lot for your help. Now I understand the concept of local policing.
As per Sarad's suggestion, the policy is working fine when I give a next hop
which is from the connected subnet.
Information:
R1#sh route-map xxx
route-map xxx, permit, sequence 10
Match clauses:
ip address (access-lists): 6
Set clauses:
ip next-hop 172.16.254.2
Nexthop tracking current: 0.0.0.0
172.16.254.2, fib_nh:2ADA3F0,oce:0,status:0
Policy routing matches: 0 packets, 0 bytes
R1#
R1#
R1#sh ip local poli
Local policy routing is enabled, using route map xxx
route-map xxx, permit, sequence 10
Match clauses:
ip address (access-lists): 6
Set clauses:
ip next-hop 172.16.254.2
Nexthop tracking current: 0.0.0.0
172.16.254.2, fib_nh:2ADA3F0,oce:0,status:0
Policy routing matches: 0 packets, 0 bytes
R1#
R1#sh ip eig nei
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.253.2            Et0/0             11 03:39:10   19   200  0  24
R1#ping 172.16.253.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.253.2, timeout is 2 seconds:
*Jun 27 07:30:29.632: IP: s=172.16.253.1 (local), d=172.16.253.2, len 100, policy match
*Jun 27 07:30:29.632: IP: route map xxx, item 10, permit
*Jun 27 07:30:29.632: IP: s=172.16.253.1 (local), d=172.16.253.2 (Ethernet0/1), len 100, policy routed
*Jun 27 07:30:29.632: IP: local to Ethernet0/1 172.16.254.2.
*Jun 27 07:30:31.636: IP: s=172.16.253.1 (local), d=172.16.253.2, len 100, policy match
*Jun 27 07:30:31.636: IP: route map xxx, item 10, permit
*Jun 27 07:30:31.636: IP: s=172.16.253.1 (local), d=172.16.253.2 (Ethernet0/1), len 100, policy routed
*Jun 27 07:30:31.636: IP: local to Ethernet0/1 172.16.254.2.
*Jun 27 07:30:33.636: IP: s=172.16.253.1 (local), d=172.16.253.2, len 100, policy match
*Jun 27 07:30:33.636: IP: route map xxx, item 10, permit
*Jun 27 07:30:33.636: IP: s=172.16.253.1 (local), d=172.16.253.2 (Ethernet0/1), len 100, policy routed
*Jun 27 07:30:33.636: IP: local to Ethernet0/1 172.16.254.2.
*Jun 27 07:30:35.636: IP: s=172.16.253.1 (local), d=172.16.253.2, len 100, policy match
*Jun 27 07:30:35.636: IP: route map xxx, item 10, permit
*Jun 27 07:30:35.636: IP: s=172.16.253.1 (local), d=172.16.253.2 (Ethernet0/1), len 100, policy routed
*Jun 27 07:30:35.636: IP: local to Ethernet0/1 172.16.254.2.
*Jun 27 07:30:37.636: IP: s=172.16.253.1 (local), d=172.16.253.2, len 100, policy match
*Jun 27 07:30:37.636: IP: route map xxx, item 10, permit
*Jun 27 07:30:37.636: IP: s=172.16.253.1 (local), d=172.16.253.2 (Ethernet0/1), len 100, policy routed
*Jun 27 07:30:37.636: IP: local to Ethernet0/1 172.16.254.2.
Success rate is 0 percent (0/5)
R1#
Thanks,
Sonu
________________________________
From: Sarad [mailto:tosara_at_gmail.com]
Sent: Sunday, June 27, 2010 12:18 PM
To: Sonu Khandelwal (sokhande)
Cc: Yemi Oshunkoya; ccielab_at_groupstudy.com
Subject: Re: Need to understand local policy
Hi Sonu,
I think this is because you don't have a directly connected subnet for
the IP address you are redirecting to. That is why the policy is failing.
Try changing the next hop to one of the IPs in a directly connected
subnet and see whether it's going to work.
Thanks
Sara
On Sun, Jun 27, 2010 at 12:04 PM, Sonu Khandelwal (sokhande)
<sokhande_at_cisco.com> wrote:
Hi Sarad,
Thanks for the help. I had applied the policy in global mode only. Here
is the debug information.
R2#sh run | i ip local
ip local policy route-map xxx
R2#
R2#deb ip poli
R2#deb ip policy
Policy routing debugging is on
R2#
R2#ping 172.16.253.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.253.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms
R2#
*Jun 27 06:21:47.493: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy match
*Jun 27 06:21:47.493: IP: route map xxx, item 10, permit
*Jun 27 06:21:47.493: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy rejected -- normal forwarding
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy match
*Jun 27 06:21:47.497: IP: route map xxx, item 10, permit
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy rejected -- normal forwarding
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy match
*Jun 27 06:21:47.497: IP: route map xxx, item 10, permit
R2#
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy rejected -- normal forwarding
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy match
*Jun 27 06:21:47.497: IP: route map xxx, item 10, permit
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy rejected -- normal forwarding
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy match
*Jun 27 06:21:47.497: IP: route map xxx, item 10, permit
*Jun 27 06:21:47.497: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy rejected -- normal forwarding
R2#
*Jun 27 06:22:35.909: %SEC-6-IPACCESSLOGS: list 6 permitted 172.16.253.2 5 packets
R2#
R2#
R2#sh route-map xxx
route-map xxx, permit, sequence 10
Match clauses:
ip address (access-lists): 6
Set clauses:
ip next-hop 19.19.19.1
Policy routing matches: 60 packets, 9924 bytes
R2#show access
R2#show access-li
R2#show access-lists 6
Standard IP access list 6
10 permit any log (60 matches)
R2#
Thanks,
Sonu
________________________________
From: Sarad [mailto:tosara_at_gmail.com]
Sent: Sunday, June 27, 2010 11:57 AM
To: Sonu Khandelwal (sokhande)
Cc: Yemi Oshunkoya; ccielab_at_groupstudy.com
Subject: Re: Need to understand local policy
Hi Sokhande,
You need to apply the policy in global configuration mode as
follows:
ip local policy route-map XXX
Then use the "debug ip policy" command to check whether your traffic
is policy routed.
Thanks
Sara
On Sun, Jun 27, 2010 at 11:33 AM, Sonu Khandelwal (sokhande)
<sokhande_at_cisco.com> wrote:
Hi Yemi,
Yes, ping is also working fine.
R2#sh ip eig nei
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.253.1            Et0/0             11 02:03:33   15   200  0  20
R2#ping 172.16.253.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.253.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R2#
Thanks,
Sonu
-----Original Message-----
From: Yemi Oshunkoya [mailto:yzmar4real_at_hotmail.com]
Sent: Sunday, June 27, 2010 10:15 AM
To: Sonu Khandelwal (sokhande); ccielab_at_groupstudy.com
Subject: Re: Need to understand local policy
Hi sokhande,
Please discard my last mail; you don't need to apply it on an interface.
Can you try doing a ping and see if that gets policy routed?
-----Original Message-----
From: yzmar4real_at_hotmail.com
Date: Sun, 27 Jun 2010 04:24:25
To: <sokhande_at_cisco.com>; <ccielab_at_groupstudy.com>
Reply-To: yzmar4real_at_hotmail.com
Subject: Re: Need to understand local policy
You didn't apply your policy on any interface. :)
-----Original Message-----
From: sokhande_at_cisco.com
Date: Sun, 27 Jun 2010 04:02:28
To: <ccielab_at_groupstudy.com>
Subject: Need to understand local policy
Hi All,
I am trying to understand local policy. As per my understanding, any
packet which is generated by the router will get treatment based on local
policy. OSPF hellos, EIGRP hellos and routing updates will all be
considered locally generated packets.
I have created a simple scenario and it does not seem to be working for me.
R1----R2
R1 and R2 are connected back to back using the E0/0 interface and are
running EIGRP between them. I am doing a local policy on R2 such that its
next hop gets changed to some junk IP address and no neighborship gets
built between these interfaces. This does not seem to be working, and I see
that the policy is not even being hit.
configs of R1:
interface Ethernet0/0
ip address 172.16.253.1 255.255.255.0
end
sh run | b router eigrp
router eigrp 1
network 172.16.0.0
configs of R2:
R2#sh run | b router eigrp
router eigrp 1
network 172.16.0.0
R2#
R2#sh run int e0/0
Building configuration...
Current configuration : 68 bytes
!
interface Ethernet0/0
ip address 172.16.253.2 255.255.255.0
end
!
route-map xxx permit 10
match ip address 6
set ip next-hop 19.19.19.1 (some junk ip address)
!
!
R2#sh ip access-lists 6
Standard IP access list 6
10 permit any log (33 matches)
show commands on R1 and R2.
Neighborship is still built and I am not able to
understand this behavior.
R2#sh ip eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.253.1            Et0/0             11 08:43:32   20   200  0  15
R2#cle ip eig nei
*Jun 27 03:51:09.257: %DUAL-5-NBRCHANGE: EIGRP-IPv4(0) 1: Neighbor 172.16.253.1 (Ethernet0/0) is down: manually cleared
R2#cle ip eig nei
*Jun 27 03:51:11.001: %DUAL-5-NBRCHANGE: EIGRP-IPv4(0) 1: Neighbor 172.16.253.1 (Ethernet0/0) is up: new adjacency
R2#sh ip eigrp neighbors
EIGRP-IPv4 neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.253.1            Et0/0             11 00:00:03   15   200  0  20
Can you please help me here?
Thanks a lot in advance,
Sonu
Received on Sun Jun 27 2010 - 13:10:07 ART
This archive was generated by hypermail 2.2.0 : Sun Aug 01 2010 - 09:11:38 ART
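
The two "debug ip policy" captures in this thread both show "policy match" and "permit", and differ only in the final verdict line ("policy rejected -- normal forwarding" versus "policy routed" plus a "local to" line). The following Python is an added example, not code from any message in the thread, that tallies that verdict per flow; the sample lines are constructed from the thread's output with wrapped lines joined, and the name summarize is an assumption.

```python
import re
from collections import Counter

# Constructed sample modelled on the R2 and R1 debug captures in the thread.
SAMPLE = """\
*Jun 27 06:21:47.493: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy match
*Jun 27 06:21:47.493: IP: route map xxx, item 10, permit
*Jun 27 06:21:47.493: IP: s=172.16.253.2 (local), d=172.16.253.1, len 100, policy rejected -- normal forwarding
*Jun 27 07:30:29.632: IP: s=172.16.253.1 (local), d=172.16.253.2, len 100, policy match
*Jun 27 07:30:29.632: IP: route map xxx, item 10, permit
*Jun 27 07:30:29.632: IP: s=172.16.253.1 (local), d=172.16.253.2 (Ethernet0/1), len 100, policy routed
*Jun 27 07:30:29.632: IP: local to Ethernet0/1 172.16.254.2.
"""

# Per-packet line; the egress interface only appears on "policy routed" lines.
PKT = re.compile(r"IP: s=(?P<src>[\d.]+) \(local\), d=(?P<dst>[\d.]+)"
                 r"(?: \([^)]+\))?, len \d+, policy (?P<verdict>match|routed|rejected)")
RMAP = re.compile(r"IP: route map (?P<name>[^,\s]+), item (?P<seq>\d+), (?:permit|deny)")
# Next hop actually used; the trailing "." printed by the router is not captured.
HOP = re.compile(r"IP: local to (?P<oif>\S+) (?P<nh>\d+(?:\.\d+){3})")

def summarize(text):
    """Count packets per (src, dst, (route-map, seq), outcome, next hop)."""
    results = Counter()
    entry = None    # most recent route-map entry reported as matched
    pending = None  # policy-routed packet waiting for its "local to" line
    for line in text.splitlines():
        if m := RMAP.search(line):
            entry = (m["name"], int(m["seq"]))
        elif m := PKT.search(line):
            if m["verdict"] == "rejected":
                # The set clause could not be applied; the normal routing table was used.
                results[(m["src"], m["dst"], entry, "normal forwarding", None)] += 1
            elif m["verdict"] == "routed":
                pending = (m["src"], m["dst"], entry)
        elif (m := HOP.search(line)) and pending:
            results[pending + ("policy routed", f"{m['nh']} via {m['oif']}")] += 1
            pending = None
    return results

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```
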