Thanks Sadiq.
I created a lab again since my time was expired on IPEXPERT rack.
This time I used the class-map with "match-all" instead of "match-any". This
is also the solution in YB Lab 1 - Q 6.1.
The good news is that DMVPN including EIGRP stays up. I can telnet the DMVPN
routes but I cannot PING between DMVPN tunnel addresses. Pretty awkward. Do
not know the reason. I have applied the policy-map to my control-plane not the
control-plane host. Which is the way it should be.
Best Regards.
______________________
Adil S
On May 28, 2011, at 7:22 PM, Sadiq Yakasai wrote:
> Hi Adil,
>
> This is your culprit:
>
> class-map match-any cm_icmp
> match access-group 112
> match not access-group 111 ->>>>>>> this will basically end up matching on
all IP traffic and the policy drops it. You need to revisit your intention
here.
> !
> !
> policy-map pm_icmp
> class cm_icmp
> drop
> !
> access-list 111 permit icmp 10.0.0.0 0.255.255.255 any
> access-list 111 permit icmp 172.16.0.0 0.15.255.255 any
> access-list 111 permit icmp 192.168.0.0 0.0.255.255 any
> access-list 112 permit icmp any any
>
>
>
> On Sat, May 28, 2011 at 11:41 PM, Adil Pasha <aspasha_at_gmail.com> wrote:
> Thanks for your reply.
>
> Let me lab put a lab again since my time in the other rented lab is
expired.
>
>
> Best Regards.
> ______________________
> Adil
>
> On May 28, 2011, at 3:45 PM, dcp_at_dcptech.com wrote:
>
> > Looks like you are dropping icmp but not classifying anything else. You
> > haven't defined any bandwidth for the default class so it isn't getting
> > any.
> >
> > David
> >
> >> Guys,
> >>
> >> Could you please tell me why am I getting this error message in Yusuf's
> >> lab 1 - Q 6.1?
> >> I have done this lab multiple times but never saw this error message.
> >>
> >> Whey I apply the policy map on control-plane the DMVPN or eigrp drops
> >> between dmvpn nei. Is there a bug issue or am I doing something wrong
> >> today?
> >>
> >> Thanks.
> >>
> >> -----------
> >>
> >>
> >> !
> >> class-map match-any cm_icmp
> >> match access-group 112
> >> match not access-group 111
> >> !
> >> !
> >> policy-map pm_icmp
> >> class cm_icmp
> >> drop
> >> !
> >> access-list 111 permit icmp 10.0.0.0 0.255.255.255 any
> >> access-list 111 permit icmp 172.16.0.0 0.15.255.255 any
> >> access-list 111 permit icmp 192.168.0.0 0.0.255.255 any
> >> access-list 112 permit icmp any any
> >> !
> >> control-plane
> >> service-policy input pm_icmp
> >> !
> >>
> >> R2(config-cp)#service-policy input pm_icmp
> >> R2(config-cp)#end
> >> R2#
> >> *May 28 13:41:14.638: %CP-5-FEATURE: Control-plane Policing feature
> >> enabled on Control plane aggregate path
> >>
> >> *May 28 13:41:15.434: %SYS-5-CONFIG_I: Configured from console by
console
> >> R2#
> >> *May 28 13:41:27.106: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor
> >> 172.1.0.1 (Tunnel1) is down: holding time expired
> >> R2#
> >>
> >>
> >> Best Regards.
> >> ______________________
> >> Adil
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
Received on Sat May 28 2011 - 23:11:39 ART
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:12 ART