network cisco ccna gns3 certification arteq

a network runs through it

Sunday, August 19, 2012

path control 2...

r4#trace 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.34.3 16 msec 32 msec 4 msec
  2 172.16.23.2 12 msec 28 msec 12 msec
  3 172.16.12.1 12 msec 40 msec *

you built it, you must know why?

r3#sh ip eigrp topo 192.168.1.0
EIGRP-IPv4 Topology Entry for AS(1)/ID(192.168.3.1) for 192.168.1.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 21152000
  Descriptor Blocks:
  172.16.23.2 (Serial1/2), from 172.16.23.2, Send flag is 0x0
      Composite metric is (21152000/20640000), route is Internal
      Vector metric:
        Minimum bandwidth is 128 Kbit
        Total delay is 45000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 192.168.1.1
  172.16.13.1 (Serial1/1), from 172.16.13.1, Send flag is 0x0
      Composite metric is (40640000/128256), route is Internal
      Vector metric:
        Minimum bandwidth is 64 Kbit
        Total delay is 25000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
        Originating router is 192.168.1.1
r3#

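it's twice as fast the long way: the metric through r2 is 21152000 against 40640000 straight to r1, where the minimum bandwidth is only 64 Kbit... but you saw that coming...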

so make a damn pbr to use r3-->r1 instead...

access-list 1 permit 192.168.4.128 0.0.0.127

route-map r3r1 permit
match ip add 1
set ip next-hop 172.16.13.1

put it all up in the interface where r4's traffic comes in...

int s1/3
ip policy route-map r3r1

you could get fancy and make a named access-list...

r3#sh route-map
route-map r3r1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    ip next-hop 172.16.13.1
  Policy routing matches: 0 packets, 0 bytes

r4#trace 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.34.3 20 msec 8 msec 4 msec
  2 172.16.23.2 12 msec 20 msec 16 msec
  3 172.16.12.1 20 msec 36 msec *

this trace doesn't work, it still goes through r2... why? because our acl is for sources 4.128 and above, and we sourced from 4.1...

r4#trace 192.168.1.1 source 192.168.4.129
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.34.3 16 msec 32 msec 8 msec
  2 172.16.13.1 8 msec 8 msec * 

this one does because we are specifying the source correctly... so adjust the acl...

access-list 1 permit 192.168.4.0 0.0.0.127

r4#trace 192.168.1.1 source 192.168.4.1 
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.34.3 36 msec 4 msec 4 msec
  2 172.16.13.1 8 msec 8 msec *

r3#sh route-map
route-map r3r1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    ip next-hop 172.16.13.1
  Policy routing matches: 12 packets, 384 bytes

now we have some matches...
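Why 192.168.4.1 missed the first acl and hit the adjusted one, as an added example (not from the original post). It models standard-ACL wildcard matching and the route-map decision on r3; the function names are made up for illustration, and treating the second `access-list 1` line as an entry appended to the first is an assumption.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco standard-ACL test: bits set in the wildcard are ignored,
    every other bit of addr must equal the same bit of base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def pbr_next_hop(acl, src, set_next_hop, routed_next_hop):
    """Route-map permit clause: ACL permit -> set next-hop, else normal forwarding."""
    return set_next_hop if acl_permits(acl, src) else routed_next_hop

def matched_range(base, wildcard):
    """First and last address covered by an entry with a contiguous wildcard."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    lo = b & ~w & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | w))

# ACL 1 as first typed, then with the second entry appended (assumption).
ACL1_ORIGINAL = [("permit", "192.168.4.128", "0.0.0.127")]
ACL1_ADJUSTED = ACL1_ORIGINAL + [("permit", "192.168.4.0", "0.0.0.127")]
# Next hops from the post: the PBR set clause and the EIGRP successor on r3.
PBR_HOP, EIGRP_HOP = "172.16.13.1", "172.16.23.2"

if __name__ == "__main__":
    for name, acl in (("original", ACL1_ORIGINAL), ("adjusted", ACL1_ADJUSTED)):
        for src in ("192.168.4.1", "192.168.4.129"):
            print(name, src, "->", pbr_next_hop(acl, src, PBR_HOP, EIGRP_HOP))
```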

r4#ping ip 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

that works too...

r3#sh route-map
route-map r3r1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    ip next-hop 172.16.13.1
  Policy routing matches: 17 packets, 904 bytes

note the match incremented by 5

get rid of the acl that permits 192.168.4.0...

r3#sh access-list
Standard IP access list 1
    10 permit 192.168.4.128, wildcard bits 0.0.0.127

set up another acl called 2 for debugging

access-list 2 permit 192.168.4.0 0.0.0.255

debug ip policy 2


r4#ping ip 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms
r4#

the policy gets rejected (no match), so r3 falls back to normal forwarding... the ping obviously still gets there but through r2...

r3#       
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding

now plug the permit 4.0 back into acl 1...

r3#sh access-list
Standard IP access list 1
    10 permit 192.168.4.0, wildcard bits 0.0.0.127
Standard IP access list 2
    10 permit 192.168.4.0, wildcard bits 0.0.0.255 (19 matches)

r4#ping ip 192.168.1.1 source 192.168.4.1         
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms

r3#
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
r3#

r3#sh route-map
route-map r3r1, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
    ip next-hop 172.16.13.1
Nexthop tracking current: 0.0.0.0
172.16.13.1, fib_nh:0,oce:0,status:0

  Policy routing matches: 42 packets, 3504 bytes
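A small checker for the `debug ip policy` output above, as an added example (not from the original post). It tallies the final outcome per flow and lists flows that did not take the expected next hop; the function names are made up, and the sample lines are copied from the two debug captures in this post.

```python
import re
from collections import Counter

# Line shape of the "debug ip policy" messages shown in the post.
LINE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<intf>[^)]+)\), d=(?P<dst>[\d.]+)"
    r"(?:, g=(?P<gw>[\d.]+))?, len \d+, (?P<event>.+)$"
)

def summarize(log_text):
    """Count final per-packet outcomes keyed by (src, dst, outcome)."""
    outcomes = Counter()
    for raw in log_text.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue  # prompts, blank lines, unrelated messages
        event = m["event"]
        if event.startswith("FIB policy rejected"):
            outcomes[(m["src"], m["dst"], "normal forwarding")] += 1
        elif event == "FIB policy routed":
            outcomes[(m["src"], m["dst"], "policy routed via " + m["gw"])] += 1
        # "FIB policy match" and "PBR Counted" are intermediate steps
        # of a packet that ends in "FIB policy routed", so they are skipped.
    return outcomes

def unexpected_paths(outcomes, expected_gw):
    """Flows whose outcome is anything other than policy routing via expected_gw."""
    want = "policy routed via " + expected_gw
    return sorted(key for key in outcomes if key[2] != want)

# Lines copied from the post: two rejected packets, then one routed packet.
SAMPLE = """r3#
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
"""

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for key, count in sorted(result.items()):
        print(count, *key)
    print("not via 172.16.13.1:", unexpected_paths(result, "172.16.13.1"))
```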

it's a lot of work sometimes to get to the gravy, but it can pay off... trust me, if you are doing switch first, get the access-maps down then and there...

