Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.34.3 16 msec 32 msec 4 msec
2 172.16.23.2 12 msec 28 msec 12 msec
3 172.16.12.1 12 msec 40 msec *
you built it, you must know why?
r3#sh ip eigrp topo 192.168.1.0
EIGRP-IPv4 Topology Entry for AS(1)/ID(192.168.3.1) for 192.168.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 21152000
Descriptor Blocks:
172.16.23.2 (Serial1/2), from 172.16.23.2, Send flag is 0x0
Composite metric is (21152000/20640000), route is Internal
Vector metric:
Minimum bandwidth is 128 Kbit
Total delay is 45000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 2
Originating router is 192.168.1.1
172.16.13.1 (Serial1/1), from 172.16.13.1, Send flag is 0x0
Composite metric is (40640000/128256), route is Internal
Vector metric:
Minimum bandwidth is 64 Kbit
Total delay is 25000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Originating router is 192.168.1.1
r3#
it's twice as fast the long way... but you saw that coming...
so make a damn pbr to use r3-->r1 instead...
access-list 1 permit 192.168.4.128 0.0.0.127
route-map r3r1 permit
match ip add 1
set ip next-hop 172.16.13.1
put it all up in the interface
int s1/3
ip policy route-map r3r1
you could get fancy and make a named access-list...
r3#sh route-map
route-map r3r1, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip next-hop 172.16.13.1
Policy routing matches: 0 packets, 0 bytes
r4#trace 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.34.3 20 msec 8 msec 4 msec
2 172.16.23.2 12 msec 20 msec 16 msec
3 172.16.12.1 20 msec 36 msec *
this trace doesn't get policy routed (it still goes through r2)... why? because our acl is for 4.128 and above...
r4#trace 192.168.1.1 source 192.168.4.129
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.34.3 16 msec 32 msec 8 msec
2 172.16.13.1 8 msec 8 msec *
this one does because we are specifying the source correctly... so adjust the acl...
access-list 1 permit 192.168.4.0 0.0.0.127
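Why the first version of access-list 1 skipped source 192.168.4.1 and the adjusted one catches it, as an added Python sketch (not from the original post). It models the wildcard-mask test and the route-map's match-or-fall-through decision; the function names are hypothetical, and 172.16.23.2 is taken from the EIGRP successor shown earlier.

```python
import ipaddress

def wildcard_match(src, base, wildcard):
    """Standard-ACL test: bits set in the wildcard mask are 'don't care'."""
    s = int(ipaddress.IPv4Address(src))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (b & care)

def acl_permits(acl, src):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def pbr_next_hop(acl, set_next_hop, src, routed_next_hop):
    """Route-map permit sequence: a match gets the set next-hop, anything else
    is forwarded normally. A standard ACL only looks at the source address."""
    return set_next_hop if acl_permits(acl, src) else routed_next_hop

# The two versions of access-list 1 from the post.
ACL_UPPER = [("permit", "192.168.4.128", "0.0.0.127")]
ACL_LOWER = [("permit", "192.168.4.0", "0.0.0.127")]
VIA_R1 = "172.16.13.1"   # set ip next-hop in route-map r3r1
VIA_R2 = "172.16.23.2"   # EIGRP successor on r3 (normal forwarding)

def demo():
    """Next hop chosen on r3 for each ACL version and each traced source."""
    rows = []
    for name, acl in (("upper", ACL_UPPER), ("lower", ACL_LOWER)):
        for src in ("192.168.4.1", "192.168.4.129"):
            rows.append((name, src, pbr_next_hop(acl, VIA_R1, src, VIA_R2)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(*row)
```
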
r4#trace 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.34.3 36 msec 4 msec 4 msec
2 172.16.13.1 8 msec 8 msec *
r3#sh route-map
route-map r3r1, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip next-hop 172.16.13.1
Policy routing matches: 12 packets, 384 bytes
r4#ping ip 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
that works too...
r3#sh route-map
route-map r3r1, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip next-hop 172.16.13.1
Policy routing matches: 17 packets, 904 bytes
note the match incremented by 5
get rid of the acl that permits 192.168.4.0...
r3#sh access-list
Standard IP access list 1
10 permit 192.168.4.128, wildcard bits 0.0.0.127
set up another acl called 2 for debugging
access-list 2 permit 192.168.4.0 0.0.0.255
debug ip policy 2
r4#ping ip 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/16 ms
r4#
the policy gets rejected (no match), so the packet falls back to normal forwarding... the ping obviously still gets there but through r2...
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
now plug the permit 4.0 back into acl 1...
r3#sh access-list
Standard IP access list 1
10 permit 192.168.4.0, wildcard bits 0.0.0.127
Standard IP access list 2
10 permit 192.168.4.0, wildcard bits 0.0.0.255 (19 matches)
r4#ping ip 192.168.1.1 source 192.168.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.4.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/12 ms
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192
r3#.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
r3#
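A way to tally debug ip policy output per flow, so you can see which sources were policy routed and which fell back to normal forwarding. This is an added Python sketch, not from the original post: the sample lines are constructed in the format shown above (including a line split by the console prompt), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug output above.
SAMPLE = """\
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:45:11: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy rejected(no match) - normal forwarding
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, len 100, FIB policy match
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192
r3#.168.1.1, len 100, PBR Counted
*Aug 19 11:53:31: IP: s=192.168.4.1 (Serial1/3), d=192.168.1.1, g=172.16.13.1, len 100, FIB policy routed
""".splitlines()

LINE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<intf>[^)]+)\), d=(?P<dst>[\d.]+),"
    r"(?: g=(?P<gw>[\d.]+),)? len \d+, (?P<event>.+)$"
)

def classify(event):
    """Map a debug event to the final forwarding verdict, if it is one."""
    if event.startswith("FIB policy rejected"):
        return "normal"      # no route-map match, routing table decides
    if event == "FIB policy routed":
        return "policy"      # sent to the set next-hop (g=)
    return None              # "FIB policy match" / "PBR Counted" are intermediate

def summarize(lines):
    """Count verdicts per (src, dst, verdict, gateway); also count lines that
    could not be parsed, e.g. ones broken up by the console prompt."""
    flows, unparsed = Counter(), 0
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            unparsed += 1
            continue
        verdict = classify(m["event"])
        if verdict:
            flows[(m["src"], m["dst"], verdict, m["gw"])] += 1
    return flows, unparsed

if __name__ == "__main__":
    flows, unparsed = summarize(SAMPLE)
    for key, count in sorted(flows.items(), key=str):
        print(count, key)
    print("unparsed lines:", unparsed)
```
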
r3#sh route-map
route-map r3r1, permit, sequence 10
Match clauses:
ip address (access-lists): 1
Set clauses:
ip next-hop 172.16.13.1
Nexthop tracking current: 0.0.0.0
172.16.13.1, fib_nh:0,oce:0,status:0
Policy routing matches: 42 packets, 3504 bytes
it's a lot of work sometimes to get to the gravy, but it can pay off... trust me, if you are doing switch first, get the access-maps down then and there...