Re: Matching Directed broadcast

From: Sasa Milic (smilic2@pexim.co.yu)
Date: Mon Apr 30 2007 - 18:34:03 ART


I have just labbed it up with Dynamips and a VMware virtual machine. Created
two ACLs on the router:

Extended IP access list db
    10 permit ip any host 192.168.101.255
    20 permit ip any any
Extended IP access list db2
    10 permit ip any host 192.168.101.255
    20 permit ip any host 255.255.255.255
    30 permit ip any any

ACL 'db' is incoming on the interface where the Windows VMware machine is
connected and used for ping. 'db2' is outgoing on the interface where the pings
should go.

Ping from 192.168.102.203 to 192.168.101.255:

*Apr 30 2007 23:29:06.175 UTC: IP: tableid=0, s=192.168.102.203
(FastEthernet2/0), d=192.168.101.255 (FastEthernet1/0), routed via RIB
*Apr 30 2007 23:29:06.175 UTC: IP: s=192.168.102.203 (FastEthernet2/0),
d=192.168.101.255 (FastEthernet1/0), g=255.255.255.255, len 60,
forward directed broadcast
*Apr 30 2007 23:29:06.179 UTC: ICMP type=8, code=0
*Apr 30 2007 23:29:06.183 UTC: IP: s=192.168.102.203 (FastEthernet2/0),
d=192.168.101.255 (FastEthernet1/0), len 60, rcvd 5
*Apr 30 2007 23:29:06.183 UTC: ICMP type=8, code=0
*Apr 30 2007 23:29:06.187 UTC: IP: tableid=0, s=192.168.102.100 (local),
d=192.168.102.203 (FastEthernet2/0), routed via FIB
*Apr 30 2007 23:29:06.187 UTC: IP: s=192.168.102.100 (local),
d=192.168.102.203 (FastEthernet2/0), len 60, sending
*Apr 30 2007 23:29:06.191 UTC: ICMP type=0, code=0

Debug says that the packet went to Fa1/0, but the sniffer doesn't show it. The
incoming ACL counter is incremented by 4 for each ping; the outgoing ACL
counters are zero.

Now, check "show ip interface <outgoing interface>". The broadcast address is
"255.255.255.255". Change the broadcast address on the interface with "ip
broadcast-address 192.168.101.255".

*Apr 30 2007 23:32:25.695 UTC: IP: tableid=0, s=192.168.102.203
(FastEthernet2/0), d=192.168.101.255 (FastEthernet1/0), routed via RIB
*Apr 30 2007 23:32:25.699 UTC: IP: s=192.168.102.203 (FastEthernet2/0),
d=192.168.101.255 (FastEthernet1/0), g=255.255.255.255, len 60,
forward directed broadcast
*Apr 30 2007 23:32:25.703 UTC: ICMP type=8, code=0
*Apr 30 2007 23:32:25.703 UTC: IP: s=192.168.102.203 (FastEthernet2/0),
d=192.168.101.255 (FastEthernet1/0), len 60, rcvd 5
*Apr 30 2007 23:32:25.707 UTC: ICMP type=8, code=0
*Apr 30 2007 23:32:25.707 UTC: IP: tableid=0, s=192.168.102.100 (local),
d=192.168.102.203 (FastEthernet2/0), routed via FIB
*Apr 30 2007 23:32:25.711 UTC: IP: s=192.168.102.100 (local),
d=192.168.102.203 (FastEthernet2/0), len 60, sending
*Apr 30 2007 23:32:25.715 UTC: ICMP type=0, code=0

The debugs look the same. Pings are going through (checked with the sniffer),
but still no matches in the outgoing access list. The incoming list still shows
4 matches for each ping. Strange.

Regards,
  Sasa

----- Original Message -----
From: "Suplepo" <suplepo@yahoo.com>
To: "Sasa Milic" <smilic2@pexim.co.yu>; <ccielab@groupstudy.com>
Sent: Monday, April 30, 2007 10:31 PM
Subject: Re: Matching Directed broadcast

> Yep, caught that after I sent out the original
> question and have since changed it, but I'm still not
> seeing matches for the access-list or route-map.
>
> From a directly connected router I'm pinging 1.1.1.255
> and the router responds as you'd expect, but I'm not
> seeing the matches? Any other ideas?
>
> Oh I also removed the "ip directed-broadcast" since in
> this case it should be required since I'm pinging from
> a directly connected device on the 1.1.1.0/24 network.
>
> Still no dice :(
> --- Sasa Milic <smilic2@pexim.co.yu> wrote:
>
>>
>> Try to use an extended access list. A standard access
>> list usually matches on the
>> source, not on the destination. You need something like:
>>
>> ip access-list extended INBOUND_BCAST
>> permit ip any host 1.1.1.255
>> !
>>
>> Regards,
>> Sasa, #8635
>>
>>
>
>

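As an added worked example, not from this thread or from any poster, here is a small script that reproduces the two checks the thread is doing by hand: computing the directed (subnet) broadcast address of an interface, and evaluating the posted extended ACLs 'db' and 'db2' against the test ping (192.168.102.203 -> 192.168.101.255). It assumes Fa1/0 is 192.168.101.1/24 (the post never gives the interface address) and supports only the 'permit|deny ip <src> <dst>' form with any / host A.B.C.D / A.B.C.D wildcard specs. It shows that the ACL text itself matches the packet at sequence 10 in both lists, so a zero outbound counter is not a question of the ACL syntax, and that 255.255.255.255 is the limited broadcast, distinct from the subnet's directed broadcast that the 'ip broadcast-address' command in the thread sets.

```python
"""Added example (not from the thread): compute a subnet's directed-broadcast
address and evaluate Cisco-style extended ACL lines against a packet, so the
ACL text can be checked independently of router counters.

Assumptions (not stated on the page): Fa1/0 is 192.168.101.1/24, and ACL
lines are limited to '[seq] permit|deny ip <src> <dst>' with the specs
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress

# ACLs copied from the post (sequence numbers as shown by 'show access-lists').
ACL_DB = """
10 permit ip any host 192.168.101.255
20 permit ip any any
"""
ACL_DB2 = """
10 permit ip any host 192.168.101.255
20 permit ip any host 255.255.255.255
30 permit ip any any
"""

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def directed_broadcast(interface_cidr):
    """Subnet (directed) broadcast address of an interface prefix, e.g. '192.168.101.1/24'."""
    return ipaddress.ip_interface(interface_cidr).network.broadcast_address


def classify_destination(dst, interface_cidr):
    """'limited-broadcast' (255.255.255.255), 'directed-broadcast' (subnet broadcast) or 'unicast'."""
    dst = ipaddress.ip_address(dst)
    if dst == LIMITED_BROADCAST:
        return "limited-broadcast"
    if dst == directed_broadcast(interface_cidr):
        return "directed-broadcast"
    return "unicast"


def _take_spec(tokens):
    """Consume one address spec: 'any' (1 token) or 'host X' / 'X WILDCARD' (2 tokens)."""
    if not tokens:
        raise ValueError("missing address spec")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address spec: %r" % tokens)
    return " ".join(tokens[:2]), tokens[2:]


def parse_acl(text):
    """Parse '[seq] permit|deny ip <src> <dst>' lines into (seq, action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq = None
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("unsupported ACL line: %r" % line)
        src, rest = _take_spec(tokens[2:])
        dst, rest = _take_spec(rest)
        if rest:
            raise ValueError("trailing tokens in ACL line: %r" % line)
        entries.append((seq, action, src, dst))
    return entries


def _match_addr(spec, addr):
    """Match an address against 'any', 'host X' or 'X WILDCARD' (IOS wildcard: 1 bits are ignored)."""
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ipaddress.ip_address(value) == addr
    base = int(ipaddress.ip_address(kind))
    wildcard = int(ipaddress.ip_address(value))
    care = ~wildcard & 0xFFFFFFFF
    return (int(addr) & care) == (base & care)


def acl_lookup(entries, src, dst):
    """First-match evaluation; returns (seq, action). (None, 'deny') is the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, src_spec, dst_spec in entries:
        if _match_addr(src_spec, src) and _match_addr(dst_spec, dst):
            return seq, action
    return None, "deny"


if __name__ == "__main__":
    ping_src, ping_dst = "192.168.102.203", "192.168.101.255"
    fa1_0 = "192.168.101.1/24"  # assumed address of Fa1/0, not given in the thread
    print("destination class:", classify_destination(ping_dst, fa1_0))
    for name, text in (("db", ACL_DB), ("db2", ACL_DB2)):
        print(name, "->", acl_lookup(parse_acl(text), ping_src, ping_dst))
```

Run it as-is to see both lists return sequence 10 for the test ping; change fa1_0 to a different prefix to see the same destination become plain unicast, which is the situation the thread's "ip broadcast-address" step was probing.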


This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:38 ART