Re: PBR for locally generated traffic

From: Herbert Maosa (asawilunda@googlemail.com)
Date: Thu Sep 06 2007 - 09:48:13 ART


Sadiq,

I believe Reflexive Access Lists do not work with locally generated traffic.
You always have to make static entries for the local traffic. I doubt this
behaviour of reflexive access-lists is going to change because of PBR.

Others can confirm.

Herbert.

On 9/6/07, Sadiq Yakasai <sadiqtanko@gmail.com> wrote:
>
> Hi Guys,
>
> So here I am trying to PBR locally generated traffic so that I can
> have a hit on my reflexive access list... I just don't seem to have
> it working!
>
> Please see below, any help will be highly appreciated... thanks
>
> R4#sh run | i policy|route-map|access|set|match|permit|evaluate
> int f0/0
> ip access-group INACL in
> ip access-group OUTACL out
>
> ip local policy route-map LOCAL
>
> ip access-list extended INACL
> permit tcp any any eq bgp
> permit tcp any eq bgp any
> permit udp any any eq rip
> evaluate REFLECT
>
> ip access-list extended OUTACL
> permit tcp any any reflect REFLECT
> permit udp any any reflect REFLECT
> permit icmp any any reflect REFLECT
>
>
> access-list 100 permit tcp any any eq telnet
> access-list 100 permit icmp any any
>
> route-map LOCAL permit 10
> match ip address 100
> set interface Loopback0
>
> R4#sh access-lists
> Extended IP access list 100
> 10 permit tcp any any eq telnet (28 matches)
> 20 permit icmp any any (73 matches)
> Extended IP access list INACL
> 10 permit tcp any any eq bgp
> 20 permit tcp any eq bgp any (42 matches)
> 30 permit udp any any eq rip (174 matches)
> 40 evaluate REFLECT
> Extended IP access list OUTACL
> 10 permit tcp any any reflect REFLECT (34 matches)
> 20 permit udp any any reflect REFLECT
> 30 permit icmp any any reflect REFLECT
> Reflexive IP access list REFLECT
> R4#ping 204.12.1.254 repeat 1
>
> Type escape sequence to abort.
> Sending 1, 100-byte ICMP Echos to 204.12.1.254, timeout is 2 seconds:
>
> *Sep 6 12:00:33.425: ICMP: dst (204.12.1.4) administratively
> prohibited unreachable sent to 204.12.1.254.
> Success rate is 0 percent (0/1)
>
>
>
> Traffic from others behind this router seems to pass through fine,
> indicating that my reflection works fine. But the locally generated
> telnet or ping traffic, having been policy routed to the loopback so
> that I can get a hit on the reflection, just can't seem to work.
>
> When I make static entries into the INACL, allowing telnet and ICMP to
> come in explicitly, it works... but I want to try the PBR option here
> as a matter of choice.
>
> Thanks
>
> Sadiq
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Kindest regards,
hm
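The mechanism the thread is arguing about, as an added example that is not part of either post: a small Python model of a reflexive ACL. The `reflect` keyword on an outbound ACL entry records a mirrored (source/destination and ports swapped) temporary entry, and `evaluate` on the inbound ACL permits only packets that match one of those entries. The point Herbert makes is modelled by one flag: IOS does not run the outbound interface ACL on packets the router itself originates, so no mirrored entry is ever created for them and the return traffic falls through to the implicit deny (the "administratively prohibited" unreachable in Sadiq's output). The addresses 204.12.1.4 and 204.12.1.254 are taken from the post; the transit host 10.1.1.1, the flow model and the simplified ICMP handling (real IOS keys ICMP reflexive entries differently) are assumptions of this example. The last scenario shows what the PBR-to-loopback trick is trying to achieve, namely forcing the router's own packet through OUTACL; it does not claim that any particular IOS release actually does that.

```python
"""Toy model of Cisco-style reflexive ACLs (added example, not IOS code)."""
from dataclasses import dataclass

BGP_PORT = 179
RIP_PORT = 520


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP (simplification of IOS behaviour)
    dport: int = 0


class ReflexiveACL:
    """Temporary entries created by 'reflect', consumed by 'evaluate'."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: set = set()

    def reflect(self, pkt: Packet) -> None:
        # Mirror the outbound 5-tuple: the return packet swaps src/dst and ports.
        self.entries.add((pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport))

    def evaluate(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries


class Router:
    """R4 from the post: INACL inbound, OUTACL outbound on one interface."""

    def __init__(self) -> None:
        self.reflect = ReflexiveACL("REFLECT")

    def outacl(self, pkt: Packet) -> bool:
        # OUTACL: permit tcp/udp/icmp any any reflect REFLECT
        if pkt.proto in ("tcp", "udp", "icmp"):
            self.reflect.reflect(pkt)
            return True
        return False                       # implicit deny

    def inacl(self, pkt: Packet) -> bool:
        # INACL: static BGP/RIP permits, then evaluate REFLECT, then implicit deny
        if pkt.proto == "tcp" and BGP_PORT in (pkt.sport, pkt.dport):
            return True
        if pkt.proto == "udp" and pkt.dport == RIP_PORT:
            return True
        return self.reflect.evaluate(pkt)

    def send_out(self, pkt: Packet, locally_generated: bool) -> bool:
        # Assumption modelled here: IOS skips the outbound interface ACL for
        # traffic the router itself originates, so 'reflect' never fires for it.
        if locally_generated:
            return True
        return self.outacl(pkt)

    def receive(self, pkt: Packet) -> bool:
        return self.inacl(pkt)


def run_scenarios() -> dict:
    """Return a permit/deny verdict per scenario (constructed traffic)."""
    results = {}

    # 1. Transit host behind R4 pings out; the echo reply is mirrored in.
    r = Router()
    r.send_out(Packet("icmp", "10.1.1.1", "204.12.1.254"), locally_generated=False)
    results["transit_reply_permitted"] = r.receive(Packet("icmp", "204.12.1.254", "10.1.1.1"))

    # 2. R4 itself pings: OUTACL is bypassed, so no entry exists for the reply.
    r = Router()
    r.send_out(Packet("icmp", "204.12.1.4", "204.12.1.254"), locally_generated=True)
    results["local_reply_permitted"] = r.receive(Packet("icmp", "204.12.1.254", "204.12.1.4"))

    # 3. BGP return traffic is covered by a static entry, not by REFLECT.
    results["bgp_static_permitted"] = r.receive(
        Packet("tcp", "204.12.1.254", "204.12.1.4", BGP_PORT, 40000))

    # 4. What the PBR-to-loopback idea aims for: the router's own packet is made
    #    to traverse OUTACL as if it were transit, so the reply gets an entry.
    r = Router()
    r.send_out(Packet("tcp", "204.12.1.4", "204.12.1.254", 50000, 23), locally_generated=False)
    results["local_via_outacl_permitted"] = r.receive(
        Packet("tcp", "204.12.1.254", "204.12.1.4", 23, 50000))
    return results


if __name__ == "__main__":
    for scenario, permitted in run_scenarios().items():
        print(f"{scenario}: {'permit' if permitted else 'deny'}")
```

Scenario 2 reproduces the symptom from the post (the router's own echo reply is denied while transit traffic passes), and the difference between scenarios 2 and 4 is exactly what the `ip local policy` / `set interface Loopback0` workaround is trying to change: whether the locally generated packet ever passes through the ACL carrying the `reflect` keyword.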


This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:09 ART