Re: policy routing strangeness

From: Hank Nussbacher (hank@att.net.il)
Date: Sat Nov 03 2001 - 14:50:10 EST


At 12:35 02/11/01 -0500, jlewis@lewis.org wrote:

CSCdp78100 describes problems with DCEF and policy routing. I don't see a
fix yet. Workaround is to disable DCEF.

CSCdt16601 Route-maps dont work properly with named access-lists &
dCEF. Try changing the acl from mirror_to_inet to some number.

The startup I do these tests for, Wanwall, has hit numerous bugs like this
with PBR.

-Hank Nussbacher
Consultant
Wanwall Ltd.

>Are there known issues with policy routing and rsp-k3pv-mz.120-11.S3?
>
>We're running an FTP mirror site that we only want utilizing one of our
>upstream providers, so I had setup the following:
>
>ip access-list extended mirror_to_inet
> deny ip any 209.208.0.0 0.0.127.255
> deny ip any 216.98.0.0 0.0.15.255
> permit ip host 209.208.0.69 any
> deny ip any any
>
>route-map mirror-inet-policy permit 10
> match ip address mirror_to_inet
> set interface Serial2/0/0
>!
>route-map mirror-inet-policy permit 20
>
>interface Serial2/1/1
> ip policy route-map mirror-inet-policy
>
>The idea being, if traffic from 209.208.0.69 got into the router above
>through Serial2/1/1 and was destined for an IP outside our 2 IP blocks, it
>would be sent out (to the internet) through Serial2/0/0. It seemed to
>work, but I just noticed that some traffic from other source IPs was also
>being policy routed out Serial2/0/0, even though according to show ip bgp
>the best route was elsewhere.
>
>I changed the route-map to use an identical numbered access-list instead
>of the named one and it seems to be working properly now.
>
>BTW...what happens in a setup like this if Serial2/0/0 goes down? Do
>policy routed packets get dropped? If so, is there a way to set this up
>such that if the interface you're trying to policy route through goes
>down, packets still get routed?
>
>--
>----------------------------------------------------------------------
> Jon Lewis *jlewis@lewis.org*| I route
> System Administrator | therefore you are
> Atlantic Net |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:22 EDT