Re: policy routing strangeness

From: Zaheer Aziz (zaziz@cisco.com)
Date: Mon Nov 05 2001 - 00:43:45 EST


At 12:35 PM 11/2/2001 -0500, jlewis@lewis.org wrote:

Answer in-line about your last question on re-routing in case of interface
failure.

>Are there known issues with policy routing and rsp-k3pv-mz.120-11.S3?
>
>We're running an FTP mirror site that we only want utilizing one of our
>upstream providers, so I had setup the following:
>
>ip access-list extended mirror_to_inet
> deny ip any 209.208.0.0 0.0.127.255
> deny ip any 216.98.0.0 0.0.15.255
> permit ip host 209.208.0.69 any
> deny ip any any
>
>route-map mirror-inet-policy permit 10
> match ip address mirror_to_inet
> set interface Serial2/0/0
>!
>route-map mirror-inet-policy permit 20
>
>interface Serial2/1/1
> ip policy route-map mirror-inet-policy
>
>The idea being, if traffic from 209.208.0.69 got into the router above
>through Serial2/1/1 and was destined for an IP outside our 2 IP blocks, it
>would be sent out (to the internet) through Serial2/0/0. It seemed to
>work, but I just noticed that some traffic from other source IPs was also
>being policy routed out Serial2/0/0, even though according to show ip bgp
>the best route was elsewhere.
>
>I changed the route-map to use an identical numbered access-list instead
>of the named one and it seems to be working properly now.
>
>BTW...what happens in a setup like this if Serial2/0/0 goes down? Do
>policy routed packets get dropped? If so, is there a way to set this up
>such that if the interface you're trying to policy route through goes
>down, packets still get routed?

It should be an automatic behavior that, in case of the interface going down,
the policy is rejected and packet forwarding goes back to a normal IP routing
table lookup.

Note that in the case of point-to-point links, an interface going down should
be detected at both ends, but that may not be the case for Ethernet, for
example. If a next-hop Ethernet goes down, your policy routing would continue
to dump packets onto your local Ethernet, resulting in black-holed traffic.
Cisco has a check through configuration in such cases through CDP. The exact
command escapes me, but for a policy routing setup using Ethernet as a next-hop
this feature is a must.

Thanks
Zaheer

>--
>----------------------------------------------------------------------
> Jon Lewis *jlewis@lewis.org*| I route
> System Administrator | therefore you are
> Atlantic Net |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
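An added example, not from either poster: a small Python model of the ACL and route-map quoted above, together with the interface-down fallback described in the reply, so the intended match set can be checked flow by flow. The interface_up dict and the 198.51.100.7 test address are assumptions.

```python
import ipaddress

# Constructed model (added example, not from the thread) of the ACL and
# route-map in the quoted post. Wildcard masks follow IOS: a 1 bit means "don't care".
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0          # bits covered by the wildcard are ignored

# ip access-list extended mirror_to_inet, entry by entry: (action, source, destination)
MIRROR_TO_INET = [
    ("deny",   ANY,                         ("209.208.0.0", "0.0.127.255")),
    ("deny",   ANY,                         ("216.98.0.0",  "0.0.15.255")),
    ("permit", ("209.208.0.69", "0.0.0.0"), ANY),
    ("deny",   ANY,                         ANY),
]

def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL with no match is an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

# route-map mirror-inet-policy: (sequence, match ACL or None, set interface or None)
ROUTE_MAP = [
    (10, MIRROR_TO_INET, "Serial2/0/0"),
    (20, None, None),                 # no match clause: matches everything, no set
]

def forward(src, dst, interface_up):
    """Egress decision for a packet arriving on Serial2/1/1.

    interface_up is a dict of interface name -> bool (assumed model of link state).
    If the matched sequence sets an interface that is down, the set is ignored and
    the packet falls back to the routing table, as the reply describes. A sequence
    with no set clause also falls through to the routing table."""
    for _seq, acl, set_if in ROUTE_MAP:
        if acl is not None and not acl_permits(acl, src, dst):
            continue
        if set_if is not None and interface_up.get(set_if, False):
            return set_if
        return "routing-table"
    return "routing-table"            # route-map exhausted: not policy routed

if __name__ == "__main__":
    up = {"Serial2/0/0": True}
    print(forward("209.208.0.69", "198.51.100.7", up))                       # Serial2/0/0
    print(forward("209.208.0.70", "198.51.100.7", up))                       # routing-table
    print(forward("209.208.0.69", "198.51.100.7", {"Serial2/0/0": False}))  # routing-table
```

Only the mirror host's traffic to destinations outside the two local blocks should reach Serial2/0/0; any other source landing there, as in the behaviour reported above, indicates the match is not evaluating the ACL as written.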



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:22 EDT