[nsp] policy routing / CEF-IP-POLICY: fib for
address10.209.254.254 is with flag 0
Brian Turnbow
b.turnbow at twt.it
Wed Jan 21 11:51:44 EST 2004
Hi,
you could use a tunnel between the 2 loopback addresses and set ip next hop
to the tunnel or use set interface tunnelx.
regards
Brian
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Gert Doering
Sent: mercoledi 21 gennaio 2004 16.50
To: cisco-nsp at puck.nether.net
Subject: [nsp] policy routing / CEF-IP-POLICY: fib for
address10.209.254.254 is with flag 0
Hi,
another interesting challenge...
The problem:
Policy-Routing doesn't want to policy-route if the "set ip next-hop"
address is not directly adjacent.
interface FastEthernet0/1
ip address 10.209.3.254 255.255.252.0
ip route-cache policy
ip policy route-map labor-policy
!
access-list 130 permit ip 10.209.1.0 0.0.0.255 135.80.0.0 0.0.255.255
access-list 130 permit ip 10.209.1.0 0.0.0.255 192.168.254.0 0.0.0.255
!
route-map labor-policy permit 10
match ip address 130
set ip next-hop 10.209.254.254
!
Intention: "Packets from 10.209.1.0/24 towards these destinations should
take whichever path is the best towards 10.209.254.254".
If I do this, and have CEF enabled, "debug ip policy" prints:
CEF-IP-POLICY: fib for address 10.209.254.254 is with flag 0
IP: s=10.209.1.1 (FastEthernet0/1), d=135.80.82.138, len 84, FIB policy
rejected - normal forwarding
If CEF is off, I get:
IP: s=10.209.1.1 (FastEthernet0/1), d=135.80.82.138, len 84, policy match
IP: route map labor-policy, item 10, permit
IP: s=10.209.1.1 (FastEthernet0/1), d=135.80.82.138 (Multilink1), len 84,
policy rejected -- normal forwarding
Connectivity and adjacencies are there:
Cisco-AVK#sh ip cef 10.209.254.254
10.209.254.254/32, version 21, cached adjacency 10.211.63.254
0 packets, 0 bytes
via 135.80.82.254, 0 dependencies, recursive
next hop 10.211.63.254, FastEthernet0/0 via 135.80.82.254/32
valid cached adjacency
If I change the policy to read:
route-map labor-policy permit 10
match ip address 130
set ip next-hop 10.211.63.254
(which is directly adjacent), everything works as expected.
So my interpretation of this is: "indirect next-hops do not work for
policy routing". And of course the question is "why? and is there a
workaround to make it work?". IOS is 12.2(21a) on a 2621XM.
As for "why would anybody want to do this", here's a bit of motivation.
Subnets A and B need to reliably communicate.
There is a ethernet connection with much bandwidth, but with some delay
issues and with some reliability issues, between them, crossing routes
X, Y, Z.
For timing critical traffic, there is a ISDN leased line, directly
connecting A and B.
A ---------- small/low RTT ------------- B
| |
+-- X --- Y --- Z --- fast/high delay----+
Bulk traffic is coming from 10.209.1.0/24, and should take the route
A->X->Y->Z->B.
Timing sensitive traffic is coming from 10.209.0.0/24, and should take
the direct route A->B. (So "classic" routing is out).
So far, this could easily be done with a "set ip next-hop X" (direct
adjacency from A).
Unfortunately, it gets worse. X/Y/Z have reliability issues, *and* are
not under our control. So there is a BGP session A->X->Y->Z->B which
is used to make sure there is connectivity over that path.
B is announcing a loopback address via B->Z->Y->X->A and via a second
session B->A (with higher MED).
So the idea was "policy-route towards that loopback IP. If X/Y/Z work,
packets will travel that way. If it doesn't work, packets take the
ISDN leased line for backup".
Yes, this is ugly (and I told them that it is, but there's a Telco
involved in managing X, Y, and Z, so this cannot be fixed quick enough
for their needs).
Any other suggestions to sort this out:
10.209.0.0/24 -> via ISDN, if available, X/Y/Z otherwise
10.209.1.0/24 -> via X/Y/Z, if available, ISDN otherwise
are welcome.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list