Hi Marcel, I think the issue is that the LOCAL_TRAFFIC traffic will not re-enter in the loopback because there is a route for its destination, so the "set default" will not kick in. Since you can't do set interface lo, try using set ip next-hop loopbackIP.
Martin

On Tue, Sep 1, 2009 at 7:51 PM, <[email protected]> wrote:
> Send CCIE_RS mailing list submissions to
>         [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://onlinestudylist.com/mailman/listinfo/ccie_rs
> or, via email, send a message with subject or body 'help' to
>         [email protected]
>
> You can reach the person managing the list at
>         [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CCIE_RS digest..."
>
>
> Today's Topics:
>
>    1. Re: backbone area must be virtual-link but not found from
>       150.100.12.2, FastEt (prakash patel)
>    2. Re: backbone area must be virtual-link but not found from
>       150.100.12.2, FastEt (Ahmed Haji Munye)
>    3. Local PBR and reflexive ACL (Marcel Lammerse)
>    4. Re: Local PBR and reflexive ACL (Joe Astorino)
>    5. Re: Local PBR and reflexive ACL (Marcel Lammerse)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 1 Sep 2009 16:20:43 -0400
> From: prakash patel <[email protected]>
> Subject: Re: [OSL | CCIE_RS] backbone area must be virtual-link but not found from 150.100.12.2, FastEt
> To: <[email protected]>, <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> mismatch area ID,
>
> > Date: Tue, 1 Sep 2009 19:20:12 +0000
> > From: [email protected]
> > To: [email protected]
> > Subject: [OSL | CCIE_RS] backbone area must be virtual-link but not found from 150.100.12.2, FastEt
> >
> > I have started OSPF process ID 123 and put Area 0 on a frame-relay, using
> > R2 as the hub, R5 and R6 as the spokes. I am using subnet
> > 150.100.100.0/24 on the Frame-relay.
> >
> > I have also started OSPF 123 between R2's Fa0/0 and R1's Fa0/0, putting them
> > in Area 0.
> >
> > I do have neighbors and I can see the remote routes in each routing table.
> > But the issue is that I am getting the ERROR message below in the blue line
> > when I start OSPF 123 on the 150.100.221.0/24 subnet, putting it into area
> > 678.
> >
> > 150.100.221.0/24 is directly connected to R7's fa0/0.
> >
> > R6(config-router)#network 150.100.221.0 0.0.0.255 area 678
> > R6(config-router)#
> > *Sep  1 19:15:38.911: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID,
> > from backbone area must be virtual-link but not found from 150.100.12.2, FastEthernet0/1
> >
> > Please help me out.
> >
> > Kind Regards
> > Ahmed
>
> ------------------------------
>
> Message: 2
> Date: Tue, 1 Sep 2009 20:37:46 +0000 (GMT)
> From: Ahmed Haji Munye <[email protected]>
> Subject: Re: [OSL | CCIE_RS] backbone area must be virtual-link but not found from 150.100.12.2, FastEt
> To: [email protected], prakash patel <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi
>
> What is the solution, and on which routers do I need to change the area ID, and
> how do I do it?
>
> Kind Regards
> Ahmed
>
> --- On Tue 2009-09-01, prakash patel <[email protected]> wrote:
>
> > mismatch area ID,
>
> ------------------------------
>
> Message: 3
> Date: Wed, 02 Sep 2009 09:19:04 +1000
> From: Marcel Lammerse <[email protected]>
> Subject: [OSL | CCIE_RS] Local PBR and reflexive ACL
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Hi All,
>
> I am trying to configure locally generated BGP and ICMP traffic to be
> inspected by reflexive acls, using the following:
>
> R1
>
> ip local policy route-map LOCAL_POLICY
> !
> route-map LOCAL_POLICY permit 10
>  match ip address LOCAL_TRAFFIC
>  set default interface Loopback0
> !
> ip access-list extended INBOUND
>  evaluate MIRROR
>  deny ip any any log
> !
> ip access-list extended LOCAL_TRAFFIC
>  permit tcp any any eq bgp
>  permit icmp any any
> !
> ip access-list extended OUTBOUND
>  permit tcp any any eq bgp reflect MIRROR timeout 300
>  permit icmp any any reflect MIRROR timeout 300
>  deny ip any any log
> !
> interface FastEthernet1/0
>  ip address 192.168.12.1 255.255.255.0
>  ip access-group INBOUND in
>  ip access-group OUTBOUND out
>  duplex auto
>  speed auto
>
> I see the following matches on the ACLs:
>
> R1#sh ip access-lists
> Extended IP access list INBOUND
>     10 evaluate MIRROR
>     20 deny ip any any log (81 matches)
> Extended IP access list LOCAL_TRAFFIC
>     10 permit tcp any any eq bgp (83 matches)
>     20 permit icmp any any (67 matches)
> Reflexive IP access list MIRROR
> Extended IP access list OUTBOUND
>     10 permit tcp any any eq bgp reflect MIRROR
>     20 permit icmp any any reflect MIRROR
>     30 deny ip any any log
> R1#
>
> R1#sh ip bgp sum
> BGP router identifier 1.1.1.1, local AS number 10
> BGP table version is 1, main routing table version 1
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 192.168.12.2    4    20       0       0        0    0    0 never    Active
> R1#
>
> And, you guessed it, it is not working :)
>
> I see that the local BGP session is matched, but no dynamic acl entry
> is created for the return path, therefore BGP doesn't come up:
>
> R1#
> *Sep  2 09:11:14.551: %SYS-5-CONFIG_I: Configured from console by console
> *Sep  2 09:11:19.807: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(38879) -> 192.168.12.1(179), 1 packet
> *Sep  2 09:11:31.107: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
> *Sep  2 09:11:47.803: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(64607) -> 192.168.12.1(179), 1 packet
> *Sep  2 09:12:02.703: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(179) -> 192.168.12.1(28480), 1 packet <--------
>
> But, why? Looking at the route-map, the set clause is as follows:
>
> R1#sh route-map
> route-map LOCAL_POLICY, permit, sequence 10
>   Match clauses:
>     ip address (access-lists): LOCAL_TRAFFIC
>   Set clauses:
>     default interface Loopback0
>   Policy routing matches: 322 packets, 22016 bytes
> R1#
>
> I've tried 'set interface loopback', but that gives me the following
> warning message:
>
> R1(config-route-map)#set interface loopback 0
> %Warning:Use P2P interface for routemap set interface clause
>
> R1(config-route-map)#
>
> Does anyone know if this is relevant for triggering the reflection?
> ICMP also doesn't work:
>
> R1#ping 192.168.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R1#
>
> Any insight would be greatly appreciated!
>
>
> --
> Marcel Lammerse
>
> ------------------------------
>
> Message: 4
> Date: Tue, 1 Sep 2009 19:46:04 -0400
> From: Joe Astorino <[email protected]>
> Subject: Re: [OSL | CCIE_RS] Local PBR and reflexive ACL
> To: Marcel Lammerse <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Why do you set the output interface to a loopback? Have you tried it with
> the reflexive ACL inbound instead of outbound?
>
> --
> Regards,
>
> Joe Astorino - CCIE #24347 R&S
> Technical Instructor - IPexpert, Inc.
> Cell: +1.586.212.6107
> Fax: +1.810.454.0130
> Mailto: [email protected]
>
> ------------------------------
>
> Message: 5
> Date: Wed, 02 Sep 2009 09:51:32 +1000
> From: Marcel Lammerse <[email protected]>
> Subject: Re: [OSL | CCIE_RS] Local PBR and reflexive ACL
> To: Joe Astorino <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Locally generated traffic is not affected by outbound access-lists. It
> just passes through. With this reflexive access-list, I need to
> trigger the acl in order to create a dynamic ace in the inbound acl for
> the return traffic. By forcing the traffic to the loopback interface,
> it re-enters the router and follows the proper path to achieve this.
>
> On 02/09/2009, at 09:46, Joe Astorino wrote:
>
> > Why do you set the output interface to a loopback? Have you tried
> > it with the reflexive ACL inbound instead of outbound?
>
> --
> Marcel Lammerse
>
>
> End of CCIE_RS Digest, Vol 44, Issue 16
> ***************************************
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
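The failure mode in the thread, modelled in Python as an added example (not code from the thread, from IOS, or from any of the posters): locally generated packets skip the interface's outbound ACL, so the "reflect MIRROR" entries are never installed and R2's replies die on "evaluate MIRROR / deny ip any any log". The model encodes the IOS rule Martin points at, that "set default ..." is consulted only when the routing table has no explicit route for the destination (192.168.12.0/24 is connected on Fa1/0, so it never fires), versus "set ip next-hop" to the router's own loopback, which always redirects. Assumptions, not facts from the page: R1's Loopback0 address is 1.1.1.1 (the thread only shows it as the BGP router ID), and a packet policy-routed to a loopback re-enters the forwarding path as transit traffic. The flows and port numbers are taken from the INBOUND log lines in the thread.

```python
"""Model of R1 from the thread: local policy routing plus the reflexive ACL
pair INBOUND/OUTBOUND on FastEthernet1/0.  Added illustration, not IOS code."""
import ipaddress
from dataclasses import dataclass

LOOPBACK0 = "1.1.1.1"  # ASSUMED Loopback0 address on R1 (thread shows it only as BGP RID)

# R1's routing table as far as the thread shows it: 192.168.12.0/24 is connected.
ROUTES = {"192.168.12.0/24": "FastEthernet1/0"}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The entry a 'reflect' keyword installs: same protocol, endpoints swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def route_lookup(dst: str):
    """Longest-prefix match over ROUTES. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def matches_local_traffic(flow: Flow) -> bool:
    """ACL LOCAL_TRAFFIC: permit tcp any any eq bgp / permit icmp any any."""
    return (flow.proto == "tcp" and flow.dport == 179) or flow.proto == "icmp"


def local_policy(flow: Flow, set_clause: str):
    """route-map LOCAL_POLICY as applied by 'ip local policy route-map'.

    Returns the interface the packet is redirected to, or None to route normally.
    set_clause is "set default interface Loopback0" (the thread's config) or
    "set ip next-hop 1.1.1.1" (Martin's suggestion).
    """
    if not matches_local_traffic(flow):
        return None
    if set_clause.startswith("set default"):
        # IOS consults 'set default' only when no explicit route exists for dst
        return None if route_lookup(flow.dst) else "Loopback0"
    if set_clause.startswith("set ip next-hop"):
        return "Loopback0"   # next hop is our own loopback: packet re-enters locally
    return None


class R1:
    def __init__(self, set_clause: str):
        self.set_clause = set_clause
        self.mirror: set = set()   # reflexive ACL MIRROR (empty in the thread's output)

    def outbound_acl(self, flow: Flow) -> str:
        """ip access-group OUTBOUND out on Fa1/0."""
        if matches_local_traffic(flow):
            self.mirror.add(flow.reverse())      # 'reflect MIRROR'
            return "permit"
        return "deny"                             # deny ip any any log

    def inbound_acl(self, flow: Flow) -> str:
        """ip access-group INBOUND in on Fa1/0: 'evaluate MIRROR', then deny."""
        return "permit" if flow in self.mirror else "deny"

    def send_local(self, flow: Flow) -> str:
        """Path of a packet R1 itself generates towards Fa1/0."""
        if local_policy(flow, self.set_clause) == "Loopback0":
            # Redirected to the loopback, the packet comes back in and is forwarded
            # like a transit packet, so the outbound interface ACL is evaluated.
            return self.outbound_acl(flow)
        # Otherwise IOS sends it straight out; outbound ACLs are never consulted.
        return "bypassed outbound ACL"


def session_comes_up(set_clause: str, proto: str = "tcp") -> bool:
    """Send R1's first packet, then check whether R2's reply passes INBOUND."""
    r1 = R1(set_clause)
    first = (Flow("tcp", "192.168.12.1", 28480, "192.168.12.2", 179) if proto == "tcp"
             else Flow("icmp", "192.168.12.1", 0, "192.168.12.2", 0))
    r1.send_local(first)
    return r1.inbound_acl(first.reverse()) == "permit"


if __name__ == "__main__":
    for clause in ("set default interface Loopback0", f"set ip next-hop {LOOPBACK0}"):
        print(f"{clause:35} BGP up: {session_comes_up(clause)}  "
              f"ping works: {session_comes_up(clause, 'icmp')}")
```

Two checks worth keeping in mind on the real box. First, once the redirect works, "show ip access-lists" should list entries under "Reflexive IP access list MIRROR"; in the thread that list is empty, which is the direct evidence that OUTBOUND was never traversed. Second, the same INBOUND log shows R2's own SYNs to 192.168.12.1(179) being denied, and that does not change with the fix: a reflexive entry only ever covers sessions R1 initiates, so the BGP session has to be the one R1 opens (R2's attempts keep hitting the deny until R1's connection is established).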
