Hi All,

I am trying to configure locally generated BGP and ICMP traffic to be inspected by reflexive ACLs, using the following:

R1

ip local policy route-map LOCAL_POLICY
!
route-map LOCAL_POLICY permit 10
  match ip address LOCAL_TRAFFIC
  set default interface Loopback0
!
ip access-list extended INBOUND
  evaluate MIRROR
  deny   ip any any log
!
ip access-list extended LOCAL_TRAFFIC
  permit tcp any any eq bgp
  permit icmp any any
!
ip access-list extended OUTBOUND
  permit tcp any any eq bgp reflect MIRROR timeout 300
  permit icmp any any reflect MIRROR timeout 300
  deny   ip any any log
!
interface FastEthernet1/0
  ip address 192.168.12.1 255.255.255.0
  ip access-group INBOUND in
  ip access-group OUTBOUND out
  duplex auto
  speed auto

I see the following matches on the ACLs:

R1#sh ip access-lists
Extended IP access list INBOUND
     10 evaluate MIRROR
     20 deny ip any any log (81 matches)
Extended IP access list LOCAL_TRAFFIC
     10 permit tcp any any eq bgp (83 matches)
     20 permit icmp any any (67 matches)
Reflexive IP access list MIRROR
Extended IP access list OUTBOUND
     10 permit tcp any any eq bgp reflect MIRROR
     20 permit icmp any any reflect MIRROR
     30 deny ip any any log
R1#

R1#sh ip bgp sum
BGP router identifier 1.1.1.1, local AS number 10
BGP table version is 1, main routing table version 1

Neighbor        V          AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.12.2    4         20       0       0        0    0    0 never    Active
R1#

And, you guessed it, it is not working :)

I see that the local BGP session is matched, but no dynamic ACL entry is created for the return path, therefore BGP doesn't come up:

R1#
*Sep  2 09:11:14.551: %SYS-5-CONFIG_I: Configured from console by console
*Sep  2 09:11:19.807: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(38879) -> 192.168.12.1(179), 1 packet
*Sep  2 09:11:31.107: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
*Sep  2 09:11:47.803: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(64607) -> 192.168.12.1(179), 1 packet
*Sep  2 09:12:02.703: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(179) -> 192.168.12.1(28480), 1 packet  <--------

But, why? Looking at the route-map, the set clause is as follows:

R1#sh route-map
route-map LOCAL_POLICY, permit, sequence 10
   Match clauses:
     ip address (access-lists): LOCAL_TRAFFIC
   Set clauses:
     default interface Loopback0
   Policy routing matches: 322 packets, 22016 bytes
R1#

I've tried 'set interface loopback', but that gives me the following warning message:

R1(config-route-map)#set interface loopback 0
%Warning:Use P2P interface for routemap set
                interface clause

R1(config-route-map)#

Does anyone know if this is relevant for triggering the reflection? ICMP also doesn't work:

R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

Any insight would be greatly appreciated!


--
Marcel Lammerse
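As an added illustration of what the log above is showing (this is an example written for this page, not code from the post, from Cisco or from IOS), here is a small Python model of a reflexive ACL: a `reflect` entry on OUTBOUND creates a mirrored 5-tuple entry with an idle timeout, and `evaluate` on INBOUND permits only packets that match such an entry. The addresses, ports and ACL names come from the post; the Packet/ReflexiveList classes, the function names and the simplified evaluation order are assumptions of the model, not IOS internals.

```python
"""Toy model of a Cisco IOS reflexive ACL (reflect / evaluate).

Assumptions: ACL names, addresses and ports are taken from the post; the
5-tuple mirroring and evaluation order are a simplified model of IOS
behaviour written for illustration, not IOS code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # unused (0) for icmp
    dport: int = 0


@dataclass
class ReflexiveList:
    """Dynamic entries created by 'reflect NAME': the mirror image of each
    permitted outbound packet, plus the time at which it expires."""
    name: str
    entries: dict = field(default_factory=dict)

    def reflect(self, pkt: Packet, now: float, timeout: float) -> Packet:
        # Return direction: source/destination and the ports are swapped.
        mirror = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[mirror] = now + timeout
        return mirror

    def evaluate(self, pkt: Packet, now: float) -> bool:
        expiry = self.entries.get(pkt)
        if expiry is None:
            return False
        if now > expiry:          # idle timeout reached: entry is removed
            del self.entries[pkt]
            return False
        return True


def outbound(pkt: Packet, mirror: ReflexiveList, now: float, timeout: float = 300) -> str:
    """OUTBOUND: permit tcp any any eq bgp reflect MIRROR timeout 300 /
    permit icmp any any reflect MIRROR timeout 300 / deny ip any any log."""
    if (pkt.proto == "tcp" and pkt.dport == 179) or pkt.proto == "icmp":
        mirror.reflect(pkt, now, timeout)
        return "permit"
    return "deny"


def inbound(pkt: Packet, mirror: ReflexiveList, now: float) -> str:
    """INBOUND: evaluate MIRROR / deny ip any any log."""
    return "permit" if mirror.evaluate(pkt, now) else "deny"


# Constructed packets using the addresses and ports visible in the post's log.
R1, R2 = "192.168.12.1", "192.168.12.2"
BGP_SYN_FROM_R1 = Packet("tcp", R1, R2, 28480, 179)   # R1 opening the session
BGP_REPLY_TO_R1 = Packet("tcp", R2, R1, 179, 28480)   # the packet INBOUND logged as denied
BGP_SYN_FROM_R2 = Packet("tcp", R2, R1, 38879, 179)   # R2 opening its own session
PING_FROM_R1 = Packet("icmp", R1, R2)
PING_REPLY = Packet("icmp", R2, R1)


def return_traffic_decision(outbound_seen: bool, delay: float = 0.0) -> dict:
    """What INBOUND decides for the return packets, depending on whether the
    locally generated packets actually passed through OUTBOUND (and so were
    reflected).  'delay' is seconds elapsed since the outbound packets."""
    mirror = ReflexiveList("MIRROR")
    if outbound_seen:
        outbound(BGP_SYN_FROM_R1, mirror, now=0.0)
        outbound(PING_FROM_R1, mirror, now=0.0)
    return {
        "bgp_reply": inbound(BGP_REPLY_TO_R1, mirror, delay),
        "bgp_from_peer": inbound(BGP_SYN_FROM_R2, mirror, delay),  # never reflected
        "ping_reply": inbound(PING_REPLY, mirror, delay),
    }


if __name__ == "__main__":
    print("no reflection (what the log shows):", return_traffic_decision(False))
    print("reflected:                         ", return_traffic_decision(True))
    print("reflected, idle for 301 s:         ", return_traffic_decision(True, delay=301))
```

Run without arguments it prints three cases. With no reflected entry, every inbound packet falls through to `deny ip any any log`, which is exactly the log in the post: both the peer's own session attempts (`38879 -> 179`, `64607 -> 179`) and the reply to R1's own SYN (`179 -> 28480`) are denied. Once the outbound SYN and echo request are reflected, only their mirror images (`179 -> 28480` and the echo reply) are permitted; the peer-initiated SYNs are still denied, since a reflexive ACL only opens the return path of sessions that the inside originated, and the entry disappears again after the 300-second idle timeout.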