Why do you set the output interface to a loopback? Have you tried it with the reflexive ACL inbound instead of outbound?
On Tue, Sep 1, 2009 at 7:19 PM, Marcel Lammerse <[email protected]> wrote:
> Hi All,
>
> I am trying to configure locally generated BGP and ICMP traffic to be
> inspected by reflexive acls, using the following:
>
> R1
>
> ip local policy route-map LOCAL_POLICY
> !
> route-map LOCAL_POLICY permit 10
>  match ip address LOCAL_TRAFFIC
>  set default interface Loopback0
> !
> ip access-list extended INBOUND
>  evaluate MIRROR
>  deny ip any any log
> !
> ip access-list extended LOCAL_TRAFFIC
>  permit tcp any any eq bgp
>  permit icmp any any
> !
> ip access-list extended OUTBOUND
>  permit tcp any any eq bgp reflect MIRROR timeout 300
>  permit icmp any any reflect MIRROR timeout 300
>  deny ip any any log
> !
> interface FastEthernet1/0
>  ip address 192.168.12.1 255.255.255.0
>  ip access-group INBOUND in
>  ip access-group OUTBOUND out
>  duplex auto
>  speed auto
>
> I see the following matches on the ACLs :
>
> R1#sh ip access-lists
> Extended IP access list INBOUND
>     10 evaluate MIRROR
>     20 deny ip any any log (81 matches)
> Extended IP access list LOCAL_TRAFFIC
>     10 permit tcp any any eq bgp (83 matches)
>     20 permit icmp any any (67 matches)
> Reflexive IP access list MIRROR
> Extended IP access list OUTBOUND
>     10 permit tcp any any eq bgp reflect MIRROR
>     20 permit icmp any any reflect MIRROR
>     30 deny ip any any log
> R1#
>
> R1#sh ip bgp sum
> BGP router identifier 1.1.1.1, local AS number 10
> BGP table version is 1, main routing table version 1
>
> Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
> 192.168.12.2    4    20       0       0        0    0    0 never    Active
> R1#
>
> And, you guessed it, it is not working :)
>
> I see that the local BGP session is matched, but no dynamic acl entry
> is created for the return path, therefore BGP doesn't come up :
>
> R1#
> *Sep 2 09:11:14.551: %SYS-5-CONFIG_I: Configured from console by console
> *Sep 2 09:11:19.807: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(38879) -> 192.168.12.1(179), 1 packet
> *Sep 2 09:11:31.107: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 4 packets
> *Sep 2 09:11:47.803: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(64607) -> 192.168.12.1(179), 1 packet
> *Sep 2 09:12:02.703: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 192.168.12.2(179) -> 192.168.12.1(28480), 1 packet <--------
>
> But, why? Looking at the route-map, the set clause is as follows :
>
> R1#sh route-map
> route-map LOCAL_POLICY, permit, sequence 10
>   Match clauses:
>     ip address (access-lists): LOCAL_TRAFFIC
>   Set clauses:
>     default interface Loopback0
>   Policy routing matches: 322 packets, 22016 bytes
> R1#
>
> I've tried 'set interface loopback', but that gives me the following
> warning message :
>
> R1(config-route-map)#set interface loopback 0
> %Warning:Use P2P interface for routemap set interface clause
>
> R1(config-route-map)#
>
> Does anyone know if this is relevant for triggering the reflection?
> ICMP also doesn't work :
>
> R1#ping 192.168.12.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
> R1#
>
> Any insight would be greatly appreciated!
>
>
> --
> Marcel Lammerse
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Regards,
Joe Astorino - CCIE #24347
R&S Technical Instructor - IPexpert, Inc.
Cell: +1.586.212.6107
Fax: +1.810.454.0130
Mailto: [email protected]
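Added example for the thread above (editor's addition, not configuration posted by either participant): the route-map variant in which the loopback trick for locally generated traffic actually takes effect. It assumes the rest of Marcel's R1 configuration (the INBOUND, OUTBOUND and LOCAL_TRAFFIC ACLs, FastEthernet1/0 and "ip local policy") stays exactly as posted and that Loopback0 exists. The relevant IOS behaviour: "set default interface" is only applied when the routing table has no explicit (non-default) route to the destination, and 192.168.12.2 is directly connected on Fa1/0, so that clause never fires and the locally generated packet is forwarded normally, where outbound interface ACLs do not see router-originated traffic.

```cisco
! Editor's added example; assumes Marcel's posted R1 config otherwise unchanged.
!
! Original clause: honoured only when there is no explicit route to the
! destination. 192.168.12.0/24 is a connected route, so it never applies and
! "Policy routing matches" increments without the packet ever reaching
! the OUTBOUND ACL on Fa1/0.
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TRAFFIC
 no set default interface Loopback0
!
! Corrected clause: unconditionally sends matched local traffic out Loopback0.
! The packet is then processed as if received on Loopback0 and routed to
! Fa1/0 like transit traffic, so "permit ... reflect MIRROR" in OUTBOUND
! creates the dynamic return-path entry that INBOUND's "evaluate MIRROR" uses.
! The "%Warning:Use P2P interface for routemap set interface clause" message
! is informational for a loopback and can be ignored.
route-map LOCAL_POLICY permit 10
 set interface Loopback0
```

After the change, "show ip access-lists" should list entries under "Reflexive IP access list MIRROR" as soon as R1 sends a SYN to port 179 or an ICMP echo, and "show route-map" should report "interface Loopback0" rather than "default interface Loopback0" in the set clauses. Note that the posted OUTBOUND ACL only matches BGP sessions R1 initiates (destination port 179); sessions initiated by R2 are dropped by INBOUND before R1 ever replies, which is the intended behaviour of this design.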
