[128577] in North American Network Operators' Group


Re: Policy Based Routing advice

daemon@ATHENA.MIT.EDU (Rogelio)
Thu Aug 12 15:54:19 2010

In-Reply-To: <AANLkTinsEtPCdxx0Cq08b4RVsrFa3CjVs6cjEuTWYQ38@mail.gmail.com>
From: Rogelio <rgamino@gmail.com>
Date: Thu, 12 Aug 2010 15:54:28 -0400
To: Andrey Khomyakov <khomyakov.andrey@gmail.com>
Cc: Nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hmmm... The reason I recommended that is because I think I remember reading somewhere that the "set ip" command does not work on point-to-point interfaces. The outbound interface in your config has a /30 assigned to it so maybe it is seeing it as a p-t-p interface?

Do you have a "less preferred" route via that interface for the destination IPs? If not, I don't think your PBR will work either.



Sent from my iPhone

On Aug 12, 2010, at 3:33 PM, Andrey Khomyakov <khomyakov.andrey@gmail.com> wrote:

> I don't think this will work. Here is the formal description of "set
> interface" from cisco.com:
>
> This action specifies that the packet is forwarded out of the local
> interface. The interface must be a Layer 3 interface (no switchports), and
> the destination address in the packet must lie within the IP network
> assigned to that interface. If the destination address for the packet does
> not lie within that network, the packet is dropped.
>
>
> Since in my case the packets are destined to random addresses on the webz,
> my understanding is that this will effectively be a drop statement for them.
>
> But, no, I have not tried it.
>
> On Thu, Aug 12, 2010 at 3:25 PM, Rogelio <rgamino@gmail.com> wrote:
>
>> Have you tried "set interface" instead of "set ip"?
>>
>>
>> Sent from my iPhone
>>
>> On Aug 12, 2010, at 3:13 PM, Andrey Khomyakov <khomyakov.andrey@gmail.com>
>> wrote:
>>
>>> I did try an extended ACL and had the same result.
>>> The way I know that it's not working is that I see these packets arriving
>>> on a wrong interface on the firewall and therefore being dropped.
>>> I actually had to open a CR with Cisco and they verified the config and
>>> said nothing is wrong with it. They are escalating and will hopefully get
>>> back to me about this.
>>>
>>> Andrey
>>
>
>
>
> --
> Andrey Khomyakov
> [khomyakov.andrey@gmail.com]
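A small Python model of the two route-map set actions argued over in this thread, added here as an illustration and not part of the original posts or of any Cisco code. The interface name, the /30 and the destination addresses are constructed (RFC 5737 test ranges), and the "next hop not adjacent, route normally" fallback is an assumption about IOS behaviour, not something the thread states.

```python
import ipaddress

# Constructed topology: a single point-to-point uplink carrying a /30,
# mirroring the shape of the original poster's outbound interface.
CONNECTED = {"Gi0/1": ipaddress.ip_network("192.0.2.0/30")}  # constructed


def pbr_decision(dst, set_clause, connected=CONNECTED):
    """Model how a matched route-map clause disposes of one packet.

    set_clause is ("set interface", iface) or ("set ip next-hop", addr).
    Returns (verdict, detail): verdict is "forward", "drop" or
    "route-normally"; detail names the egress path or the reason.
    """
    dst = ipaddress.ip_address(dst)
    kind, arg = set_clause
    if kind == "set interface":
        # Per the cisco.com text quoted in the thread: the destination must
        # lie within the network assigned to that interface, else the packet
        # is dropped. Internet-bound traffic therefore never matches a /30.
        net = connected[arg]
        if dst in net:
            return ("forward", arg)
        return ("drop", f"{dst} not within {net} on {arg}")
    if kind == "set ip next-hop":
        nh = ipaddress.ip_address(arg)
        # Assumption (not from the thread): the next hop must sit on a
        # directly connected network; otherwise the clause is skipped and
        # the packet falls back to the normal routing table.
        for iface, net in connected.items():
            if nh in net:
                return ("forward", f"{iface} via {nh}")
        return ("route-normally", f"next hop {nh} not adjacent")
    raise ValueError(f"unknown set clause {kind}")


def compare_clauses(dst):
    """Apply both clauses to the same Internet-bound destination."""
    return {
        "set interface": pbr_decision(dst, ("set interface", "Gi0/1")),
        "set ip next-hop": pbr_decision(dst, ("set ip next-hop", "192.0.2.2")),
    }


if __name__ == "__main__":
    for clause, (verdict, detail) in compare_clauses("198.51.100.10").items():
        print(f"{clause:16} -> {verdict}: {detail}")
```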

