Why does my PBR not work with OSPF P2M Network Type?

R5(config)#! On R5 I am filtering route to R2's loopback: 150.1.2.2/32
R5(config)#! inbound, so Type 1 LSA still exists in R5's database
R5(config)#!but not in the routing table, let's see
R5(config)#do sh ip ospf data    

            OSPF Router with ID (150.1.5.5) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
150.1.1.1       150.1.1.1       1413        0x80000007 0x008CA7 4
150.1.2.2       150.1.2.2       1099        0x80000006 0x00E734 3
150.1.3.3       150.1.3.3       1192        0x80000006 0x0015FE 3
150.1.4.4       150.1.4.4       1292        0x80000007 0x009997 5
150.1.5.5       150.1.5.5       1111        0x80000007 0x00B984 7
150.1.6.6       150.1.6.6       2     (DNA) 0x80000003 0x009A72 1

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
150.1.5.5       150.1.5.5       1111        0x80000004 0x00DD18
150.1.6.6       150.1.1.1       1413        0x80000004 0x006190
150.1.6.6       150.1.4.4       1292        0x80000004 0x003AB1
150.1.6.6       150.1.6.6       2     (DNA) 0x80000001 0x00C133
150.1.7.7       150.1.3.3       1192        0x80000004 0x0032B9
150.1.7.7       150.1.6.6       2     (DNA) 0x80000001 0x0011D7
150.1.8.8       150.1.5.5       1111        0x80000004 0x0003E2
         
R5(config)#!we see 150.1.2.2 in the 2nd row of Router Link States
R5(config)#!let's verify it is not in the routing table:
R5(config)#do sh ip route | i 150.1.2
R5(config)#!now let's see how our filter was applied: 
R5(config)#do sh run | s router ospf
router ospf 1
 router-id 150.1.5.5
 distribute-list prefix R1R2 in
R5(config)#do sh ip prefix-l R1R2
ip prefix-list R1R2: 3 entries
   seq 5 deny 150.1.1.1/32
   seq 10 deny 150.1.2.2/32
   seq 15 permit 0.0.0.0/0 le 32
R5(config)#!ok so 150.1.2.2/32 is denied and we saw that
R5(config)#!but let's check one more thing...
R5(config)#do ping 150.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5(config)#!the problem is that other routers rely on
R5(config)#!R5 as the next hop to reach 150.1.2.2
R5(config)#!R4 for example... let's go there

 

R4(config)#!let's see how we reach 150.1.2.2/32
R4(config)#do sh ip route | i 150.1.2.2/32
O        150.1.2.2/32 [110/129] via 155.1.45.5, 02:02:00, Serial1/1
R4(config)#!next hop is R5's IP address but the problem is
R4(config)#!R5 filters that route, so it drops traffic
R4(config)#do ping 150.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4(config)#!I thought it could solve that with policy routing
R4(config)#!let's go back to R5 for now

 

R5(config)#!I created my policy as follows:
R5(config)#do sh route-m Policy
route-map Policy, permit, sequence 10
  Match clauses:
    ip address prefix-lists: R2
  Set clauses:
    ip next-hop 155.1.0.2
  Policy routing matches: 2532 packets, 263328 bytes
R5(config)#do sh ip prefix-l R2
ip prefix-list R2: 1 entries
   seq 5 permit 150.1.2.2/32
R5(config)#!Basically for traffic directed to 150.1.2.2
R5(config)#!use 155.1.0.2 as the next hop
R5(config)#!and I applied it on my serial interface
R5(config)#do sh run int s1/1
Building configuration...

Current configuration : 152 bytes
!
interface Serial1/1
 ip address 155.1.45.5 255.255.255.0
 ip policy route-map Policy
 ip ospf 1 area 0
 serial restart-delay 0
 clock rate 64000
end

R5(config)#!I am also trying to solve the issue for local
R5(config)#!traffic directed to 150.1.2.2/32
R5(config)#do sh run | i ip local policy
ip local policy route-map Policy
R5(config)#!problem is, for some reason the policy is being matched
R5(config)#!and then rejected... at least that is what I see in
R5(config)#!the debug output. Let's ping from R4
R5(config)#!now that the policy is applied

 

R4(config)#do ping 150.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R4(config)#!let's see what R5 says about this...

 

R5(config)#
*Feb  9 20:21:27.326: CEF-IP-POLICY: fib for addr 155.1.0.2 is Not Attached; Nexthop rejected
*Feb  9 20:21:27.326: IP: s=155.1.45.4 (Serial1/1), d=150.1.2.2, len 100, FIB policy rejected - normal forwarding
*Feb  9 20:21:27.341: IP: s=155.1.45.4 (Serial1/1), d=150.1.2.2, len 100, policy rejected -- normal forwarding
*Feb  9 20:21:27.341: IP: s=155.1.45.5 (local), d=155.1.45.4, len 56, policy rejected -- normal forwarding
R5(config)#!ok so the first line says something about next hop
R5(config)#!not being attached. This is due to the OSPF network
R5(config)#!type of point-to-multipoint:
R5(config)#do sh ip ospf int s1/0
Serial1/0 is up, line protocol is up
  Internet Address 155.1.0.5/24, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 150.1.5.5, Network Type POINT_TO_MULTIPOINT, Cost: 64
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           64        no          no            Base
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:05
  Supports Link-local Signaling (LLS)
  Cisco NSF helper support enabled
  IETF NSF helper support enabled
  Index 1/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 3, maximum is 12
  Last flood scan time is 0 msec, maximum is 1 msec
  Neighbor Count is 4, Adjacent neighbor count is 4
    Adjacent with neighbor 150.1.3.3
    Adjacent with neighbor 150.1.1.1
    Adjacent with neighbor 150.1.2.2
    Adjacent with neighbor 150.1.4.4
  Suppress hello for 0 neighbor(s)
R5(config)#do sh ip route | i 155.1.0.2/32
O        155.1.0.2/32 [110/64] via 155.1.0.2, 00:58:58, Serial1/0
R5(config)#!so I am guessing it is because of the network type but
R5(config)#!I'd like to understand why...
R5(config)#!same results for local traffic directed to 150.1.2.2:
R5(config)#do debug ip policy
Policy routing debugging is on
R5(config)#do ping 150.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:

*Feb  9 20:28:04.436: IP: s=155.1.0.5 (local), d=150.1.2.2, len 100, policy rejected -- normal forwarding.
*Feb  9 20:28:06.440: IP: s=155.1.0.5 (local), d=150.1.2.2, len 100, policy rejected -- normal forwarding
*Feb  9 20:28:06.471: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy match
*Feb  9 20:28:06.471: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, PBR Counted
*Feb  9 20:28:06.471: CEF-IP-POLICY: fib for addr 155.1.0.2 is Not Attached; Nexthop rejected
*Feb  9 20:28:06.471: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy rejected - normal forwarding..
*Feb  9 20:28:08.447: IP: s=155.1.0.5 (local), d=150.1.2.2, len 100, policy rejected -- normal forwarding
*Feb  9 20:28:08.496: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy match
*Feb  9 20:28:08.496: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, PBR Counted
*Feb  9 20:28:08.496: CEF-IP-POLICY: fib for addr 155.1.0.2 is Not Attached; Nexthop rejected
*Feb  9 20:28:08.496: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy rejected - normal forwarding.
*Feb  9 20:28:10.449: IP: s=155.1.0.5 (local), d=150.1.2.2, len 100, policy rejected -- normal forwarding
*Feb  9 20:28:10.528: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy match
*Feb  9 20:28:10.529: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, PBR Counted
*Feb  9 20:28:10.529: CEF-IP-POLICY: fib for addr 155.1.0.2 is Not Attached; Nexthop rejected
*Feb  9 20:28:10.529: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy rejected - normal forwarding
*Feb  9 20:28:12.451: IP: s=155.1.0.5 (local), d=150.1.2.2, len 100, policy rejected -- normal forwarding
*Feb  9 20:28:12.548: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy match
*Feb  9 20:28:12.548: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, PBR Counted
*Feb  9 20:28:12.548: CEF-IP-POLICY: fib for addr 155.1.0.2 is Not Attached; Nexthop rejected
*Feb  9 20:28:12.548: IP: s=155.1.0.5 (Serial1/1), d=150.1.2.2, len 100, FIB policy rejected - normal forwarding.
Success rate is 0 percent (0/5)

In case you are wondering, the policy does work when I change the network type to Broadcast... but again, I'd like to understand why this behavior occurs.

Thanks in advance

Comments

  • Cisco IP Routing-Zinin states

    "First the next-hop address is checked for resolvability; the next-hop address must be resolvable via a directly connected route."

    and OSPF P2M host routes are not directly connected routes.
    The book was written when 12.0 IOS was current. A static route to interface would introduce a connected route into table to check if CEF reports differently.

    My guess is that IOS is still retaining/using this logic.

    I'm not observing behavior using GNS3. /good post and would like to know why too.
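
Added example, not part of the thread and not IOS code: a simplified Python model of the resolvability rule quoted in the comment above, run against the routes shown in the question. It assumes the check is a longest-prefix match whose winning route must be connected; the function names and the broadcast-case table are constructed for illustration.

```python
import ipaddress

def best_route(rib, addr):
    """Longest-prefix match: return (network, source) covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), src) for p, src in rib
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def pbr_next_hop_usable(rib, next_hop):
    """Assumed rule: a 'set ip next-hop' address is accepted only when its
    best (most specific) route is a connected ('C') route."""
    best = best_route(rib, next_hop)
    return best is not None and best[1] == "C"

# R5 with Serial1/0 as point-to-multipoint: OSPF installs a /32 per neighbor.
# Prefixes are taken from the "show" output in the question.
RIB_P2MP = [
    ("155.1.0.0/24", "C"),    # Serial1/0, 155.1.0.5/24
    ("155.1.45.0/24", "C"),   # Serial1/1, 155.1.45.5/24
    ("155.1.0.2/32", "O"),    # O 155.1.0.2/32 [110/64] via 155.1.0.2
]

# Constructed for comparison: the same router with network type broadcast,
# assuming no per-neighbor host routes are installed.
RIB_BROADCAST = [
    ("155.1.0.0/24", "C"),
    ("155.1.45.0/24", "C"),
]

def explain(rib, next_hop="155.1.0.2"):
    """One-line verdict in the spirit of the CEF-IP-POLICY debug message."""
    best = best_route(rib, next_hop)
    if best is None:
        return f"{next_hop} has no route: rejected, normal forwarding"
    verdict = ("accepted" if pbr_next_hop_usable(rib, next_hop)
               else "rejected, normal forwarding")
    return f"{next_hop} resolves via {best[0]} ({best[1]}): {verdict}"

if __name__ == "__main__":
    print("P2MP:     ", explain(RIB_P2MP))
    print("broadcast:", explain(RIB_BROADCAST))
```

In the point-to-multipoint table the OSPF /32 is more specific than the connected /24, so the next hop's best route is not connected, which matches the "Not Attached; Nexthop rejected" lines in the debug output.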
