- Silver, 250 points or more
I have a rather infuriating issue that I can't seem to resolve. I have a 4-router setup in a lab:
I have R3 and R4 configured to tag packets as IPP3 and IPP4, respectively, when they ping R1.
To test this, I have a policy-map on R2's ingress (right) interface that matches IPP3 and IPP4 in independent classes:
class-map match-all PREC4
match precedence 4
class-map match-all PREC3
match precedence 3
I place "drop" in parentheses because I'm adding/removing them as needed to test. So if I remove one class, say class PREC3, and have PREC4 drop IPP4 packets, R4 cannot ping R1 (as expected). If I then add class PREC3, and have it drop IPP3 packets, R3 cannot ping R1 (also as expected).
Here's the problem - if I apply "no drop" to one of the classes (either PREC3 or PREC4), both R3 and R4 can ping R1. This is in spite of the fact that the other class still has "drop" configured. Why would this be the case? If I configure "drop" again, neither router can ping.
Next - I can reset all this by configuring both classes for "no drop". Then I can apply "drop" to either class and make the appropriate router stop pinging, and even make both drop pinging by applying "drop" to both classes. But if both are configured for drop, and I configure "no drop" on either one of the classes, both routers are able to ping.
By the way, if anyone has any good show commands or debugs that will tell me how packets are being tagged, that would be wonderful. The fact that the policy-map drops specific packets tells me that the tagging is working, but I wouldn't mind seeing that for myself.