Cisco Support Community

fly
New Member

Crs-1 ABF traceroute policy routing

We configured ABF on a CRS-1 interface to policy-route traffic to another next hop.

But when we use traceroute, the policy does not work.

CCO said ABF does not support IP options. Traceroute is one of the IP options.

How can I verify this policy?

Thanks

4 REPLIES
Cisco Employee

Re: Crs-1 ABF traceroute policy routing

Hello Fly,

Normally, default traceroute does not use IPv4 options and should work just fine.

We cannot test ABF with traffic originating from the router where the ABF is applied. It has to be transit traffic, and ABF has to be applied to an ingress interface of the router with ABF.

Here is the example:

    RP/0/RP1/CPU0:pixies#sh run ipv4 access-list abf33
    Tue May 22 09:53:52.884 CEST
    ipv4 access-list abf33
    10 permit ipv4 192.168.101.0 0.255.255.255 any nexthop 10.12.113.2
    20 permit ipv4 any any
    !

Traceroute from the adjacent router:

before ABF configuration

=================================

    RP/0/RP1/CPU0:placebo#traceroute 77.77.77.77
    Tue May 22 09:46:12.446 CEST
    Type escape sequence to abort.
    Tracing the route to 77.77.77.77
    1 192.168.101.2 9 msec 8 msec 7 msec
    2 12.1.1.1 14 msec * 11 msec

After the ABF configuration on the ingress if of pixies

=================================

    RP/0/RP1/CPU0:placebo#traceroute 77.77.77.77
    Tue May 22 09:49:12.049 CEST
    Type escape sequence to abort.
    Tracing the route to 77.77.77.77
    1 192.168.101.2 17 msec 9 msec 7 msec
    2 10.12.113.2 11 msec 11 msec 7 msec  <--------------------  NH from ABF
    3 13.1.1.1 7 msec * 9 msec

    RP/0/RP1/CPU0:pixies#show access-lists abf33 hardware ingress location 0/2/CPU0
    Tue May 22 09:50:55.047 CEST
    ipv4 access-list abf33
    10 permit ipv4 192.0.0.0 0.255.255.255 any (52 hw matches) (next-hop: 10.12.113.2) <------------------  matching entries in HW
    20 permit ipv4 any any (25 hw matches)

Regards,

/A

fly
New Member

Crs-1 ABF traceroute policy routing

Hi Alexei,

Thank you!

We met a weird problem: we configured ABF with a next hop, but it doesn't work.

We have two CRS-1s and one 7609.

The two CRS-1s are configured as below:

    270 permit ipv4 58.240.152.0 0.0.0.255 any nexthop 210.52.241.229
    270 permit ipv4 58.240.152.0 0.0.0.255 any nexthop 210.52.241.225

Trace from the 7609:

 

    NJ-A-JPGX-SR7609-1#traceroute
    Protocol [ip]:
    Target IP address: 120.2.2.2
    Source address: 58.240.152.81
    Numeric display [n]:
    Timeout in seconds [3]:
    Probe count [3]:
    Minimum Time to Live [1]:
    Maximum Time to Live [30]:
    Port Number [33434]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Type escape sequence to abort.
    Tracing the route to 120.2.2.2
    1 221.6.0.249 0 msec
      221.6.2.253 4 msec
      221.6.1.109 0 msec
    2 210.52.241.229 12 msec
      221.6.2.13 4 msec
      210.52.241.229 8 msec
    3 * * *
    4 *
      219.158.96.106 52 msec *

221.6.2.13 is not the policy route; it is the default route in the routing table. The correct policy route path is 210.52.241.229.

The IOS XR version is 3.8.4.

Is this a bug?

Thank you!

Fly

Cisco Employee

Re: Crs-1 ABF traceroute policy routing

Hello Fly,

Correct me if I didn’t get it right.

On the CRS we apply the ACL with the NH 210.52.241.229, and at the trace with TTL 2 we get a reply from 221.6.2.13 instead of the expected 210.52.241.229.

    1 221.6.0.249 0 msec
      221.6.2.253 4 msec
      221.6.1.109 0 msec
    2 210.52.241.229 12 msec
      221.6.2.13 4 msec
      210.52.241.229 8 msec
    3 * * *

What I see is that from the 7600 we have 3 routes to the destination via 221.6.0.249, 221.6.2.253 and 221.6.1.109.

Do all 3 of these IP addresses belong to our CRSes, and do all 3 of them have the ingress ABF ACL?

I’d suggest simplifying the routing to narrow down the issue.

  1. Make sure the route from the 7600 to 120.2.2.2 has only one path and that the interface is connected to our CRS with the ABF ACL.
  2. As was suggested by Max, put the ABF ACL with the HW count in order to verify how many tracert packets hit this ACL.

Regards,

/A

Cisco Employee

Crs-1 ABF traceroute policy routing

You can put a hardware egress access-list on the egress interface used for the nexthop you configured, and make sure it is matching traffic.

Just configure your ACL matching the traffic that is rerouted by the ABF and apply it on the interface with the 'hardware-count' keyword:

ipv4 access-group [name] egress hardware-count

Then use in exec:

show access-list ipv4 [name] hardware egress location 0/x/CPU0

(x is the linecard slot where the egress interface is located).
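
Added example (not written by any poster in this thread): a small Python parser for the IOS / IOS XR traceroute output shown above. It records which address answered each probe, so a hop that is answered by both the ABF next hop and some other address stands out. The function names are hypothetical; the sample hop lines are copied from the two traceroutes in the thread.

```python
import re

IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")

# Hop lines copied from the traceroute outputs in this thread.
TRACE_7609 = """\
1 221.6.0.249 0 msec
   221.6.2.253 4 msec
   221.6.1.109 0 msec
2 210.52.241.229 12 msec
221.6.2.13 4 msec
   210.52.241.229 8 msec
3 * * *
4 *
   219.158.96.106 52 msec *
"""
TRACE_PLACEBO = """\
1 192.168.101.2 17 msec 9 msec 7 msec
2 10.12.113.2 11 msec 11 msec 7 msec
3 13.1.1.1 7 msec * 9 msec
"""

def probes_per_hop(text):
    """Map hop number -> responder per probe (None = timed out)."""
    hops, hop, responder = {}, None, None
    for line in text.splitlines():
        m = HOP.match(line)
        if m:  # new hop; otherwise a continuation line of the current hop
            hop, responder, line = int(m.group(1)), None, m.group(2)
            hops[hop] = []
        if hop is None:
            continue  # banner lines before the first hop
        for tok in line.split():
            if IP.match(tok):
                responder = tok              # applies to the RTTs that follow
            elif tok == "*":
                hops[hop].append(None)
            elif tok == "msec":
                hops[hop].append(responder)  # one answered probe
    return hops

def check_next_hop(text, expected_nh):
    """Return (hop, other responders at that hop), or None if expected_nh never answers."""
    for hop, probes in probes_per_hop(text).items():
        if expected_nh in probes:
            return hop, sorted({p for p in probes if p and p != expected_nh})
    return None

if __name__ == "__main__":
    print(check_next_hop(TRACE_7609, "210.52.241.229"))
    print(check_next_hop(TRACE_PLACEBO, "10.12.113.2"))
```

An empty list of other responders means every answered probe at that hop came from the ABF next hop; a non-empty list only shows that probes took more than one path and does not by itself say which router forwarded them.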
