Re: [rare-dev] multiple tunnels with pbr


  • From: mc36
  • To: Everson Borges
  • Subject: Re: [rare-dev] multiple tunnels with pbr
  • Date: Tue, 18 Jan 2022 07:07:24 +0100

hi,

I did the following:

-first of all, got rid of the "out of subnet ospf" logs by changing
FRA0001(cfg)#inter eth4
FRA0001(cfg-if)#ipv4 address 13.13.13.1 255.255.255.252
FRA0001(cfg-if)#router ospf4 1 enable
the latter because the address change removed the routing...

-then RIO0001#ping 30.30.30.2 /vrf v1 /repeat 11111111, which worked
periodically,
so my first idea was to observe the IGP, which is always a good idea, so
FRA0001(cfg)#router ospf4
FRA0001(cfg-rtr)#area 0 spf-topolog

-and immediately got a periodic message of
info shrtPthFrst.diffPrefix:shrtPthFrst.java:577 prefix 30.30.30.0/30 lost at GVA0001
info shrtPthFrst.diffPrefix:shrtPthFrst.java:561 prefix 40.40.40.0/30 appeared at GVA0001
info shrtPthFrst.diffPrefix:shrtPthFrst.java:577 prefix 40.40.40.0/30 lost at GVA0001
info shrtPthFrst.diffPrefix:shrtPthFrst.java:561 prefix 30.30.30.0/30 appeared at GVA0001
which indicates a flapping interface

-so i did the following:
GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:26

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:27

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:27

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:28

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:29

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:29

GVA0001#show ipv4 route v1 | include 30.30.30
S 20.20.20.11/32 30/0 tunnel1 30.30.30.1 00:00:00
C 30.30.30.0/30 0/0 tunnel1 null 00:00:00
LOC 30.30.30.2/32 0/1 tunnel1 null 00:00:00

GVA0001#show ipv4 route v1 | include 30.30.30
S 20.20.20.11/32 30/0 tunnel1 30.30.30.1 00:00:00
C 30.30.30.0/30 0/0 tunnel1 null 00:00:00
LOC 30.30.30.2/32 0/1 tunnel1 null 00:00:00

GVA0001#show ipv4 route v1 | include 30.30.30
S 20.20.20.11/32 30/0 tunnel1 30.30.30.1 00:00:01
C 30.30.30.0/30 0/0 tunnel1 null 00:00:01
LOC 30.30.30.2/32 0/1 tunnel1 null 00:00:01

GVA0001#show ipv4 route v1 | include 30.30.30
S 20.20.20.11/32 30/0 tunnel1 30.30.30.1 00:00:02
C 30.30.30.0/30 0/0 tunnel1 null 00:00:02
LOC 30.30.30.2/32 0/1 tunnel1 null 00:00:02

GVA0001#show ipv4 route v1 | include 30.30.30
S 20.20.20.11/32 30/0 tunnel1 30.30.30.1 00:00:03
C 30.30.30.0/30 0/0 tunnel1 null 00:00:03
LOC 30.30.30.2/32 0/1 tunnel1 null 00:00:03

GVA0001#show ipv4 route v1 | include 30.30.30
S 20.20.20.11/32 30/0 tunnel1 30.30.30.1 00:00:04
C 30.30.30.0/30 0/0 tunnel1 null 00:00:04
LOC 30.30.30.2/32 0/1 tunnel1 null 00:00:04

GVA0001#show ipv4 route v1 | include 30.30.30
S 20.20.20.11/32 30/0 tunnel1 30.30.30.1 00:00:04
C 30.30.30.0/30 0/0 tunnel1 null 00:00:04
LOC 30.30.30.2/32 0/1 tunnel1 null 00:00:04

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:36

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:37

GVA0001#show ipv4 route v1 | include 30.30.30
O E2 30.30.30.0/30 110/0 ethernet1 7.7.7.2 00:07:37

GVA0001#

-so when the tunnel comes up, you route the tunnel destination into the tunnel,
so it decides that this is unlimited recursive encapsulation and brings it down,
which results in the tunnel coming up again; then in the next evaluation you
route the tunnel destination into the tunnel again, and so on. So I did the
following:

GVA0001(cfg)#no ipv4 route v1 20.20.20.11 255.255.255.255 30.30.30.1 distance 30
GVA0001(cfg)#no ipv4 route v1 20.20.20.11 255.255.255.255 40.40.40.1 distance 40

-which stopped the spf logs from appearing continuously...

-and also ping 30.30.30.2 /vrf v1 /repeat 11111111 went 100% success rate...

-then RIO0001#ping 20.20.20.7 /vrf v1 /interface lo0 /tos 15 started to flood:
RIO0001#show interfaces traffic
interface state tx rx drop
loopback0 up 0 0 0
ethernet1 up 5437092 5437092 0
tunnel1 up 4172718 0 0
tunnel2 up 0 0 0
tunnel4 admin 0 0 12391512

-well, maybe my bad pbr stuff?
RIO0001#show access-list tos11
sequence 10 permit all any all any all tos 11-22
match=tx=0(0) rx=670902336(10482849) drp=0(0) accessed=00:00:00 ago, 00:00:00 timeout

RIO0001#show access-list tos11
sequence 10 permit all any all any all tos 11-22
match=tx=0(0) rx=674903296(10545364) drp=0(0) accessed=00:00:00 ago, 00:00:00 timeout

RIO0001#show access-list tos11
sequence 10 permit all any all any all tos 11-22
match=tx=0(0) rx=676086784(10563856) drp=0(0) accessed=00:00:00 ago, 00:00:00 timeout

RIO0001#show access-list tos11
sequence 10 permit all any all any all tos 11-22
match=tx=0(0) rx=677354560(10583665) drp=0(0) accessed=00:00:00 ago, 00:00:00 timeout

RIO0001#

-so yes, we're matching every packet, and PBR happens before routing,
so the box has no chance to inspect the routing table to see that
the packet is for-us and respond to the ping. So I did the following:
RIO0001#show running-config access
access-list tos11
sequence 10 permit all any all 20.20.20.7 255.255.255.255 all tos 11-22
exit
access-list tos33
sequence 10 permit all any all 20.20.20.7 255.255.255.255 all tos 33-44
exit

and

GVA0001#show running-config access
access-list tos11
sequence 10 permit all any all 20.20.20.11 255.255.255.255 all tos 11-22
exit
access-list tos33
sequence 10 permit all any all 20.20.20.11 255.255.255.255 all tos 33-44
exit

GVA0001#

-then tested with
RIO0001#ping 20.20.20.7 /vrf v1 /interface lo0 /repeat 1111111 /tos 15
RIO0001#ping 20.20.20.7 /vrf v1 /interface lo0 /repeat 1111111 /tos 35

and imho now it's working.... :)

regards,
cs
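The two mechanisms behind the fix above (a tunnel whose destination resolves back into the tunnel itself, and PBR being evaluated before the for-us check so that a destination-any ACL bounces the router's own ping between the two ends) can be reproduced in a small model. The following is an added example, not part of the thread and not freertr code: a toy longest-prefix FIB with administrative distance, a tunnel resolver that refuses recursive encapsulation, and a forwarding step that runs PBR first. Addresses follow the thread (tunnel1 on 30.30.30.0/30, loopbacks 20.20.20.7 on GVA and 20.20.20.11 on RIO, ethernet1 on 7.7.7.0/30); the OSPF underlay route for 20.20.20.11, the hop limit and all class and function names are this example's own assumptions.

```python
"""Toy model of the two failure modes in the thread (added example, not freertr code).

Assumed: an OSPF underlay route for 20.20.20.11 via 7.7.7.2 on ethernet1,
a hop limit of 8, and the class/function names below.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    iface: str
    nexthop: Optional[str] = None   # None: directly connected
    distance: int = 0               # lower wins on an equal prefix length


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    tos: int
    ttl: int = 8


class Node:
    def __init__(self, name, local, routes, pbr):
        self.name = name
        self.local = set(local)                 # addresses that are "for us"
        self.routes = [Route(*r) for r in routes]
        self.pbr = pbr                          # [(match_fn, nexthop), ...]

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ip_address(dst)
        hits = [r for r in self.routes if addr in ip_network(r.prefix)]
        return max(hits, key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance),
                   default=None)

    def resolve_tunnel(self, tunnel_iface: str, endpoint: str) -> Optional[str]:
        """Physical egress for a tunnel endpoint, or None when the recursive
        lookup lands in the tunnel itself (unlimited encapsulation)."""
        dst, seen = endpoint, set()
        while dst not in seen:
            seen.add(dst)
            r = self.lookup(dst)
            if r is None or r.iface == tunnel_iface:
                return None
            if r.nexthop is None:
                return r.iface
            dst = r.nexthop
        return None

    def forward(self, pkt: Packet):
        """PBR first, the ordering the thread observes: a broad ACL steals
        packets addressed to the box before the for-us check ever runs."""
        for match, nexthop in self.pbr:
            if match(pkt):
                return ("pbr", nexthop)
        if pkt.dst in self.local:
            return ("local", None)
        r = self.lookup(pkt.dst)
        return ("route", r.nexthop or pkt.dst) if r else ("drop", None)


def acl(tos_lo: int, tos_hi: int, dst: str = "any") -> Callable[[Packet], bool]:
    """Match function for 'permit all any all <dst> all tos lo-hi'."""
    net = None if dst == "any" else ip_network(dst)
    return lambda p: tos_lo <= p.tos <= tos_hi and (net is None or ip_address(p.dst) in net)


def build(rio_dst: str, gva_dst: str):
    """RIO and GVA joined by tunnel1 (30.30.30.1 <-> 30.30.30.2); each node
    policy-routes tos 11-22 into the tunnel with an ACL of the given destination."""
    rio = Node("RIO", {"20.20.20.11", "30.30.30.1"}, [("30.30.30.0/30", "tunnel1")],
               [(acl(11, 22, rio_dst), "30.30.30.2")])
    gva = Node("GVA", {"20.20.20.7", "30.30.30.2"}, [("30.30.30.0/30", "tunnel1")],
               [(acl(11, 22, gva_dst), "30.30.30.1")])
    return {"30.30.30.1": rio, "30.30.30.2": gva, "RIO": rio, "GVA": gva}


def trace(nodes, start: str, pkt: Packet):
    """Follow a packet hop by hop; returns the list of (node, action) taken."""
    node, path = nodes[start], []
    for _ in range(pkt.ttl):
        action, arg = node.forward(pkt)
        path.append((node.name, action))
        if action in ("local", "drop") or arg not in nodes:
            return path
        node = nodes[arg]
    path.append((node.name, "ttl-expired"))
    return path


def gva_tunnel_egress(with_static: bool) -> Optional[str]:
    """GVA resolving its tunnel endpoint 20.20.20.11 with and without the
    static 20.20.20.11/32 via tunnel1 (distance 30) that the thread removes."""
    routes = [("30.30.30.0/30", "tunnel1"), ("7.7.7.0/30", "ethernet1"),
              ("20.20.20.11/32", "ethernet1", "7.7.7.2", 110)]   # assumed OSPF underlay
    if with_static:
        routes.append(("20.20.20.11/32", "tunnel1", "30.30.30.1", 30))
    return Node("GVA", {"20.20.20.7", "30.30.30.2"}, routes, []).resolve_tunnel(
        "tunnel1", "20.20.20.11")


if __name__ == "__main__":
    ping = Packet("20.20.20.11", "20.20.20.7", tos=15)
    print("static via tunnel:", gva_tunnel_egress(True), "| removed:", gva_tunnel_egress(False))
    print("any-dst ACLs:     ", trace(build("any", "any"), "RIO", ping))
    print("dst-specific ACLs:", trace(build("20.20.20.7/32", "20.20.20.11/32"), "RIO", ping))
```

With the static route installed the resolver returns None (the endpoint would be reached through the tunnel it terminates), and with destination-any ACLs the tos 15 ping ping-pongs between RIO and GVA until its hop limit runs out, which is the flood seen in the interface and access-list counters. Restricting each ACL to the far end's loopback lets the for-us check win on the receiving side, so the echo request is answered and only the reply is policy-routed back into the tunnel.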




On 1/17/22 23:54, Everson Borges wrote:
Hi Csaba

I apologize in advance for not having tested it sooner.
For some reason your email with the pbr implementation didn't reach me, but
that's not the problem, as Cristina sent it to me today.
I just tested it today and unfortunately it didn't work.
If there's any time left to take a look, I might have done something wrong.
RIO and GVA router files attached.



On Mon, 17 Jan 2022 at 15:43, Cristina Klippel Dominicini wrote:


________________________________________
From: (address removed) on behalf of mc36
Sent: Wednesday, 12 January 2022 04:24
To: (address removed); Everson Borges
Subject: [rare-dev] multiple tunnels with pbr

hi,

yesterday during the VC you asked if we can demo multiple path
selection with PBR stuff...
so yes, I'll prepare one for the next VC within my homenet; until then,
here is a sketch
that you could try out on your topology at
https://github.com/eversonscherrer/freertr/tree/main/polKa
let's assume for now that you've set up two tunnels addressed as 30.30.30.0/30
and 30.30.30.4/30
then on your rio node you can configure the following:

access-list tos11
sequence 10 permit all any all any all tos 11-22
exit
access-list tos33
sequence 10 permit all any all any all tos 33-44
exit
ipv4 pbr v1 sequence 10 tos11 v1 nexthop 30.30.30.2
ipv4 pbr v1 sequence 20 tos33 v1 nexthop 30.30.30.6

as you can see, it'll match exclusively on dscp (maiden name: shifted tos :)
you should be able to test it with
ping 20.20.20.7 /siz 1111 /rep 11111111 /int lo0 /tos 15
ping 20.20.20.7 /siz 1111 /rep 11111111 /int lo0 /tos 35
ping 20.20.20.7 /siz 1111 /rep 11111111 /int lo0 /tos 45
and spot the difference... :)

regards,
cs


________________________________

This message (including attachments) contains confidential information
intended for a specific user, and its content is protected by law. If
you are not the intended recipient, you must delete this message.

The sender of this message is responsible for its content and addressing.
The recipient is responsible for handling it appropriately. Disclosure,
reproduction and/or distribution without due authorization, or any other
action not in conformity with the internal rules of Ifes, is prohibited
and subject to disciplinary, civil and criminal sanction.



--
Regards,
Everson Scherrer Borges

