Route-map, vlan routing
I have a 6509 that I've setup with route-maps in order to route VLANs in different ways. For example, if we wanted some vlans to get out to the internet we would route them to a certain address. Then there is another vlan that we route to another internet gateway. It was all working pretty good until we swapped out another switch gateway in the network and every since things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch then back in, even though my access-list are set to deny the traffic. Here are the access-list and route-maps:
access-list 10 permit 192.168.24.101
access-list 10 permit 192.168.24.102
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
access-list 104 permit tcp host 172.16.4.20 any eq www
ip access-list extended BITCENTRAL_INTERNET
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.1.170 any
permit ip host 172.16.1.150 any
ip access-list extended EDIT_BAYS
deny ip any 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 any
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.25.2 any
permit ip host 192.168.26.80 any
permit ip host 192.168.25.104 any
permit ip host 192.168.25.3 any
permit ip host 192.168.26.69 any
permit ip host 192.168.26.71 any
permit ip host 192.168.27.33 any
ip access-list extended ENPS
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 192.168.24.101 any
permit ip host 192.168.24.102 any
permit ip host 192.168.24.103 any
ip access-list extended ENTRIQ
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.8.0 0.0.0.255 any
ip access-list extended MISC
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip 172.16.11.0 0.0.0.255 any
ip access-list extended Omneon
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
permit ip host 172.16.2.11 any
permit ip host 172.16.2.2 any
ip access-list extended ROSS-VLAN
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
deny ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
permit ip host 172.16.4.20 any
permit ip host 172.16.4.32 any
permit ip host 172.16.4.31 any
permit ip host 172.16.4.29 any
permit ip host 172.16.4.30 any
permit ip host 172.16.4.28 any
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
interface Vlan1
no ip address
shutdown
interface Vlan10
ip address 172.16.1.1 255.255.255.0
ip policy route-map BITCENTRAL
interface Vlan20
ip address 172.16.2.1 255.255.255.0
ip policy route-map OMNEON
interface Vlan30
ip address 172.16.3.1 255.255.255.0
interface Vlan40
ip address 172.16.4.1 255.255.255.0
ip policy route-map ROSS-VLAN
interface Vlan50
ip address 172.16.5.1 255.255.255.0
interface Vlan60
ip address 172.16.6.1 255.255.255.0
interface Vlan70
ip address 172.16.7.1 255.255.255.0
interface Vlan80
ip address 172.16.8.1 255.255.255.0
ip policy route-map ENTRIQ
interface Vlan100
ip address 192.168.27.1 255.255.252.0
ip helper-address 192.168.7.255
ip policy route-map OMNIBUS-VLAN
interface Vlan110
ip address 172.16.11.1 255.255.255.0
ip helper-address 192.168.27.200
ip policy route-map MISC
interface Vlan120
ip address 172.16.10.1 255.255.255.240
ip policy route-map EDIT_BAYS
interface Vlan140
ip address 192.168.4.15 255.255.255.0
ip directed-broadcast 10
interface Vlan500
ip address 192.168.1.19 255.255.255.224
ip classless
ip route 172.22.0.0 255.255.255.248 192.168.4.1
ip route 192.168.0.0 255.255.255.224 192.168.4.254
ip route 192.168.5.0 255.255.255.0 192.168.4.1
route-map BITCENTRAL permit 60
match ip address BITCENTRAL_INTERNET
set ip next-hop 192.168.4.1
route-map EDIT_BAYS permit 50
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map ENTRIQ permit 80
match ip address ENTRIQ
set ip next-hop 172.16.8.254
route-map MISC permit 40
match ip address MISC
set ip next-hop 192.168.4.1
route-map MSN permit 10
match ip address 104
set ip next-hop 192.168.4.1
route-map OMNEON permit 20
match ip address Omneon
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 30
match ip address EDIT_BAYS
set ip next-hop 192.168.4.1
route-map OMNIBUS-VLAN permit 40
match ip address ENPS
set ip next-hop 192.168.4.1
route-map ROSS-VLAN permit 70
match ip address ROSS-VLAN
set ip next-hop 192.168.4.1
route-map SEC-VLAN permit 30
match ip address SEC-VLAN
set ip next-hop 192.168.4.1
Here is how we tested the system and found the error. We cut the connection to 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the ip address of 192.168.24.101 from the MISC vlan with a ip address of 172.168.11.9 the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again. What in my route-map is causing this, I thought I setup the deny rules pretty good?
Hi Mike,
Between you and me, this is a lengthy config you have there.
Next don't forget that a route-map doesn't apply to traffic originated or destined to the self-device, unless you use ip local policy in which might work, but there I have seen some nasty bugs.
So if you can shorten your config to one example, then do the tests :
- sourced from device A (it can be the SVI of another switch)
- through your 6509
- destined to device B (it also can be the SVI of another switch, or even simpler some loopback inteface).
Similar Messages
-
Query Skill Group - Translation Route mapping from Routing Script
Hi,
Is there a way we can query against the individual routing scripts and extract the PSG-TR mapping?
In ICM we can map any particular Peripheral Skill Group (PSG) to a specific Translation Route (TR) defined on the same Peripheral Gateway through ICM routing scripts.
The PSG and TR are both configured through ICM configuration manager and the details are stored in the ICM DB which can be queried against.
However the mapping between the PSG and TR is done through a routing script using Script Editor.
We would like to make an SQL query where we can see PSGs associated to a Translation route on Routing Scripts.
Product: Unified Contact Center Enterprise (UCCE)
Version: 8.5(4)Hi Gergely - how would you then query this data if you required it? Is there a way to map the PSGs to the Translation routes they are associated to?
Thanks! -
Hsrp on router with vlan routing
on my router i have a vlan inteface setup, how to i go about making this vlan interface a virtual ip to be used for hsrp ?
thanks
Carlhi carl,
on the vlan interface eg. as mentioned below
Router A
interface vlan 2
ip address 10.2.1.2 255.255.255.0
standby 2 ip 10.2.1.1
standby 2 timers 5 15
standby 2 prioroty 109
standby 2 preempt
Router B
interface vlan 2
ip address 10.2.1.3 255.255.255.0
standby 2 ip 10.2.1.1
standby 2 timers 5 15
standby 2 prioroty 110
standby 2 preempt
hope this helps.
rate this post. -
Hi,
what is the reason for not having any match, in the acl for the route-map?
Current configuration : 1731 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
ip cef
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface Loopback1
ip address 192.168.1.1 255.255.255.0
interface Loopback200
ip address 196.0.0.1 255.255.255.0
interface FastEthernet0/0
ip address 195.0.0.1 255.255.255.0
ip policy route-map r_teste
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 10.0.0.2 255.255.255.252
serial restart-delay 0
interface Serial1/1
ip address 172.16.0.2 255.255.255.252
serial restart-delay 0
clock rate 128000
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
router bgp 100
no synchronization
bgp log-neighbor-changes
network 192.168.0.0
network 192.168.1.0
neighbor 10.0.0.1 remote-as 200
neighbor 172.16.0.1 remote-as 300
no auto-summary
ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.0.1
access-list 40 permit any
route-map anuncia1 permit 20
match ip address 20
route-map anuncia0 permit 10
match ip address 10
route-map r_teste permit 10
match ip address 40
set ip default next-hop 10.0.0.1
control-plane
line con 0
line aux 0
line vty 0 4
login
end
R2#ping 192.168.55.1 source 195.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
Packet sent with a source address of 195.0.0.1
Success rate is 0 percent (0/5)
R2#sh access-lists
Standard IP access list 10
10 permit 192.168.0.0, wildcard bits 0.0.0.255
Standard IP access list 20
10 permit 192.168.1.0, wildcard bits 0.0.0.255
Standard IP access list 30
10 permit 195.0.0.0, wildcard bits 0.0.0.255
Standard IP access list 40
10 permit any
Extended IP access list 100
10 permit ip any 192.168.55.0 0.0.0.255
R2#
is possible without changing the bgp?
thanksDefault PBR:
All packets received on an interface (ingress) with PBR enabled are entertained, first they should match through ACL then forward to next hop. if a match is exist (through ACL) but not forward to next hop then do nothing this packet especially for ICMP packet.
I think you need Local PBR:
Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
ip local policy route-map TEST
Regards,
kazim -
Route Map - Delete Sequence Number
Hi All,
Taking the cisco example below, which demos how to PBR.
access-list 1 permit 209.165.200.225
access-list 2 permit 209.165.200.226
interface ethernet 1
ip policy route-map Texas
route-map Texas permit 10
match ip address 1
set ip precedence priority
set ip next-hop 209.165.200.227
route-map Texas permit 20
match ip address 2
set ip precedence critical
set ip next-hop 209.165.200.228
How would i safely remove sequence number 20 from the above?
Many thanks.Hi John,
no route-map Texas 20 worked good.
thanks -
Route-map after tunnel end point
Hello Folks. I have an ASA5510 with multiple tunnels terminating into it. Some sites require a hairpin bend out into the internet after terminating, this works fine with an applicable NAT statement, however, is it possible to use a route-map to route this traffic that would normally hair pin bend out the same interface back into the internet, but rather go out through another link on another host?
yes, you can
but not with route map because in ASA there is not route map
so u need first put the folowing command to allow the tunnel exit from the same interface where it is terminated orginally
issue the
same-security-traffic intra-interface
command in the global configuration mode
and for more configurations details use the following link will be useful for your case
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
good luck
Please, Rate if helpful -
HI All
i configured the route-map on router ,
r
oute-map Client_side_map permit 20
match ip address Client_side2
set ip next-hop xx.xx.xx.xx
but when i enter show run i see the following config thats marvel
route-map Client_side_map permit 20
match ip address Client_side2 Internet_side1
set ip next-hop xx.xx.xx.xx xx.xx.xx.xx
any one can tell me what is the underline ?Hi,
R4(config)#access-list 100 permit ip any any
R4(config)#access-list 101 permit ip any any
R4(config)#route-map test p 10
R4(config-route-map)#match ip add 100
R4(config-route-map)#set ip next
R4(config-route-map)#set ip next-hop 20.20.20.20
R4(config-route-map)#do sh route-map
route-map test, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 20.20.20.20
Policy routing matches: 0 packets, 0 bytes
R4(config-route-map)#match ip add 101
R4(config-route-map)#set ip nex
R4(config-route-map)#set ip next-hop 22.22.22.22
R4(config-route-map)#do sh route-map
route-map test, permit, sequence 10
Match clauses:
ip address (access-lists): 100 101
Set clauses:
ip next-hop 20.20.20.20 22.22.22.22
Policy routing matches: 0 packets, 0 bytes
As you see in this example multiple same match or set statement are automatically rearranged in a OR fashion instead of a AND fashion.
So I presume you already had a 20 clause in your route-map and so you edited it in the way I showed above.
Regards
Alain
Don't forget to rate helpful posts. -
Can't apply policy route-map on C3750 stack vlan interface
Hi All.
I've come up with this problem and i could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
2 x WS-C3750G-24T-E in stack
Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
switch#sh sdm prefe
The current template is "desktop IPv4 and IPv6 routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 1.5K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 2.75K
number of directly-connected IPv4 hosts: 1.5K
number of indirect IPv4 routes: 1.25K
number of IPv6 multicast groups: 1.125k
number of directly-connected IPv6 addresses: 1.5K
number of indirect IPv6 unicast routes: 1.25K
number of IPv4 policy based routing aces: 0.25K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.5K
number of IPv6 policy based routing aces: 0.25K
number of IPv6 qos aces: 0.5K
number of IPv6 security aces: 0.5K
There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map i can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
Any help will be appretiated.
Thanks.Hi Jon.
Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also i've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
track 11 rtr 1 reachability
track 22 rtr 2 reachability
ip routing
no ip dhcp use vrf connected
interface GigabitEthernet1/0/1
description ISP1
no switchport
ip address 9.9.9.2 255.255.255.252
no ip proxy-arp
no ip mroute-cache
speed 100
duplex full
ipv6 address 2B01:4B8:0:3::2/64
ipv6 ospf 1 area 0
no mdix auto
no cdp enable
interface GigabitEthernet2/0/1
description ISP2
no switchport
ip address 9.9.9.5 255.255.255.252
ip ospf cost 10000
speed 1000
duplex full
ipv6 address 2B01:4B8:0:7::2/64
ipv6 enable
ipv6 ospf cost 10000
ipv6 ospf 1 area 0
interface Vlan5
description Company Ext Subnet
ip address 9.9.8.1 255.255.255.128
no ip proxy-arp
no ip mroute-cache
ipv6 address 2B01:4B8:1:22::1/64
ipv6 ospf 1 area 15
access-list 111 permit tcp any any eq www
route-map pbr1 permit 10
match ip address 111
set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
route-map pbr1 permit 20
set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
route-map pbr2 permit 10
match ip address 111
set ip next-hop verify-availability 9.9.9.6 1 track 11
set ip next-hop 9.9.9.1
route-map pbr2 permit 20
set ip next-hop verify-availability 9.9.9.1 1 track 22
set ip next-hop 9.9.9.6
I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
Cheers, -
Route map does not applied on interface vlan
Hi all,
could you pls tell me why i can't apply a route-map on an interface vlan,
belown my config:
SWBBO(config-if)#ip policy route-map TEST
^
% Invalid input detected at '^' marker.
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 04-Jan-13 01:38 by prod_rel_team
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
System returned to ROM by power-on
System restarted at 22:12:07 UTC Mon Feb 18 2013
System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
Best regards,
JamesHi jon,
belown the result of sh sdm prefer,so need i a licence ip service to apply the route-maap on the interface vlan,or just entrer the config"sdm prefer routing" and reboot the switch?
SWBB0#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 74
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 60 -
Route leaking from VRF to Global on same router with VLAN interface
Hi all,
I would like to do some route leaking from VRF to Global and Global to VRF on the same router. Here is an output of the config:
interface FastEthernet4
description ***Connection to WAN***
ip vrf forwarding FVRF
ip address 10.0.0.6 255.255.255.0
interface Vlan100
description ***LAN***
ip address 192.168.227.1 255.255.255.0
So what I want is to import 192.168.227.0 /24 into FVRF and import 10.0.0.0 /24 into the global routing table.
I though I could do that config but it is not possible:
(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100
% For VPN or topology routes, must specify a next hop IP address if not a point-to-point interface
OR
DK-SLVPN(config)#ip route vrf FVRF 192.168.227.0 255.255.255.0 vlan 100 192.168.227.1 global
%Invalid next hop address (it's this router)
Any ideas are really welcome.
Best regards,
LaurentHi,
I have tried the following solution:
Add 10.0.0.0 /24 From VRFto Global:
ip route 10.0.0.0 255.255.255.0 FastEthernet4
Add 192.168.227.0 /24 from Global to VRF:
router bgp 64512
bgp log-neighbor-changes
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
ip prefix-list Global-VRF seq 5 permit 192.168.227.0/24
route-map Global permit 10
match ip address prefix-list Global-VRF
ip vrf FVRF
rd 1:1
import ipv4 unicast map Global
So now the VRF table looks like that:
# sh ip route vrf FVRF
C 10.0.0.0/24 is directly connected, FastEthernet4
S 10.0.0.1/32 [254/0] via 10.0.0.1, FastEthernet4
L 10.0.0.6/32 is directly connected, FastEthernet4
B 192.168.227.0/24 is directly connected, 00:15:12, Vlan100
The Global table looks like this:
#sh ip route
Gateway of last resort is 10.1.0.107 to network 0.0.0.0
D* 0.0.0.0/0 [90/1709056] via 10.1.0.107, 3d02h, Tunnel1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
S 10.0.0.0/24 is directly connected, FastEthernet4
C 10.1.0.0/24 is directly connected, Tunnel1
L 10.1.0.227/32 is directly connected, Tunnel1
C 10.2.0.0/24 is directly connected, Tunnel2
L 10.2.0.227/32 is directly connected, Tunnel2
C 10.10.10.227/32 is directly connected, Loopback100
192.168.227.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.227.0/24 is directly connected, Vlan100
L 192.168.227.1/32 is directly connected, Vlan100
But When I try to ping it still doesn´t work:
#ping vrf FVRF 192.168.227.1 source fastEthernet 4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.227.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.6
Success rate is 0 percent (0/5)
#ping 10.0.0.1 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.227.1
Success rate is 0 percent (0/5)
Any ideas?
Regards,
Laurent -
Route Map Policy on SVI - Trunk from ESX
Hi,
I have a question regarding the following configuration.
A route map matches traffic from a particular subnet, say on VLAN 10 (using an ACL).
A route map policy is applied on this SVI (int vlan 10)
A server on this subnet is running on ESX which is connected to the switch on a trunk port.
The ESX host tags all frames from this server as VLAN 10.
In this scenario, should the route map pick up the traffic from this server? I don't see why not, but in my testing it doesn't seem to be working :)
Thanks for any help.Hi Alex,
It's a 3750x (stack) with 12.2(55)SE5.
I've already changed the SDM template to routing and rebooted the switch.
I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
Thanks again.
Extended IP access list UPLINK2
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
route-map ROUTE1 permit 10
match ip address UPLINK2
set ip next-hop 10.1.1.253
interface Vlan10
ip address 192.168.5.254 255.255.254.0
ip policy route-map ROUTE1
end -
881 - How to configure inter-VLAN routing
I hesitate to post here -- I know that I should know my job. But here goes...
Small business wants to use an ASA 5505 firewall on the edge connected to VDSL modem, and then an 881 to route internally (see attachment). The 881 has a downstream link to a 2960.
Want the following "blocks":
VLAN 33 - CLIENTS
VLAN 55 - SERVERS
VLAN 101 - CDLAB
The lab is for testing, and will be connected via Cisco 2500 series router. The server farm (Server 2008 domain +) will be connected via layer 2 switch over VLAN. A DMZ is anticipated after basic connectivity is established. Connectivity is already verified from a client connected to the INSIDE interface of the ASA going to the OUTSIDE and back.
Before I started I wiped the devices in order to start clean. Both the router and the switch are in vtp mode transparent.
To build a trunk link, I connected the 881 and the 2960 using a crossover cable from int fa0 to int fa0/8 respectively.
On both devices' interfaces I set switchport mode trunk.
I configured the 3 VLANs on the 881, assigned IP addresses to them, and used switchport trunk allowed vlan add 33,55,101 to assign them to the trunk but that doesn't appear in the sh run output under the interface.
I set both devices' to switchport nonegotiate (best practices?). Once again, on the 881 this command doesn't appear in the running config.
I configured the 3 VLANs on the 2960, then used the same switchport commands as above to assign them to the trunk.
Here's the deal.
From a client connected to a VLAN 33 access port on the 2960, I can't ping, for example, the VLAN 55 IP address. I can ping the VLAN 33 IP address. I also can't ping the IP address of the interface on the far side of the router headed to the ASA (int fa4).
What am I doing wrong? I'll gladly post the running configs if anyone wants to see. I've spent most of the day on this racking my brain and literally scouring the Internet. I'd be very grateful for some assistance.
Help!Thanks, Mike.
Yeah, I might not have been too clear. But on the router, each VLAN was created using the vlan 33 command (for example) and given a name. Then I went to int vlan 33 (for example) and used ip address 10.0.33.xx 255.255.255.0 for the address and subnet mask. Those have been in place since I started. And like I said, I can ping the SVI for VLAN 33, which is mapped to the client access port I'm on.
The problem is, I still can't ping inter-VLAN and I still can't ping the far side interface.
Bummer... -
Hi all,
may some of you tell me the real meaning of the sub-command "set interface <intf>" under the route-map section?
I thought it was like the <intf> parameter whe you set a route out of an interface.
I tried it with a PIX that should have to act as proxy-arp device but nothing happened.
Everything worked fine using "set ip next-hop ..."
The topology appears a little bit complicated if explained how I built it in practice.
Just a PIX525, a switch and a router 877 that manages VLANS.
I reproduced the environment that doesn't see 2 ethernet interfaces on the router where the policy is applied but 1 serial and 1 ethernet. By now there are 2 devices, one per link, and the def route is based on proxy-arp both for the serial and the ethernet.
Hope the scenario was clearly depicted.
TIA
AlexPlease refer to this document..
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009481d.shtml
HTH,
Ahmed -
Hi All,
I'm trying to achieve the following -
I have a host 10.44.125.70.
If going to any Internal address space I want the host to use a certain next hop (vlan interface on core this PBR is configured). Then IF going to anywhere else (e.g external address) , use a different next hop. I have the below but doesn't seem to be working as expected. Is my first route-map entry catching all traffic? I'm sure what I'm trying to do is very simple...
IP access list Sent_Inside
10 permit ip host 10.44.125.70 172.12.0.0 0.0.15.255
30 permit ip host 10.44.125.70 10.0.0.0 0.255.255.255
IP access list Sent_Outside
10 permit ip host 10.44.125.70 any
20 permit ip host 10.44.125.70 any
route-map TEST permit 20
match ip address Sent_Inside
set ip next-hop 10.44.125.1
route-map TEST permit 30
match ip address Sent_Outside
set ip next-hop 10.44.141.7Exactly John, a different default route already exists. Because I have a static NAT on the ASA (10.44.141.7) for this host of mine, I need to make sure all Internet traffic uses the ASA and not the default route on the Core.
What is happening at the moment is - If I have just the below.Then the device 10.44.125.70 is accessible from the Outside on my Nat'd external address (ASA config is all good and setup with NAT etc..). I then realised I could not access my hosts internal IP within the network so i added the extra parts to my route-map. Upon doing this my NAT stopped working (but I could then access my internal address internally). Not going to be able to test this again until tomorrow either which isn't ideal.
IP access list Sent_Outside
10 permit ip host 10.44.125.70 any
20 permit ip host 10.44.125.70 any
route-map TEST permit 30
match ip address Sent_Outside
set ip next-hop 10.44.141.7 -
PBR - adding a route map to an interface
Hello.
I cannot add a route-map to an interface on a C3750 stack
I have copied the switch details below
#sho ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 19:15 by nachen
Image text-base: 0x00003000, data-base: 0x01280000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEE3, RELEASE SOFTWARE (fc1)
Pleidelsheim_V1B_Core uptime is 16 hours, 43 minutes
System returned to ROM by power-on
System restarted at 22:01:48 CET Wed Mar 3 2010
System image file is "flash:/c3750-ipservices-mz.122-35.SE5.bin"
cisco WS-C3750G-24TS (PowerPC405) processor (revision P0) with 118784K/12280K bytes of memory.
Processor board ID CAT1130ZK5F
Last reset from power-on
9 Virtual Ethernet interfaces
56 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:1D:46:8C:22:80
Motherboard assembly number : 73-7058-14
Power supply part number : 341-0045-01
Motherboard serial number : CAT113059LV
Power supply serial number : PHI1114L1PJ
Model revision number : P0
Motherboard revision number : A0
Model number : WS-C3750G-24TS-E
System serial number : CAT1130ZK5F
Top Assembly Part Number : 800-22348-07
Top Assembly Revision Number : A0
Version ID : V07
CLEI Code Number : COM7700ARA
Hardware Board Revision Number : 0x09
Switch Ports Model SW Version SW Image
* 1 28 WS-C3750G-24TS 12.2(35)SE5 C3750-IPSERVICES-M
2 28 WS-C3750G-24TS 12.2(35)SE5 C3750-IPSERVICES-M
Switch 02
Switch Uptime : 16 hours, 43 minutes
Base ethernet MAC Address : 00:21:A1:2E:78:00
Motherboard assembly number : 73-7058-15
Power supply part number : 341-0045-01
Motherboard serial number : FDO121903D2
Power supply serial number : LIT121603VV
Model revision number : Q0
Motherboard revision number : A0
Model number : WS-C3750G-24TS-E
System serial number : CAT1105RGN2
Top assembly part number : 800-22348-08
Top assembly revision number : A0
Version ID : V08
CLEI Code Number : COMUJ10ARA
Configuration register is 0xF
#sho sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
When I try to add the route map
interface Vlanx
ip policy route-map xx
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map xx not supported for Policy-Based Routing
Can anyone see what could be wrong?Okay, just realised the route-map is not valid.
The settings are okay.
access-list 160 remark WIRELESS GUEST PBR FWD TRAFFIC
access-list 160 permit tcp 172.16.168.128 0.0.0.63 any
access-list 160 permit udp 172.16.168.128 0.0.0.63 any
access-list 160 permit ip 172.16.168.128 0.0.0.63 any
access-list 160 permit icmp 172.16.168.128 0.0.0.63 any
route-map GUEST_VLAN-to-WEB permit 20
description FWD REMAINING GUEST TRAFFIC TO PROXY
match ip address 160
set interface Null0
Doesn't like the set interface Null0
How else could I setup a black hole
Maybe you are looking for
-
Hello Community "forestA" is my forest it is a Windows 2008 Server Enterprise Edition domain controller using Active Directory and the UI. In my forest ("forestA") trust relationship I created a "One-Way, Out-going" forest trust with Forest-W
-
Hi all, Iam working with an application which has Jsp pages and Iam using WEBLOGIC 8 to deploy the application.My first page is named as say xx.jsp. This page gets the users input and involves in lot of calculation. When I start the application(in th
-
I have a pdf file that I have converted to a microsoft word document. I want to change the font of the document and cannot figure out how to do this. Can you help?
-
How to config PKCS11.cfg during FAXs installation
Hi guys, I am the rookie in Flash Access and want to setup environment on my local site. I have gone through steps from quickstart guide. I have a problem in installing license server now. I want to run Validator.bat to verify configuration, but I am
-
Hi..handling events in console applications
Hi, Can anyone tell me how to handle events in cosole applications... I want to trap the event when a user closes the the console window.... THANKS IN ADVANCE Rama