local policy configuration for ios version 12.2

Unanswered Question
Mar 26th, 2009

I have configured local policy for our router, but it seems to work only for ICMP. I can ping anywhere, but cannot use SSH. The configuration is:

ip local policy route-map manage

access-list 100 permit ip 10.1.0.0 0.0.255.255 any

route-map manage permit 10
 match ip address 100
 set ip next-hop 10.1.1.1


Could anyone advise what the problem may be?


Any comments will be appreciated


Thanks in advance



lamav Thu, 03/26/2009 - 18:07

Can you provide more information?


What are you trying to SSH to? From where?


Can you show us the rest of the config of the router?

julxu Thu, 03/26/2009 - 18:17

Nothing else, just:


interface GigabitEthernet1/0/1
 description test
 no switchport
 ip address 10.1.1.13 255.255.255.0
 mls qos trust dscp

line vty 0 4
 password xxxx
 transport input ssh


I can SSH from subnet 10.1.1.0/24, but I cannot SSH from 10.2.1.0/24. So the SSH configuration does not have any problem.




lamav Thu, 03/26/2009 - 18:48

I'm not sure I understand you completely, but I'll take a shot.


It seems that you have configured some policy routing for traffic originating from the 10.1.0.0/16 network. All traffic sourced from there will take a next hop of 10.1.1.1, whatever that host is.


Now, there is an implicit deny at the end of the route map, so all other traffic will not be policy routed, only 10.1.0.0/16 will be. All other traffic will be routed according to the route table.


So, I'm assuming that the problem is that traffic from 10.2.0.0 is not reaching its intended target, and I'm also assuming that there is no route in the routing table -- or the route is not what you want; hence, the creation of the route map. However, with the implicit deny, all traffic other than 10.1.0.0/16 will be routed the "normal" way.


I don't know if I have helped you... but good luck.


Victor
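To make the match/implicit-deny behaviour described above concrete, here is a small added model (not from the thread or from IOS) of the posted route-map "manage" and ACL 100: it applies the wildcard-mask test to a packet's source address and returns the next hop chosen by local policy, or None when no sequence permits the packet and it falls back to the routing table. The "permit ip any any" variant is included as a second ACL; the sample source addresses are constructed.

```python
import ipaddress

def acl_entry_matches(addr, network, wildcard):
    # IOS wildcard-mask semantics: a 1 bit in the mask means "don't care".
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# ACL 100 as posted: "permit ip 10.1.0.0 0.0.255.255 any" (checks the source only).
ACL_100 = [("permit", "10.1.0.0", "0.0.255.255")]
# The "access-list 100 permit ip any any" variant tried later in the thread.
ACL_100_ANY = [("permit", "0.0.0.0", "255.255.255.255")]

def acl_lookup(acl, src):
    # First matching entry wins; an unmatched packet hits the implicit deny.
    for action, net, wc in acl:
        if acl_entry_matches(src, net, wc):
            return action
    return "deny"

# route-map manage permit 10 / match ip address 100 / set ip next-hop 10.1.1.1
ROUTE_MAP_MANAGE = [{"seq": 10, "match_acl": "100", "set_next_hop": "10.1.1.1"}]

def local_policy_next_hop(route_map, acls, src):
    """Next hop that local PBR sets for a router-originated packet sourced from src,
    or None: no sequence permitted it, so normal routing-table forwarding applies."""
    for seq in route_map:
        if acl_lookup(acls[seq["match_acl"]], src) == "permit":
            return seq["set_next_hop"]
    return None

if __name__ == "__main__":
    # Constructed sources: the router's own interface address and a 10.2.x host.
    for src in ("10.1.1.13", "10.2.1.5"):
        print(src, "->", local_policy_next_hop(ROUTE_MAP_MANAGE, {"100": ACL_100}, src))
```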

julxu Thu, 03/26/2009 - 19:06

First, great thanks for the replies.


I should mention what my purpose is in testing this.


I want to configure an exception, so that when all of my router's routes are dead, I can still access the box from anywhere in my public and private networks.


I have had half success: when there are no routes listed at all, I can ping from anywhere in my control subnets.


However, I cannot SSH into the box.


I have tried removing "access-list 100 permit ip 10.1.0.0 0.0.255.255 any" and changing it to "access-list 100 permit ip any any",


but with the same result: I can ping from anywhere in my networks, but cannot SSH into it.


Please advise.


