Local policy configuration for IOS version 12.2

julxu (Level 1)

I have configured local policy for our router, but it seems to be working only for ICMP. I can ping anywhere, but cannot use SSH. The configuration is:

ip local policy route-map manage

access-list 100 permit ip 10.1.0.0 0.0.255.255 any

route-map manage permit 10
 match ip address 100
 set ip next-hop 10.1.1.1

Could anyone advise what the problem may be?

Any comments will be appreciated

Thanks in advance

4 Replies

lamav (Level 8)

Can you provide more information?

What are you trying to SSH to? From where?

Can you show us the rest of the config of the router?

Nothing else, just:

interface GigabitEthernet1/0/1
 description test
 no switchport
 ip address 10.1.1.13 255.255.255.0
 mls qos trust dscp

line vty 0 4
 password xxxx
 transport input ssh

I can SSH from subnet 10.1.1.0/24, but I cannot SSH from 10.2.1.0/24. So the SSH configuration does not have any problem.

I'm not sure I understand you completely, but I'll take a shot.

It seems that you have configured some policy routing for traffic originating from the 10.1.0.0/16 network. All traffic sourced from there will take a next hop of 10.1.1.1, whatever that host is.

Now, there is an implicit deny at the end of the route map, so all other traffic will not be policy routed, only 10.1.0.0/16 will be. All other traffic will be routed according to the route table.

So, I'm assuming that the problem is that traffic from 10.2.0.0 is not reaching its intended target, and I'm also assuming that there is no route in the routing table -- or the route is not what you want; hence, the creation of the route map. However, with the implicit deny, all traffic other than 10.1.0.0/16 will be routed the "normal" way.

I don't know if I have helped you... but good luck.

Victor

First, great thanks for the replies.

I should mention what my purpose in testing this is.

I want to configure an exception, so that when all of my router's routes are dead, I can still access the box from anywhere in my public and private networks.

I have had half success: when there are no routes listed, I can ping from anywhere in my control subnets.

However, I cannot SSH into the box.

I have tried removing "access-list 100 permit ip 10.1.0.0 0.0.255.255 any" and changing it to "access-list 100 permit ip any any",

but with the same result, that is, I can ping from anywhere in my networks but not SSH into it.

Please advise.
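The following is an added worked example of the "reachable when the routing table is empty" goal described in the thread; it is not the original poster's running configuration and not Cisco documentation. It assumes the addresses visible above (management address 10.1.1.13/24 on GigabitEthernet1/0/1, gateway 10.1.1.1 on that subnet, management clients in 10.1.0.0/16 and 10.2.1.0/24); the names of the ACLs and the route-map are kept from the thread so the two versions can be compared directly.

```cisco
! Added example, not the original poster's configuration.
! Assumed: 10.1.1.13/24 is this box's management address on Gi1/0/1 and
! 10.1.1.1 is a gateway on that subnet (both taken from the thread).
!
! Match only packets the box itself sources from its management address.
! The poster's "permit ip any any" variant would also steer every other
! locally generated packet (routing protocol, syslog, NTP, ...) to 10.1.1.1.
access-list 100 permit ip host 10.1.1.13 any
!
route-map manage permit 10
 match ip address 100
 ! "set ip default next-hop" is used only when the routing table has no
 ! explicit route for the destination, which is the fallback the poster
 ! asked for. The original "set ip next-hop 10.1.1.1" overrides the routing
 ! table for every matched packet, even when a better route exists.
 set ip default next-hop 10.1.1.1
!
! Local policy applies to packets the box originates: its own ICMP echo
! replies and the return half of an inbound SSH session. It does nothing
! for transit traffic, which needs "ip policy route-map" on an interface.
ip local policy route-map manage
!
! The thread's vty block accepts SSH from any source; restrict it to the
! management subnets named in the thread.
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 permit 10.2.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Checks to run (exec mode) while an SSH attempt from 10.2.1.0/24 is open:
!   show ip local policy      - confirms which route-map is applied locally
!   show route-map manage     - "Policy routing matches" counters must grow
!   debug ip policy           - one line per locally sourced packet, showing
!                               whether it was policy routed or rejected
```

If the match counters stay at zero while the SSH replies are being sent, the packets are not reaching the route-map at all and the policy itself is not the thing to debug. The interface naming (Gi1/0/1, mls qos) suggests a Catalyst 3560/3750-class switch rather than a router; on those platforms policy-based routing is only available under the routing SDM template (`sdm prefer routing`, which needs a reload), and the platform's configuration guide lists further PBR restrictions that are worth checking before spending more time on the route-map.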
