03-26-2009 05:55 PM - edited 03-06-2019 04:51 AM
I have configured local policy for our router, but it seems to work only for ICMP. I can ping anywhere, but cannot use SSH. The configuration is:
ip local policy route-map manage
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
route-map manage permit 10
match ip address 100
set ip next-hop 10.1.1.1
Could anyone advise what the problem may be?
Any comments will be appreciated.
Thanks in advance.
03-26-2009 06:07 PM
Can you provide more information?
What are you trying to SSH to? From where?
Can you show us the rest of the config of the router?
03-26-2009 06:17 PM
Nothing else, just:
interface GigabitEthernet1/0/1
description test
no switchport
ip address 10.1.1.13 255.255.255.0
mls qos trust dscp
line vty 0 4
password xxxx
transport input ssh
I can SSH from subnet 10.1.1.0/24, but I cannot SSH from 10.2.1.0/24. So the configuration for SSH does not have any problem.
03-26-2009 06:48 PM
I'm not sure I understand you completely, but I'll take a shot.
It seems that you have configured some policy routing for traffic originating from the 10.1.0.0/16 network. All traffic sourced from there will take a next hop of 10.1.1.1, whatever that host is.
Now, there is an implicit deny at the end of the route map, so all other traffic will not be policy routed, only 10.1.0.0/16 will be. All other traffic will be routed according to the route table.
So, I'm assuming that the problem is that traffic from 10.2.0.0 is not reaching its intended target, and I'm also assuming that there is no route in the routing table -- or the route is not what you want; hence, the creation of the route map. However, with the implicit deny, all traffic other than 10.1.0.0/16 will be routed the "normal" way.
I don't know if I have helped you... but good luck.
Victor
03-26-2009 07:06 PM
First, great thanks for the replies.
I should mention what my purpose is in testing this.
I want to configure an exception, so that when all of my router's routes are dead, I can still access the box from anywhere in my public and private networks.
I have had half success: when there are no routes listed, I can ping from anywhere in my control subnets.
However, I cannot SSH into the box.
I have tried removing "access-list 100 permit ip 10.1.0.0 0.0.255.255 any" and changing it to "access-list 100 permit ip any any",
but same result: I can ping from anywhere in my networks, but cannot SSH into it.
Please advise.
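To make Victor's point about the implicit deny concrete, and to show what the original poster's change to "permit ip any any" alters, here is an added simulation of how the route-map in this thread is evaluated. It is example code written for this page, not configuration or output from any Cisco device. It models IOS wildcard-mask ACL matching and route-map sequence evaluation only; the sample source and destination addresses below are constructed for the example. Because the ACL is a "permit ip" entry, the policy itself never looks at the protocol, so the model deliberately treats an ICMP echo and an SSH segment from the same source identically.

```python
import ipaddress

# Constructed model of "ip local policy route-map manage" from the thread.
# "ip local policy" applies to packets the router itself originates; this
# evaluator only decides whether such a packet gets the route-map next hop
# or falls through to the normal routing table.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

# An ACL entry: (action, src_net, src_wildcard, dst_net, dst_wildcard).
# "any" is written in IOS as 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

def acl_permits(entries, src: str, dst: str) -> bool:
    for action, s_net, s_wc, d_net, d_wc in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def policy_route(route_map, acls, src: str, dst: str):
    """Return ("policy", next_hop) if a permit sequence matches,
    otherwise ("table", None): the packet uses the normal routing table."""
    for seq in route_map:  # already ordered by sequence number
        if acl_permits(acls[seq["match_acl"]], src, dst):
            if seq["action"] == "permit":
                return ("policy", seq["next_hop"])
            return ("table", None)  # a deny sequence exits policy routing
    return ("table", None)  # implicit deny: no sequence matched

# ACL 100 exactly as posted: permit ip 10.1.0.0 0.0.255.255 any
ACL_AS_POSTED = {100: [("permit", "10.1.0.0", "0.0.255.255", *ANY)]}
# The later variant: permit ip any any
ACL_ANY_ANY = {100: [("permit", *ANY, *ANY)]}
ROUTE_MAP_MANAGE = [{"seq": 10, "action": "permit", "match_acl": 100,
                     "next_hop": "10.1.1.1"}]

def evaluate_thread_cases():
    """Run the two ACL variants against constructed sources from the thread's
    subnets, replying to a constructed remote host 192.0.2.10."""
    remote = "192.0.2.10"
    return {
        # router interface address from the thread, inside 10.1.0.0/16
        "posted/10.1.1.13": policy_route(ROUTE_MAP_MANAGE, ACL_AS_POSTED, "10.1.1.13", remote),
        # a constructed source in 10.2.1.0/24: no sequence matches, implicit deny
        "posted/10.2.1.5": policy_route(ROUTE_MAP_MANAGE, ACL_AS_POSTED, "10.2.1.5", remote),
        # with "permit ip any any" every source is policy routed
        "anyany/10.2.1.5": policy_route(ROUTE_MAP_MANAGE, ACL_ANY_ANY, "10.2.1.5", remote),
    }

if __name__ == "__main__":
    for case, result in evaluate_thread_cases().items():
        print(f"{case:18} -> {result}")
```

The model shows why, with the ACL as posted, nothing sourced outside 10.1.0.0/16 is ever policy routed, and why switching to "permit ip any any" cannot by itself separate ping from SSH: the match is on IP addresses only, so a protocol-specific difference has to come from somewhere other than this route map.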