12-11-2009 03:47 AM - edited 03-06-2019 08:55 AM
unable ping vlan interface with policy routing , but able access the resouces (CISCO 3750)
interface Vlan3
ip address 10.151.1.1 255.255.255.0
ip policy route-map VAUS
thanks
Mk
12-11-2009 04:14 AM
mkkeyan wrote:
unable ping vlan interface with policy routing , but able access the resouces (CISCO 3750)
interface Vlan3
ip address 10.151.1.1 255.255.255.0
ip policy route-map VAUSthanks
Mk
Mk
We try and help on this forum but we are not mind readers
We need a bit more info to help you out ie.
1) ping from where ie. IP addresses
2) which vlan interface - presumably the one above
3) what does the PBR look like ie. route-map/access-list details
Jon
12-11-2009 06:28 AM
aplogizes Jon , I understood.
_
1)ping from 10.151.1.0 network . PC will have 10.151.1.1 gateway.
2) vlan 3 inteface
3) rouete map access-list details
ip access-list extended AUSTRALIA-IN
permit ip any any
deny ip 10.151.1.0 0.0.0.255 10.20.31.0 0.0.0.255
ip access-list extended AUSTRALIA-OUT
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.210
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.194
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.201
permit ip 10.151.1.0 0.0.0.255 host 192.114.152.106
permit ip 10.151.1.0 0.0.0.255 192.252.5.112 0.0.0.7
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.103
permit ip 10.151.1.0 0.0.0.255 host 206.65.166.236
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.208
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.194
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.201
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.103
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.208
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.85
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.134
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.138
permit ip 10.151.1.0 0.0.0.255 host 10.206.163.60
permit ip 10.151.1.0 0.0.0.255 host 10.24.32.3
permit ip 10.151.1.0 0.0.0.255 host 10.24.32.2
permit ip host 10.151.1.227 host 10.24.32.100
permit ip host 10.151.1.112 host 10.20.31.201
permit ip host 10.151.1.227 host 10.20.31.201
permit ip 10.151.1.0 0.0.0.255 host 10.20.33.211
permit ip host 10.151.1.112 any
route-map VAUS permit 40
match ip address AUSTRALIA-OUT
!
route-map VAUS permit 50
match ip address AUSTRALIA-IN
set ip next-hop 10.151.1.225
!
route-map VAUS permit 60
interface Vlan3
ip address 10.151.1.1 255.255.255.0
ip policy route-map VAUS
----------------------------------------------------------------
when i do traceroute for 151.1.1.1 it getting loop..
10.151.1.1 between 10.151.1.225 till 30 hops
PC- gateway with 10.151.1.1
thanks
Mk
12-11-2009 08:00 AM
mkkeyan wrote:
aplogizes Jon , I understood.
_
1)ping from 10.151.1.0 network . PC will have 10.151.1.1 gateway.
2) vlan 3 inteface
3) rouete map access-list details
ip access-list extended AUSTRALIA-IN
permit ip any any
deny ip 10.151.1.0 0.0.0.255 10.20.31.0 0.0.0.255ip access-list extended AUSTRALIA-OUT
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.210
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.194
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.201
permit ip 10.151.1.0 0.0.0.255 host 192.114.152.106
permit ip 10.151.1.0 0.0.0.255 192.252.5.112 0.0.0.7
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.103
permit ip 10.151.1.0 0.0.0.255 host 206.65.166.236
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.208
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.194
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.201
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.103
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.208
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.85
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.134
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.138
permit ip 10.151.1.0 0.0.0.255 host 10.206.163.60
permit ip 10.151.1.0 0.0.0.255 host 10.24.32.3
permit ip 10.151.1.0 0.0.0.255 host 10.24.32.2
permit ip host 10.151.1.227 host 10.24.32.100
permit ip host 10.151.1.112 host 10.20.31.201
permit ip host 10.151.1.227 host 10.20.31.201
permit ip 10.151.1.0 0.0.0.255 host 10.20.33.211
permit ip host 10.151.1.112 any
route-map VAUS permit 40
match ip address AUSTRALIA-OUT
!
route-map VAUS permit 50
match ip address AUSTRALIA-IN
set ip next-hop 10.151.1.225
!
route-map VAUS permit 60interface Vlan3
ip address 10.151.1.1 255.255.255.0
ip policy route-map VAUS----------------------------------------------------------------
when i do traceroute for 151.1.1.1 it getting loop..
10.151.1.1 between 10.151.1.225 till 30 hops
PC- gateway with 10.151.1.1
thanks
Mk
Mk
What is the address of the PC you are pinging from.
Also can you explain the logic behind the route-map ie.
1) You match on AUSTRALIA_OUT but don't do anything
2) Your AUSTRALIA_IN acl permit all then denies a specific destination but it will never get to the deny if you permit all
Jon
12-11-2009 08:06 AM
Just do this
ip access-list ALLOW_ICMP
permit icmp any host 10.151.1.1
route-map VAUS deny 1
match ip address ALLOW_ICMP
12-14-2009 02:30 AM
Pinging from IP address 10.151.1.147
If packets match with AUSTRALIA-OUT, it needs to go IP 10.20.31.248
here is the static route :
10.0.0.0/8 is variably subnetted, 73 subnets, 4 masks
S 10.20.40.0/24 [1/0] via 10.20.31.248
S 10.20.33.0/24 [1/0] via 192.168.101.2
S* 0.0.0.0/0 [1/0] via 10.20.31.248
since default route is 10.20.31.248 even if i have not mentioned next-hop IP address in route-map its exit,
if packet does not match with AUSTRALIA-OUT
it should go to IP 10.151.1.225
Pl correct me to achieve the above scenario.
thanks
MK
12-14-2009 03:15 AM
mkkeyan wrote:
Pinging from IP address 10.151.1.147
If packets match with AUSTRALIA-OUT, it needs to go IP 10.20.31.248
here is the static route :
10.0.0.0/8 is variably subnetted, 73 subnets, 4 masks
S 10.20.40.0/24 [1/0] via 10.20.31.248
S 10.20.33.0/24 [1/0] via 192.168.101.2
S* 0.0.0.0/0 [1/0] via 10.20.31.248since default route is 10.20.31.248 even if i have not mentioned next-hop IP address in route-map its exit,
if packet does not match with AUSTRALIA-OUT
it should go to IP 10.151.1.225
Pl correct me to achieve the above scenario.
thanks
MK
MK
Okay, i see the logic. Because you have a permit ip any any in AUSTRALIA-IN you need to match traffic in AUSTRALIA-OUT so it won't get to the 2nd route-map permit statement. Still not sure what the deny line is doing in the 2nd route-map statement though.
Anyway, that aside, i did some testing on a router and could not emulate the problem you are having. Unfortunately i don't have a L3 switch to test on at the moment but it may well be worth trying what the other poster suggested ie. in your AUSTRALIA-IN acl -
ie. deny icmp from 10.151.1.0/24 to 10.151.1.1
permit ip any any
Jon
12-14-2009 03:58 AM
Hi,
Your packet with Source 10.151.1.147, and Destination 10.20.31.248 does not seems to be matching your access-list AUSTRALIA-OUT.
The other access-list you have defined AUSTRALIA-IN, I hope has the right sequence of commands you have mentioned. I am saying this because your first statement suggests permit ip any any, which will infact match everything (only if there are more things other than IP). So, assuming you have pasted the right sequence, your packet will match this access-list, and will go to the next-hop address 10.151.1.225.
If you can paste further, the config of 10.151.1.225 router, then I can let you know where the problem is.
Also, I am still not sure what exactly are you trying to achieve.
If you can let know your requirement in full, and complete; I'll be in a position to provide you simplified configuration.
HTH
cheers,
Saurabh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide