3750 Route-Map Problem

Runner973 · ‎03-07-2010

Hi

I've a big problem with 3750 (IOS version c3750-ipservicesk9-tar.122-53.SE)

Two Vlan are defined on 3750:

- vlan 20 - ip 192.168.20.253

- vlan 10 - ip 192.168.10.253

All client on vlan 20 have as default gateway 192.168.20.253

All client on vlan 10 have as default gateway 192.168.10.253

I need this action

- All vlan 20 client must connect to vlan 10 client

- All vlan 10 client must connect to vlan 20 client

- If source address of a packet is in 192.168.20.0/24 and its destination address is different from 192.168.10.0/24 the next hop must be 192.168.20.254

- If source address of a packet is in 192.168.10.0/24 and its destination address is different from 192.168.20.0/24 the next hop must be 192.168.10.254

- If source address of a packet is in 192.168.10.0/24 and its destination address is equal to 192.168.20.0/24 the packet must be routing from 3750 and it haven't next hop

- If source address of a packet is in 192.168.20.0/24 and its destination address is equal to 192.168.10.0/24 the packet must be routing from 3750 and it haven't next hop

I've applied this command

!

interface Vlan10

ip address 192.168.10.253 255.255.255.0

ip pim sparse-dense-mode

ip policy route-map Vlan_10

!

interface Vlan20

ip address 192.168.20.253 255.255.255.0

ip pim sparse-dense-mode

ip policy route-map Vlan_20

!

ip classless

ip http server

ip http secure-server

!

ip sla enable reaction-alerts

access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

access-list 103 permit ip 192.168.10.0 0.0.0.255 any

access-list 105 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 106 permit ip 192.168.20.0 0.0.0.255 any

route-map Vlan_20 permit 10

match ip address 105

set ip next-hop 192.168.10.253

!

route-map Vlan_20 permit 30

match ip address 106

set ip next-hop 192.168.20.254

!

route-map Vlan_10 permit 10

match ip address 101

set ip next-hop 192.168.20.253

!

route-map Vlan_10 permit 30

match ip address 103

set ip next-hop 192.168.10.254

Results is:

Vlan10 Client go on the web by 192.168.10.254 (correct)

Vlan20 Client go on the web by 192.168.20.254 (correct)

It's impossible ping 192.168.10.253 or 192.168.20.253 from rispective vlan (error)

Vlan10 CLient and Vlan20 CLient not ping between each other

Anyone can help me?

Sorry for my bad english

Antonio

milan.kulik · ‎03-07-2010

Hi,

IMHO, there's a mistake

route-map Vlan_20 permit 10

match ip address 105

set ip next-hop 192.168.10.253

should be

route-map Vlan_20 permit 10

match ip address 105

set ip next-hop 192.168.20.253

and also

route-map Vlan_10 permit 10

match ip address 101

set ip next-hop 192.168.20.253

should be

route-map Vlan_10 permit 10

match ip address 101

set ip next-hop 192.168.10.253

Or you could even remove the "set ..." portions of both "route-map Vlan_20 permit 10" and "route-map Vlan_10 permit 10" route-map sections.

HTH,

Milan

Runner973 · ‎03-09-2010

Hi

The next hop is correct because packet from 10 to 20 must be processed by 192.168.20.253 and pachet from 20 to 10 must be processed by 192.168.10.253.

I solved the problem by correct use the access-list

interface Vlan10
ip address 192.168.10.253 255.255.255.0
ip pim sparse-dense-mode
ip policy route-map Vlan_10
!
interface Vlan20
ip address 192.168.20.253 255.255.255.0
ip pim sparse-dense-mode
ip policy route-map Vlan_20
!
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 deny   ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
route-map Vlan_20 permit 10
match ip address 102
set ip next-hop 192.168.20.254
!
route-map Vlan_10 permit 10
match ip address 101
set ip next-hop 192.168.10.254