Cisco Support Community
Route-map, vlan routing

I have a 6509 that I've set up with route-maps in order to route VLANs in different ways. For example, if we wanted some VLANs to get out to the internet we would route them to a certain address. Then there is another VLAN that we route to another internet gateway. It was all working pretty well until we swapped out another switch gateway in the network, and ever since then things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch and then back in, even though my access-lists are set to deny the traffic. Here are the access-lists and route-maps:


access-list 10 permit 192.168.24.101
access-list 10 permit 192.168.24.102
access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
access-list 104 permit tcp host 172.16.4.20 any eq www

ip access-list extended BITCENTRAL_INTERNET
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
 deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
 permit ip host 172.16.1.170 any
 permit ip host 172.16.1.150 any
ip access-list extended EDIT_BAYS
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 any
 deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
 permit ip host 192.168.25.2 any
 permit ip host 192.168.26.80 any
 permit ip host 192.168.25.104 any
 permit ip host 192.168.25.3 any
 permit ip host 192.168.26.69 any
 permit ip host 192.168.26.71 any
 permit ip host 192.168.27.33 any
ip access-list extended ENPS
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
 deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
 permit ip host 192.168.24.101 any
 permit ip host 192.168.24.102 any
 permit ip host 192.168.24.103 any
ip access-list extended ENTRIQ
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
 deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
 permit ip 172.16.8.0 0.0.0.255 any
ip access-list extended MISC
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
 deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
 permit ip 172.16.11.0 0.0.0.255 any
ip access-list extended Omneon
 deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 permit ip host 172.16.2.11 any
 permit ip host 172.16.2.2 any
ip access-list extended ROSS-VLAN
 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
 deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
 permit ip host 172.16.4.20 any
 permit ip host 172.16.4.32 any
 permit ip host 172.16.4.31 any
 permit ip host 172.16.4.29 any
 permit ip host 172.16.4.30 any
 permit ip host 172.16.4.28 any
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000

interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 172.16.1.1 255.255.255.0
 ip policy route-map BITCENTRAL
!
interface Vlan20
 ip address 172.16.2.1 255.255.255.0
 ip policy route-map OMNEON
!
interface Vlan30
 ip address 172.16.3.1 255.255.255.0
!
interface Vlan40
 ip address 172.16.4.1 255.255.255.0
 ip policy route-map ROSS-VLAN
!
interface Vlan50
 ip address 172.16.5.1 255.255.255.0
!
interface Vlan60
 ip address 172.16.6.1 255.255.255.0
!
interface Vlan70
 ip address 172.16.7.1 255.255.255.0
!
interface Vlan80
 ip address 172.16.8.1 255.255.255.0
 ip policy route-map ENTRIQ
!
interface Vlan100
 ip address 192.168.27.1 255.255.252.0
 ip helper-address 192.168.7.255
 ip policy route-map OMNIBUS-VLAN
!
interface Vlan110
 ip address 172.16.11.1 255.255.255.0
 ip helper-address 192.168.27.200
 ip policy route-map MISC
!
interface Vlan120
 ip address 172.16.10.1 255.255.255.240
 ip policy route-map EDIT_BAYS
!
interface Vlan140
 ip address 192.168.4.15 255.255.255.0
 ip directed-broadcast 10
!
interface Vlan500
 ip address 192.168.1.19 255.255.255.224
!
ip classless
ip route 172.22.0.0 255.255.255.248 192.168.4.1
ip route 192.168.0.0 255.255.255.224 192.168.4.254
ip route 192.168.5.0 255.255.255.0 192.168.4.1

!
route-map BITCENTRAL permit 60
 match ip address BITCENTRAL_INTERNET
 set ip next-hop 192.168.4.1
!
route-map EDIT_BAYS permit 50
 match ip address EDIT_BAYS
 set ip next-hop 192.168.4.1
!
route-map ENTRIQ permit 80
 match ip address ENTRIQ
 set ip next-hop 172.16.8.254
!
route-map MISC permit 40
 match ip address MISC
 set ip next-hop 192.168.4.1
!
route-map MSN permit 10
 match ip address 104
 set ip next-hop 192.168.4.1
!
route-map OMNEON permit 20
 match ip address Omneon
 set ip next-hop 192.168.4.1
!
route-map OMNIBUS-VLAN permit 30
 match ip address EDIT_BAYS
 set ip next-hop 192.168.4.1
!
route-map OMNIBUS-VLAN permit 40
 match ip address ENPS
 set ip next-hop 192.168.4.1
!
route-map ROSS-VLAN permit 70
 match ip address ROSS-VLAN
 set ip next-hop 192.168.4.1
!
route-map SEC-VLAN permit 30
 match ip address SEC-VLAN
 set ip next-hop 192.168.4.1


Here is how we tested the system and found the error. We cut the connection to the 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the IP address 192.168.24.101 from the MISC VLAN with an IP address of 172.168.11.9, the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again. What in my route-map is causing this? I thought I had set up the deny rules pretty well.
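The decisive PBR detail is that a `deny` entry in a route-map's match ACL does not block anything: it only means "this sequence does not apply", so evaluation moves to the next sequence and, if none matches, the packet is forwarded by the routing table. To make that concrete, the following is an added example (not code from the original post or from Cisco) that models IOS wildcard-mask ACL matching and first-match route-map evaluation in Python, then runs the EDIT_BAYS, ENPS and MISC ACLs and the MISC and OMNIBUS-VLAN route-maps from the post against the ping in the question, in both directions. Assumptions of the model: only `ip` ACL entries are parsed, next-hop reachability is not checked (real IOS also needs an ARP entry for 192.168.4.1), locally originated traffic is ignored, and the question's "172.168.11.9" is read as 172.16.11.9, a host in the MISC VLAN (Vlan110, 172.16.11.0/24).

```python
"""Offline model of Cisco IOS policy-based routing (PBR) decisions:
wildcard-mask ACL matching plus first-match route-map evaluation, run
against the ACLs and route-maps from the post for the ping in the question.
Model assumptions (not IOS behaviour): only `ip` entries are parsed,
next-hop reachability is not checked, locally originated traffic is ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: int
    src_wc: int      # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wc: int
    text: str        # original line, kept for explanations

    def matches(self, src: str, dst: str) -> bool:
        care_src, care_dst = ~self.src_wc & 0xFFFFFFFF, ~self.dst_wc & 0xFFFFFFFF
        return ((ip_int(src) ^ self.src) & care_src) == 0 and \
               ((ip_int(dst) ^ self.dst) & care_dst) == 0


def parse_addr(tok: list[str], i: int) -> tuple[int, int, int]:
    # Parse `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W` at tok[i]; return (addr, wc, next index)
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return ip_int(tok[i + 1]), 0, i + 2
    return ip_int(tok[i]), ip_int(tok[i + 1]), i + 2


def parse_acl(text: str) -> list[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[1] != "ip":
            raise ValueError(f"model only handles `ip` entries: {line!r}")
        src, src_wc, i = parse_addr(tok, 2)
        dst, dst_wc, _ = parse_addr(tok, i)
        aces.append(Ace(tok[0], src, src_wc, dst, dst_wc, line.strip()))
    return aces


def first_match(acl: list[Ace], src: str, dst: str) -> Optional[Ace]:
    """First ACE that matches, or None for the implicit deny at the end."""
    return next((a for a in acl if a.matches(src, dst)), None)


def policy_next_hop(route_map, acls, src: str, dst: str):
    """route_map: list of (match ACL name, set ip next-hop) in sequence order.
    A deny hit, or no hit at all, means "do not policy route here": evaluation
    moves to the next sequence, and when all are exhausted the packet is
    forwarded by the routing table (next-hop None). Returns (next_hop, acl_name, ace)."""
    for acl_name, next_hop in route_map:
        ace = first_match(acls[acl_name], src, dst)
        if ace is not None and ace.action == "permit":
            return next_hop, acl_name, ace
    return None, None, None


# ACLs from the post. EDIT_BAYS' per-host permit lines are omitted here:
# its first deny already decides the flow examined below.
ACLS = {
    "EDIT_BAYS": parse_acl("""
        deny   ip any 172.16.0.0 0.0.255.255
        deny   ip 172.16.0.0 0.0.255.255 any
        deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255"""),
    "ENPS": parse_acl("""
        deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
        deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
        deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
        permit ip host 192.168.24.101 any
        permit ip host 192.168.24.102 any
        permit ip host 192.168.24.103 any"""),
    "MISC": parse_acl("""
        deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
        deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
        deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
        deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
        deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
        permit ip 172.16.11.0 0.0.0.255 any"""),
}
# Route-maps from the post as (match ACL, set ip next-hop) per sequence.
RM_MISC = [("MISC", "192.168.4.1")]                                        # Vlan110
RM_OMNIBUS_VLAN = [("EDIT_BAYS", "192.168.4.1"), ("ENPS", "192.168.4.1")]  # Vlan100

# Assumed test addresses: the question's "172.168.11.9" is read as 172.16.11.9,
# a host in the MISC VLAN (Vlan110, 172.16.11.0/24).
def ping_request():
    """Echo request entering Vlan110: MISC host -> 192.168.24.101 (Vlan100)."""
    return policy_next_hop(RM_MISC, ACLS, "172.16.11.9", "192.168.24.101")


def ping_reply():
    """Echo reply entering Vlan100: 192.168.24.101 -> MISC host."""
    return policy_next_hop(RM_OMNIBUS_VLAN, ACLS, "192.168.24.101", "172.16.11.9")
```

Run through the model, the echo request is not policy-routed (the third MISC deny matches, so the packet falls through to the routing table and reaches the connected Vlan100), but the echo reply is: OMNIBUS-VLAN sequence 30 is skipped because EDIT_BAYS denies anything destined to 172.16.0.0/16, sequence 40 then hits `permit ip host 192.168.24.101 any` in ENPS, and the reply is sent to 192.168.4.1. ENPS, unlike MISC and ENTRIQ, has no `deny ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255` entry, which is consistent with the symptom that the ping only works while 192.168.4.1 is reachable. Confirm on the switch with `show route-map` (policy routing match counters) and `show ip access-lists` hit counts while pinging, before adding the missing deny to ENPS.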


Hi Mike,

Between you and me, this is a lengthy config you have there.

Next, don't forget that a route-map doesn't apply to traffic originated by or destined to the device itself, unless you use ip local policy, which might work, but there I have seen some nasty bugs.

So if you can shorten your config to one example, then do the tests:

 - sourced from device A (it can be the SVI of another switch)

 - through your 6509 

 - destined to device B (it also can be the SVI of another switch, or even simpler some loopback interface).
