route maps not applying all the time?

suelange
Level 1

I am still working with route maps to make a particular route be the preferred route for certain destination addresses. My lab has 3750's for the switch at either end, 2-2800s for the routers at each end. The routers are all attached to a 7200 configured as a frame relay switch emulator in between. Pings back and forth work fine and the route map appears to work, if I ping from the switch at the "A" end to the switch at the "B" end of the link, and vice versa as well. Traceroutes show that the routes are load balanced when they should be, and are preferring a special route when they should be...that is so long as I perform these operations from the switch.

But if I attach a workstation to one end and try to ping various addresses at the other end using that workstation it ALWAYS takes the least preferred route.

I thought at first it was not applying my route map statement. I checked, and the port to which my workstation is attached is configured in Vlan1 (by default) where the route map is applied. But even if that weren't set up right, then it *should* load balance and it doesn't even do that...

Below are key parts of the config on the switch at the end where the workstation is, and the route table and traceroute results. Can anyone spot what is happening here?

SDM Prefer Routing was issued and the unit reset

IP Routing
interface Vlan1
 ip address 10.1.1.11 255.255.0.0
 ip policy route-map prefroute
router eigrp 1
 network 10.1.0.0 0.0.255.255
 no auto-summary
ip local policy route-map prefroute
ip route 0.0.0.0 0.0.0.0 10.1.2.103
access-list 118 permit ip any 10.128.0.0 0.63.255.255
access-list 118 deny ip any any
route-map prefroute permit 10
 match ip address 118
 set ip next-hop 10.1.1.33 10.1.1.22

SHOW IP ROUTE:

D EX 10.132.20.0/24 [170/442368] via 10.1.1.33, 2d04h, Vlan1
                    [170/442368] via 10.1.1.22, 2d04h, Vlan1

Traceroute from switch at 10.1.1.11 to 10.132.20.1:

1 10.1.1.33 0 msec 0 msec 8 msec
2 68.136.221.66 9 msec 8 msec 9 msec
3 10.32.1.1 8 msec * 0 msec

Tracert from workstation at 10.1.1.69 with def. gw = 10.1.1.11 to 10.132.20.1

1 <1 ms 2ms 2ms 10.1.1.11
2 1 ms 1ms 1ms 10.1.1.22
3 3 ms 3ms 3ms 172.20.45.153
4 5 ms 4ms 4ms 10.132.20.1

27 Replies

too large to post...looking for instructions on how to upload...

When you reply to a message, click on the 'Add Attachments' link.

Dang it! I read that elsewhere but alas I have no such link....I've seen others post that same complaint. No blocker on this site and am using IE 6 with massive updates...will get out and try Firefox I guess....

If I can't find it, what specifically are you looking for? Perhaps I can pare down the show tech.

That's very strange.

See the attached file on this post to see how my reply screen looks like :)

LOL!!!

I can't download anything either. I see the attachment listed but have no link with which to open. Clicking on it doesn't help.

I emailed the showtech to my home email address and tonight I will use Mozilla from home and see if maybe that will get me more access.

Thanks for all your help so far and I hope to find this pesky problem. I'm past the point of learning the CCNP material, now I'm just driven by "why doesn't this work????!!"

Will post later and hope to hear back from you then or possibly tomorrow depending on where you are in the world.

Well, I guess you have to be a CCIE to have access to those functions, because even from home with no firewall, using Firefox instead of IE, I don't see a way to download the image you posted nor to post my file with the show tech. There simply are no buttons or links for these functions.

I tried to pare it down by getting rid of all the references to the interfaces not connected to anything which is all but 3, still not small enough.

I really would like to understand what I'm doing wrong in my lab and why it won't work. Can I cut and paste sections of the show tech that would help you to help me?

Let's start by posting the output of show run

Thank you. I'm putting that in below, less the ports that don't matter anyway. BUT...desperate times call for desperate measures. If you are inclined, I have posted the whole show tech on my Road Runner page... http://home.kc.rr.com/rogerandsue/. Here is show run:

------------------ show running-config ------------------

Building configuration...

Current configuration : 15763 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname prf_switch
!
enable secret 5
!
username ciscoadmin privilege 15 password 7
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
interface Loopback1
 ip address 137.135.128.232 255.255.255.255
!
interface GigabitEthernet1/0/1
 description router a
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport port-security maximum 8
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast disable
 spanning-tree bpduguard disable
 spanning-tree link-type point-to-point
!
!
interface GigabitEthernet1/0/3
 description router b
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport port-security maximum 8
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast disable
 spanning-tree bpduguard disable
 spanning-tree link-type point-to-point
!
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security maximum 8
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.1.50 255.255.0.0 secondary
 ip address 10.1.1.11 255.255.0.0
 ip policy route-map prefroute
!
interface Vlan5
 ip address 10.10.16.1 255.255.255.0
 ip policy route-map prefroute
!
interface Vlan6
 ip address 192.201.1.194 255.255.255.224
!
router eigrp 1
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
ip local policy route-map prefroute
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.2.103
ip http server
ip http secure-server
!
!
access-list 118 permit ip any 10.128.0.0 0.63.255.255
access-list 118 deny ip any any
route-map prefroute permit 10
 match ip address 118
 set ip next-hop 10.1.1.33 10.1.1.22
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 no login
line vty 5 15
 password 7
 logging synchronous
 login local
!
end

- Remove "ip local policy route-map prefroute" (please leave it off)

- Turn debug on ip policy

- Initiate a ping from host 10.1.1.69 to a device located in 10.128.0.0/18 subnet

- Please post the output from this debug

_______________

Based on the show tech, the log displays that the source is 10.1.1.11 and the destination is 10.1.1.69.

It also shows the policy does not match (ACL 118 does not cover the source and destination network, on this example) which makes a lot of sense.

Thank you and you are right about 118 not applying to the traffic between 10.1.1.11 and .69.

When I turn off ip local policy route-map prefroute I get no debug output whatsoever from traces or pings on 10.1.1.69 to 10.132.20.1.

If I turn it back on, I get the packets which you saw earlier where 10.1.1.11 is the source and 10.1.1.69 is the destination. Those are caused by the fact that my workstation (.69) is telnetted into the switch (.11) in order to issue commands and observe the output. I believe the local policy, when on, applies to the traffic generated by the switch, in this case the return packets for the telnet session. Of course I would expect them to be rejected by the route map because that address, understandably, is not in the range to be routed via one path or the other to the opposite side of the network. Thus they fall right through to the normal processing, and the set is not applied.

But the fact that there is no debug output apart from that local policy indicates that my route map, for whatever reason is NOT even being invoked in spite of the fact that there is a policy for it applied to vlan 1. I've tried other vlans as well just for grins but to no avail.

What would keep a route-map from even being invoked?

I wish there was something to post but there is nothing with that local policy removed.

Try downgrading to an earlier IOS version.

EUREKA!!! I found it!!!

It's upper/lower case. When I put in the route map I used all upper case. When I applied the statement to the local policy using upper case that is how it stored it. But when I applied it to the VLAN interface it is in lower case.

I just deleted the ip policy from vlan1 and put it back, forcing the name to all upper case but, when I do a show run it comes back all lower case. SOOOOO...the name of the policy isn't technically the same.

Since I can't force the interface to save my name in all uppercase, I deleted my policy and recreated using all lower case for the name. It's working like it should now!

Funny I was about to backrev from 122.40 SE to your version for grins when I happened to notice this and thought...what the heck????

Something else that is odd: the showtech displays in lower case but the show run does not...I dunno what's up with that.

AH.....Thanks so much for all your help. I'm curious whether you can reproduce the problem by naming your route-map in all upper, trying to apply it in all upper to vlan1 only to have it convert to lower and thus...not work there any more. But I realize you are busy and probably don't have time.

I don't even have to test it, route-maps are case sensitive.

I find it very strange that it didn't show on the output you posted.

One lesson learned, keep track of upper/lower case when creating anything in the configuration. That is, route-maps - ACLs - among other things.

I usually go with Upper case for any labeling on the router (route-maps, ACLs, etc).

Glad you were able to solve the problem, I'm sure you learned a lot from this :)
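The fix found in this thread (a policy reference whose name differs only in case from the route-map definition) can be caught by linting a saved configuration. The following is an added example, not code from any poster; the function name `audit_policy_route_maps` and the sample configuration are constructed for illustration, and the check assumes route-map names are case-sensitive, as stated in the reply above.

```python
import re

# Constructed sample: the route-map is defined in upper case, the local policy
# references it in upper case, and the Vlan1 policy references it in lower case.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.1.1.11 255.255.0.0
 ip policy route-map prefroute
!
interface Vlan5
 ip policy route-map NOSUCHMAP
!
ip local policy route-map PREFROUTE
!
route-map PREFROUTE permit 10
 match ip address 118
 set ip next-hop 10.1.1.33 10.1.1.22
"""

DEFINITION = re.compile(r"^route-map\s+(\S+)")
REFERENCE = re.compile(r"^\s*ip\s+(local\s+)?policy\s+route-map\s+(\S+)")
INTERFACE = re.compile(r"^interface\s+(\S+)")

def audit_policy_route_maps(config_text):
    """Return (where, referenced_name, problem) for every policy reference
    that does not exactly match a defined route-map name."""
    lines = config_text.splitlines()
    defined = set()
    for line in lines:
        m = DEFINITION.match(line)
        if m:
            defined.add(m.group(1))
    findings, interface = [], None
    for line in lines:
        m = INTERFACE.match(line)
        if m:
            interface = m.group(1)  # remember which interface block we are in
            continue
        m = REFERENCE.match(line)
        if not m or m.group(2) in defined:
            continue  # not a policy reference, or an exact (case-sensitive) match
        where = "local policy" if m.group(1) else interface
        # Definitions that differ from the reference only by letter case
        near = sorted(d for d in defined if d.lower() == m.group(2).lower())
        problem = ("case mismatch: defined as " + ", ".join(near)) if near else "undefined"
        findings.append((where, m.group(2), problem))
    return findings

if __name__ == "__main__":
    for where, name, problem in audit_policy_route_maps(SAMPLE_CONFIG):
        print(f"{where}: route-map {name}: {problem}")
```

A reference to a missing route-map produces no error when it is entered, which is why the symptom in this thread was silent normal routing with no debug output.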
