unable ping Vlan interface -with route map

mkkeyan
Level 1

Unable to ping the VLAN interface with policy routing, but able to access the resources (Cisco 3750)

interface Vlan3
ip address 10.151.1.1 255.255.255.0
ip policy route-map VAUS

thanks

Mk

7 Replies

Jon Marshall
Hall of Fame

Mk

We try and help on this forum but we are not mind readers.

We need a bit more info to help you out, i.e.

1) ping from where, i.e. IP addresses

2) which VLAN interface - presumably the one above

3) what does the PBR look like, i.e. route-map/access-list details

Jon

Apologies Jon, I understood.

1) Ping from the 10.151.1.0 network. The PC will have 10.151.1.1 as gateway.

2) VLAN 3 interface

3) Route-map access-list details

ip access-list extended AUSTRALIA-IN
permit ip any any
deny   ip 10.151.1.0 0.0.0.255 10.20.31.0 0.0.0.255

ip access-list extended AUSTRALIA-OUT
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.210
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.194
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.201
permit ip 10.151.1.0 0.0.0.255 host 192.114.152.106
permit ip 10.151.1.0 0.0.0.255 192.252.5.112 0.0.0.7
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.103
permit ip 10.151.1.0 0.0.0.255 host 206.65.166.236
permit ip 10.151.1.0 0.0.0.255 host 10.20.31.208
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.194
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.201
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.103
permit ip 10.151.1.0 0.0.0.255 host 10.21.36.208
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.85
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.134
permit ip 10.151.1.0 0.0.0.255 host 10.33.120.138
permit ip 10.151.1.0 0.0.0.255 host 10.206.163.60
permit ip 10.151.1.0 0.0.0.255 host 10.24.32.3
permit ip 10.151.1.0 0.0.0.255 host 10.24.32.2
permit ip host 10.151.1.227 host 10.24.32.100
permit ip host 10.151.1.112 host 10.20.31.201
permit ip host 10.151.1.227 host 10.20.31.201
permit ip 10.151.1.0 0.0.0.255 host 10.20.33.211
permit ip host 10.151.1.112 any


route-map VAUS permit 40
match ip address AUSTRALIA-OUT
!
route-map VAUS permit 50
match ip address AUSTRALIA-IN
set ip next-hop 10.151.1.225
!
route-map VAUS permit 60

interface Vlan3
ip address 10.151.1.1 255.255.255.0
ip policy route-map VAUS

----------------------------------------------------------------

When I do a traceroute for 151.1.1.1 it gets into a loop.

10.151.1.1 between 10.151.1.225 till 30 hops

PC- gateway with 10.151.1.1

thanks

Mk

Mk

What is the address of the PC you are pinging from?

Also, can you explain the logic behind the route-map, i.e.

1) You match on AUSTRALIA-OUT but don't do anything

2) Your AUSTRALIA-IN ACL permits all, then denies a specific destination, but it will never get to the deny if you permit all

Jon

Just do this

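! ICMP addressed to the Vlan3 interface itself
ip access-list extended ALLOW_ICMP
permit icmp any host 10.151.1.1
!
! A deny entry exempts the matched traffic from policy routing
route-map VAUS deny 1
match ip address ALLOW_ICMP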

CCIE 18676

Pinging from IP address 10.151.1.147

If packets match AUSTRALIA-OUT, they need to go to IP 10.20.31.248.

Here is the static route:

     10.0.0.0/8 is variably subnetted, 73 subnets, 4 masks
S       10.20.40.0/24 [1/0] via 10.20.31.248
S       10.20.33.0/24 [1/0] via 192.168.101.2
S*   0.0.0.0/0 [1/0] via 10.20.31.248

Since the default route is 10.20.31.248, even if I have not mentioned a next-hop IP address in the route-map, that is its exit.

If a packet does not match AUSTRALIA-OUT, it should go to IP 10.151.1.225.

Please correct me to achieve the above scenario.

thanks

MK

MK

Okay, I see the logic. Because you have a permit ip any any in AUSTRALIA-IN, you need to match traffic in AUSTRALIA-OUT so it won't get to the 2nd route-map permit statement. Still not sure what the deny line is doing in the 2nd route-map statement though.

Anyway, that aside, I did some testing on a router and could not emulate the problem you are having. Unfortunately I don't have a L3 switch to test on at the moment, but it may well be worth trying what the other poster suggested, i.e. in your AUSTRALIA-IN ACL -

     deny icmp from 10.151.1.0/24 to 10.151.1.1

     permit ip any any

Jon

Hi,

Your packet with source 10.151.1.147 and destination 10.20.31.248 does not seem to be matching your access-list AUSTRALIA-OUT.

The other access-list you have defined, AUSTRALIA-IN, I hope has the right sequence of commands you have mentioned. I am saying this because your first statement is permit ip any any, which will in fact match everything (only if there are more things other than IP). So, assuming you have pasted the right sequence, your packet will match this access-list and will go to the next-hop address 10.151.1.225.

If you can also paste the config of the 10.151.1.225 router, then I can let you know where the problem is.

Also, I am still not sure what exactly you are trying to achieve.

If you can let me know your requirement in full, I'll be in a position to provide you with a simplified configuration.

HTH

cheers,

Saurabh
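
The evaluation order discussed in the replies above, as an added example (not code from any poster, and a simplified model rather than IOS itself): first-match ACL lookup inside an in-order route-map walk, plus a check for ACL entries that an earlier entry makes unreachable. AUSTRALIA-OUT is abbreviated to three of the posted entries, and the function names are made up for illustration.

```python
import ipaddress

def net(addr, wildcard):
    """Build a network from an IOS address and wildcard (inverse) mask."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src_net, dst_net)."""
    action, _proto, *rest = line.split()
    it, nets = iter(rest), []
    for tok in it:
        if tok == "any":
            nets.append(net("0.0.0.0", "255.255.255.255"))
        elif tok == "host":
            nets.append(net(next(it), "0.0.0.0"))
        else:
            nets.append(net(tok, next(it)))   # address followed by wildcard mask
    return action, nets[0], nets[1]

def acl_permits(acl, src, dst):
    """First matching ACE decides; nothing matching means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a == "permit" for a, sn, dn in acl if s in sn and d in dn), False)

def shadowed(acl):
    """1-based indexes of ACEs fully covered by an earlier ACE (never reached)."""
    return [j + 1 for j, (_, sn, dn) in enumerate(acl)
            if any(sn.subnet_of(p) and dn.subnet_of(q) for _, p, q in acl[:j])]

def pbr(route_map, acls, src, dst):
    """Return (sequence, next_hop) of the first route-map entry that matches."""
    for seq, acl_name, next_hop in route_map:
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return seq, next_hop    # next_hop None = normal routing-table lookup
    return None, None

# Constructed input: AUSTRALIA-OUT abbreviated to three of the posted entries.
ACLS = {
    "AUSTRALIA-OUT": [parse_ace(l) for l in (
        "permit ip 10.151.1.0 0.0.0.255 host 10.20.31.210",
        "permit ip 10.151.1.0 0.0.0.255 192.252.5.112 0.0.0.7",
        "permit ip host 10.151.1.112 any")],
    "AUSTRALIA-IN": [parse_ace(l) for l in (
        "permit ip any any", "deny ip 10.151.1.0 0.0.0.255 10.20.31.0 0.0.0.255")],
}
VAUS = [(40, "AUSTRALIA-OUT", None), (50, "AUSTRALIA-IN", "10.151.1.225"), (60, None, None)]

if __name__ == "__main__":
    print(pbr(VAUS, ACLS, "10.151.1.147", "10.151.1.1"), shadowed(ACLS["AUSTRALIA-IN"]))
```

In this model the ping from 10.151.1.147 to the Vlan3 address falls through sequence 40 and is handed to 10.151.1.225 by sequence 50, and the deny line in AUSTRALIA-IN is reported as unreachable.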
