EIGRP will only route to VLAN1 on 4507

thunder_denton

I am setting up Layer 3 switches (3560s) at our remote sites to allow me to use EIGRP and MPLS to add an additional route back to corporate (currently using ASA VPN Tunnels).

 

From a 4507R+E at corporate on VLAN1, I can reach any computer on any of the VLANs I have set up as Network (and vice versa)....  But ONLY VLAN1 at corporate. 

Maybe my version is not correct?  Version 03.09.01.E  I have downloaded the latest version, but I hesitate to do the upgrade if not needed.


Dear Thunder,

After you apply the static route, in the output of: show ip route
are the networks added earlier present in the routing table?
Jaderson Pessoa
*** Rate All Helpful Responses ***

Yes:





CoreSwitch4507#config t
Enter configuration commands, one per line. End with CNTL/Z.
CoreSwitch4507(config)#ip route 10.10.5.0 255.255.255.0 10.10.5.2
CoreSwitch4507(config)#ip route 10.100.10.0 255.255.255.0 10.10.5.2
CoreSwitch4507(config)#show ip route
^
% Invalid input detected at '^' marker.

CoreSwitch4507(config)#exit
CoreSwitch4507#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.0.253 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.0.253
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.5.0/24 is directly connected, GigabitEthernet7/14
L 10.10.5.1/32 is directly connected, GigabitEthernet7/14
D 10.10.10.0/24 [90/3072] via 10.10.5.2, 00:27:46, GigabitEthernet7/14
S 10.100.10.0/24 [1/0] via 10.10.5.2
172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
C 172.16.90.0/24 is directly connected, Vlan909
L 172.16.90.1/32 is directly connected, Vlan909
C 172.16.100.0/24 is directly connected, Vlan901
L 172.16.100.1/32 is directly connected, Vlan901
C 172.16.102.0/24 is directly connected, Vlan902
L 172.16.102.1/32 is directly connected, Vlan902
C 172.16.103.0/24 is directly connected, Vlan903
L 172.16.103.1/32 is directly connected, Vlan903
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, Vlan100
L 192.168.0.1/32 is directly connected, Vlan100
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan10
L 192.168.10.1/32 is directly connected, Vlan10
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, Vlan12
L 192.168.12.1/32 is directly connected, Vlan12
192.168.15.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.15.0/24 is directly connected, Vlan15
L 192.168.15.1/32 is directly connected, Vlan15
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, Vlan20
L 192.168.20.1/32 is directly connected, Vlan20
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, Vlan1
L 192.168.100.1/32 is directly connected, Vlan1
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.200.0/24 is directly connected, Vlan200
L 192.168.200.1/32 is directly connected, Vlan200
192.168.201.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.201.0/24 is directly connected, Vlan201
L 192.168.201.1/32 is directly connected, Vlan201
192.168.202.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.202.0/24 is directly connected, Vlan202
L 192.168.202.1/32 is directly connected, Vlan202
CoreSwitch4507#


Could you provide the output from:
ping ip 10.100.10.1 source 10.10.5.1
Jaderson Pessoa
*** Rate All Helpful Responses ***

Not exactly what you asked for, but on VLAN100 at the remote site...



Computer on VLAN100 at remote site



CoreSwitch4507#ping ip 10.10.10.100 source 10.10.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:
Packet sent with a source address of 10.10.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms



VLAN100 at remote site



CoreSwitch4507#ping ip 10.10.10.1 source 10.10.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms





I will have to put a machine on the other VLAN before it will answer. Give me a moment and I will get that for you.




For the original request (machine is on there).



CoreSwitch4507#ping ip 10.100.10.1 source 10.10.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.10.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.5.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms


Great.. 

 

Which network isn't working with the other? (the one you have the problem with)

Jaderson Pessoa
*** Rate All Helpful Responses ***

I am wondering why the 4507 did not learn 10.100.10.0 as an EIGRP route and it was necessary to add a static route for it. On the remote would you post the output of show ip interface brief and of show ip route

 

Thinking about the static route - there is no need for the static route for 10.10.5.0. The core knows that network as a connected route (not as an EIGRP route).

 

HTH

 

Rick

I do not know why 10.100.10.0 is not advertised to the core (and that would impact access to anything on the core from that subnet). But I have identified the main reason why the remote can only access vlan 1 of the core. Other than the connected subnet of 10.10.5.0 the core advertises 3 subnets to the remote. It advertises 192.168.100.0 which is vlan 1 and that works. It advertises 192.168.0.0 which is vlan 100 and it does not work. It advertises 172.16.103.0 which is vlan 903 and it does not work. The two vlans that do not work have configured Policy Based Routing. The normal route to get to the Remote is to use connected 10.10.5.2 but the PBR overrides the normal routing and sets ip next-hop to a different IP and that prevents traffic from those vlans returning to the remote. 

 

The solution for this issue is to revise the ACL used by PBR for those subnets and make the ACL deny traffic from the core subnets to the remote subnets. This will allow normal routing to take place and the remote will be able to access those subnets.

 

HTH

 

Rick

I was starting to think along those same lines. The route of last resort is my ASA. It doesn't know about the EIGRP network (yet), and the switch doesn't allow the VLANs to communicate directly (the deny statements)....



I had some more pressing projects push this back, but maybe after hours today I can take another stab at this.


It is working after doing the following for VLAN100

 

C
THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may
be intercepted, monitored, recorded, copied, audited, inspected,
and disclosed to authorized site and law enforcement personnel,
as well as authorized officials of other agencies, both domestic
and foreign.  By using this system, the user consents to such
interception, monitoring, recording, copying, auditing, inspection,
and disclosure at the discretion of authorized site personnel.

Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and
consent to these terms and conditions of use.   LOG OFF IMMEDIATELY
if you do not agree to the conditions stated in this warning.

User Access Verification

Enter Username: thunder
Password:

CoreSwitch4507#config t
Enter configuration commands, one per line.  End with CNTL/Z.
CoreSwitch4507(config)#exit
CoreSwitch4507#show access-list
Standard IP access list 23
    10 permit 24.28.23.243 log
    20 permit 192.168.0.0, wildcard bits 0.0.255.255 log (246 matches)
    30 permit 172.16.0.0, wildcard bits 0.0.255.255 log (151 matches)
    40 deny   any log
Extended IP access list 101
    10 deny ip any 170.146.0.0 0.0.255.255 log
    20 permit ip any any
Extended IP access list 102
    10 deny ip any 170.146.0.0 0.0.255.255 log
    20 permit ip any any
Extended IP access list 199
    10 deny tcp host 192.168.0.99 eq www any log
    20 deny tcp any eq www host 192.168.0.99 log
    30 deny tcp 192.168.0.0 0.0.0.255 eq 443 any log
    40 permit ip any any
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www
Extended IP access list PolicyRoute_1
    10 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log
    20 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    30 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255 log
    40 deny ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    50 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    60 deny ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    70 deny ip 192.168.0.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    80 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255 log
    90 deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255 log
    100 deny ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255 log
    110 deny ip 192.168.0.0 0.0.0.255 192.168.201.0 0.0.0.255 log
    120 deny ip 192.168.0.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    130 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255 log
    140 permit ip 192.168.0.0 0.0.0.255 any
    150 deny ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_10
    10 deny ip 192.168.10.0 0.0.0.255 172.16.90.0 0.0.0.255
    20 deny ip 192.168.10.0 0.0.0.255 172.16.100.0 0.0.0.255 log (1160 matches)
    30 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255 log (156725963 matches)
    40 deny ip 192.168.10.0 0.0.0.255 172.16.101.0 0.0.0.255
    50 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log (437913 matches)
    60 deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 log (45993241 matches)
    70 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    80 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    90 deny ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    100 deny ip 192.168.10.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    110 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 log (18408908 matches)
    120 deny ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255 log (78097889 matches)
    130 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255 log (794 matches)
    140 deny ip 192.168.10.0 0.0.0.255 192.168.201.0 0.0.0.255 log (242 matches)
    150 deny ip 192.168.10.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    160 permit ip any any (974510854 matches)
    170 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_100
    10 deny ip 192.168.0.0 0.0.0.255 172.16.90.0 0.0.0.255
    20 deny ip 192.168.0.0 0.0.0.255 172.16.100.0 0.0.0.255 log (41892 matches)
    30 deny ip 192.168.0.0 0.0.0.255 172.16.101.0 0.0.0.255
    40 deny ip 192.168.0.0 0.0.0.255 172.16.103.0 0.0.0.255 log (1695997 matches)
    50 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255 log (32930640 matches)
    60 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 log (2667 matches)
    70 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255 log (66966973 matches)
    80 deny ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255 log (2590332 matches)
    90 deny ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255 log (2678093 matches)
    100 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255 log (194036 matches)
    110 deny ip 192.168.0.0 0.0.0.255 192.168.40.0 0.0.0.255 log (1 match)
    120 deny ip 192.168.0.0 0.0.0.255 192.168.99.0 0.0.0.255 log (1 match)
    130 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255 log (2043 matches)
    140 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255 log (9692 matches)
    150 deny ip 192.168.0.0 0.0.0.255 192.168.101.0 0.0.0.255 log (2 matches)
    160 deny ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255 log (1164894 matches)
    170 deny ip 192.168.0.0 0.0.0.255 192.168.201.0 0.0.0.255 log (101310 matches)
    180 deny ip 192.168.0.0 0.0.0.255 192.168.202.0 0.0.0.255 log (2292 matches)
    190 permit ip 192.168.0.0 0.0.0.255 any (4427173709 matches)
    200 deny ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255 log
    210 deny ip 192.168.0.0 0.0.0.255 172.16.102.0 0.0.0.255
    220 deny ip 192.168.0.0 0.0.0.255 10.10.5.0 0.0.0.255
    230 deny ip 192.168.0.0 0.0.0.255 10.100.10.0 0.0.0.255
Extended IP access list PolicyRoute_12
    10 deny ip 192.168.12.0 0.0.0.255 172.16.90.0 0.0.0.255
    20 deny ip 192.168.12.0 0.0.0.255 172.16.100.0 0.0.0.255 log
    30 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255 log
    40 deny ip 192.168.12.0 0.0.0.255 172.16.101.0 0.0.0.255
    50 deny ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    60 deny ip 192.168.12.0 0.0.0.255 192.168.12.0 0.0.0.255 log
    70 deny ip 192.168.12.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    80 deny ip 192.168.12.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    90 deny ip 192.168.12.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    100 deny ip 192.168.12.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    110 deny ip 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255 log
    120 deny ip 192.168.12.0 0.0.0.255 192.168.200.0 0.0.0.255 log
    130 deny ip 192.168.12.0 0.0.0.255 192.168.254.0 0.0.0.255 log
    140 deny ip 192.168.12.0 0.0.0.255 192.168.201.0 0.0.0.255 log
    150 deny ip 192.168.12.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    160 permit ip any any
    170 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255 log
Extended IP access list PolicyRoute_15
    10 deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255 log
    20 deny ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    30 deny ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255 log
    40 deny ip 192.168.15.0 0.0.0.255 192.168.15.0 0.0.0.255 log
    50 deny ip 192.168.15.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    60 deny ip 192.168.15.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    70 deny ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    80 deny ip 192.168.15.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    90 deny ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255 log
    100 deny ip 192.168.15.0 0.0.0.255 192.168.101.0 0.0.0.255 log
    110 deny ip 192.168.15.0 0.0.0.255 192.168.200.0 0.0.0.255 log
    120 deny ip 192.168.15.0 0.0.0.255 192.168.201.0 0.0.0.255 log
    130 deny ip 192.168.15.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    140 deny ip 192.168.15.0 0.0.0.255 192.168.254.0 0.0.0.255 log
    150 permit ip 192.168.15.0 0.0.0.255 any
    160 deny ip 192.168.15.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_20
    10 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255 log
    20 deny ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    30 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
    40 deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    50 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    60 deny ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    70 deny ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255 log
    80 deny ip 192.168.20.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    90 deny ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255 log
    100 deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255 log
    110 deny ip 192.168.20.0 0.0.0.255 192.168.201.0 0.0.0.255 log
    120 deny ip 192.168.20.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    130 permit ip any any
    140 deny ip 192.168.20.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_200
    10 deny ip 192.168.200.0 0.0.0.255 172.16.100.0 0.0.0.255 log (184 matches)
    20 deny ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255 log (467702 matches)
    30 deny ip 192.168.200.0 0.0.0.255 172.16.101.0 0.0.0.255
    40 deny ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    50 deny ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255 log (2859055 matches)
    60 deny ip 192.168.200.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    70 deny ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    80 deny ip 192.168.200.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    90 deny ip 192.168.200.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    100 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255 log
    110 deny ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255 log (746621 matches)
    120 deny ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.255 log
    130 deny ip 192.168.200.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    140 deny ip 192.168.200.0 0.0.0.255 192.168.254.0 0.0.0.255 log
    150 permit ip any any (100253992 matches)
    160 deny ip 192.168.200.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_201
    10 deny ip 192.168.201.0 0.0.0.255 192.168.0.0 0.0.0.255 log (2580 matches)
    20 deny ip 192.168.201.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    30 deny ip 192.168.201.0 0.0.0.255 192.168.10.0 0.0.0.255 log
    40 deny ip 192.168.201.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    50 deny ip 192.168.201.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    60 deny ip 192.168.201.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    70 deny ip 192.168.201.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    80 deny ip 192.168.201.0 0.0.0.255 192.168.100.0 0.0.0.255 log
    90 deny ip 192.168.201.0 0.0.0.255 192.168.101.0 0.0.0.255 log
    100 deny ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255 log
    110 deny ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255 log (59412 matches)
    120 deny ip 192.168.201.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    130 deny ip 192.168.201.0 0.0.0.255 192.168.254.0 0.0.0.255 log
    140 permit ip 192.168.201.0 0.0.0.255 any (996849 matches)
    150 deny ip 192.168.201.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_202
    10 deny ip 192.168.202.0 0.0.0.255 192.168.0.0 0.0.0.255 log
    20 deny ip 192.168.202.0 0.0.0.255 192.168.1.0 0.0.0.255 log
    30 deny ip 192.168.202.0 0.0.0.255 192.168.10.0 0.0.0.255 log
    40 deny ip 192.168.202.0 0.0.0.255 192.168.20.0 0.0.0.255 log
    50 deny ip 192.168.202.0 0.0.0.255 192.168.30.0 0.0.0.255 log
    60 deny ip 192.168.202.0 0.0.0.255 192.168.40.0 0.0.0.255 log
    70 deny ip 192.168.202.0 0.0.0.255 192.168.99.0 0.0.0.255 log
    80 deny ip 192.168.202.0 0.0.0.255 192.168.100.0 0.0.0.255 log
    90 deny ip 192.168.202.0 0.0.0.255 192.168.101.0 0.0.0.255 log
    100 deny ip 192.168.202.0 0.0.0.255 192.168.200.0 0.0.0.255 log
    110 deny ip 192.168.202.0 0.0.0.255 192.168.201.0 0.0.0.255 log
    120 deny ip 192.168.202.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    130 permit ip 192.168.202.0 0.0.0.255 any
    140 deny ip 192.168.202.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_901
    10 deny ip 172.16.100.0 0.0.0.255 172.16.100.0 0.0.0.255 (2641976 matches)
    20 deny ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
    30 deny ip 172.16.100.0 0.0.0.255 192.168.0.0 0.0.0.255 (18988602 matches)
    40 deny ip 172.16.100.0 0.0.0.255 192.168.10.0 0.0.0.255 (18057617 matches)
    50 deny ip 172.16.100.0 0.0.0.255 192.168.15.0 0.0.0.255
    60 deny ip 172.16.100.0 0.0.0.255 192.168.20.0 0.0.0.255
    70 deny ip 172.16.100.0 0.0.0.255 192.168.30.0 0.0.0.255
    80 deny ip 172.16.100.0 0.0.0.255 192.168.40.0 0.0.0.255
    90 deny ip 172.16.100.0 0.0.0.255 192.168.99.0 0.0.0.255
    100 deny ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255 (1394848 matches)
    110 deny ip 172.16.100.0 0.0.0.255 192.168.254.0 0.0.0.255
    120 deny ip 172.16.100.0 0.0.0.255 192.168.101.0 0.0.0.255
    130 deny ip 172.16.100.0 0.0.0.255 192.168.200.0 0.0.0.255 (18371214 matches)
    140 deny ip 172.16.100.0 0.0.0.255 192.168.201.0 0.0.0.255
    150 deny ip 172.16.100.0 0.0.0.255 192.168.202.0 0.0.0.255
    160 permit ip 172.16.100.0 0.0.0.255 any (86544882 matches)
    170 deny ip 172.16.100.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_902
    10 deny ip 172.16.102.0 0.0.0.255 172.16.100.0 0.0.0.255
    20 deny ip 172.16.102.0 0.0.0.255 172.16.101.0 0.0.0.255
    30 deny ip 172.16.102.0 0.0.0.255 172.16.102.0 0.0.0.255 (51579 matches)
    40 deny ip 172.16.102.0 0.0.0.255 192.168.0.0 0.0.0.255 (4417 matches)
    50 deny ip 172.16.102.0 0.0.0.255 192.168.10.0 0.0.0.255
    60 deny ip 172.16.102.0 0.0.0.255 192.168.15.0 0.0.0.255
    70 deny ip 172.16.102.0 0.0.0.255 192.168.20.0 0.0.0.255
    80 deny ip 172.16.102.0 0.0.0.255 192.168.30.0 0.0.0.255
    90 deny ip 172.16.102.0 0.0.0.255 192.168.40.0 0.0.0.255
    100 deny ip 172.16.102.0 0.0.0.255 192.168.99.0 0.0.0.255
    110 deny ip 172.16.102.0 0.0.0.255 192.168.100.0 0.0.0.255
    120 deny ip 172.16.102.0 0.0.0.255 192.168.254.0 0.0.0.255
    130 deny ip 172.16.102.0 0.0.0.255 192.168.101.0 0.0.0.255
    140 deny ip 172.16.102.0 0.0.0.255 192.168.200.0 0.0.0.255
    150 deny ip 172.16.102.0 0.0.0.255 192.168.201.0 0.0.0.255
    160 deny ip 172.16.102.0 0.0.0.255 192.168.202.0 0.0.0.255
    170 permit ip 172.16.102.0 0.0.0.255 any (25969 matches)
    180 deny ip 172.16.102.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_903
    10 deny ip 172.16.103.0 0.0.0.255 192.168.0.0 0.0.0.255 (222565230 matches)
    20 deny ip 172.16.103.0 0.0.0.255 192.168.10.0 0.0.0.255 (114570947 matches)
    30 deny ip 172.16.103.0 0.0.0.255 192.168.200.0 0.0.0.255 (70681186 matches)
    40 deny ip 172.16.103.0 0.0.0.255 172.16.90.0 0.0.0.255
    50 deny ip 172.16.103.0 0.0.0.255 172.16.100.0 0.0.0.255 (8958 matches)
    60 permit ip 172.16.103.0 0.0.0.255 any (496118685 matches)
    70 deny ip 172.16.103.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list PolicyRoute_909
    10 deny ip 172.16.90.0 0.0.0.255 172.16.90.0 0.0.0.255 (151 matches)
    20 deny ip 172.16.90.0 0.0.0.255 172.16.101.0 0.0.0.255
    30 deny ip 172.16.90.0 0.0.0.255 192.168.0.0 0.0.0.255
    40 deny ip 172.16.90.0 0.0.0.255 192.168.10.0 0.0.0.255
    50 deny ip 172.16.90.0 0.0.0.255 192.168.15.0 0.0.0.255
    60 deny ip 172.16.90.0 0.0.0.255 192.168.20.0 0.0.0.255
    70 deny ip 172.16.90.0 0.0.0.255 192.168.30.0 0.0.0.255
    80 deny ip 172.16.90.0 0.0.0.255 192.168.40.0 0.0.0.255
    90 deny ip 172.16.90.0 0.0.0.255 192.168.99.0 0.0.0.255
    100 deny ip 172.16.90.0 0.0.0.255 192.168.100.0 0.0.0.255
    110 deny ip 172.16.90.0 0.0.0.255 192.168.254.0 0.0.0.255
    120 deny ip 172.16.90.0 0.0.0.255 192.168.101.0 0.0.0.255
    130 deny ip 172.16.90.0 0.0.0.255 192.168.200.0 0.0.0.255
    140 deny ip 172.16.90.0 0.0.0.255 192.168.201.0 0.0.0.255
    150 deny ip 172.16.90.0 0.0.0.255 192.168.202.0 0.0.0.255
    160 permit ip 172.16.90.0 0.0.0.255 any (1468038 matches)
    170 deny ip 172.16.90.0 0.0.0.255 192.168.12.0 0.0.0.255 log
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
Extended IP access list system-cpp-all-routers-on-subnet
    10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
    10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
    10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
    10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
    10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
    10 permit udp any any eq 0
Extended IP access list system-cpp-hsrpv2
    10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
    10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
    10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
    10 permit ospf any any
Extended IP access list system-cpp-pim
    10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
    10 permit ip any host 224.0.0.9
IPv6 access list DHCP Sever
    permit udp any eq 546 any eq 547 sequence 10
    permit udp any eq 547 any eq 546 sequence 20
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100
IPv6 access list system-cpp-dhcpv6-cs
    permit udp any eq 546 any eq 547 sequence 10
IPv6 access list system-cpp-dhcpv6-sc
    permit udp any eq 547 any eq 546 sequence 10
IPv6 access list system-cpp-icmpv6-na
    permit icmp any any nd-na sequence 10
IPv6 access list system-cpp-icmpv6-ns
    permit icmp any any nd-ns sequence 10
IPv6 access list system-cpp-icmpv6-ra
    permit icmp any any router-advertisement sequence 10
IPv6 access list system-cpp-icmpv6-rr
    permit icmp any any redirect sequence 10
IPv6 access list system-cpp-icmpv6-rs
    permit icmp any any router-solicitation sequence 10
Extended MAC access list system-cpp-bpdu-range
    permit any 0180.c200.0000 0000.0000.0003
Extended MAC access list system-cpp-cdp
    permit any host 0100.0ccc.cccc
Extended MAC access list system-cpp-dot1x
    permit any any 0x888E
Extended MAC access list system-cpp-mcast-cfm
    permit any 0180.c200.0030 0000.0000.000f
Extended MAC access list system-cpp-sstp
    permit any host 0100.0ccc.cccd
Extended MAC access list system-cpp-ucast-cfm
    permit any host 00d7.8f0d.413d
CoreSwitch4507#config t
Enter configuration commands, one per line.  End with CNTL/Z.
CoreSwitch4507(config)#Extended IP access list PolicyRoute_100
                         ^
% Invalid input detected at '^' marker.

CoreSwitch4507(config)#ip access-list extended PolicyRoute_100
CoreSwitch4507(config-ext-nacl)#no deny ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255 log
CoreSwitch4507(config-ext-nacl)#no deny ip 192.168.0.0 0.0.0.255 172.16.102.0 0.0.0.255
CoreSwitch4507(config-ext-nacl)#no deny ip 192.168.0.0 0.0.0.255 10.10.5.0 0.0.0.255
CoreSwitch4507(config-ext-nacl)#no deny ip 192.168.0.0 0.0.0.255 10.100.10.0 0.0.0.255
CoreSwitch4507(config-ext-nacl)# 181 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255 log
CoreSwitch4507(config-ext-nacl)# 182 deny   ip 192.168.0.0 0.0.0.255 172.16.102.0 0.0.0.255
CoreSwitch4507(config-ext-nacl)# 183 deny   ip 192.168.0.0 0.0.0.255 10.10.5.0 0.0.0.255
CoreSwitch4507(config-ext-nacl)# 184 deny   ip 192.168.0.0 0.0.0.255 10.100.10.0 0.0.0.255
CoreSwitch4507(config-ext-nacl)#
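
Added example, not part of the original thread: IOS evaluates ACL entries in sequence order and stops at the first match, so the deny lines at 200-230 that sat after `190 permit ... any` never exempted traffic from PBR until they were renumbered to 181-184. The Python sketch below flags such contradicted entries in `show access-list` output; the function names are hypothetical, the "before" sample is trimmed from the output above, the "after" sample is constructed from the commands shown, and only `ip` entries with contiguous wildcard masks are handled.

```python
import ipaddress
import re

# Trimmed from the PolicyRoute_100 output posted in the thread (before the fix).
SAMPLE_BEFORE = """\
Extended IP access list PolicyRoute_100
    180 deny ip 192.168.0.0 0.0.0.255 192.168.202.0 0.0.0.255 log (2292 matches)
    190 permit ip 192.168.0.0 0.0.0.255 any (4427173709 matches)
    200 deny ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255 log
    210 deny ip 192.168.0.0 0.0.0.255 172.16.102.0 0.0.0.255
    220 deny ip 192.168.0.0 0.0.0.255 10.10.5.0 0.0.0.255
    230 deny ip 192.168.0.0 0.0.0.255 10.100.10.0 0.0.0.255
"""
# Constructed: what the same entries look like once re-entered at 181-184.
SAMPLE_AFTER = """\
Extended IP access list PolicyRoute_100
    180 deny ip 192.168.0.0 0.0.0.255 192.168.202.0 0.0.0.255 log
    181 deny ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255 log
    182 deny ip 192.168.0.0 0.0.0.255 172.16.102.0 0.0.0.255
    183 deny ip 192.168.0.0 0.0.0.255 10.10.5.0 0.0.0.255
    184 deny ip 192.168.0.0 0.0.0.255 10.100.10.0 0.0.0.255
    190 permit ip 192.168.0.0 0.0.0.255 any
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\S+)")
ACE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")
COUNTER = re.compile(r"\(\d+ match(?:es)?\)")


def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD')."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":          # all-zero wildcard means a single host
        return ipaddress.ip_network(tok + "/32")
    # ipaddress accepts a host mask (wildcard) after the slash.
    return ipaddress.ip_network(f"{tok}/{wildcard}", strict=False)


def parse_acls(text):
    """Return {acl_name: [(seq, action, src_net, dst_net), ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        if line and not line[0].isspace():
            current = None             # some other list type (standard, IPv6, MAC)
            continue
        ace = ACE.match(line)
        if ace is None or current is None:
            continue                   # tcp/udp entries are out of scope here
        tokens = COUNTER.sub("", ace.group(3)).split()
        try:
            src, dst = _take_addr(tokens), _take_addr(tokens)
        except (ValueError, IndexError):
            continue                   # non-contiguous wildcard or odd syntax
        current.append((int(ace.group(1)), ace.group(2), src, dst))
    return acls


def find_shadowed(acls):
    """List (acl, seq, decided_by_seq) where an earlier entry with the
    opposite action already matches everything the later entry matches."""
    findings = []
    for name, aces in acls.items():
        ordered = sorted(aces)
        for i, (seq, action, src, dst) in enumerate(ordered):
            for p_seq, p_action, p_src, p_dst in ordered[:i]:
                if src.subnet_of(p_src) and dst.subnet_of(p_dst):
                    if p_action != action:
                        findings.append((name, seq, p_seq))
                    break              # first covering entry decides
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, find_shadowed(parse_acls(sample)))
```
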

Thank you for the clarification that the issue about 10.100.10.0 was that there was no active device on that vlan and that when you do connect something in that vlan that then the subnet is advertised. It was a good test to try with a static route but it is not needed. 

 

So the real issue was the PBR being applied to traffic for the remote. Changing the acl to deny that traffic is the appropriate solution to the problem. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This was a subtle problem and quite interesting. I believe that other participants will benefit from this discussion. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick

It only learns the route when I place a machine on that subnet. A static route was not really needed, but I was willing to test the issue.

