Cannot Remove no ip redirects statement from VLAN

Tom Kohnen
Level 1

I have HSRP set up on two Cisco 4510 switches (VLAN 199).   I can only ping one of the physical IP addresses (.2), while the other (.3) returns a Destination net unreachable.  The vlan has no ip redirects on it and I cannot seem to get that to go away.  I have tried and it remains there.  Just not sure where the issue is as I only have this problem on this particular VLAN at this particular site.  All my other sites allow me to ping both physical HSRP IP Addresses.

Below is my vlan setup, the sh standby vlan 199 and sh standby brief statements from these switches.  Any help would be greatly appreciated.

Switch-02#sh run int vlan 199
Building configuration...

Current configuration : 260 bytes
!
interface Vlan199
 description Unauthenticated VLAN
 ip address 10.2.199.3 255.255.255.0
 ip access-group Guest_Access_10.30.199.0 in
 ip helper-address 10.2.170.30
 no ip redirects
 standby 1 ip 10.2.199.1
 standby 1 priority 250
 standby 1 preempt


Swith-02#sh standby vlan 199
Vlan199 - Group 1
  State is Active
    17 state changes, last state change 4d13h
  Virtual IP address is 10.2.199.1
  Active virtual MAC address is 0000.0c07.ac01 (MAC In Use)
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.432 secs
  Preemption enabled
  Active router is local
  Standby router is 10.2.199.2, priority 150 (expires in 9.264 sec)
  Priority 250 (configured 250)
  Group name is "hsrp-Vl199-1" (default)

sh standby brief:

Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl199       1    250 P Active  local           10.2.199.2      10.2.199.1

Switch-01#sh run int vlan 199
Building configuration...

Current configuration : 241 bytes
!
interface Vlan199
 description Unauthenticated VLAN
 ip address 10.2.199.2 255.255.255.0
 ip access-group Guest_Access_10.30.199.0 in
 ip helper-address 10.2.170.30
 no ip redirects
 standby 1 ip 10.2.199.1
 standby 1 priority 150


Switch-01#sh standby vlan 199
Vlan199 - Group 1
  State is Standby
    12 state changes, last state change 4d13h
  Virtual IP address is 10.2.199.1
  Active virtual MAC address is 0000.0c07.ac01 (MAC Not In Use)
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.128 secs
  Preemption disabled
  Active router is 10.2.199.3, priority 250 (expires in 8.432 sec)
  Standby router is local
  Priority 150 (configured 150)
  Group name is "hsrp-Vl199-1" (default)

sh standby brief:

Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl199       1    150   Standby 10.2.199.3      local           10.2.199.1

6 Replies

Reza Sharifi
Hall of Fame

Have you tried removing "ip access-group Guest_Access_10.30.199.0 in" and test again?

HTH

Reza,

Yes.  If I remove the Access-Group off of Switch-02, then the replies start working.  I have the same access list on other switches and everything seems to work just fine.  Here is the Access-List:

    10 permit esp any any
    20 permit udp any any eq 1985 
    30 permit udp any any eq bootpc
    40 permit udp any any eq bootps
    50 permit tcp any host x.x.x.x eq 8443
    60 permit tcp any host x.x.x.x eq 8443
    70 permit udp 10.2.199.0 0.0.0.255 host x.x.x.x eq domain
    80 permit udp 10.2.199.0 0.0.0.255 host x.x.x.x eq domain
    90 permit udp 10.2.199.0 0.0.0.255 host x.x.x.x eq domain
    100 permit udp 10.2.199.0 0.0.0.255 host x.x.x.x eq domain
    110 permit udp 10.2.199.0 0.0.0.255 host x.x.x.x eq domain
    120 permit udp 10.2.199.0 0.0.0.255 host x.x.x.x eq domain
    130 permit udp 10.2.199.0 0.0.0.255 host x.x.x.x eq domain
    140 deny ip any x.x.x.x 0.16.255.255
    150 deny ip any x.x.x.x 0.0.255.255
    160 deny ip any x.x.x.x.255.255.255
    170 deny ip any x.x.x.x 0.0.0.255
    180 permit ip any any

If removing the access-group resolves the issue, then the problem has to be with one of the deny statements in your access-list.  Can you compare both access-lists from both switches and see if there is a difference?

Reza,

That's what I thought as well and both ACLs are exactly the same.   I even added the permit ip 10.2.199.0 0.0.0.255 10.2.199.0 0.0.0.255 statement hoping it would resolve the issue.  This VLAN is used for Cisco ISE, so that is why the Access-List is applied here. I have the same configuration at my other building and I can ping both physical addresses of the VLAN just fine.

Other Building Access List:

    10 permit esp any any
    20 permit udp any any eq 1985 
    30 permit udp any any eq bootpc 
    40 permit udp any any eq bootps 
    50 permit tcp any host x.x.x.x eq 8443
    60 permit tcp any host x.x.x.x eq 8443
    70 permit udp 10.1.199.0 0.0.0.255 host x.x.x.x eq domain
    80 permit udp 10.1.199.0 0.0.0.255 host x.x.x.x eq domain
    90 permit udp 10.1.199.0 0.0.0.255 host x.x.x.x eq domain
    100 permit udp 10.1.199.0 0.0.0.255 host x.x.x.x eq domain
    110 permit udp 10.1.199.0 0.0.0.255 host x.x.x.x eq domain
    120 permit udp 10.1.199.0 0.0.0.255 host x.x.x.x eq domain
    130 deny ip any x.x.x.x 0.16.255.255
    150 permit ip 10.1.199.0 0.0.0.255 10.1.199.0 0.0.0.255
    160 deny ip any x.x.x.x 0.255.255.255
    170 deny ip any x.x.x.x 0.0.0.255
    180 permit ip any any

I am just dumbfounded as to why I cannot ping this IP address unless I remove the Access-List from the VLAN or shut down the .2 interface.

Hi Tom,

130 deny ip any x.x.x.x 0.16.255.255

I think this is an invalid w/card mask.
Maybe it should be

130 deny ip any x.x.x.x 0.15.255.255

Also, you cannot enable ip redirects on an interface that is running HSRP.

http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html#topic1

ICMP Redirects

HSRP peer routers that protect a subnet are able to provide access to all other subnets in the network. This is the basis of HSRP. Therefore, which router becomes the active HSRP router is irrelevant. In Cisco IOS software releases earlier than Cisco IOS Software Release 12.1(3)T, ICMP redirects are automatically disabled on an interface when HSRP is used on that interface. Without this configuration, the hosts can be redirected away from the HSRP virtual IP address and toward an interface IP and MAC address of a single router. Redundancy is lost.

Cisco IOS Software Release 12.1(3)T introduces a method to allow ICMP redirects with HSRP. This method filters outbound ICMP redirect messages through HSRP. The next hop IP address is changed to an HSRP virtual address. The gateway IP address in the outbound ICMP redirect message is compared to a list of HSRP active routers that are present on that network. If the router that corresponds to the gateway IP address is an active router for an HSRP group, the gateway IP address is replaced with that group virtual IP address. This solution allows hosts to learn optimal routes to remote networks and, at the same time, maintain the resilience that HSRP provides.


Regards
Alex
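To make the wildcard-mask point above concrete, here is an added Python example (not from the thread or from Cisco) that applies IOS wildcard-mask matching to the two deny lines under discussion. 172.16.0.0 is a constructed stand-in for the redacted x.x.x.x, and 10.2.199.50 a constructed source host; the example shows that 0.16.255.255 is non-contiguous and matches two disjoint /16 blocks, whereas 0.15.255.255 covers the contiguous /12.

```python
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    w = _ip(wildcard)
    return (_ip(addr) & ~w & 0xFFFFFFFF) == (_ip(base) & ~w & 0xFFFFFFFF)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1, i.e. equivalent to a prefix length."""
    w = _ip(wildcard)
    return (w & (w + 1)) == 0  # 0.15.255.255 -> /12; 0.16.255.255 -> not contiguous


def matching_slash16s(base: str, wildcard: str) -> list[str]:
    """List the /16 blocks an entry matches (wildcard must end in .255.255)."""
    w = _ip(wildcard)
    assert w & 0xFFFF == 0xFFFF, "low 16 bits must all be wildcarded"
    hi_w, hi_b = w >> 16, _ip(base) >> 16
    return [f"{ipaddress.IPv4Address(hi << 16)}/16"
            for hi in range(1 << 16)
            if (hi & ~hi_w & 0xFFFF) == (hi_b & ~hi_w & 0xFFFF)]


def first_match(acl, src: str, dst: str) -> str:
    """Ordered (action, src_base, src_wc, dst_base, dst_wc) entries;
    first match wins, with the implicit deny at the end."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
# Constructed stand-in for the thread's redacted x.x.x.x: 172.16.0.0.
ACL_AS_POSTED = [("deny", *ANY, "172.16.0.0", "0.16.255.255"), ("permit", *ANY, *ANY)]
ACL_INTENDED = [("deny", *ANY, "172.16.0.0", "0.15.255.255"), ("permit", *ANY, *ANY)]

if __name__ == "__main__":
    for wc in ("0.16.255.255", "0.15.255.255"):
        blocks = matching_slash16s("172.16.0.0", wc)
        print(wc, "contiguous" if is_contiguous(wc) else "NON-contiguous",
              len(blocks), "blocks, e.g.", blocks[:2])
    for dst in ("172.20.1.1", "172.0.1.1"):
        print(dst, "as posted:", first_match(ACL_AS_POSTED, "10.2.199.50", dst),
              "| intended:", first_match(ACL_INTENDED, "10.2.199.50", dst))
```

The non-contiguous mask quietly permits 172.17.0.0 through 172.31.0.0 while denying 172.0.0.0/16, which is the kind of surprise to look for when an ACL behaves differently from an "identical" one elsewhere.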

brogers
Level 1

Tom,

I know this is a few months old, but thought I would reply anyway. If you are just trying to remove the "no ip redirects" from the VLAN 199 interface, then just run the commands below.

  • configure terminal
  • interface vlan 199
  • ip redirects
  • end
  • copy running-config startup-config

Now if you look at the configuration of the VLAN's interface, the "no ip redirects" command will no longer appear.