Solved: intervlan routing with multiple gateways

kaarthik sr · ‎02-16-2013

Greetings,

We have two Cisco 5505 firewalls connecting to two ISP's . The two internal LAN's on the firewalls are 192.168.184.0/24 &

192.168.186.0/24. We also have a Cisco C3560x layer3 switch with vlan interfaces 184.3 & 186.3. We have two DGS-3100 Dlink layer 2 switches connecting our users to the Layer 3. Ip routing is enabled for intervlan communication & I can reach the Switch interfaces & firewall gateways from machines on both on the vlans.

We have pbr enabled on the 3560 & users only on the .186 network can get to the internet. The switch is running the ipservices license & the sdm template is "desktop routing" .

Here is the problem,

Users on the .184 cannot access the internet but we can ping the layer3 interface & the firewall gateway. Please Help!!

Here is the switch configuration,

version 15.0

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname xyz

!

boot-start-marker

boot-end-marker

!

no aaa new-model

system mtu routing 1500

ip routing

!

crypto pki trustpoint TP-self-signed-325924480

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-325924480

revocation-check none

rsakeypair TP-self-signed-325924480

!

license boot level ipservices

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface FastEthernet0

no ip address

no ip route-cache

!

interface GigabitEthernet0/1

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/2

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/3

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/4

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/5

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/6

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/7

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/8

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/9

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/10

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/11

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/12

switchport access vlan 184

switchport mode access

!

interface GigabitEthernet0/13

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/14

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/15

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/16

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/17

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/18

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/19

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/20

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/21

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/22

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet0/23

switchport access vlan 186

switchport mode access

!

interface GigabitEthernet0/24

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet1/1

!

interface GigabitEthernet1/2

!

interface GigabitEthernet1/3

!

interface GigabitEthernet1/4

!

interface TenGigabitEthernet1/1

!

interface TenGigabitEthernet1/2

!

interface Vlan1

no ip address

!

interface Vlan184

description "184 Vlan"

ip address 192.168.184.3 255.255.255.0

!

interface Vlan186

description "186 Vlan"

ip address 192.168.186.3 255.255.255.0

!

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.184.1

ip route 0.0.0.0 0.0.0.0 192.168.186.1

!

access-list 160 permit ip 192.168.184.0 0.0.0.255 any

access-list 170 permit ip 192.168.186.0 0.0.0.255 any

!

route-map Tata permit 160

match ip address 160

set ip default next-hop 192.168.184.1

!

route-map Aircell permit 170

match ip address 170

set ip default next-hop 192.168.186.1

!

line con 0

line vty 0 4

login

line vty 5 15

login

!

end

jawad-mukhtar · ‎02-19-2013

access-list 190 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255

access-list 190 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3

access-list 190 permit ip 192.168.184.0 0.0.0.255 any

access-list 180 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255

access-list 180 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3

access-list 180 permit ip 192.168.186.0 0.0.0.255 any

!

route-map Tata permit 190

match ip address 190

set ip next-hop 192.168.184.1

!

route-map Aircell permit 180

match ip address 180

set ip next-hop 192.168.186.1

Jawad

View solution in original post

paul driver · ‎02-16-2013

Hello,

Can you ping the internet from the 3560 sourced from the svi of 184?

res

Paul

Please don't forget to rate this post if it has been helpful.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

kaarthik sr · ‎02-17-2013

Thanks for replying Paul .We can't reach the internet from the 3560 now. We are running the 15.0.2 SE(1) release.

milan.kulik · ‎02-17-2013

Hi,

I don't see in your config where the PBR is applied?

Also, which route-map is used for it?

IMHO, you would need one common route-map, not two?!

HTH,

Milan

kaarthik sr · ‎02-17-2013

The SDM template is desktop routing & that is hardware based on the switch. To my understanding it doesnt get displayed in "sh run". The route map for the next hop as gateway is applied on both the SVI's. Is there a way you could suggest for the switch to route traffic to two gateways based on the source Vlans?

Thanks.

milan.kulik · ‎02-17-2013

I don't see the route map for the next hop as gateway applied on both the SVI's.

What does

show ip policy

command display on your switch?

IMHO, you need to add

interface Vlan184

ip policy route-map Tata

!

interface Vlan186

ip policy route-map Aircell

to your config.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swiprout.html#wp1392257

for details.

HTH,

Milan

jawad-mukhtar · ‎02-17-2013

Hi Please Remove Default Routes

Your Route Map is doing that work for you

route-map Tata permit 160

match ip address 160

set ip next-hop 192.168.184.1

!

route-map Aircell permit 170

match ip address 170

set ip next-hop 192.168.186.1

Apply Both Route-Map to ur SVI

Jawad

kaarthik sr · ‎02-17-2013

I couldnt find anything on sh ip policy. That was bad because I remember entering the command & it gave a "

PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map [chars] not supported for Policy-Based Routing " message. I checked this link -

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_14_ea1/system/message/msg_desc.html

* It turns out only the

route-map Tata permit 160 & set ip next-hop 192.168.184.1 needs to be entered.

I removed the match command & applied the policy route-map to the interface

& the message did not turn up. The policy is now shown under sh ip policy.
I am about to test the config tomorrow. I ll have everyone posted.Thanks for the support guys.

kaarthik sr · ‎02-18-2013

We had the route-map enabled & tied to the .184 & .186 interfaces. Now, we cant reach across Intervlan .I cant even reach the SVI .184.3 & 186.3 from the machines on their respective LAN. However I can ping 4.2.2.2 & the tracert shows it is going through the SVI. What am i doing wrong?

Thanks

kaarthik sr · ‎02-18-2013

PS: I created a new vlan 187 & tied a machine to it. I can ping from the 187 machine to the other vlans(184 & 186). So I am guessing it has something to do with the route-map. Please help.

jawad-mukhtar · ‎02-18-2013

access-list 160 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255

access-list 160 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3

access-list 160 permit ip 192.168.184.0 0.0.0.255 any

access-list 170 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255

access-list 170 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.0

access-list 170 permit ip 192.168.186.0 0.0.0.255 any

Do Rate IT...

Jawad

jawad-mukhtar · ‎02-18-2013

access-list 160 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255

access-list 160 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3

access-list 160 permit ip 192.168.184.0 0.0.0.255 any

access-list 170 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255

access-list 170 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3

access-list 170 permit ip 192.168.186.0 0.0.0.255 any

Do Rate Helpful posts...

Jawad

kaarthik sr · ‎02-18-2013

Thanks Jawad. The access-lists did not help. With the ACL's applied , I cant reach the SVI or get intervlan but can get to the internet. With the policy/route-map removed, I can reach the SVI/intervlan but cant get to the internet.

jawad-mukhtar · ‎02-18-2013

Dear It Should Work. Are u getting any hits on your route-maps.

also post input of following command

show sdm prefer

Wat Typoe Lic are u using on 3560x

Jawad

kaarthik sr · ‎02-19-2013

Yes, I have hits on the route-maps. We have the evaluation license of ipservices running . Could that be a problem?

#sh sdm prefer

The current template is "desktop routing" template.

The selected template optimizes the resources in

the switch to support this level of features for

8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 3K

number of IPv4 IGMP groups + multicast routes: 1K

number of IPv4 unicast routes: 10.875k

number of directly-connected IPv4 hosts: 3K

number of indirect IPv4 routes: 7.875k

number of IPv6 multicast groups: 64

number of directly-connected IPv6 addresses: 0

number of indirect IPv6 unicast routes: 32

number of IPv4 policy based routing aces: 0.5K

number of IPv4/MAC qos aces: 0.375k

number of IPv4/MAC security aces: 0.875k

number of IPv6 policy based routing aces: 0

number of IPv6 qos aces: 0

number of IPv6 security aces: 58