02-16-2013 10:43 AM - edited 03-07-2019 11:44 AM
Greetings,
We have two Cisco 5505 firewalls connecting to two ISPs. The two internal LANs on the firewalls are 192.168.184.0/24 & 192.168.186.0/24. We also have a Cisco C3560X layer 3 switch with VLAN interfaces 184.3 & 186.3. We have two D-Link DGS-3100 layer 2 switches connecting our users to the layer 3. IP routing is enabled for inter-VLAN communication & I can reach the switch interfaces & firewall gateways from machines on both of the VLANs.
We have PBR enabled on the 3560 & only users on the .186 network can get to the internet. The switch is running the ipservices license & the SDM template is "desktop routing".
Here is the problem:
Users on the .184 cannot access the internet but we can ping the layer 3 interface & the firewall gateway. Please help!!
Here is the switch configuration:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xyz
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
!
!
!
crypto pki trustpoint TP-self-signed-325924480
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-325924480
revocation-check none
rsakeypair TP-self-signed-325924480
!
!
license boot level ipservices
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface GigabitEthernet0/1
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 184
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/18
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/19
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/20
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/21
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/23
switchport access vlan 186
switchport mode access
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
no ip address
!
interface Vlan184
description "184 Vlan"
ip address 192.168.184.3 255.255.255.0
!
interface Vlan186
description "186 Vlan"
ip address 192.168.186.3 255.255.255.0
!
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.184.1
ip route 0.0.0.0 0.0.0.0 192.168.186.1
!
access-list 160 permit ip 192.168.184.0 0.0.0.255 any
access-list 170 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 160
match ip address 160
set ip default next-hop 192.168.184.1
!
route-map Aircell permit 170
match ip address 170
set ip default next-hop 192.168.186.1
!
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
Accepted Solutions
02-19-2013 01:05 AM
access-list 190 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 190 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 190 permit ip 192.168.184.0 0.0.0.255 any
access-list 180 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 180 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 180 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 190
match ip address 190
set ip next-hop 192.168.184.1
!
route-map Aircell permit 180
match ip address 180
set ip next-hop 192.168.186.1
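As an added example (not code from this thread), the Python model below shows why the accepted ACLs 190/180 work where the original `permit ... any` ACL 160 did not; it also covers the identical ACLs 160/170 posted on 02-18. It assumes the IOS behaviour that a packet hitting a deny ACE (or no ACE) in a route-map's match ACL is not policy-routed and falls through to normal routing; the hosts 192.168.184.10, 192.168.186.20 and the destination 4.2.2.2 are constructed.

```python
import ipaddress

# Model of how a PBR route-map's "match ip address" ACL decides which packets
# leave via the policy next-hop (constructed example, not the thread's own code).
# Assumed IOS semantics: a packet that hits a deny ACE, or no ACE at all, is not
# policy-routed and falls through to the normal routing table.
ACL_160_ORIGINAL = [("permit", "192.168.184.0/24", "any")]
ACL_190_ACCEPTED = [
    ("deny", "192.168.184.0/24", "192.168.186.0/24"),   # keep inter-VLAN traffic local
    ("deny", "192.168.184.0/24", "192.168.184.3/32"),   # keep the SVI reachable
    ("permit", "192.168.184.0/24", "any"),              # everything else -> ISP
]
POLICY_NEXT_HOP = "192.168.184.1"          # set ip next-hop in route-map Tata
SVI_ADDRESSES = {"192.168.184.3", "192.168.186.3"}
CONNECTED = ["192.168.184.0/24", "192.168.186.0/24"]

def in_net(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, d in acl:
        if in_net(src, s) and in_net(dst, d):
            return action
    return "deny"

def forward(acl, src, dst):
    """Where the switch sends a packet arriving on an SVI under this PBR ACL."""
    if acl_action(acl, src, dst) == "permit":
        return "policy:" + POLICY_NEXT_HOP   # PBR bypasses the routing table
    if dst in SVI_ADDRESSES:
        return "local"                       # delivered to the switch itself
    for net in CONNECTED:
        if in_net(dst, net):
            return "connected:" + net        # normal inter-VLAN routing
    return "default"                         # ip route 0.0.0.0 0.0.0.0 ...

def compare(src, dst):
    """(original ACL 160 result, accepted ACL 190 result) for one flow."""
    return forward(ACL_160_ORIGINAL, src, dst), forward(ACL_190_ACCEPTED, src, dst)

if __name__ == "__main__":
    for dst in ("4.2.2.2", "192.168.186.20", "192.168.184.3"):
        print(dst, compare("192.168.184.10", dst))
```

With ACL 160, every packet from VLAN 184, including pings to the other VLAN and to the SVI itself, is handed to the ISP next-hop, which is exactly the symptom reported further down the thread.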
02-16-2013 12:58 PM
Hello,
Can you ping the internet from the 3560 sourced from the svi of 184?
Regards,
Paul
02-17-2013 03:24 AM
Thanks for replying, Paul. We can't reach the internet from the 3560 now. We are running the 15.0.2 SE(1) release.
02-17-2013 03:52 AM
Hi,
I don't see in your config where the PBR is applied?
Also, which route-map is used for it?
IMHO, you would need one common route-map, not two?!
HTH,
Milan
02-17-2013 05:16 AM
The SDM template is desktop routing & that is hardware-based on the switch. To my understanding it doesn't get displayed in "sh run". The route-map for the next hop as gateway is applied on both the SVIs. Is there a way you could suggest for the switch to route traffic to two gateways based on the source VLANs?
Thanks.
02-17-2013 06:18 AM
I don't see the route-map for the next hop as gateway applied on both the SVIs.
What does the
show ip policy
command display on your switch?
IMHO, you need to add
interface Vlan184
ip policy route-map Tata
!
interface Vlan186
ip policy route-map Aircell
to your config.
See
for details.
HTH,
Milan
02-17-2013 07:36 AM
Hi, please remove the default routes.
Your route-map is doing that work for you:
route-map Tata permit 160
match ip address 160
set ip next-hop 192.168.184.1
!
route-map Aircell permit 170
match ip address 170
set ip next-hop 192.168.186.1
Apply both route-maps to your SVIs.
02-17-2013 08:27 AM
I couldn't find anything in sh ip policy. That was bad because I remember entering the command & it gave a "PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map [chars] not supported for Policy-Based Routing" message. I checked this link; it turns out only the
route-map Tata permit 160 & set ip next-hop 192.168.184.1 needs to be entered.
I removed the match command & applied the policy route-map to the interface & the message did not turn up. The policy is now shown under sh ip policy.
I am about to test the config tomorrow. I'll keep everyone posted. Thanks for the support, guys.
02-18-2013 10:45 AM
We had the route-map enabled & tied to the .184 & .186 interfaces. Now we can't reach across inter-VLAN. I can't even reach the SVIs .184.3 & .186.3 from the machines on their respective LANs. However, I can ping 4.2.2.2 & the tracert shows it is going through the SVI. What am I doing wrong?
Thanks
02-18-2013 10:47 AM
PS: I created a new VLAN 187 & tied a machine to it. I can ping from the 187 machine to the other VLANs (184 & 186). So I am guessing it has something to do with the route-map. Please help.
02-18-2013 11:30 AM
access-list 160 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 160 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 160 permit ip 192.168.184.0 0.0.0.255 any
access-list 170 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 170 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 170 permit ip 192.168.186.0 0.0.0.255 any
02-18-2013 11:34 AM
access-list 160 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 160 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 160 permit ip 192.168.184.0 0.0.0.255 any
access-list 170 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 170 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 170 permit ip 192.168.186.0 0.0.0.255 any
02-18-2013 03:29 PM
Thanks Jawad. The access-lists did not help. With the ACLs applied, I can't reach the SVI or get inter-VLAN but can get to the internet. With the policy/route-map removed, I can reach the SVI/inter-VLAN but can't get to the internet.
02-18-2013 11:18 PM
Dear, it should work. Are you getting any hits on your route-maps?
Also post the output of the following command:
show sdm prefer
What type of license are you using on the 3560X?
02-19-2013 12:07 AM
Yes, I have hits on the route-maps. We have the evaluation license of ipservices running. Could that be a problem?
#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 10.875k
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 7.875k
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.375k
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 58
