intervlan routing with multiple gateways

kaarthik sr
Level 1

Greetings,

We have two Cisco 5505 firewalls connecting to two ISPs. The two internal LANs on the firewalls are 192.168.184.0/24 & 192.168.186.0/24. We also have a Cisco C3560x layer 3 switch with VLAN interfaces 184.3 & 186.3. We have two DGS-3100 D-Link layer 2 switches connecting our users to the layer 3. IP routing is enabled for inter-VLAN communication & I can reach the switch interfaces & firewall gateways from machines on both VLANs.

We have PBR enabled on the 3560 & users only on the .186 network can get to the internet. The switch is running the ipservices license & the SDM template is "desktop routing".

Here is the problem,

Users on the .184 cannot access the internet but we can ping the layer 3 interface & the firewall gateway. Please help!!

Here is the switch configuration,

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xyz
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
!
!
!
crypto pki trustpoint TP-self-signed-325924480
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-325924480
 revocation-check none
 rsakeypair TP-self-signed-325924480
!
!
license boot level ipservices
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/1
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/11
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/12
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/17
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/18
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/19
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/20
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/21
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/23
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 no ip address
!
interface Vlan184
 description "184 Vlan"
 ip address 192.168.184.3 255.255.255.0
!
interface Vlan186
 description "186 Vlan"
 ip address 192.168.186.3 255.255.255.0
!
!
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.184.1
ip route 0.0.0.0 0.0.0.0 192.168.186.1
!
access-list 160 permit ip 192.168.184.0 0.0.0.255 any
access-list 170 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 160
 match ip address 160
 set ip default next-hop 192.168.184.1
!
route-map Aircell permit 170
 match ip address 170
 set ip default next-hop 192.168.186.1
!
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

20 Replies

Post your recent config with the access list that I told you.

Show running

Jawad

!
boot-start-marker
boot-end-marker
!
!
enable password
!
no aaa new-model
system mtu routing 1500
ip routing
!
!
!
!
!
crypto pki trustpoint TP-self-signed-325924480
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-325924480
 revocation-check none
 rsakeypair TP-self-signed-325924480
!
!
crypto pki certificate chain TP-self-signed-325924480
 certificate self-signed 01


        quit
license boot level ipservices
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet0/1
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/8
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/9
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/10
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/11
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/12
 switchport access vlan 184
 switchport mode access
!
interface GigabitEthernet0/13
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/16
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/17
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/18
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/19
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/20
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/21
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/22
 switchport access vlan 186
 switchport mode access
!
interface GigabitEthernet0/23
 switchport access vlan 187
 switchport mode access
!
interface GigabitEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 no ip address
!
interface Vlan184
 ip address 192.168.184.3 255.255.255.0
 no ip route-cache
 ip policy route-map Tata
!
interface Vlan186
 ip address 192.168.186.3 255.255.255.0
 no ip route-cache
 ip policy route-map Aircell
!
interface Vlan187
 ip address 192.168.187.3 255.255.255.0
!
!
ip http server
ip http secure-server
!
!
access-list 190 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 190 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 190 permit ip 192.168.184.0 0.0.0.255 any
access-list 180 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 180 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 180 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 190
 set ip next-hop 192.168.184.1
!
route-map Aircell permit 180
 set ip next-hop 192.168.186.1
!
!
!
!
line con 0
line vty 0 4
 password
 login
line vty 5 15
 login
!
end

Hi,

I never configured PBR on this platform.

Just guessing:

Why is there

interface Vlan184
 no ip route-cache

configured?

I'd enable it and even try

ip route-cache policy

possibly?

It's also recommended:

Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address.

See http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swiprout.html#wp1228588 for details.

What does the show ip policy command display on your switch?

HTH,

Milan

access-list 190 deny ip 192.168.184.0 0.0.0.255 192.168.186.0 0.0.0.255
access-list 190 deny ip 192.168.184.0 0.0.0.255 host 192.168.184.3
access-list 190 permit ip 192.168.184.0 0.0.0.255 any
access-list 180 deny ip 192.168.186.0 0.0.0.255 192.168.184.0 0.0.0.255
access-list 180 deny ip 192.168.186.0 0.0.0.255 host 192.168.186.3
access-list 180 permit ip 192.168.186.0 0.0.0.255 any
!
route-map Tata permit 190
 match ip address 190
 set ip next-hop 192.168.184.1
!
route-map Aircell permit 180
 match ip address 180
 set ip next-hop 192.168.186.1

Jawad

You haven't called the access list in your route map.

Check with the above configuration.

Jawad
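As an added example (not code from the thread), a short Python model of the lookup Jawad's corrected route-map performs: the deny ACEs keep inter-VLAN traffic and traffic to the SVI on the normal routing table, while the earlier version with no match clause policy-routed every packet to the firewall. The first-match ACL semantics and the sample hosts 192.168.184.20, 192.168.186.50 and 203.0.113.10 are assumptions constructed for the example.

```python
import ipaddress

# Added example, not code from the thread: a minimal model of how the 3560
# evaluates Jawad's corrected route-map. Modelled semantics (assumption):
# ACEs are checked top-down; a deny ACE, or no matching ACE, means the packet
# is not policy-routed and falls back to the normal routing table.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(acl, src, dst):
    """First matching ACE wins; None means implicit deny at end of the ACL."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return None

def pbr_next_hop(route_map, src, dst):
    """Return the next-hop PBR forces, or None for normal routing.
    A route-map sequence with no 'match ip address' (acl=None) matches
    every packet, which is what the earlier, broken config did."""
    for acl, next_hop in route_map:
        if acl is None or acl_action(acl, src, dst) == "permit":
            return next_hop
    return None

ANY = ("0.0.0.0", "255.255.255.255")
# ACL 190 as posted: exempt inter-VLAN traffic and traffic to the SVI itself.
ACL_190 = [
    ("deny",   "192.168.184.0", "0.0.0.255", "192.168.186.0", "0.0.0.255"),
    ("deny",   "192.168.184.0", "0.0.0.255", "192.168.184.3", "0.0.0.0"),
    ("permit", "192.168.184.0", "0.0.0.255", *ANY),
]
TATA_FIXED = [(ACL_190, "192.168.184.1")]  # route-map Tata, match ip address 190
TATA_BROKEN = [(None, "192.168.184.1")]    # earlier version without the match

def classify(route_map, src, dst):
    nh = pbr_next_hop(route_map, src, dst)
    return f"policy-route via {nh}" if nh else "normal routing table"

if __name__ == "__main__":
    host = "192.168.184.20"  # constructed sample host on VLAN 184
    # constructed destinations: internet host (TEST-NET-3), VLAN 186 host, the SVI
    for dst in ("203.0.113.10", "192.168.186.50", "192.168.184.3"):
        print(f"{dst:15} fixed: {classify(TATA_FIXED, host, dst):30}"
              f" broken: {classify(TATA_BROKEN, host, dst)}")
```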

Mr. Jawad, that was amazing. We have it working now. Thanks again.
