Cisco 3550 - IP policy Routing

IPsec88 asked:
Hi everyone,
I have a problem that really freaked me out.
It's related to IP policy routing on a Cisco 3550.
We have 4 3Com switches which are connected to our Cisco 3550 (trunk links).
I've created 4 VLANs and their appropriate interface VLANs on the C3550. I've configured the C3550 as the DHCP server too (DHCP network range: 192.168.200.0).
The default route for the C3550 is to our 3570 switch (c3570 192.168.53.129), and from there it goes to the Internet.
We have a LAN manager which NATs the invalid IP addresses to give them Internet access; it has 2 interfaces connected to the C3550 (1 interface has a valid IP and the other an invalid IP (192.168.199.2)).

I want the traffic related to those clients which get an IP address from the C3550 DHCP to go to the LAN manager, so I use a route map and IP policy, but when I set the IP policy on the interface VLAN the clients aren't able to ping the default gateway anymore.

              Trunk
3com --------->
3com --------->
3com --------->                         Default route to
3com ---------> CISCO 3550 -----------------------> c3570 192.168.53.129----- > Core Router ----> Internet
                               |  |
                               |  | Vlan 205
                               |  |
                               |  |
                  LAN Manager

Cisco 3550 configuration:

!

ip dhcp pool Call-Center
   network 192.168.200.0 255.255.255.224
   default-router 192.168.200.1
   netbios-name-server 192.168.199.2
   lease 7
!
ip dhcp pool Technical
   network 192.168.200.64 255.255.255.192
   default-router 192.168.200.65
   netbios-name-server 192.168.199.2
   lease 7
!
ip dhcp pool Commercial
   network 192.168.200.128 255.255.255.192
   default-router 192.168.200.129
   netbios-name-server 192.168.199.2
   lease 7
!
ip dhcp pool Officail
   network 192.168.200.192 255.255.255.192
   default-router 192.168.200.193
   netbios-name-server 192.168.199.2
   lease 7
!
ip dhcp pool Financial
   network 192.168.200.32 255.255.255.224
   default-router 192.168.200.33
   netbios-name-server 192.168.199.2
   lease 7

interface FastEthernet0/3
 description Call Center  //----------------> this port on c3550 is connected to one of the 3com switches
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 spanning-tree portfast
!

interface FastEthernet0/10  //--------------> this port is connected to the LAN Manager's invalid interface
 switchport access vlan 205
 switchport mode access
 no cdp enable
 spanning-tree portfast
!

interface Vlan200
 description Call-Center
 ip address 192.168.200.1 255.255.255.224
 ip policy route-map InternalLAN    //-----------> When I set this command the clients cannot ping 192.168.200.1 anymore
!
interface Vlan201
 description Technical
 ip address 192.168.200.65 255.255.255.192
 ip policy route-map InternalLAN
!
interface Vlan202
 description Commercial
 ip address 192.168.200.129 255.255.255.192
 ip policy route-map InternalLAN
!
interface Vlan203
 description Official
 ip address 192.168.200.193 255.255.255.192
 ip policy route-map InternalLAN
!
interface Vlan204
 description Financial
 ip address 192.168.200.33 255.255.255.224
 ip policy route-map InternalLAN
!
interface Vlan205
 ip address 192.168.199.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.53.129

access-list 150 permit ip 192.168.200.0 0.0.0.255 any

route-map test2 permit 10
 match ip address 150
 set ip next-hop 192.168.198.2


SDM is set to extended-match

c3550#sh sdm prefer
 The current template is the default extended-match template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1K VLANs.

 number of unicast mac addresses:   5K
 number of igmp groups:             1K
 number of qos aces:                1K
 number of security aces:           1K
 number of unicast routes:          4K
 number of multicast routes:        1K


On the 3Com switches, when I put a port in VLAN 200 it gets an IP address from the Cisco DHCP pool and it can ping the default gateway, but when I apply the IP policy on interface VLAN 200 it cannot ping its default gateway (192.168.200.1) anymore.
This scenario is exactly the same as here on the Cisco website: http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00802135d3.shtml

I've changed the port connected to the LAN manager to a routed port, but I had the same problem.
I've also applied the IP policy on VLAN 1 and it didn't work either....

And the Cisco 3550 doesn't support these set commands:

Unsupported Route Map Commands

match length
route-map map-tag deny
set automatic-tag
set dampening half-life reuse suppress max-suppress-time
set default interface
set interface
set ip default next-hop
set ip destination ip-address mask
set ip df
set ip precedence value
set ip qos-group
set tag tag-value
set ip tos
Istvan Kalmar (Head of IT Security Division, Top Expert 2010) commented:
Hi,

You are able to configure VRF-lite, which uses less processing, and you are able to add the LAN manager as the default GW in the VRF!

Maybe this is too obvious, but you're invoking policy route-map InternalLAN, and no such route map exists.

Do you mean for it to say "ip policy route-map test2"?

Author commented:
No, that was my mistake in copy/paste.
The route map is OK; I created 2 route maps, test2 and InternalLAN.

Istvan Kalmar (Head of IT Security Division, Top Expert 2010) commented:
Please upgrade it to an EMI image!

Author commented:
It's already EMI.

Here is sh ver:

System image file is "flash:/c3550-ipservices-mz.122-25.SEB4.bin"
Istvan Kalmar (Head of IT Security Division, Top Expert 2010) commented:
These commands belong to BGP config, not policy routing....

Ok, so the policy map is going to be matched regardless of which subnetwork the packet arrives in.

The Policy changes the Next Hop to 192.168.192.2.  

When using an EXTENDED ACL, the ACL refers to SOURCE and DESTINATION in that order.

So, you're setting it to match the SOURCE, and since all packets on that interface will always MATCH, it will be redirected to next-hop 192.168.192.2, wherever that is, and there's nothing out there to respond to the ping.

If you want them to be able to PING the 3550's interface, you probably need to set the Route Map like this:

access-list 149 permit ip any 192.168.200.1 0.0.0.0
access-list 149 permit ip any 192.168.200.65 0.0.0.0
.... and keep listing all Gateway Addresses in ACL 149...

access-list 150 permit ip 192.168.200.0 0.0.0.255 any

route-map test2 permit 10
 match ip address 149   <---- If destination is the GATEWAY, fall out of the policy.

route-map test2 permit 20
 match ip address 150
 set ip next-hop 192.168.198.2

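The evaluation described above, as an added example that is not code from the thread: a small Python model of how route-map permit sequences are walked with IOS wildcard-mask semantics, comparing the original one-sequence policy against the corrected two-sequence policy. The ACLs, gateways and next-hop come from the configs posted in the thread; the Internet destination 203.0.113.10 is a constructed sample address.

```python
import ipaddress

# "any" in IOS ACL syntax: base 0.0.0.0 with an all-ones wildcard mask.
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def acl_permits(entries, src: str, dst: str) -> bool:
    """Extended ACL: each entry is (src_base, src_wild, dst_base, dst_wild),
    checked SOURCE first, then DESTINATION; any matching permit entry wins."""
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in entries)


def policy_route(route_map, acls, src: str, dst: str):
    """Walk the route-map permit sequences in order. The first sequence whose
    ACL permits the packet decides: return its next-hop, or None when the
    sequence has no 'set' (the packet falls out of PBR and is routed normally).
    No match in any sequence also means normal routing."""
    for acl_number, next_hop in route_map:
        if acl_permits(acls[acl_number], src, dst):
            return next_hop
    return None


# ACLs and SVI gateway addresses as posted in the thread.
GATEWAYS = ["192.168.200.1", "192.168.200.65", "192.168.200.129",
            "192.168.200.193", "192.168.200.33"]
ACLS = {
    149: [ANY + (gw, "0.0.0.0") for gw in GATEWAYS],   # any -> host <gateway>
    150: [("192.168.200.0", "0.0.0.255") + ANY],       # client subnets -> any
}
LAN_MANAGER = "192.168.198.2"   # next-hop exactly as written in the poster's route-map

# Original single-sequence policy vs. the corrected two-sequence policy.
ORIGINAL = [(150, LAN_MANAGER)]
CORRECTED = [(149, None), (150, LAN_MANAGER)]

if __name__ == "__main__":
    client, gateway, internet = "192.168.200.10", "192.168.200.1", "203.0.113.10"  # constructed
    print(policy_route(ORIGINAL, ACLS, client, gateway))    # 192.168.198.2: ping to SVI hijacked
    print(policy_route(CORRECTED, ACLS, client, gateway))   # None: routed normally, ping works
    print(policy_route(CORRECTED, ACLS, client, internet))  # 192.168.198.2: still via LAN manager
```

A source outside 192.168.200.0/24 (for example the LAN manager's 192.168.199.2 side) matches neither ACL and is routed normally under both policies, which is what a quick check of the model against the posted configs should confirm.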

Author commented:
Wow,
exactly right...
I should have understood it before....
Anyway,
thank you, thank you, thank you, Tony.
