Using an access-list to change a default next-hop doesn't seem to match traffic or reroute the traffic.

Hi everyone...

I have traffic with a route map on a Cisco router that I want to redirect to a different default gateway. So we have two subnets and one needs to go to one gateway and the other needs a different one. It was working fine, but I changed some transport vlans and now it doesn't seem to work no matter what I do... Also it seems like the access list is working as I'm getting matches on it and quickly... So this traffic does have to traverse vlan 5 across a trunk to another switch to get to the firewall 192.168.75.254. Previously, the switches didn't have a trunk link and were just connected via an access port on a different vlan. Right now the traffic goes to the standard default gateway of the router which is 10.10.0.3. Thanks for your help!

show access-list
Extended IP access list 101
    10 permit ip 192.168.100.0 0.0.0.255 any (1275192617 matches)

Here is a snippet of the config...  


access-list 101 permit ip 192.168.100.0 0.0.0.255 any
route-map T permit 10
 match ip address 101
 set ip default next-hop 192.168.75.254

interface Vlan300
 description SERVERS2
 ip address 192.168.100.3 255.255.255.0
 no ip redirects
 ip policy route-map T
publicvoid (Director of IT) asked:
 
atlas_shuddered (Sr. Network Engineer) commented:
Also.  Can you build an SVI in vlan 5 with an IP on it?   That would greatly simplify things

If you can then the route maps on both east and west would be built on vlan 300 with next hop set to 192.168.168.11 (TWSTACK vlan 5 SVI) then allow default route to push traffic to the .222 interface (assuming that is the firewall).  No map on TWSTACK
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Couple of things real quick:

access-list 101 permit ip 192.168.100.0 0.0.0.255 any


Remove
any


Second thing, can you run a show ip route 192.168.75.254 and confirm where you are learning this from and what the path is?
0
 
publicvoid (Director of IT, Author) commented:
Sure thing... It won't let me remove any. It errors with incomplete command.

Core#show ip route 192.168.75.254
Routing entry for 192.168.75.0/24
  Known via "static", distance 1, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Vlan5
      Route metric is 0, traffic share count is 1

I have put a manual route for that over vlan5 which is the (transport vlan to the other router) in the config-
ip route 192.168.75.0 255.255.255.0 Vlan5


interface Vlan5
 description TTRANSPORT
 ip address 192.168.168.10 255.255.255.0
0

 
atlas_shuddered (Sr. Network Engineer) commented:
Okay, so one last change:

access-list 101 permit ip 192.168.100.0 0.0.0.255 any
route-map T permit 10
 match ip address 101
 set ip default next-hop 192.168.75.254


on this line:

set ip default next-hop 192.168.75.254


Remove the keyword default

Why you ask?



The set ip default next-hop command verifies the existence of the destination IP in routing table, then:

- if the destination address exists, no policy routing of packet, forwards packet based on the routing table.

- if the destination address does not exist, policy routes the packet by sending to the configured next hop.

The set ip next-hop command verifies the existence of the next hop, then:

- if the next hop exists in routing table, policy routes the packet to the next hop.

- if the next hop does not exist in routing table, the command uses the normal routing table to forward (through default path).

Presently you are getting caught in the flip between the two.  Removal of the default argument should rectify.
0
 
publicvoid (Director of IT, Author) commented:
Unfortunately, that didn't work and created another problem (or just made one surface that didn't show before). I made the changes and it didn't change anything, but then I changed it back and I noticed that I can't ping from one router to anything on another vlan on the other router, but I can ping from hosts connected to that router to hosts on the other router's vlan. So something is screwy.

So router/switch 1-
vlan1 hosts use 192.168.75.X

vlan5 is a transport vlan over fiber connecting the two routers
router1 has 192.168.168.11
router 2 has 192.168.168.10

router 1 has this route:
ip route 192.168.100.0 255.255.255.0 192.168.168.10

router 2 has this route:
ip route 192.168.75.0 255.255.255.0 192.168.168.11

router/switch 2-
vlan300 hosts use 192.168.100.X


I can ping from a host behind router 1 to router 2 and reverse, but when I ping from router 1 to a host behind router 2 it won't work, but the opposite will work.

So everything on the network is working (I turned off the policy route just to make sure it wasn't causing this) except I can't ping or traceroute to a host behind router 2 from router 1.
0
 
publicvoid (Director of IT, Author) commented:
There is actually a third router in the mix as well, but for simplification I just left it out as the other router is the same as router2 and using HSRP to mirror it. I can post configs if needed.
0
 
Stolsie commented:
Hi OP

Can you post full configs router 1 to router 2?
Also, I'm guessing here, but are you using Layer 3 switches?
0
 
publicvoid (Director of IT, Author) commented:
OK, I solved all the other problems that arose; it turns out the third router needed a route back to the transit VLAN on the second router. Not sure exactly why, but it works. Now that still hasn't solved the original problem that the traffic isn't sent to the other gateway. I think I know why, just not how to solve it now. So I did a debug ip policy and saw that the traffic is being matched, but then it is giving me these messages:

-1743189796: Apr  3 12:58:18.008 PDT: IP: s=192.168.100.16 (Vlan300), d=23.196.36.225, len 1500, FIB policy rejected - normal forwarding
-1743189795: Apr  3 12:58:18.008 PDT: IP: s=192.168.100.16 (Vlan300), d=23.196.36.225, len 1500, FIB policy match
-1743189794: Apr  3 12:58:18.012 PDT: CEF-IP-POLICY: fib for address 192.168.75.222 is with flag 0


So the 192 address is the remote gateway. It is two hops away but there is a route to it. I have read that it needs to be on the same network... so is that what flag 0 means?
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Okay, so 192.168.75.254 is not a direct network, there is a transit to get to it?
0
 
publicvoid (Director of IT, Author) commented:
Yes, there is a transit vlan VLAN5 192.168.168.10. That transit vlan is on a different router but the routing tables for the routers are as follows:

Router that the servers are behind that need to use the remote gateway: (WESTCORE)
Gateway of last resort is 10.10.0.3 to network 0.0.0.0

S    192.168.46.0/24 [1/0] via 192.168.168.11
S    192.168.44.0/24 [1/0] via 192.168.168.11
S    192.168.75.0/24 [1/0] via 192.168.168.11
S    192.168.45.0/24 [1/0] via 192.168.168.11
C    192.168.200.0/24 is directly connected, Vlan200
     192.168.4.0/32 is subnetted, 1 subnets
S       192.168.4.254 [1/0] via 10.10.0.3
S    192.168.20.0/24 [1/0] via 192.168.168.11
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C       10.40.0.0/24 is directly connected, Vlan40
C       10.50.0.0/24 is directly connected, Vlan50
C       10.10.0.0/24 is directly connected, Vlan1
C       10.20.0.0/16 is directly connected, Vlan20
C       10.30.0.0/24 is directly connected, Vlan30
C       10.10.201.0/24 is directly connected, Vlan201
C       10.10.254.0/24 is directly connected, Vlan254
C       10.10.13.0/24 is directly connected, Vlan13
C       10.10.1.0/24 is directly connected, Vlan10
C    192.168.1.0/24 is directly connected, Vlan654
S    192.168.168.0/24 [1/0] via 10.10.0.5
C    192.168.100.0/24 is directly connected, Vlan300
S*   0.0.0.0/0 [1/0] via 10.10.0.3

Router that is sitting at the edge between us and the remote router and carries the transit vlan: (EASTCORE)

Gateway of last resort is 10.10.0.3 to network 0.0.0.0

S    192.168.46.0/24 [1/0] via 192.168.168.11
S    192.168.44.0/24 [1/0] via 192.168.168.11
S    192.168.75.0/24 [1/0] via 192.168.168.11
S    192.168.45.0/24 [1/0] via 192.168.168.11
     192.168.4.0/32 is subnetted, 1 subnets
S       192.168.4.254 [1/0] via 10.10.0.3
S    192.168.20.0/24 [1/0] via 192.168.168.11
     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
C       10.10.0.0/24 is directly connected, Vlan1
S       10.10.0.0/16 is directly connected, Vlan1
C       10.10.1.0/24 is directly connected, Vlan10
C       10.10.13.0/24 is directly connected, Vlan13
C       10.30.0.0/24 is directly connected, Vlan30
C       10.20.0.0/16 is directly connected, Vlan20
C       10.40.0.0/24 is directly connected, Vlan40
C       10.50.0.0/24 is directly connected, Vlan50
C       10.10.254.0/24 is directly connected, Vlan254
C    192.168.168.0/24 is directly connected, Vlan5
C    192.168.100.0/24 is directly connected, Vlan300
S*   0.0.0.0/0 [1/0] via 10.10.0.3
EastCore#

and finally the remote router called TSTACK that the remote gateway sits behind...

Gateway of last resort is 192.168.75.222 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.75.222
      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
S        10.10.0.0/24 [1/0] via 192.168.168.10
S        10.10.1.0/24 [1/0] via 192.168.168.10
S        10.20.0.0/16 [1/0] via 192.168.168.10
S        10.30.0.0/24 [1/0] via 192.168.168.10
S        10.40.0.0/24 [1/0] via 192.168.168.10
      172.16.0.0/24 is subnetted, 1 subnets
S        172.16.30.0 [1/0] via 192.168.168.10
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, Vlan20
L        192.168.20.254/32 is directly connected, Vlan20
      192.168.75.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.75.0/24 is directly connected, Vlan1
L        192.168.75.254/32 is directly connected, Vlan1
S     192.168.100.0/24 [1/0] via 192.168.168.10
      192.168.168.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.168.0/24 is directly connected, Vlan5
L        192.168.168.11/32 is directly connected, Vlan5
0
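The rule quoted earlier in the thread (set ip default next-hop applies only when the destination has no explicit route) and the "needs to be on the same network" point from the debug post can be checked against the WESTCORE table posted above. This Python model is an added example, not code from any poster or from Cisco; it is a simplified model that assumes a policy next hop is usable only when its best route is a directly connected network, and all function names are hypothetical.

```python
import ipaddress

# Subset of the WESTCORE table posted above: (prefix, next hop).
# None means "directly connected".
WESTCORE = [
    ("0.0.0.0/0", "10.10.0.3"),
    ("10.10.0.0/24", None),                 # Vlan1
    ("192.168.100.0/24", None),             # Vlan300
    ("192.168.75.0/24", "192.168.168.11"),  # static, via the transit
    ("192.168.168.0/24", "10.10.0.5"),      # static, transit is NOT connected here
]


def lookup(routes, addr):
    """Longest-prefix match. Returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def is_adjacent(routes, next_hop):
    """Assumption of this model: adjacent == best route is a connected one."""
    hit = lookup(routes, next_hop)
    return hit is not None and hit[1] is None


def has_explicit_route(routes, dst):
    """True when something more specific than the default route covers dst."""
    hit = lookup(routes, dst)
    return hit is not None and hit[0].prefixlen > 0


def pbr_decision(routes, dst, next_hop, default=False):
    """Model 'set ip [default] next-hop'. Returns (action, detail)."""
    if default and has_explicit_route(routes, dst):
        return ("normal", "explicit route to destination")
    if not is_adjacent(routes, next_hop):
        return ("normal", "next hop not directly connected")
    return ("policy", next_hop)


def with_connected(routes, prefix):
    """Copy of the table with prefix as a connected network (models a new SVI)."""
    return [r for r in routes if r[0] != prefix] + [(prefix, None)]


def scenarios():
    inet = "23.196.36.225"  # destination from the debug output above
    svi = with_connected(WESTCORE, "192.168.168.0/24")  # SVI in vlan 5 added
    return {
        "posted: default next-hop .75.222":
            pbr_decision(WESTCORE, inet, "192.168.75.222", default=True),
        "posted: next-hop .75.222 (no default)":
            pbr_decision(WESTCORE, inet, "192.168.75.222"),
        "no SVI: next-hop .168.11":
            pbr_decision(WESTCORE, inet, "192.168.168.11"),
        "SVI in vlan 5: next-hop .168.11":
            pbr_decision(svi, inet, "192.168.168.11"),
        "SVI, default keyword, routed destination":
            pbr_decision(svi, "192.168.75.10", "192.168.168.11", default=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:45} -> {result}")
```

The model ignores ARP/CEF state and platform-specific behaviour; on the routers themselves, debug ip policy (as used above) remains the check.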
 
publicvoid (Director of IT, Author) commented:
EastCore has addresses of 192.168.168.10 (transit vlan5), 10.10.0.5 for vlan 1
Westcore has 10.10.0.4 for vlan1

TSTACK has 192.168.168.11 for the transit vlan5 and 192.168.75.254 for its vlan 1
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Okay, if I understand everything correctly, your desired path looks like this:

net:192.168.100.0/24
WESTCORE
EASTCORE
TSTACK
TSTACK default route

Is that correct?
0
 
publicvoid (Director of IT, Author) commented:
Yes, that is correct.
0
 
atlas_shuddered (Sr. Network Engineer) commented:
And EASTCORE and WESTCORE are the HSRP pair correct?  Technically both of them constitute the transit network
0
 
publicvoid (Director of IT, Author) commented:
Yes they are the HSRP pair, but the transit vlan to the remote site isn't on the westcore since there was no physical connection there.  (Well the vlan is there but not a vlan interface.)
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Okay. One last question.

On TSTACK -

The next hop 192.168.168.10 in the route table is the external HSRP address of EASTCORE and WESTCORE correct?
0
 
publicvoid (Director of IT, Author) commented:
Well that is the address of eastcore on the transit vlan5...  I'll post the config for the routers... let me sanitize it.
0
 
atlas_shuddered (Sr. Network Engineer) commented:
No need.  Just wanted to confirm there wasn't a different path.

Try this then:

On:
WESTCORE:
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
!
!
route-map T permit 10
 match ip address 101
 set ip default next-hop 192.168.75.11


This assumes that the IP facing the 192.168.100.0/24 net on WESTCORE is 192.168.75.11 - if not, need to identify and change to correct next hop



EASTCORE:

access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
!
!
route-map T permit 10
 match ip address 101
 set ip next-hop 192.168.75.11


This assumes same as above on WESTCORE

On TSTACK:

access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
!
!
route-map T permit 10
 match ip address 101
 set ip next-hop 192.168.75.254


The reason for implementing on both routers is due to the HSRP and the "potential" for the connectivity back to VLAN300 at some point future (config now, avoid later).
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Check the edits I just pushed
0
 
publicvoid (Director of IT, Author) commented:
So the IP facing the 192.168.100.0/24 network is 192.168.100.1


Here is the config for all the routers:


WestCore#show run
Building configuration...

hostname WestCore

!
ip ssh time-out 60
ip ssh authentication-retries 2
no ip domain-lookup
ip name-server 10.10.10.2
ip name-server 10.10.10.1
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.10.0.3
ip sla monitor schedule 1 life forever start-time now
no mls acl tcam share-global
mls netflow interface
no mls flow ip
mls cef error action freeze
!

!
redundancy
 keepalive-enable
 mode sso
 main-cpu
  auto-sync running-config
!
spanning-tree mode rapid-pvst
spanning-tree vlan 1-1001 priority 7000
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-any voip-rtp
  match access-group 105
!
!
policy-map QOS-VOICE
  class voip-rtp
!
!
!

interface TenGigabitEthernet3/1
 description Backup
 switchport
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
interface TenGigabitEthernet3/2
 description EastcoreLink
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard loop
!
interface TenGigabitEthernet3/3
 description Cabinet2Link
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard loop
!
interface TenGigabitEthernet3/4
 description Cabinet1Link
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard loop
!

!
interface GigabitEthernet5/3
 switchport
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface TenGigabitEthernet5/4
 description Stack1Link
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard loop
!
interface TenGigabitEthernet5/5
 description Cabinet3Link
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard loop
!

!
interface Vlan1
 ip address 10.10.0.4 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 no ip redirects
 standby 5 ip 10.10.0.1
 standby 5 priority 110
 standby 5 preempt
 standby 5 authentication yvi5
 standby 6 ip 10.10.0.2
 standby 6 preempt
!
interface Vlan2
 no ip address
!

!
interface Vlan10
 ip address 10.10.1.251 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 19 ip 10.10.1.253
 standby 19 priority 110
 standby 19 preempt
 standby 19 authentication yvi5
 standby 20 ip 10.10.1.254
 standby 20 preempt
!
interface Vlan13
 ip address 10.10.13.3 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 21 ip 10.10.13.1
 standby 21 priority 110
 standby 21 preempt
 standby 21 authentication yvi5
 standby 22 ip 10.10.13.2
 standby 22 preempt
!
interface Vlan20
 description Voice
 ip address 10.20.0.3 255.255.0.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.24
 standby 9 ip 10.20.0.1
 standby 9 priority 110
 standby 9 preempt
 standby 9 authentication yvi9
 standby 10 ip 10.20.0.2
 standby 10 preempt
!
interface Vlan30
 description East Workstations
 ip address 10.30.0.3 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.24
 standby 7 ip 10.30.0.1
 standby 7 priority 110
 standby 7 preempt
 standby 7 authentication yvi7
 standby 8 ip 10.30.0.2
 standby 8 preempt
!
interface Vlan40
 description WEST Workstations
 ip address 10.40.0.3 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.24
 standby 11 ip 10.40.0.1
 standby 11 priority 110
 standby 11 preempt
 standby 11 authentication yvi11
 standby 12 ip 10.40.0.2
 standby 12 preempt
!
interface Vlan50
 description Production
 ip address 10.50.0.3 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 standby 15 ip 10.50.0.1
 standby 15 priority 110
 standby 15 preempt
 standby 15 authentication yvi15
 standby 16 ip 10.50.0.2
 standby 16 preempt
!
interface Vlan200
 ip address 192.168.200.2 255.255.255.0
!
interface Vlan201
 ip address 10.10.201.254 255.255.255.0
 ip helper-address 10.10.1.1
!
interface Vlan254
 ip address 10.10.254.251 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 17 ip 10.10.254.253
 standby 17 priority 110
 standby 17 preempt
 standby 17 authentication yvi5
 standby 18 ip 10.10.254.254
 standby 18 preempt
!
interface Vlan300
 ip address 192.168.100.3 255.255.255.0
 no ip redirects
 ip policy route-map TWC
 standby 22 preempt
 standby 30 ip 192.168.100.1
 standby 30 priority 110
 standby 30 preempt
 standby 30 authentication yvi5
 standby 31 ip 192.168.100.2
!
interface Vlan654
 ip address 192.168.1.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.0.3
ip route 192.168.4.254 255.255.255.255 10.10.0.3
ip route 192.168.20.0 255.255.255.0 192.168.168.11
ip route 192.168.44.0 255.255.255.0 192.168.168.11
ip route 192.168.45.0 255.255.255.0 192.168.168.11
ip route 192.168.46.0 255.255.255.0 192.168.168.11
ip route 192.168.75.0 255.255.255.0 192.168.168.11
ip route 192.168.168.0 255.255.255.0 10.10.0.5
ip route 192.168.200.0 255.255.255.0 192.168.200.1
!

access-list 101 permit ip 192.168.100.0 0.0.0.255 any
route-map TWC permit 10
 match ip address 101
 set ip default next-hop 192.168.75.222

end

EastCore#show run
!
upgrade fpd auto
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
service counters max age 5
!
hostname EastCore

!
!
no ip domain-lookup
ip domain-name yourvitamins.com
ip name-server 10.10.10.2
ip name-server 10.10.10.1
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
no mls acl tcam share-global
mls cef error action recover
!
!
!
!
!
!
redundancy
 mode sso
 main-cpu
  auto-sync running-config
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree vlan 1-1001 priority 8000
system flowcontrol bus auto
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!

!
interface TenGigabitEthernet5/1
 description *WestCore Link, TenGig 5/1*
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 spanning-tree guard loop
!
interface TenGigabitEthernet5/2
 description *WestStack Link, TenGig 8/0/2*
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
 spanning-tree guard loop
!
interface GigabitEthernet5/3
 no ip address
!
interface TenGigabitEthernet6/1
 desc TSTACK
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,5
 switchport mode trunk
 no ip address
 spanning-tree guard loop
!
interface TenGigabitEthernet6/2
 no ip address
 shutdown
!
interface GigabitEthernet6/3
 no ip address
 shutdown
!
interface Vlan1
 ip address 10.10.0.5 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 no ip redirects
 standby 5 ip 10.10.0.1
 standby 5 preempt
 standby 5 authentication yvi5
 standby 6 ip 10.10.0.2
 standby 6 priority 110
 standby 6 preempt
!
interface Vlan2
 no ip address

!
interface Vlan5
 ip address 192.168.168.10 255.255.255.0
!
interface Vlan10
 ip address 10.10.1.252 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 19 ip 10.10.1.253
 standby 19 preempt
 standby 19 authentication yvi5
 standby 20 ip 10.10.1.254
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan13
 ip address 10.10.13.4 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 21 ip 10.10.13.1
 standby 21 preempt
 standby 21 authentication yvi5
 standby 22 ip 10.10.13.2
 standby 22 priority 110
 standby 22 preempt
!
interface Vlan20
 description VOICE
 ip address 10.20.0.4 255.255.0.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.24
 no ip redirects
 standby 9 ip 10.20.0.1
 standby 9 preempt
 standby 9 authentication yvi9
 standby 10 ip 10.20.0.2
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan30
 ip address 10.30.0.4 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 7 ip 10.30.0.1
 standby 7 preempt
 standby 7 authentication yvi7
 standby 8 ip 10.30.0.2
 standby 8 priority 110
 standby 8 preempt
!
interface Vlan40
 ip address 10.40.0.4 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 11 ip 10.40.0.1
 standby 11 preempt
 standby 11 authentication yvi11
 standby 12 ip 10.40.0.2
 standby 12 priority 110
 standby 12 preempt
!
interface Vlan50
 description Production
 ip address 10.50.0.4 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 15 ip 10.50.0.1
 standby 15 preempt
 standby 15 authentication yvi15
 standby 16 ip 10.50.0.2
 standby 16 priority 110
 standby 16 preempt
!
interface Vlan254
 ip address 10.10.254.252 255.255.255.0
 ip helper-address 10.10.1.1
 ip helper-address 10.10.1.2
 ip helper-address 10.10.1.24
 no ip redirects
 standby 17 ip 10.10.254.253
 standby 17 preempt
 standby 17 authentication yvi5
 standby 18 ip 10.10.254.254
 standby 18 priority 110
 standby 18 preempt
!
interface Vlan300
 ip address 192.168.100.4 255.255.255.0
 no ip redirects
 standby 30 ip 192.168.100.1
 standby 30 preempt
 standby 30 authentication yvi5
 standby 31 ip 192.168.100.2
 standby 31 priority 110
 standby 31 preempt
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.0.3
ip route 10.10.0.0 255.255.0.0 Vlan1
ip route 10.20.0.0 255.255.0.0 Vlan20
ip route 192.168.4.254 255.255.255.255 10.10.0.3
ip route 192.168.20.0 255.255.255.0 192.168.168.11
ip route 192.168.44.0 255.255.255.0 192.168.168.11
ip route 192.168.45.0 255.255.255.0 192.168.168.11
ip route 192.168.46.0 255.255.255.0 192.168.168.11
ip route 192.168.75.0 255.255.255.0 192.168.168.11
ip route 192.168.100.0 255.255.255.0 10.10.0.4
!
no ip http server
!
logging 10.40.0.21
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
route-map TWC permit 10
 match ip address 101
 set ip default next-hop 192.168.75.254

end






TWCSTACK#show run

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TSTACK

system mtu routing 1500
ip routing
!
!
no ip domain-lookup
vtp mode transparent

!
!
!
vlan internal allocation policy ascending
!
vlan 2
 name NTERNET
!
vlan 5
 name TTRANSIT
!
vlan 20
 name voice
!
vlan 75
 name Workstations

!
interface GigabitEthernet2/0/47
 description LINK TO INTERNET VLAN
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport mode access
 spanning-tree portfast
!


!
interface TenGigabitEthernet4/0/1
 description EASTCORE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,5
 switchport mode trunk
!
interface TenGigabitEthernet4/0/2
!
interface Vlan1
 description DATA
 ip address 192.168.75.254 255.255.255.0
 ip helper-address 10.10.1.2
 ip helper-address 192.168.100.16
!
interface Vlan5
 description TRANSIT
 ip address 192.168.168.11 255.255.255.0
!
interface Vlan20
 description voice
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 10.10.1.2
 ip helper-address 192.168.100.16
!
interface Vlan75
 description Workstations
 no ip address
 ip helper-address 10.10.1.2
 ip helper-address 192.168.100.16
!

!
ip route 0.0.0.0 0.0.0.0 192.168.75.222
ip route 10.10.0.0 255.255.255.0 192.168.168.10
ip route 10.10.1.0 255.255.255.0 192.168.168.10
ip route 10.20.0.0 255.255.0.0 192.168.168.10
ip route 10.30.0.0 255.255.255.0 192.168.168.10
ip route 10.40.0.0 255.255.255.0 192.168.168.10
ip route 172.16.30.0 255.255.255.0 192.168.168.10
ip route 192.168.100.0 255.255.255.0 192.168.168.10
!
!
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Is 192.168.75.222 in the routes for TWCSTACK the firewall interface?
0
 
publicvoid (Director of IT, Author) commented:
Thanks Atlas...  So to clarify this, I would build the SVI on westcore in vlan 5?
0
 
atlas_shuddered (Sr. Network Engineer) commented:
Yes, it will give you a pin point for the mappings.  EAST already has an SVI in vlan 5
0
 
publicvoid (Director of IT, Author) commented:
Perfect!  It worked like a charm.  Thank you so much.  I owe you a beer at the very least!
0
 
publicvoid (Director of IT, Author) commented:
Seriously great help by atlas_shuddered!  Thanks!
0
 
atlas_shuddered (Sr. Network Engineer) commented:
lol, no worries public. Sorry it took so long. Should have looked at the configs sooner. Good luck. Cheers
1
Question has a verified solution.