We are trying to set up a VLAN for wireless nodes and want to apply
some access-lists to it. Unfortunately, because the 6509 does not
process access-lists between VLANs (switching takes place in hardware,
and the 6509 does not support ACL matching at the MSFC level --
verified with TAC), we want to send all local traffic from this VLAN
off the 6509 to another router. We will apply the access lists on
this router, then send permitted traffic back to the 6509. (Yes, a
kludge. -- Alternative suggestions most welcome!)
We tried configuring policy-based routing -- it looks like it should
do the trick, but for some reason, it's not working...
Our "wireless VLAN" (VLAN52) is on the 6509: 130.71.248.0/21 (so the
valid IP addresses in this subnetwork are 130.71.248.1-130.71.255.254).
We set up a spare Cisco 4500 router with two ethernet interfaces; we
set up two new VLANs (63 and 64) on the 6509 as follows:
+---------------+                             +----------------+
|Cisco     ETH0 |-130.71.246.2---130.71.246.1-| Vlan63   Cisco |
|4500      ETH1 |-130.71.247.2---130.71.247.1-| Vlan64   6509  |
+---------------+                             +----------------+
                                                      |VLAN52
                                                      (130.71.248/21)
                                                      |
                                                      X Node: 130.71.255.254
We then pinged from 130.71.255.254 (a node on VLAN52) to a node in our
network, but the traffic stays on the 6509; the route-map is not
effective.
Cisco4500:
130.71.0.0/24 is subnetted, 2 subnets
C 130.71.247.0 is directly connected, Ethernet1
C 130.71.246.0 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 130.71.247.1
We have verified IP connectivity from everywhere to 130.71.246.2 and
130.71.247.2.
Cisco 6509:
interface Vlan63
 ip address 130.71.246.1 255.255.255.0
 ip broadcast-address 130.71.246.255
interface Vlan64
 ip address 130.71.247.1 255.255.255.0
 ip broadcast-address 130.71.247.255
access-list 111 permit ip 130.71.248.0 0.0.7.255 any
(we also tried "access-list 111 permit ip any any")
route-map STOWLAN permit 11
 match ip address 111
(we also tried without the "match ip address 111")
 set ip next-hop 130.71.246.2
(we also tried "set ip default next-hop 130.71.246.2")
interface Vlan52
 ip address 130.71.248.1 255.255.248.0
 ip broadcast-address 130.71.255.255
 ip helper-address 130.71.128.8
 no ip mroute-cache
 ip policy route-map STOWLAN
We turned on "debug ip packet detail" on the Cisco 4500, but it sees
no traffic we originate from our test node.
If it's relevant, right after putting in: "ip policy route-map
STOWLAN" on vlan52, we did get:
*Jan 16 20:07:32 CST: %FM-2-TCAM_ERROR: TCAM programming error 18
IOS version details are below.
Should this approach work? If so, any suggestions why it's not
working?
Craig
--
Craig D. Rice Associate Director of Information Systems
cdr at stolaf.edu Information and Instructional Technologies
+1 507 646-3631 St. Olaf College
+1 507 646-3096 FAX 1510 St. Olaf Avenue
http://www.stolaf.edu/people/cdr Northfield, MN 55057-1097 USA
----- show vers for cisco 6509 -----
Cisco Internetwork Operating System Software
IOS (tm) MSFC Software (C6MSFC-DSV-M), Version 12.1(8b)E15, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support:
http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 18-Jul-03 00:05 by hqluong
Image text-base: 0x60008950, data-base: 0x616BA000
ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
BOOTFLASH: MSFC Software (C6MSFC-DSV-M), Version 12.1(8b)E15, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
cisco6509 uptime is 2 weeks, 2 days, 2 hours, 40 minutes
System returned to ROM by power-on
System image file is "bootflash:c6msfc-dsv-mz.121-8b.E15"
cisco Cat6k-MSFC (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID SAD04240N0U
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
53 Virtual Ethernet/IEEE 802.3 interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.
16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2101
----- show vers for cisco 4500 -----
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-I-M), Version 12.0(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Tue 25-Jan-00 04:22 by bettyl
Image text-base: 0x60008930, data-base: 0x606CE000
ROM: System Bootstrap, Version 5.1(1) [daveu 1], RELEASE SOFTWARE (fc1)
BOOTFLASH: 4500-XBOOT Bootstrap Software, Version 10.1(1), RELEASE SOFTWARE (fc1)
cisco4500.stolaf.edu uptime is 1 hour, 16 minutes
System restarted by reload
System image file is "flash:c4500-i-mz_120-9.bin"
cisco 4500 (R4K) processor (revision 0x00) with 32768K/4096K bytes of memory.
Processor board ID 01387457
R4600 processor, Implementation 32, Revision 1.0
G.703/E1 software, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
4096K bytes of processor board Boot flash (Read/Write)
Configuration register is 0x2102
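Added here as a worked example (not part of the original post, and not Cisco code): a small Python model of access-list 111 and the STOWLAN route-map quoted above, useful for checking which source/destination pairs the policy would hand to 130.71.246.2 before touching the 6509. The ACL text and the route-map dictionary are constructed from the post's configuration; a packet that matches no sequence (or matches a deny sequence) is returned as None, standing for normal forwarding.

```python
import ipaddress

# Constructed from the configuration quoted in the post above.
ACL_LINES = ["access-list 111 permit ip 130.71.248.0 0.0.7.255 any"]
ROUTE_MAP = [{"seq": 11, "action": "permit", "match_acl": 111,
              "next_hop": "130.71.246.2"}]

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network.
    Wildcard 1-bits mean 'don't care'; only a contiguous mask maps to a prefix."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' (SRC/DST: any, host A, or A W)."""
    acls = {}
    for line in lines:
        tok = line.split()
        number, action, rest, nets = int(tok[1]), tok[2], tok[4:], []
        while rest:
            if rest[0] == "any":
                net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
            elif rest[0] == "host":
                net, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
            else:
                net, rest = wildcard_to_network(rest[0], rest[1]), rest[2:]
            nets.append(net)
        acls.setdefault(number, []).append((action, nets[0], nets[1]))
    return acls

def acl_permits(entries, src, dst):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def pbr_next_hop(acls, route_map, src, dst):
    """Next hop set by the first sequence whose ACL permits the packet;
    None means normal forwarding (also for a matching 'deny' sequence)."""
    for seq in route_map:
        if acl_permits(acls[seq["match_acl"]], src, dst):
            return seq["next_hop"] if seq["action"] == "permit" else None
    return None
```

Note that with "set ip next-hop" every permitted packet entering Vlan52 is redirected, including traffic whose destination is another host on 130.71.248.0/21.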