cisco6509 route-map config

Discussion in 'Cisco' started by Craig D. Rice, Nov 14, 2003.

  1. We are trying to set up a VLAN for wireless nodes and want to apply
    some access-lists to it. Unfortunately, because the 6509 does not
    process access-lists between VLANs (switching takes place in hardware,
    and the 6509 does not support ACL matching at the MSFC level --
    verified with TAC), we want to send all local traffic from this VLAN
    off the 6509 to another router. We will apply the access lists on
    this router, then send permitted traffic back to the 6509. (Yes, a
    kludge. -- Alternative suggestions most welcome!)

    We tried configuring policy-based routing -- it looks like it should
    do the trick, but for some reason, it's not working...

    Our "wireless VLAN" (VLAN52) is on the 6509: 130.71.248.0/21 (so the
    valid IP addresses in this subnetwork are 130.71.248.1-130.71.255.254).

    We set up a spare Cisco 4500 router with two ethernet interfaces; we
    set up two new VLANs (63 and 64) on the 6509 as follows:

    +---------------+                             +----------------+
    |Cisco     ETH0 |-130.71.246.2---130.71.246.1-| Vlan63  Cisco  |
    |4500      ETH1 |-130.71.247.2---130.71.247.1-| Vlan64  6509   |
    +---------------+                             +----------------+
                                                          |VLAN52
                                                      (130.71.248/21)
                                                          |
                                                          X Node: 130.71.255.254

    We then pinged from 130.71.255.254 (a node on VLAN52) to a node in our
    network, but the traffic stays on the 6509; the route-map is not
    effective.

    Cisco4500:

    130.71.0.0/24 is subnetted, 2 subnets
    C 130.71.247.0 is directly connected, Ethernet1
    C 130.71.246.0 is directly connected, Ethernet0
    S* 0.0.0.0/0 [1/0] via 130.71.247.1

    We have verified IP connectivity from everywhere to 130.71.246.2 and
    130.71.247.2.

    Cisco 6509:

    interface Vlan63
     ip address 130.71.246.1 255.255.255.0
     ip broadcast-address 130.71.246.255

    interface Vlan64
     ip address 130.71.247.1 255.255.255.0
     ip broadcast-address 130.71.247.255

    access-list 111 permit ip 130.71.248.0 0.0.7.255 any
    (we also tried "access-list 111 permit ip any any")

    route-map STOWLAN permit 11
     match ip address 111
     (we also tried without the "match ip address 111")
     set ip next-hop 130.71.246.2
     (we also tried "set ip default next-hop 130.71.246.2")

    interface Vlan52
     ip address 130.71.248.1 255.255.248.0
     ip broadcast-address 130.71.255.255
     ip helper-address 130.71.128.8
     no ip mroute-cache
     ip policy route-map STOWLAN

    We turned on "debug ip packet detail" on the Cisco 4500, but it sees
    no traffic we originate from our test node.

    If it's relevant, right after putting in: "ip policy route-map
    STOWLAN" on vlan52, we did get:

    *Jan 16 20:07:32 CST: %FM-2-TCAM_ERROR: TCAM programming error 18

    IOS version details are below.

    Should this approach work? If so, any suggestions why it's not
    working?

    Craig
    --
    Craig D. Rice Associate Director of Information Systems
    cdr at stolaf.edu Information and Instructional Technologies
    +1 507 646-3631 St. Olaf College
    +1 507 646-3096 FAX 1510 St. Olaf Avenue
    http://www.stolaf.edu/people/cdr Northfield, MN 55057-1097 USA

    ----- show vers for cisco 6509 -----

    Cisco Internetwork Operating System Software
    IOS (tm) MSFC Software (C6MSFC-DSV-M), Version 12.1(8b)E15, EARLY
    DEPLOYMENT RELEASE SOFTWARE (fc1)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Fri 18-Jul-03 00:05 by hqluong
    Image text-base: 0x60008950, data-base: 0x616BA000

    ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
    BOOTFLASH: MSFC Software (C6MSFC-DSV-M), Version 12.1(8b)E15, EARLY
    DEPLOYMENT RELEASE SOFTWARE (fc1)

    cisco6509 uptime is 2 weeks, 2 days, 2 hours, 40 minutes
    System returned to ROM by power-on
    System image file is "bootflash:c6msfc-dsv-mz.121-8b.E15"

    cisco Cat6k-MSFC (R5000) processor with 114688K/16384K bytes of
    memory.
    Processor board ID SAD04240N0U
    R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
    Last reset from power-on
    Bridging software.
    X.25 software, Version 3.0.0.
    53 Virtual Ethernet/IEEE 802.3 interface(s)
    123K bytes of non-volatile configuration memory.
    4096K bytes of packet SRAM memory.

    16384K bytes of Flash internal SIMM (Sector size 256K).
    Configuration register is 0x2101

    ----- show vers for cisco 4500 -----

    Cisco Internetwork Operating System Software
    IOS (tm) 4500 Software (C4500-I-M), Version 12.0(9), RELEASE SOFTWARE
    (fc1)
    Copyright (c) 1986-2000 by cisco Systems, Inc.
    Compiled Tue 25-Jan-00 04:22 by bettyl
    Image text-base: 0x60008930, data-base: 0x606CE000

    ROM: System Bootstrap, Version 5.1(1) [daveu 1], RELEASE SOFTWARE
    (fc1)
    BOOTFLASH: 4500-XBOOT Bootstrap Software, Version 10.1(1), RELEASE
    SOFTWARE (fc1)

    cisco4500.stolaf.edu uptime is 1 hour, 16 minutes
    System restarted by reload
    System image file is "flash:c4500-i-mz_120-9.bin"

    cisco 4500 (R4K) processor (revision 0x00) with 32768K/4096K bytes of
    memory.
    Processor board ID 01387457
    R4600 processor, Implementation 32, Revision 1.0
    G.703/E1 software, Version 1.0.
    Bridging software.
    X.25 software, Version 3.0.0.
    2 Ethernet/IEEE 802.3 interface(s)
    1 FastEthernet/IEEE 802.3 interface(s)
    4 Serial network interface(s)
    128K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    4096K bytes of processor board Boot flash (Read/Write)

    Configuration register is 0x2102
    Craig D. Rice, Nov 14, 2003
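    The policy-routing decision the post is trying to get, as an added example that is not part of the thread and not Cisco's code: a small Python simulator of an IOS numbered ACL with wildcard masks, a route-map clause, and the difference between "set ip next-hop" (applied before the routing-table lookup) and "set ip default next-hop" (applied only when the routing table holds no explicit route to the destination; a 0.0.0.0/0 default route does not count as explicit). The ACL, route-map and interface addresses are the ones in the post; the routing-table contents (the 130.71.128.0/24 subnet, the 130.71.1.1 next hop and the default route) and the test destinations are constructed assumptions.

```python
"""Added example, not from the thread: simulate the PBR decision the post
describes. ACL 111, route-map STOWLAN and the VLAN addresses come from the
post; ROUTE_TABLE entries marked 'assumed' and the test destinations are
constructed for illustration."""
import ipaddress

# access-list 111 permit ip 130.71.248.0 0.0.7.255 any
# ACE tuple: (action, src_base, src_wildcard, dst_base, dst_wildcard)
ACLS = {
    111: [("permit", "130.71.248.0", "0.0.7.255", "0.0.0.0", "255.255.255.255")],
}

# route-map STOWLAN permit 11 / match ip address 111 / set ip next-hop 130.71.246.2
STOWLAN_NEXT_HOP = [{"match": 111, "set": "next-hop", "next_hop": "130.71.246.2"}]
# ...and the "set ip default next-hop 130.71.246.2" variant the poster also tried
STOWLAN_DEFAULT_NEXT_HOP = [{"match": 111, "set": "default next-hop",
                             "next_hop": "130.71.246.2"}]

# Constructed routing table for the 6509: the three connected VLANs are from
# the post; the campus subnet holding the helper address and the default
# route are assumed.
ROUTE_TABLE = {
    "130.71.248.0/21": "connected Vlan52",
    "130.71.246.0/24": "connected Vlan63",
    "130.71.247.0/24": "connected Vlan64",
    "130.71.128.0/24": "130.71.1.1",   # assumed campus subnet
    "0.0.0.0/0": "130.71.1.1",         # assumed default route
}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def route_lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in table.items():
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forward(route_map, acls, table, src, dst):
    """Return ("policy", hop) if the route-map redirects the packet,
    ("route", hop) if normal forwarding applies, ("drop", None) otherwise."""
    for clause in route_map:
        # A clause with no "match" statement (match=None) matches every packet.
        if clause["match"] is not None and not acl_permits(acls[clause["match"]], src, dst):
            continue                                 # try the next sequence number
        if clause["set"] == "next-hop":
            return ("policy", clause["next_hop"])    # wins before any route lookup
        route = route_lookup(table, dst)             # "default next-hop": table first
        if route is not None and route[0].prefixlen > 0:
            return ("route", route[1])               # explicit route exists, policy skipped
        return ("policy", clause["next_hop"])
    route = route_lookup(table, dst)
    return ("route", route[1]) if route else ("drop", None)


if __name__ == "__main__":
    for name, rm in (("set ip next-hop", STOWLAN_NEXT_HOP),
                     ("set ip default next-hop", STOWLAN_DEFAULT_NEXT_HOP)):
        print(name, forward(rm, ACLS, ROUTE_TABLE, "130.71.255.254", "130.71.128.8"))
```

    With the assumed table, a packet from the VLAN52 test node to 130.71.128.8 is redirected to 130.71.246.2 under "set ip next-hop" but forwarded normally under "set ip default next-hop", because the 6509 already has an explicit route to that subnet; the default-next-hop form only diverts traffic for destinations the table covers solely by the default route. That is a reason the second variant could never move intra-campus traffic off the box, independent of whatever stopped the first one (the TCAM error reported when the policy was applied is the thing to chase for that).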

  2. On 14 Nov 2003 08:18:43 -0800, (Craig D. Rice) wrote:

    >We are trying to set up a VLAN for wireless nodes and want to apply
    >some access-lists to it. Unfortunately, because the 6509 does not
    >process access-lists between VLANs (switching takes place in hardware,
    >and the 6509 does not support ACL matching at the MSFC level --
    >verified with TAC), we want to send all local traffic from this VLAN
    >off the 6509 to another router. We will apply the access lists on
    >this router, then send permitted traffic back to the 6509. (Yes, a
    >kludge. -- Alternative suggestions most welcome!)


    6509's can filter inter-VLAN traffic just fine. I've done it without
    issue.

    -Terry
    Terry Baranski, Nov 15, 2003

  3. Andre Beck wrote:

    Terry Baranski <0VE> writes:
    > On 14 Nov 2003 08:18:43 -0800, (Craig D. Rice) wrote:
    >
    > >We are trying to set up a VLAN for wireless nodes and want to apply
    > >some access-lists to it. Unfortunately, because the 6509 does not
    > >process access-lists between VLANs (switching takes place in hardware,
    > >and the 6509 does not support ACL matching at the MSFC level --
    > >verified with TAC), we want to send all local traffic from this VLAN
    > >off the 6509 to another router. We will apply the access lists on
    > >this router, then send permitted traffic back to the 6509. (Yes, a
    > >kludge. -- Alternative suggestions most welcome!)

    >
    > 6509's can filter inter-VLAN traffic just fine. I've done it without
    > issue.


    6509s are just chassis. What processors are we speaking of? I would
    expect the SUP2+MSFC2+PFC2 can ACL just fine (I'd get really annoyed
    if it wouldn't), but the MSFC mentioned by the original poster might
    be different. Their L3 switching approach (MLS) is different, I was
    assured here.

    If it is this way, the resolution would either be to upgrade the CPUs
    to some that can do ACLs properly, or indeed to use an external router
    to do it for them. A 3750 might fit quite nicely (however I'm not fully
    aware of the quality of ACL support you get on them).

    --
    The _S_anta _C_laus _O_peration
    or "how to turn a complete illusion into a neverending money source"

    -> Andre "ABPSoft" Beck +++ ABP-RIPE +++ Dresden, Germany, Spacetime <-
    Andre Beck, Nov 15, 2003
  4. On 15 Nov 2003 20:39:12 +0100, Andre Beck <> wrote:

    >Terry Baranski <0VE> writes:
    >> On 14 Nov 2003 08:18:43 -0800, (Craig D. Rice) wrote:
    >>
    >> >We are trying to set up a VLAN for wireless nodes and want to apply
    >> >some access-lists to it. Unfortunately, because the 6509 does not
    >> >process access-lists between VLANs (switching takes place in hardware,
    >> >and the 6509 does not support ACL matching at the MSFC level --
    >> >verified with TAC), we want to send all local traffic from this VLAN
    >> >off the 6509 to another router. We will apply the access lists on
    >> >this router, then send permitted traffic back to the 6509. (Yes, a
    >> >kludge. -- Alternative suggestions most welcome!)

    >>
    >> 6509's can filter inter-VLAN traffic just fine. I've done it without
    >> issue.

    >
    >6509s are just chassis. What processors are we speaking of? I would
    >expect the SUP2+MSFC2+PFC2 can ACL just fine (I'd get really annoyed
    >if it wouldn't), but the MSFC mentioned by the original poster might
    >be different. Their L3 switching approach (MLS) is different, I was
    >assured here.


    MLS is different but ACL's still work when it's being used.

    -Terry
    Terry Baranski, Nov 16, 2003
