PBR on 3560

Unanswered Question
Jul 21st, 2008

Configured PBR on 3560 but not working. IOS is advipservices and sdm prefer dual-ipv4-and-ipv6 is configured on the switch. The moment I apply the ip policy command on the SVI, I am losing connectivity to the SVI on which I apply the policy; I can't even ping it. Once I remove the policy, connectivity is restored. Please help.

lgijssel Mon, 07/21/2008 - 05:13

This appears to me as an indication that your PBR-config is in fact working, it is just not doing what you expect it to do!

Instead it appears to be causing your SDM connection to fail, presumably because the policy affects your management traffic.

If you need more help on this, please post your config and also include a description of what your policy should do.



AJAZ NAWAZ Mon, 07/21/2008 - 08:52

Symptoms are consistent with misconfiguration.

yes - config please?


renato.berana Mon, 07/21/2008 - 20:32

The switch is connected to two firewalls. The default gateway is pointing to FW1( and in the PBR policy web traffic should go to FW2(, but when I apply the policy it is not working; I can't even ping the SVI of Vlan20. As of now the policy is only applied to VLAN20.

michaelchoo Tue, 07/22/2008 - 00:36

I think your issue is the fact that you're missing an empty route-map line. Currently, what your route-map is saying is all traffic that matches access-list 100 gets policy routed, the rest.... DROP!

Try adding the following:

route-map ADSL permit 20

(i.e. empty route-map statement for your PBR route-map).

That *should* fix your issue.

Edit: adding the empty route-map statement essentially ensures your PBR to fallback to normal routing if the 1st route-map condition is not met.

renato.berana Tue, 07/22/2008 - 01:51

I think the rest of the traffic will not be dropped but it will be forwarded normally. Correct me if I'm wrong. And one more thing: "Why can't I ping the SVI IP if the policy is applied?"

michaelchoo Tue, 07/22/2008 - 04:26

Well, if you don't add an empty route-map statement, other traffic will be dropped. Remember, route-map follows the same logic as access-list: implicit deny any.

If your policy still doesn't have the empty route-map statement, then the reason why you can't ping the SVI is because the traffic is dropped by your route-map. Edit: If you've added the statement, does the switch know how to get to the ping source? Do traceroute to see the path it's attempting to take.
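The route-map layout michaelchoo is describing, written out as an added configuration example (it is not the original poster's config and was not posted in the thread); the contents of access-list 100, the FW2 next-hop placeholder and the VLAN 20 SVI are assumptions:

```cisco
! Added example, not from the thread. Assumptions: ACL 100 selects web
! traffic, FW2_IP is a placeholder for the FW2 address, and the policy
! is applied on the VLAN 20 SVI.
!
! 1. Classify the traffic to be policy-routed (assumed: HTTP and HTTPS).
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
!
! 2. Clause 10 sends ACL-100 matches to FW2. Clause 20 is the empty
!    fallback clause suggested in the thread: it matches everything
!    else and, having no set action, leaves that traffic to normal
!    routing via the default gateway (FW1).
route-map ADSL permit 10
 match ip address 100
 set ip next-hop FW2_IP
!
route-map ADSL permit 20
!
! 3. Apply the policy on the SVI the clients sit behind.
interface Vlan20
 ip policy route-map ADSL
!
! Verification (exec mode):
!   show route-map ADSL   per-clause "Policy routing matches" counters;
!                         a clause that never increments is not matching
!   show ip policy        which route-map is bound to which interface
!   show sdm prefer       on the 3560, PBR requires an SDM template that
!                         supports it (the routing template); changing
!                         the template takes effect only after a reload
```

Because the switch is now in the forwarding path for the web traffic, check the return path too: FW2 must know how to reach the VLAN 20 subnet, otherwise echo replies come back asymmetrically or not at all.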

renato.berana Tue, 07/22/2008 - 05:04

The ping source is from the same segment and the ping destination is the which is the gateway. If the policy is applied on the SVI, the ping will fail.

michaelchoo Tue, 07/22/2008 - 14:12

Try adding the endpoints for your ping command into the access-list for your PBR and test again. Be mindful of the path that echo-reply packets may traverse. Depending on how your topology looks and how you configure the routing, you might encounter an asymmetrical path.

