04-14-2016 08:37 PM - edited 03-08-2019 05:21 AM
Guys,
Need some explanation.
I'm using Cisco Sw:
S2-EXT-24Port#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 19-Apr-04 21:50 by yenanh
Image text-base: 0x00003000, data-base: 0x008273B8
ROM: Bootstrap program is C3550 boot loader
S2-EXT-24Port uptime is 11 weeks, 1 day, 6 hours, 21 minutes
System returned to ROM by power-on
System image file is "flash:c3550-i5q3l2-mz.121-20.EA1a/c3550-i5q3l2-mz.121-20.E
A1a.bin"
Below is my config:
!
interface Vlan23
description *** SABAHNET_TO_CORE ***
ip address 172.31.32.53 255.255.255.252
ip policy route-map SABAHNET
end
If I remove "ip policy route-map SABAHNET" from the above interface VLAN23, I can ping the next hop 172.31.32.54; if I apply it back, I am unable to ping.
route-map SABAHNET permit 10
match ip address 106
set ip next-hop 27.146.107.185
!
Extended IP access list 106
permit ip 27.146.147.0 0.0.0.255 any
permit ip 27.146.168.0 0.0.0.255 any
permit ip 10.37.24.0 0.0.0.255 any
permit ip 10.66.1.0 0.0.0.255 any
permit ip 10.65.1.0 0.0.0.255 any
permit ip 10.39.12.0 0.0.0.255 any
permit ip 10.39.20.0 0.0.0.255 any
permit ip 10.65.5.0 0.0.0.255 any
permit ip 10.68.1.0 0.0.0.255 any
permit ip 10.67.1.0 0.0.0.255 any
permit ip 10.37.25.0 0.0.0.255 any
permit ip 10.34.8.0 0.0.0.255 any
permit ip 10.34.21.0 0.0.0.255 any
permit ip 10.25.8.0 0.0.0.255 any
permit ip 10.65.11.0 0.0.0.255 any
permit ip 10.65.10.0 0.0.0.255 any
permit ip 10.65.9.0 0.0.0.255 any
permit ip 10.65.8.0 0.0.0.255 any
permit ip 10.65.7.0 0.0.0.255 any
permit ip 10.65.6.0 0.0.0.255 any
Traffic is going through but nothing hits the ACL either. Confused. Experts, please advise.
Thanks in advance.
04-14-2016 09:49 PM
Your config looks good to me, so I'm going to guess this is a software defect. However due to the age of the switch you are unlikely to get new software.
Perhaps a power cycle may resolve it.
04-16-2016 09:40 AM
Maybe it needs a power cycle. Will perform it during the next maintenance window and meanwhile keep this config, as there is no issue with customer traffic. Thanks Philip.
04-16-2016 02:19 PM
If your attempt to ping the next hop is from any of these subnets
permit ip 27.146.147.0 0.0.0.255 any
permit ip 27.146.168.0 0.0.0.255 any
permit ip 10.37.24.0 0.0.0.255 any
permit ip 10.66.1.0 0.0.0.255 any
permit ip 10.65.1.0 0.0.0.255 any
permit ip 10.39.12.0 0.0.0.255 any
permit ip 10.39.20.0 0.0.0.255 any
permit ip 10.65.5.0 0.0.0.255 any
permit ip 10.68.1.0 0.0.0.255 any
permit ip 10.67.1.0 0.0.0.255 any
permit ip 10.37.25.0 0.0.0.255 any
permit ip 10.34.8.0 0.0.0.255 any
permit ip 10.34.21.0 0.0.0.255 any
permit ip 10.25.8.0 0.0.0.255 any
permit ip 10.65.11.0 0.0.0.255 any
permit ip 10.65.10.0 0.0.0.255 any
permit ip 10.65.9.0 0.0.0.255 any
permit ip 10.65.8.0 0.0.0.255 any
permit ip 10.65.7.0 0.0.0.255 any
permit ip 10.65.6.0 0.0.0.255 any
Then the PBR is likely causing the failure when you attempt to ping the next hop. It is not a software defect and a reboot is not going to change the behavior. With PBR in the config then your attempt to ping is being forwarded to 27.146.107.185 as the next hop instead of to 172.31.32.54 and my guess is that from 27.146.107.185 the ping does not get to its destination.
If you want to be able to ping the next hop then your access list 106 needs to deny traffic from those subnets to 172.31.32.54 before it permits the traffic to other destinations.
HTH
Rick
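The interaction described in the reply above, modelled as an added example (not code from the thread or from Cisco): a first-match evaluation of access list 106 under route-map SABAHNET, with and without deny entries for 172.31.32.54 placed ahead of the permits. It assumes generic first-match ACL semantics rather than any 3550-specific behaviour, uses only the first five source networks from the page, and the test source 10.37.24.10 and destination 198.51.100.7 are constructed sample addresses.

```python
import ipaddress

NEXT_HOP_PBR = "27.146.107.185"   # route-map SABAHNET "set ip next-hop"
PEER = "172.31.32.54"             # address the poster could not ping

# Source networks from access list 106 on the page (first five, for brevity).
SOURCES = ["27.146.147.0", "27.146.168.0", "10.37.24.0", "10.66.1.0", "10.65.1.0"]
WILDCARD = "0.0.0.255"

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def parse_ace(line):
    """Parse '<action> ip <src> <wc> any' or '<action> ip <src> <wc> host <dst>'."""
    tok = line.split()
    action, src, swc = tok[0], tok[2], tok[3]
    if tok[4] == "any":
        dst, dwc = "0.0.0.0", "255.255.255.255"
    else:  # "host A.B.C.D"
        dst, dwc = tok[5], "0.0.0.0"
    return action, src, swc, dst, dwc

def acl_action(acl, src, dst):
    """First matching entry wins; implicit deny at the end."""
    for action, s, swc, d, dwc in map(parse_ace, acl):
        if wc_match(src, s, swc) and wc_match(dst, d, dwc):
            return action
    return "deny"

def forward(acl, src, dst):
    """Route-map permit 10: ACL permit -> PBR next hop, otherwise normal routing."""
    return NEXT_HOP_PBR if acl_action(acl, src, dst) == "permit" else "routing-table"

ORIGINAL = [f"permit ip {s} {WILDCARD} any" for s in SOURCES]
# Deny entries for the peer come first so those packets skip policy routing.
FIXED = [f"deny ip {s} {WILDCARD} host {PEER}" for s in SOURCES] + ORIGINAL

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, forward(acl, "10.37.24.10", PEER),
              forward(acl, "10.37.24.10", "198.51.100.7"))
```

With the original list, a ping from a listed subnet to 172.31.32.54 is handed to 27.146.107.185; with the deny entries first, it follows the routing table while all other traffic from those subnets is still policy-routed.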