Cannot Ping Default Gateway with Route Map Applied

danbowencisco
Level 1

Hi Everyone,

I have a 3560G and an ASA FW, for which I am trying to use PBR to amend the next hop. The gateway is the switch VLAN address and the amended next hop is the same VLAN interface on the ASA. Trouble is, I can ping the FW from a client, but not the switch. If I remove the route map, I can ping both. Even more strange is that this is the case for some VLANs, but not all!

Config:

HOST ON VLAN 96
IP 10.11.120.99
S/M 255.255.255.240
D/G 10.11.120.98

FIREWALL
interface g0/0.96
 ip address 10.11.120.97/28

SWITCH (3560G)
interface Vlan96
 description Information Network
 ip address 10.11.120.98 255.255.255.240
 ip access-group 2030 in
 ip policy route-map Information-RM

access-list 2030 remark ***Information Network ACL***
access-list 2030 remark ###PST to All Networks(ICMP Traffic)###
access-list 2030 permit icmp host 10.11.120.99 any echo log
access-list 2030 permit icmp host 10.11.120.99 any echo-reply log
access-list 2030 deny   ip any any log

access-list 2530 remark ***Information Network Route Map ACL***
access-list 2530 permit ip 10.11.120.96 0.0.0.15 any

route-map Information-RM permit 10
 match ip address 2530
 set ip next-hop 10.11.120.97

SL-3560G-Switch#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

SL-3560G-Switch#sh route-map Information-RM
route-map Information-RM, permit, sequence 10
  Match clauses:
    ip address (access-lists): 2530
  Set clauses:
    ip next-hop 10.11.120.97
  Policy routing matches: 1734 packets, 164439 bytes

I cannot understand why I cannot ping my d/g (switch) when the route map is applied.

Any help would be great.

Thanks,

Dan

3 Replies

danbowencisco
Level 1

anyone got any ideas?

I'm really confused, as I have another VLAN and this works fine, it seems. The config is the same.

Dan

Dan

I believe that the issue with the route map is fairly simple. The way the route map is configured, it takes any incoming packet with a source address in subnet 96 and forwards it to the firewall. So when you attempt to ping the default gateway, the PC sends the ping packet, the switch sets the next hop as the firewall and forwards it, and the firewall does not send the packet back to the switch (and even if it did, the policy would forward it back to the firewall again, creating a loop). So what you need to do to fix this is to change the access list used in the route map. The new access list should deny packets with source in subnet 96 and destination of the switch interface address, and then the existing statement to permit packets from subnet 96.

HTH

Rick


Thank you. I was facing the same issue. Denying local traffic resolves the issue.


Extended IP access list 101
10 deny ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255 (1113 matches)
20 permit ip 192.168.8.0 0.0.0.255 any (149 matches)
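The fix Rick describes, and the generalised version in the reply above, spelled out for the thread's own addresses. This is an added example written for this page, not config posted by anyone in the thread; the 10.11.120.0/24 range used in the optional second deny is an assumption about the rest of the address plan. The point a practitioner should keep in mind: a deny entry in the ACL referenced by a route-map does not drop the packet, it only excludes it from that route-map sequence, so the packet falls through to the normal routing table (here the directly connected Vlan96, so the ping reaches the SVI). The inbound filter ip access-group 2030 is a separate, unrelated ACL and stays as it is. The sh sdm prefer output in the original post already shows the "desktop routing" template with PBR TCAM entries, so the template is not the cause.

```text
! Added example (not from the thread). Rebuild ACL 2530 so that traffic from
! 10.11.120.96/28 to the switch's own SVI address 10.11.120.98 is exempt from
! policy routing. Numbered ACL entries are appended at the end, so the ACL is
! removed and re-entered in the required order.
no access-list 2530
access-list 2530 remark ***Information Network Route Map ACL***
! Pings (and anything else) from the host subnet to the gateway itself:
! "deny" here means "not policy routed", not "dropped".
access-list 2530 deny   ip 10.11.120.96 0.0.0.15 host 10.11.120.98
! Optional, in the spirit of the 192.168.0.0/16 deny in the reply above:
! also leave inter-VLAN traffic that the switch routes itself alone.
! 10.11.120.0/24 is an ASSUMED address plan for illustration only.
access-list 2530 deny   ip 10.11.120.96 0.0.0.15 10.11.120.0 0.0.0.255
! Everything else from the host subnet still goes to the firewall.
access-list 2530 permit ip 10.11.120.96 0.0.0.15 any
!
! Route-map unchanged: sequence 10 now only matches what 2530 permits.
route-map Information-RM permit 10
 match ip address 2530
 set ip next-hop 10.11.120.97
!
! Already applied in the original post; shown for completeness.
interface Vlan96
 ip policy route-map Information-RM
```

To check it, ping 10.11.120.98 from the host and confirm with show access-lists 2530 that the hit counter on the deny line (not the permit line) increments, and with show route-map Information-RM that the policy-routing match counter does not move for those packets while a ping to an address beyond the firewall still increments it.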
