Cisco Support Community
PBR configured with missing ACL

I ran into a strange problem this morning. We have a working PBR route map on a 6509 switch and a 3750 switch, each in different locations.

On both devices, the route-map is configured to match on one of multiple ACLs, then set the next hop to a directly-connected IP address, like so:

route-map PBR-map
  match ip address ACL1
  match ip address ACL2
  ....
  match ip address ACL20
  set ip next-hop 1.1.1.5

When copying in the ACL contents for "ACL20", they were accidentally copied into the ACL1 list, and ACL20 was never created.

Shortly after this was done, the next hop router went unreachable in both locations. Pings failed and the 6509 and 3750 each lost the EIGRP adjacency to the 1.1.1.5 router. After troubleshooting, I removed "match ip address ACL20" and connectivity returned.

My question is...if a PBR route-map tries to match on a non-existent ACL, what happens? Does it mark the next hop unreachable (even though it's directly connected) or does it match for ALL traffic and send *everything* there (thus, making it appear unreachable, as if a broadcast storm was happening)?

Thanks,

-Andy

Accepted Solution

PBR configured with missing ACL

Hi,

If you try to match to an access-list that does not exist then it permits any by default.

Check the next link by Cisco

"If an access list is referenced by name in a command, but the access list does not exist, all packets pass."

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html

Hope that helps!

Vasilis
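The behaviour Vasilis quotes (a referenced-but-undefined ACL passes all packets, so a PBR clause naming it policy-routes everything to the next hop) is easy to catch before a config is pushed. The following is an added example, not code from the thread or from Cisco: a small lint that parses an IOS-style config, collects the ACLs that are actually defined, and reports every route-map clause whose "match ip address" list names an ACL that is missing. The sample config is constructed to mirror the route-map in the question; the IP ranges and the Vlan100 interface are assumptions.

```python
"""Lint an IOS-style config for route-map 'match ip address' clauses that
reference ACLs which are never defined (added example, not Cisco code)."""
import re
from typing import Dict, List, Set

# Constructed sample modelled on the thread's route-map: ACL20 is referenced
# by PBR-map but never defined, which is the misconfiguration in the question.
SAMPLE_CONFIG = """\
ip access-list extended ACL1
 permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended ACL2
 permit ip 10.2.0.0 0.0.255.255 any
!
route-map PBR-map permit 10
 match ip address ACL1
 match ip address ACL2
 match ip address ACL20
 set ip next-hop 1.1.1.5
!
interface Vlan100
 ip policy route-map PBR-map
"""

# Same config with the missing ACL actually defined (constructed "after" state).
FIXED_CONFIG = SAMPLE_CONFIG + """\
ip access-list extended ACL20
 permit ip 10.20.0.0 0.0.255.255 any
"""

ACL_DEF_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ")
ROUTE_MAP_RE = re.compile(r"^route-map (\S+)(?: (permit|deny))?(?: (\d+))?\s*$")
MATCH_RE = re.compile(r"^\s+match ip address (.+?)\s*$")


def defined_acls(config: str) -> Set[str]:
    """Names (or numbers) of every ACL the config actually defines."""
    names: Set[str] = set()
    for line in config.splitlines():
        m = ACL_DEF_RE.match(line) or NUMBERED_ACL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def route_map_acl_refs(config: str) -> Dict[str, List[str]]:
    """Map each route-map clause ("name seq") to the ACLs it matches on.
    Handles both one ACL per 'match' line and several names on one line."""
    refs: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = ROUTE_MAP_RE.match(line)
        if m:
            # IOS assigns sequence 10 when none is given on the route-map line.
            current = f"{m.group(1)} {m.group(3) or '10'}"
            refs.setdefault(current, [])
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # a non-indented line ends the route-map block
            continue
        m = MATCH_RE.match(line)
        if m:
            refs[current].extend(m.group(1).split())
    return refs


def dangling_acl_refs(config: str) -> Dict[str, List[str]]:
    """Route-map clauses that reference an ACL the config never defines.
    Per the Cisco note quoted in the thread, such a clause matches all packets,
    so on a PBR clause every packet would take the configured next hop."""
    defined = defined_acls(config)
    return {
        clause: [acl for acl in acls if acl not in defined]
        for clause, acls in route_map_acl_refs(config).items()
        if any(acl not in defined for acl in acls)
    }


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        problems = dangling_acl_refs(cfg)
        if problems:
            for clause, missing in problems.items():
                print(f"[{label}] route-map {clause}: undefined ACL(s) {missing}")
        else:
            print(f"[{label}] no dangling ACL references")
```

Running the script reports "route-map PBR-map 10: undefined ACL(s) ['ACL20']" for the constructed before-state and nothing for the fixed one. The check treats numbered and named ACLs alike and only looks at "match ip address"; it does not try to evaluate what the defined ACLs permit.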

5 REPLIES

PBR configured with missing ACL

For Policy-Based Routing, if no traffic is matched it will simply be processed/forwarded normally by looking at the routing table or with CEF. However, it is possible to blackhole traffic IF the traffic is matched and the next-hop is not correct.


PBR configured with missing ACL

My apologies for giving you incorrect information Andy, Vasilis is absolutely correct. I was not aware of this sort of implicit permit for a non-existent access-list. Thank you for teaching me something new Vasilis.

PBR configured with missing ACL

Hi Nicholas,

If you do not have any additional questions then please set your question as answered.

Thanks!

Vasilis


PBR configured with missing ACL

Thank you for the answer. It seems odd to me that it would work that way - typically, for an ACL that is used for filtering purposes, if a non-existent one is applied to an interface, then it would block everything by default. My original thought was that using a non-existent ACL would simply not match and move on to the next ACL.
