
New Member

Problem with Route Maps on 3560G

Hi Everyone,

I have a 3560G with 3 VLANs connected to a Cisco ASA with the same VLANs. I want to have the switch interface for each VLAN as the default gateway for clients and then forward this traffic to the ASA for firewalling. Problem is, due to the switch knowing about the destination VLAN, it will send it directly and bypass the FW. So, I want to use route maps to forward the traffic received on say, VLAN 100, to the IP address of the FW in VLAN 100. This is how I am trying to do it.

This is my VLAN config on the switch and the default gateway:

interface Vlan100
 ip address 10.11.120.14 255.255.255.240

This is my route map statement to force the traffic from 10.11.120.2 (on VLAN 100) to go to the FW interface on the same network.

access-list 100 permit ip host 10.11.120.2 any
route-map HIST-FTP permit 10
 match ip address 100
 set ip next-hop 10.11.120.1

The route map sees no matching packets when I ping from 10.11.120.2 to 10.11.121.3:

SL-3560G-Switch#sh route-map
route-map HIST-FTP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop 10.11.120.1
  Policy routing matches: 0 packets, 0 bytes

This is the routing table on the switch:

Gateway of last resort is 10.11.120.225 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.11.120.225
      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C        10.11.120.0/28 is directly connected, Vlan100
L        10.11.120.14/32 is directly connected, Vlan100
C        10.11.120.216/29 is directly connected, Vlan216
L        10.11.120.221/32 is directly connected, Vlan216
C        10.11.120.224/28 is directly connected, Vlan224
L        10.11.120.226/32 is directly connected, Vlan224
C        10.11.121.0/28 is directly connected, Vlan500
L        10.11.121.2/32 is directly connected, Vlan500

When I ping from 10.11.120.2, I get this:

Pinging 10.11.121.3 with 32 bytes of data:
Reply from 10.11.120.14: Destination host unreachable.

Any help would be greatly appreciated.


Dan

6 REPLIES
Hall of Fame Super Silver

Problem with Route Maps on 3560G

Dan

Can you verify whether 10.11.120.1 is reachable? If you do show arp is there an entry for this address?

HTH

Rick

New Member

Problem with Route Maps on 3560G

It is reachable from the switch, i.e. the switch has an ARP entry for it, but not from the host within that VLAN.

Dan

New Member

Problem with Route Maps on 3560G

Sorry, I should have added: the host can ping 10.11.120.1, so it does get an ARP entry for it.

Dan

New Member

Problem with Route Maps on 3560G

Quick update.

I can now ping it, but I think this is because the switch sees it as directly connected and therefore the traffic is not going to the FW, as I get no matching hits on the ACL applied to the ASA interface.

Also, my route map config still gets no matching packets. Not sure why.

Dan

Cisco Employee

Problem with Route Maps on 3560G

Did you add this command to the VLAN interface?

ip policy route-map HIST-FTP

You will also want to add "no ip redirects" on the VLAN 100 interface to avoid having the traffic be software switched. You will never see matches on the route-map when the traffic is being hardware switched, but the traffic will be forwarded.

-Matt
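As an added example (not code from this thread, from Cisco, or from the poster), a small Python audit that reads a saved IOS-style running-config and checks, for each VLAN interface expected to hand traffic to the firewall, that the two statements named above are present ("ip policy route-map" and "no ip redirects") and that the route map and the ACL it matches actually exist. The sample config and the interface-to-route-map mapping are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the thread). Vlan100 applies the
# route map but lacks "no ip redirects"; Vlan500 has neither statement.
SAMPLE_CONFIG = """\
access-list 100 permit ip host 10.11.120.2 any
!
route-map HIST-FTP permit 10
 match ip address 100
 set ip next-hop 10.11.120.1
!
interface Vlan100
 ip address 10.11.120.14 255.255.255.240
 ip policy route-map HIST-FTP
!
interface Vlan500
 ip address 10.11.121.2 255.255.255.240
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-command lines]} from an IOS-style config."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_pbr(config: str, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """expected maps each VLAN interface to the route map it must apply.
    Returns {interface: [findings]}; an empty list means the interface is OK."""
    defined_maps = set(re.findall(r"^route-map (\S+)", config, flags=re.M))
    acls = set(re.findall(r"^access-list (\d+)", config, flags=re.M))
    matched = set(re.findall(r"^ match ip address (\d+)", config, flags=re.M))
    interfaces = parse_interfaces(config)
    findings: Dict[str, List[str]] = {}
    for name, rmap in expected.items():
        cmds = interfaces.get(name, [])
        issues = []
        if rmap not in defined_maps:
            issues.append(f"route-map {rmap} is not defined")
        if f"ip policy route-map {rmap}" not in cmds:
            issues.append(f"'ip policy route-map {rmap}' not applied")
        if "no ip redirects" not in cmds:
            issues.append("'no ip redirects' missing (traffic may be software switched)")
        findings[name] = issues
    for acl in matched - acls:  # route map matches an ACL that does not exist
        findings.setdefault("route-map", []).append(f"missing ACL {acl}")
    return findings
```

Run it against the output of "show running-config" saved to a file; any non-empty list is an interface whose traffic may be routed directly between VLANs instead of through the firewall.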

New Member

Problem with Route Maps on 3560G

Brilliant.

I had tried to do it but it wasn't an available command. So, I downloaded a later code and added that command, and now all works fine.

Thank you!
