
New Member

Problem with Route Maps on 3560G

Hi Everyone,

I have a 3560G with 3 VLANs connected to a Cisco ASA with the same VLANs. I want to have the switch interface for each VLAN as the default gateway for clients and then forward this traffic to the ASA for firewalling. Problem is, due to the switch knowing about the destination VLAN, it will send it directly and bypass the FW. So, I want to use route maps to forward the traffic received on say, VLAN 100, to the IP address of the FW in VLAN 100. This is how I am trying to do it.

This is my VLAN config on the switch and the default gateway:

interface Vlan100
 ip address

This is my route map statement to force the traffic from (on VLAN 100) to go to the FW interface on the same network.

access-list 100 permit ip host any
route-map HIST-FTP permit 10
 match ip address 100
 set ip next-hop

The route map sees no matching packets when I ping from to

SL-3560G-Switch#sh route-map
route-map HIST-FTP, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop
  Policy routing matches: 0 packets, 0 bytes

This is my routing table on the switch.

Gateway of last resort is to network
S* [1/0] via is variably subnetted, 8 subnets, 3 masks
C is directly connected, Vlan100
L is directly connected, Vlan100
C is directly connected, Vlan216
L is directly connected, Vlan216
C is directly connected, Vlan224
L is directly connected, Vlan224
C is directly connected, Vlan500
L is directly connected, Vlan500

When I ping from, I get this.

Pinging with 32 bytes of data:
Reply from Destination host unreachable.

Any help would be greatly appreciated.


Hall of Fame Super Silver



Can you verify whether is reachable? If you do show arp is there an entry for this address?



New Member

It is reachable from the switch, i.e. the switch has an ARP for it, but not from the host within that VLAN.


New Member

Sorry, I should have added, the host can ping, so therefore it gets an ARP for it.


New Member

Quick update.

I can now ping it, but I think this is because the switch sees it as directly connected and therefore it is not going to the FW as I get no matching hits on the ACL applied to the ASA interface.

Also, my route map config gets no matching packets. Not sure why.


Cisco Employee


Did you add this command to the vlan interface? 

ip policy route-map HIST-FTP

You will also want to add no ip redirects on the vlan 100 interface to avoid having the traffic be software switched.  You will never see matches on the route-map when the traffic is being hardware switched, but the traffic will be forwarded.
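
The gap identified in the answer above (a route-map that exists but is never attached to the VLAN interface, so inter-VLAN traffic never reaches the firewall) can be checked for offline. This is an added example, not part of the thread: the function name audit_pbr, the sample config and its documentation-range addresses are constructed, and it assumes every SVI is meant to hand its traffic to the firewall.

```python
import re

# Constructed sample config: addresses are documentation-range placeholders,
# not the values from the thread (which are not shown on the page).
SAMPLE_CONFIG = """\
access-list 100 permit ip host 192.0.2.10 any
!
route-map HIST-FTP permit 10
 match ip address 100
 set ip next-hop 192.0.2.254
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan216
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
 ip policy route-map HIST-FTP
!
interface Vlan224
 ip address 203.0.113.1 255.255.255.0
 ip policy route-map MISSING-MAP
"""

def audit_pbr(config):
    """Return {svi_name: [findings]} for each 'interface VlanN' with a PBR gap."""
    route_maps = set(re.findall(r"^route-map (\S+) ", config, re.M))
    findings = {}
    # An interface stanza is its header line plus the indented lines after it.
    stanza = re.compile(r"^interface (Vlan\d+)\n((?: .*(?:\n|\Z))*)", re.M)
    for m in stanza.finditer(config):
        name, body = m.group(1), m.group(2)
        issues = []
        policy = re.search(r"^ ip policy route-map (\S+)", body, re.M)
        if policy is None:
            issues.append("no 'ip policy route-map': switch routes between VLANs itself")
        elif policy.group(1) not in route_maps:
            issues.append(f"policy references undefined route-map {policy.group(1)}")
        if not re.search(r"^ no ip redirects", body, re.M):
            issues.append("'no ip redirects' missing")
        if issues:
            findings[name] = issues
    return findings
```

Run it against a saved running-config; an empty result means every SVI has a policy that resolves to a defined route-map and has redirects disabled.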


New Member

I had tried to do it but it wasn't an available command. So, I downloaded a later code and added that command, now all works fine.

Thank you!