04-02-2012 10:19 AM - edited 03-07-2019 05:55 AM
I ran into a strange problem this morning. We have a working PBR route map on a 6509 switch and a 3750 switch, each in different locations.
On both devices, the route-map is configured to match on one of multiple ACLs, then set the next hop to a directly-connected IP address, like so:
route-map PBR-map
match ip address ACL1
match ip address ACL2
....
match ip address ACL20
set ip next-hop 1.1.1.5
When copying in the ACL contents for "ACL20", they were accidentally copied in to the ACL1 list, and ACL20 was never created.
Shortly after this was done, the next hop router went unreachable in both locations. Pings failed and the 6509 and 3750 each lost the EIGRP adjacency to the 1.1.1.5 router. After troubleshooting, I removed "match ip address ACL20" and connectivity returned.
My question is...if a PBR route-map tries to match on a non-existent ACL, what happens? Does it mark the next hop unreachable (even though it's directly connected) or does it match for ALL traffic and send *everything* there (thus, making it appear unreachable, as if a broadcast storm was happening)?
Thanks,
-Andy
04-02-2012 02:32 PM
Hi,
If you try to match to an access-list that does not exist, then it permits any by default.
Check the next link by Cisco
"If an access list is referenced by name in a command, but the access list does not exist, all packets pass."
http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html
Hope that helps!
Vasilis
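As an added illustration that is not part of the thread, the following Python model evaluates the route-map's match clauses the way the Cisco note quoted above describes: a referenced ACL that does not exist is treated as "permit any", and several "match ip address" lists in one route-map entry are satisfied if any one of them permits the packet. The ACL contents, the missing "ACL20", and the 192.0.2.7 test source are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed standard ACLs: each entry is (action, source prefix).
# "ACL20" is deliberately absent, as in the thread.
AclTable = Dict[str, List[Tuple[str, str]]]
ACLS: AclTable = {
    "ACL1": [("permit", "10.1.0.0/16")],
    "ACL2": [("permit", "10.2.0.0/16")],
}


def acl_permits(name: str, src: str, acls: AclTable) -> bool:
    """Evaluate a named standard ACL against a source address.

    A referenced ACL that does not exist lets all packets pass
    (the behaviour quoted from the Cisco documentation), so it is
    treated as 'permit any'. An existing ACL uses first-match
    semantics with the usual implicit deny at the end.
    """
    entries = acls.get(name)
    if entries is None:
        return True  # missing ACL: everything passes
    addr = ipaddress.ip_address(src)
    for action, prefix in entries:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False  # implicit deny


def policy_next_hop(src: str, match_acls: List[str],
                    next_hop: str, acls: AclTable) -> Optional[str]:
    """Return the PBR next hop, or None when the packet is routed normally.

    Multiple 'match ip address' lists in one route-map entry are ORed:
    the entry matches if any listed ACL permits the packet.
    """
    if any(acl_permits(name, src, acls) for name in match_acls):
        return next_hop
    return None


def compare_maps(src: str, acls: AclTable = ACLS) -> Tuple[Optional[str], Optional[str]]:
    """Next hop under the broken map (ACL20 referenced but never created)
    versus the map after 'no match ip address ACL20'."""
    broken = ["ACL1", "ACL2", "ACL20"]
    fixed = ["ACL1", "ACL2"]
    return (policy_next_hop(src, broken, "1.1.1.5", acls),
            policy_next_hop(src, fixed, "1.1.1.5", acls))


if __name__ == "__main__":
    for source in ("10.1.2.3", "192.0.2.7"):
        print(source, compare_maps(source))
```

With the missing ACL in place every source, including 192.0.2.7 which no real ACL permits, is policy-routed to 1.1.1.5; once the reference is removed only ACL1/ACL2 traffic is.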
04-02-2012 01:53 PM
For Policy-Based Routing - If no traffic is matched, it will simply be processed/forwarded normally by looking at the routing table or with CEF. However, it is possible to blackhole traffic IF the traffic is matched and the next-hop is not correct.
04-02-2012 03:26 PM
My apologies for giving you incorrect information, Andy; Vasilis is absolutely correct. I was not aware of this sort of implicit permit for a non-existent access-list. Thank you for teaching me something new, Vasilis.
04-02-2012 11:25 PM
Hi Nicholas,
If you do not have any additional questions then please set your question as answered.
Thanks!
Vasilis
04-03-2012 05:29 AM
Thank you for the answer. It seems odd to me that it would work that way - typically, for an ACL that is used for filtering purposes, if a non-existent one is applied to an interface, then it would block everything by default. My original thought was that using a non-existent ACL would simply not match and move on to the next ACL.