PBR configured with missing ACL

aweise
Level 1

I ran into a strange problem this morning. We have a working PBR route map on a 6509 switch and a 3750 switch, each in different locations.

On both devices, the route-map is configured to match on one of multiple ACLs, then set the next hop to a directly-connected IP address, like so:

route-map PBR-map
  match ip address ACL1
  match ip address ACL2
  ....
  match ip address ACL20
  set ip next-hop 1.1.1.5

When copying in the ACL contents for "ACL20", they were accidentally copied in to the ACL1 list, and ACL20 was never created.

Shortly after this was done, the next hop router went unreachable in both locations. Pings failed and the 6509 and 3750 each lost the EIGRP adjacency to the 1.1.1.5 router. After troubleshooting, I removed "match ip address ACL20" and connectivity returned.

My question is...if a PBR route-map tries to match on a non-existent ACL, what happens? Does it mark the next hop unreachable (even though it's directly connected) or does it match for ALL traffic and send *everything* there (thus, making it appear unreachable, as if a broadcast storm was happening)?

Thanks,

-Andy

1 Accepted Solution

Hi,

If you try to match to an access-list that does not exist then it permits any by default.

Check the next link by Cisco

"If an access list is referenced by name in a command, but the access list does not exist, all packets pass."

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html

Hope that helps!

Vasilis

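As an added example (not from this thread or from Cisco), a small pre-deployment check in Python that applies the rule Vasilis quotes: it parses an IOS-style config and flags every route-map match clause that references an ACL the config never creates, because that clause then matches all packets rather than being skipped. The config text is constructed to mirror Andy's situation (ACL20 referenced but never defined); the parsing is limited to the `ip access-list` / `access-list` and `route-map` stanzas shown.

```python
import re

# Constructed config mirroring the poster's mistake: the route-map references
# ACL20, but its entries were pasted into ACL1 and ACL20 was never created.
FAULTY_CONFIG = """\
ip access-list extended ACL1
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.20.0.0 0.0.255.255 any
ip access-list extended ACL2
 permit ip 10.2.0.0 0.0.255.255 any
route-map PBR-map permit 10
 match ip address ACL1
 match ip address ACL2
 match ip address ACL20
 set ip next-hop 1.1.1.5
"""

# Matches both 'ip access-list extended NAME' and numbered 'access-list 101 ...'
ACL_DEF = re.compile(r"^(?:ip access-list (?:standard|extended) |access-list )(\S+)")
RM_HEADER = re.compile(r"^route-map (\S+) (?:permit|deny) (\d+)")


def defined_acls(config: str) -> set[str]:
    """Names (or numbers) of every ACL the config actually creates."""
    return {m.group(1) for m in map(ACL_DEF.match, config.splitlines()) if m}


def undefined_acl_refs(config: str) -> list[tuple[str, str]]:
    """Return (route-map clause, ACL) pairs whose ACL is referenced but never defined.

    Per the Cisco note quoted in the thread, a missing named ACL matches ALL
    packets, so such a clause becomes a catch-all instead of being skipped.
    Handles both the poster's one-ACL-per-line form and the single-line
    'match ip address A B C' form IOS stores in running-config.
    """
    acls = defined_acls(config)
    findings = []
    clause = None
    for line in config.splitlines():
        m = RM_HEADER.match(line)
        if m:
            clause = f"{m.group(1)} seq {m.group(2)}"
        elif not line.startswith(" "):
            clause = None  # left the route-map stanza
        elif clause and line.startswith(" match ip address "):
            for acl in line.split()[3:]:
                if acl not in acls:
                    findings.append((clause, acl))
    return findings
```

Running `undefined_acl_refs(FAULTY_CONFIG)` reports `PBR-map seq 10` referencing the missing `ACL20`; once an `ip access-list extended ACL20` stanza is added, the check comes back empty.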

5 Replies

lucentmoon
Level 1

For Policy-Based Routing - if no traffic is matched, it will simply be processed/forwarded normally by looking at the routing table or with CEF. However, it is possible to blackhole traffic IF the traffic is matched and the next-hop is not correct.


My apologies for giving you incorrect information Andy, Vasilis is absolutely correct. I was not aware of this sort of implicit permit for a non-existent access-list. Thank you for teaching me something new Vasilis.

Hi Nicholas,

If you do not have any additional questions then please set your question as answered.

Thanks!

Vasilis

Thank you for the answer. It seems odd to me that it would work that way - typically, for an ACL that is used for filtering purposes, if a non-existent one is applied to an interface, then it would block everything by default. My original thought was that using a non-existent ACL would simply not match and move on to the next ACL.
