07-09-2013 12:15 PM - edited 03-07-2019 02:18 PM
If I set the next-hop in a route map to a local interface, will bad things happen? configs below...
interface Vlan2
description User Subnet
ip address 10.3.3.253 255.255.254.0
ip helper-address 10.77.42.12
no ip redirects
no ip proxy-arp
ip route-cache policy
no ip mroute-cache
interface Vlan32
description Server Subnet
ip address 10.77.43.253 255.255.254.0
no ip redirects
ip route-cache policy
no ip mroute-cache
route-map Hosted_Security permit 10
match ip address Hosted_Security_Internal <-----these addresses are on vlan 2
set ip next-hop 10.77.43.253 <---- this is what I am concerned about
!
route-map Hosted_Security permit 20
match ip address Hosted_Security_External
set ip next-hop 10.77.42.10
07-09-2013 05:31 PM
If you configure a route map for Policy Based Routing and you set the next hop to the IP address of a local interface then the router will attempt to forward the packet to itself. I would say that this was pretty much a bad thing to happen.
HTH
Rick
07-10-2013 06:23 AM
When the router sends the packet back to itself, will it ignore the route-map the second time it decides what to do with it?
07-10-2013 06:36 AM
I am not clear what the router would do. It is possible that the router would see it and just use normal routing. But it is possible that the router would treat it as a packet that it cannot forward and drop the packet. And I am puzzled why you would want to set the next hop to its own interface, which is essentially not a valid configuration. If you want to forward differently than normal routing, that is what PBR is for and it needs a valid next hop. If you really want normal routing for the packet then why use PBR?
HTH
Rick
07-10-2013 06:48 AM
I originally had deny statements in the ACL that were not letting internal traffic be routed via the route map. The 3750 that I am using sends packets that match the deny statements to the CPU, which causes problems.
So, I want the ACL statements to look like this:
deny 10.3.2.0 0.0.0.255 10.0.0.0 0.255.255.255
permit 10.3.2.0 0.0.0.255 any
This makes the packets that are not destined for internal addresses get sent to the new address. It works, but with one host using this rule, the CPU hits ~70% utilization.
The above rules are an attempt to work around that limitation of the 3750. I am under a little bit of a time crunch, and I'm open to any suggestions on a better way to achieve this. I am attempting to change the default next-hop for only one vlan.
07-10-2013 07:15 AM
I don't have access to a test lab, but if I remember correctly you can skip the "SET" clause in the route map permit statement and it should pass the traffic normally without any modification, so permit statement 10 can have only the "MATCH" clause and that should do the job.
Then again, test it in a lab or at least on GNS.
Manish
07-10-2013 07:36 AM
The additional information is helpful. You can achieve what you want by having the first instance of the route map do the match and not have a set statement. That traffic will be routed normally. Then the second instance in the route map will policy route the desired traffic.
The config that you posted does a set IP next-hop. If what you want to change is really the default routing for the traffic that would be a slightly different set command.
HTH
Rick
Sent from Cisco Technical Support iPhone App
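The match-only first sequence that Manish and Rick describe, written out as an added example (not the configuration of anyone in this thread). It reuses the ACL names, the 10.3.2.0/24 source range and the 10.77.42.10 next hop from the posts above; applying the route-map to Vlan2 with `ip policy route-map` is my assumption, since the thread never shows where it is applied.

```cisco
! Added example: keep internal traffic on normal routing, policy-route only
! the rest. No deny entries in the ACLs, so nothing is punted to the CPU.
!
! Internal destinations from the hosted-security hosts on Vlan2
ip access-list extended Hosted_Security_Internal
 permit ip 10.3.2.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Everything else from those same hosts (Internet-bound)
ip access-list extended Hosted_Security_External
 permit ip 10.3.2.0 0.0.0.255 any
!
! Sequence 10: match with NO set clause. Matching packets fall through to the
! normal routing table instead of being handed back to the switch itself.
route-map Hosted_Security permit 10
 match ip address Hosted_Security_Internal
!
! Sequence 20: only the traffic that did not match sequence 10 is policy-routed.
route-map Hosted_Security permit 20
 match ip address Hosted_Security_External
 set ip next-hop 10.77.42.10
!
! Assumed placement: apply the policy to the user VLAN, leaving the other
! VLANs on normal routing.
interface Vlan2
 ip policy route-map Hosted_Security
```

If the intent is only to override the default route rather than all routing for that VLAN, `set ip default next-hop 10.77.42.10` in sequence 20 applies the next hop only when no explicit route for the destination exists, which is one reading of the "slightly different set command" Rick mentions.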