04-02-2012 07:05 AM - edited 03-07-2019 05:54 AM
Hi Everyone,
I have a 3560G with 3 VLANs connected to a Cisco ASA with the same VLANs. I want to have the switch interface for each VLAN as the default gateway for clients and then forward this traffic to the ASA for firewalling. Problem is, due to the switch knowing about the destination VLAN, it will send it directly and bypass the FW. So, I want to use route maps to forward the traffic received on say, VLAN 100, to the IP address of the FW in VLAN 100. This is how I am trying to do it.
This is my VLAN config on the switch and the default gateway:
interface Vlan100
ip address 10.11.120.14 255.255.255.240
This is my route map statement to force the traffic from 10.11.120.2 (on VLAN 100) to go to the FW interface on the same network.
access-list 100 permit ip host 10.11.120.2 any
route-map HIST-FTP permit 10
match ip address 100
set ip next-hop 10.11.120.1
The route map sees no matching packets when I ping from 10.11.120.2 to 10.11.121.3
SL-3560G-Switch#sh route-map
route-map HIST-FTP, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 10.11.120.1
Policy routing matches: 0 packets, 0 bytes
This is my routing table on the switch.
Gateway of last resort is 10.11.120.225 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.11.120.225
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
C 10.11.120.0/28 is directly connected, Vlan100
L 10.11.120.14/32 is directly connected, Vlan100
C 10.11.120.216/29 is directly connected, Vlan216
L 10.11.120.221/32 is directly connected, Vlan216
C 10.11.120.224/28 is directly connected, Vlan224
L 10.11.120.226/32 is directly connected, Vlan224
C 10.11.121.0/28 is directly connected, Vlan500
L 10.11.121.2/32 is directly connected, Vlan500
When I ping from 10.11.120.2, I get this.
Pinging 10.11.121.3 with 32 bytes of data:
Reply from 10.11.120.14: Destination host unreachable.
Any help would be greatly appreciated.
Dan
04-02-2012 07:28 AM
Dan
Can you verify whether 10.11.120.1 is reachable? If you do show arp is there an entry for this address?
HTH
Rick
04-02-2012 07:32 AM
It is reachable from the switch, i.e. the switch has an ARP entry for it, but not from the host within that VLAN.
Dan
04-02-2012 07:33 AM
Sorry, I should have added, the host can ping 10.11.120.1, so therefore it gets an ARP for it.
Dan
04-02-2012 08:10 AM
Quick update.
I can now ping it, but I think this is because the switch sees it as directly connected and therefore it is not going to the FW, as I get no matching hits on the ACL applied to the ASA interface.
Also, my route map config gets no matching packets. Not sure why.
Dan
04-02-2012 08:40 AM
Did you add this command to the vlan interface?
ip policy route-map HIST-FTP
You will also want to add no ip redirects on the vlan 100 interface to avoid having the traffic be software switched. You will never see matches on the route-map when the traffic is being hardware switched, but the traffic will be forwarded.
-Matt
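Because hardware-switched PBR never increments the route-map match counters Matt mentions, a config-level check is the practical way to confirm the two things his answer asks for. The following script is an added example written for this thread, not something posted in it: it parses an IOS-style running-config (assuming the usual layout of top-level `interface` / `route-map` lines with space-indented sub-commands) and flags a route-map that is defined but not applied to any SVI, an SVI that applies an undefined route-map, and a policy-routed SVI that lacks `no ip redirects`. The sample configs are constructed from Dan's posts.

```python
import re

def audit_pbr(config: str) -> list[str]:
    """Flag PBR config gaps: an unapplied or undefined route-map, and a
    policy-routed SVI missing 'no ip redirects' (the thread's fix)."""
    interfaces, route_maps, block = {}, {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            block = None                      # section separator
        elif m := re.match(r"interface (\S+)", line):
            block = interfaces.setdefault(m.group(1), [])
        elif m := re.match(r"route-map (\S+) ", line):
            block = route_maps.setdefault(m.group(1), [])
        elif line.startswith(" ") and block is not None:
            block.append(line.strip())        # sub-command of current block
        else:
            block = None                      # e.g. global access-list lines
    findings, applied = [], set()
    for name, lines in interfaces.items():
        for cmd in lines:
            if cmd.startswith("ip policy route-map "):
                rm = cmd.split()[-1]
                applied.add(rm)
                if rm not in route_maps:
                    findings.append(f"{name}: applies undefined route-map {rm}")
                if "no ip redirects" not in lines:
                    findings.append(f"{name}: policy-routed SVI lacks 'no ip redirects'")
    for rm in route_maps:
        if rm not in applied:
            findings.append(f"route-map {rm} is defined but not applied to any interface")
    return findings

# Constructed from the thread: Dan's original config, where the route-map
# exists but is never applied to the VLAN 100 SVI.
BEFORE = """\
interface Vlan100
 ip address 10.11.120.14 255.255.255.240
!
access-list 100 permit ip host 10.11.120.2 any
route-map HIST-FTP permit 10
 match ip address 100
 set ip next-hop 10.11.120.1
"""
# The same config with Matt's two additions on the SVI.
AFTER = BEFORE.replace(" ip address 10.11.120.14 255.255.255.240\n",
                       " ip address 10.11.120.14 255.255.255.240\n"
                       " no ip redirects\n ip policy route-map HIST-FTP\n")

if __name__ == "__main__":
    print(audit_pbr(BEFORE), audit_pbr(AFTER))
```

Running it against the two configs reports the unapplied route-map for the original and nothing for the corrected version.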
04-02-2012 09:07 AM
Brilliant.
I had tried to do it but it wasn't an available command. So, I downloaded a later code and added that command, now all works fine.
Thank you!