route map problem in 3750 switch.

AKIL HASAN · ‎08-16-2011

we are facing an issue on Cisco 3750G-48TS switch with IOS version 12.2(46)SE.

When we are applying the route-map Server could not communicate with internal LAN, even not able to ping its own Gateway, and only communicate with Internet.

When we are removing the route-map Server can easily communicate with Internal LAN, but could not communicate with Internet.

Jon Marshall · ‎08-16-2011

Your route-map acl is -

ip access-list extended proxy

permit ip 172.28.151.0 0.0.0.15 any

this will match ALL traffic, internal and external, and then send it to the next-hop of 172.28.156.250.

if you do not want to send internal traffic to 172.28.156.250 then you need to modify the acl ie.

ip access-list extended proxy

deny ip 172.28.151.0 0.0.0.15 <-- you need an entry for each internal subnet. Alternatively you could summarise if your internal addressing is all private eg.

deny ip 172.28.151.0 0.0.0.15 10.0.0.0 0.255.255.255

then at the end have the

permit ip 172.28.151.0 0.0.0.15 any

you need to use deny statements to tell PBR not to policy route this traffic ie. don't send it to 172.28.156.250.

There is one problem with this though. From memory if you use deny statements in your PBR access-list all this traffic is software switched and not hardware switched so you may get a big preformance hit because you are software switching all your internal traffic from the servers. I'll check the release notes but i don't think this has changed.

Jon

Jon Marshall · ‎08-16-2011

Apologies for the multiple posts.

It's really not a good idea to use deny statements in your route-map acl because of the performance hit.

Jon

Jon Marshall · ‎08-16-2011

The traffic you want to policy route. Is it specifically http traffic ie. can ou specify the actual ports. If so we can probably modify the acl so that a lot less traffic is software switched.

Jon

Jon Marshall · ‎08-16-2011

Okay, just tested this on routers in GNS3 but it should work with 3750 switch. The way to avoid using deny statements is -

1) create an access-list that covers all internal traffic ie.

ip access-list extended internal

permit ip 172.28.151.0 0.0.0.15

etc..for each internal subnet. As mentioned before you can use summarised addressing if all internal addressing is private addressing

2) create a second access for any other traffic from the server vlan ie.

ip access-list extended external

permit ip 172.28.151.0 0.0.0.15 any

3) then configure your route-map as follows -

route-map Serco permit 10

match ip address 101

route-map Serco permit 20

match ip address 102

set ip next-hop 172.28.156.250

this allows you to avoid using deny statements in your acls. Note in the first route-map permit statement there is no next-hop set.

Jon