
route map problem in 3750 switch.

We are facing an issue on a Cisco 3750G-48TS switch with IOS version 12.2(46)SE.

When we apply the route-map, the server cannot communicate with the internal LAN (it is not even able to ping its own gateway) and can only communicate with the Internet.

When we remove the route-map, the server can easily communicate with the internal LAN but cannot communicate with the Internet.

Jon Marshall
VIP Community Legend

Your route-map ACL is:

ip access-list extended proxy
 permit ip any

This will match ALL traffic, internal and external, and then send it to the next-hop of

If you do not want to send internal traffic to then you need to modify the ACL, i.e.:

ip access-list extended proxy
 deny ip   <-- you need an entry for each internal subnet. Alternatively you could summarise if your internal addressing is all private, e.g.
 deny ip

then at the end have the

 permit ip any

You need to use deny statements to tell PBR not to policy route this traffic, i.e. don't send it to

There is one problem with this though. From memory, if you use deny statements in your PBR access-list all this traffic is software switched and not hardware switched, so you may get a big performance hit because you are software switching all your internal traffic from the servers. I'll check the release notes but I don't think this has changed.


Apologies for the multiple posts.

It's really not a good idea to use deny statements in your route-map ACL because of the performance hit.


Jon Marshall
VIP Community Legend

The traffic you want to policy route: is it specifically HTTP traffic, i.e. can you specify the actual ports? If so we can probably modify the ACL so that a lot less traffic is software switched.


Jon Marshall
VIP Community Legend

Okay, I just tested this on routers in GNS3 but it should work with a 3750 switch. The way to avoid using deny statements is:

1) Create an access-list that covers all internal traffic, i.e.

ip access-list extended internal
 permit ip

etc., one entry for each internal subnet. As mentioned before, you can use summarised addressing if all internal addressing is private addressing.

2) Create a second access-list for any other traffic from the server VLAN, i.e.

ip access-list extended external
 permit ip any

3) Then configure your route-map as follows:

route-map Serco permit 10
 match ip address internal
route-map Serco permit 20
 match ip address external
 set ip next-hop

This allows you to avoid using deny statements in your ACLs. Note that in the first route-map permit statement there is no next-hop set, so traffic matching the internal ACL is routed normally.
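The two layouts described in this thread (deny entries inside the PBR ACL, and the two-sequence route-map whose first sequence has no set clause) forward packets the same way; the difference on the 3750 is only whether the traffic stays hardware switched. The Python script below is an added example, not from this thread or from Cisco. It models how IOS evaluates a PBR route-map (sequences are checked in ascending order, a deny ACE or no matching ACE means the sequence does not match and evaluation moves on, and a matching permit sequence with no set clause routes the packet normally) and runs the original ACL, the deny version and the two-sequence version over a few constructed flows. The addresses 10.10.10.0/24 (server VLAN), 10.0.0.0/8 (summarised internal space), 192.168.1.254 (proxy next-hop) and 203.0.113.10 (an Internet host) are assumptions, not taken from the thread.

```python
# Added example (not from the thread): a small model of how IOS evaluates a
# PBR route-map, used to compare the three ACL layouts discussed above.
# All addresses here are assumptions for illustration only:
#   server VLAN 10.10.10.0/24, internal space 10.0.0.0/8, proxy 192.168.1.254.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

IPv4Net = ipaddress.IPv4Network


@dataclass
class Ace:
    """One access-control entry: 'permit'/'deny' plus source and destination networks."""
    action: str
    src: IPv4Net
    dst: IPv4Net


@dataclass
class Seq:
    """One route-map sequence: a match ACL and an optional 'set ip next-hop'."""
    number: int
    acl: List[Ace]
    next_hop: Optional[str] = None  # None models a sequence with no set clause


def acl_result(acl: List[Ace], src, dst) -> Optional[str]:
    """First matching ACE wins; None is the implicit deny at the end of an ACL."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return None


def policy_route(route_map: List[Seq], src: str, dst: str) -> str:
    """Return the next hop a packet is policy routed to, or 'normal' if it falls
    through to the routing table (no sequence matched, or the matching sequence
    has no set clause)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(route_map, key=lambda q: q.number):
        # A deny ACE (or no ACE at all) means "this sequence does not match",
        # so evaluation continues with the next sequence.
        if acl_result(seq.acl, s, d) == "permit":
            return seq.next_hop if seq.next_hop else "normal"
    return "normal"


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr)


ANY = net("0.0.0.0/0")
SERVERS = net("10.10.10.0/24")   # assumed server VLAN
INTERNAL = net("10.0.0.0/8")     # assumed summarised internal addressing
PROXY = "192.168.1.254"          # assumed next-hop for Internet-bound traffic

# 1) The original poster's ACL: a single permit, so everything goes to the proxy.
ORIGINAL = [Seq(10, [Ace("permit", SERVERS, ANY)], PROXY)]

# 2) Deny entries in the PBR ACL (correct forwarding, but software switched on the 3750).
WITH_DENY = [Seq(10, [Ace("deny", SERVERS, INTERNAL),
                      Ace("permit", SERVERS, ANY)], PROXY)]

# 3) Two sequences, no deny entries: internal traffic matches seq 10, which has no set clause.
TWO_SEQ = [Seq(10, [Ace("permit", SERVERS, INTERNAL)]),
           Seq(20, [Ace("permit", SERVERS, ANY)], PROXY)]

# Constructed sample flows: server -> its own gateway, server -> another internal
# host, server -> an Internet host, and a non-server host -> the Internet.
FLOWS = [("10.10.10.5", "10.10.10.1"),
         ("10.10.10.5", "10.20.0.5"),
         ("10.10.10.5", "203.0.113.10"),
         ("10.20.0.5", "203.0.113.10")]


def table(route_map: List[Seq]) -> List[str]:
    """Forwarding decision for every sample flow, in FLOWS order."""
    return [policy_route(route_map, s, d) for s, d in FLOWS]


def same_forwarding(a: List[Seq], b: List[Seq]) -> bool:
    """True if both route-maps forward every sample flow the same way."""
    return table(a) == table(b)


if __name__ == "__main__":
    for name, rm in (("original", ORIGINAL), ("with deny", WITH_DENY), ("two seq", TWO_SEQ)):
        print(f"{name:10}", list(zip(FLOWS, table(rm))))
```

Running it shows the original ACL sending even the gateway ping to the proxy, which is the symptom in the first post, while the deny version and the two-sequence version make identical decisions for every flow. The model only covers the forwarding decision; it says nothing about whether the 3750 can program the policy in hardware, which is exactly the point on which the two working layouts differ.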