You have also a PBR there : Supervisory-RM -> next-hop 10.11.120.129.

Beyond the initial query , what are you trying to achieve ?

What does the access-lists 2540 and 2550 contain ?

Dan

I am trying to configure the routing so that if they FW is down, the traffic will be routed via the switch. In normal operation, the packet hits the gateway (VLAN 160), the route map is applied and the next hop is set to the FW interface (120.161). Should the FW fail, the verify availability command should pick this up via icmp and not use the route map, instead using the routing table where it see's the destination address as being directly connected. Trouble is, unless I remove the route map, it times out.

The PBR isnt being used though as I have used the verify availability command on Supervisory-RM and shut down the FW interface for that VLAN.

The access lists are purely for the route map traffic, they are below:

SL-Cisco-3560G-SW#sh access-list 2550

Extended IP access list 2550

    10 deny icmp any host 10.11.120.162

    20 deny udp host 10.11.120.163 host 10.11.120.162 eq snmp

    30 deny udp host 10.11.120.163 host 10.11.120.162 eq snmptrap

    40 permit ip 10.11.120.160 0.0.0.15 any (7546 matches)

SL-Cisco-3560G-SW#sh access-list 2540

Extended IP access list 2540

    10 deny icmp any host 10.11.120.130

    20 permit ip 10.11.120.128 0.0.0.15 any (1077 matches)

my mistake Dan, you were right. I hadnt taken off the set ip next hop 10.11.120.129 - it works now!

Thank you so much!!!!

Dab

Daniel ,

You have some issues in your setup :

     1) what if just one interface of the firewall will fail ? =>just one track will fail , and all the traffic will be drop. in order to solve this issue you should use on the next-hop check availability a combined track of the onces already configured

   track 66 list boolean or

          object 128

          object 160

In case of any of the two track will fail , this track will fail. This track id should be used on both route-maps.

    2) in Failed mode the traffic is by-passed from the firewall, in case of recovery all the current traffic flows will be droped by the firewall.

[ Later edit ]

I have a strange fealing about this

I re-read your posts and : Do you get any error messages when you apply the route-map int the interface vlan 128 ?

Could you post "show ip policy"

Dan

thanks for the info regarding the tracking, I will apply that now.

Regarding failed mode, you mean when the FW recovers it will still route via the switch?

Dan

once the FW is back online, shouldnt the verify availability pick up that the FW is reachable and start using the route map again?

Dan

I have noticed when I shut down the FW ints, I get a 6 or 7 sec delay before traffic is rerouted, when I no shut the ints, it doesnt drop at all (as if it isnt failing back).

Daniel,

The switch will check every 2 seconds if the FW is up or not. This is not the problem.

From the moment of firewall failure, when the traffic si routed directly to the moment when the firewall will recover, let's consider some active flows. When the firewall will recover the flows will be droped, because there is no info about those flows. Those flows must re-initalise in order to work, and I am not talking about icmp, but about tcp/udp flow. This is the way that a statefull firewall would work

Dan

ah right, I understand. So the connection will need to be torn down and re-established for the traffic to pass. I understand now. This may not be too much of an issue.

Thank you so much for your time and help.

Dan

Right. You should have this in mind.

My pleasure.

Dan

can I have multiple verify-availability commands on a route map?

reason I ask is I have 6 VLANs in total. If VLAN 1 goes down I do not want traffic from VLAN 160 to 128 being routed via the switch as those interfaces are still up, I only want VLAN 1 to not have its next hop amended.

Is this possible?

Also, if I use the track list command, we are no longer getting it to track an IP SLA and therefore it will not be using icmp to monitor the next hop?

Dan,

Could you be more clear with what you what to achieve ?

Currently you have vlan 160 and 128 , and all traffic source from thouse vlans is forwarded to the Firewall based on the access-list applied on the route-map. This affectes only traffic sourced by this vlans. If you have other 4 vlans , the returning traffic will bypass the FW. The result will be Vlan 160, and 128 cannot communicate with the remaining vlans.

Dan

Sorry Dan.

In total I have VLANs 16,32,48,96,128 and 160. All VLANs have a route map applied amending their next hop to be their FW interface.

Should the FW fail completely, I want all traffic to be routed internally to the switch and not have the route map amend the next hop to the FW.

Should a particular interface on the FW fail, for example, VLAN 128, then I want traffic between VLAN 128 and all other VLANs to go via the switch. I do not want traffic between say VLANs 96 and 160 to be routed via the switch as they are not affected by the FW interface going down.

My opinion is that if I configure it as we discussed, should any VLAN interface go down, everything using the object tracking list (all VLANs) will route via the switch.

I want to avoid this if possible.

Thank you,

Dan