The user uses USG5360 firewall which the version is V100R003C01SPC007, it has setted 3 exports on the firewall and 2 fixed public network IP address exports, one is the export of ADSL dialing, and configure the policy route of export, after testing user finds the internal network segment which is included by ACL 3002 cannot access public network, the user service under the other two export is normal.
route-policy 1 permit node 2
if-match acl 3002
apply output-interface GigabitEthernet0/0
apply ip-address next-hop 18.104.22.168
route-policy 1 permit node 10
if-match acl 3003
apply output-interface Dialer1
route-policy 2 permit node 20
we can find it uses interface and next hop IP address in the setting route information under node 2 by viewing this route policy. When the user deletes apply output-Internet GigabitEthernet0/0, and only holds next hop IP address no using interface, the user service under ACL 3002 restores normal
The ACL has hit times by viewing ACL 3002, and cancels this route policy 1, uses one of the dialer dialing export and one of the fixed public network IP export,the user of ACL 3002 can access public netwotk normally, this explains there is no problem with the basic route configuration on the layer 3 switch and firewall,we can judge this is the route policy problem for such phenomena.
When we configure route policy, if we not only configure using interface to be export but also to be next hop IP address to export the priority of interface is higher than the priority of next hop IP address,if we want to use interface to be export,besides it need configure the interface to go out in the route policy,the next hop of static route on the firewall need configure to interface, if static route next hop is IP address, it will appear this situation,the configuration of policy route and static route must be the same and use next hop address or interface at the same time.
Suggestion:when we configure export of route ,we had best use next hop to be IP address not use interface,because using interface will send a great deal of arp request by interface ,it will affect the performance of equipment.