Route-Map on Catalyst 4507R with Supervisor IV

ger.harris
Level 1

Hello All,

I'm trying to get a route-map to work for a NAC installation that I am doing for a customer. From the feature navigator and command reference I keep reading that this platform/software combination supports policy routing. I know that in the other L3-switching platforms (3560/3750) you have to do a "sdm prefer" to allocate resources to the route-map, however there is no mention (that I can find) about an equivalent command for the Catalyst 4507R.

Other details:

1) The IP next hop IS layer-3 adjacent to the Catalyst 4507R

2) There IS an ARP/MAC entry for the next-hop address

3) The "set ip default next-hop" works and matches, but the "set ip next-hop" does not. (Go figure :P)

Hard Details:

Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I5S-M), Version 12.2(25)EWA13, RELEASE SOFTWARE (fc1)

ip access-list extended NACACL
 remark *** Redirect Traffic ***
 permit ip 10.75.6.0 0.0.0.255 any
!
route-map NACRedirect permit 10
 match ip address NACACL
 set ip next-hop 10.0.3.15
!
interface FastEthernet4/48
 ! Attached to an upstream L3 switch communicating via EIGRP
 no switchport
 ip address 10.10.10.2 255.255.255.0
 ip policy route-map NACRedirect
!

This is what occurs when I change it to "ip default next-hop"

route-map NACRedirect, permit, sequence 10
  Match clauses:
    ip address (access-lists): NACACL
  Set clauses:
    ip default next-hop 10.0.3.15
  Policy routing matches: 36 packets, 2603 bytes <====

But I need "next-hop" NOT "default next-hop" to work.

No match in the bug-tracker regarding the behavior.

Any assistance is greatly appreciated!

Thanks,

Ger (CCIE#5464,R&S/Security)

4 Replies

Edison Ortiz
Hall of Fame

Did you try turning debug on the PBR ?

Can you post the show ip route 10.0.3.15 output ?

__

Edison.

This is the adjacency response....

Lab_sw1#show ip route 10.0.3.15
Routing entry for 10.0.3.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via eigrp 1
  Routing Descriptor Blocks:
  * directly connected, via Vlan3
      Route metric is 0, traffic share count is 1

Apparently I'm getting matches with "set ip default next-hop" but that is not the behavior I need...

Lab_sw1#debug ip policy
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Mar 17 08:53:05: IP: s=10.75.6.1 (FastEthernet4/48), d=66.66.66.66, len 100, policy match
Mar 17 08:53:05: IP: route map NACRedirect, item 10, permit
Mar 17 08:53:05: IP: s=10.75.6.1 (FastEthernet4/48), d=66.66.66.66 (Vlan3), len 100, policy routed
Mar 17 08:53:05: IP: FastEthernet4/48 to Vlan3 10.0.3.15
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC

Changing the "set" command to "set ip next-hop" never results in a hit...

Lab_sw1#debug ip policy
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC
Policy NextHop Inquiry: 10.0.3.15, SW_OBJ_TYPE: 19, SW_HANDLE: 1892B5AC

Hmmm..... Maybe it is just time to upgrade the code or go with a "real" multilayer switch.....

Ger (CCIE#5464 - R&S/Security)

Very strange. I recommend trying a new code on this switch. The syntax seems fine. Let us know how it works out.

__

Edison.

We figured out the issue...

Since most of my experience was route-maps on routers, I didn't expect certain L3 switch behavior. It turns out that "show route-map" does not increment match counters as on a router. It IS functioning, but you have to use "debug ip policy" in order to see it operating.

Be forewarned with "debug ip policy" as well. It will only show redirection at the first match of a source-destination because the routing decision is cached after that.

In the words of someone from TAC I talked to, "policy-maps on a L3 switch is sometimes an iffy proposition".

Hope this helps anyone else who has the problem...

Ger (CCIE#5464,R&S/Security)
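Since "show route-map" counters are useless on this platform and "debug ip policy" only logs the first packet of each source/destination pair, verifying a NAC redirect means reading the debug output carefully. The following is an added example, not code from the thread: it parses the debug line formats pasted above, groups them into flows, and checks each flow against the expected route-map name and next-hop; the 10.75.6.7 flow and the 192.0.2.10 destination in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Line shapes of "debug ip policy" as pasted in this thread (IOS 12.2 on a Catalyst 4500).
MATCH_RE = re.compile(r"IP: s=(\S+) \(\S+\), d=(\S+), len \d+, policy match")
ITEM_RE = re.compile(r"IP: route map (\S+), item \d+, permit")
ROUTED_RE = re.compile(r"IP: s=\S+ \(\S+\), d=\S+ \((\S+)\), len \d+, policy routed")
HOP_RE = re.compile(r"IP: \S+ to \S+ (\d+\.\d+\.\d+\.\d+)$")
@dataclass
class Flow:                        # one record per (src, dst) pair seen in the debug
    src: str
    dst: str
    route_map: Optional[str] = None
    out_if: Optional[str] = None   # set only when a "policy routed" line appeared
    next_hop: Optional[str] = None

def parse_debug(text: str) -> list:
    # Only a pair's first packet is logged: the switch caches the decision after that.
    flows, cur = {}, None
    for line in text.splitlines():
        if m := MATCH_RE.search(line):
            cur = flows.setdefault(m.groups(), Flow(*m.groups()))
        elif cur and (m := ITEM_RE.search(line)):
            cur.route_map = m.group(1)
        elif cur and (m := ROUTED_RE.search(line)):
            cur.out_if = m.group(1)
        elif cur and (m := HOP_RE.search(line)):
            cur.next_hop = m.group(1)
    return list(flows.values())

def check_redirect(text, expected_map, expected_hop, expected_sources=()):
    """Return (flows redirected as intended, list of problem strings)."""
    flows = parse_debug(text)
    ok = [f for f in flows if f.out_if and f.route_map == expected_map and f.next_hop == expected_hop]
    problems = [f"{f.src}->{f.dst}: matched but no 'policy routed' line"
                for f in flows if f.out_if is None]
    problems += [f"{f.src}->{f.dst}: sent to {f.next_hop}, expected {expected_hop}"
                 for f in flows if f.out_if and f.next_hop != expected_hop]
    # Absence is not failure: the pair may already be cached, so retest with a fresh pair.
    problems += [f"{s}: no debug evidence (cached? retest with a new src/dst pair)"
                 for s in expected_sources if s not in {f.src for f in flows}]
    return ok, problems

# Constructed sample: the thread's 10.75.6.1 flow plus an invented 10.75.6.7 flow that matches but is never routed.
SAMPLE_DEBUG = """\
Mar 17 08:53:05: IP: s=10.75.6.1 (FastEthernet4/48), d=66.66.66.66, len 100, policy match
Mar 17 08:53:05: IP: route map NACRedirect, item 10, permit
Mar 17 08:53:05: IP: s=10.75.6.1 (FastEthernet4/48), d=66.66.66.66 (Vlan3), len 100, policy routed
Mar 17 08:53:05: IP: FastEthernet4/48 to Vlan3 10.0.3.15
Mar 17 08:53:09: IP: s=10.75.6.7 (FastEthernet4/48), d=192.0.2.10, len 84, policy match
"""
```

Feed it the captured debug text and the list of hosts you expect to be redirected; a host that never appears is reported as unverified rather than broken, which is exactly the caching trap described above.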
