PBR with VLAN interface

Answered Question
Apr 20th, 2010

Hi,

I have configured PBR step by step on my core switch. The core switch is using 2 L3 VLANs and has 2 routers connected. Every VLAN has to use one router as its default gateway, but if one router fails, all the traffic will be sent to the active router.

The problem I have is that PBR is not working: when I put 'ip policy route-map NAME' on the VLAN interface, the core switch doesn't accept the command; it does nothing.

Do you have any idea why not?

Thank you, best regards, Luis.

Jon Marshall Tue, 04/20/2010 - 09:13

Luis

What switch, which IOS and which feature set? (For IOS and feature set just post a "sh version".)

Jon

lveraza2010 Tue, 04/20/2010 - 09:18

Here is the info:

ROUTERNAME#sho ver
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 24-Aug-07 01:39 by myl
Image text-base: 0x00003000, data-base: 0x01800000

ROM: Bootstrap program is C3560 boot loader
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(25r)SEE4, RELEASE SOFTWARE (fc1)

ARBUESWTADM01 uptime is 12 weeks, 4 days, 17 hours, 26 minutes
System returned to ROM by power-on
System restarted at 19:49:45 HAA Thu Jan 21 2010
System image file is "flash:c3560-ipservicesk9-mz.122-40.SE.bin"

Thank you.

lveraza2010 Tue, 04/20/2010 - 09:24

No, I didn't have any idea about the sdm routing template. Do I need it? What is it for? Thank you.

Correct Answer
allan.thomas Tue, 04/20/2010 - 10:39

Hi Luis,

Take a look at the following configuration guide for the 3560 below; it details the steps for configuring PBR, including configuring the SDM template.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swiprout.html#wp1228588

To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swsdm.html#wpxref88774

Regards

Allan.

Hope this helps, pls rate helpful posts.

Correct Answer
Jon Marshall Tue, 04/20/2010 - 11:27

Luis

Follow Allan's instructions about the sdm routing template and you should be fine.

Jon

Please also rate helpful posts

lveraza2010 Fri, 04/30/2010 - 06:37

Hi, based on the Cisco document I have enabled sdm prefer dual-ipv4-and-ipv6 routing with PBR.

"The software supports IPv4 PBR only when the dual-ipv4-and-ipv6 routing template is configured"

The show sdm prefer command shows the following:

ROUTER#sh sdm prefer

The current template is "desktop IPv4 and IPv6 routing" template.

The problem I still have is that IP policy route-map NAME is not working; I enable it but the switch does nothing.

Do you have any other idea why it is not working?

PBR is not working; as you know, if I can't enable IP policy route-map, PBR won't work.

"Enables policy routing and identifies a route map to be used for policy routing".

Thank you, best regards. Luis Veraza.

Jon Marshall Fri, 04/30/2010 - 06:39

Luis

Can you post the config together with the test details you carried out that didn't work?

Jon

lveraza2010 Fri, 04/30/2010 - 06:48

Here is the config:

ROUTER#show conf
Using 8169 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname ROUTER
!
enable password
!
no aaa new-model
clock timezone HAA -3
system mtu routing 1500
!
track 123 rtr 1 reachability
!
track 124 rtr 2 reachability
ip subnet-zero
ip routing
!
ip sla 1
icmp-echo 192.68.84.251
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.68.84.252
ip sla schedule 2 life forever start-time now
!
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
!
!
!
interface GigabitEthernet0/1

interface GigabitEthernet0/28
!
interface Vlan1
ip address 192.68.81.254 255.255.252.0
!
interface Vlan3
ip address 192.68.84.253 255.255.255.248
!
interface Vlan93
ip address 192.68.93.254 255.255.255.0
ip helper-address 192.168.81.4
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.68.84.251
ip route 0.0.0.0 0.0.0.0 192.68.84.252
ip http server
ip http secure-server
!
!
access-list 100 permit ip 192.68.80.0 0.0.3.255 any
access-list 101 permit ip 192.68.93.0 0.0.0.255 any
route-map BAD permit 10
match ip address 100
set ip next-hop verify-availability 192.68.84.251 10 track 123
set ip next-hop verify-availability 192.68.84.252 20 track 124
!
route-map BAV permit 10
match ip address 101
set ip next-hop verify-availability 192.68.84.252 10 track 124
set ip next-hop verify-availability 192.68.84.251 20 track 123
!
line con 0
password
line vty 0 4
password
login
length 0
line vty 5 15
password
login
!
ntp clock-period 36028795
end

ROUTER#

lveraza2010 Fri, 04/30/2010 - 07:02

I typed the following:

ROUTER#show ip policy

Interface Route map

ROUTER#

It showed me nothing. Later I reviewed the current config, and interface VLAN1 is showing only the IP address.

Thanks, best regards, Luis.
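
An offline check for the symptom in this post (route-maps defined, but an empty show ip policy), added here as an example and not code from the thread or from Cisco: it parses an IOS config dump and reports route-maps that no interface applies, plus ACL and track references that are never defined. The sample is a constructed excerpt modelled on the posted configuration, and audit_pbr is a hypothetical helper name.

```python
import re

# Constructed excerpt modelled on the configuration posted in this thread.
SAMPLE = """\
track 123 rtr 1 reachability
track 124 rtr 2 reachability
interface Vlan1
interface Vlan93
access-list 100 permit ip 192.68.80.0 0.0.3.255 any
access-list 101 permit ip 192.68.93.0 0.0.0.255 any
route-map BAD permit 10
 match ip address 100
 set ip next-hop verify-availability 192.68.84.251 10 track 123
 set ip next-hop verify-availability 192.68.84.252 20 track 124
route-map BAV permit 10
 match ip address 101
 set ip next-hop verify-availability 192.68.84.252 10 track 124
 set ip next-hop verify-availability 192.68.84.251 20 track 123
"""

def audit_pbr(config):
    """Return sorted findings about PBR wiring (numbered ACLs only)."""
    maps, acls, tracks, bound = {}, set(), set(), {}
    iface = rmap = None  # current interface / route-map context
    for raw in config.splitlines():
        line = raw.strip()  # tolerate dumps that lost their indentation
        if m := re.match(r"interface (\S+)", line):
            iface, rmap = m.group(1), None
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", line):
            rmap, iface = m.group(1), None
            maps.setdefault(rmap, {"acls": set(), "tracks": set()})
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"track (\d+) ", line):
            tracks.add(m.group(1))
        elif iface and (m := re.match(r"ip policy route-map (\S+)", line)):
            bound[iface] = m.group(1)
        elif rmap and (m := re.match(r"match ip address (.+)", line)):
            maps[rmap]["acls"].update(m.group(1).split())
        elif rmap and (m := re.search(r"verify-availability \S+ \d+ track (\d+)", line)):
            maps[rmap]["tracks"].add(m.group(1))
    findings = []
    for name, refs in maps.items():
        if name not in bound.values():
            findings.append(f"route-map {name} is not applied to any interface")
        findings += [f"route-map {name} matches undefined ACL {a}" for a in refs["acls"] - acls]
        findings += [f"route-map {name} uses undefined track {t}" for t in refs["tracks"] - tracks]
    findings += [f"{i} references undefined route-map {r}" for i, r in bound.items() if r not in maps]
    return sorted(findings)
```

The SDM template is not part of the configuration text, so it still has to be confirmed on the switch with show sdm prefer.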

Jon Marshall Fri, 04/30/2010 - 07:20

Luis

Have you tried applying the route-map to the vlan interface, or are you saying that even after setting up the SDM template it is still not applying, i.e.

vlan

ip policy route-map

Also note from your config that you don't need 2 route-map names, i.e. you can just do:

route-map BAD permit 10
match ip address 100
set ip next-hop verify-availability 192.68.84.251 10 track 123
set ip next-hop verify-availability 192.68.84.252 20 track 124
!
route-map BAD permit 20
match ip address 101
set ip next-hop verify-availability 192.68.84.252 10 track 124
set ip next-hop verify-availability 192.68.84.251 20 track 123
!

Jon

lveraza2010 Fri, 04/30/2010 - 08:08

You're right.

I changed these route-map numbers some days ago, and they don't have the same number now, BUT! I removed them and added them again some minutes ago, and the IP policy is working.

Thanks a lot, it's working now.

Best regards, Luis.

Jon Marshall Fri, 04/30/2010 - 08:51

lveraza2010 wrote:

You're right.

I changed these route-map numbers some days ago, and they don't have the same number now, BUT! I removed them and added them again some minutes ago, and the IP policy is working.

Thanks a lot, it's working now.

Best regards, Luis.

Luis

Glad you got it working.

Jon
