Catalyst 3550-PBR

Aug 5th, 2010

I am trying to set default next-hop route on vlan10 and vlan20 interfaces because I wanna split up traffic on c3550 to reach two different ISPs. Somehow the route-map could not be applied on vlan interface. If I set just next-hop command then it works but default next-hop doesn't. PLEASE HELP!

Jon Marshall Thu, 08/05/2010 - 04:41
ljube0131 wrote:


I am trying to set default next-hop route on vlan10 and vlan20 interfaces because I wanna split up traffic on c3550 to reach two different ISPs. Somehow the route-map could not be applied on vlan interface. If I set just next-hop command then it works but default next-hop doesn't. PLEASE HELP!


I can't find the 3550 configuration docs but from the 3560 configuration doc it states that using the "ip default next-hop" within a route-map is not supported -


http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3560/software/release/12.2_25_sea/configuration/guide/swuncli.html#wp1034931


this also applies to the 3550 switch.


Jon

Nagaraja Thanthry Thu, 08/05/2010 - 05:49

Hello,


In order for you to configure PBR on 3550, you need to have a minimum of IPServices image and your SDM template should be set to routing. You can verify the current SDM template using "show sdm prefer" command.


Switch#show sdm prefer

The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.


  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K


Once you verify the SDM template, if it is not set to routing, please set it to routing by issuing the command "sdm prefer routing"


Switch(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  routing             Unicast bias
  vlan                VLAN bias


Then, you will be able to apply the route-map to the interface. You need to use "set ip next-hop" command under the route-map.


Hope this helps.


Regards,


NT

Ljube Tesan Fri, 08/06/2010 - 00:23

Configuration file is attached. I set sdm prefer extended-match because policy based routing on C3550 requires this but I find that fast-switched PBR restricts some set commands (default next-hop, default interface).

Jon Marshall Fri, 08/06/2010 - 01:54
What is your question? The default next-hop etc. commands are not supported with the 3550 no matter what IOS you run, see my previous post.


Are you now asking something else?


Jon

Ljube Tesan Sun, 08/08/2010 - 22:24

My question is whether "default next-hop" is supported by c3550 because I see it as the only way to split up traffic to two ISPs. Is there any other way to do that on C3550?

Nagaraja Thanthry Sun, 08/08/2010 - 22:47

Hello,


"default next-hop" command is not supported on DSBU switches. You can use "set ip next-hop" command instead.


http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/relea...


Here is an explanation of both commands in question:


https://www.cisco.com/en/US/tech/tk364/technologies_configuration_exampl...


If you want to send the traffic via routing table and send it via a specific path if the route does not exist, then you might have to do route tracking. Otherwise, if you are just looking to route specific traffic type through a specific path, then you need to use "set ip next-hop" configuration.


Hope this helps.


Regards,


NT

vragotha Sun, 08/08/2010 - 22:48

If you can match the traffic based on an access list, you can try the following -


Define ACL 1 for traffic to ISP 1

access-list 1 permit < ip >


Define ACL 2 for traffic to ISP 2

access-list 2 permit < ip >


route-map test permit 10
match ip address 1
set ip next-hop <ISP 1 next-hop IP>
!
route-map test permit 20
match ip address 2
set ip next-hop <ISP 2 next-hop IP>


Apply the route map to the appropriate interface

Ljube Tesan Mon, 08/09/2010 - 05:36

I can't use "set next-hop" because it will take all my vlan traffic out over the firewalls and my vlans on c3550 will not be able to connect to other parts of my local networks that are connected to c3550 over router 2610.

ISP1______c3500(VLANs10,20)

ISP2______/       |_2610----LANs

Jon Marshall Mon, 08/09/2010 - 06:30
ljube0131 wrote:


I can't use "set next-hop" because it will take all my vlan traffic out over the firewalls and my vlans on c3550 will not be able to connect to other parts of my local networks that are connected to c3550 over router 2610.

ISP1______c3500(VLANs10,20)

ISP2______/       |_2610----LANs


I hesitated to reply to this post because you clearly didn't read my original answer, i.e. even after being told default next-hop is not supported you still were asking whether it was supported or not.


However this is a forum where we try to help so.


You can use set ip next-hop, you simply need to use deny statements in your access-list for that traffic you don't want PBR'd, e.g.


on your 3550 you have -

vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24


let's say you have 2 other networks off the 2610 -

192.168.7.0/24
192.168.8.0/24


access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit ip any any


route-map PBR permit 10
match ip address 101
set ip next-hop <next-hop IP>


the deny entries in your acl will not be policy routed, i.e. they will use the routing table, any other traffic will be policy routed.


Jon

Nagaraja Thanthry Mon, 08/09/2010 - 06:31

Hello,


You can use extended access-lists and specify the exact matches. For example, if the subnets behind 2620 are 10.x.x.x, you can do the following:


access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 102 permit ip 192.168.10.0 0.0.0.255 any


route-map VL10 10
match ip address 101
set ip next-hop <2600's IP>

route-map VL10 20
match ip address 102
set ip next-hop <next-hop IP>


While you could also use deny statements in the access-lists, using deny statements will send the traffic to CPU and could affect your performance.


Hope this helps.


Regards,


NT
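
An added example, not part of any post in this thread and not Cisco's code: a small Python model of how ordered route-map permit clauses and first-match extended ACLs select a policy next hop, run against the permit-only layout and the deny layout discussed above. The next-hop labels, function names and test addresses are assumptions; it models match logic only, not hardware versus software switching, and the deny ACL is shortened to the vlan 10 entries.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword "any"

def _ip(text):
    # IPv4Address rejects malformed dotted quads such as a 3-octet "0.0.255"
    return int(ipaddress.IPv4Address(text))

def ace(action, src, dst):
    """One extended ACL entry; src and dst are (address, wildcard) pairs."""
    return (action, _ip(src[0]), _ip(src[1]), _ip(dst[0]), _ip(dst[1]))

def _wc_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care" bits
    return (addr | wildcard) == (base | wildcard)

def acl_result(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, sb, sw, db, dw in acl:
        if _wc_match(s, sb, sw) and _wc_match(d, db, dw):
            return action
    return "deny"

def pbr_next_hop(route_map, src, dst):
    """Ordered (acl, next_hop) permit clauses; None means use the routing table."""
    for acl, next_hop in route_map:
        if acl_result(acl, src, dst) == "permit":
            return next_hop
    return None

# Constructed labels standing in for the next-hop addresses the thread omits
TO_2610, TO_ISP = "NEXT_HOP_2610", "NEXT_HOP_ISP"
VL10, VL5 = ("192.168.10.0", "0.0.0.255"), ("192.168.5.0", "0.0.0.255")

# Permit-only layout: clause 10 sends internal traffic to the router, clause 20 the rest out
permit_only = [
    ([ace("permit", VL10, ("10.0.0.0", "0.255.255.255"))], TO_2610),
    ([ace("permit", VL10, ANY)], TO_ISP),
]

# Deny layout: denied internal destinations fall through to the routing table
deny_style = [([
    ace("deny", VL5, ("192.168.7.0", "0.0.0.255")),
    ace("deny", VL5, ("192.168.8.0", "0.0.0.255")),
    ace("permit", ANY, ANY),
], TO_ISP)]

if __name__ == "__main__":
    print(pbr_next_hop(permit_only, "192.168.10.5", "10.1.2.3"), pbr_next_hop(deny_style, "192.168.5.10", "192.168.7.1"))
```

Running a few representative source and destination pairs through a model like this before applying the route-map shows whether internal traffic would be pulled toward the ISP path by an over-broad permit or a mistyped wildcard mask.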

Jon Marshall Mon, 08/09/2010 - 06:47
NT makes a good point and one I forgot about. If you mix deny statements and permit statements in the same acl the packets are software switched so it would be better to use the example provided by him.


Jon

Jon Marshall Mon, 08/09/2010 - 07:04
I hesitated to reply to this post because you clearly didn't read my original answer, i.e. even after being told default next-hop is not supported you still were asking whether it was supported or not.

However this is a forum where we try to help so.


Apologies. First post of the day and think you got some of my bad mood that I started today with. No offense intended, hopefully NT's solution works for you.


Jon

Ljube Tesan Tue, 08/10/2010 - 04:45

NT, this works! Thank you a lot!

No problem JM, I really appreciate your assistance.

I am new in this and I was a little bit confused because my c3550 route-map accepts my default next-hop command but I can't apply it on interface.


Thank you, once more!
