PBR can't be assigned to vlan interface, why?

edikmkoyan
Level 1

Hi guys,
this is my first question, so thank you for your support.

I have one WS-C3750G-24TS-1U and one WS-C3750G-24T stacked; they run 12.2(55)SE7 C3750-IPSERVICESK9-M, and the SDM template is desktop routing. I can configure a policy map, but when I assign it to the VLAN interface nothing happens: IOS takes the command with no error messages, but when I look at the running configuration there is nothing about the policy map; it simply disappears.
How can I solve this problem?

4 Replies

Hi ,

 1) check show SDM Prefer Routing on your switch 

 http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swiprout.html#wp1228588

PBR Configuration Guidelines

To use PBR, you must have the IP services feature set enabled on the switch or stack master.

Multicast traffic is not policy-routed. PBR applies only to unicast traffic.

You can enable PBR on a routed port or an SVI.

The switch does not support route-map deny statements for PBR.

You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel.

You can define a maximum of 246 IP policy route maps on the switch or switch stack.

You can define a maximum of 512 access control entries (ACEs) for PBR on the switch or switch stack.

When configuring match criteria in a route map, follow these guidelines:

Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.

Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.

To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see Chapter 8 "Configuring SDM Templates."

VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface. The reverse is also true, you cannot enable PBR when VRF is enabled on an interface.

Web Cache Communication Protocol (WCCP) and PBR are mutually exclusive on a switch interface. You cannot enable WCCP when PBR is enabled on an interface. The reverse is also true, you cannot enable PBR when WCCP is enabled on an interface.

The number of hardware entries used by PBR depends on the route map itself, the ACLs used, and the order of the ACLs and route-map entries.

Policy-based routing based on packet length, TOS, set interface, set default next hop, or set default interface are not supported. Policy maps with no valid set actions or with set action set to Don't Fragment are not supported.

The switch supports QoS DSCP and IP precedence matching in PBR route maps, with these limitations:

You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.

You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.

When you configure PBR with QoS DSCP, you can set QoS to be enabled (by entering the mls qos global configuration command) or disabled (by entering the no mls qos command). When QoS is enabled, to ensure that the DSCP value of the traffic is unchanged, you should configure DSCP trust state on the port where traffic enters the switch by entering the mls qos trust dscp interface configuration command. If the trust state is not DSCP, by default all nontrusted traffic would have the DSCP value marked as 0.

Enabling PBR

By default, PBR is disabled on the switch. To enable PBR, you must create a route map that specifies the match criteria and the resulting action if all of the match clauses are met. Then, you must enable PBR for that route map on an interface. All packets arriving on the specified interface matching the match clauses are subject to PBR.

PBR can be fast-switched or implemented at speeds that do not slow down the switch. Fast-switched PBR supports most match and set commands. PBR must be enabled before you enable fast-switched PBR. Fast-switched PBR is disabled by default.

Packets that are generated by the switch, or local packets, are not normally policy-routed. When you globally enable local PBR on the switch, all packets that originate on the switch are subject to local PBR. Local PBR is disabled by default.

 

Share your config with me.

HTH

Sandy

I use a WS-C3750G-24TS-1U and WS-C3750G-24T switch stack; this link is for the 3750x series. How can I find out if there is some hardware limitation?

Here is tshoot data.

core#show sdm prefer
 The current template is "desktop routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

----

core#show ip access-lists ops
Standard IP access list ops
    10 permit 10.1.1.0, wildcard bits 0.0.0.255

--------

core#show route-map
route-map ops, permit, sequence 10
  Match clauses:
    ip address (access-lists): ops
  Set clauses:
    ip next-hop 192.168.0.20
    ip default next-hop 192.168.0.24
    default interface Vlan111
  Policy routing matches: 0 packets, 0 bytes

----

and the configuration

core(config)#interface vlan 111
core(config-if)#ip pol
core(config-if)#ip policy ?
  route-map  Policy route map

core(config-if)#ip policy rou
core(config-if)#ip policy route-map ?
  WORD  Route map name

core(config-if)#ip policy route-map ops ?
  <cr>

core(config-if)#ip policy route-map ops
core(config-if)#do sh run int Vlan111
Building configuration...

Current configuration : 63 bytes
!
interface Vlan111
 ip address 10.11.1.254 255.255.255.0
end
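
An added example, not part of any post in this thread: a small Python check that parses `show route-map` output like the one posted above and flags entries that conflict with the PBR guidelines quoted in the first reply. The guidelines come from the 3750-X guide, so their applicability to this 3750G stack is an assumption, as are the function names and the mapping from output lines to guideline wording.

```python
import re

# Constructed sample: the "show route-map" output as posted in the thread.
SAMPLE = """\
route-map ops, permit, sequence 10
  Match clauses:
    ip address (access-lists): ops
  Set clauses:
    ip next-hop 192.168.0.20
    ip default next-hop 192.168.0.24
    default interface Vlan111
  Policy routing matches: 0 packets, 0 bytes
"""

HEADER = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")

# Set-clause prefixes (as printed by "show route-map") that the quoted
# guidelines list as unsupported for PBR. The mapping is an assumption.
UNSUPPORTED_SET = {
    "ip default next-hop": "set default next hop",
    "default interface": "set default interface",
    "interface": "set interface",
}

def parse(text):
    """Split 'show route-map' output into entries with match/set clause lists."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"name": m[1], "action": m[2], "seq": int(m[3]),
                            "match": [], "set": []})
            section = None
        elif line in ("Match clauses:", "Set clauses:"):
            section = line.split()[0].lower()   # "match" or "set"
        elif not line or line.startswith("Policy routing matches"):
            section = None
        elif section and entries:
            entries[-1][section].append(line)
    return entries

def check(entry):
    """Return the guideline conflicts found in one route-map entry."""
    findings = ["route-map deny statement"] if entry["action"] == "deny" else []
    flagged = [f"{why}: {c}" for c in entry["set"]
               for prefix, why in UNSUPPORTED_SET.items() if c.startswith(prefix + " ")]
    findings += flagged
    if len(flagged) == len(entry["set"]):       # nothing left that PBR can act on
        findings.append("no supported set action")
    return findings
```
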

 

 

Hi ,

 Have you rebooted your switch after applying the command sdm prefer routing?

 

After the system reboots, you can use the show sdm prefer privileged EXEC command to verify the new template configuration. If you enter the show sdm prefer command before you enter the reload privileged EXEC command, the show sdm prefer command shows the template currently in use and the template that will become active after a reload.

 

HTH

Sandy

Sure I did, the configuration I showed is current.

core#show sdm prefer
 The current template is "desktop routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
