Cisco Support Community
Community Member

PBR fails with "set tag" statement.

Hi

I have a PBR problem on a 3750 running 12.35SE5 (C3750-IPSERVICES-M). SDM configured as "desktop routing".

I have a couple of entry points into my network with specific exit points based on the source of the traffic.

With my policy configured with ONE set command it works fine.

route-map rm-in permit 10
 match ip address sites-in-1
 set ip next-hop 172.18.21.110
!
route-map rm-in permit 20
 match ip address sites-in-2
 set ip next-hop 172.18.21.120
!

The problem starts as soon as I configure TWO set statements. Although the config is allowed in the policy, I cannot apply this to the interface. The system does not report any errors but does not configure the policy on the SVI. Once the "set tag" statement is removed, the policy can be applied.

route-map rm-in permit 10
 match ip address sites-in-1
 set tag 2
 set ip next-hop 172.18.21.110
!
route-map rm-in permit 20
 match ip address sites-in-2
 set tag 2
 set ip next-hop 172.18.21.120
!

Any assistance or advice will be welcome.

3 REPLIES
Hall of Fame Super Gold

I do not understand what you are trying to do. Setting a tag in a route map is usually done on routing protocol updates. This route map is about how to forward data packets. What function would a tag have on a data packet?

I believe that the issue is that your route map becomes logically inconsistent when you attempt to apply a routing protocol function to a packet forwarding route map. Perhaps if you explain what you are trying to accomplish we might find some other way to do it that would work.

HTH

Rick

Community Member

Hi

Thanks for the reply.

The network is somewhat complex. It was inherited with bandwidth optimisers installed off-path. Some firewalls were added and later two VRFs are used to connect four different site profiles to the HO.

As soon as I receive traffic inbound on my core switch (from VRF1 or VRF2), it is passed to some bandwidth optimisers (one of six units) for decompression via PBR process 1. This decision is done by source IP.

Once decompressed, the traffic passes through my core switch again and is forwarded to one of three interfaces on my firewall. This task is performed by PBR process 2 on the optimiser SVI.

If traffic leaves the firewall outbound, PBR process 3 will forward traffic to the appropriate bandwidth optimiser (all firewall SVIs) based on destination IP address. Once it reaches the core switch after it is compressed, the source address is that of the DC and not defined in any policy on the optimiser SVI. This will cause the PBR not to act on the traffic and it is routed normally to the remote site. As long as all traffic flows to and from the DC it all functions correctly.

The problem comes in if a site on VRF1 tries to connect to a site on VRF2. Now the traffic runs through PBR1 and PBR2 as per usual. It then enters the firewall and is forwarded back out instead of into the DC. The outbound traffic now has a source IP of a remote site and will be forwarded back to the firewall once optimised and to the remote site.

The plan is to tag the traffic as it passes through PBR2 (set tag and set next hop) on this policy. The first line of the policy will check for the tag and drop the traffic if present. This will be very similar to solving a route redistribution problem between two networks interconnected with two routers.

Kobus

Hall of Fame Super Gold

Kobus

Thank you for the additional information. It does help to understand what you are trying to accomplish and I agree that the approach is very logical to try to solve your problem as you would solve a route redistribution problem. Unfortunately I do not think that this use of set tag is supported. I have checked several command references and they mention set tag only in the context of tagging route advertisements and not of tagging data packets. Perhaps someone else in the community may have some ideas of how to accomplish what you need?

HTH

Rick
