PBR (Policy Based Routing) - Connected Routes 3750

Ralphy006 · ‎10-21-2014

Hey guys,

Does anyone know if PBR take precedence over connected routers?

I have a scenario with a 3750 acting as a layer 3 switch with 2 default routes.

I am trying to keep the ACE's referenced to a minimum per these guidelines (no deny's and no ACE's mentioning local traffic): http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html#pbr

But I have a bunch of SVI's on the layer 3 switch that need to talk locally. They are considered "connected" routes.

For example, if I have networks A,B,C,D. And they are all SVI's on the layer 3 switch. There are default routes, 1 and 2.

I want to send A and B out the default route of 1 (Global default route). Then I want to send C and D out of default route 2 (PBR)

BUt, I want A,B,C and D all to be able to talk to each other locally on the layer 3 switch without being referenced in the PBR. Possible?

Richard Burts · ‎10-21-2014

I find your description of the environment and of your requirements to be confusing. So I will address the part of the question that is clear. You ask if PBR takes precedence over connected routes. Since PBR will make forwarding decisions before the forwarding process looks into the routing table (where connected routes are identified) then I would say that the answer to your question is yes PBR does take precedence. If you want answers to the other parts of your question then you need to provide some clarification.

HTH

Rick

HTH

Rick

Ralphy006 · ‎10-21-2014

Thanks for the response Rick.

Sorry that my statements were confusing! I will try my best to clarify.

I was hoping connected routes would take precedence over PBR.

In my scenario, I have some networks that need to use one default route, and some other networks that need to use a different default route. In order to do this, PBR is necessary.

For example:

int vlan 1

ip address 192.168.1.1 255.255.255.0

int vlan 2

ip address 192.168.2.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.0.1.1 1

With the current setup, devices in both vlan 1 and vlan 2 networks will use the default route of 10.0.1.1.

But let's pretend I have a different possible default route that I want to use for vlan 2 (for load balancing purposes). Let's pretend the 2nd next hop is 10.0.2.1. So I would use PBR as such:

access-list 10 permit 192.168.2.0 0.0.0.255 (devices on vlan 2)

route-map pbr permit 10

match ip address 10

set ip next-hop 10.0.2.1

int vlan 2

ip policy route-map pbr

These commands will accomplish the default route issue. BUT, if users from 192.168.2.0 /24 try to talk to 192.168.1.0 /24, it will use PBR and use the next hop of 10.0.2.1, as opposed to the connected route. (since you said PBR takes precedence over any connected routes)

I have read that I can put deny statements or other match statements as part of the PBR policy so traffic from 192.168.2.0/24 to 192.168.1.0/24 does not use the PBR next hop and force it use the connected route.

BUT, I am concerned this will cause CPU issues on the 3750. Based on the Cisco article I posted above, it says:

Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.
The switch does not support route-map deny statements for PBR.

Does that make more sense?

houtan haddadlarijani · ‎10-22-2014

If the RP address falls within the range of a PBR ACL, traffic addressed to the RP is policy routed in hardware instead of being forwarded to the RP. To prevent policy routing of traffic addressed to the RP, configure PBR ACLs to deny traffic addressed to the RP.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-0SY/configuration/guide/15_0_sy_swcg/policy_based_routing_pbr.html#wp1010814

I think you can tackle the problem like this:

interface vlan 2
ip address 192.168.2.1 255.255.255.0
ip policy route-map pol

!
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!
route-map pol permit 10
match ip address 110
!
route-map pol permit 20
match ip address 10
set ip next-hop 10.0.1.2
!
route-map pol permit 30
!

I tried this on lab and it worked

*Mar 1 00:50:30.707: IP: s=192.168.2.2 , d=192.168.1.2, len 92, FIB policy match
*Mar 1 00:50:30.707: IP: s=192.168.2.2 , d=192.168.1.2, len 92, FIB policy rejected - normal forwarding

*Mar 1 00:50:40.043: IP: s=192.168.2.2 , d=10.0.1.2, len 92, FIB policy match
*Mar 1 00:50:40.043: IP: s=192.168.2.2 , d=10.0.1.2, g=10.0.1.2, len 92, FIB policy routed

HTH

Houtan

I

Ralphy006 · ‎10-22-2014

Thanks Houtan.

What kind of hardware did you run your lab on?

houtan haddadlarijani · ‎10-22-2014

It's Catalyst 3650-24P

I think cisco explanation is not clear about cause of the CPU usage.

local ACL itself or PBR routing?

But I don't think above configuration pose heavy cpu usage on switch. because local traffic is being forwarded normally by RP not PBR.

Houtan