
question about the route map access list

jackson.ku
Level 3

Hi,

I want to use Catalyst 3750 PBR to reroute traffic. Traffic matching the following ACL is routed normally; all other traffic destined to 172.22.0.0/16 is routed to 172.16.52.1:

source : 172.18.0.0/16  destination : 172.22.0.0/16

source : 172.20.0.0/16  destination : 172.22.0.0/16

Is the following configuration correct?

ip access-list extended redirect
 deny   ip 172.18.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 deny   ip 172.20.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 permit ip any 172.22.0.0 0.0.255.255

route-map redirect permit 10
 match ip address redirect
 set ip next-hop 172.16.52.1

interface GigabitEthernet0/1
 no switchport
 ip address 172.16.1.254 255.255.255.240
 ip policy route-map redirect

Best Regards,

Jackson Ku

7 Replies

Abzal
Level 7

Hi,

First of all, to make PBR work on a 3750 you need the IP Base image on the switch. Second, the SDM template should be set to prefer routing.

https://supportforums.cisco.com/community/netpro/network-infrastructure/routing/blog/2011/03/31/pbr-on-switches-37503560

Do you want to reroute traffic sourced from the 172.18.0.0/16 and 172.20.0.0/16 subnets to 172.22.0.0/16?

If so, then the PBR config is:

ip access-list extended redirect
 permit ip 172.18.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 permit ip 172.20.0.0 0.0.255.255 172.22.0.0 0.0.255.255

route-map redirect permit 10
 match ip address redirect
 set ip next-hop 172.16.52.1

Hope it will help.

Best regards,
Abzal


jackson.ku
Level 3

No, the traffic sourced from these two subnets to 172.22.0.0 255.255.0.0 will route normally; the other traffic is rerouted.

Hi,

You should avoid deny statements in policy ACLs:

https://supportforums.cisco.com/message/4117064

Possible solution:

ip access-list extended REDIRECT-RIB
 permit ip 172.18.0.0 0.0.255.255 172.22.0.0 0.0.255.255
 permit ip 172.20.0.0 0.0.255.255 172.22.0.0 0.0.255.255

ip access-list extended REDIRECT-PBR
 permit ip any 172.22.0.0 0.0.255.255

route-map redirect permit 10
 match ip address REDIRECT-RIB
 ! no set => RIB

route-map redirect permit 20
 match ip address REDIRECT-PBR
 set ip next-hop 172.16.52.1

HTH

Rolf
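The thread describes the evaluation rules that make the two-sequence design above work: a packet that hits an ACL permit matches the route-map sequence and is forwarded per its set clause (or via the RIB when the sequence has no set); a packet that hits an ACL deny, or falls off the end of the ACL, drops through to the next sequence and, if nothing matches, is routed normally. The following Python model is an added example, not code from the thread or from Cisco, that applies those rules to the original poster's deny-based single ACL and to Rolf's permit-only REDIRECT-RIB/REDIRECT-PBR pair. The sample flows are constructed. The `deny_ace_hit` flag records whether an explicit deny ACE was matched on the way, which matters on this platform because, as quoted later in the thread, packets matching a deny ACE are sent to the CPU.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 0 bit in the wildcard must match exactly,
    a 1 bit is "don't care" (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry: <action> ip <src> <src-wc> <dst> <dst-wc>."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def acl_lookup(acl: Tuple[Ace, ...], src: str, dst: str) -> Optional[str]:
    """First-match ACL evaluation; None models the implicit deny at the end."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return None


@dataclass(frozen=True)
class RouteMapSeq:
    """A 'route-map ... permit <seq>' entry with one 'match ip address' ACL.
    next_hop=None means there is no set clause: a match is routed via the RIB."""
    acl: Tuple[Ace, ...]
    next_hop: Optional[str] = None


def pbr_decision(route_map: List[RouteMapSeq], src: str, dst: str) -> Tuple[str, bool]:
    """Return (forwarding decision, deny_ace_hit). Sequences are tried in
    order; an ACL permit selects the sequence, an ACL deny or implicit deny
    falls through; with no match the packet is routed normally ("RIB")."""
    deny_ace_hit = False
    for seq in route_map:
        result = acl_lookup(seq.acl, src, dst)
        if result == "deny":
            deny_ace_hit = True          # punted to CPU on the 3750 per the thread
        elif result == "permit":
            decision = f"next-hop {seq.next_hop}" if seq.next_hop else "RIB"
            return decision, deny_ace_hit
    return "RIB", deny_ace_hit


ANY = ("0.0.0.0", "255.255.255.255")

# Original poster's design: one ACL, deny ACEs carve out the exceptions.
OP_REDIRECT = (
    Ace("deny", "172.18.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255"),
    Ace("deny", "172.20.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255"),
    Ace("permit", *ANY, "172.22.0.0", "0.0.255.255"),
)
OP_ROUTE_MAP = [RouteMapSeq(OP_REDIRECT, next_hop="172.16.52.1")]

# Rolf's design: permit-only ACLs, exceptions caught first by a sequence with no set.
REDIRECT_RIB = (
    Ace("permit", "172.18.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255"),
    Ace("permit", "172.20.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255"),
)
REDIRECT_PBR = (Ace("permit", *ANY, "172.22.0.0", "0.0.255.255"),)
ROLF_ROUTE_MAP = [
    RouteMapSeq(REDIRECT_RIB),                          # seq 10: no set => RIB
    RouteMapSeq(REDIRECT_PBR, next_hop="172.16.52.1"),  # seq 20
]

# Constructed sample flows (source, destination); not taken from the thread.
SAMPLE_FLOWS = [
    ("172.18.5.5", "172.22.1.1"),   # exception: should use the RIB
    ("172.20.5.5", "172.22.1.1"),   # exception: should use the RIB
    ("10.1.1.1", "172.22.1.1"),     # everything else to 172.22/16: redirect
    ("10.1.1.1", "192.168.1.1"),    # not destined to 172.22/16: untouched
]


def compare(flows=SAMPLE_FLOWS):
    """Evaluate each flow against both designs; returns
    (src, dst, op_result, rolf_result) tuples."""
    return [(s, d, pbr_decision(OP_ROUTE_MAP, s, d), pbr_decision(ROLF_ROUTE_MAP, s, d))
            for s, d in flows]


if __name__ == "__main__":
    for src, dst, op, rolf in compare():
        print(f"{src:>12} -> {dst:<12} OP: {op[0]:<22} deny-ACE hit={op[1]!s:<5} "
              f"Rolf: {rolf[0]:<22} deny-ACE hit={rolf[1]}")
```

Both designs reach the same forwarding decision for every flow; the difference the model makes visible is that the exception traffic hits an explicit deny ACE only in the single-ACL design, which is exactly the path the platform limitation quoted below concerns.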

Hello

Anything not matched in the ACL pertaining to PBR should be routed normally.

Try amending your ACE statements:

access-list 10 deny   172.18.0.0 0.0.255.255
access-list 10 deny   172.20.0.0 0.0.255.255
access-list 10 permit 172.22.0.0 0.0.255.255

route-map redirect permit 10
 match ip address 10
 set ip next-hop 172.16.52.1
 set ip next-hop verify-availability

This additional command in the route-map checks that the next hop exists; if it is not available, it stops the router ARPing for it and so routes normally.


Res
Paul



Kind Regards
Paul

Paul,

It is a C3750, which has some special platform-specific limitations:

Policy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization.

  • You can enable PBR on a routed port or an SVI.
  • The switch does not support route-map deny statements for PBR.
  • Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
  • Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.
  • Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.
  • In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#pbr

Regards

Rolf

Hi,

I checked the document; the Catalyst 3750 does not support the "set ip next-hop verify-availability" command, so I changed to using EEM to track next-hop availability:

https://supportforums.cisco.com/docs/DOC-8069

Best Regards,

Jackson Ku

Hello Rolf

Cheers for pointing this out - wasn't aware ACE deny statements weren't applicable on 3750s.

In that case your suggestion would be a much better approach:


access-list 10 permit 172.18.0.0 0.0.255.255
access-list 10 permit 172.20.0.0 0.0.255.255
access-list 20 permit 172.22.0.0 0.0.255.255

route-map redirect permit 10
 match ip address 10

route-map redirect permit 20
 match ip address 20
 set ip next-hop 172.16.52.1
 set ip next-hop verify-availability



Res
Paul


Kind Regards
Paul