Challenging!!! How to use route-map on 3550 switch to do policy routing?

iamsong
Level 1

Background:

I have a Cisco 3550-12G switch as core, and there are several VLANs created on this 3550-12G.

I have 2 ISPs connected, so I installed 2 firewalls as well to connect to the different ISPs. The 2 firewalls are also connected to the 3550-12 respectively.

My question:

1. Use route-map to deploy policy routing to the 2 ISPs.

2. VLAN 1 goes to Firewall1 and VLAN 2 goes to Firewall2.

Current Status:

I have put a default route on the 3550 now to direct all the Internet traffic to Firewall1, from both VLAN 1 and VLAN 2.

IP Scheme:

1. 3550 IP address: 10.0.10.1

2. Firewall 1 IP address: 10.0.10.100

3. Firewall 2 IP address: 10.0.10.200

VLAN 1 IP scope: 10.0.1.0/24

VLAN 2 IP scope: 10.0.2.0/24

Looking forward to kind help...

Appreciated!

IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(22)EA1a, RELEASE SOFTWARE (fc1)


spremkumar
Level 9

Hi

You can try out something like this to force the traffic based on the source ip address.

    route-map vlan1 permit 10
     match ip address 100
     set ip next-hop 10.0.10.100
    access-list 100 permit ip 10.0.1.0 0.0.0.255 any
    interface VLAN 1
     ip policy route-map vlan1

    route-map vlan2 permit 10
     match ip address 101
     set ip next-hop 10.0.10.200
    access-list 101 permit ip 10.0.2.0 0.0.0.255 any
    interface VLAN 2
     ip policy route-map vlan2

regds

mheusinger
Level 10

Hi,

there is some documentation with limitations to watch out for under

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a0080211c5b.html#wp1260543

Hope this helps

Martin

Hey, Martin,

Does the URL you posted mean there are some limitations with 3550 policy routing?

iamsong
Level 1

My configuration:

    interface Vlan1
     ip address 10.0.1.1 255.255.255.0
    interface Vlan2
     ip address 10.0.2.1 255.255.255.0
     ip policy route-map ISP2
    interface Vlan10
     ip address 10.0.10.1 255.255.255.0
    router rip
     version 2
     network 10.0.0.0
     no auto-summary
    !
    ip classless
    ! Firewall 1
    ip route 0.0.0.0 0.0.0.0 10.0.10.100
    access-list 101 permit ip host 10.0.2.0 0.0.0.255 any
    route-map ISP2 permit 10
     match ip address 101
     set ip default next-hop 10.0.10.200

Hi,

looks like your VLAN2 interface is missing the "ip policy route-map ISP2" command.

And the access list should be

access-list 101 permit ip 10.0.2.0 0.0.0.255 any

Hope this helps

Sorry, I missed typing the "ip policy route-map ISP2" command in my post here.

Actually, this command is on my 3550, but it's still not working.

Did you modify the TCAM SDM templates?

"The number of TCAM entries used by PBR depends on the route-map itself, the ACLs used, and the order of the ACLs and route-map entries.

• You must modify the SDM template to enable the switch to support the 144-bit Layer 3 TCAM. Use the sdm prefer extended-match, sdm prefer access extended-match, or the sdm prefer routing extended-match global configuration commands to reformat the TCAM space allocated to unicast routing in the default, access, or routing template, respectively. Reformatting the unicast routing TCAM reduces by half the number of supported unicast routes in the template."

Are there any error messages produced when you apply your config?

Martin

Did you mean that I need to modify the SDM template to activate the VLAN layer 3 routing function or...?

I don't quite understand this yet:

You must use the extended-match keyword to support 144-bit Layer 3 TCAM when WCCP or multi-VRF CE is enabled on the switch. This keyword is not supported on the VLAN template.

I'd appreciate it if you could please shed some light on this.

Thanks.

Hi Everyone,

Any updates?

In my current configuration, I use "RIP 2"; is this the point?
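The checks suggested in the replies above (the access-list syntax, the "ip policy route-map" binding, and the extended-match SDM template), written as an added Python example that is not part of the original thread. The names audit_pbr, endpoint and POSTED are assumptions made for this illustration, and it assumes the sdm prefer line appears in the configuration text being audited; any finding means the policy may not take effect, leaving VLAN 2 traffic on the default route to Firewall 1.

```python
import re

IP = re.compile(r"\d+\.\d+\.\d+\.\d+$")
# Constructed sample: the PBR-relevant lines of the configuration posted in the thread.
POSTED = """\
interface Vlan2
 ip policy route-map ISP2
access-list 101 permit ip host 10.0.2.0 0.0.0.255 any
route-map ISP2 permit 10
 match ip address 101
 set ip default next-hop 10.0.10.200
"""

def endpoint(tok):
    """Consume one ACL endpoint (any | host A | A wildcard); False if malformed."""
    if tok[:1] == ["any"]:
        del tok[:1]
    elif len(tok) >= 2 and IP.match(tok[1]) and (tok[0] == "host" or IP.match(tok[0])):
        del tok[:2]
    else:
        return False
    return True

def audit_pbr(config):
    """Return findings for the PBR mistakes raised in this thread."""
    acls, maps, applied = set(), set(), set()
    matched, out, sdm_ok, current = [], [], False, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\d+) (?:permit|deny) (.*)", line):
            acls.add(m.group(1))
            tok = m.group(2).split()[1:]  # drop the protocol keyword
            # Extended ACL (100-199): source endpoint, then destination endpoint.
            if 100 <= int(m.group(1)) <= 199 and not (endpoint(tok) and endpoint(tok)):
                out.append(f"ACL {m.group(1)}: malformed source/destination")
        elif m := re.match(r"route-map (\S+)", line):
            current = m.group(1)
            maps.add(current)
        elif m := re.match(r"match ip address (\d+)", line):
            matched.append((current, m.group(1)))
        elif m := re.match(r"ip policy route-map (\S+)", line):
            applied.add(m.group(1))
        elif re.match(r"sdm prefer (\w+ )?extended-match", line):
            sdm_ok = True
    out += [f"route-map {r}: not applied to any interface" for r in sorted(maps - applied)]
    out += [f"route-map {r}: matches undefined ACL {a}" for r, a in matched if a not in acls]
    if maps and not sdm_ok:
        out.append("no 'sdm prefer ... extended-match': 144-bit Layer 3 TCAM not enabled")
    return out
```

Running audit_pbr(POSTED) reports the "host" plus wildcard access-list and the missing extended-match template; the configuration with both corrected returns an empty list.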
