Catalyst 3550-PBR

Ljube Tesan
Level 1

I am trying to set a default next-hop route on the vlan10 and vlan20 interfaces because I want to split up traffic on the c3550 to reach two different ISPs. Somehow the route-map could not be applied on the vlan interface. If I set just the next-hop command then it works, but default next-hop doesn't. PLEASE HELP!

14 Replies

Jon Marshall
Hall of Fame

ljube0131 wrote:

I am trying to set a default next-hop route on the vlan10 and vlan20 interfaces because I want to split up traffic on the c3550 to reach two different ISPs. Somehow the route-map could not be applied on the vlan interface. If I set just the next-hop command then it works, but default next-hop doesn't. PLEASE HELP!

I can't find the 3550 configuration docs but from the 3560 configuration doc it states that using the "ip default next-hop" within a route-map is not supported -

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst3560/software/release/12.2_25_sea/configuration/guide/swuncli.html#wp1034931

this also applies to the 3550 switch.

Jon

Nagaraja Thanthry
Cisco Employee

Hello,

In order for you to configure PBR on 3550, you need to have a minimum of IPServices image and your SDM template should be set to routing. You can verify the current SDM template using "show sdm prefer" command.

Switch#show sdm prefer

The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Once you verify the SDM template, if it is not set to routing, please set it to routing by issuing the command "sdm prefer routing".

Switch(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  routing             Unicast bias
  vlan                VLAN bias

Then, you will be able to apply the route-map to the interface. You need to use the "set ip next-hop" command under the route-map.

Hope this helps.

Regards,

NT
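The check NT describes above is a manual read of the "show sdm prefer" output. As an added example (not part of the thread and not Cisco code), the Python below parses that output into the template name and the per-resource entry counts, and reports whether the active template reserves any policy-based-routing ACEs at all; the sample text is copied from NT's post, and the expansion of a trailing K as 1024 entries is an assumption.

```python
import re

# Sample output copied from the 'show sdm prefer' transcript in NT's post above.
SHOW_SDM_PREFER = """\
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
"""

PBR_RESOURCE = "number of IPv4 policy based routing aces"


def parse_sdm_prefer(text):
    """Return (template name, {resource name: entries}) from 'show sdm prefer' output.

    A trailing K is expanded as 1024 entries. That factor is an assumption made
    for this example; the thread does not document the exact TCAM sizing.
    """
    m = re.search(r'The current template is "([^"]+)" template', text)
    template = m.group(1) if m else None
    counts = {}
    for line in text.splitlines():
        hit = re.match(r"\s*(.+?):\s+([\d.]+)(K?)\s*$", line)
        if hit:
            name, num, kilo = hit.groups()
            counts[name] = int(float(num) * (1024 if kilo else 1))
    return template, counts


def pbr_ace_capacity(text):
    """How many PBR ACEs the active template reserves (0 on the 'desktop default' sample)."""
    return parse_sdm_prefer(text)[1].get(PBR_RESOURCE, 0)


def pbr_possible(text):
    """A route-map cannot be applied to an SVI while the template reserves zero PBR ACEs."""
    return pbr_ace_capacity(text) > 0


if __name__ == "__main__":
    name, resources = parse_sdm_prefer(SHOW_SDM_PREFER)
    print(f"template: {name}; PBR ACEs: {pbr_ace_capacity(SHOW_SDM_PREFER)}; PBR possible: {pbr_possible(SHOW_SDM_PREFER)}")
```

Paste the real output of the command into SHOW_SDM_PREFER (or read it from a file) to run the same check against your own switch; a zero in the policy-based-routing line is the condition NT is telling you to fix with "sdm prefer routing".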

Configuration file is attached. I set sdm prefer extended-match because policy based routing on the C3550 requires this, but I find that fast-switched PBR restricts some set commands (default next-hop, default interface).

What is your question ? The default next-hop etc. commands are not supported with the 3550 no matter what IOS you run, see my previous post.

Are you now asking something else ?

Jon

My question is whether "default next-hop" is supported by the c3550, because I see it as the only way to split up traffic to two ISPs. Is there any other way to do that on the C3550?

Hello,

"default next-hop" command is not supported on DSBU switches. You can use "set ip next-hop" command instead.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_se/configuration/guide/swiprout.html#wp1260543

Here is an explanation of both commands in question:

https://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a00801f3b54.shtml

If you want to send the traffic via routing table and send it via a specific path if the route does not exist, then you might have to do route tracking. Otherwise, if you are just looking to route specific traffic type through a specific path, then you need to use "set ip next-hop" configuration.

Hope this helps.

Regards,

NT

If you can match the traffic based on an access list, you can try the following -

Define ACL 1 for traffic to ISP 1

access-list 1 permit <ip>

Define ACL 2 for traffic to ISP 2

access-list 2 permit <ip>

route-map test permit 10
 match ip address 1
 set ip next-hop <ISP 1 next-hop ip>
!
route-map test permit 20
 match ip address 2
 set ip next-hop <ISP 2 next-hop ip>

Apply the route map to the appropriate interface

Ljube Tesan
Level 1

I can't use "set ip next-hop" because it will take all my vlan traffic out over the firewalls, and my vlans on the c3550 will not be able to connect to other parts of my local networks that are connected to the c3550 over the router 2610.

ISP1______c3500(VLANs10,20)

ISP2______/       |_2610----LANs

ljube0131 wrote:

I can't use "set ip next-hop" because it will take all my vlan traffic out over the firewalls, and my vlans on the c3550 will not be able to connect to other parts of my local networks that are connected to the c3550 over the router 2610.

ISP1______c3500(VLANs10,20)

ISP2______/       |_2610----LANs

I hesitated to reply to this post because you clearly didn't read my original answer, i.e. even after being told default next-hop is not supported you were still asking whether it was supported or not.

However this is a forum where we try to help so.

You can use set ip next-hop, you simply need to use deny statements in your access-list for the traffic you don't want PBR'd, e.g.

on your 3550 you have -

vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.6.0/24

let's say you have 2 other networks off the 2610 -

192.168.7.0/24
192.168.8.0/24

access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 deny ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 101 permit ip any any

route-map PBR permit 10
 match ip address 101
 set ip next-hop <ISP next-hop ip>

the deny entries in your acl will not be policy routed, i.e. they will use the routing table; any other traffic will be policy routed.

Jon

Hello,

You can use extended access-lists and specify the exact matches. For example, if the subnets behind 2620 are 10.x.x.x, you can do the following:

access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

route-map VL10 permit 10
 match ip address 101
 set ip next-hop <2600's IP>
route-map VL10 permit 20
 match ip address 102
 set ip next-hop <ISP next-hop ip>

While you could also use deny statements in the access-lists, using deny statements will send the traffic to the CPU and could affect your performance.

Hope this helps.

Regards,

NT

NT makes a good point and one I forgot about. If you mix deny statements and permit statements in the same acl, the packets are software switched, so it would be better to use the example he provided.

Jon
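Both designs in this thread rely on how a route-map evaluates its ACL: a permit match sets the next hop, while a deny match (or no match) in every sequence falls through to the ordinary routing table. As an added example that is not part of the thread and not IOS code, the Python below models that evaluation with IOS wildcard-mask semantics and applies Jon's deny-based ACL and NT's permit-only pair to the same constructed address plan (Jon's vlan 10/11 and LAN subnets; the next-hop addresses and the routing table are placeholders invented for the example). It shows that the two designs produce identical forwarding decisions for every sample flow, and that only Jon's version contains the deny ACEs NT warns about; what the hardware does with those deny ACEs is not modelled here.

```python
import ipaddress

# Constructed address plan following Jon's example. The next hops are
# placeholders (RFC 5737 documentation space on the ISP side), not thread values.
NEXT_HOP_2610 = "192.168.1.2"   # hypothetical inside address of the 2610
NEXT_HOP_ISP1 = "203.0.113.1"   # hypothetical ISP1 firewall address

ANY = ("0.0.0.0", "255.255.255.255")            # IOS 'any'
def slash24(net): return (net, "0.0.0.255")      # IOS wildcard for a /24

VLAN10, VLAN11 = slash24("192.168.5.0"), slash24("192.168.6.0")
LAN7, LAN8 = slash24("192.168.7.0"), slash24("192.168.8.0")


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_action(acl, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, (s, swc), (d, dwc) in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


def policy_route(route_map, src, dst):
    """route_map is a list of (acl, next_hop) permit sequences. The first sequence
    whose ACL permits the packet sets the next hop; a deny or no match in every
    sequence returns None, meaning 'use the routing table'."""
    for acl, next_hop in route_map:
        if acl_action(acl, src, dst) == "permit":
            return next_hop
    return None


# Constructed routing table: LAN subnets via the 2610, default via ISP1.
ROUTING_TABLE = [("192.168.7.0/24", NEXT_HOP_2610),
                 ("192.168.8.0/24", NEXT_HOP_2610),
                 ("0.0.0.0/0", NEXT_HOP_ISP1)]


def table_route(dst):
    """Longest-prefix match over the constructed routing table."""
    candidates = [(ipaddress.ip_network(p), nh) for p, nh in ROUTING_TABLE
                  if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def forward(route_map, src, dst):
    """Next hop actually used: PBR result if any, otherwise the routing table."""
    nh = policy_route(route_map, src, dst)
    return nh if nh is not None else table_route(dst)


# Jon's design: deny the LAN-bound flows so they fall back to the routing
# table, permit everything else towards ISP1.
ACL_DENY_STYLE = [("deny", VLAN10, LAN7), ("deny", VLAN11, LAN7),
                  ("deny", VLAN10, LAN8), ("deny", VLAN11, LAN8),
                  ("permit", ANY, ANY)]
JON_MAP = [(ACL_DENY_STYLE, NEXT_HOP_ISP1)]

# NT's design: permit-only ACLs, one per path, so no deny ACE is ever hit.
ACL_TO_LAN = [("permit", v, l) for v in (VLAN10, VLAN11) for l in (LAN7, LAN8)]
ACL_TO_ISP = [("permit", VLAN10, ANY), ("permit", VLAN11, ANY)]
NT_MAP = [(ACL_TO_LAN, NEXT_HOP_2610), (ACL_TO_ISP, NEXT_HOP_ISP1)]

# Constructed sample flows (source, destination).
FLOWS = [("192.168.5.10", "192.168.7.20"),   # vlan10 -> LAN behind the 2610
         ("192.168.5.10", "198.51.100.7"),   # vlan10 -> Internet
         ("192.168.6.3", "192.168.8.9"),     # vlan11 -> LAN behind the 2610
         ("192.168.6.3", "198.51.100.8")]    # vlan11 -> Internet


def uses_deny(route_map):
    """True if any ACL referenced by the route-map contains a deny ACE."""
    return any(ace[0] == "deny" for acl, _ in route_map for ace in acl)


def compare(flows=FLOWS):
    """Per flow: (src, dst, next hop under Jon's map, next hop under NT's map)."""
    return [(s, d, forward(JON_MAP, s, d), forward(NT_MAP, s, d)) for s, d in flows]


def designs_agree(flows=FLOWS):
    return all(j == n for _, _, j, n in compare(flows))


if __name__ == "__main__":
    for row in compare():
        print(row)
    print("deny ACEs present - Jon:", uses_deny(JON_MAP), "NT:", uses_deny(NT_MAP))
```

The useful check when adapting either design to your own subnets is `designs_agree` over flows you care about, plus `policy_route` returning None for exactly the traffic you expect to stay on the routing table; a LAN-bound flow that comes back with the ISP next hop means an ACE is missing or its wildcard mask is wrong.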

Jon Marshall
Hall of Fame

I hesitated to reply to this post because you clearly didn't read my original answer, i.e. even after being told default next-hop is not supported you were still asking whether it was supported or not.

However this is a forum where we try to help so.

Apologies. First post of the day and I think you got some of the bad mood I started today with. No offense intended; hopefully NT's solution works for you.

Jon

NT, this works! Thank you a lot!

No problem JM, I really appreciate your assistance.

I am new in this and I was a little bit confused because my c3550 route-map accepts my default next-hop command but I can't apply it on the interface.

Thank you, once more!

