
PBR on Switches (3750/3560)


Issues while configuring PBR on a 3750/3560 switch

 

Some of the common scenarios we come across:

1. We are able to configure the route-map, but the switch does not accept the "ip policy route-map" command under the interface.

2. We are able to enter the command, but it does not appear under the interface in the output of "show run".

These are two separate issues, and we will address them separately.

 

For the first issue:

We need to make sure that we are not running an IP Base image. Policy-based routing (PBR) allows superior control by facilitating flow redirection regardless of the routing protocol configured. The IP Services image is required for PBR to be supported.

 

Refer to the following documents for reference:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5023/product_data_sheet0900aecd80371991.html

 

http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html

 

For the second issue:

If our image is not the IP Base feature set and we are facing the second condition mentioned above, check the following.

3750/3560 switches use Switch Database Management (SDM) templates.

 

Understanding the SDM Templates

You can use SDM templates to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions; for example, use the default template to balance resources, and use the access template to obtain maximum ACL usage.

To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates for IP Version 4 (IPv4) to optimize these features:

Routing—The routing template maximizes system resources for unicast routing, typically required for a router or aggregator in the center of a network.

VLANs—The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.

Default—The default template gives balance to all functions.

Access—The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.

By default these switches use the Default SDM template, which is the default desktop template. This default does not allocate any resources for PBR, and hence we see the issue of being unable to see the command entered under the interface even though the image should support it.

 

Issue the following command to check the SDM preferred template on your device. Note the line "number of policy based routing aces" showing up as "0".

 

 

Switch# show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:             6K
  number of igmp groups + multicast routes:    1K
  number of unicast routes:                    8K
    number of directly connected hosts:        6K
    number of indirect routes:                 2K
  number of policy based routing aces:         0
  number of qos aces:                          512
  number of security aces:                     1K

 

Therefore, to enable the switch to do Policy Based Routing, we first need to allocate resources for it.

Here is how we allocate the resources.

 

This example shows how to configure a switch with the routing template.

Switch(config)# sdm prefer routing
Switch(config)# end
Switch# wr mem
Switch# reload
Proceed with reload? [confirm]

 

Note that the resources will be allocated only after the reload.

 

Issue the following command to check the SDM template after the reload.

 

Switch# show sdm prefer 
"desktop routing" template:
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
 
  number of unicast mac addresses:             3K
  number of igmp groups + multicast routes:    1K
  number of unicast routes:                    11K
    number of directly connected hosts:        3K
    number of indirect routes:                 8K
  number of policy based routing aces:         512
  number of qos aces:                          512
  number of security aces:                     1K

 

Notice that resources have now been allocated for PBR:

  number of policy based routing aces:         512

 

After making sure that resources have been allocated, we will be able to both configure route-maps and apply PBR under the interfaces.
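The check described above can be scripted when auditing many switches. The following is an added example, not code from the original post: it parses the text of "show sdm prefer" (the two abbreviated samples are copied from the outputs shown above) and reports why PBR would not work. The feature-set label passed to pbr_status is an assumption; it would normally be read from "show version".

```python
import re

# Abbreviated "show sdm prefer" output from the page: default template, 0 PBR ACEs.
SDM_DEFAULT = """\
The current template is "desktop default" template.
  number of unicast mac addresses:             6K
  number of unicast routes:                    8K
  number of policy based routing aces:         0
  number of qos aces:                          512
  number of security aces:                     1K
"""

# Same command after "sdm prefer routing" and a reload (also from the page).
SDM_ROUTING = """\
"desktop routing" template:
  number of unicast mac addresses:             3K
  number of unicast routes:                    11K
  number of policy based routing aces:         512
  number of qos aces:                          512
  number of security aces:                     1K
"""

_TEMPLATE_RE = re.compile(r'"(desktop [a-z]+)"')
_RESOURCE_RE = re.compile(r'^\s*number of (.+?):\s+(\d+)([KM]?)\s*$', re.M)
_SCALE = {"": 1, "K": 1024, "M": 1024 * 1024}


def parse_sdm_prefer(output):
    """Return (template_name, {resource: count}) parsed from the CLI text."""
    m = _TEMPLATE_RE.search(output)
    template = m.group(1) if m else None
    resources = {}
    for name, num, unit in _RESOURCE_RE.findall(output):
        resources[name.strip()] = int(num) * _SCALE[unit]   # "6K" -> 6144
    return template, resources


def pbr_status(output, feature_set):
    """Explain why PBR would not work on this switch, or return 'ok'.

    feature_set is an assumed label such as 'ipbase' or 'ipservices'."""
    if feature_set.lower() in ("ipbase", "ip base"):
        return "ip services image required"          # first issue on the page
    template, res = parse_sdm_prefer(output)
    aces = res.get("policy based routing aces", 0)
    if aces == 0:                                    # second issue on the page
        return "sdm template %s allocates 0 PBR aces; use 'sdm prefer routing' and reload" % template
    return "ok"
```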

 

Note: allocating resources in an IP Base image will not help us configure PBR; we would require the IP Services image for that.

 

Some points I would like to share here:

1. At times, on certain switches where everything is switched in hardware, we might not see any hits on the access-list or in the PBR. The best way to check whether the packets are getting policy routed is to run a trace from the source to the destination.

2. Also note that when we have a "log" statement at the end of an ACL that is called in a PBR route-map, the PBR will not work as expected unless we turn off CEF or remove "ip route-cache cef" on the interface.

 

 

The following table shows the different SDM templates available and the resources allocated; it lists the approximate numbers of each resource supported in each of the three templates for a desktop switch.

 

Approximate Number of Feature Resources Allowed by Each Template

Resource                           Access   Default   Routing   VLAN
Unicast MAC addresses              4 K      6 K       3 K       12 K
IGMP groups and multicast routes   1 K      1 K       1 K       1 K
Unicast routes                     6 K      8 K       11 K      0
Directly connected hosts           4 K      6 K       3 K       0
Indirect routes                    2 K      2 K       8 K       0
Policy-based routing ACEs          512      0         512       0
QoS classification ACEs            512      512       512       512
Security ACEs                      2 K      1 K       1 K       1 K
Layer 2 VLANs                      1 K      1 K       1 K       1 K
 

The first eight rows in the table (unicast MAC addresses through security ACEs) represent approximate hardware boundaries set when a template is selected. If a section of a hardware resource is full, all processing overflow is sent to the CPU, seriously impacting switch performance. The last row is a guideline used to calculate hardware resource consumption related to the number of Layer 2 VLANs on the switch.
