Issue while configuring PBR in a 3750/3560 switch ?
Some of the common scenarios we come across
- We are able to configure route-map but the router does not support the “ip policy route-map” under the interface.
- We are able to configure the command but this does not reflect under the interface while issuing the “show run”
These are two issues, we will be addressing separately.
For the first issue:
We need to make sure that we are not running an IP Base image. Policy-based routing (PBR) allows superior control by facilitating flow redirection regardless of the routing protocol configured. The IP Services image is required for the same to be supported.
Kindly refer the following document for reference
For the second issue:
Incase our image is not a Base feature set, and we are facing the second condition mentioned, check the following
- 3750/3560 switches Switch Database Management (SDM) use templates.
Understanding the SDM Templates
You can use SDM templates to configure system resources in the switch to optimize support for specific features, depending on how the switch is used in the network. You can select a template to provide maximum system usage for some functions; for example, use the default template to balance resources, and use access template to obtain maximum ACL usage.
To allocate ternary content addressable memory (TCAM) resources for different usages, the switch SDM templates prioritize system resources to optimize support for certain features. You can select SDM templates for IP Version 4 (IPv4) to optimize these features:
- Routing—The routing template maximizes system resources for unicast routing, typically required for a router or aggregator in the center of a network.
- VLANs—The VLAN template disables routing and supports the maximum number of unicast MAC addresses. It would typically be selected for a Layer 2 switch.
- Default—The default template gives balance to all functions.
- Access—The access template maximizes system resources for access control lists (ACLs) to accommodate a large number of ACLs.
By default these switches use the Default SDM Template which is the default desktop template. This default does not allocate any resources for the PBR and hence we notice the issue of being unable see the command entered under the interface even though it should ideally support it.
- Issue the following command to check the sdm preferred template on your device . Note the line “number of policy based routing aces” showing up as “0”.
Switch# show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of igmp groups + multicast routes: 1K
number of unicast routes: 8K
number of directly connected hosts: 6K
number of indirect routes: 2K
number of policy based routing aces: 0
number of qos aces: 512
number of security aces: 1K
Therefore to enable the switch to be able to do Policy Based Routing, we first need to allocate resources for the same.
Here is how we allocate the resources,
This example shows how to configure a switch with the routing template.
Switch(config)# sdm prefer routing
Switch(config)# end
Switch# wr mem
Switch# reload
Proceed with reload? [confirm]
Note that the resources will be allocated only after the reload.
Issue the following command to check the sdm prefer after reload.
Switch# show sdm prefer "desktop routing" template:
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of igmp groups + multicast routes: 1K
number of unicast routes: 11K
number of directly connected hosts: 3K
number of indirect routes: 8K
number of policy based routing aces: 512number of qos aces: 512
number of security aces: 1K
Notice now that resources have been allocated for PBR
number of policy based routing aces: 512
- After making sure that resources have been allocated, we will be able to both configure route-maps and also PBR under the interfaces.
Note:- allocating resources in a base image will not help us configure PBR, we would require the IP services image for the same.
Some Points I would like to share here.
1. At times, on certain switches, where everything is switched in the hardware we might not see any hits in the access-list neither in the PBR. The best way to check here if the packets are getting policy routed, is to run a trace from the source to destination.
2. Also note that, when we have “log” statement at the end of an ACL that is called in a PBR , the PBR will not work as expected unless we turn off CEF or by remove the ip route cache cef on interface
Find the following table that shows the different SDM templates available and the resources allocated
This table lists the approximate numbers of each resource supported in each of the three templates for a desktop switch.
Approximate Number of Feature Resources Allowed by Each Template | ||||
Resource | Access | Default | Routing | VLAN |
Unicast MAC addresses | 4K | 6 K | 3 K | 12 K |
IGMP groups and multicast routes | 1 K | 1 K | 1 K | 1 K |
nicast routes | 6 K | 8 K | 11 K | 0 |
* Directly connected hosts | 4 K | 6 K | 3 K | 0 |
* Indirect routes | 2 K | 2 K | 8 K | 0 |
Policy-based routing ACEs | 512 | 0 | 512 | 0 |
QoS classification ACEs | 512 | 512 | 512 | 512 |
Security ACEs | 2 K | 1 K | 1 K | 1 K |
Layer 2 VLANs | 1 K | 1 K | 1 K | 1 K |
The first eight rows in the tables (unicast MAC addresses through security ACEs) represent approximate hardware boundaries set when a template is selected. If a section of a hardware resource is full, all processing overflow is sent to the CPU, seriously impacting switch performance. The last row is a guideline used to calculate hardware resource consumption related to the number of Layer 2 VLANs on the switch.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
COMMENTS? QUESTIONS? SUGGESTIONS?
Please sign in, and enter your feedback below! Thank you!
1 Comment
