01-14-2019 07:56 AM
I am trying to set up policy based routing on a Cisco 2960XR. IOS version 152.2.E5. This will be used to route depending on source IP address.
I have added an ACL and created the route-map; however, when I try to apply it to the interface, the option in the example is not available. The example states:
switch(config)#interface gigabitethernet 1/0/1
switch(config-if)#ip policy route-map pbr-map
When I try to add my route-map to an interface, there is no option for 'policy' after entering ip ?
All I am offered is:
access-group
admission
arp
device
dhcp
flow
igmp
verify
Is this down to IOS version or am I missing something, e.g. a service or something I need to enable?
01-14-2019 08:03 AM
You don't say which feature set you are running but according to the configuration guide you need IP Lite -
Jon
01-14-2019 10:17 AM
Hello,
I think you need 15.2(6)E2. Check the release notes and scroll down to High Performance Routing (IP Lite Image):
High Performance Routing (IP Lite Image)
--> Policy-based routing (PBR) allows superior traffic control by providing flow redirection regardless of the routing protocol configured.
01-15-2019 12:35 AM
John
Apologies, I have not used those switches and just assumed there were multiple feature sets available (teach me to be more careful next time).
I think Georg is right, i.e. you may need to upgrade the IOS.
Jon
01-14-2019 11:03 AM
What is the rest of your config under interface gigabitethernet 1/0/1? If this interface is a L2 switchport you will not have the ip policy command set. If the interface is a trunk, and you are attempting to steer traffic for a specific VLAN then apply the route-map under that SVI. Hope this helps.
01-14-2019 12:50 PM
Hi,
The best way to find the solution is, please post the configuration here after removing the sensitive information.
Best regards,
01-15-2019 02:34 AM
Hi All and thanks for your responses.
1. I have updated to 15.2(6)E2 and I still get the same options, no IP Policy.
2. Although I don't get the option for IP Policy on the interface, I do get it on the SVI.
3. I think I have found a solution using the IP Access-group command but I'm not sure that is doing what I think it's doing.
Here is a cut down copy of the config. What I am trying to achieve is:
Traffic coming into the switch on interfaces G1/0/47 and 48 from our firewall is checked for source address. If it matches the address in access-list 102 it is sent down interface G1/0/25. If it doesn't match it sends it out interface G1/0/49.
version 15.2
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
boot-start-marker
boot-end-marker
!
aaa session-id common
switch 1 provision ws-c2960xr-48fpd-i
system mtu routing 1500
!
ip routing
!
no setup express
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan 20
 name FW_N3_Uplink
!
vlan 30
 name HSCN_Uplink
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/25
 description "Link to HSCN"
 switchport access vlan 30
 switchport mode access
!
!
interface GigabitEthernet1/0/47
 description "Link to FW01 Cab 10"
 switchport access vlan 20
 switchport mode access
 ip access-group 102 in
!
interface GigabitEthernet1/0/48
 description "Link to FW01 Cab 11"
 switchport access vlan 20
 switchport mode access
 ip access-group 102 in
!
interface GigabitEthernet1/0/49
 description "Link to BT"
 switchport access vlan 20
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 auto qos voip trust
!
!
!
interface Vlan20
 ip address 10.1.1.2 255.255.255.240
!
interface Vlan30
 ip address 10.2.2.2 255.255.255.252
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip ssh version 2
!
!
access-list 102 permit ip 10.3.3.0 0.0.0.127 any
!
!
route-map HSCN-Traffic permit 10
 match ip address 102
 set ip next-hop 10.2.2.1
!
Thanks.
01-15-2019 02:46 AM
John
Just apply the PBR to the SVI, that is what you should be doing anyway and this will achieve what you want.
I suspect you cannot use the interface as it was not configured as a L3 interface, but regardless, from your description the SVI is where you should be applying the route map.
Jon
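The change described in this answer, written out against the configuration posted above. This is an added example, not part of the original thread; it assumes the names from that configuration (route-map HSCN-Traffic, access-list 102, and Vlan20 as the SVI on which the firewall traffic arrives).

```cisco
! Before (posted config): ACL 102 is applied as a packet filter on the two
! L2 access ports. An access group only permits or drops packets; it never
! consults the route-map, and the implicit deny at the end of ACL 102 drops
! every source outside 10.3.3.0 - 10.3.3.127.
interface GigabitEthernet1/0/47
 no ip access-group 102 in
!
interface GigabitEthernet1/0/48
 no ip access-group 102 in
!
! After: ACL 102 is used only as the match condition of the route-map
! (both already present in the posted config, repeated here for context).
access-list 102 permit ip 10.3.3.0 0.0.0.127 any
!
route-map HSCN-Traffic permit 10
 match ip address 102
 set ip next-hop 10.2.2.1
!
! The route-map is applied to the SVI for VLAN 20, the L3 interface
! where the ip policy command is available.
interface Vlan20
 ip address 10.1.1.2 255.255.255.240
 ip policy route-map HSCN-Traffic
!
! Packets that do not match ACL 102 are not policy routed and follow the
! routing table (ip route 0.0.0.0 0.0.0.0 10.1.1.1 in the posted config).
```

`show ip policy` lists which interface each route-map is bound to, and `show route-map HSCN-Traffic` displays its match and set clauses.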
01-15-2019 03:33 AM
Many thanks Jon.
01-14-2019 02:04 PM
Hello
What SDM template are you running?
sh sdm prefer