Re: Policy Based Routing

netsec123 · ‎09-20-2007

We are having a terrible time. We have a 3550 with the enhanced image. IT has a default gateway of an existing firewall. We have added a 2nd firewall and ISP. If the traffic is HTTP traffic, we want to point it to the NEW ISP AND FIREWALL. We thought PBR would solve this but the ip policy interface command does not exist in 12.1(22)EA1. IS there any other way to accomplish this such that I point HTTP traffic out another direction? PLEASE HELP!!!!

Edison Ortiz · ‎09-20-2007

Source based routing can only be accomplished with PBR.

According to the Feature Navigator, 12.1(22)EA1 does support PBR (the EMI IOS IMAGE) c3550-i5q3l2-mz.121-22.EA1.bin

However, you must change your SDM template from 'desktop' which is the default to 'routing'.

Look for the global config command 'sdm prefer'. A reboot is required after this change.

netsec123 · ‎09-20-2007

You're kidding!

I tried that. Would you know the exact SDM Command? I did the reboot too! When I go into the vlan1 interface and type ip ??, there is no ip policy command. :( Do you know the exact SDM command I need?

THANKS!

Edison Ortiz · ‎09-20-2007

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/command/reference/cli2.html#wp3417591

netsec123 · ‎09-21-2007

Thank you!

I will give this a go....

Edison Ortiz · ‎09-20-2007

Here is the documentation on PBR for the 3550.

Also, make sure 'ip routing' is enabled. It's disabled by default.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swiprout.html#wp1260543

netsec123 · ‎09-21-2007

Thank you for getting back to me.

This is killing me! Take a look at the output below and I will comment .. As you can see, the command is NOT listed, I put in the SDM statements, rebooted twice, and also listed a show ver on the switch! IP routing is enabled. I don't get it... I gotta be missing something stupid... Please help.... THANKS!

cef Cisco Express Fowarding interface commands

dhcp Configure DHCP parameters for this interface

directed-broadcast Enable forwarding of directed broadcasts

helper-address Specify a destination address for UDP broadcasts

irdp ICMP Router Discovery Protocol

load-sharing Style of load sharing

local-proxy-arp Enable local-proxy ARP

mask-reply Enable sending ICMP Mask Reply messages

mtu Set IP Maximum Transmission Unit

probe Enable HP Probe support

proxy-arp Enable proxy ARP

rarp-server Enable RARP server for static arp entries

redirects Enable sending ICMP Redirect messages

rip Router Information Protocol

route-cache Enable fast-switching cache for outgoing packets

security DDN IP Security Option

split-horizon Perform split horizon

summary-address Perform address summarization

unnumbered Enable IP processing without an explicit address

unreachables Enable sending ICMP Unreachable messages

vrf VPN Routing/Forwarding parameters on the interface

HaddRouter(config-if)#ip policy ?

% Unrecognized command

HaddRouter(config-if)#ip policy

sdm prefer routing extended-match

Cisco Internetwork Operating System Software

IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(22)EA1a, RELEASE SOFTWARE

(fc1)

Compiled Fri 20-Aug-04 00:30 by yenanh

Image text-base: 0x00003000, data-base: 0x006C5C6C

ROM: Bootstrap program is C3550 boot loader

HaddRouter uptime is 2 hours, 32 minutes

System returned to ROM by power-on

System image file is "flash:c3550-i9q3l2-mz.121-22.EA1a/c3550-i9q3l2-mz.121-22.E

A1a.bin"

cisco WS-C3550-48 (PowerPC) processor (revision Q0) with 65526K/8192K bytes of m

emory.

Processor board ID CAT0846N0M0

Last reset from warm-reset

Running Layer2/3 Switching Image

Edison Ortiz · ‎09-21-2007

You have c3550-i9q3l2-mz.121-22.EA1a and Cisco Feature Navigator list the supported IOS as c3550-i5q3l2-mz.121-22.EA1.bin

Please download such IOS and try again.

netsec123 · ‎09-21-2007

THANK YOU.

I WILL TRY THIS IMMEDIATELY!

Thank u so much!

netsec123 · ‎09-21-2007

Thank you for getting back to me.

This is killing me! Take a look at the output below and I will comment .. As you can see, the command is NOT listed, I put in the SDM statements, rebooted twice, and also listed a show ver on the switch! IP routing is enabled. I don't get it... I gotta be missing something stupid... Please help.... THANKS!

cef Cisco Express Fowarding interface commands

dhcp Configure DHCP parameters for this interface

directed-broadcast Enable forwarding of directed broadcasts

helper-address Specify a destination address for UDP broadcasts

irdp ICMP Router Discovery Protocol

load-sharing Style of load sharing

local-proxy-arp Enable local-proxy ARP

mask-reply Enable sending ICMP Mask Reply messages

mtu Set IP Maximum Transmission Unit

probe Enable HP Probe support

proxy-arp Enable proxy ARP

rarp-server Enable RARP server for static arp entries

redirects Enable sending ICMP Redirect messages

rip Router Information Protocol

route-cache Enable fast-switching cache for outgoing packets

security DDN IP Security Option

split-horizon Perform split horizon

summary-address Perform address summarization

unnumbered Enable IP processing without an explicit address

unreachables Enable sending ICMP Unreachable messages

vrf VPN Routing/Forwarding parameters on the interface

HaddRouter(config-if)#ip policy ?

% Unrecognized command

HaddRouter(config-if)#ip policy

sdm prefer routing extended-match

Cisco Internetwork Operating System Software

IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(22)EA1a, RELEASE SOFTWARE

(fc1)

Compiled Fri 20-Aug-04 00:30 by yenanh

Image text-base: 0x00003000, data-base: 0x006C5C6C

ROM: Bootstrap program is C3550 boot loader

HaddRouter uptime is 2 hours, 32 minutes

System returned to ROM by power-on

System image file is "flash:c3550-i9q3l2-mz.121-22.EA1a/c3550-i9q3l2-mz.121-22.E

A1a.bin"

cisco WS-C3550-48 (PowerPC) processor (revision Q0) with 65526K/8192K bytes of m

emory.

Processor board ID CAT0846N0M0

Last reset from warm-reset

Running Layer2/3 Switching Image

netsec123 · ‎09-21-2007

Uh oh ..... Turns out I have an SMI switch ... Am I hosed...

The password-recovery mechanism is enabled.

384K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 00:12:80:43:AE:80

Motherboard assembly number: 73-5701-10

Power supply part number: 34-0967-02

Motherboard serial number: CAT084606YY

Power supply serial number: DTH08456JMV

Model revision number: Q0

Motherboard revision number: A0

Model number: WS-C3550-48-SMI

System serial number: CAT0846N0M0

Configuration register is 0x10F

Edison Ortiz · ‎09-21-2007

Indeed, you are :)

You need EMI ...

netsec123 · ‎09-22-2007

Thank you --- I missed that...

BUT, thank you so much for your help. I will bring in another router with a single ethernet and reroute packets that way... Waht would happen if I tried to install the EMI image on the SMI switch?

Edison Ortiz · ‎09-22-2007

I never tried myself. Legally, you need to purchase the EMI license product.

According to this link

http://www.cisco.com/en/US/products/hw/switches/ps646/ps3817/index.html

it seems it's a software upgrade vs a hardware upgrade.

Try it at your own risk ...

netsec123 · ‎09-22-2007

Thank you sir. I will not try this remotely! :) I will use another router. IN ANY CASE THANK YOU SO MUCH!

You rock!

Cheers!