Beginner

Unable to set PBR on a vlan ..Running Cisco IOS XE code on C9500-16X

I am trying to apply PBR on vlan 1 and 2 to reroute traffic for the specified host. However, the following errors are seen in the log message. Can someone advise a way to apply pbr on the C9500 L3 switch? 

 

The idea here is to pass all the internet and intranet traffic for the below host via MPLS. As of now, internet and intranet path are separate. 

 

[Attached image: BGP.png]

Beginner

Logs:

003593: UTC: %FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map INTERNET_TEST has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied.
003594: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:ip policy route-map INTERNET_TEST
003595: UTC: %FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map INTERNET_TEST has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied.
003596: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:ip policy route-map INTERNET_TEST
003597: 6 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:exit
003598: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:interface Vlan2
003599: UTC: %FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map INTERNET_TEST has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied.
003600: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:ip policy route-map INTERNET_TEST
003601: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:exit


1. Quick question: what kind of license do you have? For PBR to work you need Network Essentials minimum on the Cat 9500.

2. If you already have the required license, I would like to see the configuration. Post the relevant configuration to understand the issue.

BB
*** Rate All Helpful Responses ***

The error message does not seem to indicate that PBR is not supported but that an invalid option is specified. We need to see the details of the config and of the route map you are trying to use. 

HTH

Rick
VIP Advocate

Hi,

Can you share the configuration and IOS version?

 

From my experience: I was working on a Cisco 3850 and got the same error, and finally got to know that the 'verify-availability' command with IP SLA tracking is not supported in the IOS on the 3850. Make sure you are not making the same mistake (I know this is a different platform).

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
VIP Mentor

Hello,

 

What does your PBR policy actually look like? Post the running configuration of your 9500, and have a look at the link below for what is allowed and what is not...

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-8/configuration_guide/rtng/b_168_rtng_9500_cg/b_168_rtng_9500_cg_chapter_01100.html#ID8123


Thanks all for your responses. Here is the additional information:

------------------------------------------------------------------------------
Technology-package                              Technology-package
Current             Type                        Next reboot
------------------------------------------------------------------------------
network-advantage   Smart License               network-advantage
dna-advantage       Subscription Smart License  dna-advantage

Switch Ports Model      SW Version SW Image     Mode
------ ----- -----      ---------- ----------   ----
*    1 26    C9500-16X  16.9.4     CAT9K_IOSXE  BUNDLE (System image file is "flash:cat9k_iosxe.16.09.04.SPA.bin")
     2 26    C9500-16X  16.9.4     CAT9K_IOSXE  BUNDLE

 

 

ip access-list extended FROM_TEST_PC
permit ip host 10.1.1.1 any
permit ip host 10.2.2.0 any

ip access-list extended TO_RFC1918
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.0.0.0 0.240.255.255
permit ip any 192.168.0.0 0.0.255.255


route-map INTERNET_TEST deny 10
match ip address TO_RFC1918
route-map INTERNET_TEST permit 20
match ip address FROM_TEST_PC
set ip next-hop recursive 172.16.1.3


interface Vlan1
ip address 10.1.1.1 255.255.255.0
ip policy route-map INTERNET_TEST   <--- this is the statement I want to add
end

interface Vlan1
ip address 10.2.2.1 255.255.255.0
ip policy route-map INTERNET_TEST   <--- this is the statement I want to add
end

 

 

router bgp 64497
bgp always-compare-med
bgp log-neighbor-changes
bgp deterministic-med
redistribute connected route-map REDIST_TO_BGP
redistribute static route-map REDIST_TO_BGP
neighbor 172.16.1.3 remote-as 64497
neighbor 172.16.1.3 timers 5 15
neighbor 172.16.1.3 fall-over bfd
neighbor 172.16.1.3 route-reflector-client
neighbor 172.16.1.3 next-hop-self
neighbor 172.16.1.3 send-community
neighbor 172.16.1.3 soft-reconfiguration inbound
neighbor 172.16.1.3 route-map MPLS_POLICY_IN in
neighbor 172.16.1.3 route-map MPLS_POLICY_OUT out
neighbor 172.16.1.1 remote-as 65112
neighbor 172.16.1.1 timers 5 15
neighbor 172.16.1.1 next-hop-self
neighbor 172.16.1.1 send-community
neighbor 172.16.1.1 soft-reconfiguration inbound
neighbor 172.16.1.1 route-map DMVPN_POLICY_IN_S in
neighbor 172.16.1.1 route-map DMVPN_POLICY_OUT_S out
maximum-paths 6
maximum-paths ibgp 6

 


Hi,

ip next-hop recursive and ip next-hop verify availability features are not available and the next-hop should be directly connected.

 

So, modify the configuration as:

 

route-map INTERNET_TEST deny 10
match ip address TO_RFC1918
route-map INTERNET_TEST permit 20
match ip address FROM_TEST_PC
set ip next-hop 172.16.1.3

 

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-8/configuration_guide/rtng/b_168_rtng_9500_cg/b_168_rtng_9500_cg_chapter_01100.html#ID8123

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!



The issue was with the recursive command. I removed it and it's accepted under the VLAN. Thank you all for your help!

VIP Mentor

Hello


@dev.puniya wrote:

ip access-list extended TO_RFC1918 <---not required
permit ip any 10.0.0.0 0.255.255.255 <---- not required
permit ip any 172.0.0.0 0.240.255.255  <-- not required but shouldn't this also be 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255  <--- not required

Just like to ask: why are you matching on a subnet that isn't originating from your LAN? Also, one of those ACE entries isn't correct (bold).

Now you don't state what default path your users are taking, but I am assuming it's the DMVPN path, given that in your OP it is stating a next hop of 172.16.3.1 (MPLS path) <- Can you confirm this please?
So as you just want two hosts to be policy routed via this path, you should only need to specify those two hosts in the one PBR ACL FROM_TEST_PC; the TO_RFC1918 ACL isn't required. Then just specify the IP next-hop addressing of the MPLS with the addition of the DMVPN next-hop.

example:
no route-map INTERNET_TEST deny 10

route-map INTERNET_TEST permit 20
no set ip next-hop recursive 172.16.1.3
set ip next-hop 172.16.1.3 172.16.1.1



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

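As an added pre-deployment check that is not part of this thread or of any Cisco tooling, the Python script below parses route-map stanzas out of a running-config and flags the options Deepak names ('set ip next-hop recursive' and 'verify-availability', which the C9500 rejects with %FMANRP_PBR-3-UNSUPPORTED_RMAP) as well as next-hops that are not on a directly connected subnet, which also covers Paul's two-next-hop variant. The Vlan100 address in the sample config is an assumption added so that 172.16.1.x counts as directly connected; it is not from the poster's configuration.

```python
# Added pre-check for C9500 PBR route-maps: flags options rejected with
# %FMANRP_PBR-3-UNSUPPORTED_RMAP and next-hops not on a connected subnet.
import ipaddress
import re

UNSUPPORTED = {"recursive", "verify-availability"}

# Constructed sample, not the poster's full config; Vlan100 is an assumed
# uplink address so that 172.16.1.3 and 172.16.1.1 count as directly connected.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
interface Vlan100
 ip address 172.16.1.2 255.255.255.0
route-map INTERNET_TEST deny 10
 match ip address TO_RFC1918
route-map INTERNET_TEST permit 20
 match ip address FROM_TEST_PC
 set ip next-hop recursive 172.16.1.3
route-map INTERNET_FIX permit 20
 match ip address FROM_TEST_PC
 set ip next-hop 172.16.1.3 172.16.1.1
route-map FAR_HOP permit 10
 set ip next-hop 10.9.9.1
"""

def connected_subnets(config):
    """Subnets of every 'ip address A M' line under an interface."""
    return [ipaddress.IPv4Interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)\s*$", config, re.M)]

def check_route_map(config, name):
    """Return [(sequence, problem)] for the named route-map; [] means clean."""
    nets, problems, seq = connected_subnets(config), [], None
    for line in config.splitlines():
        head = re.match(r"^route-map (\S+) (?:permit|deny) (\d+)", line)
        if head:  # new stanza: track its sequence only if it belongs to <name>
            seq = int(head.group(2)) if head.group(1) == name else None
            continue
        hop = re.match(r"^\s*set ip next-hop (.*)$", line)
        if seq is None or not hop:
            continue
        for word in hop.group(1).split():
            if word in UNSUPPORTED:
                problems.append((seq, f"'set ip next-hop {word}' is unsupported"))
            elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", word):
                addr = ipaddress.IPv4Address(word)
                if not any(addr in n for n in nets):
                    problems.append((seq, f"next-hop {word} is not directly connected"))
    return problems
```

Run it against the output of `show running-config` before applying `ip policy route-map`; an empty list means the route-map contains none of the options this check knows about.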