3026 Views | 10 Helpful | 9 Replies

Unable to set PBR on a VLAN, running Cisco IOS XE code on C9500-16X

dev.puniya
Level 1

I am trying to apply PBR on VLAN 1 and 2 to reroute traffic for the specified host. However, the following errors are seen in the log message. Can someone advise a way to apply PBR on the C9500 L3 switch?

 

The idea here is to pass all the internet and intranet traffic for the below host via MPLS. As of now, the internet and intranet paths are separate.

 

[Image: BGP.png]

2 Accepted Solutions

9 Replies

dev.puniya
Level 1

Logs:

003593: UTC: %FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map INTERNET_TEST has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied.
003594: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:ip policy route-map INTERNET_TEST
003595: UTC: %FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map INTERNET_TEST has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied.
003596: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:ip policy route-map INTERNET_TEST
003597: 6 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:exit
003598: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:interface Vlan2
003599: UTC: %FMANRP_PBR-3-UNSUPPORTED_RMAP: Route-map INTERNET_TEST has unsupported options for Policy-Based Routing. It has been removed from the interface, if applied.
003600: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:ip policy route-map INTERNET_TEST
003601: UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User: logged command:exit

1. Quick question: what kind of license do you have? For PBR to work you need Network Essentials minimum on the Cat 9500.

2. If you already have the required license, I would like to see the configuration. Post the relevant configuration to understand the issue.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The error message does not seem to indicate that PBR is not supported but that an invalid option is specified. We need to see the details of the config and of the route map you are trying to use. 

HTH

Rick

Deepak Kumar
VIP Alumni

Hi,

Can you share the configuration and IOS version?

 

As per my experience, I was working on a Cisco 3850 and got the same error, and finally got to know that the verify-availability command with IP SLA tracking is not supported on the IOS on the 3850. Make sure you are not making the same mistake (I know this is a different platform).

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hello,

 

What does your PBR policy actually look like? Post the running configuration of your 9500, and have a look at the link below for what is allowed and what is not...

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-8/configuration_guide/rtng/b_168_rtng_9500_cg/b_168_rtng_9500_cg_chapter_01100.html#ID8123

Thanks all for your response. Here is the additional information:

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-advantage Smart License network-advantage
dna-advantage Subscription Smart License dna-advantage

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 26 C9500-16X 16.9.4 CAT9K_IOSXE BUNDLE (System image file is "flash:cat9k_iosxe.16.09.04.SPA.bin") 
   2 26 C9500-16X 16.9.4 CAT9K_IOSXE BUNDLE

ip access-list extended FROM_TEST_PC
permit ip host 10.1.1.1 any
permit ip host 10.2.2.0 any

ip access-list extended TO_RFC1918
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.0.0.0 0.240.255.255
permit ip any 192.168.0.0 0.0.255.255


route-map INTERNET_TEST deny 10
match ip address TO_RFC1918
route-map INTERNET_TEST permit 20
match ip address FROM_TEST_PC
set ip next-hop recursive 172.16.1.3


interface Vlan1
ip address 10.1.1.1 255.255.255.0
ip policy route-map INTERNET_TEST   <<< this is the statement I want to add
end

interface Vlan2
ip address 10.2.2.1 255.255.255.0
ip policy route-map INTERNET_TEST   <<< this is the statement I want to add
end

router bgp 64497
bgp always-compare-med
bgp log-neighbor-changes
bgp deterministic-med
redistribute connected route-map REDIST_TO_BGP
redistribute static route-map REDIST_TO_BGP
neighbor 172.16.1.3 remote-as 64497
neighbor 172.16.1.3 timers 5 15
neighbor 172.16.1.3 fall-over bfd
neighbor 172.16.1.3 route-reflector-client
neighbor 172.16.1.3 next-hop-self
neighbor 172.16.1.3 send-community
neighbor 172.16.1.3 soft-reconfiguration inbound
neighbor 172.16.1.3 route-map MPLS_POLICY_IN in
neighbor 172.16.1.3 route-map MPLS_POLICY_OUT out
neighbor 172.16.1.1 remote-as 65112
neighbor 172.16.1.1 timers 5 15
neighbor 172.16.1.1 next-hop-self
neighbor 172.16.1.1 send-community
neighbor 172.16.1.1 soft-reconfiguration inbound
neighbor 172.16.1.1 route-map DMVPN_POLICY_IN_S in
neighbor 172.16.1.1 route-map DMVPN_POLICY_OUT_S out
maximum-paths 6
maximum-paths ibgp 6


Hi,

The ip next-hop recursive and ip next-hop verify availability features are not available, and the next-hop should be directly connected.

So, modify the configuration as:

route-map INTERNET_TEST deny 10
match ip address TO_RFC1918
route-map INTERNET_TEST permit 20
match ip address FROM_TEST_PC
set ip next-hop 172.16.1.3

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-8/configuration_guide/rtng/b_168_rtng_9500_cg/b_168_rtng_9500_cg_chapter_01100.html#ID8123

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
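As an added example (not from the thread or from Cisco), a small Python lint that applies the two rules in Deepak's answer to a route-map before it is pushed to the switch: it flags set ip next-hop keywords the platform rejects and checks that every next-hop address sits on a directly connected subnet. The Vlan100 SVI in the sample is a hypothetical stand-in for whichever interface holds the 172.16.1.0/24 peering segment; the thread does not show it.

```python
import ipaddress
import re

# Constructed sample: the route-map and SVIs from the thread. Vlan100 is a
# hypothetical stand-in for the interface holding 172.16.1.0/24 (not in the thread).
CONFIG = """
route-map INTERNET_TEST deny 10
 match ip address TO_RFC1918
route-map INTERNET_TEST permit 20
 match ip address FROM_TEST_PC
 set ip next-hop recursive 172.16.1.3
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 ip address 10.2.2.1 255.255.255.0
interface Vlan100
 ip address 172.16.1.2 255.255.255.0
"""

# 'set ip next-hop' keywords the accepted answer says this platform rejects for PBR
UNSUPPORTED = ("recursive", "verify-availability")

def connected_networks(config):
    """Subnets of every 'ip address A M' line, i.e. where a PBR next-hop may sit."""
    return [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)]

def lint_route_map(config, name):
    """Return (sequence, problem) tuples for route-map `name` per the thread's rules."""
    nets, problems, seq = connected_networks(config), [], None
    for line in config.splitlines():
        hdr = re.match(r"^route-map (\S+) (?:permit|deny) (\d+)", line)
        if hdr:  # entering a new route-map entry; track only the one we lint
            seq = int(hdr.group(2)) if hdr.group(1) == name else None
            continue
        setline = re.match(r"^\s*set ip next-hop\s+(.*)", line)
        if seq is None or not setline:
            continue
        words = setline.group(1).split()
        problems += [(seq, f"'{w}' is not supported for PBR here") for w in words if w in UNSUPPORTED]
        for w in words:  # any address-looking word must be on a connected subnet
            try:
                hop = ipaddress.ip_address(w)
            except ValueError:
                continue
            if not any(hop in n for n in nets):
                problems.append((seq, f"next-hop {hop} is not on a connected subnet"))
    return problems
```

Running lint_route_map(CONFIG, "INTERNET_TEST") reports only the recursive keyword on sequence 20, which is exactly what the switch logged as %FMANRP_PBR-3-UNSUPPORTED_RMAP.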

The issue was with the recursive command. I removed it and it's accepted under the VLAN. Thank you all for your help!

Hello

@dev.puniya wrote:

ip access-list extended TO_RFC1918 <---not required
permit ip any 10.0.0.0 0.255.255.255 <---- not required
permit ip any 172.0.0.0 0.240.255.255  <-- not required but shouldn't this also be 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255  <--- not required

Just like to ask: why are you matching on subnets that aren't originating from your LAN? Also, one of those ACE entries isn't correct (bold).

Now you don't state what default path your users are taking, but I am assuming it's the DMVPN path, given in your OP it is stating a next hop of 172.16.3.1 (MPLS path) <- can you confirm this please?

So, as you just want two hosts to be policy routed via this path, you should only need to specify those two hosts in the one PBR ACL FROM_TEST_PC; the TO_RFC1918 ACL isn't required. Then just specify the ip next-hop addressing of the MPLS with the addition of the DMVPN next-hop.

Example:

no route-map INTERNET_TEST deny 10

route-map INTERNET_TEST permit 20
no set ip next-hop recursive 172.16.1.3
set ip next-hop 172.16.1.3 172.16.1.1

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
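Added example (not Paul's or the thread's code) that checks his point about the wildcard mask: expanding each ACE of TO_RFC1918 into the CIDR blocks it really matches shows that 172.0.0.0 0.240.255.255 covers sixteen scattered /16s rather than 172.16.0.0/12, so a destination in public 172.32.0.0/16 would hit the deny entry while RFC 1918 172.17.0.0/16 would not. The sample ACEs are constructed from the ACL quoted above.

```python
import ipaddress

# Constructed sample: the three ACEs of the TO_RFC1918 ACL quoted in the thread.
ACES = [
    "permit ip any 10.0.0.0 0.255.255.255",
    "permit ip any 172.0.0.0 0.240.255.255",
    "permit ip any 192.168.0.0 0.0.255.255",
]
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wildcard_matches(base, wildcard, addr):
    """True if addr matches base/wildcard: a set wildcard bit is don't-care."""
    b, w, a = (int(ipaddress.ip_address(x)) for x in (base, wildcard, addr))
    return (a & ~w) == (b & ~w)

def wildcard_to_networks(base, wildcard):
    """Expand base/wildcard into the CIDR blocks it really matches. Trailing 1-bits
    set the prefix length; any 1-bits above them are non-contiguous and fan out
    into 2**k separate blocks (that is what 0.240.255.255 does)."""
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    t = 0
    while t < 32 and (w >> t) & 1:
        t += 1
    upper = [i for i in range(t, 32) if (w >> i) & 1]
    nets = []
    for combo in range(1 << len(upper)):
        v = sum(1 << bit for k, bit in enumerate(upper) if (combo >> k) & 1)
        addr = ipaddress.ip_address((b & ~w) | v)
        nets.append(ipaddress.ip_network(f"{addr}/{32 - t}"))
    return sorted(nets)

def ace_audit(ace):
    """Return (matched blocks, True if every block lies inside an RFC 1918 range)."""
    _, _, _, base, wildcard = ace.split()
    nets = wildcard_to_networks(base, wildcard)
    return nets, all(any(n.subnet_of(r) for r in RFC1918) for n in nets)

if __name__ == "__main__":
    for ace in ACES:
        nets, ok = ace_audit(ace)
        print(f"{ace}: {len(nets)} block(s), {'inside' if ok else 'NOT inside'} RFC 1918")
```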