11-22-2012 01:27 AM - edited 03-07-2019 10:11 AM
Hi,
I have a 3560, which is being used as our core router, that I have recently installed. It still has the standard IOS which came with it (C3560E-UNIVERSALK9-M), but I need to implement policy-based routing, so I need to upgrade it. I have downloaded c3560-ipservicesk9-mz.122-58.SE2.bin and ideally would like to install it in the morning before people start work.
I have 2 questions:
1. Is the ipservices image capable of PBR? I have been reading conflicting reports; in fact, my friend who works for Cisco has advised that it is not possible on the 3560.
2. When I do upgrade, will there be any current configurations that are not compatible with the new one? I wouldn't imagine that there would be any, but I just wanted to make sure, as it would be the biggest headache ever if it went wrong!!
Thanks in advance.
Jake
11-22-2012 01:36 AM
Hi Jake,
For your first question you can see:
For the second, you should send us what type of service you have implemented.
11-22-2012 01:47 AM
Hi Christos,
Thanks for the quick reply. Please see my sho run below:
!
no aaa new-model
system mtu routing 1500
ip routing
ip dhcp excluded-address 10.10.11.0 10.10.11.199
ip dhcp excluded-address 10.10.200.0 10.10.200.219
ip dhcp excluded-address 192.168.100.0 192.168.100.50
!
ip dhcp pool VLAN-11
 network 10.10.11.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.11.1
!
ip dhcp pool VLAN-200
 network 10.10.200.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 10.10.200.1
!
ip dhcp pool VLAN-192
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 8.8.8.8 8.8.4.4
!
!
no ip domain-lookup
ip domain-name xxxx.xxxx
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-2,5,9-11,50,60,70,80,100,192,200 priority 24576
!
!
!
!
!
vlan access-map 192_block 10
 action drop
 match ip address Block_WiFi_from_Int
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
class-map match-all llp_to_watchguard
 match access-group 101
!
!
policy-map pm_llp_to_watchguard
 class llp_to_watchguard
!
!
!
interface FastEthernet0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
!
interface GigabitEthernet0/1
 description LINK TO BHM_C4L_SWI
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 50
 switchport mode access
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/5
 description link to netgear wireless
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/6
 description Trunk to Server switch, rack 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/7
 description Trunk to SW19 (floor 11)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/8
 description Trunk to SW20 (floor 11)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/9
 description Trunk to SW21 (floor 11)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/10
 description Trunk link to edge_poe_flr10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
 description LINK FOR EXTERNAL CALLS
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/13
 description LINK TO fmts_bhm_sw_edge_01 (flr 11)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/14
 description LINK TO fmts_bhm_sw_edge_02
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/15
 description LINK TO fmts_bhm_edge_poe1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/16
 description LINK to fmts_bhm_c4l_swi
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
 description link to LLP ASA 5510
 no switchport
 ip address X.X.X.X X.X.X.X
!
interface GigabitEthernet0/22
 description LINK TO FMTS_BHM_VIDOPS
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/23
 description link to LLP ASA/Watchguard
 no switchport
 ip address X.X.X.X X.X.X.X
!
interface GigabitEthernet0/24
 description link to MTS Watchguard
 no switchport
 ip address X.X.X.X X.X.X.X
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet1/3
!
interface GigabitEthernet1/4
!
interface TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/2
!
interface Vlan1
 ip address X.X.X.X X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan2
 ip address 172.28.1.1 255.255.255.0
 ip helper-address X.X.X.X
!
interface Vlan9
 ip address X.X.X.X X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan11
 ip address X.X.X.X X.X.X.X
!
interface Vlan28
 ip address X.X.X.X X.X.X.X
!
interface Vlan50
 ip address X.X.X.X X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan60
 ip address X.X.X.X X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan70
 ip address X.X.X.X X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan80
 ip address X.X.X.X X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan100
 ip address X.X.X.X X.X.X.X
!
interface Vlan192
 ip address X.X.X.X X.X.X.X
 ip helper-address X.X.X.X X.X.X.X
!
interface Vlan200
 ip address X.X.X.X X.X.X.X
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.3.1
ip route 10.10.3.0 255.255.255.252 10.10.3.1
ip route 10.10.8.0 255.255.255.0 10.10.3.1
ip route 10.10.10.0 255.255.255.0 10.10.3.1
ip route 10.15.0.0 255.255.0.0 10.10.3.5
ip route X.X.X.X X.X.X.X 10.10.3.5
ip route X.X.X.X X.X.X.X X.X.X.X
no ip http server
ip http secure-server
!
ip access-list standard Block_wifi_from_internal
 deny 10.0.0.0 0.255.255.255
 deny 172.20.2.0 0.0.0.255
 deny 172.20.0.0 0.0.255.255
 permit any
!
ip access-list extended ACL_LLP_SSL_ASA
 deny ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
ip access-list extended ACL_LLP_SSL_Watch
 deny ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
ip access-list extended ACL_MTS_SSL_ASA
 deny ip 10.0.0.0 0.255.255.255 10.10.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
ip access-list extended ACL_NY_VPN
 permit ip 10.10.0.0 0.0.255.255 10.15.0.0 0.0.255.255
ip access-list extended PERMIT_MTS_ENF
 permit ip 10.10.32.0 0.0.15.255 10.100.0.0 0.0.255.255
 permit ip 10.10.64.0 0.0.15.255 10.100.0.0 0.0.255.255
ip access-list extended acl-pbr
 deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 deny ip 10.10.0.0 0.0.255.255 172.20.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
!
access-list 10 deny X.X.X.X X.X.X.X
access-list 10 permit any
access-list 101 permit ip X.X.X.X X.X.X.X host 0.0.0.0
access-list 101 permit ip X.X.X.X X.X.X.X host 0.0.0.0
access-list 101 permit ip X.X.X.X X.X.X.X host 0.0.0.0
access-list 101 deny ip any any
access-list 150 remark LLP traffic to flow through old watchguard
route-map RM_ENF_VPN permit 10
 match ip address PERMIT_MTS_ENF
 set interface GigabitEthernet0/24
!
route-map LLP-Watchguard permit 10
 match ip address 150
 set ip next-hop X.X.X.X
!
route-map rm-pbr permit 10
 match ip address acl-pbr
 set ip default next-hop X.X.X.X
!
!
!
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
end
Do you think that would be OK on the new ipservices IOS?
Thanks a lot
Jake
11-22-2012 01:59 AM
Hi Jake,
Send me also a sh ver from your router to see what IOS you have now.
11-22-2012 02:06 AM
Thanks for this Christos!
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Image text-base: 0x00003000, data-base: 0x02800000
ROM: Bootstrap program is C3560E boot loader
BOOTLDR: C3560E Boot Loader (C3560X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
System returned to ROM by power-on
System image file is "flash:/c3560e-universalk9-mz.122-55.SE5/c3560e-universalk9-mz.122-55.SE5.bin"
License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase
cisco WS-C3560X-24 (PowerPC405) processor (revision K0) with 262144K bytes of memory.
Processor board ID FDO1641P2AG
Last reset from power-on
12 Virtual Ethernet interfaces
1 FastEthernet interface
28 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : AC:F2:C5:04:85:00
Motherboard assembly number : 73-12554-08
Motherboard serial number : FDO164120UU
Model revision number : K0
Motherboard revision number : A0
Model number : WS-C3560X-24T-S
Daughterboard assembly number : 800-32786-02
Daughterboard serial number : FDO16410SP3
System serial number : FDO1641P2AG
Top Assembly Part Number : 800-31331-07
Top Assembly Revision Number : A0
Version ID : V04
CLEI Code Number : COMJU00ARD
Hardware Board Revision Number : 0x04
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 30    WS-C3560X-24       12.2(55)SE5           C3560E-UNIVERSALK9-M
Configuration register is 0xF
11-22-2012 02:06 AM
I checked; this IOS will be OK, no problem.
11-22-2012 02:14 AM
Thanks a lot for that, Christos. As a matter of interest, where did you check the IOS?
Thanks again
Jake
11-22-2012 02:18 AM
Software Advisor from the Cisco site.