03-21-2016 09:04 AM - edited 03-08-2019 05:03 AM
Hi everyone,
This is my first topic and I hope I'm not doing something wrong.
I have 2 Catalyst 3560s with two links between them (it's a testbed), and 1 network per Catalyst (different subnets).
The links between the Catalysts use /30s.
I would like to set the next-hop of incoming packets depending on the TOS value.
For example, packet with TOS 1 will take the first link and the others will take the second link.
I've been testing with route-maps and ACLs, etc., but can't figure out what's not working.
If someone can help me, that would be great.
Thank you all!
PS: Sorry for my English, but I'm French.
03-21-2016 09:35 AM
Could you post your configs?
03-22-2016 12:23 AM
Hi ICUBE2016,
TOS-based routing is not supported by conventional protocols; you would need MPLS TE (RSVP) to do source-based or TOS-based forwarding. This would be overkill in your network and a lot of overhead.
In your scenario you can use PBR calling ACLs which match the hosts or subnets communicating with each other along with the DSCP value, and manually set the next-hop to one of the interconnecting links. Please bear in mind that PBR is not dynamic in nature; any changes in the network architecture might need an iteration of the config.
Please give more insights on how the network is setup and the config.
Thanks,
Shaunak
03-22-2016 01:29 AM
First, thank you both for your answers.
I don't have a real configuration yet as I'm continuously modifying it.
As I said, it's a testbed and is not intended to be in a production environment.
The only thing I want is to be able to "dynamically" modify the link used by packets, based on whatever you want but keeping the destination and source IP.
On the source of my TCP flow, I can change whatever value I want and the catalyst would change the path according to this difference.
This way, I would be able to decide what link to use for every single packet.
As said, it's not for a production env. but only for testing purposes (it's for a college research).
@Shaunak: I've found a post about PBR and ACLs but have not understood how to separate the next-hops or apply multiple ACLs to one interface. Could you explain to me how to do that? Or do you have a link? (I've found this http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html but am not sure how to do this with next-hop.)
Thank you again!
03-22-2016 01:44 AM
It would be difficult to dynamically modify the packet routing on the basis of packet credentials like source IP or TOS etc. You can have a per-packet load-balancing scenario on the link, where regardless of the flow the packets are shared across equal-cost paths on a per-packet basis. This is however not a good practice, since time-sensitive data might suffer because of jitter, packet loss and the different delay characteristics of the equal-cost paths.
To configure PBR you can configure an ACL matching the flows or ports etc. and then incorporate DSCP matching as well:
ip access-list extended DSCP_MATCH
permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dscp af11
The above statement will match all TCP flows from the subnet 1.0 to 2.0 with a DSCP marking of af11.
Then you can call this ACL in a route-map and use it for PBR.
route-map PBR permit 10
match ip access-list DSCP_MATCH
set ip next-hop x.x.x.x
! x.x.x.x = the L3 next-hop of the appropriate link you want to use for these kinds of flows.
Please bear in mind that this route-map needs to be applied on a layer 3 interface in the ingress direction for PBR to take place. Once PBR is configured, conventional routing does not take place and PBR takes precedence. There are ways to influence this as well, but we'll leave that for later.
interface fe/xe/vlan x/y etc.
ip policy route-map PBR
Thanks,
Shaunak
03-22-2016 01:50 AM
Thank you for your fast answer and explanation.
I will try that and get back. Thanks
03-22-2016 02:42 AM
I tried your steps. Unfortunately, my 3560s don't provide match ip access-list:
Switch(config-route-map)#match ip access-list DSCP_MATCH
^
% Invalid input detected at '^' marker.
Switch(config-route-map)#match ip ?
address Match address of route or match packet
next-hop Match next-hop address of route
route-source Match advertising source address of route
Regarding the others :
Switch(config-route-map)#match ip address ?
<1-199> IP access-list number
<1300-2699> IP access-list number (expanded range)
WORD IP access-list name
prefix-list Match entries of prefix-lists
<cr>
Switch(config-route-map)#match ip address pre ?
WORD IP prefix-list name
<cr>
Switch(config-route-map)#match ip r ?
<1-99> IP access-list number
<1300-1999> IP access-list number (expanded range)
WORD IP standard access-list name
prefix-list Match entries of prefix-lists
<cr>
I used "match ip address DSCP_MATCH" + set ip next-hop x.x.x.x
Then, on the interface:
Switch(config-if)#ip policy route-map PBR
^
% Invalid input detected at '^' marker.
Switch(config-if)#ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
admission Apply Network Admission Control
arp Configure ARP features
auth-proxy Apply authenticaton proxy
dhcp DHCP
igmp IGMP interface commands
verify verify
vrf VPN Routing/Forwarding parameters on the interface
Thank you
03-22-2016 03:16 AM
You're very welcome.
My bad, I jumped the gun; it is match ip address <ACL Name or Number>. I was too fixated on the ACL part, hence the typo.
The PBR needs to be applied on a layer 3 boundary. If the hosts in subnet 1 connected to SW1 are, say, in VLAN 10, then try to apply the PBR on interface vlan 10, which is also the default gateway of the hosts.
Edit: Also, check the license requirement for the PBR feature; you might have to buy an appropriate license.
Thanks,
Shaunak
03-22-2016 03:16 AM
This time, my bad. You said it... After setting it as L3, the command works.
Is it possible to use multiple ACLs like:
ip access-list extended DSCP_MATCH
permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dscp af11
ip access-list extended DSCP_MATCH2
permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dscp af12
!
! One route-map sequence per ACL: a second match/set pair typed into the
! same sequence would only extend that sequence's match and next-hop lists.
route-map PBR permit 10
match ip address DSCP_MATCH
set ip next-hop x.x.x.x
route-map PBR permit 20
match ip address DSCP_MATCH2
set ip next-hop y.y.y.y
or multiple route-maps?
03-22-2016 03:20 AM
This config is correct; only one PBR route-map can be associated with an interface. Hence you can work around this with the logic and structure of the route-map and ACLs to achieve the desired results.
Thanks,
Shaunak
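Added example (not from this thread and not Cisco's code): a small Python model of how IOS evaluates the PBR route-map from the answers above against the DSCP-matching ACLs. It assumes contiguous wildcard masks, placeholder next-hops 10.0.0.2 and 10.0.1.2 for the two links, and that a `set ip next-hop` with several addresses uses the first one. It shows why the original "TOS 1" never matches af11 (DSCP is the top six bits of the ToS byte) and why the two ACLs need separate route-map sequences rather than one.

```python
import ipaddress

# Simplified model of IOS PBR evaluation (added example, not Cisco's code).
# IOS names DSCP values in the ACL; the ToS byte carries DSCP in its top 6 bits.
DSCP_NAMES = {"default": 0, "af11": 10, "af12": 12, "af13": 14, "ef": 46}

def tos_to_dscp(tos):
    """'TOS 1' is DSCP 0; af11 (DSCP 10) is a ToS byte of 0x28."""
    return (tos & 0xFF) >> 2

def wildcard(addr, wc):
    """Turn an IOS 'address wildcard' pair into a network (0.0.0.255 -> /24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def ace(src, src_wc, dst, dst_wc, dscp=None):
    """One 'permit tcp SRC WC DST WC [dscp NAME]' entry of an extended ACL."""
    return (wildcard(src, src_wc), wildcard(dst, dst_wc),
            None if dscp is None else DSCP_NAMES[dscp])

def acl_permits(acl, pkt):
    """Extended ACL: the packet is policy-routed if any permit entry matches it."""
    src, dst = ipaddress.IPv4Address(pkt["src"]), ipaddress.IPv4Address(pkt["dst"])
    return any(src in s and dst in d and (q is None or q == tos_to_dscp(pkt["tos"]))
               for s, d, q in acl)

def policy_route(route_map, acls, pkt):
    """Walk the sequences in order. Several ACLs under one 'match ip address'
    are ORed; 'set ip next-hop' uses the first address listed (assumption:
    first hop reachable). None means no sequence matched: normal routing."""
    for acl_names, next_hops in route_map:
        if any(acl_permits(acls[name], pkt) for name in acl_names):
            return next_hops[0]
    return None

# Constructed ACLs mirroring the thread; the next-hop addresses are placeholders.
ACLS = {
    "DSCP_MATCH":  [ace("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255", "af11")],
    "DSCP_MATCH2": [ace("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255", "af12")],
}
TWO_SEQUENCES = [(["DSCP_MATCH"], ["10.0.0.2"]), (["DSCP_MATCH2"], ["10.0.1.2"])]
ONE_SEQUENCE = [(["DSCP_MATCH", "DSCP_MATCH2"], ["10.0.0.2", "10.0.1.2"])]

def demo():
    """Next-hop chosen for one 192.168.1.0/24 -> 192.168.2.0/24 flow per ToS value."""
    flow = lambda tos: {"src": "192.168.1.10", "dst": "192.168.2.20", "tos": tos}
    return {"af11_two_seq": policy_route(TWO_SEQUENCES, ACLS, flow(0x28)),
            "af12_two_seq": policy_route(TWO_SEQUENCES, ACLS, flow(0x30)),
            "tos1_two_seq": policy_route(TWO_SEQUENCES, ACLS, flow(1)),
            "af12_one_seq": policy_route(ONE_SEQUENCE, ACLS, flow(0x30))}
```

The single-sequence variant sends the af12 flow to the first link as well, which is the behaviour to watch for when checking such a policy on a real switch.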
03-22-2016 03:22 AM
Great, thank you for your patience and your information!
03-22-2016 03:46 AM
Happy to help :)
Have a good one.
Thanks,
Shaunak
03-22-2016 06:38 AM
Unfortunately, typing in "ip policy route-map PBR" gives me:
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR not supported for Policy-Based Routing
As found HERE, I tried without the "match ip address DSCP_MATCH", so only the "set ip next-hop", and it seems to be OK.
Do you have any information about that?
03-22-2016 07:14 AM
Okay, I've found my answer:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swuncli.html#wp1020652
Any workaround?
03-22-2016 11:00 PM
Hi ICUBE2016,
An ACL match under the route-map should be permitted. On the 3560, commands such as set ip next-hop verify-availability etc. don't work, but an ACL match should work. Can you post the relevant config here, including the ACL, route-map and the interface config?
Thanks,
Shaunak