Solved: [Catalyst 3560] TOS based routing

ICUBE2016 · ‎03-21-2016

Hi everyone,

This is my first topic and I hope I'm not doing something wrong.

I have 2 catalyst 3560 with two links between them (it's a testbed), and 1 network per catalyst (different subnets).

The links are using /30 between catalyst.

I would like to set the next-hop of incoming packets depending on the TOS value.

For example, packet with TOS 1 will take the first link and the others will take the second link.

I've been testing with route-map and ACLs, etc but can't figure out what's not working.

If someone can help me, that would be great.

Thank you all!

PS : Sorry for my english, but I'm french

Shaunak · ‎03-22-2016

It would be difficult to dynamically modify the packet routing on the basis of the packet credentials like source IP or TOS etc. You can have a per-packet load balancing scenario on the link where regardless of the flow the packets are shared on equal cost paths on a per packet basis. This is however not a good practice since time sensitive data might suffer because of jitter and packet loss and different delay characteristics of the equal cost paths.

to configure a PBR you can configure an ACL matching the flows or ports etc. and then incorporating DSCP matching as well--

ip access-list extended DSCP_MATCH

permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dscp af11

the above statement will match all TCP flows from the subnet 1.0 to 2.0 with a DSCP marking of af11.

Then you can call this ACL in a route-map and use it for PBR.

route-map PBR permit 10

match ip access-list DSCP_MATCH

set ip next-hop x.x.x.x <<<< the L3 next-hop of the appropriate link you want to use for these kinds of flows.

Please bear in mind that this route-map needs to be applied on a layer 3 interface on an ingress direction for PBR to take place. Once PBR is configured, conventional routing does not take place and PBR takes precedence. Although there are ways to influence this as well but we'll leave that for later.

interface fe/xe/vlan x/y etc

ip policy route-map PBR

Thanks,

Shaunak

View solution in original post

Joseph W. Doherty · ‎03-21-2016

Could you post your configs?

Shaunak · ‎03-22-2016

Hi ICUBE2016,

TOS based routing is not supported by conventional protocols you would need MPLS TE (RSVP) to do source based or TOS based forwarding. This would be an overkill in your network and a lot of overhead.

In your scenario you can use PBR calling ACLs which are matching the hosts or subnets communicating with each other along with the DSCP value and manually setting the next-hop to one of the interconnected links, please bear in mind that PBR is not dynamic in nature any changes in the network architecture might need an iteration of the config.

Please give more insights on how the network is setup and the config.

Thanks,

Shaunak

ICUBE2016 · ‎03-22-2016

First, thank you both for your answers.

I don't have a real configuration yet as I'm continuously modifying it.

As I said, it's a testbed and is not intended to be in a production environment.

The only thing I want is to be able to "dynamically" modify the link used by packets, based on whatever you want but keeping the destination and source IP.

On the source of my TCP flow, I can change whatever value I want and the catalyst would change the path according to this difference.

This way, I would be able to decide what link to use for every single packet.

As said, it's not for a production env. but only for testing purposes (it's for a college research).

@Shaunack : I've found a post about PBR and ACLs but have not understood how to separate the next-hop or applying multiple ACL to one interface. Could you explain me how to do that? Or do you have a link? (I've found this http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html but not sure about how to do this with next-hop)

Thank you again!

Shaunak · ‎03-22-2016

It would be difficult to dynamically modify the packet routing on the basis of the packet credentials like source IP or TOS etc. You can have a per-packet load balancing scenario on the link where regardless of the flow the packets are shared on equal cost paths on a per packet basis. This is however not a good practice since time sensitive data might suffer because of jitter and packet loss and different delay characteristics of the equal cost paths.

to configure a PBR you can configure an ACL matching the flows or ports etc. and then incorporating DSCP matching as well--

ip access-list extended DSCP_MATCH

permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dscp af11

the above statement will match all TCP flows from the subnet 1.0 to 2.0 with a DSCP marking of af11.

Then you can call this ACL in a route-map and use it for PBR.

route-map PBR permit 10

match ip access-list DSCP_MATCH

set ip next-hop x.x.x.x <<<< the L3 next-hop of the appropriate link you want to use for these kinds of flows.

Please bear in mind that this route-map needs to be applied on a layer 3 interface on an ingress direction for PBR to take place. Once PBR is configured, conventional routing does not take place and PBR takes precedence. Although there are ways to influence this as well but we'll leave that for later.

interface fe/xe/vlan x/y etc

ip policy route-map PBR

Thanks,

Shaunak

ICUBE2016 · ‎03-22-2016

Thank you for your fast answer and explanation.

I will try that and get back. Thanks

ICUBE2016 · ‎03-22-2016

I tried your steps. Unfortunately, my 3560 aren't providing match ip access-list :

Switch(config-route-map)#match ip access-list DSCP_MATCH

^

% Invalid input detected at '^' marker.

Switch(config-route-map)#match ip ?

address Match address of route or match packet

next-hop Match next-hop address of route

route-source Match advertising source address of route

Regarding the others :

Switch(config-route-map)#match ip address ?
<1-199>      IP access-list number
<1300-2699> IP access-list number (expanded range)
WORD         IP access-list name
prefix-list Match entries of prefix-lists
<cr>

Switch(config-route-map)#match ip address pre ?
WORD IP prefix-list name
<cr>

Switch(config-route-map)#match ip r ?
<1-99>       IP access-list number
<1300-1999> IP access-list number (expanded range)
WORD         IP standard access-list name
prefix-list Match entries of prefix-lists
<cr>

I used "match ip address DSCP_MATCH" + set ip next-hop x.x.x.x

Then, in the interface :

Switch(config-if)#ip policy route-map PBR
                     ^
% Invalid input detected at '^' marker.

Switch(config-if)#ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
admission     Apply Network Admission Control
arp           Configure ARP features
auth-proxy    Apply authenticaton proxy
dhcp          DHCP
igmp          IGMP interface commands
verify        verify
vrf           VPN Routing/Forwarding parameters on the interface

Thank you

Shaunak · ‎03-22-2016

You're very welcome.

My bad I jumped the gun, it is match ip address <ACL Name or Number>. Was too fixated on the ACL part hence made a typo.

The PBR needs to be applied on a layer 3 boundary. The hosts in subnet 1 connected to SW1 say they are in VLAN 10 then try to apply the PBR on interface vlan 10 which is also the default gateway of the hosts.

Edit: Also, check the license requirement for the PBR feature you might have to buy an appropriate License.

Thanks,

Shaunak

ICUBE2016 · ‎03-22-2016

This time, my bad. You said it... After setting it as L3, the command works.

Is it possible to use multiple ACL like :

ip access-list extended DSCP_MATCH

permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dscp af11

ip access-list extended DSCP_MATCH2

permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 dscp af12

route-map PBR permit 10

match ip access-list DSCP_MATCH

set ip next-hop x.x.x.x

match ip access-list DSCP_MATCH2

set ip next-hop y.y.y.y

or multiple route-map ?

Shaunak · ‎03-22-2016

This config is correct, only one PBR route-map can be associated with an interface. Hence you can work around with the logic and the structure of the route-map and ACLs to achieve the desired results.

Thanks,

Shaunak

ICUBE2016 · ‎03-22-2016

Great, thank you for your patience and your information!

Shaunak · ‎03-22-2016

Happy to help :)

Have a good one.

Thanks,

Shaunak

ICUBE2016 · ‎03-22-2016

Unfortunately, typing in "ip policy route-map PBR" outputs me :

%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR not supported for Policy-Based Routing

As found HERE, I tried without the "match ip address DSCP_MATCH", so only the "set ip next-hop" and it seems to be ok.

Do you have any information about that?

ICUBE2016 · ‎03-22-2016

Okay, I've found my answer :

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swuncli.html#wp1020652

Any workaround?

Shaunak · ‎03-22-2016

Hi ICUBE2016,

ACL match under the route-map should be permitted. on the 3560 set ip next-hop verify-availability etc. such commands don't work but an ACL match should work. Can you post the relevant config here? Including the ACL, route-map and the interface config.

Thanks,

Shaunak