03-21-2016 09:04 AM - edited 03-08-2019 05:03 AM
Hi everyone,
This is my first topic and I hope I'm not doing something wrong.
I have 2 catalyst 3560 with two links between them (it's a testbed), and 1 network per catalyst (different subnets).
The links are using /30 between catalyst.
I would like to set the next-hop of incoming packets depending on the TOS value.
For example, packet with TOS 1 will take the first link and the others will take the second link.
I've been testing with route-map and ACLs, etc but can't figure out what's not working.
If someone can help me, that would be great.
Thank you all!
PS: Sorry for my English, but I'm French.
03-23-2016 01:25 AM
Here is my configuration.
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 no switchport
 ip address 10.0.0.5 255.255.255.252
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
 no switchport
 ip address 10.0.1.254 255.255.255.0
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
!
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended DSCP_MATCH
 permit tcp 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255 dscp af11
!
route-map PBR permit 10
 match ip address DSCP_MATCH
 set ip next-hop 10.0.0.2
!
!
control-plane
!
!
line con 0
line vty 0 4
 no login
line vty 5 15
 no login
!
end
When I want to add the route-map to int fa0/12 (ip policy route-map PBR), it outputs the previous error message.
In the link I posted before, it's written :
Unsupported Route-Map Configuration Commands
match ip address prefix-list prefix-list-name [prefix-list-name...]
and not "match ip address WORD" (sorry I made a mistake while reading).
Thank you
03-23-2016 01:45 AM
match ip address prefix-list is different from the ACL variation, so that should not be an issue.
Can you try to configure a VLAN interface and move the fa0/12 config under that, configure fa0/12 as an L2 port in the appropriate VLAN, and apply the PBR under the SVI?
See if this helps.
Thanks,
Shaunak
03-23-2016 02:38 AM
If I understood correctly, I have to configure a vlan interface as L3, attach my fa0/12, previously configured as L2, to this VLAN and attach the PBR to the VLAN interface.
If I'm right, this outputs me the same error UNSUPPORTED_RMAP. :/
03-23-2016 04:01 AM
Can you check if your setup fulfils these requirements:
Before configuring PBR, you should be aware of this information:
• To use PBR, you must have the IP services image installed on the switch.
• Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
• You can enable PBR on a routed port or an SVI.
• The switch does not support route-map deny statements for PBR.
There are more; please check the link at the end. You might also have to change the SDM template on the switch: use the command sdm prefer routing in Global Config mode. This might require a reboot; then check if this works, as long as the switch has an IP Services image as mentioned above.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_58_se/configuration/guide/3560scg/swiprout.html#pgfId-1228588
Thanks,
Shaunak
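The restrictions quoted in this thread (routed port or SVI only, no route-map deny statements, no match ip address prefix-list) can be checked against a candidate configuration before it is pasted into the switch. The script below is an added example, not code from anyone in the thread or from Cisco; the function names, the sample text and the prefix-list name LAB are made up for illustration, and it assumes unabbreviated keywords as they appear in a running-config.

```python
def blocks(config):
    """Return (kind, name, subcommands) for each interface and route-map block."""
    out, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("interface ", "route-map ")):
            kind, name = line.split(None, 1)       # a new block header starts
            current = (kind, name, [])
            out.append(current)
        elif not line or line.startswith("!") or line in ("exit", "end"):
            current = None                         # a separator closes the block
        elif current:
            current[2].append(line)
    return out

def audit(config):
    """Check a candidate config against the PBR restrictions listed in the thread."""
    parsed, findings, applied = blocks(config), [], set()
    for kind, name, cmds in parsed:                # pass 1: where is PBR applied?
        maps = {c.split()[-1] for c in cmds if c.startswith("ip policy route-map ")}
        applied |= maps
        routed = name.lower().startswith("vlan") or "no switchport" in cmds
        if kind == "interface" and maps and not routed:
            findings.append(f"{name}: PBR needs a routed port or an SVI")
    for kind, name, cmds in parsed:                # pass 2: only route-maps used for PBR
        if kind == "route-map" and name.split()[0] in applied:
            if name.split()[1:2] == ["deny"]:
                findings.append(f"route-map {name}: deny statements are not supported for PBR")
            if any(c.startswith("match ip address prefix-list") for c in cmds):
                findings.append(f"route-map {name}: match ip address prefix-list is unsupported")
    return findings

# Constructed sample: modelled on the configuration in this thread, with a
# Layer 2 port and a "deny 20" sequence added so that each check fires once.
SAMPLE = """\
interface FastEthernet0/2
 ip policy route-map PBR
interface FastEthernet0/12
 no switchport
 ip policy route-map PBR
route-map PBR permit 10
 match ip address DSCP_MATCH
 set ip next-hop 10.0.0.2
route-map PBR deny 20
 match ip address prefix-list LAB
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The interface and route-map lines actually posted in this thread pass all three checks, so these restrictions do not by themselves account for the error being discussed.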
03-24-2016 01:27 AM
Sorry for not answering, but I had no access to the Catalyst until now.
A "show ver" gives me:
Switch   Ports  Model              SW Version              SW Image
------   -----  -----              ----------              ----------
*    1   26     WS-C3560-24TS      12.2(25)SEE             C3560-ADVIPSERVICESK
According to "C3560-ADVIPSERVICESK", I think it is IP services image.
Same thing here : "System image file is "flash:/c3560-advipservicesk9-mZ.122-25.SEE.bin""
I tried the sdm prefer routing and after a reboot, a "show sdm prefer" outputs :
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 512
number of IPv4/MAC qos aces: 512
number of IPv4/MAC security aces: 1K
Unfortunately, I have the same error...
I tried, using a 7200 image under GNS3 and it seems that, using the same commands, it is ok, the policy is correctly applied...
I think I'm going crazy :D
03-24-2016 02:31 AM
Well, as per the show sdm prefer output, we see that PBR ACE resources have been assigned:
number of IPv4 policy based routing aces: 512
Can you tell me the entire process detailing the steps you execute from creating the policy to applying it on the interface along with the specifics of the config?
This should have worked given the image and the SDM template. Can you also try to upgrade the switch image to a more recent release and check it? Please keep the major release train the same, i.e. 12.2, and the packaging as well, as we need the IP services image, and see if that helps.
Thanks,
Shaunak
03-24-2016 02:38 AM
Also, for DSCP mapping to work, you need to enable mls qos on the switch and either mark the data on the L2 ingress ports to the appropriate values or trust the marking on the edge ports so that the switch does not rewrite the QoS markings.
Also, check by enabling mls qos on the switch; it might be needed to correctly incorporate the ACL used for PBR. Although I don't think this should make a difference and haven't seen this to be the case, let's try that and check if this works then.
Thanks,
Shaunak
03-24-2016 02:45 AM
Regarding the update, I cannot do it as I'm not an administrator. I'm in a college and it is for some research so I'm not authorized to do anything about the IOS.
Regarding my steps :
ip access-list extended DSCP_MATCH
permit tcp 10.0.1.0 0.0.0.255 10.0.4.0 0.0.0.255 dscp af11
exit
route-map PBR permit 10
match ip add DSCP_MATCH
set ip next-hop 10.0.0.2
exit
int fa 0/12
no sw
ip add 10.0.1.254 255.255.255.0
no shut
ip policy route-map PBR
! Because it's not working, let's try in a VLAN
switchport
sw mode access
sw access vlan 3
exit
int vlan3
ip add 10.0.1.254 255.255.255.0
ip policy route-map PBR
! I have the same output here.
For the mls, I'll try to do it today, if I have access to the catalyst. Otherwise, it will be for Tuesday.
Thx again for your patience
03-27-2016 11:05 PM
You're welcome!
Do keep us posted.
Thanks,
Shaunak