
Cisco Catalyst 3560 supports PBR + IP SLA ?

Dear all, I would like to know whether the WS-C3650-24TS switch supports the L3 PBR + IP SLA functionality. When I apply the configuration I get a message indicating that this configuration parameter is not supported because of a hardware issue.

I would also like to know whether anyone has had a similar case and managed to resolve it, or otherwise could point me to a document stating whether these configuration parameters are supported.

SWSFMI11#show access-lists 101
Extended IP access list 101
10 permit ip any host 172.22.252.217 log
20 permit ip any host 172.22.173.48 log
30 permit ip any host 172.22.173.63 log (84 matches)
40 permit ip any host 172.22.4.31 log
50 permit ip any host 172.22.9.14 log
60 permit ip any host 172.22.9.15 log
70 permit ip any host 172.22.9.28 log
80 permit ip any host 172.22.9.29 log
90 permit ip any host 172.22.173.105 log
100 permit ip any host 172.22.2.32 log
SWSFMI11#

SWSFMI11#show route-map
route-map 10, permit, sequence 10
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map PBR_TdP, permit, sequence 10
Match clauses:
ip address (access-lists): 101 PBT_TdP
Set clauses:
ip next-hop verify-availability 172.24.235.174 1 track 1 [up]
Nexthop tracking current: 0.0.0.0
172.24.235.174, fib_nh:0,oce:0,status:0

Policy routing matches: 45 packets, 2700 bytes
SWSFMI11#


SWSFMI11#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Latest RTT: 1 milliseconds
Latest operation start time: 12:31:38 GMT Mon Aug 14 2017
Latest operation return code: OK
Number of successes: 178
Number of failures: 1
Operation time to live: Forever


SWSFMI11#show ip sla summary

IPSLAs Latest Operation Summary
ID Type Destination Stats Return Last
(ms) Code Run
----------- ---------- --------------- ------ ---------- -----------------
*1 icmp-echo 6.6.6.6 RTT=1 OK 3 seconds ago

Aug 14 10:53:57: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR_TdP not supported for Policy-Based Routing
Aug 14 10:53:58: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR_TdP not supported for Policy-Based Routing
Aug 14 10:53:59: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR_TdP not supported for Policy-Based Routing

Others:


SWSFMI11#show ver
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.03.05SE RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 30-Oct-14 13:12 by prod_rel_team

ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 1.2, RELEASE SOFTWARE (P)

SWSFMI11 uptime is 5 weeks, 4 days, 6 hours, 16 minutes
Uptime for this control processor is 5 weeks, 4 days, 6 hours, 19 minutes
System returned to ROM by reload
System restarted at 06:15:54 GMT Thu Jul 6 2017
System image file is "flash:packages.conf"
Last reload reason: reload

This product contains cryptographic features and is subject to United

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: Ipservices
License Type: Permanent
Next reload license Level: Ipservices

cisco WS-C3650-24TS (MIPS) processor with 4194304K bytes of physical memory.
Processor board ID FDO1917E4T0
7 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
257008K bytes of Crash Files at crashinfo:.
1550272K bytes of Flash at flash:.
0K bytes of Dummy USB Flash at usbflash0:.
0K bytes of at webui:.

Base Ethernet MAC Address : 54:a2:74:7e:cd:00
Motherboard Assembly Number : 73-15127-05
Motherboard Serial Number : FDO191718UD
Model Revision Number : D0
Motherboard Revision Number : A0
Model Number : WS-C3650-24TS
System Serial Number : FDO1917E4T0


Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 28 WS-C3650-24TS 03.03.05SE cat3k_caa-universalk9 INSTALL


What I did verify is that IP SLA works, but the combination of both does not, and the log that appears says it is not supported. PBR without IP SLA also works for me, but the combination of both does not.

Aug 14 10:53:57: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR_TdP not supported for Policy-Based Routing

Waiting for your answer.

thanks

Network Administrator

Accepted Solution

Can you try to configure the route-map with only the next hop specified without the next hop verification, like the following:

route-map PBR_TdP permit 10
match ip address ip_services
set ip next-hop 172.24.245.174

Then try to reapply the policy route-map to the interface:

interface Vlan502
ip policy route-map PBR_TdP

If this solves the issue then it may be an issue with the support of next-hop reachability tracking in PBR by your image.

If this does not solve the issue, it could also be because your next hop address seems to be recursive. If that is the case, recursive next hops may not be supported by your image in PBR.

Also, it seems there is a Cisco bug, CSCun40727, that may cause this error message for certain PBR configurations and images.

If disabling the next hop availability does not resolve the issue, you may have to upgrade your image to get around the bug or recursive next hop.

The other option if you must verify reachability to the next hop and it is not supported is to tie the PBR configuration on the interface to an EEM policy that tracks an IP SLA and disables or enables PBR on the interface based on its status.

Hope this helps.
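The EEM workaround mentioned at the end of this answer, sketched as an added example (not configuration from the original post or from Cisco): two applets watch track object 1 and remove or re-apply the policy on Vlan502. The `track 1 ip sla 1 reachability` binding, the delay values and the applet names are assumptions; the route-map, ACL, interface and next hop are the ones shown in the thread's output.

```cisco
! Added example. Assumption: track 1 follows IP SLA operation 1, as the
! "track 1 [up]" in the thread's show route-map output suggests.
track 1 ip sla 1 reachability
 ! Assumed hold-down timers so a single lost probe does not flap PBR.
 delay down 10 up 30
!
! Plain next hop without verify-availability, the form the platform accepts.
! Next hop taken from the working show route-map output later in the thread.
route-map PBR_TdP permit 10
 match ip address ip_services
 set ip next-hop 172.24.235.174
!
! Hypothetical applet: probe failed, remove PBR from the SVI so traffic
! falls back to the normal routing table instead of a dead next hop.
event manager applet PBR_TDP_TRACK_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Vlan502"
 action 4.0 cli command "no ip policy route-map PBR_TdP"
 action 5.0 cli command "end"
 action 6.0 syslog msg "track 1 down: PBR_TdP removed from Vlan502"
!
! Hypothetical applet: probe recovered, re-apply the policy.
event manager applet PBR_TDP_TRACK_UP
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Vlan502"
 action 4.0 cli command "ip policy route-map PBR_TdP"
 action 5.0 cli command "end"
 action 6.0 syslog msg "track 1 up: PBR_TdP applied to Vlan502"
```

If AAA command authorization is enabled, the applets' CLI actions need a user set with `event manager session cli username`. The applets change only the running configuration, so the saved startup state decides whether PBR is applied after a reload.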

8 Replies

Reza Sharifi
Hall of Fame

Hi,

3650 with IP Service license should support PBR with IP SLA. You may want to upgrade to this version and test again.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3e/release_notes/OL3264701.html

HTH

Tonight I will perform the update and test the functionality of PBR + IP SLA. I hope to get lucky.

I will be informing you anyway.

thanks

Network Administrator

Kevin Rivest
Level 1

Whether PBR and IP SLA are supported on your switch is based on the IOS version and SDM template. You must have an IP Services image to support PBR and IP SLA. Based on your show output your version does support PBR and IP SLA. Also because you are able to apply the policy route-map to the interface your SDM should be correct. In order to tell you can issue the command show sdm prefer. You must have an SDM of advanced to support PBR.

I believe more than likely the reason your PBR is failing is not because it is not supported by the switch but because of how your access list is configured for PBR. You have the log option configured after each ACE; this causes an interrupt to the processor for each packet policy routed. This is an issue for CEF or fast switched packets that normally do not require an interrupt. In order to correct the issue try to configure the access list without the log option on the ACEs, like the following:

ip access-list extended 101
10 permit ip any host 172.22.252.217
20 permit ip any host 172.22.173.48
30 permit ip any host 172.22.173.63
40 permit ip any host 172.22.4.31
50 permit ip any host 172.22.9.14
60 permit ip any host 172.22.9.15
70 permit ip any host 172.22.9.28
80 permit ip any host 172.22.9.29
90 permit ip any host 172.22.173.105
100 permit ip any host 172.22.2.32

Hopefully this corrects the issue and you should see the correct routing policy.

Hello Kevin, I tried your suggestion, but unfortunately the problem persists and the message is the same one that I have reported.

SWSFMI11#show ip access-lists ip_services
Extended IP access list ip_services
10 permit ip any host 172.22.252.217
20 permit ip any host 6.6.6.6

SWSFMI11#show sdm prefer
Showing SDM Template Info

This is the Advanced (low scale) template.
Number of VLANs: 4094
Unicast MAC addresses: 32768
Overflow Unicast MAC addresses: 512
IGMP and Multicast groups: 4096
Overflow IGMP and Multicast groups: 512
Directly connected routes: 32768
Indirect routes: 7680
Security Access Control Entries: 1536
QoS Access Control Entries: 3072
Policy Based Routing ACEs: 1024
Netflow ACEs: 1024
Input Microflow policer ACEs: 256
Output Microflow policer ACEs: 256
Flow SPAN ACEs: 256
Tunnels: 256
Control Plane Entries: 512
Input Netflow flows: 8192
Output Netflow flows: 16384
SGT/DGT entries: 4096
SGT/DGT Overflow entries: 512
These numbers are typical for L2 and IPv4 features.
Some features such as IPv6, use up double the entry size;
so only half as many entries can be created.

SWSFMI11#show ip ospf nei

Neighbor ID Pri State Dead Time Address Interface
172.24.249.14 0 FULL/ - 00:00:31 172.24.235.182 Vlan902
172.24.249.16 0 FULL/ - 00:00:30 172.24.235.174 Vlan905 --> Router Backup
172.24.249.15 0 FULL/ - 00:00:36 172.24.235.166 Vlan900

Aug 14 16:08:49: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR_TdP not supported for Policy-Based Routing

Aug 14 16:08:49: %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map PBR_TdP not supported for Policy-Based Routing

SWSFMI11#show ip sla summary

IPSLAs Latest Operation Summary
ID Type Destination Stats Return Last
(ms) Code Run
----------- ---------- --------------- ------ ---------- -----------------
*1 icmp-echo 172.24.235.174 RTT=1 OK 3 seconds ago

SWSFMI11#show route-map PBR_TdP
route-map PBR_TdP, permit, sequence 10
Match clauses:
ip address (access-lists): ip_services
Set clauses:
ip next-hop verify-availability 172.24.245.174 1 track 1 [up]
Nexthop tracking current: 0.0.0.0
172.24.245.174, fib_nh:0,oce:0,status:0

Policy routing matches: 0 packets, 0 bytes
SWSFMI11#

What I have noticed is that when I apply the command on the VLAN interface, it does not appear in the configuration and the hardware error message appears.
I am sending you the show run output and the result of some commands for verification.

SWSFMI11#show run interface vlan 502
Building configuration...

Current configuration : 158 bytes
!
interface Vlan502
description Red_Admin
ip address 10.161.15.71 255.255.255.128
standby 2 ip 10.161.15.1
standby 2 priority 254
standby 2 preempt
end

thanks

Regards

Jesus Flores.

Network Administrator

I think it might not support the "verify-availability" option.

Can you try with just "set ip next-hop <IP address>" and see if it accepts it.

If it does then worth checking the configuration guides of later IOS versions to see if it is mentioned.

Jon

Tonight I will perform the update and test the functionality of PBR + IP SLA. I hope to get lucky.

Thanks Jon

Network Administrator

In fact PBR works by itself; the problem is when it is combined with IP SLA. Apparently everything indicates that it is a bug.

According to what you indicate and after consulting other websites, the error is CSCun40727 and is solved by upgrading to Cisco IOS XE Release 3.6.3E.

I am sending some evidence showing that PBR is working correctly.

SWSFMI11#show ip access-lists ip_services
Extended IP access list ip_services
10 permit ip any host 172.22.252.217 (12 matches)
20 permit ip any host 6.6.6.6
SWSFMI11#

SWSFMI13#traceroute 172.22.252.217
Type escape sequence to abort.
Tracing the route to bc_cpp.falabella.com (172.22.252.217)
VRF info: (vrf in name/id, vrf out name/id)
1 swsfmi11.saga.com (10.161.15.71) 3 msec 3 msec 11 msec
2 172.24.235.174 0 msec 4 msec 0 msec
3 10.195.230.153 0 msec 3 msec 0 msec
4 10.192.222.118 7 msec 7 msec 0 msec
5 swsi0d_wan.saga.com (172.22.252.100) 7 msec 3 msec 4 msec
6 bc_cpp.falabella.com (172.22.252.217) 3 msec 7 msec 7 msec

Aug 15 15:21:35.577: PR-RP: Set Vlan502 policy_routemap=PBR_TdP; cached_map=PBR_TdP
Aug 15 10:21:36: %SYS-5-CONFIG_I: Configured from console by _jflorest on vty0 (172.22.9.254)
Aug 15 15:22:10.124: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217, len 28, policy match
Aug 15 15:22:10.124: IP: route map PBR_TdP, item 10, permit
Aug 15 15:22:10.124: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217 (Vlan905), len 28, policy routed
Aug 15 15:22:10.124: IP: Vlan502 to Vlan905 172.24.235.174
Aug 15 15:22:10.131: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217, len 28, policy match
Aug 15 15:22:10.131: IP: route map PBR_TdP, item 10, permit
Aug 15 15:22:10.131: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217 (Vlan905), len 28, policy routed
Aug 15 15:22:10.132: IP: Vlan502 to Vlan905 172.24.235.174
Aug 15 15:22:10.135: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217, len 28, policy match
Aug 15 15:22:10.136: IP: route map PBR_TdP, item 10, permit
Aug 15 15:22:10.136: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217 (Vlan905), len 28, policy routed
Aug 15 15:22:10.136: IP: Vlan502 to Vlan905 172.24.235.174
Aug 15 15:22:28.066: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217, len 28, policy match
Aug 15 15:22:28.066: IP: route map PBR_TdP, item 10, permit
Aug 15 15:22:28.066: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217 (Vlan905), len 28, policy routed
Aug 15 15:22:28.066: IP: Vlan502 to Vlan905 172.24.235.174
Aug 15 15:22:28.071: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217, len 28, policy match
Aug 15 15:22:28.071: IP: route map PBR_TdP, item 10, permit
Aug 15 15:22:28.071: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217 (Vlan905), len 28, policy routed
Aug 15 15:22:28.072: IP: Vlan502 to Vlan905 172.24.235.174
Aug 15 15:22:28.076: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217, len 28, policy match
Aug 15 15:22:28.076: IP: route map PBR_TdP, item 10, permit
Aug 15 15:22:28.076: IP: s=10.161.15.73 (Vlan502), d=172.22.252.217 (Vlan905), len 28, policy routed
Aug 15 15:22:28.076: IP: Vlan502 to Vlan905 172.24.235.174

SWSFMI11#show run interface vlan 502
Building configuration...

Current configuration : 187 bytes
!
interface Vlan502
description Red_Admin
ip address 10.161.15.71 255.255.255.128
standby 2 ip 10.161.15.1
standby 2 priority 254
standby 2 preempt
ip policy route-map PBR_TdP
end

SWSFMI11#show route-map PBR_TdP
route-map PBR_TdP, permit, sequence 10
Match clauses:
ip address (access-lists): ip_services
Set clauses:
ip next-hop 172.24.235.174
Nexthop tracking current: 172.24.235.174
172.24.235.174, fib_nh:383F2EF4,oce:3CDDF4D0,status:1

Policy routing matches: 6 packets, 360 bytes
SWSFMI11#


Tonight I will perform the update and test the functionality of PBR + IP SLA. I hope to get lucky.

thanks

Network Administrator