06-15-2011 12:59 PM - edited 03-07-2019 12:50 AM
Hello All,
I am trying to enable policy based routing on a new 3560x switch.
The device has the following code c3560e-universalk9-mz.122-55.SE1.bin and the IPSERVICES license
I can create the route map in global config mode but when I try to enable pbr under the required interface the commands are not there.
Therefore, when I type ip policy route-map "name", the word policy does not show up in the interface config mode.
I have also changed the sdm profile to routing; this has not made a difference.
Any assistance would be greatly appreciated.
Thanks,
Marc
Index 1 Feature: ipservices
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
06-15-2011 01:42 PM
Make sure you've enabled ip routing:
ip routing
06-20-2011 08:53 AM
Hi Antonio, I am also running OSPF on the device, so ip routing was already configured. Any other ideas?
Thanks,
Marc
06-24-2011 03:25 AM
Hi Antonio,
I believe I have worked it out. It seems that unlike a standard router like asr or 2800 series, the 3650X does not support configuration of the commands "ip wccp" and "ip policy" at the same time under its interfaces. Therefore you can either do WCCP or PBR. In the end I continued to do the WCCP only on the 3650X and the PBR was done on another upstream router.
Thanks & Regards,
Marc
06-01-2013 05:13 AM
Hi,
I'm having the exact same issue.
I have a 3560-X with ipservices license. I had the sdm template set to dual-IPv4-IPv6-routing, which according to Cisco documentation should support PBR for IPv4... the ip policy route-map NAME does not show up in the interface config.
I even tried changing the SDM template to just IPv4 routing but again the ip policy route-map is not taken in by the 3560-X.
It doesn't give out any errors it just simply doesn't do anything when the command is typed in.
Does anyone have any idea on how to fix this?
Thanks,
06-01-2013 10:17 AM
Hello
Looking at Cisco navigator, 3650x supports PBR on 12.2 and 15.1 - 15.3 universal ip services
Res
Paul
Sent from Cisco Technical Support iPad App
06-01-2013 10:27 AM
Hello, In addition to Paul's confirmation that PBR is supported on the platform, here is the software configuration guide for PBR on the 3560X and 3750X - version 12.2 55 SE
To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see Chapter 8 "Configuring SDM Templates."
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
06-01-2013 03:48 PM
Well guys, I've already established based on documentation and cisco Feature Navigator that PBR >> should << be supported.
I'm trying to find out why it doesn't actually work.
I'm running the latest IOS for the 3560-X c3560e-universalk9-mz.150-2.SE2
I tried both with sdm template "dual-ipv4-and-ipv6 routing" and "routing" (IPv4 PBR should work with both these templates based on cisco documentation).
I'm basically trying to set it up in the same way I have it working on a 6506-E.
Configuring ACLs and route-maps works just fine, but when applying "ip policy route-map RM-NAME" to an interface it doesn't do anything. It takes in the command without any error but it doesn't show up in the config.
Like:
My3560X#sh run interface Vlan10
interface Vlan10
ip address 172.16.10.1 255.255.255.0
no ip unreachables
no ip proxy-arp
end
My3560X#conf t
My3560X(config)#interface Vlan10
My3560X(config-if)#ip policy route-map NAT-POLICY
My3560X(config-if)#end
My3560X#sh run interface Vlan10
interface Vlan10
ip address 172.16.10.1 255.255.255.0
no ip unreachables
no ip proxy-arp
end
So as you can see, the command does nothing.
I thought maybe it doesn't work on vlan interfaces (even if the documentation says it does)...I also tried on a physical routed interface....same result.
So what am I missing?
06-01-2013 11:19 PM
Hello, so if I understood you correctly, you have an ip services license which supports PBR and you followed the correct steps of changing the SDM template, and it still does not apply the route map policy...
Could you kindly show the output of 'show sdm prefer'
I'd say a TAC case is required here.
Just as a note though, once you configure SDM templates, you do need to reload the switch. But you may have done this.
====================
Conf t
!
sdm prefer routing
!
End
Copy run start
Reload
====================
Then try PBR configuration
Hope this helps
Sent from Cisco Technical Support iPhone App
06-02-2013 04:35 AM
Hi,
I already tried changing the sdm template a few times (rebooted each time)
3560X#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 10.875k
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 7.875k
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.375k
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 58
3560X#sh license
Index 1 Feature: ipservices
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Priority: Medium
License Count: Non-Counted
Index 2 Feature: ipbase
Period left: Life time
License Type: Permanent
License State: Active, Not in Use
License Priority: Medium
License Count: Non-Counted
Index 3 Feature: lanbase
Period left: 0 minute 0 second
Unfortunately we don't have an active Cisco support contract, so I guess I can't ask TAC for help.
06-03-2013 05:52 AM
Can you post the PBR config (ACL, route map, etc)? Sanitize if need be, but this smells like a config issue. Everything else seems to be in place for a successful config.
06-03-2013 05:58 AM
Hello
Where are you trying to apply PBR - SVI or switchport? (If it's on a switchport it will not work - the ports need to be routed ports.)
example:
int fax/x
ip po ?
Interface IP configuration subcommands:
access-group Specify access control for packets
admission Apply Network Admission Control
arp Configure ARP features
dhcp Configure DHCP parameters for this interface
igmp IGMP interface commands
verify verify
vrf VPN Routing/Forwarding parameters on the interface
int fa0/0
no switchport
ip policy ?
route-map Policy route map
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
06-03-2013 09:26 AM
Well gentlemen I think I got to the bottom of it.
First of all, the configs I was using were something like this:
ACL:
ip access-list extended ANY
permit ip any any
ip access-list extended NAT-BUILDING1
permit ip 10.20.0.0 0.0.255.255 any
ip access-list extended NAT-BUILDING2
permit ip 10.23.0.0 0.0.255.255 any
ip access-list extended NAT-BUILDING3
permit ip 10.25.0.0 0.0.255.255 any
ip access-list extended NAT-INTERNAL
permit ip any 10.0.0.0 0.255.255.255
permit ip any 172.16.0.0 0.15.255.255
permit ip any 192.168.0.0 0.0.255.255
route-map:
route-map NAT-POLICY permit 100
description Bypass PBR for local destinations
match ip address NAT-INTERNAL
continue 9999
!
route-map NAT-POLICY permit 1100
match ip address NAT-BUILDING1
set ip next-hop 10.0.0.16
!
route-map NAT-POLICY permit 1200
match ip address NAT-BUILDING2
set ip next-hop 10.0.0.11
!
route-map NAT-POLICY permit 9999
match ip address ANY
!
So I started removing lines from the route-map and soon enough I found out that it does not like the "continue 9999" command (works just fine on the 6506-E).
I have no idea why. Once I removed it I could apply it to the interface. Fortunately in this case it works even without it (I think there's an implied "permit" in the route-map, I remember reading something like that at one point, that's how I came up with the idea of removing the continue command). If anyone could explain why it doesn't accept the continue argument it would be helpful.
So I reverted back to my dual-ipv4-and-ipv6 routing SDM template since I also have some IPv6 configs on it and seems to be working ok.
Another thing I noticed is that with the new v15 IOS adding "set interface" to route-map is also supported. I remember I tried it a while back on a 3560-X with v12.2 and it would give out an error.
Thanks a lot for your help everyone.
06-04-2013 12:06 PM
d.draghichi, you would be correct in your analysis. The route map works somewhat like an ACL in that it works top-down until there's a match. If there's no match, then it forwards traffic based on the routing table. So, you can say that there is an implicit 'permit' in place here.
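Added example (not part of any post in this thread, and not Cisco code): a simplified Python model of the top-down, first-match evaluation described in the reply above, run over the ACLs and route-map posted earlier with "continue 9999" left out. The function names and sample packets are constructed for illustration, and treating a matching entry without a set clause as "use the routing table" is an assumption of the model.

```python
import ipaddress

# Constructed from the ACLs and route-map posted in the thread, with the
# "continue 9999" line left out (NAT-BUILDING3 is unused by the route-map).
ACLS = {
    "ANY":           ["permit ip any any"],
    "NAT-BUILDING1": ["permit ip 10.20.0.0 0.0.255.255 any"],
    "NAT-BUILDING2": ["permit ip 10.23.0.0 0.0.255.255 any"],
    "NAT-INTERNAL":  ["permit ip any 10.0.0.0 0.255.255.255",
                      "permit ip any 172.16.0.0 0.15.255.255",
                      "permit ip any 192.168.0.0 0.0.255.255"],
}
# (sequence, ACL to match, next hop or None when the entry has no set clause)
ROUTE_MAP = [(100, "NAT-INTERNAL", None), (1100, "NAT-BUILDING1", "10.0.0.16"),
             (1200, "NAT-BUILDING2", "10.0.0.11"), (9999, "ANY", None)]

def wild_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 in the mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def take_spec(tokens):
    """Consume one address spec ('any' or 'base wildcard') from an ACE."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def ace_matches(ace, src, dst):
    """Match a 'permit ip <src spec> <dst spec>' entry against a packet."""
    src_spec, rest = take_spec(ace.split()[2:])
    dst_spec, _ = take_spec(rest)
    return wild_match(src, *src_spec) and wild_match(dst, *dst_spec)

def policy_route(src, dst):
    """Return (sequence, next_hop) of the first matching entry.

    next_hop is None when the packet is left to the routing table, either
    because the matching entry has no set clause (assumption of this model)
    or because no entry matched at all (sequence is None as well).
    """
    for seq, acl, next_hop in ROUTE_MAP:
        if any(ace_matches(ace, src, dst) for ace in ACLS[acl]):
            return seq, next_hop
    return None, None

if __name__ == "__main__":
    for src, dst in [("10.20.5.5", "8.8.8.8"), ("10.20.5.5", "172.16.10.1"),
                     ("10.23.1.1", "1.1.1.1"), ("10.25.0.9", "8.8.8.8")]:
        print(src, "->", dst, policy_route(src, dst))
```

Traffic to the internal ranges stops at entry 100 and gets no next hop, so in this model the entry behaves the same with or without a jump to 9999.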