How to Implement PBR on the SVI on 6500 Platform?

I have a 6500 switch with SUP720. I need to implement PBR on the SVI interface. Will this be hardware-based PBR, or will all the packets be routed by software?

4 Replies

Jon Marshall
Hall of Fame

sk1.bansal wrote:

I have a 6500 switch with SUP720. I need to implement PBR on the SVI interface. Will this be hardware-based PBR, or will all the packets be routed by software?


PBR is implemented in hardware on the 6500 but there are restrictions. From the 12.2 release notes -

When configuring PBR, follow these guidelines and restrictions:

Releases earlier than Release 12.2(33)SXH use the syntax from Release 12.1, which supports preempt as a keyword for the standby priority command. Release 12.2(33)SXH and later releases use the Release 12.2 syntax, which requires standby preempt and standby priority to be entered as separate commands:

http://www.cisco.com/en/US/docs/ios/ipapp/command/reference/iap_s5.html#standby_priority

http://www.cisco.com/en/US/docs/ios/ipapp/command/reference/iap_s5.html#standby_preempt

The PFC provides hardware support for PBR configured on a tunnel interface.

The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.

If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC. (CSCse86399)

Any options in Cisco IOS ACLs that provide filtering in a PBR route map that would cause flows to be sent to the MSFC3 to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route maps.

PBR traffic through switching module ports where PBR is configured is routed in software if the switching module resets. (CSCee92191)

How to implement it - well, let's say you have an SVI (int vlan 10) that traffic comes into. You have 2 sets of src IPs, 192.168.5.0/24 and 192.168.10.0/24. You want to send the 192.168.5.0/24 to one next-hop and the 192.168.10.0/24 to another -

access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

route-map PBR permit 10
 match ip address 101
 set ip next-hop x.x.x.x
route-map PBR permit 20
 match ip address 102
 set ip next-hop y.y.y.y

int vlan 10
 ip policy route-map PBR

Jon
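The MSFC caveat quoted above (CSCse86399) is easy to miss with a config of this shape: a packet from 192.168.5.0/24 addressed to the Vlan10 SVI itself matches the permit in ACL 101 and is policy routed to the next-hop instead of reaching the MSFC. The following is an added example, not Jon's or Cisco's code: a small Python checker that walks a config like Jon's and flags any policy ACL whose permit ACE covers an SVI address without a preceding deny that shields it. The SVI address 192.168.5.1/24 on Vlan10 and the next-hop 10.0.0.1 are assumed values.

```python
import ipaddress
# Constructed sample (not from the thread): Jon's ACL/route-map plus an assumed SVI address 192.168.5.1/24 and next-hop 10.0.0.1.
CONFIG = """access-list 101 permit ip 192.168.5.0 0.0.0.255 any
route-map PBR permit 10
 match ip address 101
 set ip next-hop 10.0.0.1
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
 ip policy route-map PBR"""

def ace_net(tok):
    # Pop one ACE address spec (any | host A | A WILDCARD); contiguous wildcards assumed.
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0))
    wild = int(ipaddress.ip_address(tok.pop(0)))  # IOS wildcard: 1 bits are "don't care"
    return ipaddress.ip_network(f"{t}/{32 - wild.bit_length()}", strict=False)

def parse(config):
    # ACLs as ordered (action, src, dst) tuples; route-maps -> {"acls": [...]}; SVIs -> ip/policy.
    acls, maps, svis, ctx = {}, {}, {}, None
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[0] == "access-list" and w[3:4] == ["ip"]:  # only plain "ip" ACEs are modelled
            tok = w[4:]
            acls.setdefault(w[1], []).append((w[2], ace_net(tok), ace_net(tok)))
        elif w[0] in ("route-map", "interface"):
            ctx = (maps if w[0] == "route-map" else svis).setdefault(w[1], {})
        elif w[:3] == ["match", "ip", "address"]:
            ctx.setdefault("acls", []).extend(w[3:])
        elif w[:2] == ["ip", "address"]:
            ctx["ip"] = ipaddress.ip_address(w[2])
        elif w[:3] == ["ip", "policy", "route-map"]:
            ctx["policy"] = w[3]
    return acls, maps, svis

def msfc_findings(config):
    # (interface, acl) pairs where a permit ACE covers an MSFC (SVI) address and no earlier
    # deny with a source at least as broad shields it: that MSFC-bound traffic gets policy routed.
    acls, maps, svis = parse(config)
    msfc, hits = [s["ip"] for s in svis.values() if "ip" in s], []
    for name, svi in svis.items():
        for acl in maps.get(svi.get("policy"), {}).get("acls", []):
            aces = acls.get(acl, [])
            for i, (act, src, dst) in enumerate(aces):
                for ip in msfc:
                    shielded = any(a == "deny" and ip in d and src.subnet_of(s) for a, s, d in aces[:i])
                    if act == "permit" and ip in dst and not shielded and (name, acl) not in hits:
                        hits.append((name, acl))
    return hits
```

Inserting `access-list 101 deny ip 192.168.5.0 0.0.0.255 host 192.168.5.1` ahead of the permit, as the release note recommends, clears the finding.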

Dear Jon,

Thanks for your prompt response. I am using IOS - 12.2(18)SXF16.

For the configuration below, will packets be hardware switched, or will the MSFC be used?

Will adding PBR on an SVI add to CPU utilization?

**************************************************************
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

route-map PBR permit 10
 match ip address 101
 set ip next-hop x.x.x.x
route-map PBR permit 20
 match ip address 102
 set ip next-hop y.y.y.y

int vlan 10
 ip policy route-map PBR
**************************************************************

I have already answered your question in the previous post. It is hardware switched unless you meet any of the criteria I included from the release notes. With the config I supplied it should be hardware switched.

Jon

Hi Jon,

I have a similar situation and need some advice if possible.

I have a 6500 series with SUP720-3B and I need to do some kind of PBR so that my outbound traffic to the internet goes via ISP1 and my inbound VPN traffic goes via ISP2. The setup is as follows:

I have two VLANs configured on my switch, VLAN 10 and VLAN 20, which are layer 2 VLANs with no SVIs. In these VLANs I have the respective ISP routers; ISP1 in VLAN 10 and ISP2 in VLAN 20. The firewalls being used are the Cisco ASA 5520 models. For our example I will call them ASA1 for ISP1 and ASA2 for ISP2. Now, ASA1 will be generating a default route into my network using the IP SLA feature, and this default route is what will take the users out to the internet via ISP1. The second ASA will be allowing inbound VPN connections (both remote access VPN and site-to-site VPN traffic).

I want the traffic that comes in via ASA2 to go back out the same way. The question I have is: when the remote access or the site-to-site VPN traffic comes into the network, how will it go back when the default route is pointing to ASA1?

My thoughts were to do PBR on the Catalyst 6500, which is my core switch, but I am not sure where the PBR needs to be applied. Do I apply it to all SVI interfaces of my internal VLANs so that returning traffic is policy routed to ASA2? The VPN clients and the site-to-site VPN will require access to all the VLANs internally. The Cisco documentation states that the route-map be applied to the SVI of the VLAN from which the traffic is coming in; I am confused and need some advice.

Thanks
