12-26-2010 09:26 PM - edited 03-06-2019 02:42 PM
Hi,
I have a Cisco WS-C3560G-24TS layer 3 switch in my network where I have configured VLANs and some static routes. The current IOS on the switch is Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(35)SE5. It seems this IOS doesn't support Policy Based Routing. I would like to get the PBR feature as well.
Does c3560-ipservicesk9-mz.122-55.SE1.bin IOS support PBR?
Shall I go ahead and change the IOS from ipbase to ipservices?
Does this cause any issue in my network?
Does this ipservices IOS support all ipbase features as well?
Thanks for any response.
- Ribin
12-26-2010 09:34 PM
Hello Ribin ,
As far as I saw, the last image is c3560-ipservicesk9-mz.122-55.SE, so no SE1.
ipservices 12.2(55)SE supports PBR.
Also, ipservices has more features than ipbase, so there should be no issues when migrating from ipbase to ipservices.
Dan
12-26-2010 09:52 PM
Thanks for the response Dan.
I found SE1 from the below url:
Does SE1 support PBR?
- Ribin
12-26-2010 10:02 PM
Yes, all the ipservices track images support PBR.
Dan
12-27-2010 01:55 AM
Thanks
- Ribin
12-27-2010 04:09 AM
Hi,
The IP Services feature set supports PBR on 3560 switches and currently the latest available version is 12.2(55)SE1. IP Services contains every feature which is supported by IP Base.
In order to enable PBR support on the switch, you will also need to change the SDM (Switch Database Manager) template on the switch to be routing. The SDM template will repartition the TCAM (hardware memory) space to be able to store PBR entries.
Use the show sdm prefer command to see the currently configured SDM template and use the sdm prefer routing global configuration command to change it from default to routing. Please note that you will need to reload the switch after changing the SDM template in order to apply changes.
The above applies to both 3560 and 3750 switches.
For more information about SDM templates and configuration, please refer to the following documentation.
Configuring SDM Templates
Understanding and Configuring Switching Database Manager on Catalyst 3750 Series Switches
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00801e7bb9.shtml
Best regards,
Andras
12-31-2010 11:28 PM
I updated the IOS to ipservices, but my PBR seems to be not working.
access-list 180 permit tcp host 192.168.40.50 any eq www
route-map webtraffic permit 180
match ip address 180
set ip next-hop 192.168.40.201
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip policy route-map webtraffic
192.168.40.50 is the IP of a machine in my network and 192.168.40.201 is the IP of squid (proxy).
Squid works well when I give its IP explicitly in the IE settings, but transparently it's not working; I am not even getting hits in the squid logs. But I am getting hits on the switch ACL.
Any help?
- Ribin
01-01-2011 02:48 AM
No help?
01-01-2011 12:45 PM
Could you please paste the output of the 'sh sdm prefer' command from your switch?
Also, did you set a redirect/intercept on your squid proxy with iptables? It's necessary so that squid will process the packets originally not destined to its own IP.
Please refer to the following link for more information about configuring squid interception:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
Andras
01-02-2011 07:55 PM
Sw#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
Yes, I did set a redirect/intercept on my squid proxy. I am not getting any logs in my squid... It seems the switch is not redirecting the traffic to squid.
- Ribin
01-03-2011 03:51 PM
Can you do a sniffer capture on the squid proxy? You can either use tcpdump on linux or you can do a SPAN capture on the switchport connecting the squid proxy.
From your description and configuration, it looks like the server is dropping the traffic because it's not destined to its own IP address. Note that PBR will not translate the destination IP address; it will remain as it is. The PBR set ip next-hop will just send the packets to the MAC address belonging to the next-hop IP, and the IP headers will remain unchanged. That's why you need an iptables translation on the Linux box in order to intercept/capture the packets destined to a foreign IP address.
Andras
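The forwarding behaviour Andras describes, modelled as an added example (not Cisco IOS or Squid code, and not part of the original thread): the ACE and next-hop come from Ribin's posted config, while the client flow, the Squid port 3128 and the iptables REDIRECT rule are assumptions. It shows that "set ip next-hop" changes only where the switch hands the frame, so without a REDIRECT on the Linux box the packet's foreign destination keeps it away from Squid.

```python
from dataclasses import dataclass

# Constructed model of the setup posted in this thread (added example; not Cisco IOS or Squid code).
# ACE and next-hop are from Ribin's post; the Squid port and the iptables rule are assumptions.
SQUID_IP = "192.168.40.201"
SQUID_PORT = 3128                      # assumed Squid http_port
WELL_KNOWN = {"www": 80, "http": 80}   # keyword ports accepted by 'eq' in this model

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    next_hop: str = "normal-routing"   # forwarding decision; separate from the IP header

def parse_ace(line):
    """Parse 'access-list N permit tcp host SRC any eq PORT' (the only ACE shape used here)."""
    t = line.split()
    if (len(t) != 9 or t[0] != "access-list" or t[2:5] != ["permit", "tcp", "host"]
            or t[6:8] != ["any", "eq"]):
        raise ValueError("unsupported ACE: " + line)
    port = WELL_KNOWN.get(t[8]) or int(t[8])
    return {"acl": int(t[1]), "src": t[5], "dport": port}

def apply_pbr(pkt, ace, next_hop):
    """'set ip next-hop' changes only the forwarding decision: src, dst and dport are untouched."""
    if pkt.src == ace["src"] and pkt.dport == ace["dport"]:
        pkt.next_hop = next_hop
    return pkt

def linux_host(pkt, redirect_dport=None):
    """What the Squid box does with a frame PBR hands it. Without a nat PREROUTING REDIRECT
    (assumed rule: -p tcp --dport 80 -j REDIRECT --to-port 3128) a packet whose dst is not a
    local address is never delivered to Squid, which is why its access log stays empty."""
    if pkt.next_hop != SQUID_IP:
        return "never reaches squid host"
    if pkt.dst == SQUID_IP:
        return f"local socket :{pkt.dport}"
    if redirect_dport == pkt.dport:
        return f"REDIRECT -> squid :{SQUID_PORT}"
    return f"not local dst {pkt.dst}: forwarded or dropped, squid never sees it"

ACE = parse_ace("access-list 180 permit tcp host 192.168.40.50 any eq www")
web = Packet("192.168.40.50", "203.0.113.10", 80)     # constructed client HTTP flow
pbr = apply_pbr(web, ACE, SQUID_IP)
print(pbr.dst, pbr.next_hop)                          # dst unchanged, next hop is the proxy
print(linux_host(pbr))                                # no REDIRECT: squid sees nothing
print(linux_host(pbr, redirect_dport=80))             # with REDIRECT: squid gets the flow
```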
01-03-2011 10:03 PM
I did tcpdump on my Linux box and there is no traffic coming to it. I also had iptables on my Linux box, but I guess it comes into play only if traffic comes to the box, right?
- Ribin