PBR Not Applying To SVI

Dan Man
Level 1

We have two L3 3560's.  One 3560 has an upstream MPLS router.  The other 3560 has an upstream backup VPN router.  Both of these 3560's are L3 switches with IP routing enabled.  I created a PBR on both so that specific traffic routes through the MPLS router, while other traffic routes over the backup VPN router.  I'm trying to apply the PBR to the SVI's, on each switch.  However, when I do a "sh run", the PBR does not appear under either SVI.  I've enabled the SDM Routing template, made sure that ip routing was enabled, and even verified that the IOS has the capability.  Not sure what else to check for.  Thanks for any help, in advance!

9 Replies

Reza Sharifi
Hall of Fame

To do PBR, you need IP Service license.  Check your license level.

sh lice

or

sh ver

HTH

Reza,

Thank you for your response. I thought the same thing when I came upon this issue. However, I was under the assumption that the 3560's were feature specific: they only run the IP Base or IP Services IOS, which doesn't require a license activation. Since we're licensed for the IP Services IOS, we should have full L3 capabilities. I might be wrong, so please tell me if I am. Again, thanks for your prompt response!

Hi Dan,

You are correct. The older 3560s run feature specific IOS.  So, if you have IP Services feature set, you should be able to do PBR.

What version of IOS are you running?

HTH

Reza,

It's 12.2(55)SE6. It's the latest IOS for this model 3560. It's just an odd issue. When I go to the SVI (int vlan 100), do an ip policy route-map routemapname, and hit enter, it appears to take the command. However, when I do a sh run and look at the L3 SVI, I don't see the policy applied to the SVI. I thought that maybe this was just a bug and that the PBR would work, but that is not the case. The PBR does not work at all. I tried applying the PBR to a physical interface, and that works. However, the traffic does not go through the physical interface. Thanks for all of your assistance!

Dan,

Did you make sure to reboot after applying "sdm prefer routing" command?

HTH

Reza,

Yes, absolutely.  After the reboot, I did a sh sdm prefer, and I do see that the default has not changed to routing.  This is one problem that has really stumped me!

Then that is the problem.  SDM needs to be routing.

Can you post sh ver?

Stupid question, but did you reload the switch after you changed the SDM template? That is necessary!

Do you have WCCP or VRF enabled? That will prevent PBR.

These are the guidelines for a 3560:

PBR Configuration Guidelines

Before configuring PBR, you should be aware of this information:

To use PBR, you must have the IP services image installed on the switch.

Multicast traffic is not policy-routed. PBR applies only to unicast traffic.

You can enable PBR on a routed port or an SVI.

The switch does not support route-map deny statements for PBR.

You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel.

You can define a maximum of 246 IP policy route maps on the switch.

You can define a maximum of 512 access control entries (ACEs) for PBR on the switch.

When configuring match criteria in a route map, follow these guidelines:

Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.

Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.

To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see "Configuring SDM Templates."

VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface. The reverse is also true: you cannot enable PBR when VRF is enabled on an interface.

Web Cache Communication Protocol (WCCP) and PBR are mutually exclusive on a switch interface. You cannot enable WCCP when PBR is enabled on an interface. The reverse is also true: you cannot enable PBR when WCCP is enabled on an interface.

The number of TCAM entries used by PBR depends on the route map itself, the ACLs used, and the order of the ACLs and route-map entries.

Policy-based routing based on packet length, TOS, set interface, set default next hop, or set default interface is not supported. Policy maps with no valid set actions or with the set action set to Don't Fragment are not supported.

Beginning with Cisco IOS Release 12.2(35)SE, the switch supports quality of service (QoS) DSCP and IP precedence matching in PBR route maps, with these limitations:

You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.

You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.

When you configure PBR with QoS DSCP, you can set QoS to be enabled (by entering the mls qos global configuration command) or disabled (by entering the no mls qos command). When QoS is enabled, to ensure that the DSCP value of the traffic is unchanged, you should configure a DSCP trust state on the port where traffic enters the switch by entering the mls qos trust dscp interface configuration command. If the trust state is not DSCP, by default all nontrusted traffic would have the DSCP value marked as 0.


SaidJawad
Level 1

Dan Man,

I had the same problem. But if the policy route does not appear under the interface configuration, it means that the entered command has been rejected for some reason. The switch will show a syslog message, but if you are connected using telnet or ssh, you won't be able to see that message. I have a couple of suggestions for you. First, enter terminal monitor in privileged EXEC mode. Second, check that your route map does not have unsupported entries. Here is a list of unsupported route-map commands in the 3560:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swuncli.html#wp1014499

Best
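The PBR guidelines pasted earlier and SaidJawad's advice to check the route map for unsupported entries both amount to one pre-flight check that can be scripted before the config is pasted into the switch. The following Python lint is an added example, not code from this thread or from Cisco: it reads IOS-style config text and flags the conditions the guidelines list as reasons the ip policy route-map command is silently rejected (non-routing SDM template, route-map deny sequences, match length, set default next-hop/interface, set interface, and ACLs with deny ACEs). The sample config, ACL and route-map names are constructed for illustration.

```python
import re
# Constructed sample config (not from the thread) breaking several 3560 PBR guidelines.
SAMPLE_CONFIG = """sdm prefer default
ip access-list extended MPLS-TRAFFIC
 deny ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.0.0 0.0.255.255 any
route-map TO-MPLS permit 10
 match ip address MPLS-TRAFFIC
 set ip default next-hop 192.0.2.1
route-map TO-MPLS deny 20
 match length 0 100"""

def acls_with_deny(cfg):
    """Return the set of named ACLs that contain at least one deny ACE."""
    hits, cur = set(), None
    for line in cfg.splitlines():
        m = re.match(r"ip access-list (?:extended|standard) (\S+)", line)
        if m:
            cur = m.group(1)
        elif not line.startswith(" "):
            cur = None                      # another top-level command ends the ACL
        elif cur and line.startswith(" deny"):
            hits.add(cur)
    return hits

def check_pbr_config(cfg):
    """Return findings that would make the switch reject `ip policy route-map`."""
    findings = []
    if not re.search(r"^sdm prefer routing\b", cfg, re.M):
        findings.append("sdm prefer routing not set (PBR needs the routing SDM template)")
    deny_acls, cur = acls_with_deny(cfg), None
    for line in cfg.splitlines():
        m = re.match(r"route-map (\S+) (permit|deny) (\d+)", line)
        if m:                               # start of a route-map sequence
            cur = f"{m.group(1)} seq {m.group(3)}"
            if m.group(2) == "deny":
                findings.append(f"{cur}: route-map deny statements are not supported for PBR")
        elif not line.startswith(" "):
            cur = None                      # left the route-map block
        elif cur:
            s = line.strip()
            if s.startswith("match length"):
                findings.append(f"{cur}: match on packet length is not supported")
            elif s.startswith(("set ip default next-hop", "set default interface", "set interface")):
                findings.append(f"{cur}: '{s}' is not a supported set action")
            elif (a := re.match(r"match ip address (\S+)", s)) and a.group(1) in deny_acls:
                findings.append(f"{cur}: ACL {a.group(1)} has deny ACEs (packets punted to CPU)")
    return findings
```

Run it against a saved show run before applying the policy; an empty result means none of the listed rejection reasons is present, although VRF or WCCP on the target interface still has to be checked separately.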