05-13-2013 06:13 AM - edited 03-07-2019 01:19 PM
We have two L3 3560s. One 3560 has an upstream MPLS router. The other 3560 has an upstream backup VPN router. Both of these 3560s are L3 switches with IP routing enabled. I created a PBR on both so that specific traffic routes through the MPLS router, while other traffic routes over the backup VPN router. I'm trying to apply the PBR to the SVIs on each switch. However, when I do a "sh run", the PBR does not appear under either SVI. I've enabled the SDM routing template, made sure that ip routing was enabled, and even verified that the IOS has the capability. Not sure what else to check for. Thanks for any help, in advance!
05-13-2013 06:41 AM
To do PBR, you need IP Service license. Check your license level.
sh lice
or
sh ver
HTH
05-13-2013 07:00 AM
Reza,
Thank you for your response. I thought the same thing when I came upon this issue. However, I was under the assumption that the 3560s were feature-specific. They only run the IP Base or IP Services IOS, which doesn't require a license activation. Since we're licensed for the IP Services IOS, we should have full L3 capabilities. I might be wrong, so please tell me if I am. Again, thanks for your prompt response!
05-13-2013 09:26 AM
Hi Dan,
You are correct. The older 3560s run feature-specific IOS. So, if you have the IP Services feature set, you should be able to do PBR.
What version of IOS are you running?
HTH
05-13-2013 09:33 AM
Reza,
It's 12.2(55)SE6. It's the latest IOS for this model 3560. It's just an odd issue. When I go to the SVI (int vlan 100), do an ip policy route-map routemapname, and hit enter, it appears to take the command. However, when I do a sh run and look at the L3 SVI, I don't see the policy applied to the SVI. I thought that maybe this was just a bug and that the PBR would work, but that is not the case. The PBR does not work at all. I tried applying the PBR to a physical interface, and that works. However, the traffic does not go through the physical interface. Thanks for all of your assistance!
05-13-2013 09:43 AM
Dan,
Did you make sure to reboot after applying "sdm prefer routing" command?
HTH
05-13-2013 09:48 AM
Reza,
Yes, absolutely. After the reboot, I did a sh sdm prefer, and I do see that the default has not changed to routing. This is one problem that has really stumped me!
05-13-2013 09:57 AM
Then that is the problem. SDM needs to be routing.
Can you post sh ver?
05-13-2013 09:57 AM
Stupid question: did you reload the switch after you changed the SDM template? That is necessary!
Do you have WCCP or VRF enabled? Either will prevent PBR.
These are the guidelines for a 3560:
Before configuring PBR, you should be aware of this information:
•To use PBR, you must have the IP services image installed on the switch.
•Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
•You can enable PBR on a routed port or an SVI.
•The switch does not support route-map deny statements for PBR.
•You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel.
•You can define a maximum of 246 IP policy route maps on the switch.
•You can define a maximum of 512 access control entries (ACEs) for PBR on the switch.
•When configuring match criteria in a route map, follow these guidelines:
–Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.
–Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.
•To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see "Configuring SDM Templates."
•VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface. The reverse is also true, you cannot enable PBR when VRF is enabled on an interface.
•Web Cache Communication Protocol (WCCP) and PBR are mutually exclusive on a switch interface. You cannot enable WCCP when PBR is enabled on an interface. The reverse is also true, you cannot enable PBR when WCCP is enabled on an interface.
•The number of TCAM entries used by PBR depends on the route map itself, the ACLs used, and the order of the ACLs and route-map entries.
•Policy-based routing based on packet length, TOS, set interface, set default next hop, or set default interface are not supported. Policy maps with no valid set actions or with set action set to Don't Fragment are not supported.
•Beginning with Cisco IOS Release 12.2(35)SE, the switch supports quality of service (QoS) DSCP and IP precedence matching in PBR route maps, with these limitations:
–You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.
–You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.
–When you configure PBR with QoS DSCP, you can set QoS to be enabled (by entering the mls qos global configuration command) or disabled (by entering the no mls qos command). When QoS is enabled, to ensure that the DSCP value of the traffic is unchanged, you should configure a DSCP trust state on the port where traffic enters the switch by entering the mls qos trust dscp interface configuration command. If the trust state is not DSCP, by default all nontrusted traffic would have the DSCP value marked as 0.
12-29-2013 07:14 AM
Dan Man,
I had the same problem. If the policy route does not appear under the interface configuration, it means that the entered command has been rejected for some reason. The switch will show a syslog message, but if you are connected using telnet or SSH, you won't be able to see that message. I have a couple of suggestions for you. First, enter terminal monitor in privileged EXEC mode. Second, check that your route map does not have unsupported entries. Here is a list of unsupported route-map commands in the 3560:
Best
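The following is an added worked example, not configuration posted by anyone in this thread, pulling together the checks the replies above describe (routing SDM template plus reload, terminal monitor to catch the rejection message, and a route map that stays within the 3560 PBR guidelines). All addresses, names and VLAN numbers are made up for illustration; the MPLS next hop, the VPN default route and the subnets are assumptions.

```cisco
! --- Step 1: TCAM template. PBR is not supported on the default or VLAN
! template, and "sdm prefer routing" only takes effect after a reload.
configure terminal
 sdm prefer routing
 end
write memory
reload
! After the reboot, confirm the active (not just the scheduled) template
! is the routing template before touching the route map:
show sdm prefer

! --- Step 2: make syslog visible on the vty session. A rejected
! "ip policy route-map" command silently disappears from the running
! config over telnet/SSH unless terminal monitor is on.
terminal monitor

! --- Step 3: rule out features that are mutually exclusive with PBR
! on an interface (WCCP and VRF, per the guidelines above).
show running-config | include wccp|vrf

! --- Step 4: the policy itself. Assumed topology:
!   VLAN 100 = 10.1.100.0/24 (users), MPLS router = 10.1.1.1,
!   backup VPN router = 10.1.2.1, remote MPLS sites = 10.200.0.0/16.
configure terminal
!
! Permit-only ACL. Deny ACEs would punt matching packets to the CPU,
! and traffic destined to the switch's own addresses must not be matched.
ip access-list extended MPLS-TRAFFIC
 permit ip 10.1.100.0 0.0.0.255 10.200.0.0 0.0.255.255
!
! Permit sequences only (deny route-map statements are not supported for
! PBR on this platform). "set ip next-hop" is supported; "set ip default
! next-hop", "set interface" and "set default interface" are not and would
! get the whole policy rejected.
route-map PBR-MPLS permit 10
 match ip address MPLS-TRAFFIC
 set ip next-hop 10.1.1.1
!
! Anything the route map does not match falls through to the normal
! routing table, which here sends it to the backup VPN router.
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
! Apply the policy to the SVI (PBR is supported on SVIs and routed ports).
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 ip policy route-map PBR-MPLS
end

! --- Step 5: verification. The policy line must now survive in the
! running config, and the route-map hit counters should increment when
! a host in VLAN 100 sends traffic toward 10.200.0.0/16.
show running-config interface Vlan100
show ip policy
show route-map PBR-MPLS
```

If "ip policy route-map" still vanishes from the SVI after step 4, the syslog line printed on the monitored session (rather than the silent sh run) is what identifies which guideline the route map violates; fix the route map and re-apply the policy, since the interface command is rejected as a whole rather than partially installed.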