Solved: Problem with PBR on C3550-12G

stefan.gillich · ‎04-20-2011

Hi All

I'm using a Cisco Catalyst 3550-12G running IOS 12.2(40)SE in a kind of lab environment. SDM template is default. Trying to configure ip policy route-map on an VLAN interface fails. Entering the command works fine (no error message). But checking the configuration afterwards with sh run doesn't show this command on the interface. Tried using a physical interface with same result. What is going wrong?

Doing the same on a Cisco 881 with IOS 12.4(24)T3 works fine.

Is this a problem with IOS version 12.2(40)SE ???

Thanks for your help.

cadet alain · ‎04-20-2011

Hi,

You must change the sdm template: sdm prefer extended-match or sdm prefer routing extended-match or sdm prefer access extended-match.

the switch must have IP services image installed.

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

cadet alain · ‎04-20-2011

Hi,

You must change the sdm template: sdm prefer extended-match or sdm prefer routing extended-match or sdm prefer access extended-match.

the switch must have IP services image installed.

Regards.

Alain.

Don't forget to rate helpful posts.

stefan.gillich · ‎04-20-2011

Hi cadet alain

IP Service Image is installed (C3550-ipservicesk9-mz.122-40.SE.bin).

Accoring to the command reference (http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_40_se/command/reference/cli2.html#wp8724564) the command sdm prefer offeres the following options:

access	Provide maximum system usage for access control lists (ACLs). Use this template if you have a large number of ACLs.
default	Give balance to all functions.
dual-ipv4-and-ipv6 {default \| routing \| vlan}	Select a template that supports both IPv4 and IPv6 routing. •default—Provide balance to IPv4 and IPv6 Layer 2 and Layer 3 functionality. •routing—Provide maximum system usage for IPv4 and IPv6 routing, including IPv4 policy-based routing. •vlan—Provide maximum system usage for IPv4 and IPv6 VLANs.
routing	Provide maximum system usage for unicast routing. You would typically use this template for a router or aggregator in the middle of a network.
vlan	Provide maximum system usage for VLANs. This template maximizes system resources for use as a Layer 2 switch with no routing.

extended-match (in any combination) as stated in your post is not available (according to command refernce). According to that I didn't expect to change funktionality using this command. I would have expected to just reserve more or less recources to specific tasks.

Edit:

OK, checked right now using the CLI and found that you are right. The command reference is telling something differnt than CLI is offering. Strange. Will give the sdm prefer extended-match a try.

Thanks for helping me on this topic.

stefan.gillich · ‎04-21-2011

Hi cadet alain

Tested some minutes ago and just works. Thanks a lot for supporting me.

bmuggall · ‎04-20-2011

Hi,

Can you post the config hee?

Reg,

Balu

stefan.gillich · ‎04-20-2011

Hi Balajee Muggalla

I copied the relating part below:

===========================================================================

version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
ip subnet-zero
no ip source-route
ip routing
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree backbonefast
spanning-tree vlan 7,54 priority 24576
!
vlan internal allocation policy ascending
!
vlan 7
name VLAN-CLIENT-2
!
vlan 54
name VLAN-CLIENT-1
!
ip ssh version 2
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 7,54
switchport mode trunk
switchport nonegotiate
udld port aggressive
!
interface GigabitEthernet0/2-10
switchport trunk allowed vlan 54
switchport mode trunk
switchport nonegotiate
udld port aggressive
!

interface GigabitEthernet0/11
no switchport
ip address 192.168.1.10 255.255.255.0
no ip redirects
no ip proxy-arp
udld port aggressive
!
interface GigabitEthernet0/12
no switchport
no ip address
!
interface Vlan7
description *** VLAN-CLIENT-2 ***
ip address 192.168.3.1 255.255.255.0
ip helper-address 192.168.1.100
no ip redirects
no ip proxy-arp
!
interface Vlan54
description *** VLAN-CLIENT-1 ***
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.1.10
no ip redirects
no ip proxy-arp
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
ip http secure-server
!
access-list 110 remark *** ROUTE-MAP VLAN-CLIENT-2 ***
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
route-map VLAN-CLIENT-2 permit 10
description *** VLAN-CLIENT-2 ***
match ip address 110
set ip next-hop 192.168.1.100
!

=============================================================================

The interface VLAN 7 is missing the route-map entry. What im trying is:

conf t

int vlan7

ip policy route-map VLAN-CLIENT-2

The command is accepted without error message but the config (VLAN 7) afterwards looks exat like above. It should look like:

interface Vlan7
description *** VLAN-CLIENT-2 ***
ip address 192.168.3.1 255.255.255.0
ip helper-address 192.168.1.100
no ip redirects
no ip proxy-arp
ip policy route-map VLAN-CLIENT-2

Thnaks for your support.