12-27-2013 07:10 PM - edited 03-07-2019 05:16 PM
Hi,
I want to use Catalyst 3750 PBR to reroute traffic. Traffic matching the following ACL is routed normally; all other traffic destined to 172.22.0.0/16 is routed to 172.16.52.1:
source : 172.18.0.0/16 destination : 172.22.0.0/16
source : 172.20.0.0/16 destination : 172.22.0.0/16
Is the following configuration correct?
ip access-list extended redirect
deny ip 172.18.0.0 0.0.255.255 172.22.0.0 0.0.255.255
deny ip 172.20.0.0 0.0.255.255 172.22.0.0 0.0.255.255
permit ip any 172.22.0.0 0.0.255.255
route-map redirect permit 10
match ip address redirect
set ip next-hop 172.16.52.1
interface GigabitEthernet0/1
no switchport
ip address 172.16.1.254 255.255.255.240
ip policy route-map redirect
Best Regards,
Jackson Ku
12-27-2013 09:41 PM
Hi,
First of all, to make PBR work on a 3750 you need the IP Base image on the switch. Second, the SDM template should be set to prefer routing.
Do you want to reroute traffic sourced from the 172.18.0.0/16 and 172.20.0.0/16 subnets to 172.22.0.0/16?
If so, then the PBR is:
ip access-list extended redirect
permit ip 172.18.0.0 0.0.255.255 172.22.0.0 0.0.255.255
permit ip 172.20.0.0 0.0.255.255 172.22.0.0 0.0.255.255
route-map redirect permit 10
match ip address redirect
set ip next-hop 172.16.52.1
Hope it will help.
Best regards,
Abzal
12-27-2013 09:55 PM
No, traffic from these two subnets to 172.22.0.0 255.255.0.0 will be routed normally; the other traffic is rerouted.
Sent from Cisco Technical Support Android App
12-28-2013 01:53 AM
Hi,
you should avoid deny statements in policy ACLs:
https://supportforums.cisco.com/message/4117064
Possible solution:
ip access-list extended REDIRECT-RIB
permit ip 172.18.0.0 0.0.255.255 172.22.0.0 0.0.255.255
permit ip 172.20.0.0 0.0.255.255 172.22.0.0 0.0.255.255
ip access-list extended REDIRECT-PBR
permit ip any 172.22.0.0 0.0.255.255
route-map redirect permit 10
match ip address REDIRECT-RIB
! no set => RIB
route-map redirect permit 20
match ip address REDIRECT-PBR
set ip next-hop 172.16.52.1
HTH
Rolf
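As an added illustration (not code from any of the posters), the following Python model walks a PBR route-map the way IOS evaluates it: first sequence whose ACL permits the packet wins, a deny ACE means "not matched by this sequence", and a matched sequence without a set clause means normal RIB forwarding. It shows that the original deny-ACE list and the two-sequence permit-only version make the same forwarding decision for every flow, while only the former pushes packets through deny ACEs (the 3750 CPU-punt case mentioned in this thread). The sample flows and the simplified matching semantics are assumptions.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

def acl_action(acl, src, dst):
    """First matching ACE wins: 'permit' or 'deny'; None = implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return None

def pbr_next_hop(route_map, acls, src, dst):
    """Walk the route-map sequences in order; only a 'permit' match selects a
    sequence. A selected sequence with no set clause, or no match at all,
    both mean normal RIB forwarding (returned as None)."""
    for acl_name, next_hop in route_map:
        if acl_action(acls[acl_name], src, dst) == "permit":
            return next_hop
    return None

def deny_ace_hits(route_map, acls, flows):
    """Count packets that hit a deny ACE during route-map evaluation; on the
    3750 these are punted to the CPU, which is the high-CPU risk."""
    return sum(1 for src, dst in flows for name, _ in route_map
               if acl_action(acls[name], src, dst) == "deny")

ANY = ("0.0.0.0", "255.255.255.255")
# Original post: one ACL with deny ACEs (same logic, but CPU-punted on 3750).
ACLS_ORIGINAL = {"redirect": [
    ("deny", "172.18.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255"),
    ("deny", "172.20.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255"),
    ("permit", *ANY, "172.22.0.0", "0.0.255.255")]}
RM_ORIGINAL = [("redirect", "172.16.52.1")]
# Two-sequence variant: permit-only ACLs, sequence 10 has no set clause.
ACLS_SPLIT = {
    "REDIRECT-RIB": [("permit", "172.18.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255"),
                     ("permit", "172.20.0.0", "0.0.255.255", "172.22.0.0", "0.0.255.255")],
    "REDIRECT-PBR": [("permit", *ANY, "172.22.0.0", "0.0.255.255")]}
RM_SPLIT = [("REDIRECT-RIB", None), ("REDIRECT-PBR", "172.16.52.1")]

# Constructed sample flows (src, dst): two exempt sources, one redirected, one unrelated.
FLOWS = [("172.18.5.5", "172.22.1.1"), ("172.20.9.9", "172.22.1.1"),
         ("10.1.1.1", "172.22.1.1"), ("10.1.1.1", "192.168.1.1")]

def compare():
    """(original decision, split decision) per flow; the pairs should be equal."""
    return [(pbr_next_hop(RM_ORIGINAL, ACLS_ORIGINAL, s, d),
             pbr_next_hop(RM_SPLIT, ACLS_SPLIT, s, d)) for s, d in FLOWS]
```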
12-28-2013 01:57 AM
Hello
Anything not matched in the acl pertaining to PBR should be routed normally
Try amending your ACE statements:
Access-list 10 deny 172.18.0.0 0.0.255.255
Access-list 10 deny 172.20.0.0 0.0.255.255
Access-list 10 permit 172.22.0.0 0.0.255.255
route-map redirect permit 10
match ip address 10
set ip next-hop 172.16.52.1
set ip next-hop verify-availability
This additional command in the route-map will check the next hop's existence and, if it is not available, will stop the router ARPing for it and so route normally.
Res
Paul
Sent from Cisco Technical Support iPad App
12-28-2013 02:02 AM
Paul,
it is a c3750, which has some special platform-specific limitations:
Policy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization.
You can enable PBR on a routed port or an SVI.
The switch does not support route-map deny statements for PBR.
Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or routing protocol flapping.
Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.
In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template.
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#pbr
Regards
Rolf
12-28-2013 04:00 AM
Hi,
I checked the document; the Catalyst 3750 does not support the "set ip next-hop verify-availability" command, so I changed to using EEM to track next-hop availability:
https://supportforums.cisco.com/docs/DOC-8069
Best Regards,
Jackson Ku
12-28-2013 02:47 AM
Hello Rolf
Cheers for pointing this out - wasn't aware ACE deny statements weren't applicable on 3750s.
In that case your suggestion would be a much better approach
Access-list 10 permit 172.18.0.0 0.0.255.255
Access-list 10 permit 172.20.0.0 0.0.255.255
Access-list 20 permit 172.22.0.0 0.0.255.255
route-map redirect permit 10
match ip address 10
route-map redirect permit 20
match ip address 20
set ip next-hop 172.16.52.1
set ip next-hop verify-availability
Res
Paul
Sent from Cisco Technical Support iPad App