10-29-2011 02:55 AM - edited 03-07-2019 03:07 AM
We have dual Catalyst 4506E switches (IOS 12.2(54)SG1) that work as the core of my company's infrastructure. We recently obtained a new DSL circuit for redundancy, and to reduce the load on our main dedicated Internet connection.
We want to use the DSL for browsing, and only certain people (and servers) are routed through the dedicated old link. Of course, the first thing that comes to mind is "policy based routing". But unfortunately some obstacles showed up in my way. First, it came to my knowledge that PBR cannot be done on ASA firewalls; we have two in active/passive fashion that work as gateways and do NAT.
So I decided to implement PBR on the core switches. I did the access-list to capture traffic and the route-map to set the next-hop for that traffic, but the problem is when I try to apply policy routing on a VLAN interface, or the access switch inbound trunk, the command is not recognized by the switch; there is no "policy route-map" entry after the "ip" command in interface configuration mode.
Some Cisco documents suggested that I need to enable extended routing on the switch first with the command "sdm prefer routing extended-match", but that too doesn't exist in configuration mode!! So I'm clueless now on how to enable policy based routing on our core switches.
Your kind help & suggestions are highly appreciated.
Majdi Osman
10-29-2011 05:24 AM
Hi,
Can you post sh version output.
It won't work on a switchport interface like the trunk, but only on a L3 interface like an SVI or routed port.
Alain.
10-29-2011 05:51 AM
Hi Alain,
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 12.2(54)SG1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 27-Jan-11 12:19 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x12C41C68
ROM: 12.2(44r)SG9
Darkside Revision 4, Nexu Revision 12, Fortooine Revision 1.22
TCC-CORE1 uptime is 9 weeks, 5 days, 3 hours, 30 minutes
System returned to ROM by power-on
System image file is "bootflash:cat4500e-ipbasek9-mz.122-54.SG1.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco WS-C4506-E (MPC8548) processor (revision 12) with 524288K bytes of memory.
Processor board ID FOX1521GXXB
MPC8548 CPU at 1GHz, Supervisor 6L-E
Last reset from PowerUp
19 Virtual Ethernet interfaces
16 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2101
10-29-2011 08:02 AM
Hi,
This feature is not supported by the IP Base image. You need the Enterprise Services image to do this.
Alain.
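For reference, the configuration the original poster describes (an ACL that selects traffic, a route-map that sets the next-hop, and "ip policy route-map" on the SVI) looks like the following once an image that supports PBR is running. This is an added example, not configuration from the thread; all addresses, VLAN numbers and names are assumed: Vlan10 is the general user VLAN (10.10.0.0/24), Vlan99 is a new transit VLAN to the DSL modem (modem LAN address 10.99.0.2), 10.10.0.50 is one user who must keep using the dedicated link, and the core's default route already points at the ASA pair.

```cisco
! Added example, not from the thread. Assumed addressing:
!   Vlan10     = general users, 10.10.0.0/24, SVI 10.10.0.1
!   Vlan99     = transit VLAN to the DSL modem, modem LAN IP 10.99.0.2
!   10.10.0.50 = privileged user who stays on the dedicated link
!   Default route on the core already points at the ASA pair.
!
! 1. Select the traffic to steer onto the DSL. Order matters: exclude
!    internal destinations first, or inter-VLAN traffic (users to servers,
!    users to the ASA inside interface) gets sent to the modem instead.
ip access-list extended PBR-TO-DSL
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip host 10.10.0.50 any
 permit ip 10.10.0.0 0.0.0.255 any
!
! 2. Route-map: what the ACL permits gets next-hop = DSL modem.
!    Packets the ACL denies fall through to normal routing (the ASA).
route-map TO-DSL permit 10
 match ip address PBR-TO-DSL
 set ip next-hop 10.99.0.2
!
! 3. SVI facing the modem
interface Vlan99
 description Transit to DSL modem
 ip address 10.99.0.1 255.255.255.0
!
! 4. Apply the policy on the L3 ingress interface (the user SVI),
!    not on the trunk port carrying that VLAN.
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip policy route-map TO-DSL
!
! Verification (exec mode):
!   show ip policy                    -> Vlan10 / TO-DSL listed
!   show route-map TO-DSL             -> "policy routing matches" counter increments
!   show ip access-lists PBR-TO-DSL   -> per-line hit counts
```

Two caveats a practitioner would want. First, the modem must be able to return traffic to 10.10.0.0/24 via 10.99.0.1 (a static route on the modem), or replies die at the modem. Second, traffic steered this way bypasses the ASA pair entirely, so whatever inspection and access control those firewalls apply to the dedicated link no longer applies to the DSL path; the route-map above does nothing to compensate for that. If the image supports it, "set ip next-hop verify-availability" with an IP SLA track keeps a dead DSL next-hop from blackholing the policy-routed traffic; check the command with "?" before relying on it.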
10-29-2011 08:23 AM
So there's no easy way to get PBR running.
Thank you very much for your kind response
10-29-2011 12:00 PM
Hello Alain,
Good answer, rated as it deserves.
Best Regards
Giuseppe
10-29-2011 12:16 PM
Hi Giuseppe,
Thanks.
Alain.
10-29-2011 11:08 PM
Good answer indeed.
Alain, can you think of any way I can pull this off via the firewalls? They're ASA 5510s, and here's a sh ver:
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
up 67 days 12 hours
failover cluster up 67 days 15 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 0007.7d1a.561a, irq 9
1: Ext: Ethernet0/1 : address is 0007.7d1a.561b, irq 9
2: Ext: Ethernet0/2 : address is 0007.7d1a.561c, irq 9
3: Ext: Ethernet0/3 : address is 0007.7d1a.561d, irq 9
4: Ext: Management0/0 : address is 0007.7d1a.5619, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 4 perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1528L1M8
Running Permanent Activation Key: 0x2d30f460 0xf035ec8d 0xe403b508 0x8040903c 0x491d2799
Configuration register is 0x1
Configuration last modified by enable_15 at 05:21:14.116 UTC Wed Oct 26 2011
Thanks
Majdi
10-30-2011 04:42 AM
Hi majdi,
You cannot do policy based routing on the ASA even with the highest available license, because policy based routing is not supported on the ASA or PIX.
It's supported only in IOS, and if you want to know which model/IOS has the command you need, you can always use the
cisco feature navigator.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
HTH
Regards,
Kishore
10-31-2011 12:49 AM
Hey Kishore,
I see. Thank you very much.
What I could do now is connect the DSL modem to the core switches (new VLAN) directly and add selected users' ports to the new VLAN. So now I'm actually partially relying on the modem's firewall! (ugggglyyy). I'm under the assumption that the dynamic WAN IP of the modem changing frequently, plus its NAT, can actually protect me to some level, at least till I get my IOS upgraded.
Thanks again for the valuable replies, gents.
10-31-2011 12:56 AM
Hi Majdi. Glad I could help. Thank you very much for the ratings. Appreciate that.