Routing on the 3560C

rasmus.elmholt
Level 7

Hi

I have a 3560C switch I'm using for routing between some VLANs and a default route. But the default route is giving me some problems, because as far as I can see the switch does not support indirectly connected routes on the default SDM template and I can't change the template.

The routing is working but with high CPU utilization and an error:

Cisco IOS Software, C3560C Software (C3560c405ex-UNIVERSALK9-M), Version 15.2(2)E5

SW-SYG-01#show sdm pref
The current template is "default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 4K
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 0.875k
number of directly-connected IPv4 hosts: 0.875k
number of indirect IPv4 routes: 0
number of IPv6 multicast groups: 0.25K
number of IPv6 unicast routes: 0.25K
number of directly-connected IPv6 addresses: 0.25K
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.375k
number of IPv4/MAC security aces: 0.375k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 60
number of IPv6 security aces: 0.125k
IPv4 unicast indirectly-connected routes
Max Mask: 0 - Used Mask: 29 (290% utilization)
IPv4 unicast indirectly-connected routes
Max Mask: 0 - Used Mask: 29 (290% utilization)

Kallol Bosu
Cisco Employee

Hello Rasmus,

Can you share the output of "show version" from the switch in question? I want to know the exact switch model and its license level.

I guess you are using a Gigabit switch model which does not allow you to change the default SDM template. It is a limitation on this platform.

You must be seeing high CPU or a TCAM-related error because routes are failing to get installed in the TCAM table. Output of the following CLIs might be helpful to understand the situation better:

show platform tcam utilization asic all
sh ip route sum
show platform ip unicast failed route

!

A few notes:

1. If you are using an IPBASE license, then whatever you see in the SDM output definitely looks buggy. You must see support of indirectly connected routes with an IPBASE license. It should support 4K directly connected and 875 indirectly connected routes. With an IPBASE license, we have seen some issues where TCAM output shows incorrectly but that was cosmetic. A bug (CSCtz11560) was filed to correct that issue; it is not fixed yet. But I don't think your issue is cosmetic.

2. The LAN BASE feature does support static routing on quite a few platforms but I need to check if 3560CG supports that or not. Feature navigator indicates it does not but I can double check for you if you confirm that your switch is running LANBASE. If this turns out to be a bottleneck then you may need to upgrade the license to IPBASE.

 http://tools.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp 

Search for 'static route support on lanbase images', click add and then click on continue.

From the release/platform tree, choose platform tab.

You will notice that your platform, which is < WS-C3560CG-8TC-S >, is not included on the supported platforms list.

Please rate this post if helpful

Regards,
Kallol

Hi Kallol

Thanks for the reply.

It is an IPBASE license

SW-SYG-01#show ver
Cisco IOS Software, C3560C Software (C3560c405ex-UNIVERSALK9-M), Version 15.2(2)E5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 02-Jun-16 04:53 by prod_rel_team
ROM: Bootstrap program is C3560C boot loader
BOOTLDR: C3560C Boot Loader (C3560C-HBOOT-M) Version 12.2(55r)EX11, RELEASE SOFTWARE (fc1)
SW-SYG-01 uptime is 3 weeks, 4 days, 9 hours, 36 minutes
System returned to ROM by power-on
System restarted at 22:37:45 utc Sun Jul 17 2016
System image file is "flash:/c3560c405ex-universalk9-mz.152-2.E5/c3560c405ex-universalk9-mz.152-2.E5.bin"
Last reload reason: Unknown reason
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
License Level: ipbase
License Type: Permanent
Next reload license Level: ipbase
cisco WS-C3560CG-8PC-S (PowerPC) processor (revision D0) with 131072K bytes of memory.
Processor board ID F*********E
Last reset from power-on
5 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 0C:27:24:9B:47:00
Motherboard assembly number : 73-13272-07
Power supply part number : 341-0407-01
Motherboard serial number : F**********G
Power supply serial number : L**********3
Model revision number : D0
Motherboard revision number : A0
Model number : WS-C3560CG-8PC-S
System serial number : F*********E
Top Assembly Part Number : 800-33676-03
Top Assembly Revision Number : A0
Version ID : V03
CLEI Code Number : CMMD900ARC
Hardware Board Revision Number : 0x00
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 10 WS-C3560CG-8PC-S 15.2(2)E5 C3560c405ex-UNIVERSALK9-M
Configuration register is 0xF
SW-SYG-01# show platform tcam utilization asic all
CAM Utilization for ASIC# 0 Max Used
Masks/Values Masks/values
Unicast mac addresses: 4316/4316 33/33
IPv4 IGMP groups + multicast routes: 368/368 1/1
IPv4 unicast routes: 0/0 0/0
IPv6 Multicast groups: 320/320 11/11
IPv6 unicast routes: 256/256 3/3
IPv4 policy based routing aces: 32/32 12/12
IPv4 qos aces: 384/384 6/6
IPv4 security aces: 384/384 72/72
IPv6 policy based routing aces: 16/16 8/8
IPv6 qos aces: 60/60 5/5
IPv6 security aces: 128/128 17/17
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
CAM Utilization for ASIC# 1 Max Used
Masks/Values Masks/values
Unicast mac addresses: 4316/4316 33/33
IPv4 IGMP groups + multicast routes: 368/368 1/1
IPv4 unicast routes: 0/0 0/0
IPv6 Multicast groups: 320/320 11/11
IPv6 unicast routes: 256/256 3/3
IPv4 policy based routing aces: 32/32 0/0
IPv4 qos aces: 384/384 6/6
IPv4 security aces: 384/384 72/72
IPv6 policy based routing aces: 16/16 0/0
IPv6 qos aces: 60/60 5/5
IPv6 security aces: 128/128 17/17
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
SW-SYG-01#show ip route sum
IP routing table name is default (0x0)
IP routing table maximum-paths is 32
Route Source Networks Subnets Replicates Overhead Memory (bytes)
connected 0 6 0 432 1080
static 1 0 0 72 180
ospf 1 0 0 0 0 0
Intra-area: 0 Inter-area: 0 External-1: 0 External-2: 0
NSSA External-1: 0 NSSA External-2: 0
internal 1 560
Total 2 6 0 504 1820
SW-SYG-01#
SW-SYG-01#show platform ip unicast failed route
Total of 0 covering fib entries

Hey Rasmus,

Thanks for the outputs. With an IPBASE license, you should be able to work with both direct and indirect routes.

I know a few platforms which need "IP Routing" to be enabled explicitly. Can you check if you have that enabled on your switch or not (don't go by "show ip route" output)? Running-config should display that - "ip routing".

If it is not, then I think you should just enable that globally and verify the TCAM again. Ideally the TCAM output on this switch with an ipbase license should look like this. If it is already enabled then kindly attach the "show tech" please.

The current template is "default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs. 

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    0.25K
  number of IPv4 unicast routes:                    4.875k
    number of directly-connected IPv4 hosts:        4K
    number of indirect IPv4 routes:                 0.875k <<<<<<<<<<
  number of IPv6 multicast groups:                  0.25K
  number of directly-connected IPv6 addresses:      0.25K
  number of indirect IPv6 unicast routes:           0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.375k
  number of IPv4/MAC security aces:                 0.375k
  number of IPv6 policy based routing aces:         0
  number of IPv6 qos aces:                          60
  number of IPv6 security aces:                     0.125k

Please rate this post if helpful. 

Regards,
Kallol
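
Added example, not part of the original posts and not Cisco tooling: a Python sketch that parses "show sdm prefer" output as pasted in this thread and flags features that have entries in use but a zero allocation, which is the mismatch being discussed. Treating k/K as 1024 is an assumption based on 0.375k appearing as 384 in the TCAM output earlier in the thread; the function names and the in_use counts are hypothetical.

```python
import re

# Constructed sample: selected lines from the "show sdm prefer" output
# posted by the original poster in this thread.
SDM_OUTPUT = """\
The current template is "default" template.
number of unicast mac addresses: 4K
number of IPv4 unicast routes: 0.875k
number of directly-connected IPv4 hosts: 0.875k
number of indirect IPv4 routes: 0
number of IPv4/MAC security aces: 0.375k
number of IPv6 qos aces: 60
"""

# "number of <feature>: <value>[k|K]" with an optional trailing "<<<<" marker,
# as used in the expected output pasted in the reply above.
LINE_RE = re.compile(
    r"^\s*number of (?P<name>.+?):\s*(?P<value>\d+(?:\.\d+)?)(?P<unit>[kK]?)\s*<*\s*$"
)

def parse_sdm(text):
    """Return {feature name: allocated entries} from 'show sdm prefer' text."""
    alloc = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # template description lines carry no allocation
        scale = 1024 if m.group("unit") else 1  # assumption: k/K means 1024
        alloc[m.group("name")] = int(float(m.group("value")) * scale)
    return alloc

def missing_allocations(alloc, in_use):
    """Features with entries in use but no allocation in the template."""
    return sorted(
        name for name, used in in_use.items()
        if used > 0 and alloc.get(name, 0) == 0
    )

if __name__ == "__main__":
    # Hypothetical in-use counts taken from "show ip route sum" in the thread:
    # 1 static (default) route, 6 connected subnets.
    in_use = {"indirect IPv4 routes": 1, "directly-connected IPv4 hosts": 6}
    print(missing_allocations(parse_sdm(SDM_OUTPUT), in_use))
```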

Hi Kallol

Thanks for the quick reply

ip routing is enabled and CEF is as well.

Hello Rasmus,

It looks buggy. Can you open a TAC case and give me the case number? 

Can you tell me when you started seeing this strange output of "show SDM prefer"? Is it seen after upgrading the software or doing any change with SSH etc.?

A reload of the box might help. If it does not then try downgrading the software. 15.2(2)E5 is very promising code but this symptom does not look good. 

One more thing - I noticed that your switch is reporting a lot of "Adj resolve request failed" errors, and it has the potential of spiking CPU.

Aug 11 04:26:52.467: %ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.7.200.130 on Vlan200
Aug 11 04:26:57.889: %ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.7.10.35 on Vlan10
Aug 11 04:27:02.891: %ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.7.200.144 on Vlan200

This is due to the ARP retry feature enhancement. I guess your switch has quite a few incomplete ARP entries. Try the following commands; it should stop printing these logs.

no ip arp incomplete enable
no ip cef optimize neighbor resolution <<<try this only if above command does not help

But check why it has incomplete ARP entries. Make sure default-route's next hop is reachable. 

Regards,

Kallol
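
Added example, not part of the original posts: a Python sketch that groups the %ADJ-5-RESOLVE_REQ_FAIL lines quoted above by interface and checks whether a given next hop is among the unresolved hosts, following the advice to verify the default route's next hop. The function names are hypothetical, and the next-hop addresses passed in are constructed inputs because the thread does not state the real one.

```python
import ipaddress
import re
from collections import defaultdict

# The three syslog lines quoted in the post above.
LOG = """\
Aug 11 04:26:52.467: %ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.7.200.130 on Vlan200
Aug 11 04:26:57.889: %ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.7.10.35 on Vlan10
Aug 11 04:27:02.891: %ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for 10.7.200.144 on Vlan200
"""

ADJ_RE = re.compile(
    r"%ADJ-5-RESOLVE_REQ_FAIL: Adj resolve request failed for "
    r"(?P<host>\d+\.\d+\.\d+\.\d+) on (?P<intf>\S+)"
)

def failures_by_interface(log_text):
    """Return {interface: sorted list of hosts whose adjacency failed to resolve}."""
    hosts = defaultdict(set)
    for m in ADJ_RE.finditer(log_text):
        hosts[m.group("intf")].add(ipaddress.ip_address(m.group("host")))
    # Sort numerically as addresses, then hand back plain strings.
    return {intf: [str(h) for h in sorted(addrs)] for intf, addrs in hosts.items()}

def unresolved_next_hop(log_text, next_hop):
    """Return the interface on which next_hop failed to resolve, or None."""
    wanted = str(ipaddress.ip_address(next_hop))  # normalise and validate input
    for intf, addrs in failures_by_interface(log_text).items():
        if wanted in addrs:
            return intf
    return None

if __name__ == "__main__":
    for intf, addrs in failures_by_interface(LOG).items():
        print(intf, len(addrs), "unresolved:", ", ".join(addrs))
    # 192.0.2.1 is a constructed placeholder for the default route's next hop.
    print("next hop unresolved on:", unresolved_next_hop(LOG, "192.0.2.1"))
```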
