Cisco Switching/Routing :: Make Policy Based Routing On 3560?
Apr 17, 2012
I have tried to make policy based routing work on a Cisco 3560. I use the IP Services IOS (SW version 12.2(50)SE3 and SW image C3560-IPSERVICESK9-M). With the configuration below there is no problem and PBR is working.
    access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
    access-list 101 permit ip host 1.1.1.1 host 3.3.3.3
    route-map pbr1 permit 10
     match ip address 100
     set ip next-hop verify-availability 1.1.1.2 1 track 11
    interface fastethernet 0/1
     ip policy route-map pbr1
But when I add another sequence to "pbr1" with another sequence number, like this:
    route-map pbr1 permit 11
     match ip address 101
     set ip next-hop verify-availability 1.1.1.3 1 track 12
PBR is not working. The switch gives the message "PLATFORM_PBR-3-UNSUPPORTTED_RMP:Route-map pbr1 not supported for Policy Based Routing", the "ip policy route-map pbr1" command is not shown in the running config, and the "show ip policy" output is blank. The configuration guide says you can insert many sequences into a route-map with the same name, and this command is also not in the unsupported command list.
I have a 3560 with 3 attached networks, 172.16.1.0/24, 172.16.2.0/24 and 172.16.4.0/24. All of them have a VLAN interface, 172.16.1.254, 172.16.2.254 and 172.16.4.254. I have enabled inter-VLAN routing with the command ip routing and they have routes between each other. Now I want to create PBR and let them go to the internet through different gateways.
So I did 3 access lists:
    access-list 20 permit 172.16.1.0 0.0.0.255
    access-list 10 permit 172.16.2.0 0.0.0.255
    access-list 30 permit 172.16.4.0 0.0.0.255
and 3 PBR route-maps:
    route-map supnet permit 20
     match ip address 10
     set ip next-hop 172.16.2.3
    route-map blade permit 20
     match ip address 30
     set ip next-hop 172.16.4.250
    route-map main permit 20
     match ip address 20
     set ip next-hop 172.16.1.4
I attached them to the corresponding VLAN interfaces and everything is OK, they have different gateways to the internet, but now I don't have routing between them?
I have a 1941 router configured for policy based routing with two ISPs. Two static default routes are configured to point to the gateways of the respective ISPs with the same metric. But the problem is, packets are going through one ISP only when doing a traceroute.
N/W connectivity:
ISP1-----> <----------------------> LAN1 | Router | ISP-------> <----------------------> LAN 2
Below is my configuration:
    Current configuration : 5958 bytes
    !
    ! Last configuration change at 05:18:56 UTC Mon Jun 25 2012
    !
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
I have a simple design with a 3750. I configured a route-map which defines a next hop. I applied this route-map as a policy on a VLAN interface. When I test with some pings and a debug ip policy, it seems that my policy never matches. Is there any mechanism that prevents the switch from using PBR? I think of CEF.
In our datacenter we have a 3750 stack with the IP Base image. I have enabled PBR and reloaded the switch. Show sdm prefer says I am using the default template. The reason I want to use PBR is that we have 2 firewalls on the same network and want to have granular control over which gateway out of the network they use, but still be able to access all internal resources across the WAN and locally.
Created access list to identify traffic:
access-list 10 permit 10.2.3.59 (test workstation on vlan 3)
Created policy:
    route-map TestASA permit 10
     match ip address 10
     set ip next-hop 10.2.0.3
Assigned policy to the user vlan3:
    ip policy route-map TestASA
Results: It changed the default gateway to the above gateway, but I could not access any resources on any other VLAN and could not access resources across the WAN.
I have a problem while implementing policy based routing with a firewall. Let me explain in detail.
I have 2 remote sites (Site A - small, Site B - big). Site B is connected with HQ with Tunnels 1 and 2, and Site B and Site A are connected with Tunnel 9941.
What I want is this scenario for communication:
1) Site A ---------> VPN Router Site B -----------> FW --------------> VPN Router Site B ------------------> Central Site
2) Central Site ---------> VPN Router Site B -----------> FW ----------> VPN Router Site B --------------> Site A
3) Site B ---------> FW --------------------> VPN Router Site B ------> Central Site
4) Central Site ---------> VPN Router Site B --------------------> FW ------> Site B
5) Site A ---------> VPN Router Site B -----------> Site B (no firewall)
6) Site B ---------> VPN Router Site B -----------> Site A (no firewall)
I am having a problem with PBR done on a 7604-S router. It seems like it is not done in hardware. I have an Iperf client and an Iperf server, and would like to test the performance of the 7600 router for PBR. The supervisor is an RSP720-3C-G and the interface card used is a 7600-ES20-GE3C ESM20G.
I have read numerous discussions about PBR that is supposed to happen in hardware when you use it with a matching access-list and set ip next-hop. Although, when I start the iperf, the 7600 CPU is hitting the 80-90 % boundary, and the transfer bandwidth can't go over 120-130 Mbit/s. The IP policy is applied on an interface that is part of vrf ONE, maybe this is causing the problem... ?
The diagram and configuration follow. Configuration:
    c7604#sh run
    boot system flash disk0:c7600rsp72043-advipservicesk9-mz.122-33.SRE2.bin
    !
    ip vrf one
    [Code]...
I've been implementing a setup where a remote office has a Cisco 1900 router. There are 2 GRE/IPsec tunnels to the headquarters, 1 over the public internet, 1 over a private cloud. Because of some MTU issues we have to clear the DF bit for some of the traffic, but we also want to use PBR to send HTTPS traffic over the "public internet" tunnel and the rest of the traffic over the "private cloud" tunnel. I'm able to clear the DF bit and to do the PBR with route-maps, but I'm not able to implement both functionalities at the same time.
We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect HTTP traffic to my proxy server. Where can I find a configuration example?
I have 2 ISPs connected to Router A and Router B. Both routers are connected to the core 3750 switch. I want to send the traffic from the switch that goes to router A to router B. [code]
I need to setup my 6509 with PBR going to two different Firewalls. The 6509 has vlans and multiple serial interfaces. What/where do I install the policy-maps? I want to direct one of the vlans to one firewall and the other vlans and wan subnets to the other firewall.
I want to implement port-based and MAC-based in these two switches: 2960 & 3560 (both of them have this IOS version: 12.2(55)SE1). And I haven't found a way to implement both of them at the same time. This is what I got:
    ip dhcp use subscriber-id client-id
    ip dhcp subscriber-id interface-name
    ip dhcp excluded-address 192.168.0.0 192.168.0.2
    ip dhcp excluded-address 192.168.0.251 192.168.0.255
    [code]....
With this configuration I can use port-based, but not MAC-based. If I remove the first two lines and change the last line to this one:
    address 192.168.0.7 client-id 0112.ae1d.af58.60
then the computer with that MAC address gets the correct IP, but then port-based doesn't work. Also, I got this line on the interface where I want to use MAC-based:
I have two 3560s that I would like to upgrade. But first I would like to make absolutely sure I don't wind up in a situation where I have to roll back over a console connection. To this day I still can't understand why oh why someone removed (or chose not to implement everywhere) tftpdnld from rommon ;)
I have made some tests and I noticed that a QoS input policy does not classify ICMP packets based on their DSCP. The "match dscp ef" or "match precedence 5" is not working; only "match protocol icmp" shows hits.
We need to classify the different ICMP packets based on DSCP (TOS) for measurement purposes. Cisco 7200 running 12.4.25d and 12.4.20T have the same behavior.
I have 300 users in a network in 2 buildings, and the first building has 5 floors. I use a /22 subnet. I have a 3500XL fiber core switch and 8 3560 switches, and my network has 2 routers, one for ADSL and the other for MPLS. I want to upgrade it to make a VoIP and wireless network, so if I need to replace switches, which model and how many?
I have set up a basic PBR config to route HTTP and HTTPS out of a different interface (fa0/0/0), but for some reason HTTP traffic is still going out of the Gi0/1 interface.
Config attached, minus the crypto stuff, and the public addresses have been changed.
Last night I had a crack at setting up PBR on my company's Cisco 1811. Joy, I thought, it's actually working. Alas I was wrong, the addresses were getting translated to our ADSL's external IP address but routed over our EFM. What I want to achieve is to send all HTTP(S) traffic from our workstations over the ADSL (FastEthernet1) whilst all other traffic and VPN goes out over our bonded ADSL (FastEthernet0). There is also a minor failover in place for traffic routed to the ADSL in the route-map PBR_VLAN1. The servers are on IPs 200, 202, 204 and 240.
Anyway, I have re-written the configuration and xxx'd and x.a/b/c'd all the IP addresses I want to keep secret. I need to make sure that the PBR is correct and will do what I want it to. I have a very small time-frame to get this correct and I don't want to fudge the bucket, so to speak.
I have been using a route map to pick WAN exit points (PBR) on a 3725 router. This have been working fine with /24 networks. I am trying to pick the first /28 piece out of the 10.1.1.0 network and send it out a different exit from the rest of that network. I have tried the /28 entry at the start and end of the route map, although I thought the first match would stop any further route map processing. The entry does not seem to have any effect, as traffic from all addresses in the 10.1.1.0 /24 network exit per the "route-map 10-LAN permit 11" section.
    access-list 5 remark Ten Dot 1 low 63 IPs
    access-list 5 remark SDM_ACL Category=2
    access-list 5 remark Ten Dot One Low 63 IPs
    access-list 5 permit 10.1.1.0 0.0.0.63 log
    [code]....
I have an ASA 5505 at each of three locations. We have VPN tunnels set up between the three sites. I am currently using a single ISP to carry the traffic between the sites. I am adding a new ISP to the mix. The goal is to have any internet traffic routed to ISP 2 and all internal traffic routed to ISP 1. The ASA does not do policy based routing (mostly because it is a firewall, not a router). I need to configure a router that will accept the output of the ASA and route it according to the above rule. All incoming routing will be done through ISP 1. Any suggestion on the device and the methodology to set it up? I am planning on doing this in each location.
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550? Or do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA? At a high level, here's what we have:
- ISP 1 - with /21 IP prefix, no BGP routing
- 3845 Edge Router - default route to ISP 1
- PIX535 Firewalls (HA) - default route to Edge Router
- LAN Core/Distribution - default route to PIX535 inside interface
- All applications/services use this egress path for PAT/NAT/DMZ/VPN/etc.
Here's what we are adding:
- ISP 2 - with /24 IP prefix, no BGP routing
- 3925E Edge Router - default route to ISP 2
- ASA5550 Firewalls (HA) - default route to Edge Router
- Same connectivity to LAN Core/Distribution
Goals:
- Maintain ISP 1 for now
- Migrate only end user Internet traffic to ISP 2
- No disruptions to applications/services using the current default gateway to the PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
I have 2 connections, a single T1 for VoIP traffic only and a DSL line for data traffic. The DSL was migrated to a 2811 without any issues; now comes the time to move the T1 over.
On the T1 side I am able to ping the WAN router and the LAN router IP address, but nothing behind it.
Currently this is the only statement on the router:
    ip route 0.0.0.0 0.0.0.0 Dialer1
As a quick and dirty fix to remove the above I tried:
    no ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 66.55.110.0 255.255.255.0 Dialer1
but the DSL side dropped. We have a 66.55.110.152/29.
For the T1 I would use the following statement.. we have a 209.98.53.192/27
I was trying to apply a route-map on a Cisco 3560 switch (C3560-IPBASEK9-M), Version 12.2(55)SE5. I am able to create the route-map but I am not able to apply it on any interface.
When multiple policy based routing rules are configured on 7600 routers, does the router performance degrade with the number of policy based routing rules? Also, does a 7600 running 12.x use per-flow based routing or per-packet based routing?
I want to send a particular data stream (source-A to destination-B) through only one of two WAN routers to a remote site. The remote site also has two WAN routers. Traffic from source-A will travel through a core and distribution layer of 6500 L3 switches, running 12.2(33)SXH8, to the WAN routers, which are two ASR1006s. The remote end is the same: two ASR1006 WAN routers to 6500 distribution and core L3 switches. All 6500s are L3 uplinked to each other and to the WAN routers. All traffic from the local site to the remote site routes through only one of the two WAN routers. I want to move only traffic from source-A to destination-B to the second WAN router to the remote site.
Would it be best to use policy-based routing or an offset list of some sort to accomplish this? I've done PBR before where you just hand off traffic described in an ACL to a particular outbound port and basically hand carry the traffic to a point in the network where EIGRP prefers the route you want.
I've one Cisco 3750G-12S with ip routing enabled; the switch is running the IP Services firmware, with PBR support. Currently my default static route 0.0.0.0 0.0.0.0 10.1.18.71 points to my Firewall A, so currently all of the VLANs will be routed to 10.1.18.71.
I've created a new VLAN 2 for my 10.1.2.0/24 network with the VLAN interface 2 IP address 10.1.2.10. My intention is to route 10.1.2.0/24 traffic to my 10.1.2.1 by creating the access list and route-map.
I've configured my test PC with a static IP and my gateway pointing to 10.1.2.10 (VLAN 2 gateway), but I'm not able to route to 10.1.2.1.
The last few days I've been exploring options for getting rid of some old routers across a WAN connection. I have a Cat 3560 to play with and I thought I would try to use the no switchport command to test out routing with the switch. I've got some type of route issue and I tried a few things which I thought would fix the issue, but they had no effect. I'll post the config and a few commands so you can see what the basic setup is.
Here we can see in the ARP table that it knows about both 10.7.1.2 (PC, unable to ping 10.3.3.254) as well as 10.3.3.254 (ASA). I tried adding an ip route of 10.7.0.0 255.255.0.0 10.3.3.110 as well as 10.3.3.254. Neither produced the result I wanted, allowing 10.7.1.2 (PC) to ping the ASA (10.3.3.254). [code]