This document provides a sample configuration for policy routing on Catalyst 3550 series switches. Catalyst 3550 series switches have hardware based forwarding, thus forwarding information is programmed in Ternary Content Addressable Memory (TCAM). In order for the TCAM to support Policy Based Routing (PBR), it should be formatted by changing the Switch Database Management (SDM) template. You must modify the SDM template, such that it supports the 144-bit Layer 3 TCAM. Refer to Understand and Configure the Switching Database Manager on Catalyst 3550 Series Switches for more information about SDM.
Note: The Catalyst 3550 has limitations on the route-maps commands you can use.
Ensure that you are knowledgeable of these areas before you attempt this configuration:
The information in this document is based on these software and hardware versions:
Cisco IOS® Software Release 12.1.19-EA1a
Cisco Catalyst 3550
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
Before you can enable policy routing, you must configure one of these commands in global configuration mode, save the configuration, and reload the switch:
sdm prefer extended-match
sdm prefer access extended-match
sdm prefer routing extended-match
This example shows the error that is logged when you apply a policy route map before the SDM template has been changed, and the steps to change the template:

CAT3550(config)# access-list 10 permit 20.20.20.0 0.0.0.255
CAT3550(config)# route-map pbr permit 10
CAT3550(config-route-map)# match ip address 10
CAT3550(config-route-map)# set ip next-hop 18.104.22.168
CAT3550(config)# int vlan 3
CAT3550(config-if)# ip policy route-map pbr
CAT3550(config-if)#
06:12:31: %L3TCAM-3-SIZE_CONFLICT: PBR requires enabling extended routing

CAT3550# show run int vlan 3
Building configuration...

Current configuration : 60 bytes
!
interface Vlan3
 ip address 22.214.171.124 255.255.255.0
!--- Command not taken - you need to enable SDM.
end

CAT3550# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
CAT3550(config)# sdm prefer extended-match
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
CAT3550(config)# end
CAT3550# write
06:14:11: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
[OK]
ltd-1-2# reload
Proceed with reload? [confirm]
Some route-map commands are not supported for PBR on the Catalyst 3550; refer to Unsupported Route Map Commands. This configuration, for example, uses set ip default next-hop, which is not supported:
!
access-list 10 permit 20.20.20.0 0.0.0.255
route-map pbr permit 10
 match ip address 10
 set ip default next-hop 188.8.131.52
!
An error message is generated if you try to configure the policy route map on the interface:
CAT3550(config)# int vlan 3
CAT3550(config-if)# ip policy route-map pbr
CAT3550(config-if)# end
CAT3550#
00:02:29: %PBR-3-UNSUPPORTED_RMAP: Route-map pbr not supported for Policy-Based Routing
This document uses this network setup:
This document uses this configuration:
The configuration matches traffic sourced from 20.20.20.x (access-list 10) on interface Vlan2 and forwards it to the next hop 184.108.40.206. For that traffic, the policy overrides the default route, which points to 10.10.10.2.
CAT3550 (Cisco Catalyst 3550)
CAT3550# show running-config
Building configuration...
.
.
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 ip address 220.127.116.11 255.255.255.0
 ip policy route-map pbr
!
interface Vlan3
 ip address 18.104.22.168 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip classless
ip http server
!
!
access-list 10 permit 20.20.20.0 0.0.0.255
route-map pbr permit 10
 match ip address 10
 set ip next-hop 126.96.36.199
!
.
!
end
When set ip next-hop is used, the matching traffic does not appear in the debug output. This is expected on a switch: the Catalyst 3550 forwards in hardware, and the show and debug commands only present packets that are handled in software. The policy is applied in hardware to every packet: if a packet matches a permit entry of the route map, it is sent directly to the next hop you specified, without a lookup in the routing table.
The set ip default next-hop command behaves differently. The switch first looks up the destination in the routing table and uses the configured next hop only when there is no explicit route for the destination (a default route does not count as an explicit route). On the Catalyst 3550 this command is not supported for PBR, and a route map that contains it is rejected with %PBR-3-UNSUPPORTED_RMAP.
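The following script is an added example, not code from the original Cisco document. It audits the text of a show running-config for policy-based routing the way a reviewer would check the configuration above: it follows each ip policy route-map from the interface to its route map, access lists and set action, flags a route map that uses set ip default next-hop (which the Catalyst 3550 rejects with %PBR-3-UNSUPPORTED_RMAP), flags PBR applied without an sdm prefer ... extended-match line (which produces %L3TCAM-3-SIZE_CONFLICT), and warns when a next hop is not on a connected subnet, because the switch forwards matching packets to that hop without a routing-table lookup. The embedded configuration is constructed, modelled on the CAT3550 configuration above with a second policy on Vlan3 added to exercise the unsupported-command check; that the sdm prefer line appears in the running-config text is an assumption of the example.

```python
"""Audit a Cisco IOS running-config for policy-based routing (PBR).

Added example, not code from the original Cisco document. It follows each
`ip policy route-map` from the interface to the route-map, its access lists
and `set` action, then flags what the document says will fail on a Catalyst
3550: `set ip default next-hop` (%PBR-3-UNSUPPORTED_RMAP) and PBR applied
with no `sdm prefer ... extended-match` line (%L3TCAM-3-SIZE_CONFLICT). It
also warns when a next hop is not on a connected subnet, since the switch
forwards matching packets to it without a routing-table lookup. That the
`sdm prefer` line appears in the running-config is an assumption here.
"""
import ipaddress
import re

UNSUPPORTED_3550_SET = ("set ip default next-hop",)  # named unsupported in the document

# Constructed sample modelled on the document's CAT3550 configuration, with a
# second policy on Vlan3 added to exercise the unsupported-command check.
SAMPLE_CONFIG = """\
sdm prefer extended-match
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 ip address 20.20.20.1 255.255.255.0
 ip policy route-map pbr
!
interface Vlan3
 ip address 30.30.30.1 255.255.255.0
 ip policy route-map pbr-default
!
access-list 10 permit 20.20.20.0 0.0.0.255
access-list 20 permit 30.30.30.0 0.0.0.255
route-map pbr permit 10
 match ip address 10
 set ip next-hop 30.30.30.2
route-map pbr-default permit 10
 match ip address 20
 set ip default next-hop 10.10.10.2
!
end
"""


def parse_config(text):
    """Collect the PBR-relevant parts of an IOS running-config into a dict."""
    cfg = {"interfaces": {}, "route_maps": {}, "acls": {}, "connected": [], "sdm_extended": False}
    cur_if = cur_rm = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):                  # '!' closes a block in IOS output
            cur_if = cur_rm = None
            continue
        if not line.startswith(" "):                          # top-level command
            cur_if = cur_rm = None
            if m := re.match(r"interface (\S+)$", line):
                cur_if = m[1]
            elif m := re.match(r"route-map (\S+) (permit|deny) (\d+)$", line):
                cur_rm = {"name": m[1], "action": m[2], "seq": int(m[3]), "matches": [], "sets": []}
                cfg["route_maps"].setdefault(m[1], []).append(cur_rm)
            elif m := re.match(r"access-list (\d+) (.+)$", line):
                cfg["acls"].setdefault(m[1], []).append(m[2])
            elif re.match(r"sdm prefer (\S+ )?extended-match$", line):
                cfg["sdm_extended"] = True
            continue
        line = line.strip()                                   # sub-command of the open block
        if cur_if and (m := re.match(r"ip address (\S+) (\S+)( secondary)?$", line)):
            cfg["connected"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif cur_if and (m := re.match(r"ip policy route-map (\S+)$", line)):
            cfg["interfaces"][cur_if] = m[1]
        elif cur_rm and line.startswith(("match ", "set ")):
            cur_rm["matches" if line.startswith("match") else "sets"].append(line)
    return cfg


def audit_pbr(text):
    """Return (policies, findings): what each policy does, and what will not work."""
    cfg = parse_config(text)
    policies, findings = [], []
    for ifname, rm_name in sorted(cfg["interfaces"].items()):
        if rm_name not in cfg["route_maps"]:
            findings.append(f"{ifname}: route-map {rm_name} is applied but never defined")
        for e in cfg["route_maps"].get(rm_name, []):
            acl_ids = [a for m in e["matches"] if m.startswith("match ip address ") for a in m.split()[3:]]
            hops = [h for s in e["sets"] if "next-hop" in s for h in s.split("next-hop", 1)[1].split()]
            policies.append({"interface": ifname, "route_map": rm_name, "seq": e["seq"],
                             "acls": {a: cfg["acls"].get(a, []) for a in acl_ids},
                             "sets": list(e["sets"]), "next_hops": hops})
            for s in e["sets"]:
                if s.startswith(UNSUPPORTED_3550_SET):
                    findings.append(f"{rm_name} seq {e['seq']}: '{s}' is not supported for PBR on the Catalyst 3550")
            for nh in hops:
                if not any(ipaddress.ip_address(nh) in net for net in cfg["connected"]):
                    findings.append(f"{rm_name} seq {e['seq']}: next hop {nh} is not on a connected subnet; "
                                    "PBR forwards to it without a routing lookup")
    if cfg["interfaces"] and not cfg["sdm_extended"]:
        findings.append("PBR is applied but no 'sdm prefer ... extended-match' line is present")
    return policies, findings
```

Run audit_pbr(SAMPLE_CONFIG) to get the two policies and a single finding for the set ip default next-hop entry on Vlan3; remove the sdm prefer line from the sample and a second finding about the missing extended-match template appears. Any route map that steers traffic to a next hop outside a connected subnet is reported as well, since the document's description of hardware PBR (no routing lookup) means such a policy silently fails to deliver the traffic.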
There is currently no verification procedure available for this configuration.
This section provides information you can use to troubleshoot your configuration.
Note: Refer to Important Information on Debug Commands before you use debug commands.
debug ip policy—Shows packets that are policy routed or policy rejected. Because the Catalyst 3550 forwards in hardware, only packets that are handled in software appear in this output. An example of the debug ip policy command output is:
*Dec 5 13:33:23.607: IP: s=188.8.131.52 (Vlan2), d=184.108.40.206, len 100, policy match
*Dec 5 13:33:23.607: IP: route map pbr, item 10, permit
*Dec 5 13:33:23.607: IP: s=220.127.116.11 (Vlan2), d=18.104.22.168 (Vlan3), len 100, policy routed
*Dec 5 13:33:23.607: IP: Vlan2 to Vlan3 22.214.171.124
*Dec 5 13:33:23.707: IP: s=126.96.36.199 (Vlan2), d=188.8.131.52, len 100, policy match
*Dec 5 13:33:23.707: IP: route map pbr, item 10, permit
*Dec 5 13:33:23.707: IP: s=184.108.40.206 (Vlan2), d=220.127.116.11 (Vlan3), len 100, policy routed
*Dec 5 13:33:23.707: IP: Vlan2 to Vlan3 18.104.22.168
*Dec 5 13:33:23.847: IP: s=22.214.171.124 (Vlan2), d=126.96.36.199, len 100, policy match
*Dec 5 13:33:23.847: IP: route map pbr, item 10, permit