This is my scenario on my Cisco WS-C3560X-48P-S:

Vlan 3 connects to the internet router.
Vlan 4 Users, range 192.168.4.0/24
Vlan 5 Users, range 192.168.5.0/24
Vlan 7 Servers, range 192.168.7.0/24

Can I apply a policy route on Vlan 3 so traffic from end users goes to the internet through another route? Basically I want to filter and limit users' access to the internet.
I would apply it on the inbound interface. By applying it on the outbound interface I would imagine the router would already have done a routing table lookup, bypassing PBR.
ip access-list extended ACL-PBR
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map RM-PBR permit 10
 match ip address ACL-PBR
Next I wanted to apply the route-map to the correct interface, but that resulted in the following syslog message:

%PLATFORM_PBR-4-SDM_MISMATCH: PBR requires sdm template routing
Searching the internet for a PBR example on a Cisco Catalyst 3560, I found that I had to change the SDM (Switch Database Management) template. The SDM template controls how the Ternary Content Addressable Memory (TCAM), which holds the layer 2 and layer 3 forwarding tables the switch uses for its lookups, is partitioned between features; a template that reserves no TCAM for PBR entries cannot policy-route at all.
Looking at the default configuration, the switch had the following SDM configuration:

SW01-L3(config)#do sh sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K
Looking at the output, no TCAM space is allocated for IPv4 policy based routing ACEs, which is exactly what the SDM_MISMATCH message complains about. This means I had to change the SDM template to routing, which is done with the global configuration command:

sdm prefer routing

The new template only takes effect after a switch reload. Before reloading, keep in mind that the routing template trades layer 2 capacity for layer 3 capacity: the unicast MAC address and directly-connected host limits drop from 6K to 3K, so check that the current MAC and ARP tables fit. After the reboot I checked the SDM configuration and noticed that memory is now allocated for PBR, as displayed below:
SW01-L3(config)#do sh sdm prefer
 The current template is "desktop routing" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.75K
  number of IPv4/MAC security aces:                 1K
So I tried to apply the route-map to the interface again, but this resulted in another syslog message:

%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RM-PBR not supported for Policy-Based Routing

It seems that this PBR configuration is not supported on the switch, or at least that some of the route-map commands are not. Checking the internet again, I found a Cisco document listing the unsupported route-map commands for a Catalyst WS-C3560X-48T-L.
I had to change the next-hop configuration. I replaced the route-map with the following commands, using a plain set ip next-hop clause, which the switch accepted:

route-map RM-PBR permit 10
 match ip address ACL-PBR
 set ip next-hop 10.10.10.253
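Neither the question at the top nor the write-up shows the route-map actually being attached to an interface, and the reply above only says to put it on the inbound side. The following is an added example, not the original poster's or the blog author's configuration, that assembles the whole procedure for the scenario in the question: the SDM pre-check, the ACL, a route-map that uses only the set ip next-hop form the write-up ended up with, and the policy applied inbound on the user SVIs. The filtering gateway address 192.168.3.2, the SVI addresses, the ACL name ACL-PBR-USERS, and the assumption that every internal range fits in 192.168.0.0/16 are all made up for the example.

```cisco
! Added example, not from the original page. Assumed addressing:
!   Vlan 3 SVI 192.168.3.1/24, filtering gateway 192.168.3.2 on Vlan 3,
!   Vlan 4 SVI 192.168.4.1/24, Vlan 5 SVI 192.168.5.1/24.
!
! 1. Pre-check: the active SDM template must reserve TCAM for PBR ACEs.
!    If this line reads 0, change the template and reload before anything else.
show sdm prefer | include policy based routing
!
configure terminal
 sdm prefer routing
end
write memory
reload
!
! 2. After the reload: match only user traffic that is leaving the site.
!    The deny entries exclude internal destinations so the policy does not
!    drag user-to-server or user-to-user traffic through the filtering
!    gateway; everything else from the user subnets is policy-routed.
configure terminal
ip access-list extended ACL-PBR-USERS
 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
!
! 3. Keep the set clause to "set ip next-hop", the form the switch accepted
!    in the write-up above. Traffic not matched by the ACL falls through to
!    the normal routing table (no second clause is needed for that).
route-map RM-PBR permit 10
 match ip address ACL-PBR-USERS
 set ip next-hop 192.168.3.2
!
! 4. Apply the policy on the INBOUND interfaces, i.e. the user SVIs, as the
!    reply above recommends. On Vlan 3 (the outbound side) the routing lookup
!    has already happened and the policy would never be consulted.
!    PBR itself filters nothing: a user VLAN without the policy bypasses the
!    gateway entirely, so attach it to every SVI that carries user traffic.
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip policy route-map RM-PBR
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
 ip policy route-map RM-PBR
end
write memory
!
! 5. Verify: match counters on the route-map should climb as users browse,
!    "show ip policy" lists the SVIs carrying the policy, and the interface
!    detail should report policy routing as enabled with RM-PBR.
show route-map RM-PBR
show ip policy
show ip interface Vlan4 | include Policy
```

The deny entries are the part most often forgotten: a route-map that permits "any" from the user subnets sends server and inter-VLAN traffic to the filtering gateway too, which at best adds a hop and at worst drops traffic if the gateway only forwards toward the internet.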