My posts about issues concerning Linux OS and network administration

Policy-based routing with Catalyst 3560

Wanted to setup PBR routing on our two Cisco catalyst 3650 boxes I was searching for some more information how to achieve that.
I found this page describing how to setup PBR in few steps. After reading some about PBR functionality from official Cisco documents I was playing a bit with it but I couldn’t get it working.

After deeper investigation I found out what the problem was…

Let’s say I have a client 10.0.1.1 from 10.0.1.0/24 subnet. Client’s default gateway is set to 10.0.1.253 (which is catalyst).
The traffic destined to 10.2.0.0/16 is supposed to route further to gateway 10.0.1.254 from here being driven by PBR policies. As you can see – client, catalyst and final GW are placed all in same subnet.

For this reason Catalyst decides to send an ICMP redirect packet back to client to suggest it to change its routing table and use 10.0.1.254 for packets destined for 10.2.0.0/16 from now on.

The problem was there were no ICMP packets allowed to be sent out of the Catalyst VLAN.

Here is a summary what had to be done to make PBR working for me:

  1. upgrade IOS to C3560-IPSERVICESK9-M version which enables dynamic routing features including PBR capability


    switch#show version
    Switch Ports Model SW Version SW Image
    ------ ----- ----- ---------- ----------
    * 1 28 WS-C3560G-24TS 12.2(55)SE4 C3560-IPSERVICESK9-M

  2. change SDM template to routing which allocates some memory for policy-based policies. You need to reload the switch to make it work first. You can check out whether you really have some free space for PBR. See number of IPv4 policy based routing aces line

    switch(config)# sdm prefer routing
    switch(config)# do reload
    switch(config)# show sdm prefer
    Load for five secs: 7%/0%; one minute: 9%; five minutes: 8%
    Time source is NTP, 16:59:20.235 CEST Thu Sep 29 2011

    The current template is "desktop routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.

    number of unicast mac addresses: 3K
    number of IPv4 IGMP groups + multicast routes: 1K
    number of IPv4 unicast routes: 11K
    number of directly-connected IPv4 hosts: 3K
    number of indirect IPv4 routes: 8K
    number of IPv4 policy based routing aces: 0.5K
    number of IPv4/MAC qos aces: 0.5K
    number of IPv4/MAC security aces: 1K

  3. create ACL to catch the traffic

    ip access-list extended PBR_VPN
    remark Match all packets from clients destined to VPN
    permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.255.255
  4. create route map which is pretty straight

    route-map PBR permit
    description Redirect all packets to VPN endpoints to appropriate interface on VPN concentrator
    match ip address PBR_VPN
    set ip next-hop 10.0.1.254
  5. enable ICMP redirect packet to be sent: ip redirects. Although this is enabled by default make sure you haven’t change it due to potential security risk.

Posted in Catalyst 3560, Cisco devices configuration


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Bad Behavior has blocked 592 access attempts in the last 7 days.