Can't apply policy route-map on C3750 stack vlan interface

Similar Messages

• Local policy route-map for policy route

  Hi 
  this is related my previous question:
  I want to set policy route on asr1004, that redirect vpn traffic. 
  my case is:
    asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
  assume internal traffic 10.10.10.0/24 coming into asr1004 on int 1.
  assume vpn with ip address 10.2.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.2.2.1
  assume taget network is 10.200.200.0/24
  I want internal traffic (10.10.10.0/24) go to target (10.200.200.0/24)  to be redirect to10.2.2.2 (vpn)  first, so I add  "ip route 10.200.200.0/24 10.2.2.2" on asr1004.
  Than, I want vpn (10.2.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
  ip local policy route-map vpn-out
  access-list 100 permit ip 10.2.2.2 any
  route-map vpn-out permit 10
    match ip address 100
    set ip next-hop 10.100.100.100
  if not, do I have any change to do policy route for this case?
  any comment will be appreciated
  Thanks in advance
  Julxu

  hi Jon
  can I refresh the question again:
  my case is:
    asr1004 import a default route 0.0.0.0 from int 0 with bgp neibour address 10.100.100.100
  assume internal traffic 10.10.0.0/16 coming into asr1004 on int 1 with ip address 10.3.3.3
  assume vpn with ip address 10.10.2.2 is direct linked to asr1004 int 2, and int 2 ip address is 10.10.2.1
  assume taget network is 10.200.200.0/24
  I want internal traffic (10.10.0.0/16) go to target (10.200.200.0/24)  to be redirect to10.10.2.2 (vpn)  first, so I add  "ip route 10.200.200.0/24 10.10.2.2" on asr1004.
  Than, I want vpn (10.10.2.2) encrypt traffic and send it to one of ip in10.200.200.0/24 range again. at this point if I put local policy route-map below, is it will work?
  ip local policy route-map vpn-out
  access-list 100 permit ip 10.10.2.2 any
  route-map vpn-out permit 10
    match ip address 100
    set ip next-hop 10.100.100.100
  such as:
  interface TenGigabitEthernet0/0/0
   description bgp to get default
   ip address 10.100.100.100 255.255.255.252
   no ip redirects
   no ip unreachables
   no ip proxy-arp
  interface TenGigabitEthernet0/1/0
   description get internaltraffic
   ip address 10.3.3.3 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
  interface GigabitEthernet0/2/1
   description vpn
   ip address 10.10.2.1 255.255.255.248
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   media-type rj45
   negotiation auto
  ip local policy route-map vpn-out
  access-list 100 permit ip 10.10.2.2 any
  route-map vpn-out permit 10
    match ip address 100
    set ip next-hop 10.100.100.100
  ip route 10.200.200.0/24 10.10.2.2
  Could you please advise if it is correct?

• Can Policy Routing be configured on the RPR interface?

  We have three 10720 routers connected via RPR ring. And we found the policy routing is not working, however the same config works on Ethernet interfaces.

  Are you applying the config on the DPT interface or the Ethernet interface? I'd be suprised if you could configure any policy routing on the DPT interface. Rather I would have thought it should be applied on the Ethernet interfaces involved in the connection. Bear in mind that the router function of the 10720 does not really see the DPT ring, but as logical point to point links.

• Route map does not applied on interface vlan

  Hi all,
  could you pls tell me why i can't apply a route-map on an interface vlan,
  belown my config:
  SWBBO(config-if)#ip policy route-map TEST
                             ^
  % Invalid input detected at '^' marker.
  Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2013 by Cisco Systems, Inc.
  Compiled Fri 04-Jan-13 01:38 by prod_rel_team
  ROM: Bootstrap program is C3750E boot loader
  BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
  BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
  System returned to ROM by power-on
  System restarted at 22:12:07 UTC Mon Feb 18 2013
  System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
  Best regards,
  James

  Hi jon,
  belown the result of sh sdm prefer,so need i a licence ip service to apply the route-maap on the interface vlan,or just entrer the config"sdm prefer routing" and reboot the switch?
  SWBB0#sh sdm prefer
  The current template is "desktop default" template.
  The selected template optimizes the resources in
  the switch to support this level of features for
  8 routed interfaces and 1024 VLANs.
    number of unicast mac addresses:                  6K
    number of IPv4 IGMP groups + multicast routes:    1K
    number of IPv4 unicast routes:                    8K
      number of directly-connected IPv4 hosts:        6K
      number of indirect IPv4 routes:                 2K
    number of IPv6 multicast groups:                  64
    number of directly-connected IPv6 addresses:      74
    number of indirect IPv6 unicast routes:           32
    number of IPv4 policy based routing aces:         0
    number of IPv4/MAC qos aces:                      0.5K
    number of IPv4/MAC security aces:                 0.875k
    number of IPv6 policy based routing aces:         0
    number of IPv6 qos aces:                          0
    number of IPv6 security aces:                     60

• Route-Map not taken on 3850 IP Services

  Something odd I am seeing.
  Trying to use a 3850 L3 switch running IP Services, XE ver 03.03.03SE,   to do some policy routing on one of the VLAN interfaces.
  Interface VLAN 10
  ip address 208.x.y.z 255.255.255.0
  ip policy route-map Use_Route1
  It seems to take the command but when I look back with a show run interface vlan 10, it is not there.
  Also when I look at the show route policy it indicates that 0 packets have been processed.
  Is this a bug or am I missing something?

  Hi Richard,
  Cisco 3850 even running on full IP services image will not support verify-availability command to track with IP SLA.
  If you enable terminal monitor or configure the device using console you can see the syslog message when you try to configure the route-map with set ip next-hop verify-availability command
  %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map <name> not supported for Policy-Based Routing
  You can see the route-map command showing up in the config BUT as soon as you try to apply to interface vlan10 the command will be not be applied and PBR will not work.
  I hope Cisco find way to fix this!!
  Workaround:
  You can use EEM Applet with IP SLA
  event manager applet internet_up
  event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Down->Up"
  action 2.0 cli command "enable"
  action 3.0 cli command "config t"
   action 3.2 cli command "interface Vlan10"
   action 3.3 cli command "ip policy router-map Use_Internet"
   action 3.4 cli command "exit"
  event manager applet internet_down
  event syslog pattern "%TRACKING-5-STATE: 1 ip sla 1 reachability Up->Down"
  action 2.0 cli command "enable"
  action 3.0 cli command "config t"
   action 3.2 cli command "interface Vlan10"
   action 3.3 cli command "no ip policy router-map Use_Internet"
   action 3.4 cli command "exit"
  repeat the same process for other IP SLA tracking you have
  hope this helps
  Santhosh

• Route Map Policy on SVI - Trunk from ESX

  Hi,
  I have a question regarding the following configuration.
  A route map matches traffic from a particular subnet, say on VLAN 10 (using an ACL).
  A route map policy is applied on this SVI (int vlan 10)
  A server on this subnet is running on ESX which is connected to the switch on a trunk port.
  The ESX host tags all frames from this server as VLAN 10.
  In this scenario, should the route map pick up the traffic from this server? I don't see why not, but in my testing it doesn't seem to be working :)
  Thanks for any help.

  Hi Alex,
  It's a 3750x (stack) with 12.2(55)SE5.
  I've already changed the SDM template to routing and rebooted the switch.
  I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
  Thanks again.
  Extended IP access list UPLINK2
      10 permit ip 192.168.1.0 0.0.0.255 any
      20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
  route-map ROUTE1 permit 10
   match ip address UPLINK2
   set ip next-hop 10.1.1.253
  interface Vlan10
   ip address 192.168.5.254 255.255.254.0
   ip policy route-map ROUTE1
  end

• Applying "route-map" in interfaces with encapsulation dot1q

  Hello,
  I would like to ask you if there were some trouble  in applying route-maps in a interface and its subinterfaces, as it is shown:
  interface GigabitEthernet0/2
   ip address 11.0.9.26 255.255.255.252
   ip policy route-map GestionRadios
  interface GigabitEthernet0/2.11
   encapsulation dot1Q 11
   ip address 11.0.9.18 255.255.255.252
   ip policy route-map RedOperativaA
  interface GigabitEthernet0/2.12
   encapsulation dot1Q 12
   ip address 11.0.9.22 255.255.255.252
   ip policy route-map RedOperativaB
  I am not sure if it is correct totally. Besides I get this informacion doing "show ip  policy" and it seems to be right.
  Router#show ip policy
  Interface      Route map
  Gi0/2          GestionRadios
  Gi0/2.11       RedOperativaA
  Gi0/2.12       RedOperativaB
  I would be very grateful for your help.
  Thanks in advance
  Regards,
  Sandro

  Sandro
  We do not have much to work with in your post so giving you really good answers is difficult. You do not tell us what type of device this is (I assume probably a router, but perhaps it is a layer 3 switch?) or what version of code it is running. These things make a difference sometimes in what is supported or is not supported. But since you get output in show ip policy then I assume that the device does support configuration of this feature.
  You show us the configuration of the interfaces but not the configuration of the route maps or the access lists which the route maps probably use. So we can not form an opinion of the validity of the route maps or the access lists.
  And you do not tell us whether the Policy Based Routing is working or not (and in fact you do not tell us for sure that you are doing PBR - though that is generally what route maps on the interfaces are doing) so we are not clear whether there is a problem here or not.
  But based on what you show us in this post I do not see any particular problems with the route maps and the way that you have applied them to interfaces (assuming that your goal is really to do PBR).
  HTH
  Rick

• Route map policy on Catalyst4500x

  Does anyone know about route map policy on Catalyst4500x ? Is it do on hardware or software ? I try to use policy route map to match and redirect traffic about 1 Gbps

  Hi Alex,
  It's a 3750x (stack) with 12.2(55)SE5.
  I've already changed the SDM template to routing and rebooted the switch.
  I don't think the route map is working at all actually :) See config below, let me know if you can spot anything obvious but the networks on the ACL are definitely correct.
  Thanks again.
  Extended IP access list UPLINK2
      10 permit ip 192.168.1.0 0.0.0.255 any
      20 permit ip 192.168.4.0 0.0.1.255 any (305 matches)
  route-map ROUTE1 permit 10
   match ip address UPLINK2
   set ip next-hop 10.1.1.253
  interface Vlan10
   ip address 192.168.5.254 255.255.254.0
   ip policy route-map ROUTE1
  end

• Policy based routing to host in same vlan/subnet

  Hello i have nexus 7k that i have a policy based routing setup as follows for 2 vlans, 802 and 803, to set default route out to a host in vlan 802. i have applied my policy to the vlans and everything works fine for a host in vlan 803, it routes over and out properly. However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1. I can see the pbr statistics incrementing indicating that i am initially hitting the policy but im not sure where my traffic goes after that. I can talk to .237 direct in the vlan but i would like this to work through pbr to utilize all of my other routes and default gateway.
  vlans 802
  172.21.1.1/24
  ip policy route-map West
  vlan 803
  172.21.17.1/24
  ip policy route-map West
  route-map West permit 10
    match vlan 802-803
    set ip default next-hop 172.21.1.237
  Im thinking there is some kind of hairpinning problem or maybe im creating some kind of blackhole.
  any help is appreciated.
  thanks, scott

  Scott
  If the destination IP is in the same subnet as source IP then it won't be routed it will be L2 switched so it would never use the default gateway ie.
  src IP 172.21.1.10 255.255.255.0
  dst IP 172.21.1.237 255.255.255.0
  src compares it's own IP with it's subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with it's own subnet mask and sees it is also on the 172.21.1.x network so it simply arps out for that address and when it gets the mac address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
  So i don't see how you will be able to do this and i'm not sure why you are seeing hits in your PBR acl for the host in the 172.21.1.x network.
  Edit - what exactly do you mean when you say -
  However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
  How are you doing this ie. pointing it to the default gateway because as i say it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
  Jon

• Route-map, vlan routing

  I have a 6509 that I've setup with route-maps in order to route VLANs in different ways. For example, if we wanted some vlans to get out to the internet we would route them to a certain address. Then there is another vlan that we route to another internet gateway. It was all working pretty good until we swapped out another switch gateway in the network and every since things have been wonky. It seems as though the switch is routing packets that would normally stay on that switch out of the switch then back in, even though my access-list are set to deny the traffic. Here are the access-list and route-maps:
  access-list 10 permit 192.168.24.101
  access-list 10 permit 192.168.24.102
  access-list 100 permit tcp any 172.16.0.0 0.0.255.255 established
  access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.10 eq www
  access-list 100 permit tcp 192.168.4.0 0.0.3.255 host 172.16.1.11 eq www
  access-list 104 permit ip host 172.16.4.11 host 65.54.150.19
  access-list 104 permit tcp host 172.16.4.20 any eq www
  ip access-list extended BITCENTRAL_INTERNET
   deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
   deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
   permit ip host 172.16.1.170 any
   permit ip host 172.16.1.150 any
  ip access-list extended EDIT_BAYS
   deny   ip any 172.16.0.0 0.0.255.255
   deny   ip 172.16.0.0 0.0.255.255 any
   deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
   permit ip host 192.168.25.2 any
   permit ip host 192.168.26.80 any
   permit ip host 192.168.25.104 any
   permit ip host 192.168.25.3 any
   permit ip host 192.168.26.69 any
   permit ip host 192.168.26.71 any
   permit ip host 192.168.27.33 any
  ip access-list extended ENPS
   deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
   deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
   permit ip host 192.168.24.101 any
   permit ip host 192.168.24.102 any
   permit ip host 192.168.24.103 any
  ip access-list extended ENTRIQ
   deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
   deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
   deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
   permit ip 172.16.8.0 0.0.0.255 any
  ip access-list extended MISC
   deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.24.0 0.0.3.255
   deny   ip 192.168.24.0 0.0.3.255 172.16.0.0 0.0.255.255
   deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
   permit ip 172.16.11.0 0.0.0.255 any
  ip access-list extended Omneon
   deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
   deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   permit ip host 172.16.2.11 any
   permit ip host 172.16.2.2 any
  ip access-list extended ROSS-VLAN
   deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.3.255
   deny   ip 192.168.4.0 0.0.3.255 172.16.0.0 0.0.255.255
   permit ip host 172.16.4.20 any
   permit ip host 172.16.4.32 any
   permit ip host 172.16.4.31 any
   permit ip host 172.16.4.29 any
   permit ip host 172.16.4.30 any
   permit ip host 172.16.4.28 any
  vlan internal allocation policy ascending
  vlan access-log ratelimit 2000
  interface Vlan1
   no ip address
   shutdown
  interface Vlan10
   ip address 172.16.1.1 255.255.255.0
   ip policy route-map BITCENTRAL
  interface Vlan20
   ip address 172.16.2.1 255.255.255.0
   ip policy route-map OMNEON
  interface Vlan30
   ip address 172.16.3.1 255.255.255.0
  interface Vlan40
   ip address 172.16.4.1 255.255.255.0
   ip policy route-map ROSS-VLAN
  interface Vlan50
   ip address 172.16.5.1 255.255.255.0
  interface Vlan60
   ip address 172.16.6.1 255.255.255.0
  interface Vlan70
   ip address 172.16.7.1 255.255.255.0
  interface Vlan80
   ip address 172.16.8.1 255.255.255.0
   ip policy route-map ENTRIQ
  interface Vlan100
   ip address 192.168.27.1 255.255.252.0
   ip helper-address 192.168.7.255
   ip policy route-map OMNIBUS-VLAN
  interface Vlan110
   ip address 172.16.11.1 255.255.255.0
   ip helper-address 192.168.27.200
   ip policy route-map MISC
  interface Vlan120
   ip address 172.16.10.1 255.255.255.240
   ip policy route-map EDIT_BAYS
  interface Vlan140
   ip address 192.168.4.15 255.255.255.0
   ip directed-broadcast 10
  interface Vlan500
   ip address 192.168.1.19 255.255.255.224
  ip classless
  ip route 172.22.0.0 255.255.255.248 192.168.4.1
  ip route 192.168.0.0 255.255.255.224 192.168.4.254
  ip route 192.168.5.0 255.255.255.0 192.168.4.1
  route-map BITCENTRAL permit 60
   match ip address BITCENTRAL_INTERNET
   set ip next-hop 192.168.4.1
  route-map EDIT_BAYS permit 50
   match ip address EDIT_BAYS
   set ip next-hop 192.168.4.1
  route-map ENTRIQ permit 80
   match ip address ENTRIQ
   set ip next-hop 172.16.8.254
  route-map MISC permit 40
   match ip address MISC
   set ip next-hop 192.168.4.1
  route-map MSN permit 10
   match ip address 104
   set ip next-hop 192.168.4.1
  route-map OMNEON permit 20
   match ip address Omneon
   set ip next-hop 192.168.4.1
  route-map OMNIBUS-VLAN permit 30
   match ip address EDIT_BAYS
   set ip next-hop 192.168.4.1
  route-map OMNIBUS-VLAN permit 40
   match ip address ENPS
   set ip next-hop 192.168.4.1
  route-map ROSS-VLAN permit 70
   match ip address ROSS-VLAN
   set ip next-hop 192.168.4.1
  route-map SEC-VLAN permit 30
   match ip address SEC-VLAN
   set ip next-hop 192.168.4.1
  Here is how we tested the system and found the error. We cut the connection to 192.168.4.1 router, and when we try to ping a host on the 100 VLAN with the ip address of 192.168.24.101 from the MISC vlan with a ip address of 172.168.11.9 the ping just fails. When we enable the connection to the 192.168.4.1 router the pings go through again.  What in my route-map is causing this, I thought I setup the deny rules pretty good?

  Hi Mike,
  Between you and me, this is a lengthy config you have there.
  Next don't forget that a route-map doesn't apply to traffic originated or destined to the self-device, unless you use ip local policy in which might work, but there I have seen some nasty bugs.
  So if you can shorten your config to one example, then do the tests :
   - sourced from device A (it can be the SVI of another switch)
   - through your 6509 
   - destined to device B (it also can be the SVI of another switch, or even simpler some loopback inteface).

• ASA 5585-X Route-Map

  Hi,
  how can apply  route-map rules to an interface ?
  i set up some rules but i cannot apply these rules any interface.
  Thanks a lot.

  Thank you Kanwal.
  in a cisco router you can apply your route-map by using command ip policy map ... İ didnt find any command like this. İ set up some match and set conditions but i do not apply any interface.
  can i use route-map to manipulate routing table İn asa 5585-x.?
  sincerely

• PBR - adding a route map to an interface

  Hello.
  I cannot add a route-map to an interface on a C3750 stack
  I have copied the switch details below
  #sho ver
  Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-2007 by Cisco Systems, Inc.
  Compiled Thu 19-Jul-07 19:15 by nachen
  Image text-base: 0x00003000, data-base: 0x01280000
  ROM: Bootstrap program is C3750 boot loader
  BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)SEE3, RELEASE SOFTWARE (fc1)
  Pleidelsheim_V1B_Core uptime is 16 hours, 43 minutes
  System returned to ROM by power-on
  System restarted at 22:01:48 CET Wed Mar 3 2010
  System image file is "flash:/c3750-ipservices-mz.122-35.SE5.bin"
  cisco WS-C3750G-24TS (PowerPC405) processor (revision P0) with 118784K/12280K bytes of memory.
  Processor board ID CAT1130ZK5F
  Last reset from power-on
  9 Virtual Ethernet interfaces
  56 Gigabit Ethernet interfaces
  The password-recovery mechanism is enabled.
  512K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address       : 00:1D:46:8C:22:80
  Motherboard assembly number     : 73-7058-14
  Power supply part number        : 341-0045-01
  Motherboard serial number       : CAT113059LV
  Power supply serial number      : PHI1114L1PJ
  Model revision number           : P0
  Motherboard revision number     : A0
  Model number                    : WS-C3750G-24TS-E
  System serial number            : CAT1130ZK5F
  Top Assembly Part Number        : 800-22348-07
  Top Assembly Revision Number    : A0
  Version ID                      : V07
  CLEI Code Number                : COM7700ARA
  Hardware Board Revision Number  : 0x09
  Switch   Ports  Model              SW Version              SW Image
  *    1   28     WS-C3750G-24TS     12.2(35)SE5             C3750-IPSERVICES-M
       2   28     WS-C3750G-24TS     12.2(35)SE5             C3750-IPSERVICES-M
  Switch 02
  Switch Uptime                   : 16 hours, 43 minutes
  Base ethernet MAC Address       : 00:21:A1:2E:78:00
  Motherboard assembly number     : 73-7058-15
  Power supply part number        : 341-0045-01
  Motherboard serial number       : FDO121903D2
  Power supply serial number      : LIT121603VV
  Model revision number           : Q0
  Motherboard revision number     : A0
  Model number                    : WS-C3750G-24TS-E
  System serial number            : CAT1105RGN2
  Top assembly part number        : 800-22348-08
  Top assembly revision number    : A0
  Version ID                      : V08
  CLEI Code Number                : COMUJ10ARA
  Configuration register is 0xF
  #sho sdm prefer
  The current template is "desktop routing" template.
  The selected template optimizes the resources in
  the switch to support this level of features for
  8 routed interfaces and 1024 VLANs.
    number of unicast mac addresses:                  3K
    number of IPv4 IGMP groups + multicast routes:    1K
    number of IPv4 unicast routes:                    11K
      number of directly-connected IPv4 hosts:        3K
      number of indirect IPv4 routes:                 8K
    number of IPv4 policy based routing aces:         0.5K
    number of IPv4/MAC qos aces:                      0.5K
    number of IPv4/MAC security aces:                 1K
  When I try to add the route map
  interface Vlanx
  ip policy route-map xx
  %PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map xx not supported for Policy-Based Routing
  Can anyone see what could be wrong?

  Okay, just realised the route-map is not valid.
  The settings are okay.
  access-list 160 remark WIRELESS GUEST PBR FWD TRAFFIC
  access-list 160 permit tcp 172.16.168.128 0.0.0.63 any
  access-list 160 permit udp 172.16.168.128 0.0.0.63 any
  access-list 160 permit ip 172.16.168.128 0.0.0.63 any
  access-list 160 permit icmp 172.16.168.128 0.0.0.63 any
  route-map GUEST_VLAN-to-WEB permit 20
  description FWD REMAINING GUEST TRAFFIC TO PROXY
  match ip address 160
  set interface Null0
  Doesn't like the set interface Null0
  How else could I setup a black hole

• Policy routing via address ranges

  Is it possible to use policy routing based on ranges of a subnet? I want to have 192.168.1.1-100 go out e0 and 192.168.1.101-250 go out e1. From what I've read it only looks like policy routing works with route-maps using access lists

  You certainly can.. just use multiple lines in your ACLs to cover each range.
  For example,
  192.168.1.1-100 can be covered by:
  access-list 1 permit 192.168.1.0 0.0.0.63
  access-list 1 permit 192.168.1.64 0.0.0.31
  access-list 1 permit 192.168.1.96 0.0.0.3
  access-list 1 permit 192.168.1.100 0.0.0.0
  And use the following for everything else:
  access-list 1 permit 192.168.1.0 0.0.0.255
  So you can use the following:
  route-map PBR permit 10
  match ip address 1
  set interface e0
  route-map PBR permit 20
  match ip address 2
  set interface e1
  Hope that helps - pls rate the post if it does.
  Paresh

• Route map no match

  Hi,
  what is the reason for not having any match, in the acl for the route-map?
  Current configuration : 1731 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname R2
  boot-start-marker
  boot-end-marker
  no aaa new-model
  memory-size iomem 5
  ip cef
  interface Loopback0
   ip address 192.168.0.1 255.255.255.0
  interface Loopback1
   ip address 192.168.1.1 255.255.255.0
  interface Loopback200
   ip address 196.0.0.1 255.255.255.0
  interface FastEthernet0/0
   ip address 195.0.0.1 255.255.255.0
   ip policy route-map r_teste
   duplex auto
   speed auto
  interface FastEthernet0/1
   no ip address
   shutdown
   duplex auto
   speed auto
  interface Serial1/0
   ip address 10.0.0.2 255.255.255.252
   serial restart-delay 0
  interface Serial1/1
   ip address 172.16.0.2 255.255.255.252
   serial restart-delay 0
   clock rate 128000
  interface Serial1/2
   no ip address
   shutdown
   serial restart-delay 0
  interface Serial1/3
   no ip address
   shutdown
   serial restart-delay 0
  router bgp 100
   no synchronization
   bgp log-neighbor-changes
   network 192.168.0.0
   network 192.168.1.0
   neighbor 10.0.0.1 remote-as 200
   neighbor 172.16.0.1 remote-as 300
   no auto-summary
  ip http server
  no ip http secure-server
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 172.16.0.1
  access-list 40 permit any
  route-map anuncia1 permit 20
   match ip address 20
  route-map anuncia0 permit 10
   match ip address 10
  route-map r_teste permit 10
   match ip address 40
   set ip default next-hop 10.0.0.1
  control-plane
  line con 0
  line aux 0
  line vty 0 4
   login
  end
  R2#ping 192.168.55.1 source 195.0.0.1
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.55.1, timeout is 2 seconds:
  Packet sent with a source address of 195.0.0.1
  Success rate is 0 percent (0/5)
  R2#sh access-lists
  Standard IP access list 10
      10 permit 192.168.0.0, wildcard bits 0.0.0.255
  Standard IP access list 20
      10 permit 192.168.1.0, wildcard bits 0.0.0.255
  Standard IP access list 30
      10 permit 195.0.0.0, wildcard bits 0.0.0.255
  Standard IP access list 40
      10 permit any
  Extended IP access list 100
      10 permit ip any 192.168.55.0 0.0.0.255
  R2#
  is possible without changing the bgp?
  thanks

  Default PBR:
  All packets received on an interface (ingress) with PBR enabled are entertained, first they should match through ACL then forward to next hop. if a match is exist (through ACL) but not forward to next hop then do nothing this packet especially for ICMP packet. 
  I think you need  Local PBR:
  Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
  ip local policy route-map TEST
  Regards,
  kazim

• Policy-routing on 3550 12T

  IOS used: c3550-i5q3l2-mz.121-22.EA3.bin
  I try to policy-route packets coming from a certain source (160.160.160.0/24)to a next-hop ip address:
  route-map from_server permit 10
  match ip address 160
  set ip next-hop 192.168.1.1
  access-list 160 permit ip 160.160.160.0 0.0.0.255 any
  interface GigabitEthernet0/1
  ip policy route-map from_server
  The next-hop IP is in the routing table, nevertheless the packets matched with ACL 160 are not policy-routed.
  What am I doing wrong? Any ideas?
  Thanks a lot
  Florian

  You probably need to do this to get PBR to work:
  You must modify the SDM template to enable the switch to support the 144-bit Layer 3 TCAM. Use
  the sdm prefer extended-match, sdm prefer access extended-match, or the sdm prefer routing
  extended-match global configuration commands to reformat the TCAM space allocated to unicast
  routing in the default, access, or routing template, respectively. Reformatting the unicast routing
  TCAM reduces by half the number of supported unicast routes in the template.
  This is from the configuration guide for the 3550.