We've recently purchased 3 ME3800s to use as core/aggregation switches and I'm in the process of labbing up and starting to apply configuration, in what at the moment is an isolated environment.

One of the features we need to use for a small number of customers in order to do some basic URL filtering, is Policy Based Routing. We only need to policy route port 80 traffic from a select number and range of IP addresses.

This feature is new in 15.2(4)S on this platform. We've got the MetroAggrServices license on all three units - the license that in theory has "the works".

Reading the release notes, I'm struggling to find out definitively how this feature works on the ME3600/ME3800. Not so much the actual policy routing itself, but more so the licensing.

http://www.cisco.com/en/US/docs/switches/metro/me3600x_3800x/software/release/15.2_4_S/configuration/guide/swpbr.html

Firstly, this feature apparently requires simply an SDM change on the ME3600. That's easy enough to do. However the documentation states that on the ME3800 we need to purchase a SCALED license. For those who haven't looked this up, it isn't a cheap line item, it's something like AUD$14,000 RRP on top of existing licenses, per unit (less a reseller discount). Ouch.

Secondly, despite not having a SCALED license and with the default SDM template, the ME3800 actually allows me to configure PBR. Is this intentional or is it going to collapse in a smouldering heap of process-switched goop when I start pushing larger amounts of data through it?

The default SDM looks like this:

----

sw1#show sdm prefer current
The current License is MetroAggrServices
The current template is "default" template.

Template values:
      number of mac table entries                        =  128000
      number of ipv4 routes                              =  24000
      number of ipv6 routes                              =  12000
      number of routing groups                           =  2000
      number of multicast groups                         =  2000
      number of bridge domains                           =  4096
      number of acl entries                              =  4000
      number of MDT mroutes                              =  1000
      number of ipv6 acl entries                         =  1000
      number of ipv4 pbr entries                         =  2000

-----------

[Note the 2000 PBR entries, which suggests that hw resources are allocated, so it looks like it could work?!?!]

Thirdly, if I enable the evaluation of the SCALED license and reload, a new default SDM template is applied automatically, which removes all of my PBR TCAM:

sw2#show sdm prefer current
The current License is ScaledMetroAggrServices
The current template is "default" template.

Template values:
      number of mac table entries                        =  256000
      number of ipv4 routes                              =  32000
      number of ipv6 routes                              =  16000
      number of routing groups                           =  4000
      number of multicast groups                         =  4000
      number of bridge domains                           =  8192
      number of acl entries                              =  16000
      number of MDT mroutes                              =  1000
      number of ipv6 acl entries                         =  1000
      number of ipv4 pbr entries                         =  0

Then I have to set one of the VPNv4-only OR VPNv4-v6 SDMs to get any PBR space allocated again. So it looks to me like enabling the SCALED license actually removes PBR capability from the default SDM, not adds them.

Fourthly, is the PBR VRF-aware? It looks like not, but....

And lastly, are the restrictions in regards to PBR (the lack of route-map deny and by the looks of it, the lack of deny support in ACEs relating to PBR) likely to be removed in the future? Compared to the 7609-S we're moving away from, this is a step backwards.

I'm confused, and the questions have been raised internally as to why we seem to need to spend yet more money on top of the existing hardware and licenses, just in order to enable PBR. We don't otherwise need the SCALED license on this platform and we had figured previously that the most advanced license covered every -feature- we'd need.

To add insult to injury, it's actually going to work out very significantly cheaper to purchase a 3560-X floor switch or even another ME3600X just to do PBR. But to do that just seems really silly. I'd really like a bit more clarity on how this works on the ME3800 so we don't need to go down that path...

Reuben


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
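A small pre-change check, added here as an example and not part of Reuben's post or of any Cisco tooling: it parses the two `show sdm prefer current` captures quoted above, reports every resource row whose allocation changed between the two licenses, and refuses a planned PBR rollout when the active template reserves no IPv4 PBR entries. The function names, the `needed` threshold and the report format are the example's own assumptions; the two CLI captures are copied from the post.

```python
"""Parse 'show sdm prefer current' output from a Cisco ME3600X/ME3800X,
diff two templates, and gate a PBR rollout on the reserved TCAM."""
import re
from typing import Dict, Tuple

# Sample CLI output, copied from the two captures in the post above:
# sw1 running the MetroAggrServices license, sw2 after enabling the
# ScaledMetroAggrServices evaluation license and reloading.
SW1_OUTPUT = """\
sw1#show sdm prefer current
The current License is MetroAggrServices
The current template is "default" template.

Template values:
      number of mac table entries                        =  128000
      number of ipv4 routes                              =  24000
      number of ipv6 routes                              =  12000
      number of routing groups                           =  2000
      number of multicast groups                         =  2000
      number of bridge domains                           =  4096
      number of acl entries                              =  4000
      number of MDT mroutes                              =  1000
      number of ipv6 acl entries                         =  1000
      number of ipv4 pbr entries                         =  2000
"""

SW2_OUTPUT = """\
sw2#show sdm prefer current
The current License is ScaledMetroAggrServices
The current template is "default" template.

Template values:
      number of mac table entries                        =  256000
      number of ipv4 routes                              =  32000
      number of ipv6 routes                              =  16000
      number of routing groups                           =  4000
      number of multicast groups                         =  4000
      number of bridge domains                           =  8192
      number of acl entries                              =  16000
      number of MDT mroutes                              =  1000
      number of ipv6 acl entries                         =  1000
      number of ipv4 pbr entries                         =  0
"""

LICENSE_RE = re.compile(r"^The current License is (\S+)")
TEMPLATE_RE = re.compile(r'^The current template is "([^"]+)" template')
VALUE_RE = re.compile(r"^\s*number of (.+?)\s*=\s*(\d+)\s*$")


def parse_sdm(output: str) -> dict:
    """Turn 'show sdm prefer current' text into {license, template, values}."""
    info = {"license": None, "template": None, "values": {}}
    for line in output.splitlines():
        if m := LICENSE_RE.match(line):
            info["license"] = m.group(1)
        elif m := TEMPLATE_RE.match(line):
            info["template"] = m.group(1)
        elif m := VALUE_RE.match(line):
            info["values"][m.group(1)] = int(m.group(2))
    return info


def diff_templates(before: dict, after: dict) -> Dict[str, Tuple[int, int]]:
    """Resources whose allocation differs between two parsed templates.
    Returns {resource: (before, after)}; a row missing on one side counts
    as 0 there, since an absent row means nothing is reserved for it."""
    keys = set(before["values"]) | set(after["values"])
    changes = {}
    for k in sorted(keys):
        a = before["values"].get(k, 0)
        b = after["values"].get(k, 0)
        if a != b:
            changes[k] = (a, b)
    return changes


def pbr_capacity_check(info: dict, needed: int) -> Tuple[bool, str]:
    """Pre-change gate: does the active template reserve enough IPv4 PBR
    TCAM for the route-map entries we plan to apply? A template showing
    zero entries reserves no hardware resources for PBR at all."""
    have = info["values"].get("ipv4 pbr entries", 0)
    ok = have > 0 and have >= needed
    msg = (f"{info['license']}/{info['template']}: {have} ipv4 pbr entries, "
           f"{needed} needed -> {'OK' if ok else 'BLOCK'}")
    return ok, msg


if __name__ == "__main__":
    sw1, sw2 = parse_sdm(SW1_OUTPUT), parse_sdm(SW2_OUTPUT)
    for res, (a, b) in diff_templates(sw1, sw2).items():
        print(f"{res:<22} {a:>7} -> {b:>7}")
    for sw in (sw1, sw2):
        print(pbr_capacity_check(sw, needed=10)[1])
```

Run it against the output of your own switches before and after a license or `sdm prefer` change: the diff makes the silent loss of the PBR pool visible, and the gate gives a change-control step a concrete reason to stop the rollout rather than discovering the missing TCAM under load.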