PBR on 3750 with ACL deny entry

Unanswered Question
Oct 8th, 2009

Hi all,


I need to do a PBR on a 3750.

My question is: can the 3750 handle the following config sample (CPU-wise)?


Only the Internet traffic should match the PBR (the permit in the ACL). The local routing should be handled as usual (the deny entries in the ACL).


ip access-list extended ACL-TEST
 deny ip any 10.0.0.0 0.255.255.255
 ! 0.0.255.255 covers only 172.16.0.0/16; the full RFC 1918 block 172.16.0.0/12 is 0.15.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any


route-map PBR permit 10
 match ip address ACL-TEST
 set ip next-hop <new firewall IP>

interface Vlan10
 ip policy route-map PBR


Can the deny entry in the ACL be handled by the 3750?


Thanks and greetings,

NA

alig.norbert Thu, 10/08/2009 - 10:39

I've done some research and found this:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#pbr


High CPU Due to Policy Based Routing

Policy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization.

* You can enable PBR on a routed port or an SVI.
* The switch does not support route-map deny statements for PBR.
* Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
* Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.
* Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.
* In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template.


Can somebody confirm this?
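The restrictions quoted above (no deny ACEs, no route-map deny clauses, routing SDM template) can all be satisfied while keeping the intent of the original question: local RFC 1918 destinations stay on the normal routing table and only Internet-bound traffic is sent to the firewall. The following is an added example written for this thread, not configuration from the original poster or from the Cisco tech note; the ACL and route-map names, the interface, and the next-hop address 203.0.113.1 are assumed for illustration. It relies on standard IOS route-map behaviour: a permit sequence that matches but carries no set clause lets the packet be routed normally.

```cisco
! Added example (not from the original post): PBR on a Catalyst 3750 with
! permit-only ACLs and permit-only route-map sequences. Names, interface and
! the next hop 203.0.113.1 are assumptions for illustration.
!
! 1. PBR needs the routing SDM template; the new template is applied only
!    after a reload.
sdm prefer routing
!
! 2. Permit-only ACLs. LOCAL-DESTS lists every destination that must stay on
!    the normal routing table (all three RFC 1918 blocks; 0.15.255.255 covers
!    the whole of 172.16.0.0/12). Make sure the switch's own SVI addresses
!    fall inside this list too, so PBR never policy-routes packets destined
!    for a local address (another restriction in the tech note).
ip access-list extended LOCAL-DESTS
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
ip access-list extended ANY-DEST
 permit ip any any
!
! 3. Sequence 10 matches the local destinations and has no set clause, so
!    those packets are forwarded by the routing table as usual. Only traffic
!    that falls through to sequence 20 (everything else, i.e. Internet-bound)
!    gets the firewall as next hop. This replaces the deny ACEs of the
!    original ACL, which the 3750 would punt to the CPU.
route-map PBR permit 10
 match ip address LOCAL-DESTS
!
route-map PBR permit 20
 match ip address ANY-DEST
 set ip next-hop 203.0.113.1
!
interface Vlan10
 ip policy route-map PBR
!
! 4. Checks after the reload: the routing template must be the active one,
!    match counters on both sequences should increase, and CPU should stay
!    flat under normal load.
! show sdm prefer
! show route-map PBR
! show processes cpu sorted | exclude 0.00
```

If `show sdm prefer` still reports the default or VLAN template, the `sdm prefer routing` change has not taken effect yet (it needs the reload); if the counters of sequence 10 stay at zero while sequence 20 climbs, the LOCAL-DESTS list does not cover the prefixes actually in use and internal traffic is being sent to the firewall.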
