PBR on 3750 with ACL deny entry

alig.norbert
Level 4

Hi all,

I need to do a PBR on a 3750.

My question is, can the 3750 handle the following config-sample (CPU):

Only the internet traffic should match the PBR (the permit in the ACL). The local routing should be handled as usual (the deny in the ACL).

ip access-list extended ACL-TEST
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
route-map PBR permit 10
 match ip address ACL-TEST
 set ip next-hop <new firewall IP>
!
interface Vlan10
 ip policy route-map PBR

Can the deny entry in the ACL be handled by the 3750?

Thanks and greets,

NA

2 Replies

alig.norbert
Level 4

I've done some research and found this:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#pbr

High CPU Due to Policy Based Routing

Policy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization.

* You can enable PBR on a routed port or an SVI.
* The switch does not support route-map deny statements for PBR.
* Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
* Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.
* Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.
* In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template.

Can somebody confirm this?
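The two restrictions most relevant to the question (no route-map deny statements, no deny ACEs in an ACL matched by PBR) can be checked mechanically before a config is pushed to a 3750. The script below is an added example written for this thread, not code from Cisco or from either poster. It parses IOS-style text for access lists, route-maps and `ip policy route-map` bindings, then reports every deny ACE and every route-map deny sequence that a policy-routed interface would hit. The next-hop address 203.0.113.1 is a documentation placeholder standing in for the poster's `<new firewall IP>`. The second sample rewrites the ACL with permit entries only, split across two route-map sequences; that it forwards local traffic normally relies on the standard IOS behaviour that a permit sequence with a match but no set clause falls through to the routing table, which is an assumption of this example and not something confirmed in this thread.

```python
import re

# Constructed sample: the original question's config with its typos fixed.
DENY_ACE_CONFIG = """\
ip access-list extended ACL-TEST
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
route-map PBR permit 10
 match ip address ACL-TEST
 set ip next-hop 203.0.113.1
!
interface Vlan10
 ip policy route-map PBR
"""

# Constructed sample: same intent expressed with permit ACEs only.
# Sequence 10 matches local destinations and has no set clause (assumed to
# fall through to normal routing); sequence 20 sends everything else to the
# firewall placeholder address.
PERMIT_ONLY_CONFIG = """\
ip access-list extended ACL-LOCAL
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.0.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
ip access-list extended ACL-ANY
 permit ip any any
!
route-map PBR permit 10
 match ip address ACL-LOCAL
!
route-map PBR permit 20
 match ip address ACL-ANY
 set ip next-hop 203.0.113.1
!
interface Vlan10
 ip policy route-map PBR
"""


def parse_config(text):
    """Return (acls, route_maps, policies) from IOS-style config text.

    acls:       ACL name -> list of ACE strings in order
    route_maps: route-map name -> list of sequence dicts
    policies:   interface name -> route-map name bound with 'ip policy route-map'
    """
    acls, route_maps, policies = {}, {}, {}
    section = None  # (kind, context) for the block currently being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None
            continue
        if not line.startswith(" "):  # top-level command starts a new block
            m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
            if m:
                section = ("acl", acls.setdefault(m.group(1), []))
                continue
            m = re.match(r"route-map (\S+) (permit|deny) (\d+)", line)
            if m:
                entry = {"seq": int(m.group(3)), "action": m.group(2), "acls": [], "set": []}
                route_maps.setdefault(m.group(1), []).append(entry)
                section = ("rmap", entry)
                continue
            m = re.match(r"interface (\S+)", line)
            section = ("intf", m.group(1)) if m else None
            continue
        if section is None:
            continue
        kind, ctx = section
        sub = line.strip()
        if kind == "acl":
            ctx.append(sub)
        elif kind == "rmap":
            m = re.match(r"match ip address (.+)", sub)
            if m:
                ctx["acls"].extend(m.group(1).split())
            elif sub.startswith("set "):
                ctx["set"].append(sub)
        elif kind == "intf":
            m = re.match(r"ip policy route-map (\S+)", sub)
            if m:
                policies[ctx] = m.group(1)
    return acls, route_maps, policies


def check_pbr(text):
    """List 3750 PBR restriction violations reachable from a policy-routed interface."""
    acls, route_maps, policies = parse_config(text)
    findings = []
    for intf, rm_name in policies.items():
        for entry in route_maps.get(rm_name, []):
            where = f"{intf}: route-map {rm_name} seq {entry['seq']}"
            if entry["action"] == "deny":
                findings.append(f"{where}: route-map deny statement is not supported for PBR")
            for acl_name in entry["acls"]:
                for ace in acls.get(acl_name, []):
                    if ace.startswith("deny"):
                        findings.append(f"{where}: ACL {acl_name} has deny ACE '{ace}' (punts to CPU)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("deny-ACE config", DENY_ACE_CONFIG), ("permit-only config", PERMIT_ONLY_CONFIG)):
        print(f"{label}: {check_pbr(cfg) or 'no PBR restriction violations'}")
```

Run against the first sample, the checker reports each of the three deny ACEs under `Vlan10: route-map PBR seq 10`; the permit-only rewrite produces no findings. The check is intentionally narrow: it does not know the switch's own addresses, so the restriction about ACLs that permit packets destined for a local address still has to be reviewed by hand.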

Hitesh Vinzoda
Level 4

Need to check
