10-08-2009 10:20 AM - edited 03-06-2019 08:02 AM
Hi all,
I need to do a PBR on a 3750.
My question is, can the 3750 handle the following config-sample (CPU):
Only the internet traffic should match the PBR (the permit in ACL). The local routing should be handled as usual (the deny in ACL).
ip access-list extended ACL-TEST
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.0.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any
route-map PBR permit 10
 match ip address ACL-TEST
 set ip next-hop <new firewall IP>
int vlan 10
 ip policy route-map PBR
Can the deny entry in the ACL be handled by the 3750?
Thanks and greets,
NA
10-08-2009 10:39 AM
I've done some research and found this:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#pbr
High CPU Due to Policy Based Routing
Policy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization.
* You can enable PBR on a routed port or an SVI.
* The switch does not support route-map deny statements for PBR.
* Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
* Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.
* Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.
* In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template.
Can somebody confirm this?
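As an added example (not from either poster or from the Cisco tech note quoted above), here is the original route-map rewritten so that it follows the 3750 restrictions listed in the note: no deny ACEs and no route-map deny sequences. The idea is to split the single ACL into a permit-only "local destinations" ACL and a permit-only "everything else" ACL, put the local one in an earlier route-map sequence that has no set clause, and put the internet one in a later sequence that sets the next hop. This relies on the standard IOS rule that a packet matching a permit sequence with no set clause is simply forwarded by normal routing; it is assumed here that the 3750 applies that rule in hardware rather than punting to the CPU. The private ranges are kept exactly as the first post wrote them (note that 172.16.0.0 0.0.255.255 covers only 172.16.0.0/16, not the whole 172.16.0.0/12 block); <new firewall IP> is a placeholder.

```cisco
! Step 1 (per the tech note): PBR needs the routing SDM template.
! This takes effect only after a reload.
sdm prefer routing

! Step 2: permit-only ACL for destinations that must keep normal routing.
! No deny ACEs here, so nothing matching it is punted to the CPU.
ip access-list extended ACL-LOCAL
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.0.255.255
 permit ip any 192.168.0.0 0.0.255.255

! Step 3: permit-only ACL for everything else (internet-bound traffic).
ip access-list extended ACL-INTERNET
 permit ip any any

! Step 4: earlier sequence matches local traffic and has NO set clause,
! so matching packets fall through to the normal routing table.
route-map PBR permit 10
 match ip address ACL-LOCAL

! Later sequence catches the remaining traffic and redirects it.
route-map PBR permit 20
 match ip address ACL-INTERNET
 set ip next-hop <new firewall IP>

! Step 5: apply to the SVI (PBR on a routed port or SVI is supported).
interface Vlan10
 ip policy route-map PBR

! Verification after the change (assumed reasonable checks, not from the post):
! show sdm prefer              -> confirm the routing template is active
! show route-map PBR           -> match counters per sequence
! show processes cpu sorted    -> CPU should stay flat while traffic flows
```

One caveat worth checking before relying on this: the tech note also says not to match ACLs that permit packets destined to one of the switch's own addresses. ACL-LOCAL already covers SVI addresses inside the private ranges, but if the switch holds any address outside those ranges (for example a public uplink address), add a permit for it to ACL-LOCAL so that sequence 10 catches it before sequence 20 redirects it to the firewall.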
10-08-2009 10:53 AM
Need to check