High CPU with PBR and inter-vlan routing issue.

ben-sharpibm
Level 1

Hello,

I have an issue whereby I have a Cisco 3750 stack and multiple gateways coming off this stack. Particular VLANs should use certain gateways, so for this I have configured PBR and applied it to the VLANs. When doing this, though, I have seen that inter-VLAN routing stopped working, as I was sending all traffic to the gateway using an (any). So to prevent this I applied a 'deny' for the subnet to itself, which has rectified the inter-VLAN routing; however, it means all packets are now processed by the CPU, causing issues.

Snippet of configuration looks like this:

interface Vlan150
description CUSTOMER_Management
ip address 10.150.10.254 255.255.255.0
ip access-group RESTRICT-ACCESS-TO-CUSTOMER in
ip policy route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER
!
interface Vlan151
description CUSTOMER_Server
ip address 10.150.20.254 255.255.255.0
ip policy route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER
!
interface Vlan152
description CUSTOMER_Workstation
ip address 10.150.40.254 255.255.255.0
ip helper-address 10.150.20.10
ip policy route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER
!
ip access-list extended INTERNAL-to-FIREWALL-CUSTOMER-ACL
deny   ip 10.150.0.0 0.0.255.255 10.150.0.0 0.0.255.255   ***[ISSUE LINE]***
permit ip 10.150.0.0 0.0.255.255 any
!
route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER permit 10
match ip address INTERNAL-to-FIREWALL-CUSTOMER-ACL
set ip next-hop 10.150.100.1

Any assistance would be greatly appreciated.

Regards,

Ben

7 Replies

Hello Ben,

Could you please attach the following outputs.

show proc cpu sort | ex 0.00
show proc cpu hist
show int vlan 150 switching

Cheers,

AB

Hi AB,

Show proc cpu sorted | ex 0.0

CPU utilization for five seconds: 45%/28%; one minute: 37%; five minutes: 20%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  82     6122929  78343095         78  9.74%  6.91%  2.64%   0 HLFM address lea
 221     5251164  34922310        150  0.63%  0.38%  0.26%   0 Spanning Tree
   9     6426258   7680065        836  0.47%  0.24%  0.22%   0 ARP Input
 156     3617574   3171953       1140  0.31%  0.16%  0.12%   0 HRPC qos request
 325        1278      3311        385  0.15%  0.34%  0.19%   1 Virtual Exec

#sh int vlan 150 swit
% Vl150 is not a switchable port

Thank you,

Ben

Apparently the way around this issue is to add all Internet routes to the ACL only, as follows; this seems to be working:

ip access-list extended INTERNAL-to-FIREWALL-CUSTOMER-ACL
permit ip 10.150.0.0 0.0.255.255  1.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255  2.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255  4.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255  8.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255  11.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255  12.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255  16.0.0.0 15.255.255.255
permit ip 10.150.0.0 0.0.255.255  32.0.0.0 31.255.255.255
permit ip 10.150.0.0 0.0.255.255  64.0.0.0 63.255.255.255
permit ip 10.150.0.0 0.0.255.255  128.0.0.0 31.255.255.255
permit ip 10.150.0.0 0.0.255.255  160.0.0.0 7.255.255.255
permit ip 10.150.0.0 0.0.255.255  168.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255  172.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255  173.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255  174.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255  176.0.0.0 15.255.255.255
permit ip 10.150.0.0 0.0.255.255  192.0.0.0 0.127.255.255
permit ip 10.150.0.0 0.0.255.255  192.128.0.0 0.31.255.255
permit ip 10.150.0.0 0.0.255.255  192.160.0.0 0.7.255.255
permit ip 10.150.0.0 0.0.255.255  192.169.0.0 0.0.255.255
permit ip 10.150.0.0 0.0.255.255  192.170.0.0 0.1.255.255
permit ip 10.150.0.0 0.0.255.255  192.172.0.0 0.3.255.255
permit ip 10.150.0.0 0.0.255.255  192.176.0.0 0.15.255.255
permit ip 10.150.0.0 0.0.255.255  192.192.0.0 0.63.255.255
permit ip 10.150.0.0 0.0.255.255  193.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255  194.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255  196.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255  200.0.0.0 7.255.255.255
permit ip 10.150.0.0 0.0.255.255  208.0.0.0 15.255.255.255
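Writing a permit-only PBR ACL like the one above by hand is easy to get wrong (a gap silently sends traffic to the default route, an overlap pulls internal traffic to the firewall). The following Python script is an added example, not code from this thread: it takes the prefixes to keep off the PBR next hop, computes the complement of IPv4 space as a minimal prefix list, and prints it as Cisco ACEs with wildcard masks. The excluded set is my reading of the gaps in Ben's list (0.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16 and 224.0.0.0/3); because the script collapses adjacent prefixes it emits 128.0.0.0/2 where Ben's list has seven separate entries.

```python
import ipaddress
from typing import Iterable, List

# Constructed from the thread: the ranges Ben's permit list leaves out.
EXCLUDED = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),      # internal space: keep inter-VLAN traffic off the PBR next hop
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/3"),     # multicast and reserved
]

SOURCE = ipaddress.ip_network("10.150.0.0/16")  # source block used in the thread's ACL


def wildcard(net: ipaddress.IPv4Network) -> str:
    """Cisco wildcard mask: the bitwise inverse of the subnet mask."""
    return str(net.hostmask)


def complement(excluded: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """All IPv4 space minus the excluded prefixes, as a sorted, collapsed prefix list."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excluded:
        kept = []
        for net in remaining:
            if ex.subnet_of(net):           # carve the exclusion out of this prefix
                kept.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):     # disjoint: keep as is (fully covered: drop)
                kept.append(net)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def permit_lines(source: ipaddress.IPv4Network, excluded) -> List[str]:
    """Render the complement as 'permit ip <src> <wc> <dst> <wc>' ACEs."""
    src = f"{source.network_address} {wildcard(source)}"
    return [f"permit ip {src} {n.network_address} {wildcard(n)}" for n in complement(excluded)]


def policy_routed(dst: str, excluded) -> bool:
    """True if a packet to dst matches a generated permit entry and takes the PBR next hop."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in complement(excluded))


if __name__ == "__main__":
    print("ip access-list extended INTERNAL-to-FIREWALL-CUSTOMER-ACL")
    for line in permit_lines(SOURCE, EXCLUDED):
        print(line)
```

The generated list can be diffed against the running ACL, and `policy_routed` gives a quick check that internal destinations such as 10.150.20.10 stay out of the policy while public addresses fall inside it.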

Hi,

Can you please check whether you have configured any static route pointing to an interface instead of an IP address.

Thanks

Bibin Paul
Level 1

Hi friend... can you please tell me how many routes there are in the routing table? As the 3750 on the desktop routing template will support a maximum of up to 8K routes. If the routes are more than 7K it will show high CPU... beyond this you can check the TCAM table..

Now, as you are using policy based routing, this can cause high CPU utilization.

Hi friend...

  82     6122929  78343095         78  9.74%  6.91%  2.64%   0 HLFM address lea

HLFM is the IP forwarding manager process; this utilization is due to the PBR configured. Try to reduce the entries in the ACL by summarising it.

ben-sharpibm
Level 1

Hi All,

The solution was to add the full Internet range to the PBR, thus leaving no deny statements.

Regards,

Ben
