I'm attempting to use PBR on a 3560 switch. Everything seems to be working OK but we have some periodic CPU interrupt spikes that are affecting performance.
I have three vlans
vlan 1 - 172.19.142.0/24
vlan 2 - 172.20.142.0/24
vlan 3 - 22.214.171.124/24
route-map PBR permit 10
match ip address 140
set ip next-hop 192.168.250.2
I'm trying to policy route all www and ssl traffic
access-list 140 permit tcp any any eq www
access-list 140 permit tcp any any eq 443
However I have two problems
1) I have internal web services, so I need www traffic from 172.23.142.0/24 to route to 172.19.142.0/24, and this policy sends all www traffic out the next hop of 192.168.250.2.
2) When I add to acl 140
access-list 140 deny tcp 172.23.142.0 0.0.0.255 172.19.142.0 0.0.0.255 eq www
The policy works as expected but CPU starts to spike.
If I try to use 'set ip default next-hop XXXX' or change to 'route-map PBR deny 10' (for internal routed) the ip policy route-map pbr statement disappears from the vlan interface and cannot be re-added. No errors are displayed, it's just like the command is ignored.
I've looked at:
• Do not match ACLs that permit packets destined for a local address
• Do not match ACLs with deny ACEs
I'm looking for a way to implement PBR for selective traffic (www and 443), but keep the internal routing intact using the same protocols (www and 443).
Any suggestions would be appreciated.
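One way to address both problems without a deny ACE or a deny route-map entry, written here as an added example and not the poster's configuration: put the internal web traffic in its own permit-only ACL and give it a route-map sequence with no set clause, so it matches first and is forwarded by the normal routing table, while a later sequence policy-routes the remaining www/443 traffic. It assumes the poster's subnets and next hop, illustrative ACL names, and that the policy is applied on Vlan3 (the client VLAN).

```cisco
! Added example (not the poster's config): selective PBR on a 3560 without deny ACEs.
! Assumed: internal web servers in 172.19.142.0/24, clients on Vlan3,
! PBR next hop 192.168.250.2, ACL names WEB-INTERNAL / WEB-EXTERNAL are illustrative.

! PBR on the 3560 requires IP routing and the routing SDM template (reload after changing it).
ip routing
sdm prefer routing

! ACL 1: internal web/SSL traffic that must keep normal routing. Permit entries only.
! Keep the switch's own SVI addresses out of the matched destinations (or disable
! ip http server), since packets permitted to a local address are punted to the CPU.
ip access-list extended WEB-INTERNAL
 permit tcp any 172.19.142.0 0.0.0.255 eq www
 permit tcp any 172.19.142.0 0.0.0.255 eq 443

! ACL 2: all other www/443 traffic that should be policy-routed. Permit entries only.
ip access-list extended WEB-EXTERNAL
 permit tcp any any eq www
 permit tcp any any eq 443

! Sequence 5 matches internal web first; because it has no "set" clause the packet
! is routed normally, which replaces the deny ACE that was driving CPU usage.
! Sequence 10 catches the rest and sets the next hop.
route-map PBR permit 5
 match ip address WEB-INTERNAL
route-map PBR permit 10
 match ip address WEB-EXTERNAL
 set ip next-hop 192.168.250.2

interface Vlan3
 ip policy route-map PBR

! Verification: per-sequence match counters, where the policy is applied,
! and whether the periodic CPU spikes are gone.
show route-map PBR
show ip policy
show processes cpu sorted | exclude 0.00
```

If the "permit 5" counter in show route-map PBR increments for the internal web flows and CPU stays flat, the traffic is being switched in hardware rather than punted.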