Daniel,

route-map PBR permit 10
match ip address WWW-142
set interface vlan 1

how about leaving out the set statement entirely? If I remember correctly, the normal routing table will be used then but I'm not quite sure.

Regards

Rolf

[EDIT]:

Seems like my brain works even on a saturday morning ;-)

https://supportforums.cisco.com/message/4056398

So this should work as required:

ip access-list extended WWW-142

permit tcp 172.23.142.0 0.0.0.255 172.19.142.0 0.0.0.255 eq www

!

ip access-list extended WWW-SSL

permit tcp any any eq www

permit tcp any any eq 443

!

route-map PBR permit 10

description Internal Web-Servers => RIB

match ip address WWW-142

! no set needed

route-map PBR permit 20

description External WWW/SSL => PBR

match ip address WWW-SSL

set ip next-hop 192.168.250.2

One more note:

- Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping. 

I think "local address" here means control-plane traffic destined to a SVI. Shouldn't be an issue here as we don't change the next-hop for such packets.

Nice one Rolf!

So that definitely seems like the best option when you want to have a broad ACL but still do some forwarding according to RIB.

Daniel Dib
CCIE #37149

Thank you all for your for your suggestions.

But unfortunately it looks like a locally connected subnet cannot be listing in an ACL:

My interupts jump to 4% with only one connection from 172.19.142.124 to 172.23.142.11

Rolf, I think the "local address" is a locally connected subnet, but thanks.

CPU utilization for five seconds: 10%/4%; one minute: 9%; five minutes: 9%

Then it jumps to 6% for a file transfer:

CPU utilization for five seconds: 13%/6%; one minute: 10%; five minutes: 9%

using:

route-map PBR permit 10

match ip address 198

!

route-map PBR permit 20

match ip address 199

set ip next-hop 192.168.250.2

ACL 198 matches the directly connected subnets.

permit ip 172.23.142.0 0.0.0.255 172.19.142.0 0.0.0.255 (1016 matches)

ACL 199

is everything above.

It was in the high 20% range yesterday and TAC believes that is what the issue is.

I did run thru a TAC ticket with the routing team last night and they had this same solution, but the issue remained.

They say it's the interupts: CPU utilization for five seconds: 10%/4%; that are causing the performance issue. Turns it into a software switch??

They did not have any other solutions or recommendations to try.

I was setting this up as a temporary solution while we changed our internet facing device (2811 router to a Fortinet device), and was thinking of leaving it as a failover/DR solution in case something happened with the Fortinet.  But it looks like this may not work.

I really appreciate the suggestions and am hopful there may be another suggestion here.

Thanks again for everyone's time.

I'm not entirely sure this will work but it is worth a try. if you can't use local subnets then you need to specify all possible internet addresses. The acl below uses wildcard masks to specify every possible internet address. Due to the way wildcard masks work all traffic between 172.16.x.x and 172.31.x subnets do not match the acl. if you wanted to be more specific to your subnets you could be but it would make the acl considerably longer. But as this whole range is private addressing it doesn't really matter or shouldn't.

Also to keep the acl short it does allow traffic to the other private address ranges ie. 10.x.x.x and 192.168.x.x  but then so did your original acl. So you only need one permit statement in your route map with sets the next hop to 192.168.250.2.

I have assumed that you do not have any http/https traffic between internal subnets that you actually want to policy route. If you do this acl would not match and therefore they would be routed using the normal routing table.

permit tcp any 0.0.0.0 127.255.255.255  eq www   - covers all class A networks
permit tcp any 0.0.0.0 127.255.255.255  eq ssl
permit tcp any 128.0.0.0 31.255.255.255 eq www  -  128.0.0.0 -> 159.255.255.255
permit tcp any 128.0.0.0 31.255.255.255 eq ssl
permit tcp any 160.0.0.0 7.255.255.255 eq www -  160.0.0.0 -> 167.255.255.255
permit tcp any 160.0.0.0 7.255.255.255 eq ssl
permit tcp any 168.0.0.0 3.255.255.255 eq www    - 168.0.0.0 -> 171.255.255.255
permit tcp any 168.0.0.0 3.255.255.255 eq ssl
permit tcp any 172.0.0.0 0.15.255.255 eq www  - 172.0.0.0 -> 172.15.255.255
permit tcp any 172.0.0.0 0.15.255.255 eq ssl
permit tcp any 172.32.0.0 0.31.255.255 eq www - 172.32.0.0 -> 172.63.255.255
permit tcp any 172.32.0.0 0.31.255.255 eq ssl
permit tcp any 172.64.0.0 0.63.255.255 eq www - 172.64.0.0 -> 172.127.255.255
permit tcp any 172.64.0.0 0.63.255.255 eq ssl
permit tcp any 172.128.0.0 0.127.255.255 eq www  - 172.128.0.0 172.255.255.255
permit tcp any 172.128.0.0 0.127.255.255 eq ssl
permit tcp any 173.0.0.0 0.255.255.255 eq www - 173.0.0.0 -> 173.255.255.255
permit tcp any 173.0.0.0 0.255.255.255 eq ssl
permit tcp any 174.0.0.0 1.255.255.255 eq www  - 174.0.0.0 -> 175.255.255.255
permit tcp any 174.0.0.0 1.255.255.255 eq ssl
permit tcp any 176.0.0.0 15.255.255.255 eq www - 176.0.0.0 -> 191.255.255.255
permit tcp any 176.0.0.0 15.255.255.255 eq ssl
permit tcp any 192.0.0.0 31.255.255.255 eq www  - 192.0.0.0 -> 223.255.255.255
permit tcp any 192.0.0.0 31.255.255.255 eq ssl

Like i say no guarantees and i have no idea of what this will do to the switch in terms of CPU etc. but probably worth a try.

 
Jon

Thank you all for your suggestions.  I had to abandon this path as it was causing too much of a performance issue.

It we just had one subnet, I believe everything would have been fine, but whe we tried to route across subnets the CPU would spike and we would experience extremely high latency and voice calls were getting dropped.

Appenty this is a limitation of the 3560 and 3750 switches and intra-vlan routing.

Thanks again for your time and input, I appreciate it.

Tom