Route-Map- Unused Sequence

sayast001 · ‎07-25-2013

Hello,

I have a route-map configured and binded to one of my VLAN interface to route all VLAN traffic to a particular destiantion IP.

We have matched an access list in sequence 10 where in we permit & and deny a few IPs.There is no match for sequence 20 however we have huge packets hitting this. I would like to know what is the role of sequence 20 in this route map & whether there will be any impact if we removet his sequence?

route-map SWG-PROXY, permit, sequence 10

Match clauses:

ip address (access-lists): SWG-PROXY-TRAFFIC

Set clauses:

ip next-hop 10.226.32.74

Policy routing matches: 6815244 packets, 644209072 bytes

route-map SWG-PROXY, permit, sequence 20

Match clauses:

Set clauses:

Policy routing matches: 254379497 packets, 771322447 bytes

Thanks

Soumya

Reza Sharifi · ‎07-25-2013

Hi,

Sequence 20 is an empty permit clause, which allows all other routes that are not included in sequence 10 and the access list. So, you need sequence 20 to allow everything else.

HTH

cadet alain · ‎07-25-2013

Hi Reza,

in a PBR route-map you don't need an empty explicit route-map sequence because what in not matched in the first sequence will simply be routed by RIB. It's totally different from a route-map used in BGP for example.

I don't se the need for this entry then and debug ip policy would show us these traffics to be not policy-routed.

Regards

Alain

Don't forget to rate helpful posts.

Reza Sharifi · ‎07-25-2013

Hi Alain and Gabriel,

Appreciate the correction and clarification!

Reza

Gabriel Hill · ‎07-25-2013

Hello Soumya,

I think I am going to disagree with Reza on this.

If your using this route-map for pure PBR purposes (no route redistribution), then there is no need for a default permit statement at the end of your policy. Since there is no "set" statement, the IOS will be using the routing table for the routing decisions. You will not see any impact if you remove the last sequence.

I have the following route-map on a 6500:

route-map SA permit 10

match ip address 100

set ip next-hop 192.168.x.x

I have nothing other than sequence 10. The traffic that doesn't match access list 100, gets sent to the routing table.

- Gabriel

sayast001 · ‎07-25-2013

Thank you all , Will it cause any CPU utilization issue?

Gabriel Hill · ‎07-25-2013

Hello Soumya,

No, by removing that sequence you should not see additional CPU usage.

- Gabriel

sayast001 · ‎07-25-2013

Hello Gabriel,

Sorry, looks like my question was not clear. If i keep this sequence with no match, will it cause any CPU issue? I can see huge packets hitting this.

Thanks

soumya

Gabriel Hill · ‎07-25-2013

In a 6500 This configuration can cause a HARD_BRIDGE_RESULT to be programmed in the TCAM, causing every packet that doesn’t match the policy to punted to the MSFC resulting in possible high cpu. The amount of increase in the CPU would depend on the rate of the traffic hitting the empty route map. I assume other hardware can have similar issues.

In my experience, it is best not to have the empty sequence.

sayast001 · ‎07-25-2013

Hello Gabriel,

Thanks for the clarification.I will remove this sequence from route-map. I was confused whether it was permitting other traffic which doesnt match with the first access list included in sequence 10.

Soumya

Umesh Shetty · ‎07-25-2013

HI Gabriel,

What you said regarding the HARD_BRIDGE_RESULT sounds really interesting, do you have any reference documents that would explain this more please.

Regards

Umesh Shetty