I have a route-map configured and bound to one of my VLAN interfaces to route all VLAN traffic to a particular destination IP.
We have matched an access list in sequence 10 wherein we permit and deny a few IPs. There is no match for sequence 20, however we have huge packets hitting this. I would like to know what the role of sequence 20 is in this route map and whether there will be any impact if we remove this sequence?
route-map SWG-PROXY, permit, sequence 10
ip address (access-lists): SWG-PROXY-TRAFFIC
ip next-hop 10.226.32.74
Policy routing matches: 6815244 packets, 644209072 bytes
route-map SWG-PROXY, permit, sequence 20
Policy routing matches: 254379497 packets, 771322447 bytes
Sequence 20 is an empty permit clause, which allows all other routes that are not included in sequence 10 and the access list. So, you need sequence 20 to allow everything else.
In a PBR route-map you don't need an empty explicit route-map sequence because what is not matched in the first sequence will simply be routed by the RIB. It's totally different from a route-map used in BGP, for example.
I don't see the need for this entry then, and debug ip policy would show us this traffic to be not policy-routed.
Don't forget to rate helpful posts.
I think I am going to disagree with Reza on this.
If you're using this route-map for pure PBR purposes (no route redistribution), then there is no need for a default permit statement at the end of your policy. Since there is no "set" statement, the IOS will be using the routing table for the routing decisions. You will not see any impact if you remove the last sequence.
I have the following route-map on a 6500:
route-map SA permit 10
match ip address 100
set ip next-hop 192.168.x.x
I have nothing other than sequence 10. The traffic that doesn't match access list 100, gets sent to the routing table.
Sorry, looks like my question was not clear. If I keep this sequence with no match, will it cause any CPU issue? I can see huge packets hitting this.
In a 6500, this configuration can cause a HARD_BRIDGE_RESULT to be programmed in the TCAM, causing every packet that doesn't match the policy to be punted to the MSFC, resulting in possible high CPU. The amount of increase in the CPU would depend on the rate of the traffic hitting the empty route map. I assume other hardware can have similar issues.
In my experience, it is best not to have the empty sequence.
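A small check for the situation described in this thread, added here as an example and not part of any post: it parses IOS-style show route-map output and flags permit sequences that have neither a match nor a set clause yet still count policy-routing hits. The sample text is constructed from the output posted above, and the match/set keyword lists are an assumption covering the common PBR clause lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the "show route-map" output posted in the thread.
SAMPLE_SHOW_ROUTE_MAP = """\
route-map SWG-PROXY, permit, sequence 10
  ip address (access-lists): SWG-PROXY-TRAFFIC
  ip next-hop 10.226.32.74
  Policy routing matches: 6815244 packets, 644209072 bytes
route-map SWG-PROXY, permit, sequence 20
  Policy routing matches: 254379497 packets, 771322447 bytes
"""

SEQ_RE = re.compile(r"^route-map (\S+), (permit|deny), sequence (\d+)")
COUNTER_RE = re.compile(r"Policy routing matches: (\d+) packets, (\d+) bytes")
# Assumed keyword lists covering the common PBR match and set clause lines.
MATCH_PREFIXES = ("ip address", "length")
SET_PREFIXES = ("ip next-hop", "ip default next-hop", "interface",
                "default interface", "ip precedence", "ip tos")

@dataclass
class Sequence:
    name: str
    action: str
    seq: int
    matches: list = field(default_factory=list)
    sets: list = field(default_factory=list)
    packets: int = 0

def parse_show_route_map(text: str) -> list:
    """Parse route-map sequences, their clauses and policy-routing counters."""
    seqs = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SEQ_RE.match(line):
            seqs.append(Sequence(m.group(1), m.group(2), int(m.group(3))))
        elif not seqs:
            continue  # ignore anything before the first sequence header
        elif m := COUNTER_RE.search(line):
            seqs[-1].packets = int(m.group(1))
        elif line.startswith(MATCH_PREFIXES):
            seqs[-1].matches.append(line)
        elif line.startswith(SET_PREFIXES):
            seqs[-1].sets.append(line)
    return seqs

def empty_permit_sequences(text: str) -> list:
    """(name, sequence, packets) for permit clauses with no match and no set."""
    return [(s.name, s.seq, s.packets) for s in parse_show_route_map(text)
            if s.action == "permit" and not s.matches and not s.sets]
```

Run against a saved `show route-map` capture, a non-empty result means a clause that routes nothing by policy but still attracts traffic, which is the clause worth removing on platforms with the punt behaviour described above.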
Thanks for the clarification. I will remove this sequence from the route-map. I was confused whether it was permitting other traffic which doesn't match the first access list included in sequence 10.
What you said regarding the HARD_BRIDGE_RESULT sounds really interesting, do you have any reference documents that would explain this more please.