IP Policy Route-Map on L3 4506 Switch....

tyson.mock
Level 1

BACKGROUND:

We use a transparent proxy to filter content for our sites. I had a 2621 router configured as the default gateway for several sites connected via fiber (the Ethernet interface in the router is 100 Mbps) and it had an ip policy route-map statement forwarding only web traffic to the proxy content filter (server). This summer I overhauled our network and installed 2960G Layer 3 switches at our remote sites with Gigabit SFP modules. I eliminated the use of the 2621 router (due to the 100 Mbps bottleneck) and configured Layer 3 routing on a core 4506 switch. Now my sites are 1 Gbps to the core and I no longer use the 2621 router (I'm only using RIP v2 routing).

PROBLEM:

My idea was to utilize ip policy route-map on a VLAN interface of the 4506 switch. However, when I enable this, performance in my network slows to a crawl.

The following is the configuration used to enable ip policy route-map:

interface GigabitEthernet2/43
 no switchport
 ip address 10.100.254.1 255.255.0.0
 ip policy route-map proxy-redirect
!
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 10.1.0.244 any
access-list 110 permit tcp any any
!
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 10.1.0.244

The following is the software version:

IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I9K2S-M), Version 12.1(19)EW, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)

The above statement worked just fine on the 2621 router but negatively impacts network performance when applied to interface 2/43 on the 4506 switch. This interface is directly connected to our ASA inside interface 0/1.

The policy should allow the switch to intercept all web traffic except traffic from 10.1.0.244 (the proxy) and forward client web requests to the proxy, which then inspects for appropriate content and fulfills the client web request. It does do this... it's just painfully slow when more than a few clients hop on to surf away.

I've read that enabling this could impact performance due to the fact that the switch now has to inspect each and every packet it processes. Does anyone have any ideas about what I might be doing wrong, or can someone confirm that I can't use this statement without impacting performance? Thanks in advance.
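As an added illustration (not code from the original poster or from Cisco), the following Python model walks constructed sample flows through ACL 110 and the route-map exactly as posted above. It shows the PBR semantics that matter here: the first matching ACE decides, a permit match applies the set clause (next hop 10.1.0.244), and a deny match or no match at all leaves the packet on its normal route. The client and destination addresses in the sample flows are made up for the example.

```python
"""Model of how route-map proxy-redirect classifies traffic.

Added example, not part of the original post. It implements a subset
of IOS extended-ACL syntax (any / host, eq / neq on the destination
port) sufficient for ACL 110 as posted, plus PBR's first-match rule.
Sample flows below are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional

PROXY = "10.1.0.244"          # next hop from the route-map set clause

# ACL 110 verbatim from the post
ACL_110 = """
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 10.1.0.244 any
access-list 110 permit tcp any any
"""

WELL_KNOWN = {"www": 80}      # IOS port keyword -> number


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Ace:
    action: str               # "permit" or "deny"
    proto: str
    src: str                  # "any" or a host address
    dst: str
    port_op: Optional[str]    # None, "eq" or "neq" (destination port)
    port: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.port_op == "eq":
            return pkt.dport == self.port
        if self.port_op == "neq":
            return pkt.dport != self.port
        return True


def _addr(tok: List[str], i: int):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; return (addr, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N action proto src dst [op port]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port_op = port = None
        if i < len(tok):
            port_op, word = tok[i], tok[i + 1]
            port = WELL_KNOWN[word] if word in WELL_KNOWN else int(word)
        aces.append(Ace(action, proto, src, dst, port_op, port))
    return aces


def policy_next_hop(pkt: Packet, aces: List[Ace]) -> Optional[str]:
    """PBR lookup: proxy next hop on a permit match, None = route normally."""
    for ace in aces:
        if ace.matches(pkt):
            return PROXY if ace.action == "permit" else None
    return None   # implicit deny at the end of the ACL: no PBR action


SAMPLE = [   # constructed flows
    Packet("tcp", "10.100.1.10", "198.51.100.7", 80),    # client HTTP
    Packet("tcp", "10.100.1.10", "198.51.100.7", 443),   # client HTTPS
    Packet("tcp", PROXY, "198.51.100.7", 80),            # proxy's own fetch
    Packet("udp", "10.100.1.10", "192.0.2.53", 53),      # client DNS
]


def classify_all(acl_text: str = ACL_110, flows=SAMPLE) -> List[Optional[str]]:
    aces = parse_acl(acl_text)
    return [policy_next_hop(p, aces) for p in flows]


if __name__ == "__main__":
    for pkt, nh in zip(SAMPLE, classify_all()):
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: "
              f"{'redirect to ' + nh if nh else 'normal routing'}")
```

Two things the model makes visible. The two deny ACEs are what keep the proxy's own outbound fetches off the redirect path; if the permit line were listed first, the proxy's port-80 traffic would be handed straight back to 10.1.0.244 as its next hop. And because the first ACE denies every TCP port except www, only TCP/80 is steered to the proxy: HTTPS and all non-TCP traffic follow the normal routing table and never reach the content filter.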

1 Reply

thomas.chen
Level 6

Normally the performance of the 4506 is not impacted by a policy route-map. Even the software doesn't seem to be a problem. No specific reason could be shown. In this case, try to unconfigure and reconfigure the ACL. The switch can be reloaded after configuring the IP policy route-map.
