We use a transparent proxy to filter content for our sites. I had a 2621 router configured as the default gateway for several sites connected via fiber (Ethernet int in router is 100Mbps) and it had ip policy route-map statement forwarding only web traffic to proxy content filter (server). This summer, I have overhauled our network, installed 2960G Layer 3 switches at our remote sites with Gigabit SFP modules. Eliminated use of 2621 router (due to 100Mbps bottleneck) and configured Layer 3 routing on a core 4506 switch. Now my sites are 1Gbps to core and I no longer use 2621 router (I'm only using RIP V2 routing).
My idea was to utilize ip policy route-map on vlan interface of 4506 switch. However, when I enable this, performance in my network slows to a crawl.
The following is configuration used to enable ip policy route-map:
 ip address 10.100.254.1 255.255.0.0
 ip policy route-map proxy-redirect
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 10.1.0.244 any
access-list 110 permit tcp any any
route-map proxy-redirect permit 10
 match ip address 110
 set ip next-hop 10.1.0.244
The following is software version:
IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-I9K2S-M), Version 12.1(19)EW,
EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
The above statement worked just fine on 2621 router but negatively impacts network performance when applied to interface 2/43 on 4506 switch. This interface is directly connected to our ASA inside interface 0/1.
The policy should allow the switch to intercept all web traffic except traffic from 10.1.0.244 (proxy) and forward client web requests to the proxy, which then inspects for appropriate content and would fulfill the client web request. It does do this... it's just painfully slow when more than a few clients hop on to surf away.
I've read that enabling this could impact performance due to the fact the switch now has to inspect each and every packet that it processes. Anyone have any ideas about what I might be doing wrong or possibly confirm that I can't use this statement without impacting performance? Thanks in advance.
Normally the performance of the 4506 is not impacted by Policy Route Map. Even the software doesn't seem to be a problem. No specific reason could be shown. In this case try to unconfigure and reconfigure the ACL. Switch can be reloaded after configuring IP Policy Route Map.
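For anyone re-entering the ACL as suggested, the following is an added example (not code from either poster) that evaluates ACL 110 and the route-map from the question with first-match semantics, to confirm which flows get the proxy next-hop. The client and destination addresses in FLOWS are constructed sample values, and the parser only handles the ACL syntax that appears in this thread.

```python
import ipaddress

# ACL 110 exactly as posted in the question.
ACL_110 = """\
access-list 110 deny tcp any any neq www
access-list 110 deny tcp host 10.1.0.244 any
access-list 110 permit tcp any any
"""
NEXT_HOP = "10.1.0.244"   # from "set ip next-hop" in the question
PORTS = {"www": 80}       # IOS port keyword -> number

def parse_addr(tok):
    """Consume 'any' or 'host A.B.C.D'; return (network or None, remaining tokens)."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError("unsupported address spec: " + tok[0])

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        port = (rest[0], int(PORTS.get(rest[1], rest[1]))) if rest else None
        entries.append((action, proto, src, dst, port))
    return entries

def acl_action(entries, proto, src, dst, dport):
    """First matching entry wins; falling off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, port in entries:
        port_ok = port is None or (dport == port[1]) == (port[0] == "eq")
        if (e_proto == proto and (e_src is None or src in e_src)
                and (e_dst is None or dst in e_dst) and port_ok):
            return action
    return "deny"

def forwarding(entries, proto, src, dst, dport):
    """route-map permit 10: ACL permit -> set next-hop; ACL deny -> normal routing."""
    hit = acl_action(entries, proto, src, dst, dport) == "permit"
    return NEXT_HOP if hit else "routed normally"

RULES = parse_acl(ACL_110)
# Constructed sample flows: (protocol, source, destination, destination port)
FLOWS = [("tcp", "10.100.20.15", "203.0.113.10", 80), ("tcp", "10.100.20.15", "203.0.113.10", 443),
         ("tcp", "10.1.0.244", "203.0.113.10", 80), ("udp", "10.100.20.15", "203.0.113.53", 53)]
if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", forwarding(RULES, *flow))
```

Only client TCP traffic to port 80 is handed to the proxy; the proxy's own outbound requests hit the second deny, which is what keeps them from being looped back to it.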