10-24-2016 06:34 AM - edited 03-10-2019 01:10 PM
Hello Community.
I have a Catalyst WS-C4948E-F switch. It was installed as an upgrade to a Catalyst 3560G. I needed to upgrade the 3560G to have more routing in hardware and a 10G port. I'm using Policy Based Routing, and my configuration does not work without PBR. After I enable PBR on a heavily loaded VLAN, CPU grows from 5% to 80%. Packets start to be forwarded in software, per the command "sh platform health".
My PBR configuration is very simple; it is based on the doc http://www9.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/15-02SG/configuration/guide/config/pbroute.pdf
ip access-list extended LAN-PBR-ACL
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
ip access-list extended No-Local-AS-PBR-ACL
 permit ip any X.Y.X.0 0.0.0.255
!
route-map Anti-DDOS-RMAP deny 10
 match ip address LAN-PBR-ACL
route-map Anti-DDOS-RMAP deny 20
 match ip address No-Local-AS-PBR-ACL
route-map Anti-DDOS-RMAP permit 30
 set ip next-hop D.DoS.Cleaner.IP
!
interface Vlan55
 ip address X.Y.Z.H
 ip policy route-map Anti-DDOS-RMAP
!
sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICESK9-M), Version 15.2(2)E3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 26-Aug-15 07:47 by prod_rel_team
ROM: 12.2(44r)SG11
Backbone-SW1 uptime is 3 days, 1 hour, 32 minutes
System returned to ROM by power-on
System restarted at 11:49:08 UTC Fri Oct 21 2016
System image file is "bootflash:cat4500e-entservicesk9-mz.152-2.E3.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40
Last reload reason: power-on
cisco WS-C4948E-F (MPC8548) processor (revision 8) with 1048576K bytes of memory.
My question is: is there hardware-based PBR on the high-end WS-C4948E-F? The low-end 3560G has it in hardware.
Thanks for the help
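To make the route-map semantics in the config above concrete, here is an added Python model (not from the thread or from Cisco) of how Anti-DDOS-RMAP classifies a destination: a packet that matches a deny sequence is routed normally, a packet reaching permit 30 (no match clause) gets the cleaner next-hop. The X.Y.X.0 prefix and D.DoS.Cleaner.IP are replaced by placeholder addresses, an assumption of this example.

```python
import ipaddress

# Placeholders standing in for the thread's masked values (assumed, not real).
LOCAL_AS_PREFIX = "203.0.113.0"   # stands in for X.Y.X.0
CLEANER = "192.0.2.1"             # stands in for D.DoS.Cleaner.IP

# Extended ACLs from the post; source is "any", so only the destination
# (base address, wildcard mask) is modelled.
ACLS = {
    "LAN-PBR-ACL": [("permit", "10.0.0.0", "0.255.255.255"),
                    ("permit", "192.168.0.0", "0.0.255.255")],
    "No-Local-AS-PBR-ACL": [("permit", LOCAL_AS_PREFIX, "0.0.0.255")],
}

# Route-map sequences in order: (action, sequence, match ACL or None).
ROUTE_MAP = [
    ("deny", 10, "LAN-PBR-ACL"),
    ("deny", 20, "No-Local-AS-PBR-ACL"),
    ("permit", 30, None),   # no match clause: matches everything, sets next-hop
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    care = (~to_int(wildcard)) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def acl_permits(acl_name, dst):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for action, base, wildcard in ACLS[acl_name]:
        if wildcard_match(dst, base, wildcard):
            return action == "permit"
    return False


def pbr_next_hop(dst):
    """Return the next-hop PBR sets, or None for normal destination routing.

    A deny sequence whose ACL permits the packet exempts it from PBR; an
    unmatched packet falls off the end of the route-map and is also routed
    normally (the implicit deny at the end of a route-map).
    """
    for action, _seq, acl in ROUTE_MAP:
        if acl is None or acl_permits(acl, dst):
            return CLEANER if action == "permit" else None
    return None


def classify(destinations):
    """Split a list of destination IPs into {'cleaner': [...], 'normal': [...]}."""
    out = {"cleaner": [], "normal": []}
    for dst in destinations:
        out["cleaner" if pbr_next_hop(dst) else "normal"].append(dst)
    return out
```

Running classify over a few constructed destinations shows that only traffic leaving the LAN and the local AS prefix is steered to the cleaner, which is the traffic the thread reports being punted to the CPU.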
10-24-2016 03:21 PM
Hi Serhii
"K5CpuMan Review" is the process associated with the high CPU. This indicates that the CPU is involved with the packet forwarding (you already knew this!). The problem appears to be a software issue, possibly a bug in IOS. If you are open to loading cat4500e-entservicesk9-mz.152-2.E5a.bin and observing, please consider doing so.
If you would like this problem to be further investigated, my recommendation is to consider engaging Cisco via a TAC case. If you need help with opening a TAC case, I will be happy to help.
If you opt to open a TAC case on your own, please provide the following information along with the TAC case:
Sincerely .... Palani
10-24-2016 11:35 AM
Hi Sergiy
The objective seems to be to
Is this correct?
Is the next-hop D.DoS.Cleaner.IP reachable? Do you see a complete ARP entry for this next-hop?
If the next-hop is reachable, please share the output of
Don't expect to see any response for the first two cmds. The above output will give us a deeper idea into where the CPU cycles are spent.
The hw upgrade for 4948E would be WS-X45-SUP7-E or WS-X45-SUP7L-E or WS-C4500X (Fixed chassis).
Kind regards .... Palani
10-24-2016 01:40 PM
You have understood the routing 100% correctly.
I have a valid ARP/MAC entry for the next-hop DDOS-Filter IP.
Yesterday I had the chassis 'ws-c3560g-48'. Today I have the more powerful platform 'ws-c4948e-f': 4x10G, 57k routes, 17.5 MB buffer, dual P/S, PBR available per the datasheet. Therefore, I expect that all options will be available and the 3560G config will work fine.
Command output is in the attachment.
I have found a workaround by moving the DDOS-protected VLAN to a different VRF and leaking routes between them, but I do not want to leave it that way forever. I have posted this config also, but I want to step back to simple PBR.
Kind regards, Serhii
06-09-2017 12:07 AM
Hello!
IOS upgrade solved the problem.
Regards Serhii.