10-24-2016 06:34 AM - edited 03-10-2019 01:10 PM
Hello Community.
I have a Catalyst WS-C4948E-F switch. It was installed as an upgrade to a Catalyst 3560G. I needed to replace the 3560G to have more routing in hardware and 10G ports. I'm using Policy Based Routing, and my configuration does not work without PBR. After I enable PBR on a heavily loaded VLAN, CPU grows from 5% to 80%. Packets start to be forwarded in software, according to the command "sh platform health".
My PBR configuration is very simple; it is based on this doc: http://www9.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/15-02SG/configuration/guide/config/pbroute.pdf
ip access-list extended LAN-PBR-ACL
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
ip access-list extended No-Local-AS-PBR-ACL
 permit ip any X.Y.X.0 0.0.0.255
!
route-map Anti-DDOS-RMAP deny 10
 match ip address LAN-PBR-ACL
route-map Anti-DDOS-RMAP deny 20
 match ip address No-Local-AS-PBR-ACL
route-map Anti-DDOS-RMAP permit 30
 set ip next-hop D.DoS.Cleaner.IP
!
interface Vlan55
 ip address X.Y.Z.H
 ip policy route-map Anti-DDOS-RMAP
!
sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICESK9-M), Version 15.2(2)E3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 26-Aug-15 07:47 by prod_rel_team
ROM: 12.2(44r)SG11
Backbone-SW1 uptime is 3 days, 1 hour, 32 minutes
System returned to ROM by power-on
System restarted at 11:49:08 UTC Fri Oct 21 2016
System image file is "bootflash:cat4500e-entservicesk9-mz.152-2.E3.bin"
Hobgoblin Revision 21, Fortooine Revision 1.40
Last reload reason: power-on
cisco WS-C4948E-F (MPC8548) processor (revision 8) with 1048576K bytes of memory.
My question is: is there HARDWARE-based PBR on the high-end WS-C4948E-F? The lower-end 3560G has it in hardware.
Thanks for the help
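To make the intended behaviour of the route-map above easy to check before it is applied to a busy VLAN, here is a small model of the ACL and route-map evaluation. This is an added example written by the editor, not code from the original post or from Cisco; it models only the documented first-match semantics (a deny sequence in a route-map means "do not policy-route", and a packet an ACL does not permit does not match that sequence) and says nothing about whether the 4948E-F applies the result in hardware, which is the question being asked. The addresses 203.0.113.0/24 (standing in for X.Y.X.0/24) and 198.51.100.5 (standing in for D.DoS.Cleaner.IP) are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One line of an extended IP ACL (protocol 'ip' only, no ports)."""
    action: str    # "permit" or "deny"
    src: str       # dotted address, or "any"
    src_wc: str    # Cisco wildcard mask; ignored when src == "any"
    dst: str
    dst_wc: str


def _match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; the implicit 'deny ip any any' ends the list."""
    for e in acl:
        if _match(src, e.src, e.src_wc) and _match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class RouteMapSeq:
    seq: int
    action: str                 # "permit" or "deny"
    match_acl: Optional[str]    # ACL name; None means the sequence matches everything
    set_next_hop: Optional[str]


def policy_route(route_map: List[RouteMapSeq], acls: Dict[str, List[AclEntry]],
                 src: str, dst: str) -> Optional[str]:
    """Return the PBR next-hop for a packet, or None for normal routing.

    Sequences are evaluated in order. A sequence matches when its ACL permits
    the packet. A matching 'deny' sequence, or no matching sequence at all,
    means the packet is forwarded by the routing table instead.
    """
    for s in sorted(route_map, key=lambda x: x.seq):
        matched = s.match_acl is None or acl_permits(acls[s.match_acl], src, dst)
        if not matched:
            continue
        if s.action == "deny":
            return None
        return s.set_next_hop
    return None


# The configuration from the post, transcribed with placeholder addresses
# (constructed values; X.Y.X.0/24 -> 203.0.113.0/24, cleaner -> 198.51.100.5).
ACLS: Dict[str, List[AclEntry]] = {
    "LAN-PBR-ACL": [
        AclEntry("permit", "any", "", "10.0.0.0", "0.255.255.255"),
        AclEntry("permit", "any", "", "192.168.0.0", "0.0.255.255"),
    ],
    "No-Local-AS-PBR-ACL": [
        AclEntry("permit", "any", "", "203.0.113.0", "0.0.0.255"),
    ],
}

ANTI_DDOS_RMAP: List[RouteMapSeq] = [
    RouteMapSeq(10, "deny", "LAN-PBR-ACL", None),
    RouteMapSeq(20, "deny", "No-Local-AS-PBR-ACL", None),
    RouteMapSeq(30, "permit", None, "198.51.100.5"),
]


def classify(src: str, dst: str) -> Optional[str]:
    """Next-hop the Anti-DDOS-RMAP would set for this src/dst, or None."""
    return policy_route(ANTI_DDOS_RMAP, ACLS, src, dst)


if __name__ == "__main__":
    # Constructed sample flows leaving Vlan55.
    for src, dst in [("203.0.113.10", "10.1.2.3"),
                     ("203.0.113.10", "192.168.5.5"),
                     ("203.0.113.10", "203.0.113.77"),
                     ("203.0.113.10", "8.8.8.8")]:
        nh = classify(src, dst)
        verdict = "normal forwarding" if nh is None else f"policy-routed to {nh}"
        print(f"{src} -> {dst}: {verdict}")
```

Running it shows the two deny sequences doing their job: traffic to RFC 1918 space and to the local prefix stays on the routing table, and only traffic leaving for the outside is pushed to the scrubber. That is the split worth confirming on the box itself (for example with the PBR counters) when the CPU goes up, because a route-map that accidentally matched the local prefix would send every internal flow through the cleaner too.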
10-24-2016 03:21 PM
Hi Serhii
"K5CpuMan Review" is the process associated with the high CPU. This indicates that the CPU is involved with packet forwarding (you already knew this!). The problem appears to be a software issue, possibly a bug in IOS. If you are open to loading cat4500e-entservicesk9-mz.152-2.E5a.bin and observing, please consider doing so.
If you would like this problem to be further investigated, my recommendation is to consider engaging Cisco via a TAC case. If you need help with opening a TAC case, I will be happy to help.
If you opt to open a TAC case on your own, please provide the following information along with the TAC case:
Sincerely .... Palani
10-24-2016 11:35 AM
Hi Sergiy
The objective seems to be to
Is this correct?
Is the next-hop D.DoS.Cleaner.IP reachable? Do you see a complete ARP entry for this next-hop?
If the next-hop is reachable, please share the output of
Don't expect to see any response for the first two commands. The above output will give us a deeper idea of where the CPU cycles are spent.
The hardware upgrade for the 4948E would be WS-X45-SUP7-E or WS-X45-SUP7L-E or WS-C4500X (fixed chassis).
Kind regards .... Palani
10-24-2016 01:40 PM
You have understood the routing 100% correctly.
I have a valid ARP/MAC entry for the next-hop DDoS filter IP.
Yesterday I had the chassis 'ws-c3560g-48'. Today I have a more powerful platform, 'ws-c4948e-f': 4x10G, 57k routes, 17.5 MB buffer, dual PSU, PBR available per the datasheet. Therefore, I expect that all options will be available and the 3560G config will work fine.
Command output in the attachment.
I have found a workaround by moving the DDoS-protected VLAN to a different VRF and leaking routes between them, but I do not want to leave it that way forever. I have posted this config also, but I want to step back to simple PBR.
Kind regards, Serhii
06-09-2017 12:07 AM
Hello!
IOS upgrade solved the problem.
Regards Serhii.