C3064 PBR

blackmetal
Level 1

Hello,

I have an N3K-C3064PQ-10GX and a 4500X-32SFP. I have around 400-500 SVIs on both switches, and they are in different locations. Sometimes I need to set PBR for some SVIs and prefixes, and they are in different VLAN IDs. For example, we advertise 192.168.1.0/24 to our IP transits and we have assigned 192.168.1.1/27 to VLAN ID 50, then 192.168.1.32/27 to VLAN ID 67, then 192.168.1.64/30 to VLAN ID 254, .... In this case, if we want to find which SVI has the 192.168.1.0/24 subnet it is very hard, so we have decided to add "ip policy route-map MYPBR" to all SVIs (assign "ip policy route-map MYPBR" to interface VLAN IDs 1, 2, 3, 4, ..., 500) and keep the MYPBR access-list empty so it will not match any prefixes. When I need to change the 192.168.1.0/24 next-hop to another gateway I can add 192.168.1.0/24 to the MYPBR access-list, and those SVIs that have 192.168.1.0/24 will match and choose my new next-hop gateway. But I am worried that this may cause high CPU usage on my switch because I want to assign "ip policy route-map MYPBR" to all SVIs, thus my questions are:

  1. If the MYPBR access-list is empty, then nothing is checked for any SVI and it does not impact the switch CPU, right?
  2. If I have added 192.168.1.0/24 to the MYPBR access-list, then all 500 SVIs should check whether they have 192.168.1.0/24, so does it impact CPU usage? Thank you.
6 Replies

balaji.bandi
Hall of Fame

PBR is a common use case for steering traffic based on the route you would like to choose; I do not see any issue here. But every use case is different, so you always need to deploy/monitor/sign off, so we always need to monitor the impact on CPU.

Technically that is the way we do it in the normal use case most of the time; configuring it wrongly has other impacts, so look at the guidelines. It may be a different switch, but most Nexus switches work the same.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_pbr.html#16098

If you still have a concern: what is the current CPU usage? Provide examples of routes and the PBR example config you are planning, so we can understand and advise where possible.

BB


blackmetal
Level 1

Here is my PBR config:

ip access-list pbr-tun
  10 permit ip a/24 any

ip access-list pbr-tun-deny
  10 permit ip any x/21
  20 permit ip any y/21
  30 permit ip any z/22
  40 permit ip any t/22
  50 permit ip any b/22
  60 permit ip any a/22

route-map pbr-tun deny 5
  match ip address pbr-tun-deny
route-map pbr-tun permit 10
  match ip address pbr-tun
  set ip next-hop 172.x.x.191

I have around 1-2k routes in my route table and 500 SVIs, and each SVI has a different subnet. For example, here is one of my SVIs:

interface Vlan414
  description xxxxxxxxx
  no shutdown
  no ip redirects
  ip address a/28
  ip address b/29 secondary
  ip address c/29 secondary
  ip address d/29 secondary
  ip address e/30 secondary
  ip policy route-map pbr-tun

In this case I want to add "ip policy route-map pbr-tun" under all 500 SVIs, and when I want to change the a.a.a.a/24 next-hop, just add a.a.a.a/24 in "ip access-list pbr-tun". So is it OK, and does it not impact CPU usage because 500 SVIs have ip policy route-map pbr-tun?

My normal CPU usage is around 20-30%, but sometimes it spikes to 60-70% due to SNMP for 15-20 minutes.

Thanks,

blackmetal
Level 1

Any update?

Hello

Adding PBR to an SVI will policy-route traffic that originates from that interface. Adding a route-map without any ACL, or with an empty ACL, will PBR all traffic from that interface.

Adding PBR to over 500 SVI interfaces will, I have no doubt, incur CPU resources; however, it will be very resource intensive if those route-maps don't have any set clause (ip next-hop) applied to them, as then all packets will be punted to the CPU for IP routing, and this will be bad especially if you have 500 SVIs.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

blackmetal
Level 1

Actually I have an ip next-hop for my PBR and I have 192.168.1.0/24 in my PBR ACL. In this case, if I put it under all 500 SVIs, do you think it will impact CPU?

Hello

It will have some impact, but not as much as if you didn't have any set statement.

Looking at your PBR ACLs, there is no need for the deny ACL; just the permit ACL will be applicable, matching on the source subnet 192.168.1.0/24. However, appending the PBR to over 500 SVIs is a bit drastic; surely you can find where that subnet resides?

Do you have a host IP/MAC address in that subnet you can trace on?


Kind Regards
Paul
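The lookup the thread calls hard ("which SVI has 192.168.1.0/24?") and the audit of which SVIs carry the route-map can both be done offline against a saved `show running-config`. The following is an added example, not code from the thread or from Cisco; it assumes NX-OS-style `interface VlanN` / `ip address` / `ip policy route-map` lines and parses a constructed sample config.

```python
import ipaddress
import re
# Constructed NX-OS-style sample (not the poster's real config).
SAMPLE_CONFIG = """\
interface Vlan50
  ip address 192.168.1.1/27
  ip policy route-map pbr-tun
interface Vlan67
  ip address 192.168.1.33/27
  ip address 10.10.0.1/29 secondary
interface Vlan254
  ip address 192.168.1.65/30
  ip policy route-map pbr-tun
interface Ethernet1/1
  ip address 10.20.0.1/30
"""

def parse_svis(config: str) -> dict[str, dict]:
    """Map each 'interface VlanN' block to its addresses and PBR route-map (if any)."""
    svis: dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            # Only SVIs are tracked; any other interface ends the current block.
            current = m.group(1) if m.group(1).startswith("Vlan") else None
            if current:
                svis[current] = {"addresses": [], "policy": None}
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+)(?: secondary)?$", line)
        if m:
            svis[current]["addresses"].append(ipaddress.ip_interface(m.group(1)))
            continue
        m = re.match(r"ip policy route-map (\S+)$", line)
        if m:
            svis[current]["policy"] = m.group(1)
    return svis

def svis_in_prefix(config: str, prefix: str) -> list[tuple[str, str]]:
    """SVIs whose primary or secondary subnet overlaps the prefix (sub- or supernet)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [(name, str(a)) for name, info in parse_svis(config).items()
            for a in info["addresses"] if a.network.overlaps(net)]

def svis_without_policy(config: str, route_map: str) -> list[str]:
    # SVIs that do not carry 'ip policy route-map <route_map>': audit a bulk rollout.
    return [n for n, i in parse_svis(config).items() if i["policy"] != route_map]
```

Run it over the real config to list only the SVIs that actually hold the /24, which avoids attaching the policy to all 500 SVIs; the second function shows which SVIs still lack the route-map if the bulk approach is chosen anyway.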