05-10-2011 05:14 PM - edited 03-06-2019 04:59 PM
"Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization" is mentioned in the document http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swiprout.html.
But in my setup, how do I access the other VLANs when PBR is enabled? If I don't specify a DENY statement, then when I try to access a workstation from VLAN 10 to VLAN 20 it doesn't work, since the traffic takes the default path towards the policy route-map statement and hits the internet. Below is my config. Any suggestion is most welcome, as I am seeing slight CPU utilization when the DENY statement is used.
ip routing
interface vlan 10
ip address 172.16.0.254 255.255.255.0
ip policy route-map SERVER
interface vlan 20
ip address 172.16.3.254 255.255.255.0
ip policy route-map WORKSTATION
route-map SERVER permit 10
match ip address SERVER
set ip next-hop 172.16.254.2
route-map WORKSTATION permit 10
match ip address WORKSTATION
set ip next-hop 172.16.254.2
ip access-list extended SERVER
deny ip 172.16.0.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended WORKSTATION
deny ip 172.16.3.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 172.16.3.0 0.0.0.255 any
CORE-SWITCH#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
05-11-2011 04:55 AM
Hi Anand,
I believe you will have to rewrite the whole access list to include all entries which may match.
If feasible in your setup, you may also be able to use the following:
=======================================
route-map SERVER permit 10
match ip address NOT-SERVER
set ip next-hop
route-map SERVER permit 20
match ip address SERVER
set ip next-hop 172.16.254.2
route-map WORKSTATION permit 10
match ip address NOT-WORKSTATION
set ip next-hop
route-map WORKSTATION permit 20
match ip address WORKSTATION
set ip next-hop 172.16.254.2
ip access-list extended NOT-SERVER
permit ip 172.16.0.0 0.0.0.255 172.16.3.0 0.0.0.255
ip access-list extended SERVER
permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended NOT-WORKSTATION
permit ip 172.16.3.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list extended WORKSTATION
permit ip 172.16.3.0 0.0.0.255 any
=======================================
HTH,
Bert
05-11-2011 05:03 AM
You mean create 2 ROUTE MAPs with the same name and different sequence numbers, and 2 ACLs? Is that correct? Also, what is the "next-hop from routing table"? What should that IP be?
05-11-2011 05:35 AM
When looking further, that second option would not be valid in your case because the next hop would be directly connected.
Would it be possible to provide some clarification why you would require PBR in your scenario?
Do you have a default route pointing to some other next-hop?
If so, then the only way around this would be to make an ACE for every possible route which may be hit.
e.g.:
ip access-list extended SERVER
permit ip 172.16.0.0 0.0.0.255 0.0.0.0 127.255.255.255
permit ip 172.16.0.0 0.0.0.255 128.0.0.0 31.255.255.255
permit ip 172.16.0.0 0.0.0.255 160.0.0.0 7.255.255.255
permit ip 172.16.0.0 0.0.0.255 168.0.0.0 3.255.255.255
permit ip 172.16.0.0 0.0.0.255 172.0.0.0 0.15.255.255
permit ip 172.16.0.0 0.0.0.255 172.16.0.0 0.0.1.255
permit ip 172.16.0.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 172.16.4.0 0.0.3.255
permit ip 172.16.0.0 0.0.0.255 172.16.8.0 0.0.7.255
permit ip 172.16.0.0 0.0.0.255 172.16.16.0 0.0.15.255
permit ip 172.16.0.0 0.0.0.255 172.16.32.0 0.0.31.255
etc...
Some entries may not be required because they would never be hit.
HTH,
Bert
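The permit-only ACL sketched above is the complement of the excluded destination prefix (172.16.3.0/24) expressed as a list of CIDR blocks, one per bit of the prefix length, which is why it runs to 24 entries. The following script is an added example (not part of the thread or Cisco's documentation) that generates that ACL automatically for any source/excluded-destination pair, prints it in IOS wildcard-mask form, and includes a small first-match evaluator so the result can be checked offline. The ACL name, prefixes and test addresses are assumptions chosen to mirror the thread; the generated lines reproduce the ones listed in the post above. Because the list contains only permit ACEs, the traffic that should bypass PBR simply falls through to the implicit deny at the end of the list and is routed normally, without a deny ACE that the platform would punt to the CPU.

```python
import ipaddress
from typing import List


def wildcard(net: ipaddress.IPv4Network) -> str:
    """Render a prefix the way IOS ACLs want it: network address plus wildcard (inverted) mask."""
    return f"{net.network_address} {net.hostmask}"


def complement_prefixes(excluded: str, within: str = "0.0.0.0/0") -> List[ipaddress.IPv4Network]:
    """All prefixes inside `within` that do not overlap `excluded`, sorted by address.

    For a /24 excluded from 0.0.0.0/0 this yields exactly 24 prefixes (one per bit).
    """
    outer = ipaddress.ip_network(within)
    inner = ipaddress.ip_network(excluded)
    return sorted(outer.address_exclude(inner))


def pbr_permit_aces(acl_name: str, source: str, excluded_dst: str) -> List[str]:
    """Build a permit-only extended ACL: `source` to everything except `excluded_dst`.

    Traffic toward `excluded_dst` matches nothing and hits the implicit deny,
    so the route-map does not apply and the packet is routed normally.
    """
    src = ipaddress.ip_network(source)
    lines = [f"ip access-list extended {acl_name}"]
    for dst in complement_prefixes(excluded_dst):
        lines.append(f" permit ip {wildcard(src)} {wildcard(dst)}")
    return lines


def _wild_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard-mask comparison: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(acl_lines: List[str], src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation of the generated ACL with an implicit deny at the end."""
    for line in acl_lines[1:]:  # skip the 'ip access-list extended ...' header
        action, _proto, src_base, src_wild, dst_base, dst_wild = line.split()
        if _wild_match(src_ip, src_base, src_wild) and _wild_match(dst_ip, dst_base, dst_wild):
            return action == "permit"
    return False  # implicit deny: PBR route-map entry does not match


if __name__ == "__main__":
    # Assumed values mirroring the thread: VLAN 10 servers must not be policy-routed
    # when talking to VLAN 20 workstations (172.16.3.0/24).
    acl = pbr_permit_aces("SERVER", "172.16.0.0/24", "172.16.3.0/24")
    print("\n".join(acl))
    print(f"# {len(acl) - 1} permit ACEs, no deny ACEs")
    # Constructed check: internet-bound traffic matches, inter-VLAN traffic does not.
    print("to internet matches PBR:", ace_matches(acl, "172.16.0.10", "198.51.100.1"))
    print("to VLAN 20 matches PBR:", ace_matches(acl, "172.16.0.10", "172.16.3.7"))
```

The 24 entries fit comfortably within the 0.5K policy-based routing ACEs shown by `sh sdm prefer` on the original poster's switch; to exclude several destination prefixes at once, call `address_exclude` repeatedly on each remaining block before emitting the ACEs.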
05-11-2011 09:02 AM
I use 3 different firewalls for internet / VPN access, as mentioned below:
VLAN 10 will access the internet through firewall-1
VLAN 20 will access the internet through firewall-2
VLAN 10 / 20 will access the VPN through firewall-3
Hence there is a need for a PBR configuration on my core switch.
When you say ACE, does it mean Access Control Exception?