07-09-2013 09:50 AM - edited 03-07-2019 02:18 PM
Relevant config (I think):
interface Vlan2
 description User Subnet
 ip address 10.3.3.253 255.255.254.0
 ip helper-address 192.168.42.12
 no ip redirects
 no ip proxy-arp
 ip route-cache policy
 no ip mroute-cache
 ip policy route-map Hosted_Security
!
route-map Hosted_Security permit 10
 match ip address Hosted_Security
 set ip next-hop 192.168.42.10
!
ip access-list extended Hosted_Security
 deny ip host 10.3.2.85 192.168.42.0 0.0.1.255
 deny ip host 10.3.2.85 172.16.0.0 0.0.1.255
 deny ip host 10.3.2.85 10.0.0.0 0.255.255.255
 permit ip host 10.3.2.85 any
If there is something else needed, please let me know. I am trying to send all non-internal traffic from this host to 192.168.42.10. As far as I can tell, this works fine; however, the CPU goes up to about 50% when I start sending traffic to a host in the 192.168.42.0 network.
07-09-2013 10:13 AM
Hi,
Here's a couple of helpful links for you:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#pbr
Please read pointer 5 in the above link; the deny ACE hits are causing high CPU for you, I think.
Manish
07-09-2013 10:17 AM
Any ideas for how to accomplish what I am trying to do if I can't use deny statements in the ACL?
07-09-2013 10:27 AM
Not sure, but you can always try (please use a mock test environment for this):
Make 2 different access lists:
ip access-list extended Hosted_Security_1
 permit ip host 10.3.2.85 192.168.42.0 0.0.1.255
 permit ip host 10.3.2.85 172.16.0.0 0.0.1.255
 permit ip host 10.3.2.85 10.0.0.0 0.255.255.255
!
ip access-list extended Hosted_Security_2
 permit ip host 10.3.2.85 any
!
route-map Hosted_Security permit 10
 match ip address Hosted_Security_1
 set ip next-hop YOUR_Default_Gateway
!
route-map Hosted_Security permit 20
 match ip address Hosted_Security_2
 set ip next-hop 192.168.42.10
Test it out.
Manish
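The two replies above make one point between them: a deny ACE inside an ACL that a PBR route-map matches on is not handled in hardware on this platform, so every packet that hits a deny is punted to the CPU (which is also why such traffic is a cheap denial-of-service lever), and the fix is to turn the denies into permits in a first route-map sequence and move the original permits into a second sequence. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style config fragment, reports every deny ACE reachable from a `match ip address` in a route-map, and emits the split-ACL rewrite in the shape Manish posted. The config text embedded in it is constructed from the original post; the internal next-hop used in the usage line (`10.3.3.254`) is an assumed placeholder for "YOUR_Default_Gateway", not an address from the thread.

```python
"""Lint IOS-style PBR config for deny ACEs and emit the permit-only rewrite.

Added example for the thread above; not a Cisco tool. The sample config is
constructed from the original post.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (trimmed copy of the config in the original post).
SAMPLE_CONFIG = """\
interface Vlan2
 ip policy route-map Hosted_Security
route-map Hosted_Security permit 10
 match ip address Hosted_Security
 set ip next-hop 192.168.42.10
ip access-list extended Hosted_Security
 deny ip host 10.3.2.85 192.168.42.0 0.0.1.255
 deny ip host 10.3.2.85 172.16.0.0 0.0.1.255
 deny ip host 10.3.2.85 10.0.0.0 0.255.255.255
 permit ip host 10.3.2.85 any
"""

def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[int, dict]]]:
    """Return (acls, route_maps).

    acls: ACL name -> list of ACE strings, e.g. "deny ip host 10.3.2.85 any".
    route_maps: name -> sequence -> {"action", "match_acls", "set_next_hop"}.
    Only named extended ACLs and route-map sequences are tracked.
    """
    acls: Dict[str, List[str]] = {}
    rmaps: Dict[str, Dict[int, dict]] = {}
    section = None  # ("acl", name) | ("rmap", name, seq) | None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):  # top-level command starts a new section
            m = re.match(r"ip access-list extended (\S+)$", line)
            if m:
                section = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
                continue
            m = re.match(r"route-map (\S+) (permit|deny) (\d+)$", line)
            if m:
                name, action, seq = m.group(1), m.group(2), int(m.group(3))
                rmaps.setdefault(name, {})[seq] = {
                    "action": action, "match_acls": [], "set_next_hop": None}
                section = ("rmap", name, seq)
                continue
            section = None  # interface blocks etc. are not needed here
            continue
        entry = line.strip()
        if section and section[0] == "acl":
            if not entry.startswith("remark"):
                acls[section[1]].append(entry)
        elif section and section[0] == "rmap":
            ent = rmaps[section[1]][section[2]]
            m = re.match(r"match ip address (.+)$", entry)
            if m:
                ent["match_acls"].extend(m.group(1).split())
            m = re.match(r"set ip next-hop (\S+)", entry)
            if m:
                ent["set_next_hop"] = m.group(1)
    return acls, rmaps

def find_deny_aces(acls, rmaps) -> List[Tuple[str, int, str, str]]:
    """List (route-map, seq, acl, ace) for every deny ACE a PBR match can hit."""
    findings = []
    for rm, seqs in rmaps.items():
        for seq, ent in sorted(seqs.items()):
            for acl in ent["match_acls"]:
                for ace in acls.get(acl, []):
                    if ace.startswith("deny "):
                        findings.append((rm, seq, acl, ace))
    return findings

def split_acl(acl_name: str, aces: List[str], rm_name: str, seq: int,
              internal_next_hop: str, external_next_hop: str) -> str:
    """Rewrite a deny-then-permit ACL into two permit-only ACLs and two sequences.

    First-match semantics only survive the split if every deny precedes every
    permit, so interleaved lists are refused rather than silently reordered.
    """
    seen_permit = False
    for a in aces:
        if a.startswith("permit "):
            seen_permit = True
        elif a.startswith("deny ") and seen_permit:
            raise ValueError(f"{acl_name}: deny after permit, cannot split safely: {a}")
    denies = [a[len("deny "):] for a in aces if a.startswith("deny ")]
    permits = [a[len("permit "):] for a in aces if a.startswith("permit ")]
    out = [f"ip access-list extended {acl_name}_1"]
    out += [f" permit {a}" for a in denies]          # former denies: keep on normal path
    out.append(f"ip access-list extended {acl_name}_2")
    out += [f" permit {a}" for a in permits]         # former permits: steer to the new hop
    out += [f"route-map {rm_name} permit {seq}",
            f" match ip address {acl_name}_1",
            f" set ip next-hop {internal_next_hop}",
            f"route-map {rm_name} permit {seq + 10}",
            f" match ip address {acl_name}_2",
            f" set ip next-hop {external_next_hop}"]
    return "\n".join(out)

if __name__ == "__main__":
    acls, rmaps = parse_config(SAMPLE_CONFIG)
    for rm, seq, acl, ace in find_deny_aces(acls, rmaps):
        print(f"route-map {rm} seq {seq} -> ACL {acl}: punted deny ACE: {ace}")
    # 10.3.3.254 is an assumed internal gateway, standing in for YOUR_Default_Gateway.
    print(split_acl("Hosted_Security", acls["Hosted_Security"],
                    "Hosted_Security", 10, "10.3.3.254", "192.168.42.10"))
```

Run it against a `show running-config` dump instead of the embedded sample to audit a box before enabling PBR; the `ValueError` path is deliberate, since an ACL with permits interleaved between denies changes meaning when split and needs a hand rewrite.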