02-07-2013 09:37 PM - edited 03-07-2019 11:35 AM
Hello,
I have an issue whereby I have a Cisco 3750 stack and multiple gateways coming off this stack. Particular VLANs should use a certain gateway, so for this I have configured PBR and applied it to the VLANs. When doing this though, I have seen that inter-VLAN routing stopped working, as I was sending all traffic to the gateway using an (any). So to prevent this I applied a 'deny' for the subnet to itself, which has rectified the inter-VLAN routing; however it means all packets are now processed by the CPU, causing issues.
Snippet of configuration looks like this:
interface Vlan150
description CUSTOMER_Management
ip address 10.150.10.254 255.255.255.0
ip access-group RESTRICT-ACCESS-TO-CUSTOMER in
ip policy route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER
!
interface Vlan151
description CUSTOMER_Server
ip address 10.150.20.254 255.255.255.0
ip policy route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER
!
interface Vlan152
description CUSTOMER_Workstation
ip address 10.150.40.254 255.255.255.0
ip helper-address 10.150.20.10
ip policy route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER
!
ip access-list extended INTERNAL-to-FIREWALL-CUSTOMER-ACL
deny ip 10.150.0.0 0.0.255.255 10.150.0.0 0.0.255.255***[ISSUE LINE]***
permit ip 10.150.0.0 0.0.255.255 any
!
route-map INTERNAL-to-GATEWAY-ASA-CUSTOMER permit 10
match ip address INTERNAL-to-FIREWALL-CUSTOMER-ACL
set ip next-hop 10.150.100.1
Any assistance would be greatly appreciated.
Regards,
Ben
02-08-2013 08:11 PM
Hello Ben,
Could you please attach the following outputs.
show proc cpu sort | ex 0.00
show proc cpu hist
show int vlan 150 switching
Cheers,
AB
02-08-2013 11:32 PM
Hi AB,
Show proc cpu sorted | ex 0.0
CPU utilization for five seconds: 45%/28%; one minute: 37%; five minutes: 20%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
82 6122929 78343095 78 9.74% 6.91% 2.64% 0 HLFM address lea
221 5251164 34922310 150 0.63% 0.38% 0.26% 0 Spanning Tree
9 6426258 7680065 836 0.47% 0.24% 0.22% 0 ARP Input
156 3617574 3171953 1140 0.31% 0.16% 0.12% 0 HRPC qos request
325 1278 3311 385 0.15% 0.34% 0.19% 1 Virtual Exec
#sh int vlan 150 swit
% Vl150 is not a switchable port
Thank you,
Ben
02-08-2013 11:33 PM
Apparently the way around this issue is to add all Internet routes to the ACL only, as follows; this seems to be working:
ip access-list extended INTERNAL-to-FIREWALL-CUSTOMER-ACL
permit ip 10.150.0.0 0.0.255.255 1.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255 2.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255 4.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255 8.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255 11.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255 12.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255 16.0.0.0 15.255.255.255
permit ip 10.150.0.0 0.0.255.255 32.0.0.0 31.255.255.255
permit ip 10.150.0.0 0.0.255.255 64.0.0.0 63.255.255.255
permit ip 10.150.0.0 0.0.255.255 128.0.0.0 31.255.255.255
permit ip 10.150.0.0 0.0.255.255 160.0.0.0 7.255.255.255
permit ip 10.150.0.0 0.0.255.255 168.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255 172.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255 173.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255 174.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255 176.0.0.0 15.255.255.255
permit ip 10.150.0.0 0.0.255.255 192.0.0.0 0.127.255.255
permit ip 10.150.0.0 0.0.255.255 192.128.0.0 0.31.255.255
permit ip 10.150.0.0 0.0.255.255 192.160.0.0 0.7.255.255
permit ip 10.150.0.0 0.0.255.255 192.169.0.0 0.0.255.255
permit ip 10.150.0.0 0.0.255.255 192.170.0.0 0.1.255.255
permit ip 10.150.0.0 0.0.255.255 192.172.0.0 0.3.255.255
permit ip 10.150.0.0 0.0.255.255 192.176.0.0 0.15.255.255
permit ip 10.150.0.0 0.0.255.255 192.192.0.0 0.63.255.255
permit ip 10.150.0.0 0.0.255.255 193.0.0.0 0.255.255.255
permit ip 10.150.0.0 0.0.255.255 194.0.0.0 1.255.255.255
permit ip 10.150.0.0 0.0.255.255 196.0.0.0 3.255.255.255
permit ip 10.150.0.0 0.0.255.255 200.0.0.0 7.255.255.255
permit ip 10.150.0.0 0.0.255.255 208.0.0.0 15.255.255.255
02-08-2013 11:35 PM
Hi,
Can you please check whether you have configured any static route pointing to an interface instead of an IP?
Thanks
02-09-2013 02:49 AM
Hi friend... can you please tell me how many routes there are in the routing table? As the 3750 on the desktop routing template will support a maximum of up to 8K routes. If there are more than 7K routes it will show high CPU... beyond this you can check the TCAM table.
Now, as you are using policy-based routing, it can cause high CPU utilization.
02-09-2013 02:55 AM
Hi friend...
82 6122929 78343095 78 9.74% 6.91% 2.64% 0 HLFM address lea
HLFM is the IP forwarding manager process; this utilization is due to the PBR configured. Try to reduce the entries in the ACL by summarising it.
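Both the workaround above (enumerating the Internet ranges as permit entries so the PBR ACL needs no deny line) and the advice here to summarise that ACL come down to one computation: carve the site's own prefixes out of 0.0.0.0/0 and emit the minimal set of CIDR blocks as wildcard-mask entries. The script below is an added example, not code from the thread; it uses only the Python standard library (ipaddress, 3.7 or later) and the exclusion list is constructed to match what the hand-written list leaves out (0/8, 10/8, 192.168/16 and 224/3).

```python
import ipaddress
from typing import Iterable, List

# Constructed for this example: the destinations the PBR must NOT send to
# the firewall. These are exactly the gaps in the hand-written list in the
# thread (it starts at 1.0.0.0, skips 10/8 and 192.168/16, stops at 223).
SITE_EXCLUDES = ["0.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16", "224.0.0.0/3"]


def covering_blocks(exclude: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Minimal CIDR blocks covering all of IPv4 except the `exclude` prefixes."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in (ipaddress.ip_network(e) for e in exclude):
        kept = []
        for block in remaining:
            if block.subnet_of(ex):      # block is inside (or equal to) the hole
                continue
            if ex.subnet_of(block):      # carve the hole out of this block
                kept.extend(block.address_exclude(ex))
            else:                        # disjoint: keep the block untouched
                kept.append(block)
        remaining = kept
    # collapse_addresses merges adjacent blocks into the fewest CIDRs
    return list(ipaddress.collapse_addresses(remaining))


def acl_entries(src: str, exclude: Iterable[str]) -> List[str]:
    """Render the covering blocks as IOS extended-ACL lines (wildcard masks)."""
    s = ipaddress.ip_network(src)
    return [
        f"permit ip {s.network_address} {s.hostmask} "
        f"{n.network_address} {n.hostmask}"
        for n in covering_blocks(exclude)
    ]


def policy_routed(dst: str, exclude: Iterable[str]) -> bool:
    """True if `dst` matches the ACL, i.e. would be sent to the PBR next hop."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in covering_blocks(exclude))


if __name__ == "__main__":
    print("ip access-list extended INTERNAL-to-FIREWALL-CUSTOMER-ACL")
    for line in acl_entries("10.150.0.0/16", SITE_EXCLUDES):
        print(" " + line)
```

With these exclusions the collapsed list has 23 entries instead of the 29 in the thread (for instance 128.0.0.0/3 through 176.0.0.0/4 fold into a single 128.0.0.0/2), and `policy_routed` lets you confirm that a 10.150.x.x destination is never matched, so inter-VLAN traffic stays on the normal routing path.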
02-18-2013 09:03 PM
Hi All,
The solution was to add the full Internet range to the PBR, thus leaving no deny statements.
Regards,
Ben
Sent from Cisco Technical Support iPhone App