question with pbr on cat4500 with V-10G

weiguo.kuang
Level 1

Environment/Situation:

The cat4500 with supervisor V-10G is used inside an Internet DMZ, running 12.2(32). It has about 100 entries in its routing table, mostly 10.x.x.x or 192.168.x.x, and uses a default network to point back to the Internet.

Now a load balancer is used and connected to this c4500. Users in subnet 10.100.0.0/16 are to use the load balancer to reach the Internet, while others do not need to go through the load balancer. Subnet 10.100.0.0/16 is connected to Gi 2/3, so I suppose the following PBR can be used:

ip access-list extended nonRFC1918_ACL
     1  deny ip any 10.0.0.0 0.255.255.255
     2  deny ip any 192.168.0.0 0.0.255.255
     3  deny ip any 172.16.0.0 0.15.255.255
     10 permit ip 10.100.0.0 0.0.255.255 any
!
route-map test permit 10
match ip address nonRFC1918_ACL
set ip next-hop 63.53.x.y
!
interface GigabitEthernet2/3
ip policy route-map test

My question is:

With this supervisor V-10G, what can be expected regarding the PBR performance?

The configuration guide reads:

The Catalyst 4500 switching engine supports matching a "set next-hop" route-map action with a packet on a permit ACL. All other route-map actions, as well as matches of deny ACLs, are supported by a flow switching model. In this model, the first packet on a flow that matches a route-map is delivered to the software for forwarding. Software determines the correct destination for the packet and installs an entry into the TCAM so that future packets on that flow are switched in hardware. The Catalyst 4500 switching engine supports a maximum of 4096 flows.

Will the above PBR with ACL "nonRFC1918_ACL" be supported by a flow switching model? What are the timeouts for the flows? What will happen if there are more than 4096 flows with source IPs from 10.100/16? Thanks much.


3 Replies

Jon Marshall
Hall of Fame

As far as I know, basically yes, it will use the flow model because you have deny statements in your ACL. So, as it says, the first packet is sent to the main CPU for a forwarding decision.

The TCAM is a limited resource so if there are more than 4096 flows then some traffic won't be forwarded. But be aware that TCAM entries like this are not permanent so they will get reused and the TCAM is used for more than just PBR so you should be okay there.

The main issue when using deny statements is performance in terms of overhead on main CPU. You can only really see the effect by applying it and seeing what happens.

By the way, is Gi 2/3 a routed port or an L2 switchport? If it is an L2 switchport then you don't apply the PBR there but on the L3 VLAN interface for that subnet.

Jon

Thanks. I forgot to mention that Gi 2/3 is a Layer 3 port.

How about using the following instead (assuming there are routing entries for the private IP ranges):

ip access-list extended RFC1918_ACL
     1  permit ip any 10.0.0.0 0.255.255.255
     2  permit ip any 192.168.0.0 0.0.255.255
     3  permit ip any 172.16.0.0 0.15.255.255
ip access-list extended nonRFC1918_ACL
     10 permit ip 10.100.0.0 0.0.255.255 any
!
route-map test deny 10
match ip address RFC1918_ACL
route-map test permit 20
match ip address nonRFC1918_ACL
set ip next-hop 63.53.x.y
!
interface GigabitEthernet4/4
! this is used as a L3 port
ip policy route-map test


Yes, that would be a better way to do it as you now don't have any deny statements and it will all be done in hardware.

Jon
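The following is an added example, not Cisco code and not from either poster. It models the rule in the configuration-guide paragraph quoted in the question (only a permit-ACE match combined with "set ip next-hop" is matched fully in hardware; a deny-ACE match or any other set action goes through the flow model whose first packet is punted to the CPU) and runs both route-maps from this thread through it. Two points are assumptions of the model rather than statements from the guide: a packet that matches no ACE falls through to the next route-map clause and ends in normal hardware routing, and a matched route-map deny clause is treated as normal hardware routing, which is the reading of the accepted answer. The flow key is simplified to (source, destination) and "63.53.x.y" is kept as the opaque next-hop string the poster used.

```python
# Added example (not Cisco code, not from the thread): a model of the Catalyst
# 4500 PBR decision from the quoted configuration-guide paragraph. It reports,
# per packet, the next hop and whether the packet stays on the hardware path or
# lands on the 4096-entry flow-switching path.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set, Tuple

ANY = IPv4Network("0.0.0.0/0")
MAX_FLOWS = 4096  # limit quoted from the configuration guide


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Translate an IOS 'address wildcard' pair into an IPv4Network."""
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return IPv4Network((addr, str(IPv4Address(mask))), strict=False)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'permit|deny ip <src> <dst>' ACEs; a leading sequence number is dropped."""
    aces: List[Ace] = []
    for line in lines:
        tok = line.split()
        if tok and tok[0].isdigit():
            tok = tok[1:]
        action, proto, rest = tok[0], tok[1], tok[2:]
        if proto != "ip":
            raise ValueError("this example only handles 'ip' entries: " + line)
        nets: List[IPv4Network] = []
        while rest:
            if rest[0] == "any":
                nets.append(ANY)
                rest = rest[1:]
            elif rest[0] == "host":
                nets.append(IPv4Network(rest[1] + "/32"))
                rest = rest[2:]
            else:
                nets.append(wildcard_to_network(rest[0], rest[1]))
                rest = rest[2:]
        aces.append(Ace(action, nets[0], nets[1]))
    return aces


def acl_lookup(aces: List[Ace], src: IPv4Address, dst: IPv4Address) -> Optional[str]:
    """First-match ACL evaluation; None means no explicit ACE matched."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return None


@dataclass(frozen=True)
class Clause:
    seq: int
    action: str  # route-map "permit" or "deny"
    acl: str
    next_hop: Optional[str] = None  # value of "set ip next-hop", if any


@dataclass(frozen=True)
class Decision:
    next_hop: Optional[str]  # None means normal destination-based routing
    path: str  # "hardware" or "flow"
    reason: str


def policy_route(route_map: List[Clause], acls: Dict[str, List[Ace]], src: str, dst: str) -> Decision:
    s, d = IPv4Address(src), IPv4Address(dst)
    for cl in sorted(route_map, key=lambda c: c.seq):
        hit = acl_lookup(acls[cl.acl], s, d)
        if hit is None:
            continue  # assumption: no ACE matched, try the next clause
        if hit == "deny":
            return Decision(None, "flow", f"deny ACE in {cl.acl} matched: flow model per guide")
        if cl.action == "deny":
            # assumption following the accepted answer: normal routing, stays in hardware
            return Decision(None, "hardware", f"route-map seq {cl.seq} deny: normal routing")
        if cl.next_hop:
            return Decision(cl.next_hop, "hardware", f"permit ACE + set ip next-hop at seq {cl.seq}")
        return Decision(None, "flow", f"seq {cl.seq}: set action other than next-hop, flow model per guide")
    return Decision(None, "hardware", "no clause matched: normal routing")


def flow_table_usage(route_map, acls, packets: List[Tuple[str, str]]) -> Tuple[int, bool]:
    """Count distinct (src, dst) flows that land on the flow path (simplified flow key)."""
    flows: Set[Tuple[str, str]] = set()
    for src, dst in packets:
        if policy_route(route_map, acls, src, dst).path == "flow":
            flows.add((src, dst))
    return len(flows), len(flows) > MAX_FLOWS


# The poster's first configuration (deny ACEs inside the ACL).
ORIGINAL_ACLS = {"nonRFC1918_ACL": parse_acl([
    "1 deny ip any 10.0.0.0 0.255.255.255",
    "2 deny ip any 192.168.0.0 0.0.255.255",
    "3 deny ip any 172.16.0.0 0.15.255.255",
    "10 permit ip 10.100.0.0 0.0.255.255 any",
])}
ORIGINAL_MAP = [Clause(10, "permit", "nonRFC1918_ACL", "63.53.x.y")]

# The poster's revised configuration (permit-only ACLs, deny moved to the route-map).
REVISED_ACLS = {
    "RFC1918_ACL": parse_acl([
        "1 permit ip any 10.0.0.0 0.255.255.255",
        "2 permit ip any 192.168.0.0 0.0.255.255",
        "3 permit ip any 172.16.0.0 0.15.255.255",
    ]),
    "nonRFC1918_ACL": parse_acl(["10 permit ip 10.100.0.0 0.0.255.255 any"]),
}
REVISED_MAP = [Clause(10, "deny", "RFC1918_ACL"), Clause(20, "permit", "nonRFC1918_ACL", "63.53.x.y")]

if __name__ == "__main__":
    # Constructed sample packets: 198.51.100.7 stands in for an Internet host.
    samples = [("10.100.1.1", "198.51.100.7"), ("10.100.1.1", "10.2.3.4"), ("10.50.1.1", "192.168.1.1")]
    for name, rmap, acls in (("original", ORIGINAL_MAP, ORIGINAL_ACLS), ("revised", REVISED_MAP, REVISED_ACLS)):
        for src, dst in samples:
            print(name, src, "->", dst, policy_route(rmap, acls, src, dst))
```

Running the block shows the difference the accepted answer points at: with the original ACL, every packet to a private destination (including packets from sources outside 10.100/16, since the deny ACEs say "any") hits a deny ACE and takes the flow path, while with the revised route-map the same packets end at a route-map deny clause and are routed normally. The flow_table_usage helper is a rough way to estimate how many distinct flows such traffic would push toward the 4096-entry limit.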
