07-25-2013 05:48 AM - edited 03-07-2019 02:35 PM
Hello,
I have a route-map configured and bound to one of my VLAN interfaces to route all VLAN traffic to a particular destination IP.
We have matched an access list in sequence 10 wherein we permit and deny a few IPs. There is no match for sequence 20; however, we have huge packets hitting this. I would like to know what the role of sequence 20 is in this route map and whether there will be any impact if we remove this sequence?
route-map SWG-PROXY, permit, sequence 10
  Match clauses:
    ip address (access-lists): SWG-PROXY-TRAFFIC
  Set clauses:
    ip next-hop 10.226.32.74
  Policy routing matches: 6815244 packets, 644209072 bytes
route-map SWG-PROXY, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 254379497 packets, 771322447 bytes
Thanks
Soumya
07-25-2013 06:13 AM
Hi,
Sequence 20 is an empty permit clause, which allows all other routes that are not included in sequence 10 and the access list. So, you need sequence 20 to allow everything else.
HTH
07-25-2013 06:44 AM
Hi Reza,
In a PBR route-map you don't need an empty explicit route-map sequence because what is not matched in the first sequence will simply be routed by RIB. It's totally different from a route-map used in BGP for example.
I don't see the need for this entry then and debug ip policy would show us these traffics to be not policy-routed.
Regards
Alain
Don't forget to rate helpful posts.
07-25-2013 06:50 AM
Hi Alain and Gabriel,
Appreciate the correction and clarification!
Reza
07-25-2013 06:32 AM
Hello Soumya,
I think I am going to disagree with Reza on this.
If you're using this route-map for pure PBR purposes (no route redistribution), then there is no need for a default permit statement at the end of your policy. Since there is no "set" statement, the IOS will be using the routing table for the routing decisions. You will not see any impact if you remove the last sequence.
I have the following route-map on a 6500:
route-map SA permit 10
 match ip address 100
 set ip next-hop 192.168.x.x
I have nothing other than sequence 10. The traffic that doesn't match access list 100, gets sent to the routing table.
- Gabriel
07-25-2013 07:36 AM
Thank you all. Will it cause any CPU utilization issue?
07-25-2013 07:40 AM
Hello Soumya,
No, by removing that sequence you should not see additional CPU usage.
- Gabriel
07-25-2013 07:57 AM
Hello Gabriel,
Sorry, looks like my question was not clear. If I keep this sequence with no match, will it cause any CPU issue? I can see huge packets hitting this.
Thanks
soumya
07-25-2013 08:00 AM
In a 6500, this configuration can cause a HARD_BRIDGE_RESULT to be programmed in the TCAM, causing every packet that doesn’t match the policy to be punted to the MSFC, resulting in possible high CPU. The amount of increase in the CPU would depend on the rate of the traffic hitting the empty route map. I assume other hardware can have similar issues.
In my experience, it is best not to have the empty sequence.
07-25-2013 08:07 AM
Hello Gabriel,
Thanks for the clarification. I will remove this sequence from the route-map. I was confused whether it was permitting other traffic which doesn't match the first access list included in sequence 10.
Soumya
07-25-2013 10:47 AM
Hi Gabriel,
What you said regarding the HARD_BRIDGE_RESULT sounds really interesting. Do you have any reference documents that would explain this more, please?
Regards
Umesh Shetty