06-18-2013 12:35 AM - edited 03-07-2019 01:56 PM
Hi all
We have a 3560 switch running interface VLANs, with a route-map applied on the VLAN interfaces, but traffic between the VLAN interfaces is slow. I tried applying "ip route-cache policy", but it does not work:
interface Vlan15
ip address 10.0.113.33 255.255.255.224
ip route-cache policy
ip policy route-map abc
end
When anyone downloads a file from the Internet or copies a file between 2 PCs in 2 different VLANs, it affects all other traffic.
Please help me.
Thanks all
06-18-2013 05:37 AM
Hi Pham,
interface Vlan15
ip address 10.0.113.33 255.255.255.224
ip route-cache policy
ip policy route-map abc
load-interval 30
end
and put the command
show interface vlan 15.
06-18-2013 06:22 PM
Hi
I did what you mean:
SW3560-III#show interfaces vlan 15
Vlan15 is up, line protocol is up
Hardware is EtherSVI, address is 001d.4500.374a (bia 001d.4500.374a)
Internet address is 10.0.113.33/27
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/24/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 60000 bits/sec, 74 packets/sec
30 second output rate 1000 bits/sec, 1 packets/sec
47685052 packets input, 9135002381 bytes, 0 no buffer
Received 0 broadcasts (1149 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
10528919 packets output, 11268110056 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
SW3560-III#show run interfaces vlan 15
interface Vlan15
ip address 10.0.113.33 255.255.255.224
ip route-cache same-interface
ip route-cache policy
ip policy route-map proxy
load-interval 30
end
That is the output you wanted to see. Please help me.
Many thanks
06-19-2013 06:45 PM
Hi all
Please help me. When the slow inter-VLAN traffic issue occurs, the CPU process is about 42%.
Please help me.
Many thanks
06-19-2013 08:53 PM
Can you post your policy map configuration? You may have an unsupported config causing traffic to be punted. Also, what SDM template are you using?
Thanks Dale
Sent from Cisco Technical Support iPhone App
06-19-2013 09:04 PM
Hi
Thanks for your reply.
My route-map:
route-map proxy permit 10
match ip address Acl_Proxy
set ip next-hop 172.18.32.74
Extended IP access list Acl_Proxy
deny ip any x.x.x.x (x.x.x.x = local network)
permit ip any any (go to Internet)
SW3560-III#show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.75K
number of IPv4/MAC security aces: 1K
Please help me.
Many thanks
06-19-2013 09:36 PM
Pham,
Change your ACL. The 3750 will punt traffic hitting a deny ACE in PBR. This can lead to high CPU and slow performance. You will need to modify your permit statements to be more granular to get the behavior you want. Remember, if it is not permitted it is the same as a deny. Any packet not classified by the ACL will follow the route in the RIB instead of the next-hop defined. You also cannot use deny statements in the route-map itself, and verify you have at least the IP Services feature set.
Here is a link to the configuration guide that will give you all the gotchas
Regards,
Dale
06-19-2013 11:49 PM
Dear Dale
Thank you for your reply.
My 3560 switch has many VLAN interfaces:
interface Vlan15
ip address 10.0.113.33 255.255.255.224
ip route-cache same-interface
ip route-cache policy
ip policy route-map proxy
load-interval 30
!
interface Vlan16
ip address 10.0.113.65 255.255.255.224
ip route-cache policy
ip policy route-map proxy
!
.....
My local subnet: 10.0.0.0/8, .....
The end users need to access the local network following the routing table in SW3560, and when accessing the Internet go to the proxy via the route-map, so:
Extended IP access list Acl_Proxy
permit ip any any (go to Internet)
But with this ACL, every access goes to the route-map, so I added "deny ip any x.x.x.x (local network)" to the ACL to be able to access the local network. Please help me with the ACL you mean in your previous reply.
Many thanks
06-20-2013 06:01 AM
Pham,
Here are the guidelines and restrictions from the configuration guide. As you can see, I have highlighted that the ACL in your route-map will lead to traffic being punted because you have a deny ACE (deny ip any x.x.x.x). To restrict the traffic from the end user to the proxy, specify the source of the traffic.
Example:
route-map Internet permit 10
match ip address Acl_Proxy
set ip next-hop 172.18.32.74
Extended IP access list ACL_proxy
10 permit tcp 10.0.0.0 0.255.255.255 any eq www
20 permit tcp 10.0.0.0 0.255.255.255 any eq 443
Before configuring PBR, you should be aware of this information:
•To use PBR, you must have the IP services image installed on the stack master.
•Multicast traffic is not policy-routed. PBR applies only to unicast traffic.
•You can enable PBR on a routed port or an SVI.
•The switch does not support route-map deny statements for PBR.
•You can apply a policy route map to an EtherChannel port channel in Layer 3 mode, but you cannot apply a policy route map to a physical interface that is a member of the EtherChannel. If you try to do so, the command is rejected. When a policy route map is applied to a physical interface, that interface cannot become a member of an EtherChannel.
•You can define a maximum of 246 IP policy route maps on the switch stack.
•You can define a maximum of 512 access control entries (ACEs) for PBR on the switch stack.
•When configuring match criteria in a route map, follow these guidelines:
–Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flapping.
–Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.
•To use PBR, you must first enable the routing template by using the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template. For more information on the SDM templates, see Chapter 8, "Configuring SDM Templates."
•VRF and PBR are mutually exclusive on a switch interface. You cannot enable VRF when PBR is enabled on an interface. The reverse is also true, you cannot enable PBR when VRF is enabled on an interface.
•Web Cache Communication Protocol (WCCP) and PBR are mutually exclusive on a switch interface. You cannot enable WCCP when PBR is enabled on an interface. The reverse is also true, you cannot enable PBR when WCCP is enabled on an interface.
•The number of TCAM entries used by PBR depends on the route map itself, the ACLs used, and the order of the ACLs and route-map entries.
•Policy-based routing based on packet length, TOS, set interface, set default next hop, or set default interface are not supported. Policy maps with no valid set actions or with set action set to Don't Fragment are not supported.
•The switch supports quality of service (QoS) DSCP and IP precedence matching in PBR route maps, with these limitations:
–You cannot apply QoS DSCP mutation maps and PBR route maps to the same interface.
–You cannot configure DSCP transparency and PBR DSCP route maps on the same switch.
–When you configure PBR with QoS DSCP, you can set QoS to be enabled (by entering the mls qos global configuration command) or disabled (by entering the no mls qos command). When QoS is enabled, to ensure that the DSCP value of the traffic is unchanged, you should configure a DSCP trust state on the port where traffic enters the switch by entering the mls qos trust dscp interface configuration command. If the trust state is not DSCP, by default all nontrusted traffic would have the DSCP value marked as 0.
06-20-2013 06:02 AM
Pham,
The example must have the same name, my mistake.
Example:
route-map Internet permit 10
match ip address Acl_Proxy
set ip next-hop 172.18.32.74
Extended IP access list Acl_Proxy
10 permit tcp 10.0.0.0 0.255.255.255 any eq www
20 permit tcp 10.0.0.0 0.255.255.255 any eq 443
Regards,
Dale
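As an added illustration (not code from the thread or from Cisco), the following Python checks a PBR route-map and its matched ACL against the guideline points quoted above: no deny ACEs in the matched ACL, no route-map deny statements, and a matched ACL that actually exists (IOS named ACLs are case-sensitive, which is the ACL_proxy/Acl_Proxy slip corrected in the last reply). The sample configs are constructed from the thread, assuming the poster's local network is 10.0.0.0/8 as stated.

```python
import re

def parse(config):
    # Returns (route-map entries, {acl name: [(action, body), ...]}) from IOS-style text.
    maps, acls, cur = [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"route-map (\S+) (permit|deny) (\d+)", line):
            maps.append({"name": m[1], "action": m[2], "seq": int(m[3]), "acl": None}); cur = None
        elif maps and (m := re.match(r"match ip address (\S+)", line)):
            maps[-1]["acl"] = m[1]
        elif m := re.match(r"Extended IP access list (\S+)", line):
            cur, acls[m[1]] = m[1], []
        elif cur and (m := re.match(r"(?:\d+ )?(permit|deny) (.*)", line)):
            acls[cur].append((m[1], m[2]))
    return maps, acls

def lint_pbr(config):
    # Applies the guideline points quoted in the thread; returns a list of findings (empty means clean).
    maps, acls = parse(config)
    out = []
    for rm in maps:
        where = f"route-map {rm['name']} seq {rm['seq']}"
        if rm["action"] == "deny":
            out.append(f"ERROR {where}: route-map deny statements are not supported for PBR")
        if rm["acl"] is None:
            continue
        if rm["acl"] not in acls:  # named ACLs are case-sensitive, so ACL_proxy != Acl_Proxy
            out.append(f"ERROR {where}: matched ACL '{rm['acl']}' is not defined")
            continue
        for action, body in acls[rm["acl"]]:
            if action == "deny":
                out.append(f"ERROR {where}: ACL {rm['acl']} deny ACE '{body}' sends matching packets to the CPU")
            elif body.split()[:3] == ["ip", "any", "any"]:
                out.append(f"WARN {where}: ACL {rm['acl']} 'permit ip any any' policy-routes all traffic, not only Internet-bound")
    return out

# Constructed samples: the poster's ACL (local network assumed 10.0.0.0/8, as stated in the thread)
# and Dale's corrected version with permit-only ACEs scoped to the internal source range.
ORIGINAL = """route-map proxy permit 10
 match ip address Acl_Proxy
 set ip next-hop 172.18.32.74
Extended IP access list Acl_Proxy
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any"""
CORRECTED = """route-map Internet permit 10
 match ip address Acl_Proxy
 set ip next-hop 172.18.32.74
Extended IP access list Acl_Proxy
 10 permit tcp 10.0.0.0 0.255.255.255 any eq www
 20 permit tcp 10.0.0.0 0.255.255.255 any eq 443"""
```

Running `lint_pbr(ORIGINAL)` reports the deny ACE that gets punted plus the catch-all permit, while `lint_pbr(CORRECTED)` returns no findings.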
06-20-2013 07:31 PM
Thanks Dale