Thanks. Forgot to mention the Gi 2/3 is a layer 3 port. How about using the following piece (supposing there are routing entries for the private IP ranges):

ip access-list extended RFC1918_ACL
 1 permit ip any 10.0.0.0 0.255.255.255
 2 permit ip any 192.168.0.0 0.0.255.255
 3 permit ip any 172.16.0.0 0.15.255.255
ip access-list extended nonRFC1918_ACL
 10 permit ip 10.100.0.0 0.0.255.255 any
!
route-map test deny 10
 match ip address RFC1918_ACL
route-map test permit 20
 match ip address nonRFC1918_ACL
 set ip next-hop 63.53.x.y
!
interface GigabitEthernet4/4
 ! this is used as a L3 port
 ip policy route-map test
Environment/Situation: The cat4500 with Supervisor V-10G is used inside an Internet DMZ, running 12.2(32). It has about 100 entries in the routing table, most of them 10.x.x.x or 192.168.x.x, and uses a default network to point back to the Internet. Now a load balancer is used and connected to this c4500. Users in subnet 10.100.0.0/16 are to use the load balancer to reach the Internet, while others do not need to go through the load balancer. Subnet 10.100.0.0/16 is connected to Gi 2/3. So suppose the following PBR can be used:

ip access-list extended nonRFC1918_ACL
 1 deny ip any 10.0.0.0 0.255.255.255
 2 deny ip any 192.168.0.0 0.0.255.255
 3 deny ip any 172.16.0.0 0.15.255.255
 10 permit ip 10.100.0.0 0.0.255.255 any
!
route-map test permit 10
 match ip address nonRFC1918_ACL
 set ip next-hop 63.53.x.y
!
interface GigabitEthernet2/3
 ip policy route-map test

My question is: With this Supervisor V-10G, what can be expected regarding the PBR performance? In the configuration guide, it reads:

"The Catalyst 4500 switching engine supports matching a "set next-hop" route-map action with a packet on a permit ACL. All other route-map actions, as well as matches of deny ACLs, are supported by a flow switching model. In this model, the first packet on a flow that matches a route-map is delivered to the software for forwarding. Software determines the correct destination for the packet and installs an entry into the TCAM so that future packets on that flow are switched in hardware. The Catalyst 4500 switching engine supports a maximum of 4096 flows."

Will the above PBR with ACL "nonRFC1918_ACL" be supported by a flow switching model? What are the timeouts for the flows? What will happen if there are more than 4096 flows with source IP from 10.100/16? Thanks much.
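As an added example (not from the post and not Cisco code), this Python model evaluates both configurations from the thread against sample flows under assumed standard IOS route-map semantics (an ACL deny leaves the clause unmatched and the next clause is tried; a matched deny clause means normal routing) and flags every decision that involved a deny match, which the quoted guide text says is handled by the flow-switching model rather than the hardware "set next-hop" path. The addresses 203.0.113.9, 10.200.3.3 and 10.50.1.1 are constructed; the next hop 63.53.x.y is kept as the poster wrote it.

```python
import ipaddress

# Constructed model of the two PBR configurations in the thread (not Cisco code).
# An ACE is (action, src_net, dst_net); IOS "network wildcard" pairs become networks.
def wc(net, wildcard):
    """Convert an IOS wildcard (inverse) mask into an IPv4Network."""
    bits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{net}/{ipaddress.IPv4Address(bits)}", strict=False)

ANY = ipaddress.IPv4Network("0.0.0.0/0")
RFC1918 = [wc("10.0.0.0", "0.255.255.255"), wc("192.168.0.0", "0.0.255.255"),
           wc("172.16.0.0", "0.15.255.255")]
LB_USERS = wc("10.100.0.0", "0.0.255.255")

# Version 1 (original question): deny ACEs inside one ACL under a permit clause.
NONRFC1918_ACL_V1 = [("deny", ANY, n) for n in RFC1918] + [("permit", LB_USERS, ANY)]
ROUTE_MAP_V1 = [("permit", NONRFC1918_ACL_V1, "63.53.x.y")]
# Version 2 (follow-up): permit-only ACLs, with a deny route-map clause first.
RFC1918_ACL = [("permit", ANY, n) for n in RFC1918]
ROUTE_MAP_V2 = [("deny", RFC1918_ACL, None), ("permit", [("permit", LB_USERS, ANY)], "63.53.x.y")]

def acl_match(acl, src, dst):
    """First-match lookup: 'permit', 'deny', or None for the implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return None

def pbr_decision(route_map, src, dst):
    """Walk the route-map in sequence order (assumed standard IOS semantics):
    an ACL deny or no match leaves the clause unmatched and tries the next one;
    a matched deny clause, or running off the end, means normal routing.
    Returns (outcome, via_deny); via_deny is True when a deny match took part in
    the decision, which the quoted guide says uses the flow-switching model."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    via_deny = False
    for clause, acl, next_hop in route_map:
        result = acl_match(acl, src, dst)
        if result == "deny":
            via_deny = True                  # ACE deny: fall through
        elif result == "permit":
            if clause == "permit":
                return f"next-hop {next_hop}", via_deny
            return "normal routing", True    # matched a deny clause
    return "normal routing", via_deny

if __name__ == "__main__":   # constructed flows; 203.0.113.9 stands in for an Internet host
    for src, dst in [("10.100.1.5", "203.0.113.9"), ("10.100.1.5", "10.200.3.3")]:
        print(src, dst, pbr_decision(ROUTE_MAP_V1, src, dst), pbr_decision(ROUTE_MAP_V2, src, dst))
```

Both versions policy-route the same flows, but a 10.100/16 host talking to an internal RFC1918 destination reaches "normal routing" only through a deny match in either version, so those internal flows are the ones that would count against the 4096-flow limit quoted in the post.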