[c-nsp] PBR on 6500

Darius L darius4cisco at gmail.com
Thu Jul 10 15:25:11 EDT 2008


Hello All,

I have a question about policy based routing on the Cat6500. I want to
split HTTP traffic and route it through a proxy, and route the rest of the
traffic straight to the internet.  The only thing that worries me is
whether a 6500 with a Sup720 will be powerful enough to route 1-10Gbps of
traffic with PBR. I know that the Sup720 does PBR in hardware (PFC), but I
want to match with an ACL on destination port, so it will be an L4 decision,
and I'm not sure whether it will forward in hardware or fall back to
process switching.  My configuration would look like this:

access-list 123 permit tcp any any eq 80
access-list 123 permit tcp any any eq 443
access-list 123 permit tcp any any eq ftp
!
route-map WEB permit 10
 match ip address 123
 set ip next-hop 1.2.3.4
!
interface vlan123
 ip vrf forwarding TESTS1
 ip address 2.3.4.5 255.255.255.0
 ip policy route-map WEB
 ip route-cache policy
!
I thought I would add another VRF in front of the FWSM in the 6500 and
put PBR on it.

My physical design looks like this:
(IP Cloud) <=> (Cisco SCE2020) <=>
(Cat6513Sup720 <-> FWSM <-> VRF <-> ACE <-> (OUT VRF) [rt import/export] (VRF
Internet)) <=> ASA55xx

Maybe it's worth marking "interesting" traffic on the SCE with DSCP or
something, but I checked that on the Cat6500 I can only match in a
route-map on an access-list ...
All suggestions appreciated.

Regards,
Darius
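The route-map in the message only tests the destination port of each packet, so return traffic from a web server (source port 80, high destination port) is not policy-routed. This added example, not from the original post, retypes the ACL and next-hop from the message with corrected syntax and emulates the match/set decision over constructed flows; the port-name table is a partial stand-in for IOS keyword aliases.

```python
import re

# Constructed from the message: the ACL entries and next-hop, corrected syntax.
ACL_LINES = [
    "access-list 123 permit tcp any any eq 80",
    "access-list 123 permit tcp any any eq 443",
    "access-list 123 permit tcp any any eq ftp",
]
PROXY_NEXT_HOP = "1.2.3.4"  # "set ip next-hop" target from the message

# Partial stand-in for IOS port keyword aliases (assumption, not exhaustive).
PORT_NAMES = {"ftp": 21, "www": 80, "https": 443}

# Only the "permit <proto> any any eq <port>" shape used in the message is parsed.
_ACE = re.compile(r"^access-list (\d+) permit (\w+) any any eq (\S+)$")


def parse_acl(lines):
    """Return {acl_number: [(protocol, dst_port), ...]} for 'any any eq' entries."""
    acl = {}
    for line in lines:
        m = _ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        num, proto, port = m.groups()
        dport = int(port) if port.isdigit() else PORT_NAMES.get(port)
        if dport is None:
            raise ValueError(f"unknown port keyword: {port}")
        acl.setdefault(int(num), []).append((proto, dport))
    return acl


def policy_next_hop(acl_entries, proto, src_port, dst_port):
    """Emulate 'match ip address 123' + 'set ip next-hop'.

    Like the ACL in the message, only the destination port is compared; the
    source port is ignored, so server replies never match and take the normal
    route.  Returns the next-hop, or None when the route-map falls through.
    """
    for ace_proto, ace_dport in acl_entries:
        if ace_proto == proto and dst_port == ace_dport:
            return PROXY_NEXT_HOP
    return None


def classify(flows):
    """Map each (proto, src_port, dst_port) flow to its policy next-hop or None."""
    entries = parse_acl(ACL_LINES)[123]
    return [(flow, policy_next_hop(entries, *flow)) for flow in flows]
```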

