[c-nsp] policy based routing on ES20+ card
Tony
td_miles at yahoo.com
Thu Nov 6 07:50:34 EST 2014
Hi all,
I am trying to do something fairly simple that we've done plenty of in the past, but running into issues doing it on ES20+ cards. This is in a 7609 running 12.2(33)SRD4.
The config we have is fairly simple and looks something like this:
=====
ip access-list extended to-vrf-other
 deny ip 192.168.20.0 0.0.0.255 any
 permit ip any 192.168.117.0 0.0.0.255
route-map vrfset permit 10
 match ip address to-vrf-other
 set vrf xyz
interface GigabitEthernet4/18.193
 encapsulation dot1Q 193
 ip vrf forwarding abc
 ip address 10.1.10.65 255.255.255.252
 ip policy route-map vrfset
=====
The basic idea being that if the inbound traffic matches the ACL it gets switched into a different VRF and has a different journey.
When I apply this to the interface as above, it seems to work initially, but then once there is some volume of traffic it starts to bog down and drop packets. This isn't at a very high rate either, in the order of 2mbps and I start to see 2-3% packet loss. If I keep trying to push more through, packet loss gets progressively worse.
I have been trying to find documentation that says policy based routing either is or is not supported on these cards and can't find anything. I've also looked for examples of PBR on these cards and can't find any in the doco. This doesn't mean it's not supported, but possibly just that there is no reason to have an example of this feature as it's no different to using it on anything else?
It kind of seems that it's getting punted to CPU or something, with the way the packet loss increases with throughput, but I can't see how/why that would happen on the ES20+ cards.
I have tried changing the "set" command to be either a different VRF or a specific next-hop IP address and the result is the same with the packet loss.
We have the exact same configuration working in the same box on a SIP400/SPA-5GE combination and I was expecting it to work exactly the same on the ES20+ interface but unfortunately it isn't.
Any thoughts/suggestions?
Thanks,
Tony.