35-97
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 35 Configuring IP Unicast Routing Configuring Protocol-Independent Features
You can define a maximum of 512 access control entries (ACEs) for PBR on the switch.
When configuring match criteria in a route map, follow these guidelines:
Do not match ACLs that permit packets destined for a local address. PBR would forward these
packets, which could cause ping or Telnet failure or route protocol flapping.
Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which
could cause high CPU utilization.
To use PBR, you must first enable the default template by using the sdm prefer default global
configuration command. PBR is not supported with the Layer 2 template. For more information on
the SDM templates, see Chapter 6, “Configuring SDM Templates.”
VRF and PBR are mutually-exclusive on a switch interface. You cannot enable VRF when PBR is
enabled on an interface. In contrast, you cannot enable PBR when VRF is enabled on an interface.
The number of TCAM entries used by PBR depends on the route map itself, the ACLs used, and the
order of the ACLs and route-map entries.
Policy-based routing based on packet length, IP precedence and TOS, set interface, set default next
hop, or set default interface are not supported. Policy maps with no valid set actions or with set
action set to Don’t Fragment are not supported.
Enabling PBR
By default, PBR is disabled on the switch. To enable PBR, you must create a route map that specifies
the match criteria and the resulting action if all of the match clauses are met. Then, you must enable PBR
for that route map on an interface. All packets arriving on the specified interface matching the match
clauses are subject to PBR.
PBR can be fast-switched or implemented at speeds that do not slow down the switch. Fast-switched
PBR supports most match and set commands. PBR must be enabled before you enable fast-switched
PBR. Fast-switched PBR is disabled by default.
Packets that are generated by the switch, or local packets, are not normally policy-routed. When you
globally enable local PBR on the switch, all packets that originate on the switch are subject to local PBR.
Local PBR is disabled by default.