Cisco

How to fix the speed drop when using PBR on a CISCO L3 switch (continued)?

Continuing the topic:
How to configure routing for subnets to different gateways using the CISCO 3750 L3 switch, taking into account local routing (continuation of the topic)?
Implemented the network diagram.

By default, everyone went to the Internet through Gate1 (192.168.0.1/30, the corresponding route is registered on CISCO 3750)
I made a list:
ip access-list extended VLAN40-50_Gate2
deny ip any 192.168.1.64 0.0.0.63
deny ip any 192.168.1.128 0.0. 0.63
deny ip any 192.168.1.192 0.0.0.63
permit ip 192.168.1.128 0.0.0.63 any
permit ip 192.168.1.192 0.0.0.63 any
Made a map:
route-map VLAN40-50_Gate2 permit 10
match ip address VLAN40-50_Gate2
set ip next 192.168.0.5
On the virtual interfaces VLAN40 and VLAN50, respectively, hung:
interface VLAN 40
ip address 192.168.1.129 255.255.255.192
ip policy route-map VLAN40-50_Gate2 interface
VLAN 50
ip address 192.168.1.193 255.255.255.192
ip policy route-map VLAN40-50
between VLAN30-VLAN40 and VLAN30-VLAN50 networks, the speed does not exceed 40 Mbps.
The processor load on the CISCO 3750, even when transferring data from only one computer from VLAN 40 or 50 to a computer from VLAN 30, or vice versa, rises to 40%.
VLAN40 and 50 go to the Internet at speeds up to 200 Mbps.
If I remove the use of a route map from the VLAN40 and 50 interfaces (ip policy route-map VLAN40-50_Gate2), the speed rises to the network speed (up to 1 Gb / s) (CPU load on the CISCO 3750 does not rise above 10%), but then Gate1 becomes a gateway for everyone. And accordingly the scheme does not work.
Please help the community to resolve this issue.
While crawling around the Internet, I came across a mention of the article:
https://www.cisco.com/c/en/us/td/docs/switches/lan...
which actually refers to the use of the "deny" key in the ACL in PBR:
When configuring match criteria in a route map, follow these guidelines:
– Do not match ACLs that permit packets destined for a local address. PBR would forward these packets, which could cause ping or Telnet failure or route protocol flappping.
– Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which could cause high CPU utilization.
In short, you need, on the advice of Strabbo, to use VRF. But the problem is that there is not much information on VRF. And in most cases, either unrelated VRFs or a VRF + VRF connection are considered. I need to make a bunch of VRF + GRT, because. VLAN30 already exists (it is large and it is not possible to make changes to it). It is necessary to reduce its size by isolating specific machines and separating others into segments transferred to VRF with access through another gateway.