BGP and PBR

Aug 12th, 2007

Hi,


Enclosed is the network config. We have three networks behind the BGP router. We let BGP find the best route for outbound traffic in router 1 (the BGP router gateway).


However, we must force one server to always go to "ISP A". The R1 config is as follows:


!
! R1
!
interface FastEthernet0/0
 description connect to ISP A
 ip address 150.x.x.1 255.255.255.252
!
interface FastEthernet0/1
 description connect to ISP B
 ip address 160.x.x.1 255.255.255.252
!
interface FastEthernet0/3
 description connect to DMZ
 ip address 170.x.x.1 255.255.255.0
 ip policy route-map GO_ISPA
!
access-list 20 permit host 202.1.1.50
!
route-map GO_ISPA permit 10
 match ip address 20
 set ip next-hop 150.x.x.1
!
route-map GO_ISPA permit 20
!
! --- end ---


Based on the above config,

- the 202.1.1.50 server always goes to ISP A, even if the ISP A link is down

- the "route-map GO_ISPA permit 20" will do nothing. Network2 and network3 can enjoy the BGP feature to find the best routes to the outside internet for them (200.x.x.x/24 and 201.x.x.x/24). They will not be affected by the policy-based routing "GO_ISPA".


If we do not put "route-map GO_ISPA permit 20", all networks cannot go to the internet because the route-map denies them.


Is it correct? Please advise.


Best regards



Edison Ortiz Sun, 08/12/2007 - 07:24

> - the 202.1.1.50 server always go to ISPA even the ISPA link down


______________________


It depends. If Fa0/0 is down/down, the packet will be routed normally to the other links by following the internal routing table.


If Fa0/0 is up/up but a downstream connection is down, the packet will be policy routed.


__________________________


> - the "route-map GO_ISPA permit 20" will do nothing. Network2 and network3 can enjoy the BGP feature to find the best routes to the outside internet for them (200.x.x.x/24 and 201.x.x.x/24). They will not be affected by the policy-based routing "GO_ISPA"


_____________________________


That is correct. In your ACL, you only specified the host IP, not the whole network.

No need for another route-map statement.




leungcm Sun, 08/12/2007 - 07:51

Hi,


Sorry, I cannot follow your idea in the following:


---

If depends. If Fa0/0 is down/down, the packet will be routed normally to the other links by following the internal routing table.


>> If we implement the PBR on Fa 0/2, the packet will not go to another link if Fa0/0 is down. Am I right?



If Fa0/0 is up/up but a downstream connection is down, the packet will be policy routed.


>> I cannot catch your idea. Could you explain more?

----


Best regards



Edison Ortiz Sun, 08/12/2007 - 08:18

When you configure PBR with the 'set ip next-hop' option, the packet will be policy routed first and if it fails to find the next hop, it will be routed normally by using the router's routing table.


In other words, the next hop has to be reachable for the PBR to work.


With that said, if you use 'set ip default next-hop' the packet will check the routing table first and then policy route the packets with the specified next-hop.


It's explained here

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch20/piconfig.htm#wp1001398


___________________________________


If Fa0/0 is up/up but a downstream connection is down, the packet will be policy routed.


>> I cannot catch your idea. Could you explain more?


____________________________________


If a downstream connection is down and the next-hop is up, the packet still will be policy-routed since it met the criteria.



leungcm Sun, 08/12/2007 - 08:28

Hi,


---

If a downstream connection is down and the next-hop is up, the packet still will be policy-routed since it met the criteria.

---


You mentioned the "downstream connection" to be the 202.1.1.0/24, isn't it? If so, when the 202.1.1.0/24 is down, there is no traffic to R1. Why does it meet the criteria? Please advise.


Best regards


Edison Ortiz Sun, 08/12/2007 - 08:32

For instance, you have PBR enable in your core router but your core router connects to a FW before heading out to the internet.


The FW will be your next-hop device in the PBR, you follow me ?


If the FW loses connection to the internet, the PBR will still send the packets to the FW since the connection was lost between the FW and the internet.


However, if the connection is lost between the FW and the router, PBR won't work.


Hope that's clear.


leungcm Sun, 08/12/2007 - 08:57

Hi,


I see, you mean the "downstream" should be the FW in between "ISP A" and the core router. Is it right?


If so, the router does not know about the link down of ISP A which connects to the FW. The PBR is working but packets cannot go out to the internet because the ISP A link is down.


Is it right?


regarding the "ip next-hop",


---

Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table

----


The routing table means the "BGP routing table" in my case. Is it right?


---

When you configure PBR with the 'set ip next-hop' option, the packet will be policy routed first and if it fails to find the next hop, it will be routed normally by using the router's routing table.

---


"it fails to find the next hop", does it include the following criteria:

1. the next hop is unreachable, or

2. the next hop does not exist, or

3. the next hop is not responding, or

4. the related interface (next hop) is shut down manually, or

5. the related interface (next hop) is out of order (hardware fault), or

6. the physical link or cable is disconnected, or

7. the interface (next hop) is line up and protocol down,

etc.


Best regards


Correct Answer
Edison Ortiz Sun, 08/12/2007 - 11:04

Correct in all counts.

Correct Answer
Richard Burts Sun, 08/12/2007 - 14:37

I am not sure that I agree with Edison that this is correct in all counts. When you configure PBR and do set next-hop the router will do policy routing as long as it believes the next hop is reachable. In practical terms this means as long as the outbound interface toward the next hop is not down the router will attempt to policy route. In terms of the list I agree that items 4, 5, 6, and 7 will prevent policy routing using set next-hop. But 1, 2, and 3 will still be policy routed using the configuration that you show. Traditional PBR (which is what you have configured) does not actually check the reachability of the next hop.


In part this is a result of how processing is done on Ethernet interfaces. Cisco has introduced a feature in fairly recent code in PBR to verify reachability. I think that you might want to look into this feature.


I believe that there is another part of the issue that needs some clarification. In the event that PBR is not used (because of interface problems, or verify reachability, or whatever) then the router will use its normal routing table (in your case the BGP routing table). This may result in traffic from the server going to the other ISP. If you really want the router to not forward traffic from that server to the other ISP then I suggest that you configure an outbound access list on the interface to the other ISP. In the access list you should deny traffic with a source address of that server and permit other traffic.


I also note one small problem in your configuration of PBR. You have the next hop in this way:

set ip next-hop 150.x.x.1

but this address is the interface address of the router. The next hop is probably 150.x.x.2.


HTH


Rick
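A corrected R1 configuration that applies both of Rick's suggestions (a real next hop, PBR that checks reachability, and an outbound ACL on the ISP B interface), added here as an example. It is not the config leungcm posted and not something anyone in the thread wrote. It assumes: the ISP A router is 150.x.x.2 on the /30 (the thread's "x" octets are kept as placeholders; leungcm confirms x.x.2 as the real next hop); an IOS image with the `ip sla` and `track ... ip sla` syntax of the 12.4T train (older images spell these `ip sla monitor` and `track ... rtr`); that the ISP A router answers ICMP echo; and an invented ACL name, BLOCK_SERVER_TO_ISPB.

```cisco
! R1 -- corrected PBR for the 202.1.1.50 server (added example, not from the thread)
! Assumes 12.4T-style "ip sla" / "track" syntax. The 150.x.x / 160.x.x octets are
! the placeholders from the original post; 150.x.x.2 is assumed to be the ISP A
! router on the /30 (the next hop, not R1's own Fa0/0 address).
!
! 1. Probe the ISP A next hop every 10 s so PBR is withdrawn when the next hop
!    really is unreachable, not only when Fa0/0 goes down/down.
ip sla 1
 icmp-echo 150.x.x.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! 2. Policy: server traffic is sent to ISP A only while track 1 is up.
!    When the track is down, sequence 10 no longer applies and the packet
!    falls through to the normal (BGP) routing table.
access-list 20 permit host 202.1.1.50
!
route-map GO_ISPA permit 10
 match ip address 20
 set ip next-hop verify-availability 150.x.x.2 10 track 1
!
! Sequence 20 has no match and no set, so every other packet (200.x.x.x/24,
! 201.x.x.x/24) is routed normally by BGP instead of being dropped.
route-map GO_ISPA permit 20
!
interface FastEthernet0/3
 description connect to DMZ
 ip address 170.x.x.1 255.255.255.0
 ip policy route-map GO_ISPA
!
! 3. Enforce the requirement even when PBR is withdrawn and BGP prefers ISP B:
!    the server's transit traffic is dropped on the way out of Fa0/1 rather
!    than silently leaving via the wrong ISP. (ACL name is an example name.)
ip access-list extended BLOCK_SERVER_TO_ISPB
 deny   ip host 202.1.1.50 any
 permit ip any any
!
interface FastEthernet0/1
 description connect to ISP B
 ip address 160.x.x.1 255.255.255.252
 ip access-group BLOCK_SERVER_TO_ISPB out
!
end
```

`show track 1` shows whether the probe is up, `show route-map GO_ISPA` counts policy-routed packets per sequence, and `show ip policy` lists the interfaces the map is applied to. Two caveats. The probe only proves that the ISP A router is reachable from Fa0/0; it says nothing about ISP A's upstream, which is exactly Edison's "downstream connection" case, so if that matters probe an address beyond ISP A instead, remembering that the probe itself follows the routing table unless it is policy-routed with `ip local policy`. And an outbound interface ACL in IOS is not applied to traffic the router itself originates, so the BGP session to ISP B on Fa0/1 is unaffected by BLOCK_SERVER_TO_ISPB; only transit packets from 202.1.1.50 are dropped there. If the requirement were the opposite, BGP first and ISP A only when there is no route, the command would be `set ip default next-hop` as Edison describes.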

leungcm Mon, 08/13/2007 - 09:39

Hi,


yes, you are right, the next hop is x.x.2.


BTW, if we configure x.x.1 as the "next hop", the next hop is reachable, but the router cannot send out any packet. Also, it will not go to the BGP routing table because the PBR is valid. So, based on the above setting, the traffic cannot go out to the internet. Is it right?


Best regards

Richard Burts Mon, 08/13/2007 - 10:00

In this case where you have configured set ip next-hop with the interface address of the router, then PBR will work and will treat the next hop as reachable. It will not go to the BGP routing table. And since the configured next hop is on the router itself the practical effect is that these packets can not be forwarded to any other device. So it will not go to the internet. That is right.


HTH


Rick
