BGP and PBR

Answered Question
Aug 12th, 2007

Hi,

Enclosed is the network config. We have three networks behind the BGP router. We let BGP find the best route for outbound traffic in router 1 (BGP router gateway).

However, we must force one server to always go to "ISP A". The R1 config is as follows:

!
! R1
!
interface FastEthernet0/0
 description connect to ISP A
 ip address 150.x.x.1 255.255.255.252
!
interface FastEthernet0/1
 description connect to ISP B
 ip address 160.x.x.1 255.255.255.252
!
interface FastEthernet0/3
 description connect to DMZ
 ip address 170.x.x.1 255.255.255.0
 ip policy route-map GO_ISPA
!
access-list 20 permit host 202.1.1.50
!
route-map GO_ISPA permit 10
 match ip address 20
 set ip next-hop 150.x.x.1
!
route-map GO_ISPA permit 20
!
! --- end ---

Based on the above config,

- the 202.1.1.50 server always goes to ISP A even if the ISP A link is down

- the "route-map GO_ISPA permit 20" will do nothing. Network 2 and network 3 can enjoy the BGP feature of finding the best routes to the outside internet for them (200.x.x.x/24 and 201.x.x.x/24). They will not be affected by the policy-based routing "GO_ISPA".

If we do not put in "route-map GO_ISPA permit 20", all networks cannot go to the internet because the route-map denies them.

Is it correct? Please advise.

Best regards

Correct Answer by Edison Ortiz about 9 years 5 months ago

Correct in all counts.

Edison Ortiz Sun, 08/12/2007 - 07:24

> - the 202.1.1.50 server always goes to ISP A even if the ISP A link is down

______________________

It depends. If Fa0/0 is down/down, the packet will be routed normally to the other links by following the internal routing table.

If Fa0/0 is up/up but a downstream connection is down, the packet will be policy routed.

__________________________

> - the "route-map GO_ISPA permit 20" will do nothing. Network 2 and network 3 can enjoy the BGP feature of finding the best routes to the outside internet for them (200.x.x.x/24 and 201.x.x.x/24). They will not be affected by the policy-based routing "GO_ISPA".

_____________________________

That is correct. In your ACL, you only specified the host IP, not the whole network.

No need for another route-map statement.

leungcm Sun, 08/12/2007 - 07:51

Hi,

Sorry, but I cannot catch your idea in the following:

---

It depends. If Fa0/0 is down/down, the packet will be routed normally to the other links by following the internal routing table.

>> If we implement the PBR on Fa 0/2, the packet will not go to another link if Fa0/0 is down. Am I right?

If Fa0/0 is up/up but a downstream connection is down, the packet will be policy routed.

>> I cannot catch your idea. Could you tell me more?

----

Best regards

Edison Ortiz Sun, 08/12/2007 - 08:18

When you configure PBR with the 'set ip next-hop' option, the packet will be policy routed first and if it fails to find the next hop, it will be routed normally by using the router's routing table.

In other words, the next hop has to be reachable for the PBR to work.

With that said, if you use 'set ip default next-hop' the packet will check the routing table first and then policy route the packets with the specified next-hop.

It's explained here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch20/piconfig.htm#wp1001398

___________________________________

If Fa0/0 is up/up but a downstream connection is down, the packet will be policy routed.

>> I cannot catch your idea. Could you tell me more?

____________________________________

If a downstream connection is down and the next-hop is up, the packet still will be policy-routed since it met the criteria.

leungcm Sun, 08/12/2007 - 08:28

Hi,

---

If a downstream connection is down and the next-hop is up, the packet still will be policy-routed since it met the criteria.

---

You mentioned the "downstream connection" to be the 202.1.1.0/24, isn't it? If so, when the 202.1.1.0/24 is down, there is no traffic to R1. Why does it meet the criteria? Please advise.

Best regards

Edison Ortiz Sun, 08/12/2007 - 08:32

For instance, you have PBR enabled on your core router, but your core router connects to a FW before heading out to the internet.

The FW will be your next-hop device in the PBR, you follow me?

If the FW loses connection to the internet, the PBR will still send the packets to the FW since the connection was lost between the FW and the internet.

However, if the connection is lost between the FW and the router, PBR won't work.

Hope that's clear.

leungcm Sun, 08/12/2007 - 08:57

Hi,

I see, you mention the "downstream" should be the FW in between "ISP A" and the core router. Is that right?

If so, the router does not know about the link down of ISP A which connects to the FW. The PBR is working but packets cannot go out to the internet because the ISP A link is down.

Is it right?

Regarding the "ip next-hop",

---

Configuring the set ip next-hop command causes the system to use policy routing first and then use the routing table

----

The routing table means the "BGP routing table" in my case. Is it right?

---

When you configure PBR with the 'set ip next-hop' option, the packet will be policy routed first and if it fails to find the next hop, it will be routed normally by using the router's routing table.

---

"it fails to find the next hop", does it include the following criteria:

1. the next hop is unreachable, or

2. the next hop does not exist, or

3. the next hop is not responding, or

4. the related interface (next hop) is shut down manually, or

5. the related interface (next hop) is out of order (hardware fault), or

6. the physical link or cable is disconnected

etc.

7. the interface (next hop) is line up and protocol down.

etc.

Best regards

Correct Answer
Richard Burts Sun, 08/12/2007 - 14:37

I am not sure that I agree with Edison that this is correct in all counts. When you configure PBR and do set next-hop the router will do policy routing as long as it believes the next hop is reachable. In practical terms this means as long as the outbound interface toward the next hop is not down the router will attempt to policy route. In terms of the list I agree that items 4, 5, 6, and 7 will prevent policy routing using set next-hop. But 1, 2, and 3 will still be policy routed using the configuration that you show. Traditional PBR (which is what you have configured) does not actually check the reachability of the next hop.

In part this is a result of how processing is done on Ethernet interfaces. Cisco has introduced a feature in fairly recent code in PBR to verify reachability. I think that you might want to look into this feature.

I believe that there is another part of the issue that needs some clarification. In the event that PBR is not used (because of interface problems, or verify reachability, or whatever) then the router will use its normal routing table (in your case the BGP routing table). This may result in traffic from the server going to the other ISP. If you really want the router to not forward traffic from that server to the other ISP then I suggest that you configure an outbound access list on the interface to the other ISP. In the access list you should deny traffic with a source address of that server and permit other traffic.

I also note one small problem in your configuration of PBR. You have the next hop in this way:

set ip next-hop 150.x.x.1

but this address is the interface address of the router. The next hop is probably 150.x.x.2.

HTH

Rick
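
As an added example (not the original poster's config and not something either answerer posted), here is how R1's PBR could be written to take both of Rick's points into account, and to address the 'set ip next-hop' fall-back behaviour Edison describes above: the next hop is corrected to the ISP A side (assumed to be 150.x.x.2, as Rick suggests), the next hop is verified with IP SLA object tracking so that policy routing stops when ISP A is actually unreachable, and an outbound access list on the ISP B interface is the safety net that keeps the server's traffic off ISP B even when PBR falls back to the BGP routing table. Interface numbers and the x.x placeholders are carried over from the original post; the IP SLA probe number, track object, ACL name and the availability of 'verify-availability ... track' in the running IOS release are assumptions.

```cisco
! Added example configuration, not from the original post or the replies.
! Assumptions: ISP A next hop is 150.x.x.2, the DMZ interface is FastEthernet0/3
! (as in the original config), and the IOS release supports PBR object tracking.
!
! 1. Probe the ISP A next hop with IP SLA and expose the result as a track object.
ip sla 1
 icmp-echo 150.x.x.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! 2. Policy route only the one server, and only while track 1 is up.
!    If the next hop is unreachable (track down) or the interface is down,
!    the packet falls through to normal routing, i.e. the BGP routing table.
access-list 20 permit host 202.1.1.50
!
route-map GO_ISPA permit 10
 match ip address 20
 set ip next-hop verify-availability 150.x.x.2 10 track 1
!
! No "permit 20" sequence is needed: traffic that matches no sequence of a PBR
! route-map is not dropped, it is simply routed by the routing table.
!
interface FastEthernet0/3
 description connect to DMZ
 ip address 170.x.x.1 255.255.255.0
 ip policy route-map GO_ISPA
!
! 3. Safety net from Rick's reply: never forward the server's traffic out of the
!    ISP B interface, even when PBR has fallen back to the BGP routing table.
ip access-list extended NO_SERVER_VIA_ISPB
 deny   ip host 202.1.1.50 any
 permit ip any any
!
interface FastEthernet0/1
 description connect to ISP B
 ip address 160.x.x.1 255.255.255.252
 ip access-group NO_SERVER_VIA_ISPB out
```

With 'set ip next-hop verify-availability ... track 1', the router checks the track object before policy routing, so the ISP A failure cases that traditional PBR cannot see (items 1, 2 and 3 in the list above, where Fa0/0 stays up/up) now also cause the fall-back to the routing table. The outbound ACL then decides what happens after that fall-back: with the deny line in place the server's packets are dropped on Fa0/1 rather than leaving via ISP B; remove the ACL if the intent is that the server should still reach the internet via ISP B while ISP A is down. Changing sequence 10 to 'set ip default next-hop 150.x.x.2' would invert the order of evaluation, as Edison notes: the BGP routing table would be consulted first and the ISP A next hop used only when the routing table has no explicit route for the destination.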

leungcm Mon, 08/13/2007 - 09:39

Hi,

Yes, you are right, the next hop is x.x.2.

BTW, if we configure x.x.1 as the "next hop", the next hop is reachable, but the router cannot send out any packet. Also, it will not go to the BGP routing table because PBR is valid. So, based on the above setting, the traffic cannot go out to the internet. Is it right?

Best regards

Richard Burts Mon, 08/13/2007 - 10:00

In this case where you have configured set ip next-hop with the interface address of the router, then PBR will work and will treat the next hop as reachable. It will not go to the BGP routing table. And since the configured next hop is on the router itself the practical effect is that these packets can not be forwarded to any other device. So it will not go to the internet. That is right.

HTH

Rick
