Enclosed is the network config. We have three networks behind the BGP router. We let BGP find the best route for outbound traffic on router 1 (the BGP router gateway).
However, we must force one server to always go out via "ISP A". The R1 config is as follows:
interface FastEthernet0/0
 description connect to ISP A
 ip address 150.x.x.1 255.255.255.252
!
interface FastEthernet0/1
 description connect to ISP B
 ip address 160.x.x.1 255.255.255.252
!
interface FastEthernet0/3
 description connect to DMZ
 ip address 170.x.x.1 255.255.255.0
 ip policy route-map GO_ISPA
!
access-list 20 permit host 22.214.171.124
!
route-map GO_ISPA permit 10
 match ip address 20
 set ip next-hop 150.x.x.1
!
route-map GO_ISPA permit 20
! --- end ---
Based on the above config:
- The 126.96.36.199 server always goes to ISP A, even when the ISP A link is down.
- The "route-map GO_ISPA permit 20" entry will do nothing. Network 2 and network 3 (200.x.x.x/24 and 201.x.x.x/24) can enjoy the BGP feature to find the best routes to the outside internet; they will not be affected by the policy-based routing "GO_ISPA".
If we do not put "route-map GO_ISPA permit 20", all networks cannot go to the internet because the route-map denies them.
Is this correct? Please advise.
I am not sure that I agree with Edison that this is correct on all counts. When you configure PBR and do set next-hop, the router will do policy routing as long as it believes the next hop is reachable. In practical terms this means that as long as the outbound interface toward the next hop is not down, the router will attempt to policy route. In terms of the list, I agree that items 4, 5, 6, and 7 will prevent policy routing using set next-hop. But 1, 2, and 3 will still be policy routed using the configuration that you show. Traditional PBR (which is what you have configured) does not actually check the reachability of the next hop.
In part this is a result of how processing is done on Ethernet interfaces. Cisco has introduced a feature in fairly recent code in PBR to verify reachability. I think that you might want to look into this feature.
I believe that there is another part of the issue that needs some clarification. In the event that PBR is not used (because of interface problems, or verify reachability, or whatever) then the router will use its normal routing table (in your case the BGP routing table). This may result in traffic from the server going to the other ISP. If you really want the router to not forward traffic from that server to the other ISP then I suggest that you configure an outbound access list on the interface to the other ISP. In the access list you should deny traffic with a source address of that server and permit other traffic.
I also note one small problem in your configuration of PBR. You have the next hop in this way:
 set ip next-hop 150.x.x.1
but this address is the interface address of the router. The next hop is probably 150.x.x.2.
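To make the two suggestions in the reply above concrete, here is an added example configuration (not the original poster's config and not from any of the participants). It assumes that ISP A's router is 150.x.x.2 (the reply above only says "probably"), that the pinned server is the host already matched by access-list 20, and that the IOS image supports IP SLA tracking and the PBR verify-availability option; the object numbers (ip sla 1, track 1, access-list 101) are arbitrary choices.

```ios
! Added example, not the poster's configuration. Placeholders:
! 150.x.x.2 = assumed ISP A next hop, 22.214.171.124 = the pinned server from ACL 20.
!
! 1. Probe the ISP A next hop so PBR can tell whether it is actually reachable,
!    rather than only whether FastEthernet0/0 is up.
ip sla 1
 icmp-echo 150.x.x.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! 2. PBR for the pinned server. The next hop is used only while track 1 is up;
!    when it is down the packet falls through to the normal (BGP) routing table.
access-list 20 permit host 22.214.171.124
!
route-map GO_ISPA permit 10
 match ip address 20
 set ip next-hop verify-availability 150.x.x.2 10 track 1
!
! Sequence 20 matches everything else and sets nothing, so the other networks
! are forwarded by the routing table instead of being dropped by the route-map.
route-map GO_ISPA permit 20
!
interface FastEthernet0/3
 description connect to DMZ
 ip address 170.x.x.1 255.255.255.0
 ip policy route-map GO_ISPA
!
! 3. Outbound filter on the ISP B link, so the server's traffic never leaves via
!    ISP B even when PBR has fallen back to the routing table.
access-list 101 deny   ip host 22.214.171.124 any
access-list 101 permit ip any any
!
interface FastEthernet0/1
 description connect to ISP B
 ip address 160.x.x.1 255.255.255.252
 ip access-group 101 out
```

Note the trade-off this encodes: when ISP A is unreachable, the server's traffic falls back to the BGP table, is then denied by access-list 101 on the ISP B interface, and is dropped. That is the behaviour the original question asks for ("always goes to ISP A"); if the requirement is instead "prefer ISP A", leave out step 3 and the tracked next hop alone will give failover to ISP B. Use `show track 1` and `show route-map GO_ISPA` to confirm the probe state and the policy-routed packet counts.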
Correct in all counts.