PBR based on BGP reverse path?

Unanswered Question
Aug 27th, 2007

I think I'm just missing the right "ciscoese" jargon to find the docs for what I want to do.

I need to install a policy-based source-address route map, but instead of using a static access list as the source-address match, I need to match any packets coming from an ISP which source from networks that are advertised to me from a specific BGP AS.

Basically we need to split ingress traffic from the ISP onto two different interfaces so that traffic that the ISP advertises on one AS can be filtered by a layer 4 shaper, and traffic coming from a different AS goes to a different physical link. The AS is the only way we have to tell these two traffic classes apart, since all the packets come in untagged on the same link.

sdoremus33 Mon, 08/27/2007 - 18:06

Have you tried AS-Prepending on the first interface (Basically we need to split ingress traffic from the ISP onto two different interfaces so that traffic that the ISP advertises on one AS can be filtered by a layer 4 shaper)? Then use the original AS Path from the other link, which will only use its own prepend info.

Ingress Traffic: Makes use of AS-Prepending, where Egress traffic relies on MED to determine which AS is chosen. HTH



b.julin Tue, 08/28/2007 - 06:52

I think maybe I was not clear...

We have one and only one link from the ISP. Traffic from the ISP comes in two flavors. The ISP will be setting us up a BGP peer so that we know which global networks are which flavor, but the ISP will not be using that BGP process to route back to us, just a static route for our one network. (I am sure they use BGP internally but that doesn't matter to us.)

Getting traffic to split on the way out of our network is no problem, it is just normal routing. We send traffic from the distribution router to one AS down one link and traffic to the other AS down another link, based on weighting of routes. Then on the border router the traffic is all combined and sent to the ISP to do with as they please.

On the way back in, though, we need to flip the BGP tables on the border router to use them as a source-address access-list for PBR. Traffic from either AS will be going to the same destination, so this is not a case of trying to combine separate networks using the same equipment.

From what I read, AS-prepending is used when you have multiple links from an ISP, or when you are trying to merge two old networks without changing the AS. This is not the case -- we only have one address space, and traffic will be going to and from our network and both ASes.

mheusing Tue, 08/28/2007 - 07:07


Never tried it, but QoS Policy Propagation through BGP might be helpful. You can set IP precedence or QoS group based on BGP attributes like AS path. Have a look at "Configuring QoS Policy Propagation via Border Gateway Protocol"


You might either try to set the next hop as well or use the Precedence value as input for PBR.

Just an idea, yet to be tested.

Hope this helps!

Regards, Martin

b.julin Tue, 08/28/2007 - 09:36

That's the closest I've seen...

...and it just might work. But you never know what features are going to work in combination with what other features until you have it up and running.

I can't count the number of times I've wished a PBR feature would work for QoS or vice versa, or where I've wished one of the route-map commands that only applies to route redistribution was available for payload traffic.

Thanks, I'll have to see how far I can get with that.

b.julin Wed, 08/29/2007 - 12:51

OK, well I decided to kick the tires on this feature with an old 3550 we have kicking around and a quagga bgpd to inject routes.

I have:

router bgp 1887
 table-map MarkI2
!
route-map MarkI2 permit 10
 description scribble on I2 packets
 match as-path 1
 set ip precedence flash-override
!
route-map MarkI2 permit 20
 set ip precedence routine
!
ip as-path access-list 1 permit _1337_
ip as-path access-list 1 permit _1887_

...and that gives me this:

Switch#show ip route
Routing entry for
  Known via "bgp 1887", distance 20, metric 0
  Tag 1337, precedence flash-override (4), type external
  Last update from 00:03:56 ago
  Routing Descriptor Blocks:
  *, from, 00:03:56 ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 1337

...so the ip precedence is getting into the route table.

Then I have:

interface FastEthernet0/1
 bgp-policy source ip-prec-map

and just in case:

interface FastEthernet0/2
 bgp-policy source ip-prec-map

...however, packets leaving fa0/2 keep the same ToS they had when they entered fa0/1, regardless of whether the source address is 10.4.10.x or not.

I think I got everything in the instructions... anyone ever done this?
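Added example, not code from the thread or from Cisco: a small Python model of the mechanism Martin suggested and that the config above configures. It applies the poster's table-map (AS-path ACL 1 with the IOS `_1337_` / `_1887_` patterns, then a catch-all "routine" clause) to a constructed BGP table, does the reverse (source-address) longest-prefix lookup that `bgp-policy source ip-prec-map` performs, rewrites the precedence bits of the ToS byte, and then picks a next hop by precedence the way a PBR route-map could. The RIB prefixes, the AS numbers other than 1337 and 1887, and the two next-hop addresses are placeholders chosen for the example.

```python
import ipaddress
import re

# --- Constructed inputs (not from the thread) -------------------------------
# BGP routes as the border router would learn them: prefix -> AS path
# (leftmost = nearest AS). Only 1337 and 1887 come from the poster's config;
# the other AS numbers and all prefixes are placeholders for this example.
RIB = {
    "10.4.10.0/24":    [1337],           # "I2 flavour" network, direct from AS 1337
    "10.4.0.0/16":     [64500, 64502],   # covering aggregate with an unrelated path
    "192.0.2.0/24":    [64500, 1887],    # path that transits AS 1887
    "198.51.100.0/24": [64500, 64501],   # ordinary Internet route
}

# "ip as-path access-list 1" entries from the poster's config.
AS_PATH_ACL_1 = ["_1337_", "_1887_"]

# Table-map clauses in order: (AS-path ACL, or None for "match anything", precedence).
TABLE_MAP_MARKI2 = [
    (AS_PATH_ACL_1, "flash-override"),  # route-map MarkI2 permit 10
    (None,          "routine"),         # route-map MarkI2 permit 20
]

IP_PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                 "flash-override": 4, "critical": 5, "internet": 6, "network": 7}


def ios_as_path_regex(pattern: str) -> re.Pattern:
    """Translate an IOS AS-path regex into a Python regex.

    In IOS, '_' matches the start or end of the path, a space, or one of ",{}()".
    Everything else is ordinary regex syntax, so only '_' needs rewriting."""
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()])"))


def as_path_matches(acl: list, as_path: list) -> bool:
    """True if any entry of the AS-path ACL matches the path (rendered IOS style)."""
    path_str = " ".join(str(asn) for asn in as_path)
    return any(ios_as_path_regex(p).search(path_str) for p in acl)


def apply_table_map(rib: dict, table_map: list) -> dict:
    """Mark each RIB entry with the precedence of the first matching table-map clause."""
    marked = {}
    for prefix, as_path in rib.items():
        for acl, precedence in table_map:
            if acl is None or as_path_matches(acl, as_path):
                marked[prefix] = precedence
                break
    return marked


def classify_source(marked_rib: dict, src_ip: str):
    """Longest-prefix lookup on the packet's SOURCE address, which is what
    'bgp-policy source ip-prec-map' does. Returns the precedence name, or None
    when the source has no BGP route (the packet is left untouched)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, precedence in marked_rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, precedence)
    return best[1] if best else None


def pbr_next_hop(precedence, shaper_hop="10.255.0.2", default_hop="10.255.0.6") -> str:
    """Hypothetical PBR step: flash-override sources go to the shaper link,
    everything else to the other link. Both next hops are placeholders."""
    return shaper_hop if precedence == "flash-override" else default_hop


def process_packet(src_ip: str, tos: int = 0) -> dict:
    """Run one packet through table-map marking, source lookup, ToS rewrite and PBR."""
    marked = apply_table_map(RIB, TABLE_MAP_MARKI2)
    precedence = classify_source(marked, src_ip)
    if precedence is not None:
        # Precedence occupies the top three bits of the ToS byte; keep the low five.
        tos = (IP_PRECEDENCE[precedence] << 5) | (tos & 0x1F)
    return {"src": src_ip, "precedence": precedence, "tos": tos,
            "next_hop": pbr_next_hop(precedence)}


if __name__ == "__main__":
    for src in ("10.4.10.7", "10.4.99.1", "192.0.2.9", "203.0.113.5"):
        print(process_packet(src))
```

Two things the model makes visible that the config alone does not: a source inside 10.4.0.0/16 but outside 10.4.10.0/24 gets the covering route's marking, so the shape of the aggregates the ISP advertises decides the split, and a source with no BGP route at all is never remarked, which is the same outcome the poster saw. Cisco's QPPB documentation lists CEF as a prerequisite, so packets that are not CEF-switched are also left with their original ToS; that is one of the first things to confirm on the 3550 when the precedence shows up in `show ip route` but not on the forwarded packets.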

Danilo Dy Tue, 08/28/2007 - 07:13

I think I know what you mean; I was looking for this as well, and I know people/organizations who are also looking for this. I wish IOS had this feature, so that instead of using a static ACL in a PBR you could use the AS of a specific ISP, and whenever that ISP changes the prefixes in their AS it would be transparent to you. I started calling it ASCL (Autonomous System Control List) instead of ACL (Access Control List) :)

No, I didn't find it, and I don't think IOS supports it for now. The majority are still struggling with the traditional Community, which is not appropriate in some scenarios.

Good luck!
