Policy Based Routing based on next-hop and precedence

deschete · ‎02-11-2008

Hello all,

I'm trying to configure a route-map that uses two match statements. I would like the set command to be issued only if both of them are true.

The first match is on next-hop IP. If the next-hop IP matches an IP I set in a standard ACL, I want it then to check for precedence critical. If that is also true, I want to set the next hop to take another path.

Unfortunately, when the router is evaluating my match statements, it issues the 'set' command as soon as one of the statements is true. It doesn't move on to the second one. This directly is in conflict with the following exerpt from Cisco's web site:

"Policy Route Maps

Each entry in a route map statement contains a combination of match and set clauses/commands. The match clauses define the criteria for whether appropriate packets meet the particular policy (that is, the conditions to be met). The set clauses than explain how the packets should be routed once they have met the match criteria.

For each combination of match and set commands in a route map statement, all sequential match clauses must be met simultaneously by the packet for the set clauses to be applied. There may be multiple sets of combinations of match and set commands in a full route map statement."

http://www.cisco.com/warp/public/732/Tech/plicy_wp.htm

Now, unfortunately, the document seems to contradict itself in the next section:

"Match Clauses---Defining the Criteria

The IP standard or extended ACLs can be used to establish the match criteria. The standard IP access lists can be used to specify the match criteria for source address; extended access lists can be used to specify the match criteria based on application, protocol type, TOS, and precedence.

The match clause feature has been extended to include matching packet length between specified minimum and maximum values. The network administrator can then use the match length as the criterion that distinguishes between interactive and bulk traffic (bulk traffic usually has larger packet sizes).

The policy routing process proceeds through the route map until a match is found. If no match is found in the route map, or the route map entry is made a deny instead of a permit, then normal destination-based routing of the traffic ensues."

Basically I need to ensure that both match statements are true, based on next-hop and prededence, before issuing my set command. Does anyone know how to accomplish this?

Thanks,

Daniel

s.arunkumar · ‎02-11-2008

Hi Daniel,

As far as i know multiple match statement inside a route-map uses logical AND.Hence all the statement should match for the set to be execute..

ref :: http://books.google.com/books?id=_9YIqk4Vde0C&pg=PA686&lpg=PA686&dq=%22route+map%22+multiple+match+statement&source=web&ots=E5NW40OUX-&sig=iHaGGTYQapf4G4OxTVw9sLSGgaM

I dont know what happening in ur case.Can u just post ur config..

Regarding the document u read..On the second part that u mentioned

""The policy routing process proceeds through the route map until a match is found. If no match is found in the route map, or the route map entry is made a deny instead of a permit, then normal destination-based routing of the traffic ensues""

I think its not mentioning about multiple match statement,it is generally saying about all the route-map statements..,ie,if no match is found for all the route map statements then destination based routing is performed..

arun

deschete · ‎02-11-2008

Okay, in my situation, there are two data centers with 7206 routers. There are multiple T1 connections from various locations to both routers, and then both routers are connected together via two high capacity links.

The problem that comes in is now every one of those T1's is technically a "point of entry" to the router. I need to judge based on "next hop" (192.168.0.73) to determine if the traffic is going to travel down the backbone to the other side. Then I need to judge based on "precedence critical" to determine if the traffic is priority and should take the priority path (192.168.0.77.)

It should be noted that OSPF is configured on 192.168.0.73's network but there is NO routing protocol on 192.168.0.77's network.

If I don't match on next hop, then everything with priority critical would go over the 192.168.0.77 connection to another city - only to have to return immediatly to go out of another interface of the router!

Here are my route map and ACL configurations:

!

ip access-list standard video-next-hop

permit 192.168.0.73

!

ip access-list extended video-precedence

permit ip any any precedence critical

!

route-map video-over-ds3 permit 10

match ip address video-precedence

match ip next-hop video-next-hop

set ip next-hop 192.168.0.77

To me, if Cisco is correct, all packets with precedenc critical would be inspected to see if their next hop is 192.168.0.73. If both of these are true, then the packet would be passed to 192.168.0.77. Otherwise, normal routing rules would apply.

Instead, I'm seeing all precedence critical traffic being routed over this connection (even if it is just coming in one T1 interface and would need to route out another T1 interface as a shorter path.) It seems like the "next hop" statement is not being evaluated.

aravindhs · ‎02-12-2008

Hi

All the matches in the route-map clause must pass for the set to be executed. Or else, the next clause will be evaluated. What does your show ip route for the specific traffic show ?

Arav

Mohamed Sobair · ‎02-12-2008

Hi Daniel,

(Route-map) is one of the filtering methods used by routing protocols, and in fact it filter routes before it gets into the rip database, unlike (distribute-lists) method.

(This is a Route-filtering used by any routing protocol).

route-maps with PBR is a method used a gainst Packet forwarding.

(Route-map) has two configurable logics:

1- AND Logic

2- OR Logic

The logic of (AND) is when you match and set at the same sequence number.

The logic of (OR) is when you match and set at different sequence numbers.

The priority that Router takes is for PBR, if there is no matching criteria, then packet forwarded based on normal routing table decision.

Your criteria requires using the logic of (OR) in order to acheive the desired approach.

configuring Two match statment with the set command on two different sequence number should be sufficient.

HTH,

Mohamed

deschete · ‎02-12-2008

Mohamed,

Do you have a link to any documentation that goes into greater detail what you're explaining? It sounds like it will resolve my problem.

Thanks,

Daniel

aravindhs · ‎02-12-2008

Hi Daniel

Your requirement is to have both the matches met for the set command to take effect.

Match commands within a sequence number operate on the AND logic basis. Both the match commands must pass for the set command to effect. Different sequence numbers won't help your scenario.

Cheers

Arav

Mohamed Sobair · ‎02-12-2008

Daniel,

There are multiple resources for route-maps (understanding) & Configuration Guide,

Check bellow some of them:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080457b9c.html

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/13ew/configuration/guide/pbroute.html

Regards,

Mohamed

deschete · ‎02-12-2008

Okay, after doing a lot of reading and testing and thinking, it appears that this will not work the way I am proposing...

Because route maps are placed on the incoming interface, a routing decision has not been made yet. The match statement that involves next hop has no "answer" to determine if it is true because the route map is analyzed before the routing table.

Therefore, my question should be changed to read, "Does anyone know how to make a change to routing based on destination interface and precedence AFTER the intial routing decision is made, i.e. on the way out of the router?"