PBR using Route-map to Match only BGP Learned Routes

j.drosyk_2
Level 1

I have a 7200VXR running static, eigrp, and ibgp/ebgp. This router has a LAN interface and two serial interfaces each attached to a DS3. I have a route-map that I believe should be using "AND" logic which must match all conditions for the route action to take place. The match conditions are an access-list and only routes that are learned via BGP. My goal is not to affect any routes that are connected, static or learned via eigrp. However, all TCP 80 traffic is somehow matching the route-map. Below is a sanitized config.

interface GigabitEthernet0/1
 ip address 10.10.10.10 255.255.255.0
 ip policy route-map TEST
!
interface Serial2/0
 description DS3-1
 ip address 20.20.20.20 255.255.255.0
!
interface Serial3/0
 description DS3-2
 ip address 30.30.30.30 255.255.255.0
!
ip access-list extended ROUTE_MAP
 permit tcp any any eq www
!
route-map TEST permit 10
 match ip address ROUTE_MAP
 match source-protocol bgp 13979
 set interface Serial3/0

As it sits right now, all TCP 80 traffic is going out Serial3/0. I want only TCP 80 traffic for remote routes learned via BGP to go out Serial3/0 and all other traffic to route normally. Any help would be appreciated.

Accepted Solution

John,

Since PBR can only act on the packets being forwarded you need to relate these packets to BGP somehow. One way to do that would be to use QOS Policy Propagation via BGP (QPPB) feature. This would allow you to set a given precedence to prefixes learned via BGP. You could then do a PBR match on an extended ACL with the proper precedence that has been set by QPPB.

int
 ip policy route-map TEST
 ! rewrite the precedence of forwarded packets to the value attached to their destination prefix by the BGP table-map
 bgp-policy destination ip-prec-map
!
router bgp xxx
 ! attach IP precedence 2 to the CEF entries of all BGP-learned prefixes
 table-map set_prec
!
route-map set_prec permit 10
 ! "immediate" is IP precedence value 2
 set ip precedence immediate
!
ip access-list extended ROUTE_MAP
 permit tcp any any eq www precedence 2
!
route-map TEST permit 10
 match ip address ROUTE_MAP
 set interface Serial3/0

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
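To see why a packet-only PBR match cannot tell BGP-learned destinations apart, and how QPPB bridges the gap, the following is an added Python model of the hub router's forwarding decision. It is not code from this thread or from Cisco: the FIB prefixes, their source protocols and the interface names are constructed assumptions standing in for the sanitized config above. It models the `table-map set_prec` marking BGP-learned entries with precedence 2, the ingress `bgp-policy destination ip-prec-map` rewriting a packet's precedence from its destination lookup, and the route-map ACL both as originally written (no precedence term) and as Harold proposes (`precedence 2`).

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed FIB for the hub router: (prefix, source protocol, outgoing interface).
# 198.51.100.0/24 stands for a /24 advertised back by a remote site over BGP;
# the other entries are connected, static or EIGRP and must never be policy-routed.
FIB = [
    (ipaddress.ip_network("10.10.10.0/24"), "connected", "Gi0/1"),
    (ipaddress.ip_network("172.16.0.0/16"), "eigrp", "Se2/0"),
    (ipaddress.ip_network("192.0.2.0/24"), "static", "Se2/0"),
    (ipaddress.ip_network("198.51.100.0/24"), "bgp", "Se2/0"),
    (ipaddress.ip_network("0.0.0.0/0"), "static", "Se2/0"),
]


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int
    precedence: int = 0  # IP precedence as received (0 = routine)


def lookup(fib, dst):
    """Longest-prefix match, as CEF does; returns (prefix, protocol, interface)."""
    addr = ipaddress.ip_address(dst)
    candidates = [entry for entry in fib if addr in entry[0]]
    return max(candidates, key=lambda entry: entry[0].prefixlen)


def bgp_table_map(fib, precedence=2):
    """'table-map set_prec' with 'set ip precedence immediate' (value 2):
    attach a precedence to every BGP-learned entry and to nothing else."""
    return {prefix: precedence for prefix, proto, _ in fib if proto == "bgp"}


def qppb_destination_mark(pkt, fib, prec_map):
    """'bgp-policy destination ip-prec-map' on the ingress interface: look up the
    packet's destination and rewrite its precedence if that entry carries one."""
    prefix, _, _ = lookup(fib, pkt.dst)
    if prefix in prec_map:
        return replace(pkt, precedence=prec_map[prefix])
    return pkt


def acl_route_map(pkt, required_precedence=None):
    """'permit tcp any any eq www [precedence N]'. The thread's original ACL has
    no precedence term; the QPPB version requires precedence 2."""
    if not (pkt.proto == "tcp" and pkt.dport == 80):
        return False
    return required_precedence is None or pkt.precedence == required_precedence


def forward(pkt, fib=FIB, qppb=True, policy_interface="Se3/0"):
    """PBR on the LAN interface: if the route-map's ACL matches the packet,
    'set interface' wins; otherwise the packet follows the normal FIB lookup.
    PBR itself only ever sees packet fields, never the route's source protocol."""
    if qppb:
        pkt = qppb_destination_mark(pkt, fib, bgp_table_map(fib))
        matched = acl_route_map(pkt, required_precedence=2)
    else:
        matched = acl_route_map(pkt)
    if matched:
        return policy_interface
    return lookup(fib, pkt.dst)[2]


if __name__ == "__main__":
    for dst, port in [("198.51.100.5", 80), ("172.16.1.1", 80), ("198.51.100.5", 443)]:
        p = Packet(dst, "tcp", port)
        print(f"{dst}:{port}  original PBR -> {forward(p, qppb=False)}   with QPPB -> {forward(p)}")
```

Run as is, the model reproduces both behaviours from the thread: without QPPB every TCP 80 packet, including one to the EIGRP-learned 172.16.0.0/16, leaves via Se3/0; with QPPB only TCP 80 traffic whose destination lookup hits a BGP-learned entry is policy-routed, and everything else follows the FIB.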


30 Replies

Jon Marshall
Hall of Fame

John

Once it matches the first "match" statement then it immediately jumps to the set clause and that's why all traffic is going via s3/0.

Try this instead

route-map TEST permit 10
 match ip address ROUTE_MAP
 continue 20
!
route-map TEST permit 20
 match source-protocol bgp 13979
 set interface s3/0

Jon

Jon,

Thanks. For some reason I thought if all match statements were on the same line of the route-map, it would use "AND" logic. I will try that this evening. I want to make sure though that the route-map you suggest will not match all IP traffic for learned BGP routes.

Thanks

John

"I want to make sure though that the route-map you suggests will not match for all ip traffic from learned BGP routes."

That depends on what you have in the acl that you use in your route-map.

Jon

If the configuration is:

ip access-list extended ROUTE_MAP
 permit tcp any any eq www

and

route-map TEST permit 10
 match ip address ROUTE_MAP
 continue 20
!
route-map TEST permit 20
 match source-protocol bgp 13979
 set interface s3/0

I want to make sure that the above configuration will only "match" if both scenarios are met. I do not want the set command to be active on traffic that is not TCP 80 going to BGP learned routes. Will the configuration above achieve this?

Thanks again for your assistance.

John

In the process of testing this and getting some odd results. Don't apply the config I posted as it seems to block other IP traffic.

Will update you after I've done some more testing.

Jon

Will do. I will also try to lab it up.

Thanks

John

Actually that's a good point. I will have to lab that up to test :-)

Jon

Harold Ritter
Cisco Employee

John,

"source-protocol" is not a valid match condition in the PBR context. PBR can only match against the packet being forwarded, not against the routing table. Please refer to the following document for the valid PBR match conditions. In short, you can match using a standard or extended ACL, and with more recent versions you can also match on packet length.

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml#wp14040

Regards

Harold Ritter

Interesting. I guess the "source-protocol" match feature is limited to routing protocol manipulation only. I was hoping it would be able to match not only on the ACL but also on how the routes were learned. I might have to rethink the route-map altogether. Is there any other distinguishing characteristic of a BGP route over a static or EIGRP one?


Harold,

You sir have too much time on your hands ;). The solution you proposed totally resolved my issue. I built a GNS3 simulation network recreating my issue, then applied your solution, and it worked. I was worried that I might need the bgp-policy destination ip-prec-map, the table-map set_prec, and the route-map set_prec on every iBGP peer in my network, but I did not. I really appreciate the help. I also appreciate the help from Jon and anyone else who posted.

Thanks again.

John,

I know, I should get a life ;-) I am glad the proposed solution worked for you.

Regards

Harold Ritter

Harold,

I found an issue with my lab that was giving me incorrect results for this solution. I fixed it and now I see an issue with your solution. It is not working on traffic originating on the host network going to the remote networks. However, traffic originating on a remote network traveling to the host network works great. I am only advertising network 0.0.0.0 to the remote sites, and they are advertising /24 networks back. Let me know what you think and again, I appreciate the help.

John,

Could you please help me understand the traffic flows that work and those that don't with a simple diagram.

Which networks do we learn via BGP?

Regards

Harold Ritter