Route map configuration

Answered Question
Feb 2nd, 2010

I am creating a route map to enable us to specify the direction of outgoing traffic on our router with 2 BGP sessions to our providers. Basically I want to direct our voice traffic out provider A and the rest of our traffic out provider B. Our voice is basically coming from 2 subnets and I'm using an ACL based on that to direct it out that provider. I just want to make sure I have the route map configured in a way to direct "everything else" out provider B. Currently I have the route map set up to match based on ACLs and send traffic out providers A and B based on those ACLs; however, I need to change it to match an ACL, send it to provider A, and then send everything else out provider B. I'm thinking I can just change my ACL 130 to match 0.0.0.0 255.255.255.255 since that will match everything after the 120 ACL. I just want to make sure I have this set up correctly before I put this into production since I don't want any trial and error. Here is what I have:


interface GigabitEthernet0/3
description Primary LAN Interface
ip policy route-map outbound

!

access-list 120 remark Filter for outbound to A
access-list 120 permit ip X.X.176.0 0.0.1.255 any
access-list 120 permit ip X.X.184.0 0.0.1.255 any
access-list 130 remark Filter for outbound to B
access-list 130 permit ip 0.0.0.0 255.255.255.255 any
!

route-map outbound permit 10
description force traffic to A
match ip address 120
set ip next-hop A.A.A.A
!
route-map outbound permit 20
description force traffic to B
match ip address 130
set ip next-hop B.B.B.B
!


Thanks in advance for any help.

Overall Rating: 5 (2 ratings)
Correct Answer
Giuseppe Larosa Tue, 02/02/2010 - 08:20

Hello Johnny,


You can remove the match ip address 130 in the second route-map block; it is not needed.


or you can write a correct ACL like

access-list 130 permit ip any any


you could even remove the whole second block if you give preference to ISPB in BGP


router bgp yourASN


neigh ISPB-ipaddress weight 5000


Hope to help

Giuseppe

Correct Answer
Jon Marshall Tue, 02/02/2010 - 08:21

Johnny


Bear in mind that if there is no match in the acl attached to the route-map then the traffic is routed normally by consulting the routing table. So if all traffic is to go to provider B except voice the easiest thing to do is -


1) have a default static route pointing to provider B ie.


ip route 0.0.0.0 0.0.0.0 B.B.B.B


2) then just have the first entry for your route-map ie.


access-list 120 remark Filter for outbound to A
access-list 120 permit ip X.X.176.0 0.0.1.255 any
access-list 120 permit ip X.X.184.0 0.0.1.255 any


route-map outbound permit 10
description force traffic to A
match ip address 120
set ip next-hop A.A.A.A


Jon

johnny.schultz Tue, 02/02/2010 - 08:27

Jon:

The only issue with falling back to the routing table is that there are routes to both providers in the routing table if the traffic does not match the ACL. We want *all* traffic to go to B if it is not matched in the route map for provider A. Do I still need to use the route map to get the remainder of the traffic to provider B? I know this kind of doesn't make sense since we are overriding the BGP routes, but this is what I am being asked to do. Thanks for your help.

Jon Marshall Tue, 02/02/2010 - 08:30

Johnny


If you need to override the routing table for provider B traffic as well then yes you will need that second acl to match all the other traffic, as Giuseppe mentioned a "permit ip any any" will do the trick.


Jon

Giuseppe Larosa Tue, 02/02/2010 - 08:33

Hello Johnny, Jon

Could increasing the neighbor weight under BGP be an alternate solution?


probably not if provider A provides specific routes that are not provided by ISPB, that is a case of partial BGP tables.


if so using the second route-map block is needed to satisfy this requirement


I understand management they want to send voip traffic on one path and data on the other one.

And the return path?



Hope to help

Giuseppe

johnny.schultz Tue, 02/02/2010 - 08:46

The return path is provided by advertising the prefixes to the 2 providers.


I was also thinking instead about putting a route map on the outgoing interface of the voice provider, matching the voice, setting something like IP precedence to 5, then making a second statement to set the next-hop to the data provider.  That would work just as well right?


-Johnny

Giuseppe Larosa Tue, 02/02/2010 - 08:51

Hello Johnny,

you can add the set ip precedence 5 in the same PBR route-map in the first block


marking VoIP traffic is right and helps provider in providing QoS.


Hope to help

Giuseppe

Jon Marshall Tue, 02/02/2010 - 08:51

Johnny


You can't apply PBR to an outgoing interface, it has to be on an ingress interface.


Jon

johnny.schultz Tue, 02/02/2010 - 10:18

Thank you to John and Guislar for your responses, you both have helped me to resolve my issue.


-Johnny

johnny.schultz Wed, 02/03/2010 - 05:23

I have created the route map with the default route, however packets are still taking the BGP routes that are in the system.  What is the best way to override the BGP routes so that packets will take the route specified in the default route and route map?

Giuseppe Larosa Wed, 02/03/2010 - 12:43

Hello Johnny,

if you have implemented the second block in the route-map with set ip next-hop B.B.B.B it should work.


if with moderate traffic you can use

debug ip policy


to see why the PBR is not triggered


note:

without second block most specific routes are used first and default route towards B.B.B.B is used only if no specific route exists for packet destination.


Hope to help

Giuseppe
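
The forwarding behaviour discussed in this thread, modelled as an added Python example (not code from any poster): a packet that matches no route-map block is routed from the routing table, where a more specific BGP route beats the default. Assumptions: the 10.1.x.x subnets stand in for the masked X.X.176.0 and X.X.184.0 networks, the strings "A" and "B" stand in for A.A.A.A and B.B.B.B, and the routing-table entries are constructed.

```python
import ipaddress

def acl_match(src, entries):
    """Cisco wildcard match: bits set in the wildcard mask are ignored."""
    s = int(ipaddress.ip_address(src))
    for base, wildcard in entries:
        b = int(ipaddress.ip_address(base))
        w = int(ipaddress.ip_address(wildcard))
        if (s | w) == (b | w):
            return True
    return False  # implicit deny: source not permitted by this ACL

def rib_lookup(dst, rib):
    """Normal routing: longest-prefix match over (prefix, next_hop) pairs."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in rib
            if d in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def forward(src, dst, route_map, rib):
    """PBR on the ingress interface: the first matching block sets the
    next hop; a packet matching no block falls back to the routing table."""
    for acl, next_hop in route_map:
        if acl is None or acl_match(src, acl):  # None = block with no match clause
            return next_hop
    return rib_lookup(dst, rib)

# Constructed stand-ins for the thread's ACL 120 and ACL 130.
ACL_120 = [("10.1.176.0", "0.0.1.255"), ("10.1.184.0", "0.0.1.255")]
ACL_130 = [("0.0.0.0", "255.255.255.255")]  # equivalent to "permit ip any any"

# Constructed routing table: static default via B plus a specific BGP route via A.
RIB = [("0.0.0.0/0", "B"), ("198.51.100.0/24", "A")]

PBR_VOICE_ONLY = [(ACL_120, "A")]                 # route-map block 10 only
PBR_BOTH = [(ACL_120, "A"), (ACL_130, "B")]       # blocks 10 and 20

if __name__ == "__main__":
    data_src, voice_src = "10.1.10.5", "10.1.177.20"
    for name, rm in (("block 10 only", PBR_VOICE_ONLY), ("blocks 10+20", PBR_BOTH)):
        print(name,
              "| voice ->", forward(voice_src, "203.0.113.7", rm, RIB),
              "| data to 198.51.100.9 ->", forward(data_src, "198.51.100.9", rm, RIB),
              "| data to 203.0.113.7 ->", forward(data_src, "203.0.113.7", rm, RIB))
```

The model leaves out next-hop reachability checks and other conditions a real router applies before honouring `set ip next-hop`.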
