Match statement in PBR

I am trying to implement PBR in order to route certain traffic to a specific destination, but it seems that the match statement in the route-map is not working as I would like! The topology is in the attachment and the router configs are as below:

Router1:

interface GigabitEthernet0
 ip address 10.8.20.30 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 ip policy route-map PBR1
 duplex auto
 speed auto
 standby 20 ip 10.8.20.15
 standby 20 priority 120
 standby 20 preempt
!
route-map PBR1 permit 10
 match ip address ACL1
 set tag 180
!
route-map PBR1 permit 15
 match tag 181
!
route-map PBR1 permit 20
 match ip address ACL2
 set ip next-hop 10.8.20.40
!
ip access-list extended ACL1
 permit ip A.A.A.A 0.0.0.255 C.C.C.C 0.0.0.255
!
ip access-list extended ACL2
 permit ip B.B.B.B 0.0.0.255 C.C.C.C 0.0.0.255

Router2:

interface GigabitEthernet0
 ip address 10.8.20.40 255.255.255.0
 ip tcp adjust-mss 1200
 ip policy route-map PBR2
 duplex auto
 speed auto
 standby 20 ip 10.8.20.15
 standby 20 preempt
!
route-map PBR2 permit 5
 match ip address ACL2
 set tag 181
!
route-map PBR2 permit 10
 match tag 180
!
route-map PBR2 permit 20
 match ip address ACL1
 set ip next-hop 10.8.20.30
!
ip access-list extended ACL1
 permit ip A.A.A.A 0.0.0.255 C.C.C.C 0.0.0.255
!
ip access-list extended ACL2
 permit ip B.B.B.B 0.0.0.255 C.C.C.C 0.0.0.255

Here is the situation: Router1 is active in HSRP, so it receives all the packets no matter what the source is! When it receives a packet from network B.B.B.B destined to network C.C.C.C, it is supposed to send it to Router2 because of statement 20 of PBR1, but instead of doing that, statement 20 of PBR1 accepts the packet and routes it via Router1!

Basically Tag 181 is when the packet is from ACL2 and has already entered Router2, while the packet source from network B.B.B.B never entered Router2, so it is not tagged 181 to be routed by statement 20 of PBR1.

Your help in understanding what's going on here is most appreciated :-)

10 REPLIES

Match statement in PBR

OK, are you sure that the source IP address entering the interface on R1 is B.B.B.B? Because I can see there is a FW in the middle. Is it not doing any NAT or anything? Essentially what I am saying is that the source IP address needs to be intact when it hits R1. If this is a test lab or something, you can do a debug ip packet with a condition and see what source IP address is coming into the R1 router. PBR would only kick in if it sees B.B.B.B as the source.

HTH

Kishore

Match statement in PBR

Try to change the route map sequence as shown below on Router R1 & share the result.

route-map PBR1 permit 10
 match ip address ACL1
 set tag 180
!
route-map PBR1 permit 15
 match ip address ACL2
 set ip next-hop 10.8.20.40
!
route-map PBR1 permit 20
 match tag 181

Regards,

Kunal

Match statement in PBR

@Kishore, no NAT is used in this scenario! All addresses are real.

@Kunal, great hint! The problem with this solution is that, when the connection of Router2 to the destination C.C.C.C is down, the default route will be on Router1, and then all the traffic, no matter the source, will go via Router1.

So statement 15 of PBR1 sends the packet to Router2, Router2 has no route to reach the network C.C.C.C and sends the packet back to Router1, and Router1 will send the packet back to Router2 because of the same statement 15 of PBR1, and a loop will be generated! I put "match tag 181" as the second statement to avoid this loop, actually!

Match statement in PBR

Hi,

As far as I know, the match tag and set tag statements are not supported in PBR, and I think that's the reason why it is not working.

Regards.

Alain

Don't forget to rate helpful posts.
Match statement in PBR

I lost 3 days on something which exists but is not supported! Not really brilliant, but typical Cisco!

Thanks Alain for the hint! Do you know any other alternative to replace tagging within PBR?

Match statement in PBR

Tagging is for route tagging. Routing protocol packets can carry tags, not IP packets themselves. If you wish to "color" your IP packets, you might use IP Precedence or DSCP. They are not for that task, of course, but you can use them. But be careful: you also can't set IPP/DSCP with a route-map. You need to use a policy-map for that.

Match statement in PBR

Thanks for clarification Sergey.

As you mentioned, I won't be able to use a policy-map in this context! Is there any other alternative?

Match statement in PBR

Please let me know why you do not simply put

match ACL
set ip next-hop

in your route-maps (it is the 20th permit in your current route-maps)?

Match statement in PBR

Because when the connection of Router2 to the destination C.C.C.C is down, the default route will be on Router1, and then all the traffic, no matter the source, will go via Router1.

So statement 15 of PBR1 sends the packet to Router2, Router2 has no route to reach the network C.C.C.C and sends the packet back to Router1, and Router1 will send the packet back to Router2 because of the same statement 15 of PBR1, and a loop will be generated! I put "match tag 181" as the second statement to avoid this loop, actually!
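The first-match evaluation of the route-maps above, the effect of `match tag` in a PBR map, and the bounce between the two routers that Mehdi describes, modelled in Python. This is an added example, not code from the thread or from Cisco. It assumes documentation prefixes in place of the thread's A.A.A.A, B.B.B.B and C.C.C.C, and it models `match tag` as a clause PBR cannot evaluate on a data packet and therefore ignores (so a sequence with only that clause matches everything), which is consistent with Alain's and Sergey's replies and with the behaviour Mehdi observed. Normal routing is reduced to one fact per router: whether it reaches C directly or falls back to a default route via the other router.

```python
"""Model of first-match route-map evaluation for PBR on the two routers."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder prefixes standing in for A.A.A.A, B.B.B.B, C.C.C.C.
NET_A = ip_network("192.0.2.0/24")
NET_B = ip_network("198.51.100.0/24")
NET_C = ip_network("203.0.113.0/24")
SRC_A, SRC_B, DST_C = ip_address("192.0.2.7"), ip_address("198.51.100.7"), ip_address("203.0.113.9")

# "ip access-list extended ACLn / permit ip <src> <dst>" as (src_net, dst_net) pairs.
ACLS = {"ACL1": [(NET_A, NET_C)], "ACL2": [(NET_B, NET_C)]}

ROUTER1, ROUTER2 = "10.8.20.30", "10.8.20.40"
ADDR_TO_ROUTER = {ROUTER1: "Router1", ROUTER2: "Router2"}


@dataclass
class Seq:
    """One 'route-map NAME permit SEQ' entry."""
    seq: int
    match_acl: Optional[str] = None      # match ip address ACL
    match_tag: Optional[int] = None      # match tag N (route attribute, not testable on a packet)
    set_next_hop: Optional[str] = None   # set ip next-hop X
    set_tag: Optional[int] = None        # set tag N (no effect on packet forwarding)


def acl_permits(acl, src, dst):
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def pbr_next_hop(route_map, src, dst):
    """Return the next hop PBR selects, or None for ordinary routing.

    Sequences are evaluated in order; the first matching permit wins.
    'match tag' is modelled as ignored (assumption, see lead-in), so a
    sequence whose only clause is 'match tag' has no effective clause and
    matches every packet. A matching sequence without 'set ip next-hop'
    hands the packet to ordinary routing.
    """
    for entry in route_map:
        clauses = []
        if entry.match_acl is not None:
            clauses.append(acl_permits(ACLS[entry.match_acl], src, dst))
        # entry.match_tag deliberately not evaluated: IP packets carry no tag
        if all(clauses):  # all([]) is True: no effective clause -> match all
            return entry.set_next_hop
    return None


# Router1's PBR1 exactly as posted in the question.
PBR1_ORIGINAL = [
    Seq(10, match_acl="ACL1", set_tag=180),
    Seq(15, match_tag=181),
    Seq(20, match_acl="ACL2", set_next_hop=ROUTER2),
]
# Kunal's reordering.
PBR1_REORDERED = [
    Seq(10, match_acl="ACL1", set_tag=180),
    Seq(15, match_acl="ACL2", set_next_hop=ROUTER2),
    Seq(20, match_tag=181),
]
# Router2's PBR2 as posted.
PBR2 = [
    Seq(5, match_acl="ACL2", set_tag=181),
    Seq(10, match_tag=180),
    Seq(20, match_acl="ACL1", set_next_hop=ROUTER1),
]


def trace(pbr1, router2_link_up, src, dst, max_hops=6):
    """Follow a packet entering at Router1 (HSRP active) until delivered.

    Ordinary routing: Router1 always reaches C directly; Router2 reaches C
    directly only while its link is up, otherwise its default route points
    back at Router1. 'ip policy' is applied on Gi0 of whichever router the
    packet enters, including when it is bounced back. Returns (path, looped).
    """
    maps = {"Router1": pbr1, "Router2": PBR2}
    normal = {"Router1": "C", "Router2": "C" if router2_link_up else ROUTER1}
    here, path = "Router1", ["Router1"]
    for _ in range(max_hops):
        nh = pbr_next_hop(maps[here], src, dst) or normal[here]
        if nh == "C":
            return path + ["C"], False
        here = ADDR_TO_ROUTER[nh]
        path.append(here)
    return path, True  # hop budget exhausted: forwarding loop between the routers


if __name__ == "__main__":
    print("original, B->C, R2 up  :", trace(PBR1_ORIGINAL, True, SRC_B, DST_C))
    print("reordered, B->C, R2 up :", trace(PBR1_REORDERED, True, SRC_B, DST_C))
    print("reordered, B->C, R2 down:", trace(PBR1_REORDERED, False, SRC_B, DST_C))
```

With the posted PBR1, B-to-C traffic hits sequence 15, which has no effective match clause and no next-hop, so Router1 forwards it itself; with Kunal's ordering it reaches Router2, and once Router2 loses its path to C the trace bounces Router1, Router2, Router1, ... until the hop budget runs out, which is the loop Mehdi wanted the tag to prevent.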

Match statement in PBR

Hi Mehdi,

Can you modify your route-map to the below and test?

route-map PBR1 permit 10
 match ip address ACL2
 set ip next-hop 10.8.20.40

HTH

Kishore
