PBR match issue

michaelbl
Level 1

Hi,

I am trying to get PBR to work and be scalable.

I have this situation (example):

I want to policy route packets with a source of 192.168.1.0/24 and a destination of 172.16.8.0/24 to 10.10.1.1

So I can do this:

access-list 199 permit ip 192.168.1.0 0.0.0.255 172.16.8.0 0.0.0.255

route-map TEST1 permit 10
     match ip address 199
     set ip next-hop 10.10.1.1

and this works.

But I would like to set up a way so I don't have tons of these kinds of access lists. What I'd like to be able to do is to specify one access list for the source and another for the destination. The docs say that I should be able to put multiple match statements in and they work as an AND and both must be true for the match to occur. However, when I do this, the first match occurs and the route map uses the set command whether or not the 2nd match is there.

so:

access-list 190 permit ip 192.168.1.0 0.0.0.255 any
access-list 191 permit ip any 172.16.8.0 0.0.0.255

route-map TEST1 permit 10
     match ip address 190
     match ip address 191
     set ip next-hop 10.10.1.1

This matches everything with a source of 192.168.1.0/24 regardless of the destination.

Does anyone understand what I am doing wrong?

Thanks.

1 Reply

Stephane Bonnet
Level 1

Hi Michael,

You match the first entry, then you execute the "set" statement.

You can try chaining with the "continue" statement to do what you want. Try it like this:

access-list 190 permit ip 192.168.1.0 0.0.0.255 any
access-list 191 permit ip any 172.16.8.0 0.0.0.255

route-map TEST1 permit 10
     match ip address 190
     continue 20

route-map TEST1 permit 20
     match ip address 191
     set ip next-hop 10.10.1.1

Cisco Doc extract:

---------------------------

Match Operations with Continue Clauses

If a match clause does not exist in the route-map entry but a continue clause does, the continue clause will be automatically executed and go to the specified route-map entry. If a match clause exists in a route-map entry, the continue clause is executed only when a successful match occurs. When a successful match occurs and a continue clause exists, the route map executes the set clauses and then goes to the specified route-map entry. If the next route map contains a continue clause, the route map will execute the continue clause if a successful match occurs. If a continue clause does not exist in the next route map, the route map will be evaluated normally. If a continue clause exists in the next route map but a match does not occur, the route map will not continue and will "fall through" to the next sequence number if one exists.

---------------------------

HTH

Stephane
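
Added example, not part of the original thread or of Cisco's documentation: a Python model of the two route-map variants from the question, assuming the IOS rule that several match clauses of the same type in one route-map entry are alternatives (logical OR), while clauses of different types are ANDed. The function names and sample packets are constructed for illustration; it shows which flows each variant would steer to the next hop.

```python
# Added illustration: ACL wildcard matching plus route-map entry evaluation.
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard mask leaves at 0."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

ANY = ("0.0.0.0", "255.255.255.255")  # the ACL keyword "any"

# ACLs from the thread: number -> ((source, wildcard), (destination, wildcard)).
# Each has a single permit line followed by the implicit deny.
ACLS = {
    199: (("192.168.1.0", "0.0.0.255"), ("172.16.8.0", "0.0.0.255")),
    190: (("192.168.1.0", "0.0.0.255"), ANY),
    191: (ANY, ("172.16.8.0", "0.0.0.255")),
}

def acl_permits(acl, src, dst):
    (s_base, s_wc), (d_base, d_wc) = ACLS[acl]
    return wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc)

def entry_matches(acls, src, dst):
    """Assumed rule: ACLs listed under 'match ip address' in one entry are ORed."""
    return any(acl_permits(a, src, dst) for a in acls)

def policy_routed(acls, packets):
    """Packets for which the entry's set clause (next hop) would be applied."""
    return [(s, d) for s, d in packets if entry_matches(acls, s, d)]

# Constructed sample flows: both match, source only, destination only, neither.
PACKETS = [
    ("192.168.1.10", "172.16.8.20"),
    ("192.168.1.10", "8.8.8.8"),
    ("10.0.0.5", "172.16.8.20"),
    ("10.0.0.5", "8.8.8.8"),
]

if __name__ == "__main__":
    print("match ip address 199     ->", policy_routed([199], PACKETS))
    print("match ip address 190 191 ->", policy_routed([190, 191], PACKETS))
```

Under that assumption, the combined source-and-destination ACL 199 steers only the first flow, while the 190/191 entry also steers traffic that matches just one of the two lists.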
