04-17-2012 08:55 PM - edited 03-04-2019 04:03 PM
I want to do PBR to match IP packets and set the next-hop IP.
I have 2 long ACLs to match the source and destination of the IP packets.
ip access-list extended ACL_DEST
permit ip any x.x.x.x y.y.y.y
ip access-list extended ACL_SOU
permit ip x.x.x.x y.y.y.y any
route-map PBR permit 10
match ip address ACL_DEST
match ip address ACL_SOU
set ip next-hop verify-availability x.x.x.x 1 track 1
!
route-map PBR permit 20
How do I set the route-map for AND logic to match both ACLs like above?
04-17-2012 09:55 PM
Hi,
Theoretically no, but I would try to use the "continue" statement; I haven't tested it:
route-map PBR permit 1
match ip address SRC
continue
!
route-map PBR permit 2
match ip address DST
continue
!
route-map PBR permit 3
match ip address SRC
set ip next-hop ....
The 3rd statement is for the case where the SRC does not match but the DST does: we verify the SRC once again and only then set the next hop. Once again, I did not test this.
Dan
04-17-2012 11:47 PM
My requirement is like this:
1) If the source IP matches, it will continue to check the destination IP.
2) If the source does not match, it will follow the default path and will not check whether the destination matches.
3) If both source and destination do not match, it will follow the default path.
So my config is like this?
route-map PBR permit 10
match ip address SRC
continue 30
!
route-map PBR permit 20
!
route-map PBR permit 30
match ip address DST
set ip next-hop .......
!
route-map PBR permit 40
04-18-2012 12:01 AM
Jackie,
The route-map has an implicit deny; this means that traffic that
is matched by the route-map will be forwarded as in the route-map's statement, and traffic that
is not matched will be forwarded according to the routing table.
So there is no need for a blank statement.
Dan
04-18-2012 12:07 AM
You mean I do not need to put "route-map PBR permit 40"?
04-18-2012 12:16 AM
Yes, no 40 and no 20.
The reason that I put 3, is that there is a case when the route-map will match the destination only and not the source - case in which you should not change the next-hop, so you will have to check once again the source in order to route it.
route-map PBR permit 1
match ip address SRC
continue
!
route-map PBR permit 2
match ip address DST
continue
!
route-map PBR permit 3
match ip address SRC
set ip next-hop ....
Dan
04-17-2012 11:32 PM
Hi Jackie,
Why don't you try to create just an ACL with the specific source/destination IPs?
e.g.
ip access-list extended ACL_SOURC_DEST
permit ip z.z.z.z a.a.a.a x.x.x.x y.y.y.y
With the source/dest IP you described above.
Is this the same that you are trying to achieve?
I have also never tried the "continue" in the route maps described above.
Hope that helps.
04-17-2012 11:47 PM
Because the ACLs are very long; if I write it like this, the ACL will be extremely long.
04-18-2012 08:56 AM
The suggestion given by Dan is interesting but is overly complex. Actually what you had in your original post would produce AND logic. With this
route-map PBR permit 10
match ip address ACL_DEST
match ip address ACL_SOU
set ip next-hop verify-availability x.x.x.x 1 track 1
the result would be that it must match both access lists before it would set the next hop. Failure to match either access list results in following normal routing.
HTH
Rick
04-18-2012 09:43 AM
Hi Rick,
You are right, if you have 2 or more different match statements the logic is AND, but my understanding on 2 or more matches of the same type (for example 2 ACLs, even though they are configured separately) is that the logic is OR.
"If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip address 101 121 command, a route is permitted if it is permitted by access list 101 or access list 121."
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml
Do you think this is not the case ?
Regards
Dan
04-18-2012 10:36 AM
Dan
When I wrote my response I thought that they were different and that it would work to produce AND logic as I wrote it. But I have tested and found that I was mistaken.
You are quite correct that even if it is input into config t as two separate match statements that IOS produces a single match statement with both access lists in that match statement which does operate OR logic.
My previous suggestion is in error and I withdraw it. Your suggestion is the one that would work.
+5 for you
HTH
Rick
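The OR behaviour Rick confirmed for two `match ip address` ACLs in one sequence, and the single source+destination ACL suggested earlier in the thread, modelled in Python as an added example (not code from the thread or from Cisco): ACL_SOU and ACL_DEST are constructed stand-ins, the parser only handles `permit ip` entries with contiguous wildcard masks, and `combine_acls` shows why the single-ACL approach grows as sources times destinations.

```python
import ipaddress
from itertools import product

# Constructed sample ACLs standing in for the thread's long ACL_SOU / ACL_DEST.
ACL_SOU = ["permit ip 10.1.0.0 0.0.255.255 any",
           "permit ip 10.2.5.0 0.0.0.255 any"]
ACL_DEST = ["permit ip any 192.0.2.0 0.0.0.255",
            "permit ip any 198.51.100.10 0.0.0.0"]

def _take_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    ip, wc = tokens[i], int(ipaddress.ip_address(tokens[i + 1]))
    if wc & (wc + 1):  # a contiguous wildcard mask is 2**k - 1
        raise ValueError(f"non-contiguous wildcard {tokens[i + 1]} not supported")
    return ipaddress.ip_network(f"{ip}/{32 - wc.bit_length()}", strict=False), i + 2

def parse_acl(lines):
    """'permit ip SRC DST' entries -> [(src_net, dst_net)]; only permit lines are modelled."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:2] != ["permit", "ip"]:
            continue
        src, i = _take_addr(t, 2)
        dst, _ = _take_addr(t, i)
        entries.append((src, dst))
    return entries

def acl_permits(entries, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def pbr_match_or(src, dst):
    """What IOS evaluates for 'match ip address ACL_DEST ACL_SOU': either ACL permitting is enough."""
    return acl_permits(parse_acl(ACL_DEST), src, dst) or acl_permits(parse_acl(ACL_SOU), src, dst)

def combine_acls(src_lines, dst_lines):
    """The single source+destination ACL: one entry per (source, destination) pair."""
    src_nets = [s for s, _ in parse_acl(src_lines)]
    dst_nets = [d for _, d in parse_acl(dst_lines)]
    return [f"permit ip {s.network_address} {s.hostmask} {d.network_address} {d.hostmask}"
            for s, d in product(src_nets, dst_nets)]

def pbr_match_and(src, dst):
    """AND logic via the combined ACL: only a listed source to a listed destination is policy-routed."""
    return acl_permits(parse_acl(combine_acls(ACL_SOU, ACL_DEST)), src, dst)
```

A packet from an unlisted source to a listed destination is policy-routed under the OR form but falls back to the routing table under the combined ACL, which is the difference the thread is about.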
04-18-2012 11:27 AM
Thank you Rick.
Dan