Policy Base Routing route-map AND OR logic

jackie_gx (Level 1)

I want to use PBR to match IP packets and set the next-hop IP.

I have 2 long ACLs to match the source and destination of the IP packets.

ip access-list extended ACL_DEST
  permit ip any x.x.x.x y.y.y.y
ip access-list extended ACL_SOU
  permit ip x.x.x.x y.y.y.y any

route-map PBR permit 10
 match ip address ACL_DEST
 match ip address ACL_SOU
 set ip next-hop verify-availability x.x.x.x 1 track 1
!
route-map PBR permit 20

How do I set the route-map for AND logic so that it matches both ACLs like above?



11 Replies

Hi,

Theoretically no, but I would try to use the "continue" statement; I haven't tested it:

route-map PBR permit 1
 match ip address SRC
 continue
!
route-map PBR permit 2
 match ip address DST
 continue
!
route-map PBR permit 3
 match ip address SRC
 set ip next-hop ....

The 3rd statement is for the case where the SRC does not match but the DST does: we verify the SRC once again and only then set the next hop. Once again, I did not test this.

Dan

My requirement is like this:

1) if the source IP matches, it will continue to check the destination IP.

2) if the source does not match, it will follow the default path and will not check whether the dest matches or not.

3) if both source and dest do not match, it will follow the default path.

So my config is like this?

route-map PBR permit 10
 match ip address SRC
 continue 30
!
route-map PBR permit 20
!
route-map PBR permit 30
 match ip address DST
 set ip next-hop .......
!
route-map PBR permit 40

Jackie,

The route-map has an implicit deny. This means that traffic that

              is matched by the route-map will be forwarded as in the route-map's statement;

              is not matched will be forwarded according to the routing table.

So there is no need for a blank statement.

Dan

Do you mean I do not need to put "route-map PBR permit 40"?

Yes, no 40 and no 20.

The reason that I put 3 is that there is a case where the route-map will match the destination only and not the source, in which case you should not change the next-hop, so you have to check the source once again in order to route it.

route-map PBR permit 1
 match ip address SRC
 continue
!
route-map PBR permit 2
 match ip address DST
 continue
!
route-map PBR permit 3
 match ip address SRC
 set ip next-hop ....

Dan

Hi Jackie,

Why don't you try to create just an ACL with the specific source/destination IPs?

e.g.

ip access-list extended ACL_SOURC_DEST
  permit ip z.z.z.z a.a.a.a x.x.x.x y.y.y.y

with the source/dest IPs you described above.

Is this the same thing that you are trying to achieve?

I have also never tried the "continue" in the route maps described above.

Hope that helps.

Because the ACL is very long; if I write it like this, the ACL will be extremely long.

The suggestion given by Dan is interesting but is overly complex. Actually, what you had in your original post would produce AND logic. With this

route-map PBR permit 10
 match ip address ACL_DEST
 match ip address ACL_SOU
 set ip next-hop verify-availability x.x.x.x 1 track 1

the result would be that it must match both access lists before it would set the next hop. Failure to match either access list results in following normal routing.

HTH

Rick


Hi Rick,

You are right, if you have 2 or more different match statements the logic is AND, but my understanding is that on 2 or more matches of the same type (for example 2 ACLs, even though they are configured separately) the logic is OR.

"If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip address 101 121 command, a route is permitted if it is permitted by access list 101 or access list 121."

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml

Do you think this is not the case ?

Regards

Dan

Dan

When I wrote my response I thought that they were different and that it would work to produce AND logic as I wrote it. But I have tested and found that I was mistaken.

You are quite correct that even if it is input into config t as two separate match statements that IOS produces a single match statement with both access lists in that match statement which does operate OR logic.

My previous suggestion is in error and I withdraw it. Your suggestion is the one that would work.

+5 for you

HTH

Rick

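To make the thread's conclusion concrete, here is an added Python simulation (not code from the thread, from Cisco, or from any poster) of how an IOS-style route-map evaluates a packet: every `match ip address` line is an OR across the ACLs it lists, sequences are tried in order, and a packet that matches no sequence falls to the routing table (the implicit deny Dan describes). The ACL names ACL_SOU, ACL_DEST and ACL_SOURC_DEST come from the posts above; the prefixes, the next hop and the sample packets are constructed for this example, and `verify-availability`/`track` is not modelled. It shows what Rick found when he tested: the two match lines of sequence 10 are stored as one line listing both ACLs, so destination-only and source-only packets are also sent to the next hop, whereas the single ACL that carries both source and destination gives the intended AND.

```python
"""Simulate IOS-style PBR route-map evaluation for a single packet.
Constructed example: prefixes, next hop and packets are sample values."""
from ipaddress import ip_address, ip_network

# Extended ACLs as (action, source network, destination network).
# IOS "any" corresponds to 0.0.0.0/0 here.  Constructed sample prefixes.
ACLS = {
    "ACL_SOU":        [("permit", "10.1.1.0/24", "0.0.0.0/0")],
    "ACL_DEST":       [("permit", "0.0.0.0/0",   "192.0.2.0/24")],
    # One ACL carrying both source and destination, as suggested in the thread.
    "ACL_SOURC_DEST": [("permit", "10.1.1.0/24", "192.0.2.0/24")],
}

NEXT_HOP = "203.0.113.1"   # constructed; stands in for the x.x.x.x in the thread

# Sequence 10 as IOS stores it after the two 'match ip address' lines are
# entered: a single match line that lists both ACLs (what Rick observed).
ROUTE_MAP_AS_STORED = [(10, ["ACL_DEST", "ACL_SOU"], NEXT_HOP)]

# The alternative design: one sequence matching the combined ACL.
ROUTE_MAP_COMBINED = [(10, ["ACL_SOURC_DEST"], NEXT_HOP)]


def ios_merge_match_lines(sequence_lines):
    """Return the single 'match ip address' line that results when a
    sequence is entered with several 'match ip address' lines."""
    acl_names = []
    for line in sequence_lines:
        tokens = line.split()
        if tokens[:3] == ["match", "ip", "address"]:
            acl_names.extend(tokens[3:])
    return "match ip address " + " ".join(acl_names)


def acl_permits(acl_name, src, dst):
    """The first entry whose source and destination both cover the packet
    decides; running off the end of the list is the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in ACLS[acl_name]:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action == "permit"
    return False


def match_line_permits(acl_names, src, dst):
    """One 'match ip address A B ...' line: the packet matches if ANY of the
    listed ACLs permits it (logical OR), as the Cisco note quoted above says."""
    return any(acl_permits(name, src, dst) for name in acl_names)


def pbr_next_hop(route_map, src, dst):
    """Walk the sequences in order; the first whose match line permits the
    packet supplies the next hop.  No sequence matching is the route-map's
    implicit deny: return None, meaning 'forward via the routing table'."""
    for _seq, acl_names, next_hop in route_map:
        if match_line_permits(acl_names, src, dst):
            return next_hop
    return None


if __name__ == "__main__":
    print(ios_merge_match_lines(["match ip address ACL_DEST",
                                 "match ip address ACL_SOU"]))
    packets = [("10.1.1.5", "192.0.2.9"),     # source and destination match
               ("10.9.9.9", "192.0.2.9"),     # destination only
               ("10.1.1.5", "198.51.100.1"),  # source only
               ("10.9.9.9", "198.51.100.1")]  # neither
    for src, dst in packets:
        print(src, "->", dst,
              "| two ACLs on one match line:", pbr_next_hop(ROUTE_MAP_AS_STORED, src, dst),
              "| combined ACL:", pbr_next_hop(ROUTE_MAP_COMBINED, src, dst))
```

Running it prints the merged match line and, for each sample packet, the next hop chosen by both designs; only the combined-ACL route-map returns None (normal routing) for the destination-only and source-only packets. The simulation also makes the operational point behind the thread visible: a policy that silently widens from AND to OR redirects traffic the author never meant to redirect, so a PBR change is worth checking against packets that match only one side before it is deployed.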

Thank you Rick.

Dan
