Solved: pbr route-map problems

petro-2005 · ‎02-14-2022

Hi everyone.

I have a route-map with pbr rules on my asr router. There is a need to process with "and" logic two different acls with one route-map rule. But when i try to configure two

match ip address

rules router processes it with "or" logic. Also "continue" key didn`t work right in my route-map chain when i tried to commit "go to" logic to skip some rules. Are there any solutions?

Richard Burts · ‎02-14-2022

It seems to me that what you are looking for might be object groups used in access lists. I hope this link has information that will be helpful

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-data-acl-xe-3e-book/sec-data-acl-xe-3e-book_chapter_01011.html

HTH

Rick

View solution in original post

Georg Pauwen · ‎02-14-2022

Hello,

post the route map you have configured. Is this on XR ?

petro-2005 · ‎02-14-2022

Router cisco ASR1006 (RP2) with IOS XE

Cisco IOS XE Software, Version 03.16.08.S

Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.5(3)S8, RELEASE SOFTWARE (fc2)

For example, 2 different acls (because one has source addresses, second has destination. two acls A+B count of rules, one acl A*B count of rules):

ip access-list standard SOCIALSUBS
permit 192.168.0.0 0.0.0.255

permit 192.168.1.0 0.0.0.255

ip access-list extended SOCIALNETS

permit ip any 5.61.16.0 0.0.7.255
permit ip any 5.181.61.0 0.0.0.255
permit ip any 79.137.139.0 0.0.0.255
permit ip any 79.137.164.0 0.0.0.255
permit ip any 79.137.180.0 0.0.0.255
permit ip any 87.240.128.0 0.0.63.255
permit ip any 93.186.224.0 0.0.15.255
permit ip any 95.142.192.0 0.0.15.255
permit ip any 95.213.0.0 0.0.127.255
permit ip any 185.32.248.0 0.0.3.255
permit ip any 185.226.52.0 0.0.3.255
permit ip any 45.136.20.0 0.0.3.255
permit ip any 193.203.40.0 0.0.3.255
permit ip any 217.20.144.0 0.0.15.255
permit ip any 95.163.39.80 0.0.0.7
permit ip any 95.163.42.64 0.0.0.63




I want this route-map to redistribute route only if both conditions in two alcs are matched.




route-map LAN permit  10

match ip address SOCIALSUBS SOCIALNETS

set ip next-hop 10.10.5.2
route-map LAN permit 20
set interface Null0




doesn`t work (works with logic "OR", not "AND")




Second try with key "continue":




route-map LAN permit  10

match ip address SOCIALSUBS

continue 30

route-map LAN permit 20
set interface Null0

route-map LAN permit  30

match ip address SOCIALNETS

set ip next-hop 10.10.5.2

doesn`t work too (no matches in permit 30 sequence)

Georg Pauwen · ‎02-14-2022

Hello,

so basically, you want a logical AND to match both access lists. I don't think PBR lets you do that at all, as multiple ACLs always result in an OR.

--> A

match

command can match on length or multiple ACLs. A route map statement can contain multiple

 match

commands. Logical or algorithm function is performed across all the

match

commands to reach a permit or deny decision.

Meaning that the best you can do is:

route-map LAN permit 10
match ip address SOCIALSUBS
set ip next-hop 10.10.5.2
!
route-map LAN permit 20
match ip address SOCIALNETS
set ip next-hop 10.10.5.2
!
route-map LAN permit 20
set interface Null0

petro-2005 · ‎02-14-2022

This route-map will redirect all packets from source addresses from SOCIALSUBS acl and all packets to destination addresses from SOCIALNETS acl to next-hop 10.10.5.2

My purpose is to redirect packets ONLY from source addresses from SOCIALSUBS acl to destination addresses from SOCIALNETS acl to next-hop 10.10.5.2

paul driver · ‎02-14-2022

Hello

Can you elaborate on this please, if no match is match made on the first stanza then pbr logic will proceed to the next, maybe you just need to review your acl logic in relation to using PBR?

Can you post both the acl and pbr config please?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

petro-2005 · ‎02-14-2022

Hello, posted above your message

paul driver · ‎02-14-2022

Hello

From what you post you should only need to apply the SOCIALNETS acl to a single route-map the standard acl isn’t required

Then apply that pbr route-map to the L3svi of that particular subnet which hosts it and IF that L3svi has a large subnet range which incorporates both 192.168.0./24 and 192.168.1.0/24 then amend the extended acl to specify those particular subnets as source then that should do the trick!

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

petro-2005 · ‎02-14-2022

This is ASR router, not l3 switch, there are no l3svi interfaces. This router accepts subnets from other routers with OSPF process. Subnets 192.168.0.0/24 and 192.168.1.0/24 were mentioned as an example. In practice there are many single ip addresses from many different subnets in SOCIALSUBS acl.

paul driver · ‎02-14-2022

Hello
TBH its irrelevant if its a SVI or not, The route-map will be applied to a routed interface (switch/rtr) and the same logic applied.

Example: (192.168.0.0/24 & 192.168.1.0/24)

ip access-list extended SOCIALNETS
permit ip 192.168.0.0 0.0.1.255 5.61.16.0 0.0.7.255
permit ip 192.168.0.0 0.0.1.255 5.181.61.0 0.0.0.255

etc..

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

petro-2005 · ‎02-14-2022

I got it. You mean that I need to write one extended acl with all source and all destinations. But this acl will be very big. I mentioned about it above. acl with source ip address has 100 entries, acl with destination has 100 entries. If I use only one extended acl there will be 10000 entries in this acl. If I use two acls there will be total 200 entries. Big difference. And single acl will be increasing exponentially.

paul driver · ‎02-14-2022

Hello
At this point we were only discussing the acl and route-map logic, now you are mentioning the size of the acl , I take it then SOCIALNETS acl you posted was just snippet of the overall acl you currently have applied?
Obviously if you have a very large amount of access-control-entries (ACE) to go into a access-list then it would be an administrative burden to update it plus as you so rightly state the cpu/memory overhead of trawling through it, Although seems your rtr would support such long access-list I guess it isn't viable?

You could have other options, Such as:

Apply a deny PBR stanza instead to catch the “other” non in scope traffic not to be PBR’d and then permit all if the acl for that would be much smaller.
Utilize turbo access-lists (but I don’t think your rtr supports this feature)
Reverse the primary link on the router so all traffic default routes via this next hop and then PBR non inscope traffic via now the secondary (was primary) link, (this is a bit of a drastic approach but feasible)

May I ask why you need to PBR such a large amount of traffic

Edited: Just realized why would you have 10000 entries?
Are you NOT going to source/destination via the subnets like you are dong in the snippet from your OP?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

petro-2005 · ‎02-14-2022

I work in service provider, there are a lot of options on the router. Already configured several deny entries in route-map that passthrough packets to standart routing, several permit entries that redirect packets to servers. Unfortunately turbo acl not supported. Seems to be the only way to solve this problem is to redirect packets with one acl in that route-map to the server, make one more physical link from server to router, and add extended acl to new link on input direction.

About the edited part: ip addresses belong to different subscribers from different networks, can't process them as the whole network. Subs ip addresses are added to acls with billing system. Destination ip addresses are the addresses of different web sites that renew every day, must be added to acl automatically too.

Richard Burts · ‎02-14-2022

It seems to me that what you are looking for might be object groups used in access lists. I hope this link has information that will be helpful

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-data-acl-xe-3e-book/sec-data-acl-xe-3e-book_chapter_01011.html

HTH

Rick

petro-2005 · ‎02-15-2022

You're genius!! It works! Thank you very much, spend a lot of time.

Next config works right:

route-map LAN permit 10
match ip address SOCIALOBJECT

set ip next-hop 10.10.5.2
!
route-map LAN permit 20
set interface Null0
!
ip access-list extended SOCIALOBJECT
permit object-group SOCIALPORT object-group SOCIALHOST object-group SOCIALNET
!
object-group service SOCIALPORT
ip
!
object-group network SOCIALHOST
host 10.20.10.5
host 10.30.10.5
!
object-group network SOCIALNET
109.207.0.0 255.255.240.0
host 87.250.250.242
!