Match statement in PBR

Mehdi Talei · ‎05-18-2012

I am trying to implement PBR in order to route certain trafic to a specific destination, but it seems that match statement in route-map is not working as I would like to! The topology is in attachment and router configs are as below:

Router1:

interface GigabitEthernet0

ip address 10.8.20.30 255.255.255.0

ip virtual-reassembly

ip tcp adjust-mss 1200

ip policy route-map PBR1

duplex auto

speed auto

standby 20 ip 10.8.20.15

standby 20 priority 120

standby 20 preempt

!

route-map PBR1 permit 10

match ip address ACL1

set tag 180

!

route-map PBR1 permit 15

match tag 181

!

route-map PBR1 permit 20

match ip address ACL2

set ip next-hop 10.8.20.40

!

ip access-list extended ACL1

permit ip A.A.A.A 0.0.0.255 C.C.C.C 0.0.0.255

!

ip access-list extended ACL2

permit ip B.B.B.B 0.0.0.255 C.C.C.C 0.0.0.255

Router2:

interface GigabitEthernet0

ip address 10.8.20.40 255.255.255.0

ip tcp adjust-mss 1200

ip policy route-map PBR2

duplex auto

speed auto

standby 20 ip 10.8.20.15

standby 20 preempt

!

route-map PBR2 permit 5

match ip address ACL2

set tag 181

!

route-map PBR2 permit 10

match tag 180

!

route-map PBR2 permit 20

match ip address ACL1

set ip next-hop 10.8.20.30

!

ip access-list extended ACL1

permit ip A.A.A.A 0.0.0.255 C.C.C.C 0.0.0.255

!

ip access-list extended ACL2

permit ip B.B.B.B 0.0.0.255 C.C.C.C 0.0.0.255

Here is the situation, Router1 is active in HSRP, so it receives all the packets no matter what the source is! When it receives a packet from network B.B.B.B destined to network C.C.C.C, it is supposed to send it to Router2 because of statement 20 of PBR1, but instead of doing that, statement 20 of PBR1 accept the packet and route it via Router1!

Basically Tag 181 is when the packet is from ACL2 and has already entered Router2, while the packet source from network B.B.B.B never entered Router2, so it is not tagged 181 to be routed by statement 20 of PBR1.

Your help is most appreciated that I understand what's going on here :-)

Kishore Chennupati · ‎05-18-2012

ok are you sure that the source ip address is B.B.B.B that is entering the interface on the R1? because I can see there is a FW in the middle. Is it not doing any NAT or anything. Essentialy what I am saying is that the source ip address needs to be intact when it hits R1. If this is a test lab or something you can do a debug ip packet with a condition and see what is the source ip address coming into the R1 router. PBR would only kick in if it sees B.B.B.B as the source.

HTH

Kishore

kunalgandhi · ‎05-19-2012

Try to change the route map sequence as shown below on Router R1 & share the result.

route-map PBR1 permit 10

match ip address ACL1

set tag 180

!

route-map PBR1 permit 15

match ip address ACL2

set ip next-hop 10.8.20.40

!

route-map PBR1 permit 20

match tag 181

Regards,

Kunal

Mehdi Talei · ‎05-21-2012

@Kishore, no NAT is used in this scenario! All addresses are real.

@Kunal, great hint! The problem with this solution is that, when the connection of Router2 to the destination C.C.C.C is down, the default route will be on Router1, then all the trafic no matter the source wil go via Router1.

So the statement 15 of PBR1 sends the packet to Router2, Router2 has no route to reach the network C.C.C.C and send the packet back to Router1 and Router1 will send back the packet to Router2 because of the same statement 15 of PBR1 and a loop will be generated! I put "match tag 181" the second statement to avoid this loop actually!

cadet alain · ‎05-21-2012

Hi,

As far as I know, the match tag and set tag statement are not supported in PBR and I think that's the reason why it is not working.

Regards.

Alain

Don't forget to rate helpful posts.

Mehdi Talei · ‎05-22-2012

I lost 3 days on something which exist but not supported! Not really brilliant but typical Cisco!

Thanks Alain for the hint! Do you know any other alternative to replace tagging within PBR?

Sergey Fer · ‎05-22-2012

Tagging is for route-tagging. Routing protocol packets can carry tags, not IP packets themselves. If you wish to "color" your IP packets, you might use IP Precedense or DSCP. It is not for that task, of course, but you can use them. But be carefull - you also can't set IPP/DSCP with route-map. You need to use policy-map for that

Mehdi Talei · ‎05-23-2012

Thanks for clarification Sergey.

As you mentioned I won't be able to use policy-map in this context! Is there any other alternative?

Sergey Fer · ‎05-24-2012

Please, let me know why do not you simply put

match ACL

set ip next-hop

in your route-maps (it is 20th permits in your current route-maps)?

Mehdi Talei · ‎05-24-2012

Because when the connection of Router2 to the destination C.C.C.C is down, the default route will be on Router1, then all the trafic no matter the source wil go via Router1.

So the statement 15 of PBR1 sends the packet to Router2, Router2 has no route to reach the network C.C.C.C and send the packet back to Router1 and Router1 will send back the packet to Router2 because of the same statement 15 of PBR1 and a loop will be generated! I put "match tag 181" the second statement to avoid this loop actually!

Kishore Chennupati · ‎05-24-2012

Hi Mehdi,

Can you modify your route-map to the below and test.

route-map PBR1 permit 10

match ip address ACL2

set ip next-hop 10.8.20.40

HTH

Kishore