PBR with as-path

kongkong25155
Level 1

hi,

I'm trying to route a specific source subnet (internal, 192.168.1.65/29) so that traffic matching ASN (YYYY) is routed out to the ASN (yyyy) gateway:

if 192.168.1.65/29 match ASN(yyyy) nexthop ASN(yyyy) gateway
else
follow routing table/bgp table

I set up a PBR with the criteria below:

match source ip
match as-path 1
set ip next hop x.x.x.x

ip as-path access-list 1 permit ^yyyy$

I've tested it and it seems like all my traffic is routed to x.x.x.x even when I go to AS zzzz.

 

Below is my config:

interface TenGigabitEthernet0/0/0
 description *** to Internal ***
 mtu 9216
 ip address 1.1.1.1 255.255.255.252
 ip policy route-map PBR-VOICE

interface GigabitEthernet1/1/2
 description *** To ISP-A ***
 ip address 2.2.2.2 255.255.255.252

Standard IP access list VOICE
 10 permit 192.168.1.64 0.0.0.7

ip as-path access-list 1 permit ^yyyy$

route-map PBR-VOICE permit 10
 match ip address VOICE
 match as-path 1
 set ip next-hop 2.2.2.1


Richard Burts
Hall of Fame

I have several comments about your post:

- Why do you hide what you are specifying for as-path?

match as-path xx

xx is mostly used to disguise sensitive information. What is sensitive about the name of the access list? And then you post the as path access list showing that it is 1. Why obscure one and put the other into the post plainly?

- I am also wondering about this line

match source ip

It is not clear what you are matching here.

- I am surprised to see one entry (as-path) and a second entry (source ip) combined in a route map. Matching as-path implies that you are trying to control routing updates, but match ip implies that you are trying to control forwarding of user traffic. What are you really trying to accomplish here?

HTH

Rick

Thanks for replying.

I've edited my 1st post.

I have read your edited post and am still confused about what you are trying to accomplish. PBR is generally applied on an interface where traffic enters the router/switch. It uses a route map to select traffic and specify an alternate forwarding decision. It is fairly straightforward to say match subnet 192.168.1.64/29 and send it to next hop w.x.y.z. It is also common to use route maps in conjunction with BGP routing and where you might want to match on AS number. You seem to be putting them together. 

if 192.168.1.65/29 match ASN(yyyy) nexthop ASN(yyyy) gateway

What is the relationship between 192.168.1.64 and ASN(yyyy)?

HTH

Rick

Giuseppe Larosa
Hall of Fame

Hello @kongkong25155 ,

I agree with @Richard Burts: a route-map used for PBR is used to examine user traffic flows, so invoking a match as-path is misleading and it is likely not supported correctly.

If you match on the source IP address on your internal interface, how can that prefix match an as-path list that contains an AS number? How can the source address be learned in eBGP from ISP A when it is coming from your internal network? Unless there is a spoofing attack, it should not happen.

I would understand if you were trying to match the destination address, which may match your AS path access-list, but the source should not be able to match in any case.

I think that match is ignored in the route-map used for PBR and this explains what you see.

Hope to help

Giuseppe

Harold Ritter
Cisco Employee

Hi @kongkong25155 ,

The list of match commands that can be used for PBR is fairly limited. You can use the following commands:

  • match length
  • match ip address

Please refer to the following documentation page:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr.html#GUID-EE6D291D-C8E0-493A-B7E7-71FB4D606186

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
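As an added illustration of Harold's point (example code written for this page, not from the thread or from Cisco): a small Python model of IOS PBR route-map evaluation that honours only the supported match clauses, run against the poster's route-map and against an extended-ACL alternative that also matches the destination. The prefix 198.51.100.0/24 (a stand-in for a prefix announced by AS yyyy) and host 203.0.113.10 (a stand-in for a host in AS zzzz) are constructed values.

```python
import ipaddress

# Added example (not Cisco code): a small model of how an IOS PBR route-map is
# evaluated. PBR only honours "match ip address" and "match length"; any other
# clause, such as the poster's "match as-path 1", is not evaluated for user
# traffic, so the entry behaves as if that clause were absent.
PBR_SUPPORTED = {"ip address", "length"}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, pkt):
    """Top-down ACE evaluation (src, src_wc, dst, dst_wc); implicit deny."""
    return any(wildcard_match(pkt["src"], s, sw) and wildcard_match(pkt["dst"], d, dw)
               for s, sw, d, dw in acl)

def pbr_next_hop(route_map, acls, pkt):
    """Next hop set by the first matching permit entry, or None (normal routing)."""
    for entry in route_map:
        matched = True
        for kind, arg in entry["match"]:
            if kind not in PBR_SUPPORTED:
                continue                      # ignored by PBR (e.g. as-path)
            if kind == "ip address" and not acl_permits(acls[arg], pkt):
                matched = False
            if kind == "length" and not arg[0] <= pkt["length"] <= arg[1]:
                matched = False
        if matched:
            return entry["next_hop"]
    return None

# The poster's configuration: standard ACL VOICE matches any destination.
POSTER_ACLS = {"VOICE": [("192.168.1.64", "0.0.0.7", "0.0.0.0", "255.255.255.255")]}
POSTER_RMAP = [{"match": [("ip address", "VOICE"), ("as-path", "1")], "next_hop": "2.2.2.1"}]

# One workable direction: an extended ACL that also matches the destination.
# 198.51.100.0/24 is a constructed stand-in for a prefix announced by AS yyyy.
FIXED_ACLS = {"VOICE-TO-YYYY": [("192.168.1.64", "0.0.0.7", "198.51.100.0", "0.0.0.255")]}
FIXED_RMAP = [{"match": [("ip address", "VOICE-TO-YYYY")], "next_hop": "2.2.2.1"}]

if __name__ == "__main__":
    # Constructed packets: 203.0.113.10 stands in for a host in AS zzzz.
    to_zzzz = {"src": "192.168.1.66", "dst": "203.0.113.10", "length": 200}
    to_yyyy = {"src": "192.168.1.66", "dst": "198.51.100.7", "length": 200}
    print(pbr_next_hop(POSTER_RMAP, POSTER_ACLS, to_zzzz))  # 2.2.2.1 (as-path ignored)
    print(pbr_next_hop(FIXED_RMAP, FIXED_ACLS, to_zzzz))    # None -> routing table
    print(pbr_next_hop(FIXED_RMAP, FIXED_ACLS, to_yyyy))    # 2.2.2.1
```

The first result reproduces the symptom in the original post: every packet from 192.168.1.64/29 is redirected to 2.2.2.1 regardless of destination, because the as-path clause contributes nothing to the PBR decision.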