08-24-2021 08:30 PM - edited 08-24-2021 10:42 PM
Hi,
I'm trying to route a specific source subnet (internal, 192.168.1.65/29) that matches ASN(YYYY) and route it out to the ASN(yyyy) gateway.
if 192.168.1.65/29 match ASN(yyyy) nexthop ASN(yyyy) gateway
else
follow routing table/bgp table
I set up a PBR with the criteria below:
match source ip
match as-path 1
set ip next hop x.x.x.x
ip as-path access-list 1 permit ^yyyy$
I've tested it and it seems like all my traffic is routed to x.x.x.x even when I go to AS zzzz.
Below is my config:
interface TenGigabitEthernet0/0/0
 description *** to Internal ***
 mtu 9216
 ip address 1.1.1.1 255.255.255.252
 ip policy route-map PBR-VOICE
!
interface GigabitEthernet1/1/2
 description *** To ISP-A ***
 ip address 2.2.2.2 255.255.255.252
!
Standard IP access list VOICE
 10 permit 192.168.1.64 0.0.0.7
!
ip as-path access-list 1 permit ^yyyy$
!
route-map PBR-VOICE permit 10
 match ip address VOICE
 match as-path 1
 set ip next-hop 2.2.2.1
08-24-2021 10:14 PM
I have several comments about your post:
- why do you hide what you are specifying for as path
match as-path xx
xx is mostly used to disguise sensitive information. What is sensitive about the name of the access list? And then you post the as path access list showing that it is 1. Why obscure one and put the other into the post plainly?
- I am also wondering about this line
match source ip
it is not clear what you are matching here.
- I am surprised to see one entry (as-path) and a second entry (source ip) combined in a route map. Matching as-path implies that you are trying to control routing updates, but match ip implies that you are trying to control forwarding of user traffic. What are you really trying to accomplish here?
08-24-2021 10:43 PM
Thanks for replying.
I've edited my 1st post.
08-25-2021 12:40 PM
I have read your edited post and am still confused about what you are trying to accomplish. PBR is generally applied on an interface where traffic enters the router/switch. It uses a route map to select traffic and specify an alternate forwarding decision. It is fairly straightforward to say match subnet 192.168.1.64/29 and send it to next hop w.x.y.z. It is also common to use route maps in conjunction with BGP routing and where you might want to match on AS number. You seem to be putting them together.
if 192.168.1.65/29 match ASN(yyyy) nexthop ASN(yyyy) gateway
What is the relationship between 192.168.1.64 and ASN(yyyy)?
08-25-2021 01:40 AM
Hello @kongkong25155 ,
I agree with @Richard Burts: a route-map used for PBR is used to examine user traffic flows, so invoking a match as-path is misleading and it is likely not supported correctly.
If you match on the source IP address on your internal interface, how can that prefix match an as-path list that contains an AS number? How can the source address be learned in eBGP from ISP A when coming from your internal network? Unless there is a spoofing attack, it should not happen.
I would understand if you were trying to match the destination address; that may match your AS path access-list, but the source should not be able to match in any case.
I think that match is ignored in the route-map used for PBR and this explains what you see.
Hope to help
Giuseppe
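To make the distinction in Giuseppe's reply concrete, here is an added Python model (not from this thread and not Cisco code) that evaluates the posted route-map the way PBR actually does, against the packet's source only, beside what the poster described: a check on the AS path of the destination's BGP route. The BGP table, the addresses, and AS numbers 65001/65002/65003 standing in for the thread's yyyy/zzzz are constructed for the example.

```python
import ipaddress
import re

# Constructed sample BGP table: prefix -> AS path as seen from this router.
# 65001 plays the role of the thread's "yyyy", 65003 of "zzzz".
BGP_TABLE = {
    "203.0.113.0/24": "65001",         # originated by ISP-A's own AS
    "198.51.100.0/24": "65001 65002",  # learned via ISP-A, originated further away
    "192.0.2.0/24": "65003",           # reached through a different AS
}

AS_PATH_ACL_1 = re.compile(r"^65001$")               # ip as-path access-list 1 permit ^yyyy$
VOICE_ACL = ipaddress.ip_network("192.168.1.64/29")  # access-list VOICE (192.168.1.64 0.0.0.7)
ISP_A_GATEWAY = "2.2.2.1"                            # set ip next-hop 2.2.2.1


def lookup(dst):
    """Longest-prefix match of a destination address against the BGP table.
    Returns (network, as_path) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, path in BGP_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best


def pbr_as_posted(src, dst):
    """The posted route-map evaluated as PBR really evaluates it.
    A forwarded packet carries no AS path, so 'match as-path 1' has nothing
    to test and is effectively ignored; every VOICE source goes to 2.2.2.1,
    whatever the destination (the symptom described in the first post)."""
    if ipaddress.ip_address(src) in VOICE_ACL:
        return ISP_A_GATEWAY
    return "routing-table"


def pbr_intended(src, dst):
    """The intent as written in pseudo-code: VOICE sources whose destination is
    reached by a route with AS path ^yyyy$ get next hop 2.2.2.1; everything
    else follows the routing table. The AS path belongs to the destination's
    BGP route, never to the packet's source."""
    if ipaddress.ip_address(src) not in VOICE_ACL:
        return "routing-table"
    route = lookup(dst)
    if route is not None and AS_PATH_ACL_1.search(route[1]):
        return ISP_A_GATEWAY
    return "routing-table"
```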
08-25-2021 01:38 PM
Hi @kongkong25155 ,
The list of match commands that can be used for PBR is fairly limited. You can use the following commands:
Please refer to the following documentation page:
Regards,