How to get traffic received over BGP to hit a PBR for specific egress routing?

If I want traffic that gets to my router over a BGP peering to hit a PBR, where does the PBR need to be applied?
In the example below I want traffic from 10.150.0.0/16 to hit PBR internet-pbr and then route to 10.18.9.24.

router bgp 85858
  router-id 10.10.10.1
  template peer foo-peering
    remote-as 56565
    address-family ipv4 unicast
      prefix-list foo1-to-myfly in
      prefix-list myfly-to-foo1 out

  neighbor 10.18.1.185
    inherit peer foo-peering


ip access-list send-to-pbr
  10 permit ip 10.150.0.0/16 any

route-map internet-pbr permit 10
  match ip address send-to-pbr
  set ip next-hop 10.18.9.24
amigan_99 (Network Engineer) asked:
John Meggers (Network Architect) commented:
What is happening that you don't believe this is working? Offhand, I can't think of any reason this shouldn't work. The two mechanisms (BGP peering and policy-based routing) should be completely independent of each other, so the fact the traffic arrived as a result of a BGP-advertised route shouldn't make any difference. As long as the traffic source matches your ACL, I would expect this to work.
0
Craig Beck commented:
PBR needs to be attached to an interface. Try...

interface <ISP-FACING-INT>
  ip policy route-map internet-pbr
0
amigan_99 (Network Engineer, Author) commented:
@jmeggers "route-map internet-pbr" is applied to interfaces connecting to internal leaf switches. So I think @Craig Beck may be right that it needs to be attached to the ISP-facing interface. The tricky thing will be that there are many BGP neighbors on this physical interface associated with many AWS Direct Connect BGP peers. If it messes something up the impact will be broad. In my dreams I'd be able to apply the route map to the BGP peer template and only have potential impact on the single peer.

Thank you.
0
Ken Boone (Network Consultant) commented:
Yes, Craig is correct. The PBR always needs to be applied to the inbound interface where the traffic you want to control is entering the router.
0
amigan_99 (Network Engineer, Author) commented:
So I went to see if this was possible, but the ip policy route-map doesn't appear to be available.

interface port-channel3.1112
core-router(config-subif)# ip policy ?
*** No matching command found in current mode, matching in (config) mode ***
  match  Match values

I was expecting to be able to enter ip policy route-map.
0
Ken Boone (Network Consultant) commented:
What platform are you doing this on and what version of code are you running?
0
amigan_99 (Network Engineer, Author) commented:
NXOS: version 7.0(3)I5(2)
cisco Nexus9000 C9508

I see "ip policy route-map" applied to interface Ethernet1/1.
0
Ken Boone (Network Consultant) commented:
Ok, so just a thought: is the port channel interface layer 2 or layer 3? If it is layer 2 the policy map probably won't work because it's a layer 3 routing mechanism.
0
amigan_99 (Network Engineer, Author) commented:
The port channel appears configured for L3 duty.

interface port-channel3.1112
  encapsulation dot1q 1112
  bfd interval 300 min_rx 300 multiplier 3
  no ip redirects
  ip address 10.18.1.170/31
  ip router ospf 1 area 0.0.0.0
  no shutdown
0
Ken Boone (Network Consultant) commented:
Agreed. Here is your problem:

Taken from this link:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html

Look down in the section Guidelines and Limitations:

Policy-based routing is not supported with Layer 3 port-channel subinterfaces.
0
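As an added illustration, not code from the thread or from Cisco: a small Python audit that reads an NX-OS running-config excerpt, lists every interface on which a given route-map is applied with ip policy route-map, and flags Layer 3 port-channel subinterfaces per the guideline Ken cites. The config excerpt is constructed for the example; only the route-map name internet-pbr and the subinterface name come from the thread.

```python
import re
from typing import Dict, List

# Constructed NX-OS running-config excerpt (not the thread's device); it reuses the
# thread's route-map name and includes a port-channel subinterface to trigger the flag.
SAMPLE_CONFIG = """\
route-map internet-pbr permit 10
  match ip address send-to-pbr
  set ip next-hop 10.18.9.24
interface Ethernet1/1
  ip address 10.18.1.1/31
  ip policy route-map internet-pbr
interface port-channel3.1112
  encapsulation dot1q 1112
  ip address 10.18.1.170/31
  ip policy route-map internet-pbr
interface port-channel4
  ip address 10.18.2.1/31
  ip policy route-map internet-pbr
"""

PBR_RE = re.compile(r"^ip policy route-map (\S+)$")
PC_SUBIF_RE = re.compile(r"^port-channel\d+\.\d+$", re.IGNORECASE)

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented config lines]} for each interface stanza."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command starts a new stanza
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                stanzas[current] = []
        elif current:                           # indented line belongs to the open stanza
            stanzas[current].append(line.strip())
    return stanzas

def audit_pbr(config: str, route_map: str) -> Dict[str, str]:
    """Map every interface that applies `ip policy route-map <route_map>` to a verdict.
    Empty result = route-map defined but never applied (the thread's original symptom)."""
    verdicts: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        for cmd in lines:
            m = PBR_RE.match(cmd)
            if m and m.group(1) == route_map:
                # Cisco guideline: PBR is not supported on Layer 3 port-channel subinterfaces
                verdicts[name] = ("unsupported: L3 port-channel subinterface"
                                  if PC_SUBIF_RE.match(name) else "ok")
    return verdicts
```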
amigan_99 (Network Engineer, Author) commented:
Thank you muchly!
0
John Meggers (Network Architect) commented:
Just getting back to this. Yes, I agree PBR needs to be applied as an interface policy. Good catch on the subinterface restriction, though. I'm not sure I was aware of that.
1