How to get traffic received over BGP to hit a PBR for specific egress routing?

If I want traffic that gets to my router over a BGP peering to hit a PBR, where does the PBR need to be applied?
In the example below I want traffic from 10.150.0.0/16 to hit PBR internet-pbr and then route to 10.18.9.24.

router bgp 85858
  router-id 10.10.10.1
  template peer foo-peering
    remote-as 56565
    address-family ipv4 unicast
      prefix-list foo1-to-myfly in
      prefix-list myfly-to-foo1 out
  neighbor 10.18.1.185
    inherit peer foo-peering

ip access-list send-to-pbr
  10 permit ip 10.150.0.0/16 any

route-map internet-pbr permit
  match ip address send-to-pbr
  set ip next-hop 10.18.9.24
Asked by amigan_99

1 Solution

John Meggers (Network Architect) commented:
What is happening that you don't believe this is working? Offhand, I can't think of any reason this shouldn't work. The two mechanisms (BGP peering and policy-based routing) should be completely independent of each other, so the fact the traffic arrived as a result of a BGP-advertised route shouldn't make any difference. As long as the traffic source matches your ACL, I would expect this to work.
 
Craig Beck commented:
PBR needs to be attached to an interface. Try...

interface <ISP-FACING-INT>
  ip policy route-map internet-pbr
 
amigan_99 (Network Engineer, Author) commented:
@jmeggers "route-map internet-pbr" is applied to interfaces connecting to internal leaf switches. So I think @Craig Beck may be right that it needs to be attached to the ISP-facing interface. The tricky thing will be that there are many BGP neighbors on this physical interface associated with many AWS Direct Connect BGP peers. If it messes something up the impact will be broad. In my dreams I'd be able to apply the route map to the BGP peer template and only have potential impact on the single peer.

Thank you.
 
Ken Boone (Network Consultant) commented:
Yes Craig is correct. The PBR always needs to be applied to the inbound interface of where the traffic you want to control is entering the router.
 
amigan_99 (Network Engineer, Author) commented:
So I went to see if this was possible but the ip policy route-map doesn't appear available...

interface port-channel3.1112
core-router(config-subif)# ip policy ?
*** No matching command found in current mode, matching in (config) mode ***
  match  Match values

I was expecting to be able to enter ip policy route-map?
 
Ken Boone (Network Consultant) commented:
What platform are you doing this on and what version of code are you running?
 
amigan_99 (Network Engineer, Author) commented:
NXOS: version 7.0(3)I5(2)
cisco Nexus9000 C9508

I see "ip policy route-map" applied to interface Ethernet1/1.
 
Ken Boone (Network Consultant) commented:
Ok so just a thought.. is the port channel interface layer 2 or layer 3? If it is layer 2 the policy map probably won't work because it's a layer 3 routing mechanism.
 
amigan_99 (Network Engineer, Author) commented:
The port channel appears configured for L3 duty?

interface port-channel3.1112
  encapsulation dot1q 1112
  bfd interval 300 min_rx 300 multiplier 3
  no ip redirects
  ip address 10.18.1.170/31
  ip router ospf 1 area 0.0.0.0
  no shutdown
 
Ken Boone (Network Consultant) commented:
Agreed.. here is your problem:

Taken from this link:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/unicast/configuration/guide/l3_cli_nxos/l3pbr.html

Look down in the section Guidelines and Limitations:

Policy-based routing is not supported with Layer 3 port-channel subinterfaces.
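The restriction Ken quotes is easy to miss in a large running-config, especially when the PBR route-map is already attached to several interfaces. The script below is an added example (not code from the thread, from the participants, or from Cisco) that parses a constructed NX-OS-style configuration and flags three things a pre-change review would want to know: an `ip policy route-map` on a Layer 3 port-channel subinterface (unsupported per the guideline above), a route-map referenced by an interface but never defined, and a route-map whose `match ip address` names an ACL that does not exist. All interface names, addresses and route-map names in the sample are constructed.

```python
"""Audit an NX-OS-style running-config for policy-based routing (PBR) pitfalls.

Added example for this thread, not code from the original posts or from Cisco.
The sample config is constructed; the subinterface check encodes the Nexus 9000
guideline quoted in the thread (PBR unsupported on L3 port-channel subinterfaces).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one valid PBR attachment (Ethernet1/1), one route-map
# matching a missing ACL (Ethernet1/2), one attachment on an unsupported
# subinterface (port-channel3.1112) and one undefined route-map (port-channel4).
SAMPLE_CONFIG = """\
ip access-list send-to-pbr
  10 permit ip 10.150.0.0/16 any

route-map internet-pbr permit 10
  match ip address send-to-pbr
  set ip next-hop 10.18.9.24

route-map missing-acl-pbr permit 10
  match ip address no-such-acl
  set ip next-hop 10.18.9.25

interface Ethernet1/1
  ip address 10.18.1.1/31
  ip policy route-map internet-pbr

interface Ethernet1/2
  ip address 10.18.1.3/31
  ip policy route-map missing-acl-pbr

interface port-channel3.1112
  encapsulation dot1q 1112
  ip address 10.18.1.170/31
  ip policy route-map internet-pbr

interface port-channel4
  ip address 10.18.1.172/31
  ip policy route-map undefined-map
"""

# port-channelN.M is a subinterface, which is always Layer 3 on NX-OS.
PC_SUBIF = re.compile(r"^port-channel\d+\.\d+$", re.IGNORECASE)


@dataclass
class Config:
    acls: set = field(default_factory=set)
    route_maps: dict = field(default_factory=dict)   # name -> set of ACLs it matches
    pbr_on_intf: dict = field(default_factory=dict)  # interface -> route-map name


def parse_config(text: str) -> Config:
    """Indentation-based parser for the three section types the audit needs."""
    cfg = Config()
    section = None  # (kind, name) of the current top-level block
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split()
        if not raw.startswith(" "):  # unindented line: a new top-level section
            if parts[:2] == ["ip", "access-list"] and len(parts) >= 3:
                cfg.acls.add(parts[2])
                section = ("acl", parts[2])
            elif parts[0] == "route-map" and len(parts) >= 2:
                cfg.route_maps.setdefault(parts[1], set())
                section = ("rmap", parts[1])
            elif parts[0] == "interface" and len(parts) >= 2:
                section = ("intf", parts[1])
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        # Only ACL-based matches are audited; 'match ip address prefix-list X' is skipped.
        if kind == "rmap" and parts[:3] == ["match", "ip", "address"] and parts[3:4] != ["prefix-list"]:
            cfg.route_maps[name].update(parts[3:])
        elif kind == "intf" and parts[:3] == ["ip", "policy", "route-map"] and len(parts) >= 4:
            cfg.pbr_on_intf[name] = parts[3]
    return cfg


def audit(cfg: Config) -> list:
    """Return one finding string per problem, ordered by interface name."""
    findings = []
    for intf, rmap in sorted(cfg.pbr_on_intf.items()):
        if PC_SUBIF.match(intf):
            findings.append(f"{intf}: PBR on a Layer 3 port-channel subinterface is unsupported")
        if rmap not in cfg.route_maps:
            findings.append(f"{intf}: route-map {rmap} is referenced but not defined")
            continue
        for acl in sorted(cfg.route_maps[rmap]):
            if acl not in cfg.acls:
                findings.append(f"{intf}: route-map {rmap} matches ACL {acl}, which is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a saved `show running-config` instead of the constructed sample to see every interface where PBR is attached and which attachments would silently not work; the subinterface check is the one that explains this thread's symptom, since the CLI on the subinterface never offered `ip policy` in the first place.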
 
amigan_99 (Network Engineer, Author) commented:
Thank you muchly!
 
John Meggers (Network Architect) commented:
Just getting back to this. Yes, I agree PBR needs to be applied as an interface policy. Good catch on the subinterface restriction, though. I'm not sure I was aware of that.