amigan_99 asked:

How to get traffic received over BGP to hit a PBR for specific egress routing?

If I want traffic that gets to my router over a BGP peering to hit a PBR, where does the PBR need to be applied?
In the example below I want traffic from 10.150.0.0/16 to hit PBR internet-pbr and then route to 10.18.9.24 .

router bgp 85858
  router-id 10.10.10.1
  template peer foo-peering
    remote-as 56565
    address-family ipv4 unicast
      prefix-list foo1-to-myfly in
      prefix-list myfly-to-foo1 out
  neighbor 10.18.1.185
    inherit peer foo-peering

ip access-list send-to-pbr
  10 permit ip 10.150.0.0/16 any

route-map internet-pbr permit 10
  match ip address send-to-pbr
  set ip next-hop 10.18.9.24
John Meggers

What is happening that you don't believe this is working? Offhand, I can't think of any reason this shouldn't work. The two mechanisms (BGP peering and policy-based routing) should be completely independent of each other, so the fact the traffic arrived as a result of a BGP-advertised route shouldn't make any difference. As long as the traffic source matches your ACL, I would expect this to work.
Craig Beck
PBR needs to be attached to an interface. Try...

interface <ISP-FACING-INT>
  ip policy route-map internet-pbr
amigan_99 (asker)

@jmeggers "route-map internet-pbr" is applied to interfaces connecting to internal leaf switches. So I think @Craig Beck may be right that it needs to be attached to the ISP-facing interface. The tricky thing will be that there are many BGP neighbors on this physical interface, associated with many AWS Direct Connect BGP peers. If it messes something up, the impact will be broad. In my dreams I'd be able to apply the route map to the BGP peer template and only have potential impact on the single peer.

Thank you.
Yes, Craig is correct. The PBR always needs to be applied to the inbound interface where the traffic you want to control is entering the router.
So I went to see if this was possible, but ip policy route-map doesn't appear to be available.

interface port-channel3.1112
core-router(config-subif)# ip policy ?
*** No matching command found in current mode, matching in (config) mode ***
  match  Match values

I was expecting to be able to enter ip policy route-map?
What platform are you doing this on and what version of code are you running?
NXOS: version 7.0(3)I5(2)
 cisco Nexus9000 C9508

I see "ip policy route-map" applied to interface Ethernet1/1.
OK, so just a thought: is the port channel interface layer 2 or layer 3? If it is layer 2, the policy map probably won't work because it's a layer 3 routing mechanism.
The port channel appears to be configured for L3 duty?

interface port-channel3.1112
  encapsulation dot1q 1112
  bfd interval 300 min_rx 300 multiplier 3
  no ip redirects
  ip address 10.18.1.170/31
  ip router ospf 1 area 0.0.0.0
  no shutdown
ASKER CERTIFIED SOLUTION
Ken Boone

Thank you muchly!
Just getting back to this. Yes, I agree PBR needs to be applied as an interface policy. Good catch on the subinterface restriction, though. I'm not sure I was aware of that.
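The thread settles on three points: PBR is an interface policy (ip policy route-map) on the ingress interface, the route-map must reference an ACL that exists, and the asker's NX-OS release would not accept ip policy in subinterface mode. The following script is an added example, not from the thread and not a Cisco tool: it parses a running-config style text and audits those points, flagging a route-map that is defined but never attached, an attachment whose route-map or ACL is missing, a missing feature pbr line, and any attachment on a dot1q subinterface so it can be checked against the platform and release in use. SAMPLE_CONFIG is constructed for the example (the route-map unused-pbr and ACL missing-acl are deliberately broken); the subinterface test is a naming heuristic (a trailing ".N"), not a platform capability check.

```python
"""Audit where policy-based routing (PBR) is attached in an NX-OS style config.

Added example, not from the thread or any Cisco tool. It checks the points the
thread settles on: every route-map named by 'ip policy route-map' must exist,
its 'match ip address' ACL must exist, a PBR route-map must be attached to at
least one (ingress) interface, 'feature pbr' must be enabled, and an attachment
on a dot1q subinterface is flagged for verification, since the asker's release
rejected 'ip policy' in subinterface mode. SAMPLE_CONFIG is constructed.
"""
import re

SAMPLE_CONFIG = """\
feature pbr
ip access-list send-to-pbr
  10 permit ip 10.150.0.0/16 any
route-map internet-pbr permit 10
  match ip address send-to-pbr
  set ip next-hop 10.18.9.24
route-map unused-pbr permit 10
  match ip address missing-acl
  set ip next-hop 10.18.9.25
interface Ethernet1/1
  ip address 10.18.1.2/31
  ip policy route-map internet-pbr
interface port-channel3.1112
  encapsulation dot1q 1112
  ip address 10.18.1.170/31
  ip policy route-map internet-pbr
"""


def parse_config(text):
    """Return (acls, route_maps, policies) from a running-config style text.

    acls       -- set of ACL names
    route_maps -- dict: route-map name -> set of ACL names it matches
    policies   -- list of (interface, route-map) for each 'ip policy route-map'
    Top-level lines open a section; indented lines belong to the open section.
    """
    acls, route_maps, policies = set(), {}, []
    section = None  # (kind, name) of the section the indented lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            if m := re.match(r"ip access-list (\S+)$", line):
                acls.add(m.group(1))
                section = ("acl", m.group(1))
            elif m := re.match(r"route-map (\S+) (?:permit|deny)", line):
                route_maps.setdefault(m.group(1), set())
                section = ("rm", m.group(1))
            elif m := re.match(r"interface (\S+)$", line):
                section = ("if", m.group(1))
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        body = line.strip()
        if kind == "rm" and (m := re.match(r"match ip address (\S+)$", body)):
            route_maps[name].add(m.group(1))
        elif kind == "if" and (m := re.match(r"ip policy route-map (\S+)$", body)):
            policies.append((name, m.group(1)))
    return acls, route_maps, policies


def audit_pbr(text):
    """Return a sorted list of findings; an empty list means the PBR wiring is consistent."""
    acls, route_maps, policies = parse_config(text)
    findings = []
    if policies and not re.search(r"^feature pbr$", text, re.M):
        findings.append("feature pbr is not enabled but 'ip policy route-map' is configured")
    for iface, rm in policies:
        if rm not in route_maps:
            findings.append(f"{iface}: route-map {rm} is not defined")
        # A trailing '.N' marks a dot1q subinterface (e.g. port-channel3.1112).
        if re.search(r"\.\d+$", iface):
            findings.append(f"{iface}: PBR attached to a subinterface; verify the platform/release supports this")
    attached = {rm for _, rm in policies}
    for rm, matched in route_maps.items():
        if rm not in attached:
            findings.append(f"route-map {rm}: defined but not attached to any interface with 'ip policy route-map'")
        for acl in sorted(matched):
            if acl not in acls:
                findings.append(f"route-map {rm}: matches ACL {acl} which is not defined")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_pbr(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of show running-config saved to a file; the parser only understands the four statement families it audits and ignores everything else, so a prefix-list match (match ip address prefix-list ...) is deliberately not treated as an ACL reference.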