PBR - is the return path the same as the destination path?

lon21 · April 2012

I am just learning PBR with Cisco routers, while I have got this to work via a access-list and route-maps. My understanding is each packet is checked with the PBR and then the routing table.

If the above is true, then I believe PBR should be implement to both ends of the router where the path connects, as having only one PBR provide routes for packet which are destined but the return packets i.e. in tcp would take another route.

I am correct, I am missing something?

Thank you.

pogue · April 2012

lon21 wrote: »

I am just learning PBR with Cisco routers, while I have got this to work via a access-list and route-maps.My understanding is each packet is checked with the PBR and then the routing table.

The bolded part I believe is only true if you use the "default" keyword in the PBR commands.

If the above is true, then I believe PBR should be implement to both ends of the router where the path connects, as having only one PBR provide routes for packet which are destined but the return packets i.e. in tcp would take another route.

One common use for PBR is to choose which of two ISPs to route outbound traffic to. PBR gives you no control over how the internet routes traffic back to your network.

Not sure what you mean by "both ends of the router". Do you mean the LAN side and the WAN side?

You seem to be saying that PBR "should be used" in a certain way.. PBR is just a tool that allows you to match a certain condition or conditions, and then to take a certain action afterwards.

Please give us a little bit more info on what you are actually trying to accomplish with PBR, and we can let you know if you are looking at things with the right mindset.

Russ

vinbuck · April 2012

PBR only applies to ingress traffic on an interface (in other words, you are catching it as it comes into an interface and sending it somewhere else). Return traffic will take the best path back to the source IP.

PBR can be used for more than changing the next-hop but I guessing this is all you're referring to.

lon21 · April 2012

pogue wrote: »

The bolded part I believe is only true if you use the "default" keyword in the PBR commands.

One common use for PBR is to choose which of two ISPs to route outbound traffic to. PBR gives you no control over how the internet routes traffic back to your network.

Not sure what you mean by "both ends of the router". Do you mean the LAN side and the WAN side?

You seem to be saying that PBR "should be used" in a certain way.. PBR is just a tool that allows you to match a certain condition or conditions, and then to take a certain action afterwards.

Please give us a little bit more info on what you are actually trying to accomplish with PBR, and we can let you know if you are looking at things with the right mindset.

Russ

Hi Russ,

I have a network which has three routers A, B & C in an triangle. Routers B and C can both access 192.168.20.0/24. When I try to connect from router A to 20.0 network the path which is taken is via router B which is implemented via route-maps. My concern is as the route-map is only applied on the inside interface of router A the packets which are returned from 20.0 are taking a different path on which the packet destined had taken.

Not sure what you mean by "both ends of the router". Do you mean the LAN side and the WAN side?

Would be LAN side i.e. packets which enter the router.

thanks

vinbuck · April 2012

Diagrams or configs would be helpful

Everyone has a different take on what is inside and outside. Bottom line is that PBR will only change the next hop on traffic coming into an interface. It won't change the return.

BGP, however, can do that

deth1k · April 2012

PBR breakes routing, so no, it will not do route lookup and just forward traffic to your specified next hop. Do you care about return traffic? If you do then don't use PBR :P

Agent6376 · April 2012

Ion, if you are going to use PBR in the scenario you have laid out, then yes you would want to configure it on both ends to avoid asymmetric routing, exactly as you suspected. I've worked in networks where clients would load balance Citrix traffic over an MPLS link, and then send printer and web traffic over a protected GRE tunnel with failover either way. PBR was used on both sides to classify traffic accordingly so that destination and return traffic took the same routes.

I hope this answers your question.

pogue · April 2012

Agent6376 wrote: »

Ion, if you are going to use PBR in the scenario you have laid out, then yes you would want to configure it on both ends to avoid asymmetric routing, exactly as you suspected. I've worked in networks where clients would load balance Citrix traffic over an MPLS link, and then send printer and web traffic over a protected GRE tunnel with failover either way. PBR was used on both sides to classify traffic accordingly so that destination and return traffic took the same routes.

I hope this answers your question.

This sounds like a site-to-site VPN.

Not sure that the OP ever mentioned anything that could even remotely be considered similar.

Sounded like the OP mentioned applying PBR in both directions on a single router, which I don't think is possible.

Again, it sounds like you are talking about some sort of VPN where sites are connected over Layer 2, which is not what the OP is referring to.

Russ

Agent6376 · April 2012

pogue wrote: »

This sounds like a site-to-site VPN.

Not sure that the OP ever mentioned anything that could even remotely be considered similar.

Sounded like the OP mentioned applying PBR in both directions on a single router, which I don't think is possible.

Again, it sounds like you are talking about some sort of VPN where sites are connected over Layer 2, which is not what the OP is referring to.

Russ

Ah! Yep I'm referring to having PBR on two routers - one on each ingress LAN interface for each respective subnet.

Edit: To the OP:
1. Add a 4th router to your lab.
2. Place the 192.168.20.x network behind it
3. Put router B and C as whatever transit subnets you want to use
4. Apply your PBR configuration at the ingress of router A and router D.
5. Review

Good luck!

lon21 · April 2012

Guys, thanks for your input.

Sorry for the late reply.

I've designed a similar network to what I am trying to achieve, I understand that PBR need to be on both ends. But what about is I don't have control the other end of the router.

In my example the router on the right, I don't have access to but we have both agreed to run EIGRP. I would like the links going to the right side to use the link with the 10 MB speed and any other traffic to use the 100 Mb link.

I don't have access to the other router, is this any way possible?

mattau · April 2012

-I was thinking with eigrp how about go on one of the ISP2 routers and make a high offset value for 192.168.10.0. That way when R1 calculates its sucessor path you could manipulate the offset to make the path via ISP1 better. Then on your end on Router0 could could do a similar thing with making the 100mb link appear a higher metric ( this still doesnt help with sending all other traffic down the 100mb link that doesnt flow over the 10mb link given like everyone said you'd still have to be able to put a route map in the ingress interface to match and set criteria.

BGP could be quite handy if the other router had certain community values configured so you could tell it to route certain traffic this way or that way. But that is probably getting abit too crazy for this. : )

PBR - is the return path the same as the destination path?

Comments