Policy routing and GRE

Unanswered Question
Sep 26th, 2007

Hi Folks... I have a GRE tunnel over ipsec set up for certain networks. However, I have one specific source that I want to take a different interface to reach the networks normally routed via the GRE tunnel. I have set up policy routing accordingly, and there are packets matching on the route-map, but the packets I need policy routed are still sent into the tunnel. Anyone know if this is a bug, or am I missing something?

P.S. When I shut the tunnel down, the packets go where they should...

access-list 101 permit ip x.x.x.x 0.0.255.255 any

route-map bla permit 10

match ip address 101

set ip next-hop x.x.x.x

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Richard Burts Wed, 09/26/2007 - 10:21

James

A bit more information would be helpful. Is the traffic that you want to policy route transit traffic being routed through the router or is it traffic generated by the router itself? You do not how where you have configured the ip policy command. Where is it configured?

Could you also provide some information about the topology. Where does the GRE tunnel go? Where is the next-hop x.x.x.x and how do you get to it?

HTH

Rick

james4627 Wed, 09/26/2007 - 10:53

Thanks for the reply, Rick. I thought that would be enough info to ring a bell with someone...

The traffic is transiting through the router. The ip policy command is placed on the interface where traffic from that source i want to policy route is coming from, i.e. ingress int.

The tunnel goes from this router to a remote router across an mpls backbone. There is eigrp routing across these tunnels (hence the packets going this way).

The next hop i want to policy route to is directly connected to a fa int.

Everything seems ok as there are packets matching the route map, but a trace shows the packets still traversing the tunnel :(

James

JORGE RODRIGUEZ Wed, 09/26/2007 - 16:11

James, question, is the destination host you are tracing reachable through the fa int? it may be that it is not reachable through that interface thus taking the gre tunnel, but

it seems you follow the policy right since you are indicating packets are seen but your

trace proves otherwise, you could try forcing the route not take gre path by blocking

that network outbound the gre tunnel interface.

e.g

access-list 102 deny ip any x.x.x.x 0.0.255.255

under gre tunnel apply ip access-group acl 102 out

do a trace and see if traffic still goes via gre or through fa int.

Actions

This Discussion