09-26-2007 08:35 AM - edited 03-03-2019 06:55 PM
Hi Folks... I have a GRE tunnel over IPsec set up for certain networks. However, I have one specific source that I want to take a different interface to reach the networks normally routed via the GRE tunnel. I have set up policy routing accordingly, and there are packets matching on the route-map, but the packets I need policy routed are still sent into the tunnel. Anyone know if this is a bug, or am I missing something?
P.S. When I shut the tunnel down, the packets go where they should...
access-list 101 permit ip x.x.x.x 0.0.255.255 any
route-map bla permit 10
match ip address 101
set ip next-hop x.x.x.x
09-26-2007 10:21 AM
James
A bit more information would be helpful. Is the traffic that you want to policy route transit traffic being routed through the router, or is it traffic generated by the router itself? You do not say where you have configured the ip policy command. Where is it configured?
Could you also provide some information about the topology. Where does the GRE tunnel go? Where is the next-hop x.x.x.x and how do you get to it?
HTH
Rick
09-26-2007 10:53 AM
Thanks for the reply, Rick. I thought that would be enough info to ring a bell with someone...
The traffic is transiting through the router. The ip policy command is placed on the interface where traffic from that source I want to policy route is coming from, i.e. the ingress int.
The tunnel goes from this router to a remote router across an MPLS backbone. There is EIGRP routing across these tunnels (hence the packets going this way).
The next hop I want to policy route to is directly connected to a fa int.
Everything seems ok as there are packets matching the route map, but a trace shows the packets still traversing the tunnel :(
James
09-26-2007 04:11 PM
James, question: is the destination host you are tracing reachable through the fa int? It may be that it is not reachable through that interface, thus taking the GRE tunnel, but it seems you follow the policy right since you are indicating packets are seen, but your trace proves otherwise. You could try forcing the route not to take the GRE path by blocking that network outbound on the GRE tunnel interface.
e.g.
access-list 102 deny ip any x.x.x.x 0.0.255.255
under the GRE tunnel interface apply: ip access-group 102 out
Do a trace and see if traffic still goes via GRE or through the fa int.
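The forwarding decision this thread is arguing about, as an added example that is not part of the thread and not Cisco code: a small Python model of policy-based routing on an ingress interface, with Cisco-style wildcard ACL matching, a route-map with a set next-hop, longest-prefix FIB lookup, and an outbound ACL on the tunnel. It assumes the behaviour that PBR only redirects a packet when the configured next hop is actually reachable (here, present in the adjacency table), and otherwise falls through to normal routing while the route-map match is still counted. All addresses, interface names and the ACL 102 variant (keyed on the source network instead of the destination) are constructed for the example.

```python
"""Constructed model of IOS-style policy-based routing (PBR); not Cisco code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


ANY = ("0.0.0.0", "255.255.255.255")   # the keyword "any" as base/wildcard


def acl_lookup(entries, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


@dataclass
class RouteMapClause:
    seq: int
    action: str                      # route-map permit/deny
    match_acl: str
    next_hop: Optional[str] = None   # "set ip next-hop"


@dataclass
class Router:
    acls: dict                       # acl number -> [AclEntry]
    route_maps: dict                 # route-map name -> [RouteMapClause]
    ip_policy: dict                  # ingress interface -> route-map name ("ip policy route-map")
    routes: list                     # (prefix, egress interface), e.g. what EIGRP learned
    adjacencies: dict                # next-hop IP -> interface; present only if ARP-resolved/up
    out_acls: dict = field(default_factory=dict)       # interface -> acl applied "out"
    match_counts: dict = field(default_factory=dict)   # (route-map, seq) -> packets matched

    def fib_lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the routing table."""
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, ingress: str, src: str, dst: str) -> str:
        egress = None
        rm_name = self.ip_policy.get(ingress)
        if rm_name:
            for clause in self.route_maps[rm_name]:
                if acl_lookup(self.acls[clause.match_acl], src, dst) != "permit":
                    continue                       # clause does not match, try the next one
                key = (rm_name, clause.seq)
                self.match_counts[key] = self.match_counts.get(key, 0) + 1
                # Assumption modelled here: a permit clause only redirects when the set
                # next hop is reachable; a deny clause or an unreachable next hop means the
                # packet is routed normally, although the match was still counted.
                if clause.action == "permit" and clause.next_hop in self.adjacencies:
                    egress = self.adjacencies[clause.next_hop]
                break
        if egress is None:
            egress = self.fib_lookup(dst)
        if egress is None:
            return "drop: no route"
        out_acl = self.out_acls.get(egress)
        if out_acl and acl_lookup(self.acls[out_acl], src, dst) != "permit":
            return f"drop: denied by {out_acl} out on {egress}"
        return egress


def build_router(next_hop_reachable: bool, tunnel_out_acl: bool) -> Router:
    """Constructed topology: 172.16.0.0/16 is learned via Tunnel0, the PBR next hop sits on Fa0/1."""
    acls = {
        "101": [AclEntry("permit", "10.1.0.0", "0.0.255.255", *ANY)],
        "102": [AclEntry("deny", "10.1.0.0", "0.0.255.255", *ANY), AclEntry("permit", *ANY, *ANY)],
    }
    return Router(
        acls=acls,
        route_maps={"bla": [RouteMapClause(10, "permit", "101", "192.168.1.2")]},
        ip_policy={"FastEthernet0/2": "bla"},
        routes=[("172.16.0.0/16", "Tunnel0"), ("192.168.1.0/24", "FastEthernet0/1"), ("0.0.0.0/0", "FastEthernet0/0")],
        adjacencies={"192.168.1.2": "FastEthernet0/1"} if next_hop_reachable else {},
        out_acls={"Tunnel0": "102"} if tunnel_out_acl else {},
    )


def scenario(next_hop_reachable: bool, tunnel_out_acl: bool, src="10.1.5.5", dst="172.16.9.9"):
    """Returns (egress decision, route-map match count) for one packet from the ingress interface."""
    r = build_router(next_hop_reachable, tunnel_out_acl)
    result = r.forward("FastEthernet0/2", src, dst)
    return result, r.match_counts.get(("bla", 10), 0)


if __name__ == "__main__":
    print("next hop reachable:   ", scenario(True, False))
    print("next hop unreachable: ", scenario(False, False))
    print("unreachable + acl out:", scenario(False, True))
    print("non-policy source:    ", scenario(True, False, src="10.2.0.1"))
```

The second scenario is the one worth checking first: the route-map counter increments, yet the packet still leaves via the tunnel because the set next hop was not resolvable. The third scenario shows what the outbound ACL suggested in the last reply does in that case: the policy-routed source is dropped at the tunnel rather than silently carried across it, which makes the problem visible in a trace.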