Policy Based Rouing problem over dual frame-relay circuits

Unanswered Question

I have a site that has two frame-relay DS1's built as point-point circuits. Both provide Internet access. I want to use PBR to send some user traffic over one T1 and some traffic over the other. I believe I've built the PBR correctly but it doesn't appear to be working. When I query the route-map I see policy routing matches. Both the packets and bytes counters are incrementing. However I am unable to resolve DNS or surf. When I put a default static route pointing out one of the interfaces I am able to surf. I have included a config. Any help would be appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
lamav Wed, 03/05/2008 - 11:23


The access lists on both serial interfaces -- ACL 101 and 102 -- are denying all traffic coming in from the firewall, except icmp.



lamav Wed, 03/05/2008 - 11:51


Not to be repetitive, but this is your interface configuration:

interface Serial0/3/0:0.1 point-to-point

description FW_OUTSIDE#1

ip address

ip access-group 101 in

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 500 IETF

And here is the access list...

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 deny ip any

access-list 101 deny ip any

access-list 101 permit icmp any host echo-reply

access-list 101 permit icmp any host time-exceeded

access-list 101 permit icmp any host unreachable

access-list 101 deny ip any

access-list 101 deny ip any

access-list 101 deny ip any

access-list 101 deny ip any

access-list 101 deny ip host any

access-list 101 deny ip host any

access-list 101 deny ip any any log

This access list denies everything but ICMP traffic coming in from the firewall. What am I missing?

Which interface did you point that static route to? ip route ?.?.?.?



lamav Wed, 03/05/2008 - 13:06

Oh, wait a minute...Im sorry! I just noticed the ip inspect commands in your configuration...

You're running an IOS with a firewall feature set, which means that it is stateful. So, all your internally-generated traffic is automatically allowed back in....

That explains the access list question, but that leaves your initial problem still unresolved....

Joseph W. Doherty Wed, 03/05/2008 - 19:52

Within route-map path-select, try setting "set default interface Serial0/3/0:0.1" and "set default interface Serial0/3/1:0.1" to "set ip next-hop x.x.x.x" where x.x.x.x is the appropriate external next hop address.

Joseph W. Doherty Thu, 03/06/2008 - 05:51

I had suspected PBR with "interface" wasn't NATing. Hopefully the "next-hop" would otherwise NAT. At this point, would need to activate debug and see what's going on.


What next hop addresses did you use?

Mohamed Sobair Thu, 03/06/2008 - 06:12


The (set default interface) has different concept than (set ip next-hop).

the first would perform PBR if it has exact matche in the routing table, and would therfore need (extended access-list).

therfore, the set ip next-hop would resolve

your issue , and you dont need a default route for this.

Make sure the next hop is reachable.



Ok, I've got it working. I changed my ACL's to extended ACL's (no change), set the route-map to set ip next-hop (no change) and then I put a default static route pointing to each of my T1's. The route-map would then send the packets out the correct interface. Does the router have to do a route lookup even if you have a route map pointing to the next hop address?

Edison Ortiz Thu, 03/06/2008 - 08:15

Does the router have to do a route lookup even if you have a route map pointing to the next hop address?

It depends on the set statement within the route-map.

If you use set ip next-hop address, the router will use PBR first and if it fails, it will use the routing table.

If you use set ip default next-hop address, the router will use the routing table first and then the next-hop specified in the route-map.

Please see:


for further understand on PBR features.




Ok, but if I dont have any static routes configured I am unable to route. I could ping the next-hop IP. With the static routes configured the route-map (set ip next-hop address) is sending my user traffic out the correct interfaces. No matter what method I used I would always show my ACL's matching interesting traffic and the route-map matching packets. Very odd behaviour!

Joseph W. Doherty Thu, 03/06/2008 - 14:14

If might help if you clarified what the next hop address your using with PBR and the specific statics which fixed the problem.

Since your original default route was using an interface, not a next hop, perhaps PBR doesn't "know" where the next hop is without a connected route or a static. I.e. your NAT pool is using 60.x.x.x but your physical link are 211.x.x.x. Or perhaps the issue is, without the statics, NAT doesn't see an inside to outside need for address translation.

Mohamed Sobair Thu, 03/06/2008 - 08:10


with PBR, Routing lookup is not perform, because u are forcing the router to match specific criteria.

The router would consult its arp table for the next hop configured in a route-map.



Mohamed Sobair Thu, 03/06/2008 - 08:38


We were taking about (set ip next-hop), if you refer to my previous post, you will see that I have explained what you typed already.



lamav Thu, 03/06/2008 - 11:54

Edison, MO:

Here is what I was thinking about this:

His PBR seems to be failing, which is why he can only route traffic if he has a static default configured.

I say this because we are dealing with 2 NAT interfaces, inside and outside. For both interfaces, the order of operations is such that policy routing comes first, then normal routing.

So, his PBR must be failing, otherwise it would not have to resort to a route table lookup. Thats what I couldnt figure out: what is wrong with his route map config? he says he is using the set ip next hop address command but it didnt work...

Tennis anyone? :-)



This Discussion