Route Map issue

Sep 5th, 2008

I have 2 Internet connections, and I want my branches (which have many more users) to use the HS link. The slower one is connected to my core. The higher-speed one is 2 hops away. I have created a route map:


access-list 180 permit icmp any <--for testing purposes ONLY
access-list 180 permit tcp any any eq www
access-list 180 permit tcp any any eq 443

route-map webtraffic permit 1
 match ip address 180
 set interface GigabitEthernet7/1 <-- port on my core to other core device where HS Link connects
 set ip next-hop <--DGW I want to use


I have this route-map applied to both interfaces on my core where my 2 branches connect from their routers. The ACL is racking up "hits" but the traffic is STILL going out my slower speed link. Here is some debug info:

Sep 5 09:48:48.654 CST: IP: s= (GigabitEthernet3/47), d=, len 40, FIB policy match

Sep 5 09:48:48.654 CST: CEF-IP-POLICY: fib for address is with flag 32

Sep 5 09:48:48.654 CST: IP: s= (GigabitEthernet3/47), d=, len 40, FIB policy rejected - normal forwarding

Any ideas? TIA,


jpoplawski Fri, 09/05/2008 - 07:40

Is the route-map configured in your NAT statement? Is it possible to post a config?



lhoyle Fri, 09/05/2008 - 09:07

We NAT on the actual Internet routers. The traffic never seems to get to the correct router to be NAT'd.



paul.matthews Fri, 09/05/2008 - 07:40

First thoughts - you don't normally need to set interface *and* next hop, I would just do the next hop.

Secondly, the access list seems to be purely HTTP and HTTPS along with any ICMP traffic ending in three zeros.

The debug does not say what that traffic is, other than IP addresses.

lhoyle Fri, 09/05/2008 - 07:49

I initially had just the next-hop, but added the set interface when it did not work initially. The traffic I am trying to redirect is from my branch offices, which are quite a bit larger than the HQ. Here is where I applied the RM. These are ports on the core that directly connect to the routers to the branches (I have 2 routes to each branch).


interface GigabitEthernet3/46
 description CE-CEA-INTRT-3845-02
 ip address
 ip policy route-map webtraffic
 service-policy output QOS-OUT

interface GigabitEthernet3/47
 description CE-CEA-INTRT-3845-01
 ip address
 ip policy route-map webtraffic
 service-policy output QOS-OUT


A tracert from a w/s at a branch looks like this...

Tracing route to []

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms

2 <1 ms <1 ms <1 ms

3 3 ms 3 ms 3 ms <--- FWSM in the core router

4 3 ms 3 ms 3 ms <---core router port from the branch

5 4 ms 4 ms 4 ms <--my slower Internet connection

6 369 ms 150 ms 221 ms

7 249 ms 350 ms 333 ms []

8 376 ms 281 ms 355 ms []

9 * 553 ms 580 ms []

10 reports: Destination net unreachable.



Giuseppe Larosa Fri, 09/05/2008 - 13:42

Hello Lee,

you say that "The higher-speed one is 2 hops away"

the ip address <--DGW I want to use

is the ip address two hops away ?

you need to set the ip next-hop to the other core router in the route-map.

the next-hop must be reachable via a connected interface (it should have an ARP entry if it is a LAN interface).

Then you do the same on the second core router if routing does not choose the HS link as outgoing interface towards internet.

Hope to help
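
The adjacency requirement described in the reply above, as an added example that is not part of the thread: a Python check that parses IOS-style configuration text and reports, for each route-map `set ip next-hop`, which connected interface subnet contains it, if any. The sample configuration, its RFC 5737 documentation addresses, the `webtraffic-fixed` route-map and the function names are all constructed for illustration, since the thread's own addresses are not shown.

```python
import ipaddress
import re

# Constructed sample config. Addresses are RFC 5737 documentation ranges,
# not values from the thread (the thread's addresses are not shown).
SAMPLE_CONFIG = """\
interface GigabitEthernet3/47
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map webtraffic
interface GigabitEthernet7/1
 ip address 198.51.100.1 255.255.255.252
route-map webtraffic permit 1
 match ip address 180
 set ip next-hop 203.0.113.254
route-map webtraffic-fixed permit 1
 match ip address 180
 set ip next-hop 198.51.100.2
"""

def connected_networks(config):
    """Return {interface name: IPv4Network} for every addressed interface."""
    nets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current:
            nets[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets

def check_next_hops(config):
    """Map (route-map, next-hop) to the connected interface, or None."""
    nets, results, current = connected_networks(config), {}, None
    for line in config.splitlines():
        m = re.match(r"route-map (\S+) (?:permit|deny)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+set ip next-hop (\S+)", line)
        if m and current:
            hop = ipaddress.ip_address(m.group(1))
            results[(current, str(hop))] = next(
                (ifc for ifc, net in nets.items() if hop in net), None)
    return results

if __name__ == "__main__":
    for (rmap, hop), ifc in check_next_hops(SAMPLE_CONFIG).items():
        print(f"{rmap}: next-hop {hop} ->", ifc or "NOT on a connected subnet")
```

A next-hop that maps to no interface is the case the reply warns about; being on a connected subnet is necessary but the neighbour must still resolve (ARP) on that link.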


lhoyle Fri, 09/05/2008 - 13:53

Thank you for the insight. Earlier today, the admin for the next hop gave me that IP address, and sadly, I get the same results.

