ip policy route-map

Unanswered Question
Oct 28th, 2008

Please see the attached graph.


1.) SMTP traffic is not forwarding to the Barracuda Spam Firewall.

2.) show access-list 180

Extended IP access list 180

10 permit tcp any host eq smtp (19999 matches) I see matches....

3.) What could be wrong?

S0/0 :

ip policy route-map SMTP_MAP


access-list 180 remark All_Traffic routed SMTP_MAP (RM 80)

access-list 180 permit tcp any host eq smtp

route-map SMTP_MAP permit 80

match ip address 180

set ip next-hop


Richard Burts Tue, 10/28/2008 - 13:17


I believe that the essence of your problem is that the destination address of the packet is an address in a locally connected subnet. Your route map is setting a next hop address. And if the router were forwarding to another router/gateway device then I believe that your route map would be working. But when the router has the route map but the destination is a local address then I believe that it just does an ARP for the destination address and forwards directly to



guitarmajor Tue, 10/28/2008 - 14:05

Hi Rick,

I don't entirely understand your response; but what you said about the ARP for the destination address and forwarding directly to it, that's what is happening. SMTP traffic was somehow bypassed and sent directly to our CkPoint firewall.

1.) If all traffic is coming in through the border router S0/0 interface, why can't I forward/capture it? I do see the access-list 180 counter increasing packets, but nothing is forwarded to the next hop. Why?

What would you suggest as a solution?

Richard Burts Tue, 10/28/2008 - 15:03


Let me try to explain it this way: with PBR as the packet comes in the incoming interface PBR examines the packet and if it matches the access list then PBR makes its own routing decision. In your case your PBR will set the next hop (the next router or gateway address) as .123. But when the packet gets to the outbound interface the router realizes that the destination is a locally connected address. At that point it no longer uses the next hop address but looks for ARP to find the destination MAC address and forwards to the real destination.

If you want to have PBR work on this traffic then I suggest that you need a small re-design of the network to change the topology so that the Mail server address is not in the subnet of the LAN interface of the Internet facing router. If the outside router is forwarding to another router to reach the Mail server then PBR should work. Or perhaps you can change the topology of the network so that the Barracuda is in line as traffic is forwarded to the firewall and the Mail server.
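As an added example (not configuration from this thread or from either poster), here is what the redesign Richard describes could look like on the border router, with the mail server moved one hop behind an inside router so that it is no longer on a subnet directly connected to the router applying PBR. All addresses are constructed from the RFC 5737 documentation ranges, and the interface names, router roles and the sequence-90 entry are assumptions for illustration.

```cisco
! Added example, not from the thread. Constructed topology (RFC 5737 addresses):
!
!   Internet --S0/0--> border router --Fa0/0 (192.0.2.1/24)--> inside router (192.0.2.2)
!   Barracuda 192.0.2.10/24 sits on the same segment as the inside router
!   Mail server 198.51.100.25/24 is one hop beyond the inside router
!
! Because 198.51.100.25 is no longer in a subnet connected to the border router,
! the router cannot simply ARP for it and hand the packet off locally; the
! policy-routed next hop (the Barracuda) is where the SMTP packets go.

! --- border router ---
interface Serial0/0
 description Internet uplink; PBR acts on traffic arriving here
 ip policy route-map SMTP_MAP
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
! Normal path to the mail subnet is via the inside router ...
ip route 198.51.100.0 255.255.255.0 192.0.2.2
!
! ... but inbound SMTP for the mail server is steered to the Barracuda first.
access-list 180 remark Inbound SMTP to the mail server, policy-routed via the Barracuda
access-list 180 permit tcp any host 198.51.100.25 eq smtp
!
route-map SMTP_MAP permit 80
 match ip address 180
 set ip next-hop 192.0.2.10
!
! Packets matching no entry are forwarded by the routing table anyway; this
! empty entry only makes the fall-through explicit and is optional.
route-map SMTP_MAP permit 90

! --- checks on the border router ---
! show ip policy            -> confirms SMTP_MAP is bound to Serial0/0
! show route-map SMTP_MAP   -> "Policy routing matches" should rise together
!                              with the access-list 180 hit counter
! debug ip policy           -> per-packet view of whether a packet was policy
!                              matched and policy routed (lab use; it is verbose)
```

The Barracuda then needs its own route (or default route) back through the inside router to reach 198.51.100.25; otherwise the policy-routed packets arrive at the Barracuda and stop there. The useful comparison with the original post is the `show route-map` counter: an access-list counter that climbs while the route-map's policy-routing match count stays flat points to exactly the "matched but not policy routed" behaviour discussed above.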



