Policy based routing issue

Answered Question
Nov 3rd, 2008


I want to assign a new gateway for a quarantine-net VLAN. The gateway is located in another subnet. This subnet is only available via routing.

When I set a new gateway via policy based routing, I receive the error "policy based routing rejected - normal routing".

I have included a config and network drawing in the ticket.

Is it possible to assign a new gateway via policy based routing? How can I solve this issue?

Best regards

guruprasadr Mon, 11/03/2008 - 01:50

Hi Jorg, [Pls RATE if HELPS]

The details are not clear, but:

The set ip next-hop command verifies the existence of the next hop specified, and…

>> if the next hop exists in the routing table, then the command policy routes the packet to the next hop.

>> if the next hop does not exist in the routing table, the command uses the normal routing table to forward the packet.

Does your router know the next hop?

Also, use "debug ip policy" to see the output.

Hope I am informative.


Best Regards,

Guru Prasad R

jorg.ramakers Mon, 11/03/2008 - 02:28

Hi Jon,

No, the next hop is the quarantine server. So the next hop is not directly connected, and the route to it goes over the default route.

Is it possible to do this via PBR?

francisco_1 Mon, 11/03/2008 - 02:37

If you set an "ip default next-hop" with a route map, that next-hop will be used ONLY if an explicit path to the destination network is not present in the routing table. An extended ACL must be used here, since a source and destination must be defined.


R2(config)#access-list 150 permit ip host

R2(config)#route-map DEFAULT_NEXT_HOP permit

R2(config-route-map)#match ip address 150

R2(config-route-map)#set ip default next-hop

R2(config)#interface e0

R2(config-if)#ip policy route-map DEFAULT_NEXT_HOP

When a packet comes into ethernet0 with a source IP of and is destined for any host on the network, the next-hop address will be set to IF there is no entry in the routing table for that network.
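
The two behaviours described in guruprasadr's and francisco_1's posts above, side by side as an added example. This is not configuration from the thread or from the ticket; the addresses, interface names, ACL name and route-map names are assumptions. The two route maps differ only in the set clause, and the comments trace where a packet from the quarantine VLAN ends up depending on whether the routing table holds an explicit route for its destination.

```cisco
! Added example, not the thread's own configuration. Assumed topology:
!   Vlan100   10.100.0.0/24  quarantine VLAN, SVI address 10.100.0.1
!   Gi1/0/1   10.0.0.1/30    link towards the quarantine server 10.50.0.10; next hop 10.0.0.2
!                            is on this directly connected subnet
!   Gi1/0/2   10.0.1.1/30    link towards the corporate core; next hop 10.0.1.2
! Assumed routing table:
!   10.50.0.0/24   via 10.0.0.2   (quarantine server segment)
!   172.16.0.0/16  via 10.0.1.2   (corporate networks)
!   0.0.0.0/0      via 10.0.1.2   (internet)
!
! The policy matches on source, so an extended ACL is required.
ip access-list extended QUARANTINE-SRC
 permit ip 10.100.0.0 0.0.0.255 any
!
! Variant A: "set ip next-hop" -- the policy is consulted first; the routing table is the
! fallback only when the next hop cannot be used.
!   10.100.0.5 -> 172.16.1.10   sent to 10.0.0.2 (policy), although 172.16.0.0/16 has a route via 10.0.1.2
!   10.100.0.5 -> 203.0.113.7   sent to 10.0.0.2 (policy), not to the default route
! Every flow from the VLAN lands on the quarantine side, which is what a quarantine wants.
route-map QUARANTINE-NEXTHOP permit 10
 match ip address QUARANTINE-SRC
 set ip next-hop 10.0.0.2
!
! Variant B: "set ip default next-hop" -- the routing table is consulted first; the policy
! applies only when there is no explicit route. A 0.0.0.0/0 default route does not count
! as explicit, which matches the situation the original poster describes.
!   10.100.0.5 -> 172.16.1.10   routed normally to 10.0.1.2 (explicit route exists): quarantine bypassed
!   10.100.0.5 -> 203.0.113.7   only the default route matches, so sent to 10.0.0.2 (policy)
route-map QUARANTINE-DEFAULT permit 10
 match ip address QUARANTINE-SRC
 set ip default next-hop 10.0.0.2
!
! One route map per interface. Packets that do not match the ACL are routed normally.
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 ip policy route-map QUARANTINE-NEXTHOP
```

Variant B is worth noticing from a security point of view: it leaves quarantined hosts free to reach every internal network that has an explicit route, and only catches traffic that would otherwise follow the default route. For isolating a VLAN, variant A is the one that does what the name "quarantine" implies. Also note that the Catalyst 3750 software configuration guide lists set ip default next-hop among the PBR actions that platform does not support, so variant B is router behaviour; check the guide for the release in use before relying on it on a switch.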

jorg.ramakers Mon, 11/03/2008 - 03:05


Thanks, that is what I'm looking for. But is it not necessary for the next hop to be directly connected in the ip default next-hop command?



francisco_1 Mon, 11/03/2008 - 03:46


I'm not the expert here, but to be more clear about the next-hop commands, which can be confusing sometimes: the "set ip next-hop" and "set ip default next-hop" commands are similar but function differently. The "set ip next-hop" command causes the router to use policy routing first and then the routing table. The "set ip default next-hop" command uses the routing table first and then policy routes to the specified default next hop.

set ip next-hop: next-hop addresses must be in a connected subnet. Maybe someone else can shed more light on this discussion.


Jon Marshall Mon, 11/03/2008 - 05:15


Did you have a read of the link I posted? Normally with PBR the next hop must be on a directly connected subnet. But with recursive PBR the next hop does not have to be directly connected; it must, however, be reachable, i.e. can you ping the next hop from the L3 device you want to apply PBR to?

So you should be able to achieve what you want, if I am understanding correctly. What device are you running this on? We need to check that recursive PBR is supported on that device.


jorg.ramakers Mon, 11/03/2008 - 06:28

Hi jon,

Yes, I read it. The device I'm using is a C3750 with IP Services (both routers in the drawing are).

Best regards


Jon Marshall Mon, 11/03/2008 - 06:42


It isn't mentioned as supported in Feature Navigator. The quickest way to check is on the 3750:

3750(config)# route-map test

then try "set ip next-hop ?"

If the keyword "recursive" is an option, let me know.


jorg.ramakers Mon, 11/03/2008 - 22:54

Hi Jon,

I will try to make a VPN connection to the client's network today.

The Feature Navigator is telling me that policy based routing is included in the IOS, but not whether that option is included.



jorg.ramakers Tue, 11/04/2008 - 02:56

Hi Jon,

The options I get are:

nwrt-sw250003(config-route-map)#set ip next-hop ?

A.B.C.D IP address of next hop

peer-address Use peer address (for BGP only)

verify-availability Verify if nexthop is reachable

Is there any way I can resolve this?

Correct Answer
Jon Marshall Tue, 11/04/2008 - 03:03


I thought that might be the case. If you want to use PBR, the only way to resolve this with the 3750 is to ensure that the next hop, i.e. the server, is on a subnet directly connected to the 3750, so you may need to think about altering your topology.
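
A 3750-shaped version of the answer above, as an added example rather than the poster's actual configuration: the quarantine server is moved onto a subnet that the switch itself routes for, so the next hop is directly connected and no recursive lookup is needed. VLAN numbers, addresses, ACL and route-map names are assumptions.

```cisco
! Added example, not the configuration from the ticket. Assumed topology after the change:
!   Vlan100   10.100.0.0/24   quarantine VLAN, SVI 10.100.0.1
!   Vlan200   10.200.0.0/24   new SVI on the 3750; the quarantine server 10.200.0.10 lives here,
!                             so "set ip next-hop 10.200.0.10" points at a connected subnet
!
! PBR on this platform needs the routing SDM template; it takes effect after a reload.
sdm prefer routing
!
! Match only what should be redirected. A "deny" in a PBR ACL means "do not policy route"
! (the packet is routed normally), not "drop". Traffic to the switch's own SVI address is
! excluded; everything else sourced from the quarantine VLAN is redirected, including
! destinations the routing table knows a better path for. That is what isolates the VLAN.
ip access-list extended QUARANTINE-REDIRECT
 deny   ip 10.100.0.0 0.0.0.255 host 10.100.0.1
 permit ip 10.100.0.0 0.0.0.255 any
!
route-map PBR-QUARANTINE permit 10
 match ip address QUARANTINE-REDIRECT
 set ip next-hop 10.200.0.10
!
interface Vlan200
 description quarantine server segment (next hop is directly connected)
 ip address 10.200.0.1 255.255.255.0
!
interface Vlan100
 description quarantine VLAN
 ip address 10.100.0.1 255.255.255.0
 ip policy route-map PBR-QUARANTINE
!
! Checks after applying:
!   show ip policy                  route map PBR-QUARANTINE listed against Vlan100
!   show route-map PBR-QUARANTINE   match clause and set clause as entered
!   show ip arp 10.200.0.10         the next hop must be resolvable on Vlan200
!   debug ip policy                 lab use only; on a hardware-switching platform it shows
!                                   only packets handled by the CPU, not every redirected flow
```

Two practical points. First, the server is now the next hop for everything the quarantined hosts send, so it must be built to receive packets for arbitrary destinations (a captive portal or transparent proxy, not a plain host with a single listening socket), otherwise redirected traffic is simply discarded there. Second, because `set ip next-hop` overrides the routing table for every matching packet, the ACL is the only thing that decides which flows escape the quarantine; any exception (DNS, DHCP relay, a remediation server on another segment) has to be an explicit `deny` line placed above the final `permit`.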


jorg.ramakers Tue, 11/04/2008 - 03:06

Hi Jon,

Thanks a lot. That was something I was afraid of. I guess the only way to resolve this is to hardware and create an xwire connection between the sites.

Best regards

Jorg Ramakers

