Policy based routing

Unanswered Question
Feb 20th, 2009


In our LAN we are using a SurfControl web filter to block certain internet access; it is connected to (default gateway for internet). Packets going through the gateway are captured and blocked by the server.

Since all service traffic is inspected by SurfControl, I thought of differentiating the traffic by service: port 80 traffic should go via and all other service traffic should go via the other gateway.

I tried policy-based routing on the Catalyst 6500 for that, like below:

#access-list 101 permit ip any eq 80 any eq 80
#route-map access permit 10
#match ip address 101
#set ip next-hop

All other traffic will go to the default route:

#ip route

Is that right?

Please suggest.



Tshi M Fri, 02/20/2009 - 12:00


Shouldn't your ACL allow TCP rather than IP? I mean:

access-list 101 permit tcp any any eq 80

JamesLuther Fri, 02/20/2009 - 12:03


Looks good, apart from your access-list, which should be

access-list 101 permit tcp any any eq 80

You will also need to apply the PBR to the ingress interface where the traffic is coming from, like below:

interface Vlan 99
ip policy route-map MY_MAP

Or you can apply it globally, like below:

ip local policy route-map MY_MAP


vinoth.kumar Sat, 02/21/2009 - 04:41

Sorry, I have done the same also, but still it's not working.

My doubt is whether we need to configure a dummy route-map pointing to null 0.

Why is null0 required?

JamesLuther Sat, 02/21/2009 - 05:00


Where have you applied the route-map? Have you applied it to an interface or to the global routing table (with "ip local", shown above)?

Remember, route-maps only apply to traffic coming IN to a layer 3 interface.

Make sure the traffic that you're trying to match is coming in the interface that you've applied the route-map (or apply to global routing table).


vinoth.kumar Sat, 02/21/2009 - 05:37

Here is my config on the 6500:

interface Vlan195
ip address
ip policy route-map accesstoport80

interface Vlan211
ip address
ip policy route-map accesstoport80

access-list 101 permit tcp any any eq 80

route-map accesstoport80 permit 10
match ip address 111
set ip next-hop

ip route

Please suggest where I went wrong.

Richard Burts Sat, 02/21/2009 - 08:28


The obvious issue is the mismatch where you show us access list 101 but the route map is matching access list 111. Does access list 111 exist?
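Added example, not part of the thread: a small Python checker that parses an IOS-style PBR configuration and flags the three mistakes raised in this discussion (an "eq <port>" match on a plain "ip" access-list, a route-map that is never applied to an interface or via ip local policy, and a route-map that references an access-list number that does not exist). The sample config is constructed from the poster's 6500 config with placeholder next-hop addresses.

```python
import re

# Constructed sample modelled on the thread's 6500 config; addresses are placeholders.
SAMPLE_CONFIG = """\
interface Vlan195
 ip policy route-map accesstoport80
interface Vlan211
 ip policy route-map accesstoport80
access-list 101 permit tcp any any eq 80
route-map accesstoport80 permit 10
 match ip address 111
 set ip next-hop 192.0.2.1
ip route 0.0.0.0 0.0.0.0 192.0.2.254
"""

def check_pbr(config):
    """Return the PBR mistakes found in an IOS-style config as a list of strings."""
    acls, route_maps, applied, cur = {}, {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\d+) (?:permit|deny) (\S+) (.*)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", line):
            cur = m.group(1)  # subsequent match/set lines belong to this route-map
            route_maps.setdefault(cur, {"match": [], "next_hop": False})
        elif (m := re.match(r"match ip address (.+)", line)) and cur:
            route_maps[cur]["match"] += m.group(1).split()
        elif line.startswith("set ip next-hop") and cur:
            route_maps[cur]["next_hop"] = True
        elif m := re.match(r"ip (?:local )?policy route-map (\S+)", line):
            applied.add(m.group(1))  # applied on an interface or via ip local policy
    problems = []
    for name, rm in route_maps.items():
        if name not in applied:
            problems.append(f"route-map {name} is not applied to any interface or ip local policy")
        if not rm["next_hop"]:
            problems.append(f"route-map {name} has no 'set ip next-hop'")
        for acl in rm["match"]:
            if acl not in acls:
                problems.append(f"route-map {name} matches access-list {acl}, which does not exist")
    for num, aces in acls.items():
        for proto, rest in aces:
            if proto == "ip" and " eq " in f" {rest} ":
                problems.append(f"access-list {num}: 'eq <port>' requires tcp or udp, not ip")
    return problems

if __name__ == "__main__":
    for problem in check_pbr(SAMPLE_CONFIG):
        print(problem)
```

Run against the sample it reports only the 101/111 mismatch; replacing "address 111" with "address 101" makes it report nothing.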
