Pbr on 2811 not working.... access-list issue

May 2nd, 2012

Thought this would be pretty simple but am failing here with the basics. Trying to policy route internet traffic from a particular host via a dedicated internet link rather than via the corporate WAN. The access-list I am using for the route map just doesn't get any matches. Other access-lists I have placed on the 2811 do not accumulate matches either, so I am guessing this is the cause. A show ip int g0/1.3 tells me PBR is enabled on the interface using my route-map. Any clues most welcome.

router#sh access-l
Extended IP access list 151
    10 deny ip host
    20 deny ip host
    30 permit ip host any


Some snippets from the config below:

interface GigabitEthernet0/1.3
description **** Services vLAN ****
encapsulation dot1Q 4
ip address
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map reroute-dc-internet-traffic

access-list 151 deny   ip host
access-list 151 deny   ip host
access-list 151 permit ip host any

route-map reroute-dc-internet-traffic permit 10
 match ip address 151
 set ip next-hop

Andrew Cink Wed, 05/02/2012 - 23:24

What is the output from show route-map reroute-dc-internet-traffic?

If you traceroute to an internet host, what path does it show? Can you get out? You are testing from the device, correct? You can check which way you are going out by using a website like ipchicken.com.

Here is a good video on the subject:


Good luck!


DjDamo Wed, 05/02/2012 - 23:34


show route-map output:

route-map reroute-dc-internet-traffic, permit, sequence 10
  Match clauses:
    ip address (access-lists): 151
  Set clauses:
    ip next-hop
  Policy routing matches: 0 packets, 0 bytes

Trace from the host, shows the PBR not being applied:

Tracing route to over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms
  2    <1 ms     1 ms    <1 ms
  3   136 ms     7 ms    <1 ms
  4     1 ms     1 ms     1 ms
  5     2 ms     2 ms     2 ms
  6     3 ms    22 ms     3 ms
  7     3 ms     4 ms     2 ms
  8    19 ms    24 ms    23 ms
  9    17 ms    21 ms    25 ms
 10    14 ms    14 ms    14 ms
 11    17 ms    17 ms    16 ms
 12    17 ms    17 ms    16 ms
 13    17 ms    17 ms    17 ms
 14    14 ms    14 ms    14 ms

Trace complete.

So it gets back to my ACLs not being applied??

I will go take a look at the video.
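The two counters this thread keeps coming back to (the per-entry "(N matches)" suffix in sh access-l and "Policy routing matches" in show route-map) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses constructed output in the format quoted above and flags route-map sequences that have never policy-routed a packet, noting whether the ACL they match on has itself ever been hit. The route-map name and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders.

```python
import re

# Constructed sample output in the format quoted in the thread (documentation addresses, not real devices).
SHOW_ROUTE_MAP = """\
route-map reroute-dc-internet-traffic, permit, sequence 10
  Match clauses:
    ip address (access-lists): 151
  Set clauses:
    ip next-hop 192.0.2.1
  Policy routing matches: 0 packets, 0 bytes
"""
SHOW_ACCESS_LISTS = """\
Extended IP access list 151
    10 deny ip host 198.51.100.10 198.51.100.0 0.0.0.255
    20 permit ip host 198.51.100.10 any
Extended IP access list 152
    10 permit icmp host 198.51.100.20 host 203.0.113.5 (4 matches)
"""

def acl_hit_counts(text):
    """Sum the '(N matches)' counters per ACL; an entry without that suffix has never been hit."""
    hits, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(?:Extended|Standard) IP access list (\S+)", line)
        if head:
            current = head.group(1)
            hits[current] = 0
        elif current and (m := re.search(r"\((\d+) match(?:es)?\)", line)):
            hits[current] += int(m.group(1))
    return hits

def idle_pbr_entries(route_map_text, acl_text):
    """Return (route-map, seq, acl, acl_hits, next_hop) for every sequence with zero
    'Policy routing matches'. acl_hits == 0 means the classifier itself never fired (this
    thread's symptom); acl_hits > 0 points at the set clause or the interface instead."""
    hits = acl_hit_counts(acl_text)
    idle, cur = [], None
    for line in route_map_text.splitlines():
        if m := re.match(r"^route-map (\S+), (?:permit|deny), sequence (\d+)", line):
            cur = {"name": m.group(1), "seq": int(m.group(2)), "acl": None, "nh": None}
        elif cur and (m := re.search(r"access-lists\): (\S+)", line)):
            cur["acl"] = m.group(1)
        elif cur and (m := re.search(r"ip next-hop (\S+)", line)):
            cur["nh"] = m.group(1)
        elif cur and (m := re.search(r"Policy routing matches: (\d+) packets", line)) and int(m.group(1)) == 0:
            idle.append((cur["name"], cur["seq"], cur["acl"], hits.get(cur["acl"], 0), cur["nh"]))
    return idle
```

Feed it the real output of both show commands captured before and after a test ping; a sequence that stays in the idle list while its ACL counter also stays at zero is the condition described in this thread.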

Andrew Cink Wed, 05/02/2012 - 23:49

My next suggestion would be to make the access-list 151 permit ip host any and get rid of the deny lines, just to see if that helps.

If it doesn't help, my guess would be because it's a sub interface. Maybe try applying it to the base interface and not the sub interface? So just gig0/1? Maybe it's not catching it because of that...

I'm curious to know the answer, if it wasn't so late I'd fire up a router here at home to try it myself!


DjDamo Wed, 05/02/2012 - 23:57

Yeah, this should be so simple it's really winding me up! I think I might be up late as well..... Have just started tinkering more with the ACLs. This one for example isn't applied to anything but I should still see matches, right? I have a persistent ping happening to from the host. Still no matches. It seems that no ACL on this router gets a match!

cisco1921_FV#sh access-l 152
Extended IP access list 152
    10 permit icmp host host

John Blakley Thu, 05/03/2012 - 03:48


I'm going to go out on a limb here, but is the host that you're pinging from addressed as on the WAN side? If not, you'll need to source your ping in order for your PBR to work. For example:

WAN side:

LAN side:

If you're pinging from the above with just standard pings, the wan address will be used as the source and will never match your policy. If that's the case, try "ping source"



DjDamo Thu, 05/03/2012 - 04:48

John..... the ping is coming from the host.  It is on the LAN side.  The g0/1 interface has 6 sub interfaces servicing the 6 vlans on this site.  The next hop for the route map is on one of the vlans.  Other traffic exits via g0/0 into the corp wan.

I have created a few other test ACLs and none of them get matches regardless of the host, VLAN or traffic type. Confused!



John Blakley Thu, 05/03/2012 - 07:09

I labbed this up and it works fine. Have you checked the IOS version to see if there are any bugs related?

DjDamo Wed, 05/09/2012 - 07:06

John.... Cheers.

Couldn't find any bug info but just upgraded from c1900-universalk9-mz.SPA.152-2.T to c1900-universalk9-mz.SPA.152-3.T (it was a 1921 BTW!) and everything dropped into place. The image I replaced is still available for download!

Many thanks.
