I have an issue where we have two links (ipsec tunnels) going to the same destination.
What I am trying to do is split traffic on these two links based on the source address. (For example splitting staff and student subnets - one down each of the two links - going to the same destination address at the remote end).
I tried adding multiple static routes based on the destination address, however this doesn't seem to have worked. Can anyone shed some light on how this can be achieved?
If you want your traffic to be routed on the basis of source address or subnets, the best way is to use PBR.
Create an ACL to match the traffic, and set it to either the interface or next-hop.
You may refer to these links for configuration help and further reading if interested.
Thanks for your response
I created an acl, a route-map and applied it to the incoming interface on the router. It is matching packets correctly however it is not routing them.
If I add a static route to one interface it works, then if I remove this static route and create another pointing to the second interface that also works. When you remove all static routes and let the route-map handle it, it doesn't work.
I am having the same issue. "debug ip policy" shows the traffic being "policy routed" but traffic still goes to EIGRP-designated next hop.
I have attached the 3550 configuration, WAN router configurations (combined into one file) and the output from the debug statement.
You may or may not be aware of the following, however I thought I would mention it none the less.
There are certain restrictions with regards to configuring the 3550 with PBR which I discovered. Review your logs to verify whether you see any errors such as this:
%L3TCAM-3-SIZE_CONFLICT: PBR requires enabling extended routing
This was the problem in my case, and may not necessarily apply to yours.
Review the following link regarding configuring PBR on a 3550.
Yes, I received this error early in the process, and added "sdm prefer extended-match" to the config, saved and reloaded the switch. After that, I was able to successfully apply the policy map to the VLAN20 interface. "debug ip policy" shows the proper traffic making a "policy match", and then shows the traffic "policy routed" to the desired next hop, however a traceroute shows that the traffic is actually going to the other router. "debug ip icmp" on each router confirms the traffic is using the EIGRP-selected next hop, not the "policy routed" next hop. (see attachments)
In other words, it says it's policy routing but it's not... very confusing.
If a packet matches your match statements, as in this instance, and there is a specific route in the routing table which would have taken precedence, then you need to configure 'set ip next-hop xxx.xxx.xxx'.
However, if a route-map matches and there is no explicit route to the destination, then you should configure 'set ip default next-hop xxx.xxx.xxx'.
Can you post the routing table from the 3550?
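As an added example (not taken from any post in this thread), here is the PBR setup the thread describes on a 3550, using VLAN 20 as the ingress interface as in the posts above; the ACL names, route-map name, subnets and next-hop addresses are constructed placeholders:

```cisco
! Catalyst 3550 only: PBR needs the extended-match SDM template, then a reload
! (this is the %L3TCAM-3-SIZE_CONFLICT error mentioned above).
sdm prefer extended-match
!
! Match only the source subnets that should be steered (constructed values).
! Keep these ACLs narrow: everything they permit bypasses the routing table.
ip access-list extended PBR-STAFF
 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended PBR-STUDENT
 permit ip 10.20.0.0 0.0.0.255 any
!
! One route-map entry per link, next hop = directly connected address of each
! WAN router. "set ip next-hop" overrides even a more specific EIGRP route;
! "set ip default next-hop" is used only when there is no route at all.
route-map SPLIT-LINKS permit 10
 match ip address PBR-STAFF
 set ip next-hop 192.0.2.1
route-map SPLIT-LINKS permit 20
 match ip address PBR-STUDENT
 set ip next-hop 192.0.2.5
! No further entry: unmatched traffic is routed normally by EIGRP.
!
! The policy goes on the interface the traffic ENTERS, not the one it leaves.
interface Vlan20
 ip policy route-map SPLIT-LINKS
!
! Caveat: traffic sourced by the switch itself (e.g. a traceroute run on the
! 3550) is not subject to the interface policy. Test from a host in VLAN 20,
! or apply "ip local policy route-map SPLIT-LINKS" for switch-sourced traffic.
!
! Verification (exec mode): per-entry counters should increment, and debug
! should report the packet "policy routed" to the intended next hop.
show route-map SPLIT-LINKS
show ip policy
debug ip policy
```

If the counters increment but a host traceroute still follows the EIGRP path, check that the next-hop addresses are reachable on a directly attached subnet and that the ACL does not also match the return or management traffic you expect to be routed normally.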
I am already using the "set ip next-hop xxx.xxx.xxx" command in my route-map. I cannot post the routing table, as I had to decommission the lab, but the only route in the table for the destination network was learned via EIGRP, and this is the route I want "non-matching" traffic to use... I will try using the "set ip default next-hop xxx.xxx.xxx" when I can recreate the lab again next Monday.
Thanks for the suggestions
I have the same issue. I have attached my 2851 router config.
It matches packets with the access-list, and the route-map is also matching packets, but not directing them to the Dialer2 interface.
Can anyone shed light on this?