I have a hub and spoke topology. The hub site has two ISPs with two different global subnets. From the hub I have two tunnels, and each tunnel is sourced from one ISP. Therefore, one tunnel has a source interface IP from ISP1 and the other tunnel has a source interface IP from ISP2.
I need to policy route traffic coming from Tunnel 1 to go to ISP1. For Tunnel 2 there is no need, because the default route points to ISP2.
I know that to match router-generated traffic you've got to use "ip local policy route-map tag"; however, this doesn't match the GRE traffic generated from the router.
Does anybody have an idea how to PBR the router's generated GRE traffic?
Thanks in advance,
I would have thought that ip local policy would be able to handle the GRE traffic. Can you give us specifics of the route map that you used to identify traffic and send it to the right ISP? It would also be useful to know how you select which traffic goes into each tunnel.
Thanks for the feedback. Yes, the PBR does not match the GRE generated traffic. However, if you try a trace or an extended ping, it matches the traffic and you can see the PBR matching and policing the traffic. However, the GRE packets are still going through the unwanted ISP interface. Below you can find the config:
route-map ISP1 permit 10
match ip address ISP1
set ip next-hop x.x.x.254
ip access-list extended ISP1
permit ip x.x.x.x 0.0.0.15 any
ip local policy route-map ISP1
This is the expected behavior. Local policy is intended for packets generated by the router, and despite the fact that GRE packets are stamped with the tunnel source, for this purpose they are still considered 'forwarded' packets.
You can however use a host route (/32) to the second tunnel destination over the interface that does not have the default route. This should achieve the same result.
This is part of what I asked for but does not go quite far enough. In the access list ISP1 the "permit x.x.x.x 0.0.0.15 any" what addresses is it matching? Is it matching the original source address of the IP packet which is encapsulated in GRE or is it matching the address that is the source for the GRE packet?
It might also help if you could help us understand how you select which traffic goes into which tunnel.
It is matching the source address of the GRE tunnel. My selection is based on the source address. If the packet comes from the Tunnel 1 source address it has to go to ISP1, and if the packet comes from the Tunnel 2 source address it has to go to tunnel 2.
Let me know your feedback,
It is matching the source address of the GRE tunnel. My selection is based on the source address. If the packet comes from the Tunnel 1 source address it has to go to ISP1, and if the packet comes from the Tunnel 2 source address it has to go to ISP 2.
Let me know your feedback,
Should the traffic be arranged as below?
If the source address matches the traffic within tunnel 1, then go to tunnel 1's GRE address. And apply the policy map to your LAN interface.
I believe what you want is to redirect the traffic before the tunnel to the GRE, so that it goes through a specific GRE tunnel. Right?
Sorry, I don't have equipment on hand to prove it.