A question about PBR

yan.yong
Level 1

I have two routers, connected with a link. Router A sends traffic to router B. Router B has three ports. I configured PBR and an ACL on router B: port B/1 receives traffic from A, and if the traffic matches the ACL 'TSAP_USERS', the PBR on port B/1 sends this traffic to port B/2, but in B's route table this traffic's next hop is port B/3. I configured the ACL 'not_TSAP_USERS' to deny this traffic on port B/3.

However, the traffic defined in the ACL 'TSAP_USERS' flows to port B/2 because of the PBR, and, in spite of the ACL 'not_TSAP_USERS', passes through port B/3.

I find that the PBR changed this packet's destination output interface, so the ACL 'not_TSAP_USERS' on port B/3 doesn't deny this flow. If I remove the ip policy route-map from port B/1, then the ACL 'not_TSAP_USERS' denies the flow on port B/3.

I want to know whether this behaviour is right.

Thank you.

Used in the PBR:

ip access-list extended TSAP_USERS
 permit icmp 172.17.2.96 0.0.0.15 host 172.18.2.98 echo
 remark Identify traffic for route-map TSAP_TELNET

Used on port B/3:

ip access-list extended not_TSAP_USERS
 deny icmp 172.17.2.96 0.0.0.15 host 172.18.2.98 echo
 permit ip any any

route-map TSAP_TELNET permit 10
 match ip address TSAP_USERS
 set interface B/2

debug ip packet

*Mar 1 00:07:09.475: IP: s=172.17.2.98 (FastEthernet0/0), d=172.18.2.98 (Serial0/0), len 100, access denied
*Mar 1 00:07:09.475: ICMP type=8, code=0
*Mar 1 00:09:45.211: IP: s=172.17.2.98 (FastEthernet0/0), d=172.18.2.98 (Serial0/1.201), g=172.18.2.98, len 100, forward
*Mar 1 00:09:45.211: ICMP type=8, code=0

12 Replies

jackyoung
Level 6

Can you please provide the configuration file?

              (B/1)
      R B ---------------- R A
     /   \
B/3 /     \ B/2
   /       \
 R C       R D

This is router B's configuration:

interface Loopback0
 description Dummy LAN segment 1
 ip address 172.17.2.5 255.255.255.248
!
interface Loopback1
 description Dummy LAN segment 2
 ip address 172.17.2.9 255.255.255.252
!
! B/1 in the diagram
interface FastEthernet0/0
 description Link TSAP networks
 ip address 172.17.2.97 255.255.255.240
 ip policy route-map TSAP_TELNET
 duplex auto
 speed auto
!
! B/3 in the diagram
interface Serial0/0
 description Normal routed traffic primary link to Dallas
 bandwidth 2000
 ip address 192.168.1.17 255.255.255.248
 ip access-group not_TSAP_USERS out
 encapsulation frame-relay
 no fair-queue
 frame-relay map ip 192.168.1.18 100 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 frame-relay intf-type dce
!
interface Serial0/1
 description Frame relay link to Atlanta
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
!
! B/2 in the diagram
interface Serial0/1.201 point-to-point
 bandwidth 1000
 ip address 192.168.1.41 255.255.255.248
 ip access-group TSAP_USERS out
 frame-relay interface-dlci 201
!
router eigrp 100
 redistribute connected
 redistribute static
 network 172.17.0.0
 network 192.168.1.16 0.0.0.7
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
ip route 172.17.2.144 255.255.255.240 172.17.2.98
ip http server
!
ip access-list extended TSAP_USERS
 permit tcp 172.17.2.96 0.0.0.15 host 172.18.2.98 eq telnet
 permit icmp 172.17.2.96 0.0.0.15 host 172.18.2.98 echo
 remark Identify traffic for route-map TSAP_TELNET
ip access-list extended not_TSAP_USERS
 deny tcp 172.17.2.96 0.0.0.15 host 172.18.2.98 eq telnet
 deny icmp 172.17.2.96 0.0.0.15 host 172.18.2.98 echo
 permit ip any any
!
route-map TSAP_TELNET permit 10
 description Policy route-map for TSAP users to Orlando
 match ip address TSAP_USERS
 set interface Serial0/1.201 Null0
!
line con 0
 exec-timeout 180 0
 privilege level 15
line aux 0

Thank you.

Thanks for the info. According to the config, I can't find the problem. And if the packet is policy-routed to B/2, it will not flow to B/3, so B/3 will not deny it. Doesn't that make sense?

Could you advise what your concern is? It is not a load-sharing link where the traffic will only route via one path; once the PBR is working, the traffic will follow the PBR and not use the routing table.

Hope this clarifies. Please correct me if I overlooked something.

Thank you for your help.

#sh ip rou ei
     172.18.0.0/16 is variably subnetted, 8 subnets, 3 masks
D       172.18.2.224/29 [90/2432000] via 192.168.1.18, 00:01:51, Serial0/0
D       172.18.2.208/28 [90/2306560] via 192.168.1.18, 00:01:51, Serial0/0
D       172.18.2.44/30 [90/2432000] via 192.168.1.18, 00:01:51, Serial0/0
D       172.18.2.40/30 [90/2432000] via 192.168.1.18, 00:01:51, Serial0/0
D       172.18.2.8/29 [90/1920000] via 192.168.1.18, 00:01:53, Serial0/0
D       172.18.2.4/30 [90/1920000] via 192.168.1.18, 00:01:53, Serial0/0
D       172.18.2.112/28 [90/1920000] via 192.168.1.18, 00:01:53, Serial0/0
D       172.18.2.96/30 [90/1794560] via 192.168.1.18, 00:01:53, Serial0/0
D    197.197.5.0/24 [90/2304000] via 192.168.1.18, 00:01:53, Serial0/0

In router B's route table, to reach the network of 172.18.2.98, router B goes to next hop 192.168.1.18 (router C); however, the PBR sends the traffic (destination 172.18.1.98) to router B port B/2. When using the PBR this traffic passes B/3, and it seems that the ACL doesn't deny it. Why doesn't the ACL work? With no PBR, the ACL denies the traffic. I'm perplexed.

I found that the PBR changed the original packet's destination output interface from d=172.18.2.98 (Serial0/0) to d=172.18.2.98 (Serial0/1.201); maybe it does not match the ACL 'not_TSAP_USERS' on port B/3, so the traffic passed. Does the access control entry include output interface information?

I think the router treats PBR traffic like local traffic. Local traffic from the router is not affected by the access-list configuration on the interface.

You could also try enabling fast-switched PBR and see if it makes a difference: ip route-cache policy on the interface.

I enabled ip route-cache policy on int f0/0, but it had no effect.

I tried modifying the PBR from set interface s0/1.201 to set int s0/1 or set int f0/1; the telnet and echo-reply traffic are all dropped by s0/1 and f0/1, not redirected to s0/0.

Please check the ACL counters to determine whether the traffic matches the ACL or not.

Sorry, I am confused. Can you advise whether the PBR is working? If it is working, the ACL traffic should not pass through B/3, because it is forwarded to B/2. If the router forwards the ACL traffic to B/3, it means the PBR is not working, i.e. the ACL is not matched.

Please clarify.

Sorry, maybe I didn't describe it clearly.

If I configure the PBR on port f0/0, then the traffic is sent to port s0/1.201 by the PBR and redirected to port s0/0 by the route table, and the router forwards the traffic.

If I don't configure PBR on f0/0, the traffic is sent to s0/0 and the router denies the traffic according to the ACL on s0/0.

If the PBR is working, it should redirect the traffic to s0/1.201 and forward it to the remote end. Why is it redirected to s0/0? Could you please provide the traceroute result?

Moreover, why did you add Null0 in the route-map for PBR?

When I modified the PBR from set interface s0/1.201 to set ip next-hop 192.168.1.41 and used debug ip policy, I observed some differences:

1. using set interface s0/0.201

*Mar 1 00:57:06.887: IP: s=172.17.2.98 (FastEthernet0/0), d=172.18.2.98, len 100, policy match
*Mar 1 00:57:06.891: IP: route map test, item 10, permit
*Mar 1 00:57:06.891: IP: s=172.17.2.98 (FastEthernet0/0), d=172.18.2.98 (Serial0/1.201), len 100, policy routed
*Mar 1 00:57:06.891: IP: FastEthernet0/0 to Serial0/1.201 172.18.2.98

2. using set ip next-hop 192.168.1.41

*Mar 1 00:53:36.215: IP: s=172.17.2.98 (FastEthernet0/0), d=172.18.2.98, len 100, policy match
*Mar 1 00:53:36.215: IP: route map test, item 10, permit
*Mar 1 00:53:36.215: IP: s=172.17.2.98 (FastEthernet0/0), d=172.18.2.98 (Serial0/1.201), len 100, policy routed
*Mar 1 00:53:36.215: IP: FastEthernet0/0 to Serial0/1.201 192.168.1.41

In condition 1 the router used the route table to send the packet to port s0/0.

In condition 2 the router sent the packet to port s0/1.201 and dropped it.

The other question is why the ACL not_TSAP_USERS does not deny the telnet and echo-reply packets.

Thank you for your help.

The ip next-hop should be set to the remote IP and not the local interface IP. Please try again.

Please check the ACL counter for not_TSAP_USERS to determine whether it matched the ACL or not. If there is no increment of the counter, then the ACL may be incorrect. Double-check the source and destination IP addresses.

But I still think that once the PBR is working, the traffic of TSAP_USERS will be redirected to S0/1.201, so there should be no such traffic going through S0/0 and the ACL counter of not_TSAP_USERS should not increase. And the users on FE0/0 should not reach the server via S0/0. Do you mean that if the PBR is not working, e.g. S0/1.201 is down, the user will reach the server via S0/0 and you have to block it?

If yes, did you try disabling the PBR and testing the access and the function of the ACL on S0/0?
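As an added example that is not part of this thread, the following Python model walks through the forwarding order jackyoung describes in his first explanation (the route-map on the ingress interface is consulted first; the routing table is used only when no policy clause applies; the output ACL that counts is the one on the interface the packet actually leaves) and reports the per-entry ACL hit counters that the last reply asks to check. Router B's addresses, both ACLs, the route-map and the EIGRP route to 172.18.2.96/30 are taken from the configuration posted above. The way the set clauses are resolved is a modelling assumption, not IOS behaviour quoted from the page: the first listed interface that is up wins, a next hop must lie on a connected subnet, and a next hop equal to the router's own address is treated as unusable, which is what the posted debug for set ip next-hop 192.168.1.41 suggests. The remote address 192.168.1.42 is a hypothetical peer on the DLCI 201 subnet.

```python
"""Hypothetical model (not IOS code) of the forwarding order behind this thread: ingress
route-map first, the routing table only when no policy clause applies, then the output
ACL of the interface the packet actually leaves. Router B's addresses, ACLs and route-map
are copied from the thread; how the 'set' clauses resolve is a modelling assumption."""
import ipaddress

def _spec(spec):
    """IOS address spec -> (base, wildcard) ints: 'any', 'host A', or 'A WILDCARD'."""
    if spec == "any":
        return 0, 0xFFFFFFFF
    a, b = spec.split()
    ip = lambda s: int(ipaddress.IPv4Address(s))
    return (ip(b), 0) if a == "host" else (ip(a), ip(b))

def wildcard_match(addr, spec):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    base, wild = _spec(spec)
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0

class Acl:
    """Extended ACL: first matching entry wins, implicit deny, per-entry hit counters."""
    def __init__(self, entries):
        self.entries = [dict(e, hits=0) for e in entries]

    def check(self, pkt, count=True):
        for e in self.entries:
            if (e["proto"] in ("ip", pkt["proto"])
                    and wildcard_match(pkt["src"], e["src"]) and wildcard_match(pkt["dst"], e["dst"])
                    and all(e.get(k) in (None, pkt.get(k)) for k in ("dport", "icmp_type"))):
                e["hits"] += count        # count=False for route-map matching; only interface ACLs count
                return e["action"]
        return "deny"                     # implicit deny at the end of every IOS ACL

    def hits(self):
        return [e["hits"] for e in self.entries]

class Router:
    def __init__(self):
        self.ifaces, self.routes, self.acls, self.route_maps = {}, [], {}, {}

    def add_iface(self, name, cidr, out_acl=None, policy=None, up=True):
        self.ifaces[name] = dict(addr=ipaddress.IPv4Interface(cidr), out_acl=out_acl, policy=policy, up=up)

    def lookup(self, dst):
        """Longest-prefix match over connected subnets plus learned routes."""
        cands = [(i["addr"].network, n) for n, i in self.ifaces.items() if i["up"]] + self.routes
        hit = [c for c in cands if ipaddress.IPv4Address(dst) in c[0]]
        return max(hit, key=lambda c: c[0].prefixlen)[1] if hit else None

    def policy_route(self, pkt, ingress):
        """Ingress route-map: (egress, drop_reason), or None to fall back to the routing table."""
        for acl, kind, args in self.route_maps.get(self.ifaces[ingress]["policy"], []):
            if self.acls[acl].check(pkt, count=False) != "permit":
                continue
            if kind == "interface":                 # first listed interface that is up wins
                for name in args:
                    if name == "Null0" or self.ifaces[name]["up"]:
                        return name, ("policy routed to Null0" if name == "Null0" else None)
            elif kind == "next-hop":                # next hop must sit on a connected, up subnet
                nh = ipaddress.IPv4Address(args[0])
                for name, i in self.ifaces.items():
                    if i["up"] and nh in i["addr"].network:
                        # assumption matching the thread's debug: the router's own address is not usable
                        return name, ("next hop is the router's own address" if nh == i["addr"].ip else None)
        return None

    def forward(self, pkt, ingress):
        decision = self.policy_route(pkt, ingress)
        egress, reason = decision or (self.lookup(pkt["dst"]), None)
        if reason or egress is None:
            return dict(egress=egress, verdict="drop", reason=reason or "no route")
        out_acl = self.ifaces[egress]["out_acl"]   # output ACL of the *actual* egress interface
        denied = bool(out_acl) and self.acls[out_acl].check(pkt) == "deny"
        return dict(egress=egress, verdict="access denied" if denied else "forward",
                    reason=out_acl if denied else None)

TSAP = dict(src="172.17.2.96 0.0.0.15", dst="host 172.18.2.98")   # source range and server from the thread

def build_router_b(policy_set):
    """Router B as posted; policy_set is the route-map 'set' clause, or None for no PBR on f0/0."""
    r = Router()
    r.acls["TSAP_USERS"] = Acl([dict(TSAP, action="permit", proto="tcp", dport=23),
                                dict(TSAP, action="permit", proto="icmp", icmp_type=8)])
    r.acls["not_TSAP_USERS"] = Acl([dict(TSAP, action="deny", proto="tcp", dport=23),
                                    dict(TSAP, action="deny", proto="icmp", icmp_type=8),
                                    dict(action="permit", proto="ip", src="any", dst="any")])
    r.add_iface("FastEthernet0/0", "172.17.2.97/28", policy="TSAP_TELNET" if policy_set else None)
    r.add_iface("Serial0/0", "192.168.1.17/29", out_acl="not_TSAP_USERS")
    r.add_iface("Serial0/1.201", "192.168.1.41/29", out_acl="TSAP_USERS")
    r.routes.append((ipaddress.IPv4Network("172.18.2.96/30"), "Serial0/0"))   # from 'sh ip rou ei'
    if policy_set:
        r.route_maps["TSAP_TELNET"] = [("TSAP_USERS",) + policy_set]
    return r
ECHO = dict(src="172.17.2.98", dst="172.18.2.98", proto="icmp", icmp_type=8)   # constructed: the ping in the debug
def run(policy_set, pkt=ECHO):
    r = build_router_b(policy_set)
    res = r.forward(pkt, "FastEthernet0/0")
    res["hits"] = {n: a.hits() for n, a in r.acls.items()}
    return res
```

With no PBR, run(None) sends the echo out Serial0/0, where not_TSAP_USERS denies it and its second entry's counter becomes 1. With ("interface", ["Serial0/1.201", "Null0"]) the echo leaves Serial0/1.201, TSAP_USERS permits it, and every not_TSAP_USERS counter stays at 0, which is the point jackyoung makes: an output ACL only sees packets that actually leave its interface, so checking the counters on both serial interfaces tells you which path the router really took. A next hop of 192.168.1.41 (router B's own address) is policy-routed onto Serial0/1.201 and then dropped, while the hypothetical remote 192.168.1.42 is forwarded.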