Policy Route Router GRE generated traffic

m-haddad
Level 5

Hello,

I have a hub and spoke topology. The hub site has two ISPs with two different global subnets. From the hub I have two tunnels, each tunnel sourced from one ISP. Therefore, one tunnel has its source interface IP from ISP1 and the other tunnel has its source interface IP from ISP2.

I need to policy route traffic coming from Tunnel 1 to go to ISP1; for Tunnel 2 there is no need because the default route points to ISP2.

I know that to match router-generated traffic you've got to use "ip local policy route-map <tag>"; however, this doesn't match the GRE traffic generated by the router.

Does anybody have an idea how to PBR the router-generated GRE traffic?

Thanks in advance,

Regards,

12 Replies

Richard Burts
Hall of Fame

Mohamad

I would have thought that ip local policy would be able to handle the GRE traffic. Can you give us specifics of the route map that you used to identify traffic and send it to the right ISP? It would also be useful to know how you select which traffic goes into each tunnel.

HTH

Rick

Hello Rick,

Thanks for the feedback. Yes, the PBR does not match the GRE-generated traffic. However, if you try trace or extended ping it matches the traffic and you can see the PBR matching and policing the traffic. However, the GRE packets are still going through the unwanted ISP interface. Below you can find the config:

route-map ISP1 permit 10
 match ip address ISP1
 set ip next-hop x.x.x.254
!
ip access-list extended ISP1
 permit ip x.x.x.x 0.0.0.15 any
!
ip local policy route-map ISP1

Regards,

I guess I figured out the problem. I changed the route-map to "set ip default next-hop" and it is now matching traffic.

Regards,

Nope, problem not solved; packets are still going to the default route. I set the route-map to use "set ip next-hop".

Regards,

This is the expected behavior. Local policy is intended for packets generated by the router, and despite the fact that GRE packets are stamped with the tunnel source, for this purpose they are still considered 'forwarded' packets.

You can however use a host route (/32) to the second tunnel destination over the interface that does not have the default route. This should achieve the same result.

Mohamad

This is part of what I asked for but does not go quite far enough. In the access list ISP1, what addresses does "permit ip x.x.x.x 0.0.0.15 any" match? Is it matching the original source address of the IP packet which is encapsulated in GRE, or is it matching the address that is the source of the GRE packet?

It might also help if you could help us understand how you select which traffic goes into which tunnel.

HTH

Rick

Hello Rick,

It is matching the source address of the GRE tunnel. My selection is based on the source address. If the packet comes from the Tunnel 1 source address it has to go to ISP1, and if the packet comes from the Tunnel 2 source address it has to go to tunnel 2.

Let me know your feedback,

Hello Rick,

It is matching the source address of the GRE tunnel. My selection is based on the source address. If the packet comes from the Tunnel 1 source address it has to go to ISP1, and if the packet comes from the Tunnel 2 source address it has to go to ISP 2.

Let me know your feedback,

Should the traffic be arranged as below?

If the source address matches the traffic within tunnel 1, then go to tunnel 1's GRE address. And apply the policy map to your LAN interface.

What I believe you want is to redirect the traffic to the GRE before tunnelling, so that it goes through the specified GRE tunnel. Right?

Sorry, I don't have equipment on hand to prove it.

omadrid
Cisco Employee

[Sorry I had replied to the wrong message]

This is the expected behavior. Local policy is intended for packets generated by the router, and despite the fact that GRE packets are stamped with the tunnel source, for this purpose are still considered 'forwarded' packets.

You can however use a host route (/32) to the second 'tunnel destination address' over the preferred interface (the one without the default route), and this should achieve the expected result; but local-policy will not touch GRE packets from the local router, and even if it does, it would be unreliable (working because of some oddity and not because it is expected).

Hello All,

Thanks for the feedback. Using the host-based route is not what I want to achieve. This is because I have two tunnels with two different source IPs and the destination is one. Therefore, doing host-based routing is not what I want.

Tunnel 1 has source IP from ISP1 Global subnet and the destination is remote global IP.

Tunnel 2 has source IP from ISP2 global subnet and the destination is the SAME remote global IP.

The intention is to fail over between the two tunnels, plus dynamic routing.

The issue now is that I need the router to pass traffic generated from the Tunnel 1 source IP to ISP1 and traffic generated from the Tunnel 2 source IP to ISP 2.

Therefore it is source-based routing. As I mentioned before, and as you confirmed, GRE packets are not matched by the ip local policy command.

Thanks in advance,

Oh I see.

Well local-policy will not do that.

Oscar
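As an added illustration (not code from the thread, from Cisco, or from any poster), the Python below models the forwarding decision discussed here: a wildcard-mask ACL match for the "ip local policy" route-map, which per the thread is skipped for router-originated GRE, and a longest-prefix-match lookup showing why a /32 host route to the peer steers GRE but cannot tell two tunnels apart when both have the same destination. All addresses are constructed sample values standing in for the x.x.x.x placeholders.

```python
import ipaddress

# Constructed sample addresses: Tunnel1 sourced from ISP1 block 203.0.113.0/28,
# Tunnel2 from ISP2 block 198.51.100.0/28, one shared remote GRE peer.
ISP1_NEXT_HOP = "203.0.113.254"
ISP2_NEXT_HOP = "198.51.100.254"
REMOTE_GRE_DEST = "192.0.2.10"          # same peer for both tunnels (constructed)
TUNNEL1_SRC, TUNNEL2_SRC = "203.0.113.1", "198.51.100.1"

def acl_matches(addr, base, wildcard):
    """Cisco wildcard-mask semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def local_policy_next_hop(src, router_originated):
    """Model of 'ip local policy route-map ISP1' (permit ip x.x.x.x 0.0.0.15 any -> set ip next-hop ISP1).
    Only packets the router treats as locally generated (e.g. extended ping/trace) are evaluated;
    per the thread, router-originated GRE counts as *forwarded* and is not evaluated."""
    if router_originated and acl_matches(src, "203.0.113.0", "0.0.0.15"):
        return ISP1_NEXT_HOP
    return None

def rib_lookup(dst, table):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.IPv4Address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None

def egress_for_gre(src, dst, table, gre_is_forwarded=True):
    """Egress next hop for an outer GRE packet: local policy first (if applicable), else the RIB."""
    nh = local_policy_next_hop(src, router_originated=not gre_is_forwarded)
    return nh or rib_lookup(dst, table)

DEFAULT_ONLY = [("0.0.0.0/0", ISP2_NEXT_HOP)]                       # the poster's situation
WITH_HOST_ROUTE = DEFAULT_ONLY + [(REMOTE_GRE_DEST + "/32", ISP1_NEXT_HOP)]  # Oscar's suggestion

if __name__ == "__main__":
    print("GRE from Tunnel1, default only:", egress_for_gre(TUNNEL1_SRC, REMOTE_GRE_DEST, DEFAULT_ONLY))
    print("Extended ping from Tunnel1 src:", egress_for_gre(TUNNEL1_SRC, REMOTE_GRE_DEST, DEFAULT_ONLY, False))
    for src in (TUNNEL1_SRC, TUNNEL2_SRC):   # same /32 destination: both tunnels land on ISP1
        print("GRE from", src, "with /32:", egress_for_gre(src, REMOTE_GRE_DEST, WITH_HOST_ROUTE))
```

The last loop is the limitation the original poster raises: with one shared peer address, a host route selects the exit for both tunnels at once, so source-based steering of the outer GRE packets needs a different mechanism.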