GE0/1 is indeed on the public side. I have an interface, GE0/2, on the private side. 

I will definitely give that a try and let you know what I come up with.

Thanks.

Hello

---

@ElishaDean5574 wrote:
I would like web traffic coming in from my public side to be routed to my IPS and all other traffic to be routed to my other CSR.

---

Just to confirm your default traffic is already being routed the the other csr and the web traffic is to be policy routed to the IDS device reachable via the next-hop specified?

That is correct, yes.

Hello,

can you remove the match statement from the route map (which means all traffic is matched) and check if any traffic is matched at all (show ip cache policy) ?

route-map Map_Web_IPS permit 100

--> no match ip address Web_To_IPS

set ip next-hop xxx.xxx.xxx.xxx (IPS Address)

Hello

Can you post the running config of the router, its route table and indicate the IDS address within that route table please?.

Hello,

with the proposed ACL all traffic coming from web servers port www or from https servers port 443 should be redirected to the IPS because:

ge1 is the interface to the public internet

the PBR is applied inbound

the new ACL takes in account the direction of traffic (see above)

and the IPS is reachable out another interface.

May I ask you what is the normal routing next-hop for internal networks ?

It is an IP address out of ge2 ?

Is the IPS reachable out of ge2 too ?

if both natural next-hop and IPS are out of ge2 , you should be able to detect how much traffic is sent to the IPS MAC address  with ip accounting or with an IP ACL using the log-input  option (this option may be available or not in your platform if available you can see how many packets are sent to IPS MAC address)

There are some debug commands that could be used related to PBR like debug ip policing, however you should try to use it in combination with an ACL to limit the debug output to avoid execessive load on the router.

Hope to help

Giuseppe