Rick,

I've been reading about PBR and think that is the right solution,  I will give your suggection a try and let you know how it goes.

Thanks!

OK well that didn't work, so maybe I am missing something. So here is a little more info;

The site I am trying to route over the WAN instead of the public ISP port is a https site. The reason I want it to route over the WAN MPLS port is because we have a tunnel at our corporate site that routes that traffic out to an site. Not sure why this did not route properly I need to do a little more research on PBR.

Beckman

Thanks for the additional information about your environment. Unfortunately it does not shed much light on the use of PBR and what might cause it to not work. You are welcome to do more research on why PBR did not work, but you might also post here what you configured and perhaps we can identify the flaw.

In case it might help I offer these observations:

- the most common cause of problems in configuring PBR is not assigning the route map on the interface where the traffic is received.

- the second most common problem in configuring PBR is not having the access correctly identify the traffic that needs special routing.

- the third most common problem in configuring PBR is not correctly setting the next hop address.

- and in your case I would suggest the next thing to check is inconsistent implementation of PBR on both routers.

HTH

Rick

Here is an overview of the site:

Router 1 (R1) is set as the gateway router. Network for the site is 10.10.35.0/24. Here are the interfaces;

FE0/0 - IP 10.10.8.1 (Network) going to switch on LAN

FE0/1 - IP 192.168.3.1 (Voice LAN)

Ser0/1/0 - no IP (MPLS for Voice between sites)PPP encap.

Ser0/2/0 - no IP (MPLS for Data between sites)PPP encap.

Ser0/3/0 - 172.32.40.230/30 (IPS IP is 172.32.40.129/30) MPLS to corp cloud - This is the route that the https site needs to route. Traffic default routes set based on IP traffic, all LAN traffic route to Ser0/3/0 including the 0.0.0.0 0.0.0.0 Ser0/3/0

Router 2 (R2) is the router that is going to the internet, here is the interface config:

GIG0/0 - IP 68.111.44.221/29 (Interface going to ISP) ISP IP is 68.111.44.220/29

GIG0/1 - IP 10.10.8.10 (Network) going to switch on LAN

What I configured was:

access-list 102 permit ip host 172.16.3.2 any

route-map RM-SEC-WAN permit 10

match ip address 102

set ip next-hop 68.111.44.220

interface FE0/0

ip policy RM-SEC-WAN

can you please send this topology

Beckman

Thank you for the additional information.There are several things about it that I do not understand and hope that you can clarify.

- I am assuming that the route map is configured on R1, but your post is not specific about that. Is this correct?

- the access list is permitting host 172.16.3.2. Is that the server that you want to route differently? If so where is that server connected? It does not seem to be in the subnet associated with FE0/0.

- your original post indicates that you want to route this out the WAN port and not the Internet port. I can not understand from the information in this post which is the WAN port and which is the Internet port.

- your route map sets the next hop as 68.111.44.220 which is an address on R2. Does R1 know how to get to this address? If so, is this through the Internet path or the WAN path?

HTH

Rick

Thank you for sticking with me on this. The site I am trying to route over the WAN is the 127.16.3.2 which is at an off site location which is routed through a tunnel built in our corporate office, which is why I need it to route across the WAN. The WAN port is located on R1, the internet port is on R2. I made a mistake on the next-hop in my earlier port, it was acually set to 172.32.40.129 which is the next-hop on the WAN port. I did configure the route-map on R1. Would it be easier if I set up a route-map to route port 80 to R2 so that that traffic routes to the internet port versus routing that single HTTPS traffic through the WAN port?

Here is a basic view.

Beckman

The diagram helps - and it makes me wonder if I have mis-understood what you are trying to do. I had assumed that you were interested in different routing for traffic FROM the server, but the diagram suggests to me that you really are working on traffic TO the server. So now I am a bit confused. Can you clarify for me what you are trying to achieve?

HTH

Rick

William,

Looking at the diagram ,can I make the following assumptions.

1. the clients are attached to R1 route.

2. The traffic to Internet (http)  should be sent over to R2...

3. The traffic to server (secure site https) should be sent to the Corporate ISP?

4. I hope you have routes from R1 to R2 and Corporate ISP.

5. Assuming the secure site is 127.16.3.2

if that is the case, can we do something like this:

access-list 101 permit 10 any any eq https

route-map permit 10

match ip-address 101

set ip next-hop

and apply this policy to the incoming interface on R1.

-Vijay

The R1 and R2 are located in the remote site and their are the ones making the HTTPS requests to the far site where the HTTPS webserver is. R1 can be considered the core router, R2 is just for the internet access where we want all other www traffic to be routed.

Vijay, you have that information correct.

Rick you are correct, I was over thinking  it added the default route to the ISP router and the 172 route to Ser0/3/0 and it tested good. I was too focused on the "HTTPS" site. Thank you for your help..