
Tricky PBR

Level 1

I have a PBR need that I am a little stumped on. Here is the scenario:

I have a host on the LAN that I would like to route all internet bound traffic to a "new" internet circuit, and all LAN bound traffic to be routed via LAN routing methods. No other hosts on the subnet, just this one host.


Gateway for LAN:

Gateway for Internet:

All other LAN subnets: 10/8

So I am stumped on how to change his default route to something other and route all 10/8 traffic to his LAN GW.

Thank you for any assistance with this.

17 Replies

Level 10


Post the PBR - and we can have a look at it?


Level 1

Hi Chuck, a little schematic of your network will help us recommend the right solution.


Thanks guys,

Here is a logical of the environment, I basically need to change the default route for this one user to the new NAT firewall to go to the new internet, and make sure he can still get to the corporate network.

You can create a PBR and attach it to the interface.

In the PBR:

permit any

Then next hop to the NAT firewall.



So the PBR would do the deny or the ACL? I would deny to all 10/8, then the next hop to the NAT firewall?

This statement makes sure the traffic is routed (that's why "deny" is there) to your 10/8 and policy routed (permit any) to the new internet. Should work fine.


OK, here is exactly what I have, and it is not working at the moment:


ip access-list extended Chuck
 ! host address and 10/8 destination as posted (values not shown in the post)
 10 deny ip host
 ! host address as posted (value not shown in the post)
 20 permit ip host any
!
route-map Chuck permit 10
 match ip address Chuck
 ! next-hop address as posted (value not shown in the post)
 set ip next-hop


Did you apply this map to the router interface where your host is connected?


Yes, had to ask though, right!

interface Vlan100
 ! address, helper and HSRP VIP as posted (values not shown in the post)
 ip address
 ip helper-address
 no ip redirects
 ip policy route-map Chuck
 standby 1 ip
 standby 1 priority 110
 standby 1 preempt


And your ACL is named "Chuck"?

Do you see any hits on the ACL?

The name of the ACL is Chuck, and it is very strange: I see 3 hits on the deny, and none on the permit.

There should be many hits on the ACL, which is why it is strange.

So you are generating traffic to the internet and see no hits on the permit? Can you check on your new firewall whether the traffic makes it there and whether it allows that host to go out?

Can you connect to the 10/8 network?

What switch are you using?

Can you debug PBR?

Keep in mind that for certain switch types (3750 for example) you cannot use deny statements in PBR ACLs... in this case you have to do an explicit route-map statement and forward traffic to your 10/8 VLAN interface.
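To make the two forwarding semantics in this thread concrete, here is an added Python model (not from the thread or any Cisco tool) of the route-map decision: the posted "deny 10/8, permit any" ACL, where a deny means "not policy routed, use the routing table", beside the deny-free two-sequence route-map the last reply recommends for platforms like the 3750. All addresses (host, core next hop, old default, NAT firewall) are constructed placeholders, since the thread does not show the real ones.

```python
import ipaddress

# Constructed placeholder addresses; the thread does not publish the real ones.
HOST = ipaddress.ip_address("10.1.100.50")   # the single host to be policy routed
CORP = ipaddress.ip_network("10.0.0.0/8")    # "all other LAN subnets: 10/8"
CORE_GW = "10.1.100.2"                        # where the routing table sends 10/8 today
OLD_INET = "10.1.100.254"                     # existing default route (old circuit)
NAT_FW = "192.0.2.1"                          # new NAT firewall on the new circuit

def routing_table(dst):
    """Normal (non-policy) forwarding: 10/8 to the core, everything else to the old default."""
    return CORE_GW if dst in CORP else OLD_INET

def acl_chuck(src, dst):
    """The posted ACL: seq 10 deny ip host HOST 10/8, seq 20 permit ip host HOST any.
    Returns 'permit', 'deny', or None for the implicit deny at the end of the list."""
    if src == HOST and dst in CORP:
        return "deny"
    if src == HOST:
        return "permit"
    return None

def pbr_deny_acl(src, dst):
    """route-map Chuck permit 10 / match ip address Chuck / set ip next-hop NAT_FW.
    Only a 'permit' ACL result matches the route-map; an explicit or implicit deny
    means the packet is not policy routed and the routing table decides."""
    if acl_chuck(src, dst) == "permit":
        return NAT_FW
    return routing_table(dst)

def pbr_explicit(src, dst):
    """Same intent with no deny lines (for platforms such as the 3750):
    seq 10 matches host->10/8 and sets the core next hop explicitly,
    seq 20 matches host->any and sets the NAT firewall; the rest is routed normally."""
    if src == HOST and dst in CORP:
        return CORE_GW
    if src == HOST:
        return NAT_FW
    return routing_table(dst)

def forward(src, dst, variant="deny-acl"):
    """Next hop chosen for a src->dst packet under either PBR variant."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return pbr_deny_acl(src, dst) if variant == "deny-acl" else pbr_explicit(src, dst)

if __name__ == "__main__":
    for s, d in [("10.1.100.50", "10.20.0.9"), ("10.1.100.50", "203.0.113.10"),
                 ("10.1.100.60", "203.0.113.10")]:
        print(s, "->", d, forward(s, d), forward(s, d, "explicit"))
```

Both variants send the host's 10/8 traffic to the core and its internet traffic to the NAT firewall, while any other host on the VLAN keeps the old default route; that is the forwarding outcome the thread is after, so the ACL hit counters should show permits as soon as the host sends internet-bound traffic.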
