[nsp] policy-routing GRE tunnel packets

Luan Nguyen uulmnguyen at hotmail.com
Wed Aug 20 12:36:53 EDT 2003

Policy routing the tunnel packets should be very possible.  Do it like Steve 
suggested:  put the ip policy route-map local-policy - and use ip 
route-cache flow or ip route-cache policy for Enable fast-switching policy 
cache for outgoing packets.  cisco web does have a good article on policy 
base routing.
the place where i see policy base routing happens is when you have a VPN and 
  you need to policy route your spokes networks to the central firewall at 
the hub - while allowing spoke-hub communication just go through - then you 
need to put the policy base stuffs on the tunnel interfaces.  Since packets 
come in from outside the router and get encapsulated with GRE header - not 
really locally generated...maybe except for GRE keep alive.


>From: Alexander Bochmann <bochmann at FreiNet.de>
>To: cisco-nsp at puck.nether.net
>Subject: Re: [nsp] policy-routing GRE tunnel packets
>Date: Wed, 20 Aug 2003 15:55:26 +0200
>...on Tue, Aug 19, 2003 at 05:47:00PM +0200, Alexander Bochmann wrote:
>  > Theoretically, Tunnel1 packets should be subject to
>  > the local policy route-map and be sent out via fa0/1 -
>  > but, in policy routing debugging, nothing is showing
>  > up right now
>I've come to the conclusion that policy-routing the
>GRE encapsulated Tunnel packets is not possible.
>Obviously, the GRE encapsulation happens at some place
>in the system where policy-routing doesn't have any
>Other locally generated packets are policy-routed fine,
>that that it should work in principle - but not the
>GRE packets, although they have a source address that
>should be subject to policy-routing when leaving the
>So, there's probably no other way than host-routing
>the Tunnel destionations via the appropriate gateway,
>as some people suggested...
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>archive at http://puck.nether.net/pipermail/cisco-nsp/

<b>Get MSN 8</b> and help protect your children with advanced parental 
controls.  http://join.msn.com/?page=features/parental

More information about the cisco-nsp mailing list