
Policy-Based Routing on IOS-XE Causes GRE Tunnel to drop

June 25th, 2018

I wanted to use PBR on our DMVPN tunnels to set the next-hop address to a Layer 3 switch on the LAN. We set it up and it seemed to work fine. Then it was noticed that if a site went down even briefly and the tunnel dropped, the tunnel would never re-establish itself (the tunnel interface remained line up/protocol down). We recreated the problem in our lab and it consistently failed. We moved the tunnel to an IOS router and that wasn’t affected.

It was eventually revealed that apparently, PBR is handled differently in IOS-XE and IOS routers.

The problem occurs when a route-map attached to an interface has only a “set” operation and no “match” (when no match is specified there is an implicit “match any any”), or when a match “any any” is used.

What we had to do is create an ACL matching the remote LAN (and ensuring that we excluded the tunnel and loopback interfaces). In other words, you need to match the remote LAN or LANs. Thankfully you can summarize – you don’t need to match the LANs exactly.

A picture will more easily explain this so here is what I mean:
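
The two route-map patterns described above, side by side, as an added configuration sketch that is not the author's own configuration. All names and addresses are constructed, and it assumes the policy is applied inbound on the tunnel interface with the remote LAN as the packet source.

```cisco
! Constructed addressing (assumptions, not from the post):
!   remote LANs, summarized   10.20.0.0/16
!   DMVPN tunnel subnet       172.16.0.0/24
!   router loopbacks          192.168.255.0/24
!   LAN Layer 3 switch        10.10.0.2
!
! Pattern the post reports as preventing the tunnel from re-establishing
! on IOS-XE: a "set" with no "match" (implicit match any any).
route-map PBR-NO-MATCH permit 10
 set ip next-hop 10.10.0.2
!
! Pattern the post describes as the fix: match only the remote LANs.
! The deny lines make the tunnel and loopback exclusion explicit; a
! packet hitting a deny is not policy-routed and follows the normal
! routing table.
ip access-list extended PBR-REMOTE-LANS
 deny   ip 172.16.0.0 0.0.0.255 any
 deny   ip 192.168.255.0 0.0.0.255 any
 permit ip 10.20.0.0 0.0.255.255 any
!
route-map PBR-TO-L3-SWITCH permit 10
 match ip address PBR-REMOTE-LANS
 set ip next-hop 10.10.0.2
!
interface Tunnel0
 ip policy route-map PBR-TO-L3-SWITCH
```

`show route-map` and `show ip policy` confirm which route-map is attached and whether the match clause is counting packets.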
