{"id":2237,"date":"2018-06-25T12:39:08","date_gmt":"2018-06-25T11:39:08","guid":{"rendered":"http:\/\/darenmatthews.com\/blog\/?p=2237"},"modified":"2018-06-25T12:39:08","modified_gmt":"2018-06-25T11:39:08","slug":"policy-based-routing-on-ios-xe-causes-gre-tunnel-to-drop","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=2237","title":{"rendered":"Policy-Based Routing on IOS-XE Causes GRE Tunnel to drop"},"content":{"rendered":"<p>I wanted to use PBR on our DMVPN tunnels to set the next-hop address to a Layer 3 switch on the LAN.\u00a0 We set it up and it seemed to work fine.\u00a0 Then it was noticed that if a site went down even briefly and the tunnel dropped, the tunnel would never re-establish itself (the tunnel interface remained line up\/protocol down).\u00a0 We recreated the problem in our lab and it consistently failed.\u00a0 We moved the tunnel to an IOS router and that wasn\u2019t affected.<\/p>\n<p>It was eventually revealed that apparently, PBR is handled differently in IOS-XE and IOS routers.<\/p>\n<p>The problem occurs when a route-map is attached to an interface with only a \u201cset\u201d operation and no \u201cmatch\u201d (When there is no match specified there is an implicit \u201cmatch any any\u201d) OR when a match \u201cany any\u201d is used.\u00a0<!--more--><\/p>\n<p>What we had to do is create an ACL matching the remote LAN\u00a0 (and ensuring that we excluded the tunnel and loopback interfaces).\u00a0 In other words you need to match the remote LAN or LANs.\u00a0 Thankfully you can summarize \u2013 you don\u2019t need to match the LANs exactly.<\/p>\n<p>A picture will more easily explain this so here is what I mean:<\/p>\n<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-2239\" src=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2018\/06\/PBR.jpg\" alt=\"\" width=\"799\" height=\"661\" srcset=\"http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2018\/06\/PBR.jpg 799w, 
http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2018\/06\/PBR-300x248.jpg 300w, http:\/\/darenmatthews.com\/blog\/wp-content\/uploads\/2018\/06\/PBR-768x635.jpg 768w\" sizes=\"(max-width: 799px) 100vw, 799px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I wanted to use PBR on our DMVPN tunnels to set the next-hop address to a Layer 3 switch on the LAN.\u00a0 We set it up and it seemed to work fine.\u00a0 Then it was noticed that if a site went down even briefly and the tunnel dropped, the tunnel would never re-establish itself (The [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,27],"tags":[],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2237"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2237"}],"version-history":[{"count":1,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2237\/revisions"}],"predecessor-version":[{"id":2240,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2237\/revisions\/2240"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2237"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2237"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}