coincidentally, I opened up Doyle as part of my research into the question.
As I understand things, the ip local policy command and process is for packets that the router originates, such as routing protocol advertisements, hellos, pings, etc. As such, ip local policy is for traffic originated by the router itself, and outbound. OTOH, ip policy is for inbound traffic on an interface that (and here is the point of clarification required) is routed. My question is essentially: if the packet destination is on a directly connected network, does that mean it is not "routed" and therefore is not "policy routed" either? Does that make sense?

As a solution to my particular problem, I rewrote my nat list on the external router such that I referenced a route map:

! access-list 101 determines which source addresses are allowed onto the CCC network
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
! business partner extranet server
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 172.31.2.1
! shared e-mail services server
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
! other organization subnets that are forbidden
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
! shared internet access
!
! INSIDE_NET CCC, DPH, OR INTERNET
! used with nat pool construct
!
ip nat pool cccnat 172.31.10.25 172.31.10.250 netmask 255.255.255.0
ip nat inside source route-map CCC pool cccnat
!
route-map CCC permit 10
 match ip address 101
route-map CCC deny 20
! probably unnecessary

The neat thing about this construct is that only those packets with the appropriate source AND destination addresses get out onto the network, NAT or otherwise. Packets that are not NAT'ed can't be routed because there is no gateway of last resort on the edge/NAT routers, nor does policy routing on the central router permit anything other than packets with a source that was created by the NAT process.

Chuck

"Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> Check out page 819 of Doyle Vol 1. "ip local policy route-map"
> HTH
>
> > -----Original Message-----
> > From: Chuck [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, June 02, 2002 12:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: Policy routing - directly connected interfaces [7:45628]
> >
> > Continued policy routing testing of a customer network simulation in my lab
> > has revealed something of interest to me. Can't find a revelation in the
> > config and command references on CCO.
> >
> > I have a policy set up such that packets with a particular source address
> > and a particular destination address are treated in various manners.
> >
> > debug ip policy is showing me that the policy is doing exactly what I want
> > it to do EXCEPT when the destination address is a directly connected
> > network.
> >
> > That is, if the destination is a network on some other router, with a route
> > in the routing table, everything is fine. The next hop is set appropriately,
> > and the debug shows that policy is applied properly.
> >
> > However, when the destination is a directly connected network (either a
> > loopback or a LAN interface) policy routing is not engaged.
> >
> > True? Experience? Reference? As I said, can't find anything in the
> > documentation on CCO.
> >
> > Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45704&t=45628
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
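As an added illustration (not part of Chuck's post, and not Cisco code), the following Python model walks a packet through access-list 101 and route-map CCC from the configuration above. It implements the two IOS semantics that make that construct work: an extended ACL is evaluated top-down with first match wins and an implicit deny at the end, and a route-map permit sequence with `match ip address` only "matches" packets the ACL permits, so everything else falls through to `deny 20` (or to the route-map's own implicit deny, which is why that sequence is "probably unnecessary"). The sample packet addresses and the reordered ACL are constructed here to show why entry order matters: the host entry for 172.31.2.1 must precede the deny for 172.31.0.0/16 or the e-mail server becomes unreachable.

```python
"""Model of IOS extended-ACL and route-map matching for the NAT construct above.
Constructed example; addresses from the posted config plus made-up test hosts."""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple


class AclEntry(NamedTuple):
    action: str       # "permit" or "deny"
    src: str          # source network/host address
    src_wc: str       # IOS wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str
    comment: str = ""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base in every bit position where the wildcard bit is 0."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    w = int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF              # bits that must match exactly
    return (a & care) == (b & care)


def evaluate_acl(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, Optional[AclEntry]]:
    """Top-down, first match wins; no match hits the implicit deny every IOS ACL ends with."""
    for entry in acl:
        if wildcard_match(src, entry.src, entry.src_wc) and wildcard_match(dst, entry.dst, entry.dst_wc):
            return entry.action, entry
    return "deny", None


# access-list 101 exactly as posted; "host x" is wildcard 0.0.0.0, "any" is 255.255.255.255
ACL_101 = [
    AclEntry("permit", "192.168.1.0", "0.0.0.255", "10.1.1.1", "0.0.0.0", "business partner extranet server"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255", "172.31.2.1", "0.0.0.0", "shared e-mail services server"),
    AclEntry("deny", "192.168.1.0", "0.0.0.255", "172.31.0.0", "0.0.255.255", "other organization subnets"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", "shared internet access"),
]

# Constructed counter-example: same entries, but the /16 deny moved to the top.
ACL_101_REORDERED = [ACL_101[2], ACL_101[0], ACL_101[1], ACL_101[3]]


def route_map_ccc(src: str, dst: str, acl: List[AclEntry] = ACL_101) -> bool:
    """Model of 'route-map CCC': returns True if the packet is handed to NAT pool cccnat.

    Sequence 10 (permit, match ip address 101) matches only packets the ACL permits;
    a packet the ACL denies or does not match falls through to sequence 20 (deny).
    """
    action, _ = evaluate_acl(acl, src, dst)
    if action == "permit":
        return True       # route-map CCC permit 10 -> translated by pool cccnat
    return False          # route-map CCC deny 20 -> not translated; with no gateway of last resort, dropped


if __name__ == "__main__":
    for s, d in [("192.168.1.10", "10.1.1.1"), ("192.168.1.10", "172.31.2.1"),
                 ("192.168.1.10", "172.31.5.5"), ("192.168.1.10", "198.51.100.7"),
                 ("10.0.0.5", "198.51.100.7")]:
        act, hit = evaluate_acl(ACL_101, s, d)
        print(f"{s} -> {d}: {act} ({hit.comment if hit else 'implicit deny'}), NAT={route_map_ccc(s, d)}")
    print("reordered ACL, e-mail server:", route_map_ccc("192.168.1.10", "172.31.2.1", ACL_101_REORDERED))
```

Run it as a script to see each constructed packet's verdict and the matching entry's comment; the last line shows the reordered ACL silently denying the e-mail server, which is the kind of check worth doing before pasting a reordered list into a production NAT router.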