ACL with route map

Unanswered Question
Jun 23rd, 2010

I have a Catalyst 6509 with an ACL that includes a range of IPs, used with a route-map, and it works properly.

When we try to add more statements to this ACL covering another IP range, we have seen that the new IPs do not work correctly; then, on removing the ACL in order to restore the initial situation, another IP range not included in the ACL lost network connectivity.

The ACL with the route map defined is:

access-list 160 permit ip host
access-list 160 permit ip host
access-list 160 permit ip host
route-map mail-web permit 10
  match ip address 160
  set ip next-hop

and the interface to which you apply this policy is:

interface Vlan15
description CON_CPD
ip address
ip policy route-map mail-web
standby 1 ip
standby 1 priority 200
standby 1 preempt
standby 1 authentication d3n1a

But removing ACL 160, which only affects users on vlan 260 ( ), cut communication with the networks of the users in vlan 110: , , 172.22.243.0/24

The statements I've added to the ACL are:
access-list 160 permit ip host
access-list 160 permit ip host
access-list 160 permit ip host

Jerry Ye Wed, 06/23/2010 - 08:10

I am not sure, but what you are trying to add is wrong; it should be , which covers

Is that what you need?



sdurn Wed, 06/23/2010 - 08:30

Sorry, my mistake was in writing. The problem is that by removing the ACL, users of vlan 110 ( , , 172.22.243.0/24) lose network connectivity ...


Jerry Ye Wed, 06/23/2010 - 09:17

The normal behavior when removing statements in an ACL referenced by PBR is to match all packets, so all traffic is routed using PBR. Your route-map sequence is a permit, and the ACL is the match criterion. When you removed the ACL, there was no match criterion anymore, so all traffic is matched. This is the same behavior we would get by configuring the following:

route-map PBR permit 10
set ip next-hop

The above statement matches all traffic (by design).
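
The behavior described in the reply above, as an added example that is not part of the original thread: a toy model of IOS policy-based routing, covering an extended ACL matched on source address, one `route-map ... permit 10` sequence with `match ip address <acl>` and `set ip next-hop`, and the rule that a match clause referencing an ACL with no entries (or one that no longer exists) matches every packet. All addresses, the `192.0.2.x` hosts standing in for the listed vlan 260 devices, the `172.20.247.20` newcomer, the `172.22.243.50` vlan 110 user, and the two next hops, are constructed placeholders, not the poster's network. Function and class names are my own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed placeholder next hops (RFC 5737 ranges); not the poster's network.
FIREWALL_NEXT_HOP = "198.51.100.1"   # where the route-map sends matched traffic
NORMAL_NEXT_HOP = "203.0.113.1"      # what the routing table would pick otherwise


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: IPv4Network     # source prefix; `host a.b.c.d` is a /32


@dataclass
class RouteMapSeq:
    action: str                # "permit" or "deny"
    match_acl: Optional[str]   # ACL number/name, or None for no match clause
    next_hop: Optional[str]    # `set ip next-hop`, or None


class Router:
    """Minimal model of `ip policy route-map` on an ingress interface."""

    def __init__(self, acls, route_map):
        self.acls = acls            # {acl name: [AclEntry, ...]}
        self.route_map = route_map  # sequences in order

    def acl_matches(self, acl_name: str, src: IPv4Address) -> bool:
        entries = self.acls.get(acl_name)
        if not entries:
            # The IOS behaviour the thread hinges on: a match clause that refers
            # to an ACL with no entries (or none at all) matches every packet.
            return True
        for entry in entries:
            if src in entry.src:
                return entry.action == "permit"
        return False  # implicit deny at the end of every ACL

    def next_hop_for(self, src: str) -> str:
        addr = IPv4Address(src)
        for seq in self.route_map:
            matched = seq.match_acl is None or self.acl_matches(seq.match_acl, addr)
            if not matched:
                continue
            if seq.action == "permit" and seq.next_hop:
                return seq.next_hop
            break  # deny sequence or no set clause: route normally
        return NORMAL_NEXT_HOP


def host(ip: str) -> AclEntry:
    """Equivalent of `access-list N permit ip host <ip> any`."""
    return AclEntry("permit", IPv4Network(f"{ip}/32"))


def build_router(acl_present: bool = True, extra_hosts=()) -> Router:
    """The thread's setup: ACL 160 feeds `route-map mail-web permit 10`."""
    acl160 = [host("192.0.2.10"), host("192.0.2.11"), host("192.0.2.12")]
    acl160 += [host(ip) for ip in extra_hosts]
    acls = {"160": acl160} if acl_present else {}
    return Router(acls, [RouteMapSeq("permit", "160", FIREWALL_NEXT_HOP)])


def scenario() -> dict:
    """Next hop seen by a listed host, a vlan 110 user and a newly added host."""
    listed, user, newcomer = "192.0.2.10", "172.22.243.50", "172.20.247.20"
    before = build_router()
    added = build_router(extra_hosts=[newcomer])
    removed = build_router(acl_present=False)
    return {
        "listed_host_with_acl": before.next_hop_for(listed),
        "vlan110_user_with_acl": before.next_hop_for(user),
        "new_host_before_adding": before.next_hop_for(newcomer),
        "new_host_after_adding": added.next_hop_for(newcomer),
        "vlan110_user_after_acl_removed": removed.next_hop_for(user),
    }


if __name__ == "__main__":
    for name, hop in scenario().items():
        print(f"{name:32} -> {hop}")
```

Running it shows the vlan 110 user keeping the normal next hop while ACL 160 is populated, and being pushed to the firewall next hop as soon as the ACL is gone, which is the loss of Internet access the thread reports. One practical caveat when editing this on a real box: on classic IOS a numbered ACL cannot have a single line removed with `no access-list 160 ...`, that command deletes the whole list and puts you straight into the match-all state above; edit it in named mode (`ip access-list extended 160`) or remove the `ip policy route-map` from the interface first.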



sdurn Thu, 06/24/2010 - 04:07

The problem is that I have seen that from another range ( ) I had network connectivity ... so then, it does not match all traffic?

Jerry Ye Thu, 06/24/2010 - 06:21

Without seeing your other routing configuration and topology, I can't comment on why has network connectivity.

If you can supply more info, I would be happy to help.



Jerry Ye Thu, 06/24/2010 - 15:57

What address are you sourcing the traffic from and what address you are trying to get to when after you'd removed the ACL?

sdurn Fri, 06/25/2010 - 04:11


I am connected to the network, and this traffic, when the destination is , must go through instead of . When I remove the ACL I can access the Internet (via ).

Users of vlan 110 ( , , ): when I delete the ACL, they cannot go outside (Internet browsing), e.g.:

I think that this behavior does not make sense, does it?


Jerry Ye Fri, 06/25/2010 - 06:50

This is what I am seeing based on your routing table, assuming there is only one PBR configured.

When the ACL doesn't exist, traffic from going to -> -> ->

based on

S [1/0] via

route-map mail-web permit 10
  match ip address 160 <- assuming empty ACL

  set ip next-hop

When Vlan110 going to

Vl110 ->

based on

S [1/0] via

C is directly connected, Vlan20

I am only seeing the traffic going through the 6500 but not the return traffic, so I cannot determine whether there is any asymmetric routing issue.



sdurn Mon, 06/28/2010 - 02:51


I don't understand the first explanation:

When the ACL doesn't exist, traffic from going to -> -> ->
based on

S [1/0] via

ACL 260 was created to prevent asymmetric routing: without the ACL, the requests do not pass through the firewall but the replies do, which is why we created this ACL, so that access to the voice servers passes through the firewall.
(When the ACL doesn't exist, traffic to must go through ; when the ACL exists and the traffic matches this ACL, the next hop changes to .)

Now we needed to include another range of IPs that also access the voice server; this new range is in 172.20.247.x, and it was when adding the new lines that these new IPs could not access the voice server, so on removing the ACL the whole range of vlan 110 IPs lost Internet connectivity.

By removing ACL 160, which only affects devices from vlan 260 ( ), communication was cut off for the vlan 110 network but not for the network.

