u1kumar2002 Sat, 08/14/2010 - 00:24
An ACL is used for filtering traffic based on configured parameters. But it is a single statement: if there is a match, the traffic is permitted or denied. You get more flexibility in route-maps. You can use the ACL as a match statement in a route-map and at the same time set some attributes which get attached to that prefix, and it will be advertised in the WAN with the same to achieve some routing requirement.

As per my understanding, a route-map gives me full flexibility to route my traffic from where I want (interface, attached attribute, etc.). It is a kind of programming, as I see it: for this match, do this...

Route-maps are used in redistribution, BGP neighborship, etc.

For more detailed information visit: http://startnetworks.blogspot.com/2010/08/cisco-acl-and-route-map.html

Hope this information will help you.



raymk1973 Fri, 05/24/2013 - 06:34

I am currently experiencing an issue with a route-map.

I believe the route-map is configured correctly, but the route-map does not appear to be matching the ACL.

GigabitEthernet0/0 is up, line protocol is up

  Internet address is

interface GigabitEthernet0/0

ip address

ip route-cache flow

ip policy route-map EXC-DAG

route-map assigned to interface

show ip int gi0/0

Policy routing is enabled, using route map EXC-DAG

route-map EXC-DAG, permit, sequence 20

  Match clauses:

    ip address (access-lists): 150

  Set clauses:

    ip next-hop

  Policy routing matches: 0 packets, 0 bytes

Policy routing is enabled, using route map EXC-DAG

access-list 150 permit ip

show access-list 150

10 permit ip log (3 matches)

show route-map

route-map EXC-DAG, permit, sequence 20

  Match clauses:

    ip address (access-lists): 150

  Set clauses:

    ip next-hop

  Policy routing matches: 0 packets, 0 bytes <<<<

I don't think I am missing anything from the configuration.

Any ideas?

Thanks in advance.

paul driver Fri, 05/24/2013 - 06:54


You can policy route via the data plane (that is, traffic traversing your router) or the control plane (traffic originating from the router) by specifying ACLs, protocol types and port numbers.

For data plane PBR you specify the policy on the interface the traffic is traversing from -

int xx

ip policy route-map TST

For control plane PBR you specify the policy globally on the router the traffic originates from -

conf t

ip local policy route-map TST

In your policy you are using ACL 150 to specify traffic originating from interface gig0/0 between to be routed out of the next hop interface of -

Is this what you want to happen?

Also, you have no resiliency set in place, so if the next hop interface is unreachable your present policy will still try to forward traffic based on the match statements and start ARPing for the next hop address.

Apply "set ip next-hop verify-availability" in the policy; this way the router will do a CDP lookup for the next-hop address before policy routing, and if it is not found it will instead route normally.



Please don't forget to rate any posts that have been helpful.


Sindhu_kumar Fri, 05/24/2013 - 07:03

Can you disable CEF and check?


Also, in the ACL you have used the log keyword; can you remove that and check?

show access-list 150

10 permit ip log

Do not use the "log" keyword on ACLs when using PBR. Here is a note from Cisco:

"The log keyword should not be used with this command in policy-based routing (PBR) because logging is not supported at the interrupt level for ACLs."

Richard Burts Fri, 05/24/2013 - 11:52

I believe that there is a simple logic problem here that is causing PBR to not work as desired.

First, notice the subnet configured on the interface where PBR is configured:

interface GigabitEthernet0/0

ip address

Then notice the source address specified in the ACL used with PBR:

access-list 150 permit ip

So my question is whether is really connected through interface Gig0/0? That is the only way that PBR configured like this will work.
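Pulling the three replies together (interface-applied vs. local PBR, no "log" on the PBR ACL, and next-hop verification), here is an added configuration example; it is not the original poster's config, and the addresses are constructed placeholders from documentation ranges.

```ios
! Added example, not the poster's running config. Addresses are placeholders.
!
! ACL for PBR: plain permit entry, no "log" keyword. Logging is not supported
! at interrupt level for ACLs used by PBR, so "log" can leave the match
! counters at 0 even though "show access-list" shows hits.
access-list 150 permit ip 192.0.2.0 0.0.0.255 any
!
! Route-map: match the ACL and verify the next hop before policy routing.
! "set ip next-hop verify-availability" makes the router confirm the next
! hop via CDP first; if it is not found, packets fall back to normal
! destination-based routing instead of being held while the router ARPs
! for an unreachable address.
route-map EXC-DAG permit 20
 match ip address 150
 set ip next-hop 198.51.100.1
 set ip next-hop verify-availability
!
! Data-plane PBR: apply the policy on the interface the matched traffic
! arrives on. The ACL source (192.0.2.0/24) is the subnet of this
! interface, so the sources in the ACL really are reached through it.
interface GigabitEthernet0/0
 ip address 192.0.2.254 255.255.255.0
 ip policy route-map EXC-DAG
!
! Control-plane PBR (optional): only needed if traffic generated by the
! router itself should also follow the policy; applied globally, not
! on an interface.
ip local policy route-map EXC-DAG
!
! Verification: the match counters should now increase with transit traffic.
! show ip policy
! show route-map EXC-DAG
```

If the counters stay at 0 after this, check whether the hosts in the ACL actually send through that interface, as the reply above asks; PBR on an interface only sees traffic entering that interface.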



raymk1973 Tue, 05/28/2013 - 04:05


And thanks for the speedy responses; your input has been very helpful.

I have since been able to get it to work this morning.

The device connected on this interface Gi0/0 is a firewall that had a missing routing entry.

added the following static route   use   UG

route-map EXC-DAG, permit, sequence 20

  Match clauses:

    ip address (access-lists): 150

  Set clauses:

    ip next-hop

  Policy routing matches: 3075964 packets, 555386572 bytes

Thanks to you all for your input, appreciated.

raymk1973 Tue, 05/28/2013 - 04:06


Can't seem to rate your post. Shame, as it was very informative!



