
ACL with route map

sdurn
Level 1

I have a Catalyst 6509 with an ACL that includes a range of IPs with a route-map that works properly.

When we try to add more statements to this ACL including another IP range, we have seen that the new IPs do not work correctly; then, removing the ACL in order to restore the initial situation, another IP range not included in the ACL lost network connection.

The ACL with the route map defined is:

access-list 160 permit ip 10.192.130.160 0.0.0.31 host 10.81.39.180
access-list 160 permit ip 10.192.130.160 0.0.0.31 host 10.81.39.182
access-list 160 permit ip 10.192.130.160 0.0.0.31 host 10.81.39.181
route-map mail-web permit 10
  match ip address 160
  set ip next-hop 10.192.130.196

and the interface to which you apply this policy is:

interface Vlan15
description CON_CPD
ip address 10.192.130.138 255.255.255.248
ip policy route-map mail-web
standby 1 ip 10.192.130.137
standby 1 priority 200
standby 1 preempt
standby 1 authentication d3n1a

But eliminating the ACL 160, which only affects users on vlan 260 (10.192.130.160/27), cuts communication with the networks of users in vlan 110: 172.22.248.0/23, 172.22.247.0/24, 172.22.243.0/24

The sentences I've added to the ACL are:
access-list 160 permit ip 172.22.247.17 0.0.0.7 host 10.81.39.180
access-list 160 permit ip 172.22.247.17 0.0.0.7 host 10.81.39.181
access-list 160 permit ip 172.22.247.17 0.0.0.7 host 10.81.39.182

10 Replies

Jerry Ye
Cisco Employee

I am not sure what you are trying to add.

172.22.247.17 0.0.0.7 is wrong, it should be 172.22.247.16 0.0.0.7, which covers 172.22.247.16-31.

Is that what you need?

Regards,

jerry

Sorry, my mistake was in writing. The problem is that by removing the ACL, users of the vlan 110 (172.22.248.0/23, 172.22.247.0/24, 172.22.243.0/24) lose network connection ...

thanks!

The normal behavior when removing statements in an ACL referenced by PBR is to match all packets, so all traffic is routed using PBR. Your route-map sequence is a permit, and the ACL is the match criteria. When you removed the ACL, there is no match criteria anymore, so all traffic is matched. This is the same behavior we would get configuring the following:

!
route-map PBR permit 10
set ip next-hop 1.1.1.1
!

The above statement matches all traffic (by design).

HTH,

jerry
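The two points Jerry makes above (the wildcard in 172.22.247.17 0.0.0.7 does not line up with the address, and a route-map sequence whose match ACL no longer exists matches every packet) can be modelled in a few lines. The following Python is an added example written for this thread, not code from the original post or from Cisco; it parses the access-list lines quoted in the question, reports entries whose address has bits set under the wildcard (IOS stores such an entry with those bits cleared), and evaluates the route-map the way Jerry describes, so that deleting the ACL turns the PBR into a match-all. The source addresses 10.192.130.170 and 172.22.248.5 and the destination 203.0.113.10 are constructed test values.

```python
"""Model of a Cisco-style ACL used as a PBR match criterion (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def wildcard_to_network(addr: str, wildcard: str):
    """Turn an IOS address/wildcard pair into a network.

    Returns (network, canonical). canonical is False when the address has bits
    set under the wildcard, e.g. 172.22.247.17 0.0.0.7 is stored as 172.22.247.16/29."""
    a, w = int(IPv4Address(addr)), int(IPv4Address(wildcard))
    if (w + 1) & w:                      # only contiguous low-order wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = a & ~w & 0xFFFFFFFF
    return IPv4Network((base, 32 - w.bit_length())), base == a


def _parse_spec(t, i):
    """Parse one source/destination spec ('host X', 'any', or 'X WILDCARD') at token index i."""
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), True, i + 2
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), True, i + 1
    net, canonical = wildcard_to_network(t[i], t[i + 1])
    return net, canonical, i + 2


def parse_acls(config: str):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [AclEntry]}.
    Also returns warnings for entries written with host bits set under the wildcard."""
    acls, warnings = {}, []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, src_ok, i = _parse_spec(t, 4)
        dst, dst_ok, _ = _parse_spec(t, i)
        if not (src_ok and dst_ok):
            warnings.append(f"{line.strip()} -> stored as {src} to {dst}")
        acls.setdefault(int(t[1]), []).append(AclEntry(t[2], src, dst))
    return acls, warnings


def acl_permits(entries, src: str, dst: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str                  # "permit" or "deny"
    match_acl: Optional[int]     # number from 'match ip address N'; None if no match clause
    next_hop: Optional[str]      # address from 'set ip next-hop'


def policy_next_hop(seqs, acls, src: str, dst: str) -> Optional[str]:
    """Return the PBR next hop for a packet, or None for normal routing.

    Reproduces the behaviour Jerry describes: a sequence whose match clause refers
    to an ACL that does not exist (or is empty) has no match criterion, so it
    matches every packet."""
    for seq in seqs:
        entries = acls.get(seq.match_acl, []) if seq.match_acl is not None else []
        matched = True if not entries else acl_permits(entries, src, dst)
        if matched:
            return seq.next_hop if seq.action == "permit" else None
    return None


# Configuration quoted in the question plus the three lines sdurn added (copied from the thread).
ACL_CONFIG = """
access-list 160 permit ip 10.192.130.160 0.0.0.31 host 10.81.39.180
access-list 160 permit ip 10.192.130.160 0.0.0.31 host 10.81.39.182
access-list 160 permit ip 10.192.130.160 0.0.0.31 host 10.81.39.181
access-list 160 permit ip 172.22.247.17 0.0.0.7 host 10.81.39.180
access-list 160 permit ip 172.22.247.17 0.0.0.7 host 10.81.39.181
access-list 160 permit ip 172.22.247.17 0.0.0.7 host 10.81.39.182
"""
MAIL_WEB = [RouteMapSeq("permit", 160, "10.192.130.196")]   # route-map mail-web permit 10


def demo():
    """ACL present: only the /27 to the voice hosts is policy-routed. ACL deleted: everything is."""
    acls, warnings = parse_acls(ACL_CONFIG)
    with_acl = policy_next_hop(MAIL_WEB, acls, "10.192.130.170", "10.81.39.180")   # constructed src
    internet = policy_next_hop(MAIL_WEB, acls, "10.192.130.170", "203.0.113.10")   # constructed dst
    acl_removed = policy_next_hop(MAIL_WEB, {}, "172.22.248.5", "203.0.113.10")    # 'no access-list 160'
    return with_acl, internet, acl_removed, warnings


if __name__ == "__main__":
    print(demo())
```

The warnings list is the check worth running before pasting new lines into a live ACL: an entry whose address does not sit on the wildcard boundary is silently normalised by the device, so what ends up in the running configuration is not what was typed.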

The problem is that I have seen that from another range (10.192.130.160/27) I had network connectivity ... then, no matches all traffic?

Without seeing your other routing configuration and topology, I can't comment on why 10.192.130.160/27 has network connectivity.

If you can supply more info, I would be happy to help.

Regards,

jerry

hello,
thanks for your time and help, I attach the show ip route of the device.

What address are you sourcing the traffic from, and what address are you trying to get to, after you've removed the ACL?

Hi,

I am connected to the network 10.192.130.160/27, and this traffic, when the destination is 10.81.39.180-181-182, must go through 10.192.130.160 instead of 10.192.130.140. When I remove the ACL I can access the Internet (via 10.192.130.194)

users of the vlan 110: 172.22.247.0/24, 172.22.243.0/24, 172.22.248.0/24, when I delete the ACL, cannot go outside (Internet browsing), e.g. 10.192.130.194

I think that this behavior does not make sense?

regards!

This is what I am seeing based on your routing table and assuming there is only one PBR configured.

When the ACL doesn't exist, traffic from 10.192.130.160/27 going to 10.81.39.180-181-182

10.192.130.160 ->10.192.130.136(Vlan15) -> 10.192.130.196 ->

based on

S       10.192.130.160/27 [1/0] via 10.192.130.136

route-map mail-web permit 10
  match ip address 160 <- assuming empty ACL
  set ip next-hop 10.192.130.196

When Vlan110 going to 10.81.39.180-181-182

Vl110 ->10.192.12.137(Vlan20)

based on

S       10.81.39.0/24 [1/0] via 10.192.12.137

C       10.192.12.128/28 is directly connected, Vlan20

I am only seeing traffic going through the 6500 but not the return traffic, so I cannot determine whether there is any asymmetric routing issue.

Regards,

jerry
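Jerry's trace above is a forwarding decision in two stages: the policy on the ingress interface is consulted first, and only packets it does not claim fall through to a longest-prefix lookup in the routing table. The following Python is an added example, not code from the thread or from Cisco. It loads the routes Jerry quotes plus the Vlan15 subnet from the question into a small RIB and replays his two flows with the ACL present and with it deleted. Assumptions: a default route via 10.192.130.194 (inferred from sdurn's remark that the Internet is reached via that address; it is not among the quoted routes), no policy on Vlan110, and constructed hosts 10.192.130.170, 172.22.248.5 and 203.0.113.10.

```python
"""Forwarding decision: PBR on the ingress interface first, then longest-prefix match in the RIB.
Added example, not code from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str      # next-hop address, or the connected interface name
    code: str     # "S" static, "C" connected, as in 'show ip route'


# Routes quoted in Jerry's post, the Vlan15 subnet from the question, and an ASSUMED
# default route via 10.192.130.194 (the full 'show ip route' attached to the thread is not on the page).
RIB = [
    Route(IPv4Network("10.192.130.160/27"), "10.192.130.136", "S"),
    Route(IPv4Network("10.81.39.0/24"), "10.192.12.137", "S"),
    Route(IPv4Network("10.192.12.128/28"), "Vlan20", "C"),
    Route(IPv4Network("10.192.130.136/29"), "Vlan15", "C"),
    Route(IPv4Network("0.0.0.0/0"), "10.192.130.194", "S"),   # assumption, see lead-in
]


def rib_lookup(dst: str, rib=RIB) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = IPv4Address(dst)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# A policy maps (src, dst) to a next hop, or None to fall back to normal routing.
Policy = Callable[[str, str], Optional[str]]


def forwarding_decision(ingress: str, src: str, dst: str,
                        pbr: Dict[str, Policy], rib=RIB) -> Tuple[str, Optional[str]]:
    """'ip policy route-map' on the ingress interface is consulted before the RIB."""
    policy = pbr.get(ingress)
    if policy is not None:
        hop = policy(src, dst)
        if hop is not None:
            return ("policy", hop)
    route = rib_lookup(dst, rib)
    return ("rib", route.via) if route else ("drop", None)


# The two PBR states for Vlan15: ACL 160 present (only the /27 to the three voice hosts is
# policy-routed) and ACL 160 deleted (no match criterion left, so every packet matches).
VOICE_HOSTS = {"10.81.39.180", "10.81.39.181", "10.81.39.182"}


def pbr_with_acl(src: str, dst: str) -> Optional[str]:
    if IPv4Address(src) in IPv4Network("10.192.130.160/27") and dst in VOICE_HOSTS:
        return "10.192.130.196"
    return None


def pbr_acl_deleted(src: str, dst: str) -> Optional[str]:
    return "10.192.130.196"


def trace(acl_present: bool) -> Dict[str, Tuple[str, Optional[str]]]:
    """Jerry's two flows plus an Internet-bound flow, under each PBR state (Vlan110 has no policy)."""
    pbr = {"Vlan15": pbr_with_acl if acl_present else pbr_acl_deleted}
    return {
        "vlan15_to_voice": forwarding_decision("Vlan15", "10.192.130.170", "10.81.39.180", pbr),
        "vlan15_to_internet": forwarding_decision("Vlan15", "10.192.130.170", "203.0.113.10", pbr),
        "vlan110_to_voice": forwarding_decision("Vlan110", "172.22.248.5", "10.81.39.180", pbr),
    }


if __name__ == "__main__":
    for state in (True, False):
        print("ACL present" if state else "ACL deleted", trace(state))
```

With the ACL present, Internet-bound traffic entering Vlan15 follows the RIB; with it deleted, the same traffic is handed to 10.192.130.196 regardless of destination, which is the fail-open Jerry describes. The model only covers packets entering Vlan15; it cannot show why vlan 110 loses connectivity, which is exactly the return-path question Jerry leaves open.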

Hi!

I don't understand the first explanation:

When the ACL doesn't exist, traffic from 10.192.130.160/27 going to 10.81.39.180-181-182

10.192.130.160 ->10.192.130.136(Vlan15) -> 10.192.130.196 ->
based on

S       10.192.130.160/27 [1/0] via 10.192.130.136
The ACL 260 was created to prevent asymmetric routing: without the ACL, the requests do not pass through the firewall but the answers do, which is why we created this ACL, so that access to the voice servers passes through the firewall.
(When the ACL doesn't exist, traffic to 10.81.39.0/24 must go through 10.192.12.137; when the ACL exists and the traffic matches this ACL, the next-hop changes to 10.192.130.196)

Now we needed to include another range of IPs that also access the voice server; this new range is in 172.20.247.x, and it was when adding the new lines that these new IPs could not access the voice server, so, eliminating the ACL, the whole range of IPs in vlan 110 lost Internet connection.

By eliminating the ACL 160, which only affects devices from the vlan 260 (10.192.130.160/27), communication was cut off for the vlan 110 network but not for the 10.192.130.160/27 network.
