https://community.cisco.com/t5/network-security/policy-based-routing-q/m-p/1788186#M922351 <HTML><HEAD></HEAD><BODY><P> In the Policy based Routing , i would like to know , what packets are denied by the access list " Deny ip any any " statement ? ; pls help me&nbsp; and when i implement this the access list is blocking some lan to lan packets why ?</P><P></P><P></P><P>ip access-list extended SECONDARY_TRAFFIC<BR /> permit tcp any host 172.255.55.89 eq 3333<BR /> permit udp any host 172.255.55.89 eq 3333<BR /> deny&nbsp;&nbsp; ip any any log</P><P></P><P>route-map LINK_2 permit 10<BR /> match ip address SECONDARY_TRAFFIC<BR /> set interface Tunnel901<BR />!<BR />interface GigabitEthernet0/0<BR /> description&nbsp; LAN INTERFACE<BR /> ip address 172.7.1.10 255.255.255.0<BR /> ip policy route-map LINK_2<BR /> duplex auto<BR /> speed auto</P></BODY></HTML> Mon, 12 Sep 2011 12:50:32 GMT dpugalendi.d 2011-09-12T12:50:32Z https://community.cisco.com/t5/network-security/policy-based-routing-q/m-p/1788185#M922350 <P></P><P>&nbsp;</P><P></P><P><BR /><BR /></P><TABLE border="0" cellpadding="0" cellspacing="0" style="WIDTH: 474px; BORDER-COLLAPSE: collapse"><TBODY></TBODY></TABLE><P>&lt;TR style="HEIGHT: 15.6pt" <U>mce</U>style="height: 15.6pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 15.6pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 15.6pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>ip access-list extended SECONDARY_TRAFFIC</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 15.6pt" <U>mce</U>style="height: 15.6pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 15.6pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 15.6pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>&nbsp;permit tcp any host 172.255.5.89 eq 3128</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 15.6pt" <U>mce</U>style="height: 15.6pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 15.6pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 15.6pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>&nbsp;permit udp any host 172.255.5.89 eq 3128</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 14.4pt" <U>mce</U>style="height: 14.4pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 14.4pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 14.4pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>&nbsp;deny&nbsp;&nbsp; ip any any log</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 14.4pt" <U>mce</U>style="height: 14.4pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 14.4pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 14.4pt; padding-top: 0cm;"&gt;&lt;/TD&gt;&lt;/TR&gt;</P><P>&lt;TR style="HEIGHT: 16.45pt" <U>mce</U>style="height: 16.45pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 16.45pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 16.45pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>route-map LINK_2 permit 10</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 21pt" <U>mce</U>style="height: 21pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 21pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 21pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>&nbsp;match ip address SECONDARY_TRAFFIC</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 15.6pt" <U>mce</U>style="height: 15.6pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 15.6pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 15.6pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>&nbsp;set interface Tunnel901</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 16.2pt" <U>mce</U>style="height: 16.2pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 16.2pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 16.2pt; padding-top: 0cm;"&gt;</P><P></P><P>!</P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 16.2pt" <U>mce</U>style="height: 16.2pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 16.2pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 16.2pt; padding-top: 0cm;"&gt;</P><P></P><P>interface GigabitEthernet0/0</P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 16.2pt" <U>mce</U>style="height: 16.2pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 16.2pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 16.2pt; padding-top: 0cm;"&gt;</P><P></P><P>&nbsp;description&nbsp;&nbsp; LAN INTERFACE</P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 14.4pt" <U>mce</U>style="height: 14.4pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 14.4pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 14.4pt; padding-top: 0cm;"&gt;</P><P></P><P>&nbsp;ip address 172.17.77.10 255.255.255.0</P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 16.2pt" <U>mce</U>style="height: 16.2pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 16.2pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 16.2pt; padding-top: 0cm;"&gt;</P><P></P><P><STRONG>&nbsp;ip policy route-map LINK_2</STRONG></P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 16.2pt" <U>mce</U>style="height: 16.2pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 16.2pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 16.2pt; padding-top: 0cm;"&gt;</P><P></P><P>&nbsp;duplex auto</P><P></P><TABLE></TABLE><P>&lt;TR style="HEIGHT: 14.4pt" <U>mce</U>style="height: 14.4pt;"&gt;</P><P>&lt;TD style="PADDING-BOTTOM: 0cm; PADDING-LEFT: 5.4pt; WIDTH: 284.1pt; PADDING-RIGHT: 5.4pt; HEIGHT: 14.4pt; PADDING-TOP: 0cm" vAlign=bottom width=474 noWrap <U>mce</U>style="padding-bottom: 0cm; padding-left: 5.4pt; width: 284.1pt; padding-right: 5.4pt; height: 14.4pt; padding-top: 0cm;"&gt;</P><P></P><P>&nbsp;speed auto</P><P></P><TABLE></TABLE><P><BR /></P><P></P><P>&lt;BR <U>moz</U>dirty type="_moz"&gt;&nbsp;<BR /><BR /><BR /></P><P></P><P>In the Policy based Routing , i would like to know , what packets are denied by the access list " Deny ip any any " statement ? ; pls help me</P><P></P><P></P> Fri, 21 Feb 2020 12:27:20 GMT https://community.cisco.com/t5/network-security/policy-based-routing-q/m-p/1788185#M922350 dpugalendi.d 2020-02-21T12:27:20Z https://community.cisco.com/t5/network-security/policy-based-routing-q/m-p/1788186#M922351 <HTML><HEAD></HEAD><BODY><P> In the Policy based Routing , i would like to know , what packets are denied by the access list " Deny ip any any " statement ? ; pls help me&nbsp; and when i implement this the access list is blocking some lan to lan packets why ?</P><P></P><P></P><P>ip access-list extended SECONDARY_TRAFFIC<BR /> permit tcp any host 172.255.55.89 eq 3333<BR /> permit udp any host 172.255.55.89 eq 3333<BR /> deny&nbsp;&nbsp; ip any any log</P><P></P><P>route-map LINK_2 permit 10<BR /> match ip address SECONDARY_TRAFFIC<BR /> set interface Tunnel901<BR />!<BR />interface GigabitEthernet0/0<BR /> description&nbsp; LAN INTERFACE<BR /> ip address 172.7.1.10 255.255.255.0<BR /> ip policy route-map LINK_2<BR /> duplex auto<BR /> speed auto</P></BODY></HTML> Mon, 12 Sep 2011 12:50:32 GMT https://community.cisco.com/t5/network-security/policy-based-routing-q/m-p/1788186#M922351 dpugalendi.d 2011-09-12T12:50:32Z https://community.cisco.com/t5/network-security/policy-based-routing-q/m-p/1788187#M922352 <HTML><HEAD></HEAD><BODY><P> The access list is pretty straight forward. It permits traffic to host 172.255.55.89 for port 3333 (both TCP and UDP) and it denies all other traffic.</P><P></P><P>Perhaps that sounds alarming - that only traffic that is port 3333 to host 172.255.55.89 is permitted and all other is denied. But bear in mind that the access list is not filtering traffic on the interface (as we tend to expect of access lists). In this case the access list is selecting traffic for Policy Based Routing. So it is saying that only port 3333 to host 172.255.55.89 will be subject to PBR. All other traffic should be forwarded normally.</P><P></P><P>I am not clear why implementing this access list is blocking some lan to lan traffic. Perhaps you can supply some additional information that would help us to identify the problem.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Tue, 13 Sep 2011 18:03:22 GMT https://community.cisco.com/t5/network-security/policy-based-routing-q/m-p/1788187#M922352 Richard Burts 2011-09-13T18:03:22Z