4179 Views · 0 Helpful · 10 Replies

Applying policy route-map and access-group to interface

JohnNetEng (Level 1)

Is it possible to apply both of the following commands to a single interface on an ISR router, and if so, is there a particular order in which they would be evaluated?

`ip policy route-map Rm_out`

`ip access-group Xlist out`

This is assuming we have a route-map named "Rm_out" and an access-list named "Xlist".

John

10 Replies

Julio E. Moisa (VIP Alumni)

Hi John

Yes, you can implement both on the same interface. Will they be used for any task? If it is for filtering, I suggest an ACL.

```
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group Xlist out
 ip policy route-map Rm_out
```

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi, thanks - they'll be used for different tasks. The "ip policy route-map" will be used for policy-based routing for inbound traffic, and the access-group would be used to stop certain traffic (e.g. from a loopback interface on the router itself) from leaving that interface.

Do you know if the "access-group" interface command is evaluated before the "ip policy route-map" interface command?

John

In the inbound direction the ACL is evaluated before the policy routing.

You should also be aware that, as far as I know, you cannot use an ACL to filter traffic sourced by the router itself, i.e. the ACLs filter traffic going through the router only.

Jon

At present, we're using policy-based routing to send Internet traffic for a particular host to a different gateway. That's working fine.

What I'd like to do is set up IP SLA with tracking, using a loopback interface on the same router A to ping the interface on router B at a site in our network. If the favored path to router B goes down, I'm looking to have router A send traffic to that site out a VPN connection on our firewall. I was intending on using the access-list on router A to block traffic sourced from its loopback interface from going out the firewall, thereby keeping the VPN connection up until the internal path was back up.

So is it true that the outbound ACL on router A wouldn't block traffic sourced from one of the loopback interfaces on router A?

As far as I know an ACL will not filter traffic sourced by the router.

Obvious question though: why not have the firewall block the traffic sourced from the loopback interface, or have I misunderstood what you are saying?

Jon

Hi John

The ACL will be evaluated first; it will filter the traffic, and then the route-map will be applied to the traffic that was allowed.

Edit - just noticed you said the PBR was inbound :)

Jon

Hi Jon,

I have implemented route-maps for outbound traffic, to be more specific, to set a different next hop. For example, when I want to manipulate the traffic to point to a different gateway.

Please correct me if I am misunderstanding your comment. Thanks.

Hi Julio

We may be talking about different things here, but what I meant was that you apply the route-map to the interface where the traffic arrives at the L3 device, so by definition it is inbound traffic.

So the original question was about an ACL applied outbound, i.e. traffic leaving the router, and policy routing, in which case it doesn't matter which order they are evaluated in because they are acting in different directions.

If the ACL was applied inbound then yes, the order of evaluation would be relevant.

Does the above make sense, or have I got it all wrong? :)

Jon

Perhaps I am missing something in this discussion, but it seems to me that the question in the original post has a fairly simple answer. The original post asks about using `ip policy <route-map>` on an interface and also using `ip access-group <acl> out` on that interface. `ip policy <route-map>` is used in processing traffic inbound on that interface, while `ip access-group <acl> out` is used in processing traffic outbound on that interface. So it seems pretty obvious that there would be no interaction between the two commands and no problem in using them on the same interface.

HTH

Rick

HTH

Rick
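The following IOS configuration is an added illustration of the points made in this thread; it is not from the original posts or from Cisco documentation. It puts both commands on one interface, ties the route-map's next hop to an IP SLA probe sourced from a loopback (the scenario John describes), and shows where the outbound ACL does and does not apply. Only `Rm_out`, `Xlist`, `FastEthernet0/0` and `1.1.1.1` come from the thread; the ACL names `PBR_HOSTS` and `LOCAL_PROBE`, the route-map `LOCAL_PBR`, the addresses `10.0.0.2`, `10.255.255.1` and `192.168.1.10`, and the SLA/track numbers are constructed for the example.

```cisco
! Added example, not from the thread. Constructed values: 10.0.0.2 is
! router B's interface on the internal path, 10.255.255.1 is router A's
! Loopback0, 192.168.1.10 is the host that is policy-routed.
!
! Probe router B from Loopback0; track 1 follows the probe's reachability.
ip sla 1
 icmp-echo 10.0.0.2 source-interface Loopback0
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Traffic selected for policy routing (one internal host).
ip access-list extended PBR_HOSTS
 permit ip host 192.168.1.10 any
!
! Xlist is evaluated on packets TRANSITING the router and leaving Fa0/0.
! As Jon notes, it does not see packets the router itself originates, so a
! deny for the Loopback0 address here will not stop the SLA probe.
ip access-list extended Xlist
 deny   ip host 10.255.255.1 any
 permit ip any any
!
! Rm_out acts on packets ARRIVING on the interface it is applied to (the
! name says nothing about direction). The next hop is used only while
! track 1 is up; when it is down the packet falls back to normal routing.
route-map Rm_out permit 10
 match ip address PBR_HOSTS
 set ip next-hop verify-availability 10.0.0.2 10 track 1
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group Xlist out
 ip policy route-map Rm_out
!
! Router-originated packets bypass both the interface ACL and interface PBR.
! To keep the Loopback0-sourced probe on the internal path (so it fails,
! rather than succeeding via the firewall VPN, while that path is down),
! IOS applies "ip local policy" to locally generated traffic. The trailing
! "set interface Null0" drops the probe instead of letting it fall back to
! normal routing when 10.0.0.2 is not directly reachable.
ip access-list extended LOCAL_PROBE
 permit icmp host 10.255.255.1 host 10.0.0.2
route-map LOCAL_PBR permit 10
 match ip address LOCAL_PROBE
 set ip next-hop 10.0.0.2
 set interface Null0
ip local policy route-map LOCAL_PBR
```

Reading the config top to bottom reproduces the thread's conclusion: on Fa0/0, `Xlist` only touches outbound transit packets and `Rm_out` only touches inbound packets, so their order on the interface is irrelevant; if `Xlist` were instead applied with `in`, an inbound packet would be checked against the ACL before the route-map sees it. Verify the behaviour with `show track 1`, `show ip sla statistics 1` and `show route-map Rm_out` (the route-map counters increment only for inbound matches).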