Right now from 192.168.7.55 traceroute towards 192.168.1.180 I get ;

192.168.7.1

10.0.2.1

10.0.2.2

192.168.1.180

I assume actual data xfer would take the same path, thus dropping from 10G on Switch to 1G on ISR then back to Switch. 

Hmm, not what I expected.

I see if I can create a similar PBR using CML, tomorrow, if I have the time.

Morning

Yeah I am a little baffled myself. In playing around I removed the PBR directing x.7.0/24 to 10.0.2.1 but then it simply routes nowhere because naturally it will try try the ip route 10.0.1.1 which has no place for it. 

I see what we are changing, but not seeing how that change makes it work? Was going extended to standard really all there was to it??

I now have 2 hops. Thank you.

---

@TheGoob wrote:

I see what we are changing, but not seeing how that change makes it work? Was going extended to standard really all there was to it??

I now have 2 hops. Thank you.

---

Then all's well now, correct?

No, changing the ACL to a standard ACL was actually inconsequential.  I only did that to make it a bit clearer that only the source IP is being used by (this case instance of) PBR.  (BTW, an extended ACL might still be used for other PBR matching purposes, such as port numbers or ToS tags, etc.  It's just appears that it ignores the destination IP.  I suspect, this goes back to some design reason; like possibly as "normal" routing uses destination IP, we [PBR] don't need to consider it.)

Anyway, what's the critical change is:  not using the set next-hop, as was done previously, because that (again because destination IP was ignored) applied to traffic we wished to ignore.  Adding the "default" keyword, limits the policy to only apply it if the traffic being redirected would need to use the default route, as used for sending non-local traffic to 10.0.0.1.  If traffic sourced from 192.168.7.0/24 would use the default route, the new replacement policy, for just that particular traffic, uses a new default route, 10.0.2.1.

BTW, it's been multiple decades since I've played with PBR, and I vaguely recall not particularly liking it, because of its complexity dealing with failures.  Like, right now, if your new second path goes down, logically, you would want to redirect VLAN 8 traffic back to the original default.  Likewise, if the other default path fails, you might want its external traffic to use the new second path.   What I've provided, doesn't deal with such situations, but I believe it's possible using its own tracking capabilities, but this is how PBR complexity rapidly develops

Also, BTW, I spent quite a few hours last night, working in CML, to resolve this.  It was only when I noticed, "gee it seems to be ignoring the destination IPs in ACL ACEs" (also wondered, a bug?), and doing more specific Internet searches, that my browser's AI summary, noted it had references that mentioned PBR ignores destination IPs.  (My Internet searching also found other "quirks" with PBR, most related to using "deny", either not working, or processed in software, very slowly.  [Did I mention, my having vague memories of not liking PBR?  Laugh.])  (Oh, there's also even a PBR caching feature, but I don't know whether it offers any major benefit since CEF was introduced.)

Lastly, in a case like yours, what I would generally do is route across both paths, and if certain traffic needed better service, I would use QoS.  (Additionally, what could be done with Cisco's OER/PfR, if available, was, I thought, amazing!)

Morning

Yes it all works the way we expect it to now. I would never have imagine the default addition to the route-map was the key difference on how it routes. I can not say that I clearly understand how it would differ aside from seeing the difference and I kind of understand your explanation, but in time I am sure it will click.

I hope you were fine with spending so much time trying to recreate the scenario, that is crazy it was hours long, I am thankful to you for doing so. 

In truth I did not purposely select PBR but was not sure how to route in my scenario being I can not figure out how to add a 2nd ISP to my FTD that currently hosts my ISP1 where I could use 1 route back for all vlans to the router so I opted for a 2 router config, so that is the PBR reasoning. My only other reasoning to use extended acls would be for an incoming connection on ISP 2 to connect to a service on ISP1, but really that would just be vlan 8 accessing vlan 2 for a service, but that's another project later. Also another reason I did not want to do load balancing or failover scenario was ISP2 is my wifes and ISP1 was mine, I did not want anything I do to slow hers down... so I sort of stepped back from that approach. But will continue to focus on 2 ISP on 1 FDM approach.

I will continue to look this over to where it starts to click and as far as other options which currently seem unclear to me;

QoS,OER/PfR.

But you got me working and I really appreciate it. 

Matt

Yes it all works the way we expect it to now.

Yea!

I would never have imagine the default addition to the route-map was the key difference on how it routes.

Well, in the original PBR policy, an attempt was made to distinguish between allowing VLAN 8 to route between it and the other local VLANs/subnets normally, and only direct its non local network (Internet) traffic to the new link.

Part of the key to understanding, the replacement PBR policy, its "default next-hop" basically applies to just overriding the default route.  This is exactly what we wanted.  We didn't want all VLAN 8 traffic directed to the new external path.

In truth I did not purposely select PBR but was not sure how to route in my scenario . . .

Yea, that's normally a problem, because you selectively want some specific traffic (based on source and destination) to flow along one path, and other some specific traffic (also based on source and destination) to flow across another path  (Actually, if you had your own public Internet IP, and two ISPs, you could direct your outbound traffic to an ISP of your choice [much as we're doing now] but the return traffic might flow back on either ISP without your preference of which is used.  (Since you're not using your own public IP, i.e. it's ISP specific, traffic will flow back across the same ISP it went outbound upon.)

Also another reason I did not want to do load balancing or failover scenario was ISP2 is my wifes and ISP1 was mine, I did not want anything I do to slow hers down...

Laugh!  I understand, high level, executive policy decisions, which can, from time to time, preempt specific technical (better?, optimal?, robust?) approaches.  ; )

I hope you were fine with spending so much time trying to recreate the scenario, that is crazy it was hours long, I am thankful to you for doing so. 

Rest assured, I am fine with the time I spent. It was very much a learning experience for me.  Laugh, one of my niche services, during my career, was working on solving issues that no one else could.  Didn't always succeed, but succeeded enough which is why I would be assigned such cases.

In this case, one of the reasons it took me so long, because, at first glance, what you were trying to do looked okay to me.  Further, the other replies you received earlier, thought the same.  I.e. @Enes Simnica and @elwin-berrar thought what you had was fine.

As how the PBR policy should work, was sort of locked into my mine, i.e. the destination IP, in an ACL's ACE, should be considered, I was looking for some other reason why the PBR policy wasn't working.  So, I ran lots of various tests trying to identify where the failure was.   Heck, I even try testing with number ACLs rather than your named ACLs, because way back when, I recalled when named ACLs were introduced, some features that used ACLs, wouldn't process them.  I also wondered, whether the original PBR policy would work as we all thought it should (i.e. even if destination IPs not ignored).

I.e. given:

ip access-list extended SL
 10 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 20 permit ip 192.168.7.0 0.0.0.255 any

route-map SL permit 10 
 match ip address access-list SL
 set ip next-hop 10.0.2.1

Does the ACE 10  cause the PBR match to not match, or does that fact the ACE does match, i.e. you didn't hit the bottom of the ACL, count as a PBR "match"?

So I also tested something like:

ip access-list extended SL1
 10 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

ip access-list extended SL2
 20 permit ip 192.168.7.0 0.0.0.255 any

route-map SL deny 10 
 match ip address access-list SL1
route-map SL permit 20
 match ip address access-list SL2
 set ip next-hop 10.0.2.1

The above didn't work either, again (as I later figured out) because the destination IP was being ignored.

With the above, I also enable policy debugging, but it's output was somewhat unclear, but seemed to show, ACL SL1 was matching undesired traffic (basically, same result as if it changed ACE 10 to "permit ip192.168.0.0 0.0.255.255 any".

With that, and more focused Internet questions, I finally saw mention of ACE destination IPs being ignored when using PBR.

Also, in my "research" of using PBR, I didn't find a matching example case like yours.

Anyway, with the understanding of the destination IP being ignored, I then had to figure out if there was a way to do it using PBR.  I found the "default next-hop" option, with it cryptic explanation, for what it does, and tested it.  Eureka!

Also anyway, part of my time also was taken in considering if what you described was a bug.  Even though I was able to obtain the same result in CML (all my devices were routers, i.e. no switches, no PC hosts), I wondered how like CML might be like Packet Tracer, which often works incorrectly doing "complex" things.  Yet, as I did get the same results, I figured, hmm, maybe we're just missing something "basic".

So, all the above took some time.  But, again, a good learning experience for me.

Fascinating.

I am glad it was beneficial for you to assist me too, and truly it was a learning experience for me as well. Would this possibly be a legitimate link to explain the scenario to a point https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html.

(Actually, if you had your own public Internet IP, and two ISPs, you could direct your outbound traffic to an ISP of your choice [much as we're doing now] but the return traffic might flow back on either ISP without your preference of which is used.  (Since you're not using your own public IP, i.e. it's ISP specific, traffic will flow back across the same ISP it went outbound upon.)

Actually funny thing is, that is one reason we have 2 ISP’s as I do own a block of 8 (6 Usable) IP’s and do not want to lose them as I host my own web servers and email servers and I know ISP’s selling blocks of statics is a rarity these days. 

Also, in my "research" of using PBR, I didn't find a matching example case like yours.

I will tell you this. The several years I have been on here I would say 90% of my ideas are non-conventional and quite possibly not well thought out or efficient, but I want what I want

Would this possibly be a legitimate link to explain the scenario to a point https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html.

Case 1 is similar, although it shows an extended ACL 100s with their single ACE also using an IP destination!  It would work, but I believe, not limited to just the destination host in the ACEs.

This case, though, uses PBR as a backstop if the expected known route is lost.

Actually funny thing is, that is one reason we have 2 ISP’s as I do own a block of 8 (6 Usable) IP’s and do not want to lose them as I host my own web servers and email servers and I know ISP’s selling blocks of statics is a rarity these days.

Hmm, possibly you misunderstand your "ownership".  Possibly, that subnet is actually allocated to one of your ISPs.  True public "ownership" of an IP subnet, you would be independent of any ISP, and, I believe, it would need to be at least a /24.

The several years I have been on here I would say 90% of my ideas are non-conventional and quite possibly not well thought out or efficient, but I want what I want

Laugh.  Well, I've been consider the "mad scientist" at some places I've work, for also being, ah, also, somewhat unconventional.