"Do not match ACLs with deny ACEs. Packets  that match a deny ACE are sent to the CPU, which could cause high CPU  utilization" is mentioned in the document http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swiprout.html.

But in my setup how to access the other VLAN's when PBR is  enabled? Because if don't specify DENY statement, while i try to access  a workstation from VLAN 10 to VLAN 20, it doesn't access since it takes  a default path towards the policy route-map statement & hits  internet. Below is my config. Any suggestion is most welcome as i am  slightly seeing CPU utilization when DENY statement is used

ip routing

interface vlan 10

ip address 172.16.0.254 255.255.255.0

ip policy route-map SERVER

interface vlan 20

ip address 172.16.3.254 255.255.255.0

ip policy route-map WORKSTATION

route-map SERVER permit 10
match ip address SERVER
set ip next-hop 172.16.254.2

route-map WORKSTATION permit 10
match ip address SERVER
set ip next-hop 172.16.254.2

ip access-list extended SERVER
deny   ip 172.16.0.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 any

ip access-list extended WORKSTATION
deny   ip 172.16.3.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 172.16.3.0 0.0.0.255 any

CORE-SWITCH#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K