Jason Flory

Issues with policy based routing (ACL not identifying traffic correctly)

Hello Everyone

We just started doing policy based routing on our network. We just purchased a layer 2 point-to-point for replication traffic to offload our MPLS. I have configured policy based routing on both sides. Currently we have multiple ACLs identifying multiple types of traffic, but only one ACL seems to be working at a time.

Site one

access-list 151 permit tcp eq 8080
access-list 152 permit tcp any host eq 4214
access-list 153 permit tcp host host eq 12547
access-list 154 permit tcp eq 64327
access-list 155 permit ip host host
access-list 156 permit tcp host host range 5022 5026 
access-list 156 permit tcp host host range 5022 5026

route-map alt_route_dc permit 10
 match ip address 155 151 152 153 154 156
 set ip next-hop

The policy is then assigned to each VLAN that the servers are on.

On site 2 we have exactly the reverse configuration.

The only traffic I see working correctly is from this ACL

access-list 156 permit tcp host host range 5022 5026

All the others worked when we did them individually.

Cisco Freak

Can you please share the output of 'sh route-map alt_route_dc'?

Let's verify that all the ACLs are matching in the route-map.


Here is the route map

route-map alt_route_dc, permit, sequence 10
  Match clauses:
    ip address (access-lists): 155 151 152 153 154 156
  Set clauses:
    ip next-hop
  Policy routing matches: 152238 packets, 18882217 bytes


Had a quick look at your last post and it looks like you are using 3850s, which have had bugs in PBR in the past.

Is there a specific reason for using multiple ACLs, given that you are applying the same route map to all the SVIs?

It shouldn't make a difference, but as each ACL worked individually, perhaps it is something to do with the way the switch is handling multiple ACLs in the match statement.


We did try to combine everything into one ACL and it did not work, then we moved to individual ones. The other thing we tried with no success was named access lists, which are supposed to work, but we could not get these to work.

It is possible that the reason the combined ACL did not work was related to some other config error. Let me try combining again.


I just figured out how to do a named ACL. Apparently you cannot type the whole thing out; you have to enter the access list and then add your entries. This seems like a better way because you can actually edit them without removing them.


Wanted to point out that we did move to IP named access lists but kept them separate. We may combine later, but for now everything is working and always was working.

Jason Flory


I ended up doing a packet capture on the interface and all traffic was being identified correctly. This was due to SolarWinds NetFlow not showing the correct traffic. Had me chasing my tail for a bit.
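As an added example that is not part of this thread or the original poster's configuration, here is how the named-ACL approach from the post above could be built: one named extended ACL per replication flow, entered line by line inside the ACL (with sequence numbers so entries can be edited in place), a route-map whose single `match ip address` clause references several ACLs (they are evaluated as a logical OR, so a packet permitted by any one of them is policy-routed), and the IOS-XE commands to check on the switch itself which flows are actually taking the alternate path, which is the on-box check that replaces relying on an external NetFlow collector. All host addresses, subnets, ACL names, the VLAN number and the next-hop address are constructed placeholders.

```cisco
! ---- Named extended ACLs, one per replication flow (all addresses are placeholders) ----
! Entries are added inside the ACL; the sequence number lets you insert or delete a line
! later without rebuilding the whole list.
ip access-list extended REPL_SQL_MIRROR
 10 permit tcp host 10.10.1.20 host 10.20.1.20 range 5022 5026
 20 permit tcp host 10.10.1.21 host 10.20.1.21 range 5022 5026
!
ip access-list extended REPL_WEB
 10 permit tcp 10.10.1.0 0.0.0.255 10.20.1.0 0.0.0.255 eq 8080
!
ip access-list extended REPL_BACKUP
 10 permit tcp any host 10.20.1.30 eq 4214
!
! Editing in place: insert a new entry between 10 and 20, or remove one by sequence number.
ip access-list extended REPL_SQL_MIRROR
 15 permit tcp host 10.10.1.22 host 10.20.1.22 range 5022 5026
 no 20
!
! ---- Route-map: several ACLs in ONE match clause are ORed together ----
! A packet permitted by REPL_SQL_MIRROR or REPL_WEB or REPL_BACKUP gets the next-hop below.
! Traffic matching none of them falls through and is routed normally (via MPLS here).
route-map alt_route_dc permit 10
 match ip address REPL_SQL_MIRROR REPL_WEB REPL_BACKUP
 set ip next-hop 192.0.2.2
!
! ---- Apply to each server SVI (placeholder VLAN) ----
interface Vlan100
 ip policy route-map alt_route_dc
!
! ---- Verification on the switch, independent of any external collector ----
! Confirms all ACL names are bound to the clause and shows the PBR hit counter.
show route-map alt_route_dc
! Shows which interfaces have the policy applied.
show ip policy
! Per-ACE hit counters; note that on hardware-switched platforms PBR matches
! may not increment these, so treat zeros here as inconclusive, not as proof.
show ip access-lists REPL_SQL_MIRROR
! Embedded packet capture of one specific flow on the SVI, to see the real
! packets rather than a collector's summary (stop it after a short interval).
monitor capture CAP interface Vlan100 both
monitor capture CAP match ipv4 host 10.10.1.20 host 10.20.1.20
monitor capture CAP start
monitor capture CAP stop
show monitor capture CAP buffer brief
```

The `show route-map` counter only tells you that something matched the clause, not which ACL did it; the capture filtered to a single flow is what answers the per-flow question the thread was chasing. Keep the capture window short and filtered, since an unfiltered capture on a busy SVI fills the buffer quickly.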