
When preforming [Policy Based Routing (PBR)](/pbr-policy-based-routing), the use of a deny statement in a [route-map](/route-map) or an [ACL](/acl) referenced by a route-map has no meaning.  Cisco documentation states that such deny statements are unsupported, however, the issue is not so much one of support, as it is of logic.

The issue isn’t so much if a deny statement is supported or not, but if, logically, it has any place in a PBR implementation. Remember, PBR **doesn’t filter traffic** and this is the most important thing to keep in mind here. Deny statements are used in situations where filtering is necessary.

As a result, it doesn’t make sense to apply a deny statement in either a route map or an ACL used for PBR:

**Route-Map Statements**: Route maps in Cisco devices are used to define the conditions for PBR. Each route-map statement can have a permit or deny action. In the context of PBR, **only the permit statements are effective**. This is because PBR uses route maps to determine how to forward traffic, not to filter it.

**ACLs in Route Maps**: Within a route map used for PBR, you can reference ACLs to match specific types of traffic. The deny statements in these ACLs **are effectively ignored in the context of PBR**. This means that when a packet matches a ‘deny’ statement in an ACL referenced by a route map for PBR, it is not actively denied; rather, it is not matched by the PBR policy and thus is processed using the regular routing table, not the PBR-defined path.

In essence, when applying PBR using route maps, the router **only pays attention to the criteria that are set to permit.** Anything set to deny in either the route map itself or in the ACLs referenced by the route map is not used to redirect traffic and instead falls back to the default routing behavior.

Indeed, according to some Cisco documentation:

> If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (destination-based routing).

Links:

https://forum.networklessons.com/t/how-to-configure-policy-based-routing/945/98?u=lagapides

https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie3X00/software/17_3/b_ip_routing_17-3_iot_switch_cg/m_configuring-ipv4-policy-based-routing.pdf

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/qos/config/cisco_nexus7000_qos_config_guide_8x/configuring_local_policy_based_routing.pdf

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_44_se/configuration/guide/scg/swiprout.html#wp1210866

PBR - route-map and ACL deny statements not supported

OSPF Troubleshooting

OSPF Type 4 LSA

OSPF Type 5 LSA

OSPF Type 7 LSA

OSPF Why it is not suitable for use on the Internet

OSPF advertising loopback network

OSPF area inactive

OSPF area notation

OSPF area type mismatch

OSPF backbone area 0

OSPF default metric values

OSPF design - when to create a new area

OSPF does not redistribute default route

OSPF downheap LSA

OSPF duplicate router IDs

OSPF extent of reconvergence process

OSPF immediate hello packet

OSPF in a GRE multipoint environment

OSPF loop prevention

OSPF master slave election

OSPF message options field

OSPF metric sum of outgoing interface costs

OSPF modifying the router ID

OSPF network command

OSPF network types

OSPF non directly connected neighbor adjacencies

OSPF packet types

OSPF point to point network type for Ethernet

OSPF requirements for forming adjacency

OSPF router ID in an IPv6 environment

OSPF router ID

OSPF sham-link cost

OSPF sham-link

OSPF virtual link and ABRs

OSPF where do you configure a virtual link

OSPF why is a backbone area 0 necessary

OSPF within what area is an OSPF router considered to be

OSPF

OSPFv2 and OSPFv3 comparison

OSPFv3 - router ospfv3 command

OSPFv3 communication between routers and next hop addresses

OSPFv3 instance ID

Offset-list

PAT (overloading) maximum number of translations per inside global address

PAgP

PBR - Policy Based Routing

PBR - Transport Layer port number

PBR - load balancing

PBR - matching prefix lists

PBR - set interface command

PBR next hop recursive

PBR next hop verify availability

PBR next-hop and default next-hop

PPPoE

PSTN

PTP - Best Master Clock Algorithm

PTP - Clock Types

PTP - Interface Roles

PTP - Offset and Delay times

PTP - Precision Time Protocol

Passive interface

Physical layer - Copper medium

Physical layer - Optical fiber medium

Physical layer - Wireless medium

Physical layer - carrier wave

Physical layer - encoding

Physical layer - media

Physical layer - modem

Physical layer - modulation

Ping - Specify ToS

Ping - common reasons for failure

Ping - debug commands

Ping - possible ping responses

Ping - sweep range of sizes

Ping - troubleshooting concepts

Ping

PoE - Understanding Maximum Power

PoE Passive

PoE Standards-based

PoE over Gigabit Ethernet

PoE power sourcing equipment (PSE)

PoE powered device (PD)

PoE what is it

Point-to-Point Protocol (PPP)

Policy Based Routing acts on incoming traffic

Prefix Lists - Operators

Prefix Lists

Private VLANs - across a trunk

Private VLANs - non-operational type

Private WAN

Protocol Data Unit (PDU)

Protocol Independent Multicast (PIM)

Protocols with LFA support

Pseudowire

Public Key Certificate

Python - Parsing output of show commands

Python - viewing code using trinket.io

Python Paramiko SSH

Python stdin, stdout, stderr