PBR - route-map and ACL deny statements not supported
When performing Policy Based Routing (PBR), a deny statement in a route-map, or in an ACL referenced by a route-map, has no meaning. Cisco documentation states that such deny statements are unsupported; however, the issue is not so much one of support as one of logic.
The question isn’t whether a deny statement is supported, but whether it logically has any place in a PBR implementation. Remember, PBR doesn’t filter traffic, and this is the most important thing to keep in mind here. Deny statements are used in situations where filtering is necessary.
As a result, it doesn’t make sense to apply a deny statement in either a route map or an ACL used for PBR:
Route-Map Statements: Route maps in Cisco devices are used to define the conditions for PBR. Each route-map statement (sequence) can have a permit or deny action, and the statements are evaluated top-down until one matches. In the context of PBR, only the permit statements can redirect traffic: when a packet matches a permit statement, its set clauses (next hop, egress interface, and so on) are applied. When a packet matches a deny statement, evaluation stops, no set clause is applied, and the packet is handed to normal forwarding. The deny statement does not drop the packet, because PBR uses route maps to determine how to forward traffic, not to filter it.
ACLs in Route Maps: Within a route map used for PBR, you can reference ACLs to match specific types of traffic. A deny entry in such an ACL does not deny anything; it only means “this packet does not match this route-map statement.” The same is true of the implicit deny at the end of every ACL. When a packet hits a deny entry in an ACL referenced by a route-map statement, the router simply moves on to the next route-map sequence; if no sequence matches at all, the packet is processed using the regular routing table rather than a PBR-defined path.
In essence, when applying PBR using route maps, the router only acts on criteria that are set to permit. Anything set to deny, in either the route map itself or in the ACLs it references, is not used to redirect traffic and instead falls back to the default destination-based routing. If the intent is actually to discard traffic with PBR, a deny is the wrong tool; use a permit statement with set interface Null0, or filter the traffic with an access-group on the interface before PBR is applied.
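The following IOS configuration, added here as an illustration and not taken from Cisco documentation, puts the two kinds of deny side by side. The ACL names, route-map name, interface and addresses (10.1.1.0/24, 192.0.2.10, 203.0.113.2) are assumed for the example.

```cisco
! Constructed example: a PBR policy that sends traffic from the 10.1.1.0/24
! LAN to an alternate next hop, except traffic bound for one server.
!
ip access-list extended PBR-LAN
 ! ACL deny: this is NOT a drop. A packet hitting this line simply fails to
 ! match route-map sequence 10 and evaluation continues with sequence 20.
 deny   ip 10.1.1.0 0.0.0.255 host 192.0.2.10
 permit ip 10.1.1.0 0.0.0.255 any
 ! implicit "deny ip any any": everything else also fails to match sequence 10
!
ip access-list extended PBR-GUEST
 permit ip 10.1.2.0 0.0.0.255 any
!
route-map PBR-POLICY permit 10
 match ip address PBR-LAN
 set ip next-hop 203.0.113.2
!
! Route-map deny: a packet matching PBR-GUEST stops here, no set clause is
! applied, and the packet is forwarded by the normal routing table.
! Leaving this sequence out entirely produces exactly the same result.
route-map PBR-POLICY deny 20
 match ip address PBR-GUEST
!
! Contrast: the only way to make PBR discard traffic is a permit sequence
! whose set clause points at Null0.
route-map PBR-POLICY permit 30
 match ip address PBR-BLACKHOLE
 set interface Null0
!
interface GigabitEthernet0/1
 ip policy route-map PBR-POLICY
```

Resulting behaviour for packets arriving on GigabitEthernet0/1: 10.1.1.0/24 to anything other than 192.0.2.10 matches sequence 10 and is sent to 203.0.113.2; 10.1.1.0/24 to 192.0.2.10 hits the ACL deny, falls through sequences 20 and 30 without matching, and is routed normally; 10.1.2.0/24 matches the deny sequence 20 and is routed normally; only traffic permitted by PBR-BLACKHOLE (not shown) is actually dropped. To confirm which sequence traffic is hitting, check the per-sequence "Policy routing matches" counters with `show route-map PBR-POLICY`, or watch individual decisions with `debug ip policy` on a lab device.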
Indeed, according to some Cisco documentation:
If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (destination-based routing).