  • Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hi Alfredo,

    The interfaces on a router are "routed ports", each interface requires an IP address in a unique subnet. is in the same subnet as your first interface and it's also a broadcast address. You'll have to use a larger subnet, /30 only offers you two IP addresses. A /29 would work.

    Somehow you need to add the interfaces of the two firewalls and the router in a single broadcast domain. You can't turn the routed ports into switchports so a switch module is not a bad idea...or create a VLAN on a switch and connect the firewall + router interfaces to it.

    Technically you might be able to bridge the two router interfaces and use a BVI interface but that's not something I would recommend:

    ! enable integrated routing and bridging and create bridge group 1
    bridge irb
    bridge 1 protocol ieee
    ! allow IP to be routed (not only bridged) through the BVI
    bridge 1 route ip
    ! both physical interfaces become members of the bridge group
    interface GigabitEthernet0/1
     bridge-group 1
    interface GigabitEthernet0/2
     bridge-group 1
    ! the BVI carries the IP address for the bridged segment
    interface BVI 1
     ip address

    This bridges the two gigabit interfaces together, the BVI interface is the "routed" port.

    Hope this helps...


  2. Hi Rene,

    How would the router treat the matching packets if the specified next-hop in the PBR is unreachable? Will the packets be dropped, or will the routing table be used?

  3. Hi,

    I have a question that I have a good guess on but would like to confirm.

    I see when you create your access list for the Policy Based Routing that you only add the one permit statement to the access-list. It's been knocked into my head that there is always an implicit deny statement at the end of every access-list. So wouldn't best practice be putting a statement at the end that says permit ip any any?

    Now my guess is that since you are not applying this access list to, say, an interface or other entity of that form, it's not required. Indeed, we are just using the access-list as a trigger for when an event happens (the flow of certain network, etc…).

    So nothing is really being permitted or denied in the physical realm so it does not matter.

    I just wanted to confirm my thinking is correct on this, as I immediately started looking for the "permit all other traffic" statement but then logically saw that it was not really needed in this case.

    Just trying to feel out my box and rules on this.


  4. Hello Brian.

    You are essentially correct. Access lists when used in conjunction with Policy Based Routing are used for matching specific criteria. If you add permit ip any any at the end, then you would essentially be saying “match everything”.

    I hope this has been helpful!


  5. Thanks for confirming, and also thanks for that added bit at the end about it matching everything.

    I was almost thinking that, just to conform with best practice, it would be good to add the permit-everything statement, but I did not think from that perspective that it would then include that traffic as well. You might have saved me from a possible booboo!
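The two threads above (reply 2, an unreachable PBR next hop, and replies 3 to 5, the ACL with a single permit entry and no trailing permit ip any any) can be shown in one configuration. This is an added example, not configuration from the lesson or from any of the forum posts. The interface names, addresses, ACL and route-map names are assumptions: Gi0/1 is the LAN side holding 192.168.10.0/24, Gi0/2 faces the alternate next hop 203.0.113.2, and 198.51.100.10 is the web server whose traffic should take the alternate path.

```cisco
! Added example, not part of the original page. Names and addresses are assumed.
!
! 1. Match criteria. When an ACL is referenced by a route-map it is only a
!    classifier. The implicit deny at the end means "no match, route normally";
!    it does not drop anything. A trailing "permit ip any any" would make the
!    route-map match, and policy-route, all traffic entering the interface.
ip access-list extended PBR-WEB
 remark internal-to-internal traffic stays on the normal routed path
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark only HTTPS from the LAN to the web server is policy-routed
 permit tcp 192.168.10.0 0.0.0.255 host 198.51.100.10 eq 443
!
! 2. Track the next hop so the router knows whether it is actually usable,
!    instead of relying on the interface line state alone.
ip sla 1
 icmp-echo 203.0.113.2 source-interface GigabitEthernet0/2
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! 3. Policy. With verify-availability the set clause is skipped while track 1
!    is down, so matching packets fall back to the routing table rather than
!    being forwarded toward a dead next hop. Packets that match no permit
!    entry never enter the set clause at all and take the routing table too.
route-map PBR-WEB permit 10
 match ip address PBR-WEB
 set ip next-hop verify-availability 203.0.113.2 10 track 1
!
! 4. Apply to the ingress interface. PBR acts on transit traffic arriving on
!    Gi0/1; router-originated traffic would need "ip local policy route-map".
interface GigabitEthernet0/1
 ip policy route-map PBR-WEB
```

To check the behaviour, "show track 1" reports whether the next hop is reachable, "show route-map PBR-WEB" shows how many packets were policy-routed against each sequence, and "debug ip policy" on a lab router prints, per packet, whether the route-map matched and whether the set clause was applied or skipped.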

19 more replies! Ask a question or join the discussion by visiting our Community Forum