1586 Views 3 Replies Latest reply: Sep 4, 2011 8:20 AM by Brian


route map with access list

Sep 4, 2011 12:24 AM

Matt 138 posts since
Jan 1, 2011

I need some help being the brain of a router, as I am struggling with this concept.

 

I have read lots of posts on this forum and Cisco white papers. I took this section out of a white paper:

 

Route-maps can have permit and deny clauses. In route-map ospf-to-eigrp, there is one deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches from redistribution. Therefore, these rules apply:

  • If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.
  • If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.
  • If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

 

 

route map permit + ACL permit = route map executes the statement and stops parsing the entire route map

route map deny   + ACL permit = route map executes the statement and stops parsing the entire route map

route map permit + ACL deny   = route map doesn't find a match for the ACL, so it skips to the next route map sequence number, and so on until it finds a match

route map deny   + ACL deny   = route map doesn't find a match for the ACL, so it skips to the next route map sequence number, and so on until it finds a match

If no match is found, then it hits the implicit deny.

 

The OCG has this in it:

 

The match command can reference an ACL or prefix list, but doing so does introduce the possibility of confusion. The confusing part is that the decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list. When referencing an ACL or prefix list from a route map, the ACL or prefix list simply matches all routes permitted by the ACL or prefix list. Routes that are denied by the ACL or prefix list simply do not match that match command's logic, making IOS then consider the next route-map command.

 

OK, so that makes a little bit more sense.

 

But why are some things a match and some not?

 

Like a route map deny and an ACL deny: that seems like a match to deny it to me, and not even worry about continuing further on down the route map.

 

So if you have:

 

ip access-list standard 1
 deny 192.168.10.0 0.0.0.255
!
route-map TEST deny 1
 match ip address 1

 

the router thinks to itself:

 

"OK, so you told me the range of IP addresses that you wanted to use was 192.168.10.0 - 192.168.10.255, and you wanted to deny those."

 

I get lost from this point on.

 

If anyone could explain it a little simpler, then I would be very grateful. Thanks.

  • Brian 2,971 posts since
    Aug 17, 2009
    1. Sep 4, 2011 12:50 AM (in response to Matt)
    Re: route map with access list

    Basically, when you use a route-map, it is the route-map that either allows (permits) or filters (denies) the routes, and not the ACL or prefix-list. When using route-maps and calling either an ACL or PL, the ACL or PL should always use a "permit" statement so as to "match" the routes. Then, depending on the use of "deny" or "permit" in the route-map, the appropriate action is taken. For example, you want to filter a route to 192.168.1.0/24, but allow 192.168.0.0/24, 192.168.2.0/24 and 192.168.3.0/24.

     

    ! ACL 1 only identifies the route; the route-map decides what happens to it.
    ! (IOS requires the "standard" or "extended" keyword with "ip access-list".)
    ip access-list standard 1
     permit 192.168.1.0 0.0.0.255
    !
    ! Clause 10: routes permitted by ACL 1 match here and are filtered.
    route-map FILTER-1 deny 10
     match ip address 1
    ! Clause 20: no match statement, so every remaining route matches and is allowed.
    route-map FILTER-1 permit 20
    !

     

    The above route-map filters (deny) the route to 192.168.1.0/24. The second route-map entry allows all remaining routes, because there is no "match" statement and hence the route-map matches everything and allows (permits) the routes.

     

    The key is to remember that the route-map decides the action to take, either filter (deny) or allow (permit) the routes. The ACL or PL is just used to identify the routes.

     

    Hope this helps.

     

    Brian
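To make the four route-map/ACL combinations from Matt's question and Brian's answer concrete, here is an added Python simulation (written for this thread; it is not Cisco code and not from either poster) of how IOS walks a route-map whose clauses reference a standard ACL: an ACL permit hit is a match, an ACL deny hit or the ACL's implicit deny is no match and IOS moves to the next clause, a clause with no match statement matches everything, and falling off the end is the implicit deny. The parser understands only the subset of IOS syntax used in this thread (an assumption), and the two configs and four routes below are constructed from the posts above.

```python
"""Simulate IOS route-map evaluation with `match ip address <standard ACL>`.

Added example for this thread, not Cisco code. Parses only the IOS syntax
used in the thread (numbered standard ACLs, route-map clauses with one
`match ip address`), which is an assumption, not a full IOS parser.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _acl_entry(action, args):
    """`permit A W`, `permit host A`, `permit A` or `permit any` -> (action, network, wildcard)."""
    if args[0] == "any":
        return action, 0, ALL_ONES
    if args[0] == "host":
        args = args[1:]
    network = int(ipaddress.IPv4Address(args[0]))
    wildcard = int(ipaddress.IPv4Address(args[1])) if len(args) > 1 else 0
    return action, network, wildcard


def parse_config(text):
    """Return (acls, route_maps). acls[name] -> list of entries;
    route_maps[name] -> list of {"seq", "action", "acl"} clauses (acl None = no match statement)."""
    acls, route_maps = {}, {}
    current_acl = current_clause = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":                        # blank or comment line
            continue
        if tok[0] == "access-list":                         # access-list 1 permit A W
            current_acl = current_clause = None
            acls.setdefault(tok[1], []).append(_acl_entry(tok[2], tok[3:]))
        elif tok[:3] == ["ip", "access-list", "standard"]:  # ip access-list standard 1
            current_acl, current_clause = tok[3], None
        elif tok[0] == "route-map":                         # route-map NAME permit|deny SEQ
            current_acl = None
            current_clause = {"seq": int(tok[3]), "action": tok[2], "acl": None}
            route_maps.setdefault(tok[1], []).append(current_clause)
        elif tok[0] in ("permit", "deny") and current_acl is not None:
            acls.setdefault(current_acl, []).append(_acl_entry(tok[0], tok[1:]))
        elif tok[:3] == ["match", "ip", "address"] and current_clause is not None:
            current_clause["acl"] = tok[3]
        else:
            raise ValueError("unsupported line: %r" % raw)
    return acls, route_maps


def acl_permits(entries, address):
    """Standard-ACL lookup as `match ip address` uses it: top down, first hit wins,
    implicit deny at the end. True only when a *permit* line hits."""
    addr = int(ipaddress.IPv4Address(address))
    for action, network, wildcard in entries:
        care = ALL_ONES & ~wildcard                 # wildcard bit 1 = "don't care"
        if (addr & care) == (network & care):
            return action == "permit"
    return False


def evaluate(route_map, acls, route):
    """Return (action, seq) for one route; seq None means the route-map's implicit deny."""
    net = ipaddress.IPv4Network(route, strict=False)
    for clause in sorted(route_map, key=lambda c: c["seq"]):
        acl = clause["acl"]
        if acl is None or acl_permits(acls[acl], str(net.network_address)):
            return clause["action"], clause["seq"]
    return "deny", None                             # no clause matched


# Constructed configs: Brian's FILTER-1 and Matt's TEST, as posted in this thread.
BRIAN_CONFIG = """
ip access-list standard 1
 permit 192.168.1.0 0.0.0.255
!
route-map FILTER-1 deny 10
 match ip address 1
route-map FILTER-1 permit 20
"""
MATT_CONFIG = """
ip access-list standard 1
 deny 192.168.10.0 0.0.0.255
!
route-map TEST deny 1
 match ip address 1
"""
ROUTES = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.10.0/24"]


def run(config, map_name, routes=ROUTES):
    """Evaluate every route against one route-map -> {route: (action, seq)}."""
    acls, maps = parse_config(config)
    return {r: evaluate(maps[map_name], acls, r) for r in routes}


if __name__ == "__main__":
    for cfg, name in ((BRIAN_CONFIG, "FILTER-1"), (MATT_CONFIG, "TEST")):
        print(name)
        for route, (action, seq) in run(cfg, name).items():
            where = "clause %s" % seq if seq is not None else "end of route-map (implicit deny)"
            print("  %-18s %-6s via %s" % (route, action, where))
```

Running it shows FILTER-1 denying 192.168.1.0/24 at clause 10 and permitting the other three routes at clause 20, while TEST matches nothing: its only ACL line is a deny, so every route (including 192.168.10.0/24, the one Matt wanted to block) falls past clause 1 into the implicit deny and the route-map filters everything. Two caveats worth carrying to a real router: a standard ACL under `match ip address` is compared against the route's network address only, not its mask, so `permit 192.168.1.0 0.0.0.255` also matches 192.168.1.0/25 or 192.168.1.128/25 (use a prefix list when the prefix length matters); and a route-map with no permit clause anywhere, or whose only match references an all-deny ACL, silently drops every route rather than failing loudly.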

  • Brian 2,971 posts since
    Aug 17, 2009
    3. Sep 4, 2011 8:20 AM (in response to Matt)
    Re: route map with access list

    Thank you for the kind words. Here is a little PDF summarizing the use of the distribute-list command when used to filter routes in EIGRP.

     

    https://learningnetwork.cisco.com/docs/DOC-10454

     

    Brian
