I need some help being the brain of a router, as I am struggling with this concept.
I have read lots of posts on this forum and Cisco white papers. I took this section out of a white paper:
Route-maps can have permit and deny clauses. In route-map ospf-to-eigrp, there is one deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches from redistribution. Therefore, these rules apply:
route map permit + acl permit = route map executes statement and stops parsing the entire route map
route map deny + acl permit = route map executes statement and stops parsing the entire route map
route map permit + acl deny = route map doesn't find a match for the acl so it skips to the next route map sequence number and so on until it finds a match
route map deny + acl deny = route map doesn't find a match for the acl so it skips to the next route map sequence number and so on until it finds a match
If no match is found then it hits the implicit deny.
The OCG has this in it:
The match command can reference an ACL or prefix list, but doing so does introduce the
possibility of confusion. The confusing part is that the decision to filter a route or allow
the route through is based on the deny or permit in the route-map command, and not the
deny or permit in the ACL or prefix list. When referencing an ACL or prefix list from a
route map, the ACL or prefix list simply matches all routes permitted by the ACL or prefix
list. Routes that are denied by the ACL or prefix list simply do not match that match command’s
logic, making IOS then consider the next route-map command.
OK.. so that makes a little bit more sense.
But why are some things a match and some not?
Like a route map deny and an ACL deny.. seems like a match to deny it to me, and not even worry about continuing further on down the route map.
So if you have
ip access-list standard 1
 deny 192.168.10.0 0.0.0.255
route-map TEST deny 1
 match ip address 1
the router thinks to itself..
"OK, so you told me the range of IP addresses that you wanted to use were 192.168.10.0 - 192.168.10.255 and you wanted to deny those"
I get lost from this point on.
If anyone could explain it a little simpler then I would be very grateful, thanks.
Basically when you use a route-map, it is the route map that either allows (permits) or filters (deny) the routes, and not the ACL or prefix-list. When using route-maps and calling either an ACL or PL, the ACL or PL should always use a "permit" statement so as to "match" the routes. Then depending on the use of "deny" or "permit" in the route-map, the appropriate action is taken. For example, you want to filter a route to 192.168.1.0/24, but allow the 192.168.0.0/24, 192.168.2.0/24 and 192.168.3.0/24.
ip access-list standard 1
 permit 192.168.1.0 0.0.0.255
route-map FILTER-1 deny 10
 match ip address 1
route-map FILTER-1 permit 20
The above route-map filters (deny) the route to 192.168.1.0/24. The second route-map entry allows all remaining routes, because there is no "match" statement and hence the route-map matches everything and allows (permits) the routes.
The key is to remember the route-map decides the action to take either filter (deny) or allow (permit) the routes. The ACL or PL is just used to identify the routes.
Hope this helps.
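To make the matching logic concrete, here is an added Python model of how IOS walks a route-map (this is example code written for this thread, not Cisco code and not something posted by Brian). It assumes a simplified standard ACL that compares only the route's network address under the wildcard mask, and it reproduces both the FILTER-1 route-map from the reply above and the TEST route-map from the original question, so you can see why an ACL "deny" never produces a match and the route falls through to the route-map's implicit deny.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str     # "permit" or "deny"
    network: str    # e.g. "192.168.1.0"
    wildcard: str   # e.g. "0.0.0.255" (IOS wildcard mask, 1 bits are "don't care")


@dataclass
class RouteMapSeq:
    seq: int
    action: str               # "permit" or "deny" on the route-map statement
    match_acl: Optional[str]  # ACL referenced by "match ip address", None = no match clause


def acl_entry_matches(entry: AclEntry, prefix: IPv4Network) -> bool:
    """Simplified standard-ACL test: bits where the wildcard is 0 must be equal."""
    wc = int(IPv4Address(entry.wildcard))
    care = 0xFFFFFFFF ^ wc
    return (int(IPv4Address(entry.network)) & care) == (int(prefix.network_address) & care)


def acl_result(acl: List[AclEntry], prefix: IPv4Network) -> str:
    """First matching line wins; an ACL with no matching line ends in implicit deny."""
    for entry in acl:
        if acl_entry_matches(entry, prefix):
            return entry.action
    return "deny"  # implicit deny at the end of every access-list


def route_map_decision(sequences: List[RouteMapSeq], acls: Dict[str, List[AclEntry]],
                       prefix: IPv4Network) -> Tuple[str, Optional[int]]:
    """Walk the route-map in sequence order.

    Returns (action, seq) for the first sequence whose match clause matches,
    or ("deny", None) if no sequence matches (implicit deny at the end of the route-map).
    """
    for s in sorted(sequences, key=lambda x: x.seq):
        if s.match_acl is None:
            matched = True  # a sequence with no match clause matches every route
        else:
            # The ACL only identifies routes: only an ACL "permit" counts as a match.
            # An ACL "deny" (explicit or implicit) means "no match", so IOS moves on.
            matched = acl_result(acls[s.match_acl], prefix) == "permit"
        if matched:
            return s.action, s.seq
    return "deny", None


# Constructed configuration mirroring the two route-maps discussed in this thread.
ACLS: Dict[str, List[AclEntry]] = {
    "1": [AclEntry("permit", "192.168.1.0", "0.0.0.255")],          # Brian's ACL
    "TEST_ACL": [AclEntry("deny", "192.168.10.0", "0.0.0.255")],    # the original poster's ACL
}
FILTER_1 = [RouteMapSeq(10, "deny", "1"), RouteMapSeq(20, "permit", None)]
TEST = [RouteMapSeq(1, "deny", "TEST_ACL")]


def evaluate_all(route_map: List[RouteMapSeq], prefixes: List[str]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate each prefix string against the route-map; keys are the prefix strings."""
    return {p: route_map_decision(route_map, ACLS, IPv4Network(p)) for p in prefixes}


if __name__ == "__main__":
    for name, rm in (("FILTER-1", FILTER_1), ("TEST", TEST)):
        for prefix, (action, seq) in evaluate_all(
                rm, ["192.168.0.0/24", "192.168.1.0/24", "192.168.10.0/24", "10.0.0.0/8"]).items():
            where = f"seq {seq}" if seq is not None else "implicit deny"
            print(f"{name:9} {prefix:18} -> {action:6} ({where})")
```

Running it shows FILTER-1 dropping 192.168.1.0/24 at sequence 10 and permitting everything else at sequence 20, while TEST (route-map deny plus ACL deny) never matches anything at all: every route, including 192.168.10.0/24, ends up at the route-map's implicit deny rather than at sequence 1, which is exactly the "nothing to match to" case from the question.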
Ah, I see, so the ACL or PL should always be permit because otherwise, if it is deny, then if it's denying the routes, how can something match if there is nothing to match to? (Or another way to put it, like you said at the end: if you deny 192.168.1.0 0.0.0.255 then you're identifying basically nothing? Given there is an implicit deny at the end of every access-list... so once again you're not really matching anything with that command..
vs. the permit where you are permitting 192.168.1.0 0.0.0.255, so you are allowing these to be matched when it comes to the big boss route map function which ultimately decides the fate of the action to take.
I think you answered that well. I guess I was just trying to find out what the matching logic actually is and how to describe it best. But thanks Brian, you are the best.
Thank you for the kind words. Here is a little PDF summarizing the use of the distribute-list command when used to filter routes in EIGRP.