3 Replies Latest reply: Sep 4, 2011 8:20 AM by Brian

    route map with access list

    Matt

      I need some help being the brain of a router, as I am struggling with this concept.

      I have read lots of posts on this forum and Cisco white papers. I took this section out of a white paper:

      Route-maps can have permit and deny clauses. In route-map ospf-to-eigrp, there is one deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches from redistribution. Therefore, these rules apply:

      • If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.
      • If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.
      • If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.


      route map permit + acl permit = route map executes statement and stops parsing the entire route map
      route map deny   + acl permit = route map executes statement and stops parsing the entire route map

      route map permit + acl deny   = route map doesn't find a match for the acl so it skips to the next route map sequence number and so on until it finds a match
      route map deny   + acl deny   = route map doesn't find a match for the acl so it skips to the next route map sequence number and so on until it finds a match

      if no match found then it hits implicit deny.

      the OCG has this in it:

      The match command can reference an ACL or prefix list, but doing so does introduce the possibility of confusion. The confusing part is that the decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list. When referencing an ACL or prefix list from a route map, the ACL or prefix list simply matches all routes permitted by the ACL or prefix list. Routes that are denied by the ACL or prefix list simply do not match that match command's logic, making IOS then consider the next route-map command.

      ok.. so that makes a little bit more sense.

      But why are some things a match and some not?

      like a route map deny and an acl deny.. seems like a match to deny it to me, and not even worry about continuing further on down the route map

      so if you have:

      ip access-list standard 1
       deny 192.168.10.0 0.0.0.255
      !
      route-map TEST deny 1
       match ip address 1

      the router thinks to itself..

      "ok so you told me the range of ip addresses that you wanted to use were 192.168.10.0 - 192.168.10.255 and you wanted to deny those"

      I get lost from this point on.

      If anyone could explain it a little simpler, I would be very grateful. Thanks.

        • 1. Re: route map with access list
          Brian

          Basically when you use a route-map, it is the route map that either allows (permits) or filters (deny) the routes, and not the ACL or prefix-list.  When using route-maps and calling either an ACL or PL, the ACL or PL should always use a "permit" statement so as to "match" the routes.  Then depending on the use of "deny" or "permit" in the route-map, the appropriate action is taken.  For example, you want to filter a route to 192.168.1.0/24, but allow the 192.168.0.0/24, 192.168.2.0/24 and 192.168.3.0/24.

          ip access-list standard 1
           permit 192.168.1.0 0.0.0.255
          !
          route-map FILTER-1 deny 10
           match ip address 1
          route-map FILTER-1 permit 20
          !

          The above route-map filters (deny) the route to 192.168.1.0/24. The second route-map entry allows all remaining routes, because there is no "match" statement and hence the route-map matches everything and allows (permits) the routes.


          The key is to remember the route-map decides the action to take either filter (deny) or allow (permit) the routes.  The ACL or PL is just used to identify the routes.

          Hope this helps.

          Brian
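The clause-by-clause logic that Matt's table and Brian's reply describe can be checked by simulating it. The following is an added example written for this page, not code from the thread or from Cisco IOS: it models a standard ACL (entries in order, implicit deny at the end) and a route-map (clauses in sequence order, a clause without a match statement matching everything, an ACL deny meaning "no match, try the next clause"), then runs both configurations from the thread through it. The route prefixes it tests and the data layout are constructed for the example.

```python
"""Simulate how an IOS route-map uses a standard ACL to filter routes.

Added example for this thread; the ACL/route-map data structures and the
sample prefixes are constructed here, not taken from a real device.
"""
import ipaddress


def wildcard_to_network(network, wildcard):
    """Turn an IOS 'network wildcard' pair into an IPv4Network.

    Assumes a contiguous wildcard mask such as 0.0.0.255.
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)


def acl_lookup(acl, prefix):
    """Apply a standard ACL to a route.

    The route's network address is tested against each entry in order; a
    route that matches no entry hits the implicit deny at the end of the ACL.
    """
    addr = ipaddress.IPv4Network(prefix).network_address
    for action, net in acl:
        if addr in net:
            return action
    return "deny"  # implicit deny


def route_map_lookup(route_map, acls, prefix):
    """Walk route-map clauses in sequence order and return (verdict, seq).

    - A clause with no match statement matches every route.
    - A clause with 'match ip address <acl>' matches only when the ACL
      permits the route. An ACL deny is NOT a match: the next clause is tried.
    - The first matching clause decides; its own permit/deny is the verdict.
    - If no clause matches, the route-map's implicit deny applies (seq None).
    """
    for seq, action, acl_name in sorted(route_map, key=lambda c: c[0]):
        if acl_name is None or acl_lookup(acls[acl_name], prefix) == "permit":
            return action, seq
    return "deny", None


# Brian's configuration from the reply above, expressed as data:
#   ip access-list standard 1 / permit 192.168.1.0 0.0.0.255
#   route-map FILTER-1 deny 10 / match ip address 1
#   route-map FILTER-1 permit 20
ACLS_BRIAN = {"1": [("permit", wildcard_to_network("192.168.1.0", "0.0.0.255"))]}
FILTER_1 = [(10, "deny", "1"), (20, "permit", None)]

# Matt's configuration: the ACL's only entry is a deny, so it permits nothing.
#   ip access-list standard 1 / deny 192.168.10.0 0.0.0.255
#   route-map TEST deny 1 / match ip address 1
ACLS_MATT = {"1": [("deny", wildcard_to_network("192.168.10.0", "0.0.0.255"))]}
TEST = [(1, "deny", "1")]


def summarize(route_map, acls, prefixes):
    """Evaluate several prefixes against one route-map; returns a dict."""
    return {p: route_map_lookup(route_map, acls, p) for p in prefixes}


if __name__ == "__main__":
    sample = ["192.168.1.0/24", "192.168.2.0/24", "192.168.10.0/24", "10.0.0.0/8"]
    for name, rm, acls in (("FILTER-1", FILTER_1, ACLS_BRIAN), ("TEST", TEST, ACLS_MATT)):
        for prefix, (verdict, seq) in summarize(rm, acls, sample).items():
            where = f"clause {seq}" if seq is not None else "implicit deny (no clause matched)"
            print(f"{name}: {prefix} -> {verdict} via {where}")
```

Running it shows the point of the thread: with FILTER-1, 192.168.1.0/24 is denied by clause 10 and everything else is permitted by clause 20, while with TEST every prefix, including 192.168.10.0/24, falls off the end of the route-map and is dropped by the implicit deny, because an ACL that only denies never produces a match for any clause.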

          • 2. Re: route map with access list
            Matt

            ah i see so the ACL or PL should always be permit because otherwise if it is deny then if it's denying the routes then how can something match if there is nothing to match to? (or another way to put it like you said at the end - if you deny 192.168.1.0 0.0.0.255 then you're identifying basically nothing? given there is implicit deny at the end of every access-list......so once again you're not really matching anything with that command..

            vs the permit where you are permitting 192.168.1.0 0.0.0.255 - so you are allowing these to be matched when it comes to the big boss route map function which ultimately decides the fate of the action to take.

            i think you answered that well, i guess i was just trying to find out what the matching logic actually is and how to describe it best. but thanks Brian you are the best

            • 3. Re: route map with access list
              Brian

              Thank you for the kind words.  Here is a little PDF summarizing the use of the distribute-list command when used to filter routes in EIGRP.

              https://learningnetwork.cisco.com/docs/DOC-10454

              Brian