12-30-2003 08:42 PM - edited 03-02-2019 12:37 PM
Topology:
AS1----------AS2------------AS3
AS1 is our local AS
AS2 is our connected AS
AS3 is another AS connected to AS2
Objective:
At AS1 Accept all the routes present in AS2 except
default route (default is generated by AS2)
and any routes passed through or generated at AS3.
Here is how I am trying to achieve this.
At AS1 I am using a route-map IN for peering with AS2 as follows
route-map test deny 10
 match ip address 1
route-map test permit 20
 match as-path 2
access-list 1 permit 0.0.0.0 0.0.0.0
ip as-path access-list 2 deny _3_
ip as-path access-list 2 permit .*
Explanation:
Seq 10 (deny) of the route map calls access-list 1, which permits 0/0, so 0/0 will be matched and denied in the route map; all other routes will be passed to the next sequential route-map statement. Permit 20 calls ip as-path list 2. The first statement of ip as-path list 2 denies any routes that have passed through or originated in AS3. The second statement permits all other routes, so all routes except AS3 ones will be matched here by permit 20 in the route map.
Then there is an implicit deny at the end of route map which will cause AS3 routes to be dropped.
Questions:
1. Is my understanding of route-map functionality correct?
2. Do I also need to define an IP access-list 2, since the ip as-path statement has access-list 2 referenced in it? Or is "Number 2" an as-path list number?
3. Is there a better way to achieve the same results?
Thanks
IQ
12-31-2003 02:04 AM
Yes 2 is the as-path access list number, you don't need a separate ip access list.
Your approach looks fine. Personally I would do it as follows:
route-map test deny 10
 match ip address 1
route-map test deny 20
 match as-path 2
route-map test permit 30
access-list 1 permit 0.0.0.0 0.0.0.0
ip as-path access-list 2 permit _3_
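The following is an added worked example, not part of this thread or any Cisco code: a small Python model of how IOS evaluates a route-map (sequence order, first matching clause wins, implicit deny at the end), a standard ACL used by "match ip address", and an as-path access-list with Cisco regex semantics, where "_" matches the start or end of the path or a delimiter between AS numbers. It encodes both the original poster's route-map and the variant from the reply above and runs them over a constructed set of routes, including paths through AS 30 and AS 13, to show that "_3_" matches only AS 3 as a whole number and that both policies accept exactly the same prefixes. Route dictionaries, the sample prefixes and all function names are assumptions made for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Cisco as-path regex "_": beginning/end of the path or a delimiter between AS numbers.
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def as_path_acl(entries):
    """Predicate for an 'ip as-path access-list': entries are (action, cisco_regex).
    First matching entry wins; an as-path list ends with an implicit deny."""
    compiled = [(action, re.compile(pat.replace("_", _UNDERSCORE))) for action, pat in entries]

    def match(route):
        path = " ".join(str(asn) for asn in route["as_path"])
        for action, rx in compiled:
            if rx.search(path):
                return action == "permit"
        return False  # implicit deny

    return match


def std_acl(entries):
    """Predicate for a standard ACL referenced by 'match ip address': entries are
    (action, address, wildcard). The route's network address is compared; wildcard
    bits set to 1 are ignored. Implicit deny at the end."""
    parsed = [(action, int(ip_address(a)), 0xFFFFFFFF ^ int(ip_address(w))) for action, a, w in entries]

    def match(route):
        net = int(ip_network(route["prefix"]).network_address)
        for action, addr, mask in parsed:
            if (net & mask) == (addr & mask):
                return action == "permit"
        return False  # implicit deny

    return match


def route_map(clauses):
    """clauses: (sequence, action, [predicates]). Evaluated in sequence order; a clause
    matches when all of its predicates match (no predicates = match everything).
    The first matching clause decides; falling off the end is the implicit deny."""
    ordered = sorted(clauses, key=lambda c: c[0])

    def evaluate(route):
        for _seq, action, preds in ordered:
            if all(p(route) for p in preds):
                return action == "permit"
        return False  # implicit deny

    return evaluate


def accepted(policy, routes):
    """Prefixes the policy permits, sorted for stable comparison."""
    return sorted(r["prefix"] for r in routes if policy(r))


# access-list 1 permit 0.0.0.0 0.0.0.0  (wildcard 0.0.0.0 = exact address match)
ACL_1 = std_acl([("permit", "0.0.0.0", "0.0.0.0")])

# Original poster's version: deny 0/0, then permit only what as-path list 2 permits.
AS_PATH_2_OP = as_path_acl([("deny", "_3_"), ("permit", ".*")])
POLICY_OP = route_map([(10, "deny", [ACL_1]), (20, "permit", [AS_PATH_2_OP])])

# Reply's version: deny 0/0, deny anything matching _3_, then permit the rest.
AS_PATH_2_REPLY = as_path_acl([("permit", "_3_")])
POLICY_REPLY = route_map([(10, "deny", [ACL_1]), (20, "deny", [AS_PATH_2_REPLY]), (30, "permit", [])])

# Constructed sample routes as AS1 would receive them from AS2 (first hop is AS 2).
SAMPLE_ROUTES = [
    {"prefix": "0.0.0.0/0", "as_path": [2]},        # AS2's default: must be dropped
    {"prefix": "10.1.0.0/16", "as_path": [2]},      # originated in AS2: keep
    {"prefix": "10.2.0.0/16", "as_path": [2, 3]},   # originated in AS3: drop
    {"prefix": "10.3.0.0/16", "as_path": [2, 3, 4]},  # passed through AS3: drop
    {"prefix": "10.4.0.0/16", "as_path": [2, 30]},  # AS 30 is not AS 3: keep
    {"prefix": "10.5.0.0/16", "as_path": [2, 13]},  # AS 13 is not AS 3: keep
]

if __name__ == "__main__":
    for name, policy in (("original", POLICY_OP), ("reply", POLICY_REPLY)):
        print(name, accepted(policy, SAMPLE_ROUTES))
```

Both policies accept 10.1.0.0/16, 10.4.0.0/16 and 10.5.0.0/16 and drop the rest. The underscore anchoring is the part worth checking in a real deployment: a bare "3" would also match AS 30 and AS 13 and silently drop far more than intended.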
12-31-2003 02:04 AM
Hi,
Your understanding about route maps is correct. And "match as-path 2" corresponds only to AS Path ACL 2, which you have created, so no need for ACL 2.
Instead of ACL, you can go for prefix lists which are easy to edit. That solution will be scalable if you want to deny more than 0.0.0.0/0 in future.
Thanks and regards..
Ashok.