Does a route-map need a trailing permit sequence?

aweise
Level 1

I'm doing some PBR on a 6509 and have the following:

route-map CLIENT-SVCS permit 10
  match ip address CLIENT-MGMT-SERVICES
  set ip next-hop 192.168.1.2

This policy will be applied to an SVI, which is on the external side of an HA firewall pair. On the internal side of the pair is our server farm. So, I don't want to accidentally block all other traffic that's not matched by the CLIENT-MGMT-SERVICES ACL. Do I need something like this:

route-map CLIENT-SVCS permit 10
  match ip address CLIENT-MGMT-SERVICES
  set ip next-hop 192.168.1.2
route-map CLIENT-SVCS permit 20

Then apply the policy to the SVI?


John Blakley
VIP Alumni

In normal pbr, you don't need a trailing permit. Whatever doesn't match will be forwarded normally based on the routing table.

Hth,
John
Sent from Cisco Technical Support iPhone App

HTH, John *** Please rate all useful posts ***

Thank you, John. I had done that in the past (no trailing permit), but I got the impression from someone else that I needed it so that all unmatched traffic would pass - assuming there was an implicit deny, like an ACL has.

Hello aweise,

As John said, no trailing permit sequence is needed. If you think about it, it is logical: even if the next-hop mentioned in the route-map is not available, no traffic will be blackholed. It will be routed based on the routing table.

Best Regards

Please rate helpful posts and close solved questions


When you're using it for pbr, you don't need the trailing permit. When you're using route-maps for routing (say bgp), then you need the trailing permit in order to catch all of the other routes so they don't get denied into the table. Otherwise, you should be good with what you have above.

For example, if you have 3 routes and you want to change the local-pref on a single route:

access-list 10 permit 192.168.1.0 0.0.0.255
!
route-map LocalPref permit 10
  match ip address 10
  set local-preference 150
!
router bgp 1
  neighbor 1.1.1.1 route-map LocalPref in

If you didn't put the "route-map LocalPref permit 20", then you'd get the single route of 192.168.1.0 with a local-pref of 150, but you'd deny your other routes (192.168.2.0 and .3.0). That's where the implicit deny comes in.

HTH,
John

*** Please rate all useful posts ***


More to John's point, here is an excerpt from Cisco:

  • Cisco recommends that you number clauses in intervals of 10, to reserve numbering space in case you need to insert clauses in the future.
  • Route-maps can have permit and deny clauses. In route-map ospf-to-eigrp, there is one deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches from redistribution. Therefore, these rules apply:
    • If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.
    • If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.
    • If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.
  • Each route-map clause has two types of commands:
    • match—Selects routes to which this clause should be applied.
    • set—Modifies information which will be redistributed into the target protocol.
    For each route that is being redistributed, the router first evaluates the match command of a clause in the route-map. If the match criteria succeeds, then the route is redistributed or rejected as dictated by the permit or deny clause, and some of its attributes might be modified by set commands. If the match criteria fails, then this clause is not applicable to the route, and Cisco IOS software proceeds to evaluate the route against the next clause in the route-map. Scan of the route-map continues until a clause is found whose match command(s) match the route or until the end of the route-map is reached.
  • A match or set command in each clause can be missed or repeated several times, if one of these conditions exists:
    • If several match commands are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).
    • If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip address 101 121 command, a route is permitted if it is permitted by access list 101 or access list 121.
    • If a match command is not present, all routes match the clause. In the previous example, all routes that reach clause 30 match; therefore, the end of the route-map is never reached.
    • If a set command is not present in a route-map permit clause then the route is redistributed without modification of its current attributes.

Do not configure a set command in a deny route-map clause because the deny clause prohibits route redistribution—there is no information to modify. A route-map clause without a match or set command performs an action. An empty permit clause allows a redistribution of the remaining routes without modification. An empty deny clause does not allow a redistribution of other routes (this is the default action if a route-map is completely scanned but no explicit match is found). Based on the information in this section, the previous OSPF-to-EIGRP route-map example does this:

  • Prohibits the redistribution of all Type-2 external OSPF routes with tag 6 set.
  • Redistributes into EIGRP all routes which match the pfx prefix list, with five metric values—40000, 1000, 255, 1, and 1500.
  • Redistributes all other routes and sets their tags to 8 (the default).

HTH!

-Chris
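The evaluation rules quoted above (first-match scan in sequence order, AND across match commands, OR across the ACLs of one match command, a match-less clause matching everything, implicit deny at the end of the map) are the same whether the route-map is used for PBR or for BGP route filtering; what differs is what the caller does with a deny. The following Python model is an added example, not code from this thread or from Cisco: it implements those rules and then shows John's two cases side by side, the CLIENT-SVCS PBR map from the question (unmatched traffic falls back to the routing table) and the LocalPref BGP map with and without the trailing "permit 20" (unmatched routes are dropped). The ACL contents, the BGP prefixes, the received local-preference of 100 and the fallback next hop 10.0.0.1 are constructed; ACLs are written as CIDR rather than IOS wildcard masks.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Callable, Dict, List, Tuple

# A standard ACL modelled as ordered (action, CIDR) entries. Like IOS there is an implicit
# deny when no entry matches. CIDR is used here instead of IOS wildcard masks.
ACL = List[Tuple[str, str]]


def acl_permits(acl: ACL, target: str) -> bool:
    """True when the first ACL entry covering the target (host or prefix) is a permit."""
    net = ip_network(target, strict=False)
    for action, entry in acl:
        if net.subnet_of(ip_network(entry, strict=False)):
            return action == "permit"
    return False  # end of ACL: implicit deny


@dataclass
class Clause:
    seq: int
    action: str  # "permit" or "deny"
    # Each inner list is one 'match ip address A B ...' (OR across its ACLs);
    # several match commands in a clause are ANDed. Empty list: clause matches everything.
    matches: List[List[str]] = field(default_factory=list)
    sets: Dict[str, object] = field(default_factory=dict)


@dataclass
class RouteMap:
    name: str
    clauses: List[Clause]
    acls: Dict[str, ACL]

    def evaluate(self, target: str) -> Tuple[str, Dict[str, object]]:
        """Scan clauses in sequence order; the first clause whose matches all succeed decides.
        Returns (action, set-values). Reaching the end of the route-map is an implicit deny."""
        for clause in sorted(self.clauses, key=lambda c: c.seq):
            if all(any(acl_permits(self.acls[name], target) for name in group)
                   for group in clause.matches):
                # a deny clause never applies set commands
                return clause.action, (dict(clause.sets) if clause.action == "permit" else {})
        return "deny", {}


def pbr_next_hop(rmap: RouteMap, dst_ip: str, rib_lookup: Callable[[str], str]) -> str:
    """PBR: a permit clause with 'set ip next-hop' overrides; anything else is routed normally."""
    action, sets = rmap.evaluate(dst_ip)
    if action == "permit" and "next-hop" in sets:
        return str(sets["next-hop"])
    return rib_lookup(dst_ip)


def bgp_inbound(rmap: RouteMap, routes: Dict[str, Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Route filtering ('neighbor ... route-map X in'): a denied route is dropped outright."""
    accepted: Dict[str, Dict[str, object]] = {}
    for prefix, attrs in routes.items():
        action, sets = rmap.evaluate(prefix)
        if action == "permit":
            accepted[prefix] = {**attrs, **sets}
    return accepted


# Constructed sample data: the thread gives only ACL names, next hops and prefixes.
ACLS: Dict[str, ACL] = {
    "CLIENT-MGMT-SERVICES": [("permit", "10.10.0.0/16")],  # assumed contents of the named ACL
    "10": [("permit", "192.168.1.0/24")],                   # access-list 10 from John's post
}

ROUTE_MAP_CLIENT_SVCS = RouteMap("CLIENT-SVCS", [
    Clause(10, "permit", [["CLIENT-MGMT-SERVICES"]], {"next-hop": "192.168.1.2"}),
], ACLS)


def pbr_demo() -> Dict[str, str]:
    """Matched traffic goes to 192.168.1.2; unmatched traffic follows the routing table."""
    rib = lambda ip: "10.0.0.1"  # constructed: everything else resolves via 10.0.0.1
    return {ip: pbr_next_hop(ROUTE_MAP_CLIENT_SVCS, ip, rib) for ip in ("10.10.5.5", "172.16.1.1")}


def bgp_demo(with_catch_all: bool) -> Dict[str, Dict[str, object]]:
    """John's LocalPref example, with or without the trailing 'route-map LocalPref permit 20'."""
    clauses = [Clause(10, "permit", [["10"]], {"local-preference": 150})]
    if with_catch_all:
        clauses.append(Clause(20, "permit"))  # no match command: matches every remaining route
    rmap = RouteMap("LocalPref", clauses, ACLS)
    received = {p: {"local-preference": 100} for p in
                ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")}
    return bgp_inbound(rmap, received)


if __name__ == "__main__":
    print("PBR next hops:", pbr_demo())
    print("BGP without permit 20:", sorted(bgp_demo(with_catch_all=False)))
    print("BGP with permit 20:", sorted(bgp_demo(with_catch_all=True)))
```

Running the module prints the next hop chosen for a matched and an unmatched destination, then the prefixes accepted from the neighbor with and without the catch-all clause; only the second BGP run keeps 192.168.2.0/24 and 192.168.3.0/24, which is the implicit deny John describes.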
