
Route map - empty clause

Roel Reyes
Level 1

Hi all, 

 

I have a question about the config below:

 

Scenario 1:

 

ip access-list standard Outbound_to_ISP1

(empty)

 

route-map ISPLocalPref, permit, sequence 20
Match clauses:
ip address (access-lists): Outbound_to_ISP1
Set clauses:
local-preference 110

route-map ISPLocalPref, permit, sequence 30
Match clauses:
Set clauses:

The result is that local pref is applied.

Question 1:

Does this mean that having an empty ACL will match any IP address?

 

Scenario 2:

 

ip access-list standard Outbound_to_ISP1

  permit 172.16.0.0/16

 

route-map ISPLocalPref, permit, sequence 20
Match clauses:
ip address (access-lists): Outbound_to_ISP1
Set clauses:
local-preference 110

route-map ISPLocalPref, permit, sequence 30
Match clauses:
Set clauses:

 

Question 2:

The book said an empty clause at the end of the route map simply passes all other routes unchanged. Every route map ends with an implicit deny all, so if it is not included, prefixes that don't match the first clause will be dropped.

Does that mean that with "routes unchanged" they will keep their default local preference value? And "prefixes that don't match will be dropped" means they will literally be dropped? No prefix will be entered?

 

Thanks all, 

2 Accepted Solutions

Hi Roel,

About question 1, it could be because it is being applied to everything because there is no valid match, if you type:

ip access-list standard Outbound_to_ISP1  (empty)

So it will apply local-preference 110 to everything.

Now about question 2, by default there is an implicit deny at the end of the route-maps. The route-maps can be used for many tasks, but there are cases where you can be manipulating traffic for a specific network or host, but if you don't configure an empty the rest of the traffic (where you are not matching or applying anything) will be denied. It can be seen during redistribution with route-maps.

 

This link can be useful

https://supportforums.cisco.com/t5/wan-routing-and-switching/route-map-implicit-deny/td-p/2779768

 

:-)

 




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<


Hello

An empty ACL being matched in a route-map PERMIT clause will match all routes.

Scenario 1:
ISPLocalPref 20 <-- Will match on all routes and apply LP 110
ISPLocalPref 30 <-- Catch all that isn't matched by Stanza 20, so in this case nothing to catch

Scenario 2:
ISPLocalPref 20 <-- Will match on the subnet specified in acl 172.16.0.0/16 and apply LP 110
ISPLocalPref 30 <-- Catch all other routes that aren't matched by Stanza 20, so in this case everything other than subnet 172.16.0.0/16

res
Paul


 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
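
An added example, not part of the original thread or any Cisco code: a small Python model of the route-map evaluation the two answers above describe, run against both scenarios from the question plus Scenario 2 without the empty sequence 30. The function names, the sample routes and the use of None for a filtered route are assumptions; an ACL with no entries is modelled as matching every route, as reported in this thread.

```python
import ipaddress

DEFAULT_LOCAL_PREF = 100  # BGP default when no set clause changes it

def acl_matches(entries, prefix):
    """Standard ACL test on a route's network address, first entry wins.
    An ACL with no entries is modelled as matching every route, which is
    the behaviour reported in this thread."""
    if not entries:
        return True
    addr = ipaddress.ip_network(prefix).network_address
    for action, net in entries:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False  # implicit deny at the end of a non-empty ACL

def apply_route_map(clauses, acls, prefix):
    """Return the resulting local preference, or None if the route is filtered.
    Each clause is (sequence, action, match_acl_or_None, set_local_pref_or_None)."""
    for _seq, action, match_acl, set_lp in sorted(clauses, key=lambda c: c[0]):
        if match_acl is not None and not acl_matches(acls.get(match_acl, []), prefix):
            continue  # no match: fall through to the next sequence
        if action == "deny":
            return None
        return DEFAULT_LOCAL_PREF if set_lp is None else set_lp
    return None  # implicit deny at the end of every route-map

# Constructed sample data mirroring the two scenarios in the question.
ROUTE_MAP = [(20, "permit", "Outbound_to_ISP1", 110), (30, "permit", None, None)]
ROUTES = ["172.16.5.0/24", "10.1.1.0/24"]

def run_scenarios():
    empty_acl = {"Outbound_to_ISP1": []}
    one_entry = {"Outbound_to_ISP1": [("permit", "172.16.0.0/16")]}
    return {
        "scenario1": [apply_route_map(ROUTE_MAP, empty_acl, r) for r in ROUTES],
        "scenario2": [apply_route_map(ROUTE_MAP, one_entry, r) for r in ROUTES],
        "scenario2_no_seq30": [apply_route_map(ROUTE_MAP[:1], one_entry, r) for r in ROUTES],
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, dict(zip(ROUTES, result)))
```

In the last case the 10.1.1.0/24 route comes back as None: with no empty permit clause it reaches the route-map's implicit deny and is filtered rather than passed with the default local preference.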


4 Replies

Julio E. Moisa
VIP Alumni

Hi

 

For question 1, to be honest I have not configured a route-map with an empty ACL before, but my logic says it should not apply any changes to the traffic, because an empty ACL will not be included in the configuration, so the route-map will consider it as empty.

I tested it with the following config and nothing happened; the traffic was flowing as normal.

 

router eigrp 1
distribute-list route-map test in
network 10.0.0.2 0.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
route-map test permit 5
match ip address 110

 

 

About question 2

The route-map uses sequences; by default there is an implicit deny at the bottom of the sequences, for example:

access-list 100 permit tcp host 1.1.1.1 any eq http

route-map TEST permit 5
 match ip address 100
 set ip next-hop 10.0.0.1

 

-->nothing else<--

 

It will manipulate the HTTP traffic for the source 1.1.1.1; the rest of the traffic will be denied. So you need to configure an empty route-map at the bottom, so no changes will be applied to the rest of the traffic and it will flow as normal.

access-list 100 permit tcp host 1.1.1.1 any eq http

route-map TEST permit 5
 match ip address 100
 set ip next-hop 10.0.0.1

route-map TEST permit 100

For your example, all the networks or hosts included in the ACL Outbound_to_ISP1 will have a local-preference of 110 applied; the rest of the traffic will pass as normal, with no changes or arguments applied.

 

route-map ISPLocalPref, permit, sequence 20
Match clauses:
ip address (access-lists): Outbound_to_ISP1
Set clauses:
local-preference 110

route-map ISPLocalPref, permit, sequence 30
Match clauses:
Set clauses:

 

 

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other members of the community. <<

Hi Thanks Julio, 

 

For question 1, I'm not sure why it is accepted on my side.

Capture.PNG

For question 2, what do you mean by "the rest of the traffic will be denied"? HTTP traffic will be dropped or will not pass on my router, right? Unlike having an empty clause at the end, which causes HTTP traffic to pass as normal if it did not match any?
