08-06-2020 04:43 PM - edited 08-06-2020 04:52 PM
I was messing around with route-maps and came across something that raised a question for me.
I got BGP set up and was able to ping all of R1's loopbacks from R2. Then, I went into R2 and configured the following:
access-list 1 permit 20.20.0.0 0.0.255.255
route-map BLOCK deny 10
match ip address 1
!
route-map BLOCK permit 20
After doing this, I was still able to ping all of the loopbacks in the 10.x.x.x address space and was not able to ping any of the loopbacks in the 20.20.x.x address space (as expected).
Next, I deleted ACL 1 in R2. After doing this, I could no longer ping any of the 10.x.x.x loopbacks in R1. Why does a match statement with a non-existent ACL block everything? I was expecting it to allow everything (both the 10.x.x.x IPs and 20.x.x.x IPs).
Regards,
Tom
08-06-2020 10:12 PM
Hello
route-map BLOCK deny 10
Next, I deleted ACL 1 in R2. After doing this, I could no longer ping any of the 10.x.x.x loopbacks in R1. Why does a match statement with a non-existent ACL block everything? I was expecting it to allow everything (both the 10.x.x.x IPs and 20.x.x.x IPs).
A route-map statement with no match clause will match on everything (catch-all), so as your statement is denying, it will deny everything.
08-07-2020 06:12 AM
I didn't think that through, did I? LOL :( Thanks for your reply.
08-07-2020 03:20 AM
Hi,
Let's explain in simple words:
access-list 1 permit 20.20.0.0 0.0.255.255
route-map BLOCK deny 10
match ip address 1
!
route-map BLOCK permit 20
Here, the ACL "permit" statement is not the final action. Using an ACL with a route-map requires more understanding of what the ACL's action means.
access-list 1 permit 20.20.0.0 0.0.255.255 <--------- This is interesting traffic which forwarded to route-map for final action.
route-map BLOCK permit 20 <-------- here ACL 1 traffic is allowed/permitted.
Why is the rest of your 10.x.x.x traffic also allowed?
Because in newer versions of IOS (not sure from which version onward) the default action at the end of the route-map also allows, meaning everything else is allowed. This does not need to be configured.
What happens after deleting the ACL while the ACL number is still in the route-map?
As mentioned: a route-map statement with no match clause will match on everything (catch-all), so as your statement is denying, it will deny everything.
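As an added illustration of the behaviour both replies above describe (this is not code from the thread), here is a small Python model of how IOS evaluates a route-map whose sequence references a standard ACL. The prefixes, the first-match ACL semantics and the catch-all handling of a missing ACL are simplified assumptions of the model, which also applies the IOS rule that a prefix matched by no sequence is denied.

```python
import ipaddress

# Constructed, simplified model: only "match ip address <standard-acl>" is modelled,
# and a standard ACL is applied to the route's network address.

def acl_permits(acl_entries, prefix):
    """Standard ACL: first matching entry decides; implicit deny if none match."""
    net = ipaddress.ip_network(prefix, strict=False)
    addr_bits = int(net.network_address)
    for action, address, wildcard in acl_entries:
        # Wildcard mask: 0 bits must match, 1 bits are "don't care".
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if (addr_bits & care) == (int(ipaddress.ip_address(address)) & care):
            return action == "permit"
    return False

def route_map_permits(route_map, acls, prefix):
    """Sequences are evaluated in order; the first sequence that matches decides.
    A sequence with no match clause, or whose ACL does not exist, matches everything
    (catch-all). A prefix matched by no sequence is denied (IOS implicit deny)."""
    for action, match_acl in route_map:
        if match_acl is None or match_acl not in acls:
            matched = True          # catch-all: no match clause, or deleted ACL
        else:
            matched = acl_permits(acls[match_acl], prefix)
        if matched:
            return action == "permit"
    return False

# The thread's route-map BLOCK: "deny 10 / match ip address 1" then "permit 20".
ROUTE_MAP_BLOCK = [("deny", "1"), ("permit", None)]
ACLS_BEFORE = {"1": [("permit", "20.20.0.0", "0.0.255.255")]}
ACLS_AFTER = {}                      # "no access-list 1": route-map left unchanged
# Constructed sample loopback networks standing in for R1's 10.x and 20.20.x loopbacks.
PREFIXES = ["10.1.1.0/24", "20.20.1.0/24"]

def evaluate(route_map, acls):
    """Return {prefix: permitted?} for every sample prefix."""
    return {p: route_map_permits(route_map, acls, p) for p in PREFIXES}

if __name__ == "__main__":
    print("ACL 1 present:", evaluate(ROUTE_MAP_BLOCK, ACLS_BEFORE))
    print("ACL 1 deleted:", evaluate(ROUTE_MAP_BLOCK, ACLS_AFTER))
    # Without the catch-all "permit 20", the implicit deny drops the 10.x routes too.
    print("deny 10 only: ", evaluate(ROUTE_MAP_BLOCK[:1], ACLS_BEFORE))
```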