Route-map operation when ACL is missing

TomElgin49285
Level 1

I was messing around with route-maps and came across something that raised a question for me.

[Image: Capture.JPG]

I got BGP set up and was able to ping all of R1's loopbacks from R2. Then, I went into R2 and configured the following:

 

access-list 1 permit 20.20.0.0 0.0.255.255

route-map BLOCK deny 10
match ip address 1
!
route-map BLOCK permit 20

 

After doing this, I was still able to ping all of the loopbacks in the 10.x.x.x address space and was not able to ping any of the loopbacks in the 20.20.x.x address space (as expected).

 

Next, I deleted ACL 1 in R2. After doing this, I could no longer ping any of the 10.x.x.x loopbacks in R1. Why does a match statement with a non-existent ACL block everything? I was expecting it to allow everything (both the 10.x.x.x IPs and 20.x.x.x IPs).

Regards,

Tom

3 Replies

Hello

 


route-map BLOCK deny 10

Next, I deleted ACL 1 in R2. After doing this, I could no longer ping any of the 10.x.x.x loopbacks in R1. Why does a match statement with a non-existent ACL block everything? I was expecting it to allow everything (both the 10.x.x.x IPs and 20.x.x.x IPs).

 


A route-map statement with no match clause will match on everything (catch-all), so since your statement is denying, it will deny everything.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I didn't think that through, did I? LOL :(  Thanks for your reply.

Deepak Kumar
VIP Alumni

Hi,

Let's explain in simple words:

access-list 1 permit 20.20.0.0 0.0.255.255

route-map BLOCK deny 10
match ip address 1
!
route-map BLOCK permit 20

 

Here, the ACL "permit" statement is not a final action. Using an ACL with a route map requires more understanding of what the ACL action means.

 

access-list 1 permit 20.20.0.0 0.0.255.255  <--------- This is the interesting traffic, which is forwarded to the route-map for the final action.

 

route-map BLOCK permit 20 <-------- here the ACL 1 traffic is allowed/permitted.

 

Why is the rest of your 10.x.x.x traffic also allowed?

Because in the newer versions of IOS (not sure from which version onward) the default action at the end of the route map also allows, meaning everything else is allowed. This does not need to be configured.

 

What happened after deleting the ACL while the ACL number was still in the route-map?

As mentioned: a route-map statement with no match clause will match on everything (catch-all), so since your statement is denying, it will deny everything.

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
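To make the behaviour Paul and Deepak describe concrete, here is an added Python model of route-map evaluation (not code from the thread or from Cisco): sequences are walked in order, a standard ACL with IOS wildcard masks decides whether a sequence matches, a sequence whose match clause is absent or whose ACL no longer exists is treated as a catch-all, and an implicit deny sits at the end. The ACL, route-map and prefixes are constructed from the original post.

```python
import ipaddress

# Constructed from the thread's configuration; not router output.
ACL_1 = [("permit", "20.20.0.0", "0.0.255.255")]   # access-list 1 permit 20.20.0.0 0.0.255.255
BLOCK = [(10, "deny", "1"), (20, "permit", None)]  # route-map BLOCK deny 10 (match ip address 1), permit 20

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard test: bits set in the wildcard mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    wc = int(ipaddress.IPv4Address(wildcard))
    return (a & ~wc) == (n & ~wc)

def acl_permits(acl, addr: str) -> bool:
    """Standard ACL: first matching entry wins; implicit deny at the end."""
    for action, net, wc in acl:
        if wildcard_match(addr, net, wc):
            return action == "permit"
    return False

def route_map_permits(route_map, acls: dict, prefix: str) -> bool:
    """Evaluate the route-map for one prefix such as '10.1.1.0/24'.
    A sequence with a usable ACL matches only when the ACL permits the network
    address; a sequence with no usable match clause matches everything.
    The first matching sequence's action wins; no match means deny."""
    addr = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for _seq, action, acl_name in route_map:
        acl = acls.get(acl_name) if acl_name is not None else None
        if acl is not None and not acl_permits(acl, addr):
            continue  # match clause present but did not match: next sequence
        # No match clause, or the referenced ACL does not exist (assumption
        # modelled on the thread: a missing ACL behaves like no match clause).
        return action == "permit"
    return False  # implicit deny at the end of every route-map

def scenario() -> dict:
    """Before and after deleting ACL 1, as the original poster observed."""
    with_acl, without_acl = {"1": ACL_1}, {}
    return {
        "10.x with ACL": route_map_permits(BLOCK, with_acl, "10.1.1.0/24"),
        "20.20.x with ACL": route_map_permits(BLOCK, with_acl, "20.20.1.0/24"),
        "10.x ACL deleted": route_map_permits(BLOCK, without_acl, "10.1.1.0/24"),
        "20.20.x ACL deleted": route_map_permits(BLOCK, without_acl, "20.20.1.0/24"),
    }

if __name__ == "__main__":
    for label, permitted in scenario().items():
        print(f"{label:22s} -> {'permit' if permitted else 'deny'}")
```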