What I am needing to do is control what I advertise into BGP. Specifically, I have two groups of connected networks, one cannot be advertised, the other group needs to be advertised. My question is how route maps are processed. One of the members in my team (who honestly is more experienced and smarter than me) is concerned that my first prefix list will also deny the network I am trying to advertise because of the implicit deny all at the end of a prefix list that contains any terms. My contention is that each route-map is processed separately and in order (like firewall filter terms). Here is simplified version of how I am proposing to run this:
redistribute connected route-map CONNECTED
route-map CONNECTED deny 10
match ip address prefix-list DENY
route-map CONNECTED permit 20
match ip address prefix-list allow
ip prefix-list DENY seq 10 deny 192.168.0.0/24
ip prefix-list ALLOW seq 10 permit 192.168.1.0/24
Can anyone definitivly solve this argument. I am having trouble finding any route map examples or explinations that use more than one sequence.
Thanks in advance
for your goal, you have to PERMIT the prefix in the prefix-list. then DENY the prefix that u dont want to be advertised, in the route-map.
basically, when u permit a prefix in a prefix-list, you are allowing a match condition to be met. then for that match (here 192.168.0.0/24) you deny it in the route-map.
in this particular case, its good to know that whatever prefix that is allowed in the prefix-list to be matched (permit) will participate in the route map's rule (permit or deny), it means that if u permit a Net ID in the prefix list and includ it in a route map with a deny rule. it will be denied there.
but if u deny a prefix in a prefix list and include it in a route map with either permit or deny rule, the route-map wouldnt consider that prefix as a match!
Hope it Helps,
when invoking an ACL or a prefix list within a route-map clause, only a match with a permit statement in the invoked filter is considered a true match and the IP prefix that has matched is treated accordingly to the permit/deny action of the route-map clause itself.
A deny statement in the invoked prefix-list and the implicit deny any at the end of the prefix-list are not considered a match at route-map clause level.
This is done to allow the necessary modularity in writing the route-maps: otherwise the first invoked prefix-list or ACL would not allow the following route-map clauses to be evaluated making them useless.
About this you can read the following document:
To be noted in your case you could easily achieve the same results with network commands in the BGP router process:
by omitting network statements for the connected routes you do not want to advertise you achieve the same result.
there is a limit to the number of network statements that can be configured (it was 200 some time ago) so if the number of involved IP subnets is high, redistribution of connected with a route-map is the only way to achieve this.
Hope to help