Route Map Processing Question

rtannertwc · ‎07-13-2012

What I am needing to do is control what I advertise into BGP. Specifically, I have two groups of connected networks, one cannot be advertised, the other group needs to be advertised. My question is how route maps are processed. One of the members in my team (who honestly is more experienced and smarter than me) is concerned that my first prefix list will also deny the network I am trying to advertise because of the implicit deny all at the end of a prefix list that contains any terms. My contention is that each route-map is processed separately and in order (like firewall filter terms). Here is simplified version of how I am proposing to run this:

(BGP configuration)

redistribute connected route-map CONNECTED

route-map CONNECTED deny 10

match ip address prefix-list DENY

route-map CONNECTED permit 20

match ip address prefix-list allow

ip prefix-list DENY seq 10 deny 192.168.0.0/24

ip prefix-list ALLOW seq 10 permit 192.168.1.0/24

Can anyone definitivly solve this argument. I am having trouble finding any route map examples or explinations that use more than one sequence.

Thanks in advance

smehrnia · ‎07-13-2012

Hi There,

for your goal, you have to PERMIT the prefix in the prefix-list. then DENY the prefix that u dont want to be advertised, in the route-map.

basically, when u permit a prefix in a prefix-list, you are allowing a match condition to be met. then for that match (here 192.168.0.0/24) you deny it in the route-map.

redistribute connected route-map CONNECTED

route-map CONNECTED deny 10

match ip address prefix-list DENY

route-map CONNECTED permit 20

match ip address prefix-list allow

ip prefix-list DENY seq 10 permit 192.168.0.0/24

ip prefix-list ALLOW seq 10 permit 192.168.1.0/24

ADDED:

in this particular case, its good to know that whatever prefix that is allowed in the prefix-list to be matched (permit) will participate in the route map's rule (permit or deny), it means that if u permit a Net ID in the prefix list and includ it in a route map with a deny rule. it will be denied there.

but if u deny a prefix in a prefix list and include it in a route map with either permit or deny rule, the route-map wouldnt consider that prefix as a match!

Hope it Helps,

Soroush.

Hope it Helps!

Soroush.

ananth234 · ‎07-13-2012

Hi

Please correct this typo too

route-map CONNECTED permit 20

match ip address prefix-list allow

"allow" is in lower case but in the prefix list you have defined it is in uppercase

So change it to

route-map CONNECTED permit 20

match ip address prefix-list ALLOW

Giuseppe Larosa · ‎07-14-2012

Hello Rtannertwc,

when invoking an ACL or a prefix list within a route-map clause, only a match with a permit statement in the invoked filter is considered a true match and the IP prefix that has matched is treated accordingly to the permit/deny action of the route-map clause itself.

A deny statement in the invoked prefix-list and the implicit deny any at the end of the prefix-list are not considered a match at route-map clause level.

This is done to allow the necessary modularity in writing the route-maps: otherwise the first invoked prefix-list or ACL would not allow the following route-map clauses to be evaluated making them useless.

About this you can read the following document:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml

To be noted in your case you could easily achieve the same results with network commands in the BGP router process:

router bgp

network 192.168.1.0

by omitting network statements for the connected routes you do not want to advertise you achieve the same result.

Edit:

there is a limit to the number of network statements that can be configured (it was 200 some time ago) so if the number of involved IP subnets is high, redistribution of connected with a route-map is the only way to achieve this.

Hope to help

Giuseppe