Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
3443
Views
0
Helpful
5
Replies
Highlighted
rakeshvelagala
Participant
Participant
‎02-24-2016 08:53 PM
‎02-24-2016 08:53 PM

Route-map Processing with Prefix-list

Hi All,

Please advise on the below

Say I have BGP peering between A and B

R2(10.1.23.1)------(10.1.23.2)R3

Question: In seq 10 of route-map I have matched the prefix-list which matches 153.153.153.0/24 and it has to be denied. But why is it still advertised to the peer R2???

When I remove the seq 20 of the route-map, it works as intended. But shouldn't the route-map stop processing for the route 153.153.153.0/24 once it matches the seq 10?? Please advise.

R3#sh run | s router
router bgp 3
bgp log-neighbor-changes
network 153.153.153.0 mask 255.255.255.0
network 153.153.154.0 mask 255.255.255.0
neighbor 10.1.23.1 remote-as 65001
neighbor 10.1.23.1 route-map R3_R4_PL out

R3#sh ip prefix-list
ip prefix-list R3_R4_PL: 2 entries
seq 5 deny 153.153.153.0/24
seq 10 permit 153.153.154.0/24

R3#sh route-map
route-map R3_R4_PL, permit, sequence 10
Match clauses:
ip address prefix-lists: R3_R4_PL
Set clauses:
Policy routing matches: 0 packets, 0 bytes

route-map R3_R4_PL, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

on R2:

R2#sh ip bgp | b RPKI
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 153.153.153.0/24 10.1.23.2 0 0 3 i
*> 153.153.154.0/24 10.1.23.2 0 0 3 i

Labels:
Everyone's tags (1)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Masoud Pourshabanian
Collaborator
Collaborator
‎02-24-2016 09:26 PM
‎02-24-2016 09:26 PM

Hello,

Hello,

Because it matches with route-map R3_R4_PL 20.

If a route matches with deny statement in the first route-map ,it will be checked with the same route-map with higher number(in your case 20)

Hope it help,

Masoud

View solution in original post

0 Helpful
Reply
5 REPLIES 5
Highlighted
Masoud Pourshabanian
Collaborator
Collaborator
‎02-24-2016 09:26 PM
‎02-24-2016 09:26 PM

Hello,

Hello,

Because it matches with route-map R3_R4_PL 20.

If a route matches with deny statement in the first route-map ,it will be checked with the same route-map with higher number(in your case 20)

Hope it help,

Masoud

View solution in original post

0 Helpful
Reply
Highlighted
rakeshvelagala
Participant
Participant
‎02-24-2016 09:38 PM
‎02-24-2016 09:38 PM

Hi Masoud,

Hi Masoud,

Thanks for your reply. My confusion is since the seq 10 is matched, why it still needs to go to seq 20? Please advise.

Route maps have many features in common with widely known ACLs. These are some of the traits common to both:

They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation of ACL or route maps consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.

0 Helpful
Reply
Highlighted
rakeshvelagala
Participant
Participant
‎02-24-2016 09:46 PM
‎02-24-2016 09:46 PM

Hi Masoud,

Hi Masoud,

https://learningnetwork.cisco.com/thread/40264

Thanks. One of the blogs, Brian Answered

If a route-map's match commands refer to an ACL or prefix list, and the ACL or prefix list matches a route with the deny action, the route is not filtered.   Instead, it means the route does not match the match command logic, resulting in the Cisco IOS to consider the next route-map clause.

 

When using route-maps to call a ip prefix-list or ACL, the route-map decides the action (deny or permit).  The prefix-list or ACL should always use "permit" clauses.

 

The route-map command includes an implied “deny” all clause at the end; to configure a permit all, use the route-map command with a permit action, but

without a match command.

 

Brian

0 Helpful
Reply
Highlighted
Masoud Pourshabanian
Collaborator
Collaborator
‎02-24-2016 09:53 PM
‎02-24-2016 09:53 PM

That is what you did in your

That is what you did in your route-map. No match so everything is permitted.

0 Helpful
Reply
Highlighted
Masoud Pourshabanian
Collaborator
Collaborator
‎02-24-2016 09:50 PM
‎02-24-2016 09:50 PM

It is because of DENY

It is because of DENY property.

First consider  router map  [name]10 which has ACL. Scan starts from the first entry in ACL. If any match is found, scan is aborted. If it matches with permit, the scan is completely aborted but if it matches deny(ACL is aborted), it will be checked with the route-map with higher number.

Masoud

0 Helpful
Reply
Latest Contents
MST Configuration
Created by RS19 on 06-04-2020 11:19 PM
1
0
1
0
I have Cisco 2960 switch & I am going to use MST for spanning tree Below is the configuration spanning-tree mst configuration name TEST-MST revision 1 instance 1 vlan 101 instance 1 vlan 102 I have 2 VLANS & I wa... view more
Issues WS-C2960X-48FPD-L | some ports are not working
Created by hmc250000 on 06-04-2020 11:42 AM
7
0
7
0
We are having issues with  a WS-C2960X-48FPD-L running IOS 15.2(2)E7. Some ports  are simply not working. We had POE issues on some of the ports and decided to upgrade to hopefully resolve those issues but this has now become an even bigger issu... view more
Core switch replacement
Created by ffa1100 on 06-03-2020 03:17 AM
4
0
4
0
the scenario is :I'm replacing core Cisco switch 4506-E with switch 4507R-E. As I have one supervisor card on 4506-E and I'm going to take out all the card that I have in 4506-E and install it in the new 4507R-E. On the 4507R-E I have 2 slots for the supe... view more
SASE: the future of network and network security architectur...
Created by zied.turki on 06-02-2020 12:28 AM
0
0
0
0
Since its release in August of 2019, the SASE report released by Gartner has generated a lot of chatter regarding what SASE is all about. People are wondering whether it will be disruptive to the current network and network security designs and are curiou... view more
Establishing connection with a remote network not working
Created by zivx on 05-30-2020 02:56 PM
4
0
4
0
I tried to setup a virtual environment with 2960 switches and 2911 Router. In one part of the network where I connected PCs directly to the 2911 Router, I was able to communicate to the attached devices, having configured static route. In the th... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners
Follow our Social Media Channels