Solved: Hi Masoud,

rakeshvelagala · ‎02-24-2016

Hi All,

Please advise on the below

Say I have BGP peering between A and B

R2(10.1.23.1)------(10.1.23.2)R3

Question: In seq 10 of route-map I have matched the prefix-list which matches 153.153.153.0/24 and it has to be denied. But why is it still advertised to the peer R2???

When I remove the seq 20 of the route-map, it works as intended. But shouldn't the route-map stop processing for the route 153.153.153.0/24 once it matches the seq 10?? Please advise.

R3#sh run | s router
router bgp 3
bgp log-neighbor-changes
network 153.153.153.0 mask 255.255.255.0
network 153.153.154.0 mask 255.255.255.0
neighbor 10.1.23.1 remote-as 65001
neighbor 10.1.23.1 route-map R3_R4_PL out

R3#sh ip prefix-list
ip prefix-list R3_R4_PL: 2 entries
seq 5 deny 153.153.153.0/24
seq 10 permit 153.153.154.0/24

R3#sh route-map
route-map R3_R4_PL, permit, sequence 10
Match clauses:
ip address prefix-lists: R3_R4_PL
Set clauses:
Policy routing matches: 0 packets, 0 bytes

route-map R3_R4_PL, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

on R2:

R2#sh ip bgp | b RPKI
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 153.153.153.0/24 10.1.23.2 0 0 3 i
*> 153.153.154.0/24 10.1.23.2 0 0 3 i

Masoud Pourshabanian · ‎02-24-2016

Hello,

Because it matches with route-map R3_R4_PL 20.

If a route matches with deny statement in the first route-map ,it will be checked with the same route-map with higher number(in your case 20)

Hope it help,

Masoud

View solution in original post

Masoud Pourshabanian · ‎02-24-2016

Hello,

Because it matches with route-map R3_R4_PL 20.

If a route matches with deny statement in the first route-map ,it will be checked with the same route-map with higher number(in your case 20)

Hope it help,

Masoud

rakeshvelagala · ‎02-24-2016

Hi Masoud,

Thanks for your reply. My confusion is since the seq 10 is matched, why it still needs to go to seq 20? Please advise.

Route maps have many features in common with widely known ACLs. These are some of the traits common to both:

•They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation of ACL or route maps consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.

rakeshvelagala · ‎02-24-2016

Hi Masoud,

https://learningnetwork.cisco.com/thread/40264

Thanks. One of the blogs, Brian Answered

If a route-map's match commands refer to an ACL or prefix list, and the ACL or prefix list matches a route with the deny action, the route is not filtered. Instead, it means the route does not match the match command logic, resulting in the Cisco IOS to consider the next route-map clause.

When using route-maps to call a ip prefix-list or ACL, the route-map decides the action (deny or permit). The prefix-list or ACL should always use "permit" clauses.

The route-map command includes an implied “deny” all clause at the end; to configure a permit all, use the route-map command with a permit action, but

without a match command.

Brian

Masoud Pourshabanian · ‎02-24-2016

That is what you did in your route-map. No match so everything is permitted.

Masoud Pourshabanian · ‎02-24-2016

It is because of DENY property.

First consider router map [name]10 which has ACL. Scan starts from the first entry in ACL. If any match is found, scan is aborted. If it matches with permit, the scan is completely aborted but if it matches deny(ACL is aborted), it will be checked with the route-map with higher number.

Masoud

Route-map Processing with Prefix-list