02-24-2016 08:53 PM - edited 03-05-2019 03:25 AM
Hi All,
Please advise on the below
Say I have BGP peering between A and B
R2(10.1.23.1)------(10.1.23.2)R3
Question: In seq 10 of the route-map I have matched the prefix-list which matches 153.153.153.0/24, and it has to be denied. But why is it still advertised to the peer R2?
When I remove seq 20 of the route-map, it works as intended. But shouldn't the route-map stop processing for the route 153.153.153.0/24 once it matches seq 10? Please advise.
R3#sh run | s router
router bgp 3
bgp log-neighbor-changes
network 153.153.153.0 mask 255.255.255.0
network 153.153.154.0 mask 255.255.255.0
neighbor 10.1.23.1 remote-as 65001
neighbor 10.1.23.1 route-map R3_R4_PL out
R3#sh ip prefix-list
ip prefix-list R3_R4_PL: 2 entries
seq 5 deny 153.153.153.0/24
seq 10 permit 153.153.154.0/24
R3#sh route-map
route-map R3_R4_PL, permit, sequence 10
Match clauses:
ip address prefix-lists: R3_R4_PL
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map R3_R4_PL, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
on R2:
R2#sh ip bgp | b RPKI
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 153.153.153.0/24 10.1.23.2 0 0 3 i
*> 153.153.154.0/24 10.1.23.2 0 0 3 i
02-24-2016 09:26 PM
Hello,
Because it matches with route-map R3_R4_PL 20.
If a route matches a deny statement in the first route-map, it will be checked against the same route-map with the higher number (in your case 20).
Hope it helps,
Masoud
02-24-2016 09:38 PM
Hi Masoud,
Thanks for your reply. My confusion is: since seq 10 is matched, why does it still need to go to seq 20? Please advise.
Route maps have many features in common with widely known ACLs. These are some of the traits common to both:
• They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation of ACL or route maps consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.
02-24-2016 09:46 PM
Hi Masoud,
https://learningnetwork.cisco.com/thread/40264
Thanks. In one of the blogs, Brian answered:
If a route-map's match commands refer to an ACL or prefix list, and the ACL or prefix list matches a route with the deny action, the route is not filtered. Instead, it means the route does not match the match command logic, resulting in Cisco IOS considering the next route-map clause.
When using route-maps to call an ip prefix-list or ACL, the route-map decides the action (deny or permit). The prefix-list or ACL should always use "permit" clauses.
The route-map command includes an implied "deny" all clause at the end; to configure a permit all, use the route-map command with a permit action, but without a match command.
Brian
02-24-2016 09:53 PM
That is what you did in your route-map. No match so everything is permitted.
02-24-2016 09:50 PM
It is because of the DENY property.
First consider route-map [name] 10, which has an ACL. The scan starts from the first entry in the ACL. If any match is found, the scan is aborted. If it matches with permit, the scan is completely aborted, but if it matches deny (ACL is aborted), it will be checked with the route-map with the higher number.
Masoud
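The evaluation rule discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of how a route-map that references a prefix-list is evaluated, run against the posted policy and a corrected one. It assumes exact-match prefix-list entries (no ge/le); the prefix-list name BLOCK_153 and the corrected policy are constructed for illustration.

```python
# Added example: simplified model of IOS route-map + prefix-list evaluation.
# Assumption: prefix-list entries are exact matches (no ge/le handling).
from ipaddress import ip_network

def prefix_list_permits(entries, route):
    """First matching entry decides; no matching entry is an implicit deny."""
    for _seq, action, prefix in sorted(entries):
        if ip_network(prefix) == route:
            return action == "permit"
    return False

def route_map_advertises(clauses, prefix_lists, route):
    """clauses: (seq, action, prefix-list name or None for 'no match command')."""
    for _seq, action, pl_name in sorted(clauses, key=lambda c: c[0]):
        # A prefix-list deny only means "this clause did not match", so
        # evaluation falls through to the next sequence number.
        if pl_name is None or prefix_list_permits(prefix_lists[pl_name], route):
            return action == "permit"  # the clause's own action decides
    return False  # implicit deny at the end of every route-map

def advertised(clauses, prefix_lists, routes):
    return [r for r in routes
            if route_map_advertises(clauses, prefix_lists, ip_network(r))]

ROUTES = ["153.153.153.0/24", "153.153.154.0/24"]

# Policy as posted in the thread.
POSTED_PL = {"R3_R4_PL": [(5, "deny", "153.153.153.0/24"),
                          (10, "permit", "153.153.154.0/24")]}
POSTED_RM = [(10, "permit", "R3_R4_PL"), (20, "permit", None)]

# Corrected policy (constructed; BLOCK_153 is a hypothetical name): the
# prefix-list only selects the route, the route-map clause carries the deny.
FIXED_PL = {"BLOCK_153": [(5, "permit", "153.153.153.0/24")]}
FIXED_RM = [(10, "deny", "BLOCK_153"), (20, "permit", None)]

if __name__ == "__main__":
    print("posted:        ", advertised(POSTED_RM, POSTED_PL, ROUTES))
    print("posted, no 20: ", advertised(POSTED_RM[:1], POSTED_PL, ROUTES))
    print("corrected:     ", advertised(FIXED_RM, FIXED_PL, ROUTES))
```

With the posted policy both prefixes pass because 153.153.153.0/24 falls through to the match-all sequence 20; the corrected policy keeps sequence 20 but filters that prefix in sequence 10.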