12-10-2019 11:16 AM
Hi,
If there exists a route with community 100:1 100:2 100:3 100:4
route-map TEST deny 10
match policy-list POL_TEST
route-map TEST permit 20
ip policy-list POL_TEST permit
match community 10
ip community-list 10 deny _100:1_
ip community-list 10 deny _100:2_
ip community-list 10 permit _100:4_
Processing logic:
1. As the route-map and the community-list entry for _100:1_ both have deny statements, this results in the route being permitted and route-map processing coming to a standstill.
Is my logic right?
12-10-2019 11:33 AM
route-map TEST deny 10
match policy-list POL_TEST < will deny just _100:4_
route-map TEST permit 20
ip policy-list POL_TEST permit
match community 10 < other communities will be checked here, but not _100:1_, _100:2_ and _100:4_ (those were denied by the first statement)
ip community-list 10 deny _100:1_ < will not be checked by the route-map
ip community-list 10 deny _100:2_ < will not be checked by the route-map
ip community-list 10 permit _100:4_ < will be checked by the route-map
Processing logic:
1. As the route-map and the community-list entry for _100:1_ both have deny statements, this results in the route being permitted and route-map processing coming to a standstill.
Look here for some examples of community policy: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/bgp/ip-community-list.html
12-10-2019 12:13 PM
So a route-map with a deny clause, as well as a match that denies, results in processing moving to the next sequence? I was under the impression that the route was denied to be denied, hence permitted.
12-10-2019 12:28 PM
#show ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 6
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     12
  Refresh Epoch 3
  Local
    192.168.1.1 from 192.168.1.1 (33.3.3.3)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Community: 163:17243 2002:35 2002:57 2002:1004
      rx pathid: 0, tx pathid: 0x0

vSC-A#show ip policy-list POL_TEST
policy-list POL_TEST permit
  Match clauses:
    community (community-list filter): 100

#show ip community-list 100
Community (expanded) access list 100
    deny _2002:35_      ( don't do anything )
    deny _2002:57_      ( don't do anything )
    permit _163:17243_  ( match, as route-map is denied, prefix with 163:17243 is blocked )

route-map TEST, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Permit everything but not _2002:35_, _2002:57_ and _163:17243_, which were denied in the previous sequence.

I only have one route, which is the default. Apparently 0.0.0.0 still makes it to the WAN peer.
12-10-2019 01:29 PM
Hello
My understanding is that a route-map with a deny action and an ACL ACE deny results in any prefix related to it being ignored.
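To make the evaluation order discussed in this thread concrete, here is an added Python model of how IOS walks a route-map that matches a policy-list that matches an expanded community-list. It is not Cisco code and not something any poster supplied; all function names (ios_regex, community_list_result, policy_list_result, evaluate_route_map, run) are hypothetical. It assumes the semantics stated in its docstring: community-list entries are evaluated top-down and the first entry whose regex hits decides the whole list (permit means the match clause succeeds, deny means it fails, no hit means implicit deny); policy-lists are permit-only; each route-map sequence carries at most one match policy-list clause; the first sequence whose match succeeds decides and processing stops. It replays the first post's configuration (community-list 10) and the later show output (community-list 100) against the routes described there, then goes beyond the thread with two constructed routes that have no deny entry shielding them.

```python
"""Toy model of how IOS walks a route-map -> policy-list -> community-list chain.

Added example for this thread, not Cisco code. Modelled assumptions: expanded
community-lists are evaluated top-down and the first matching entry decides
(permit = the 'match community' clause succeeds, deny = it fails, nothing
matched = implicit deny); policy-lists are permit-only; each route-map
sequence carries at most one 'match policy-list' clause; the first sequence
whose match succeeds decides and processing stops; no sequence = implicit deny.
"""
import re
from typing import Dict, List, Optional, Tuple

CommunityList = List[Tuple[str, str]]            # ordered (action, IOS regex) entries
PolicyList = Tuple[str, List[str]]               # (action, community-list names)
RouteMap = List[Tuple[int, str, Optional[str]]]  # (seq, action, policy-list name or None)


def ios_regex(pattern: str) -> str:
    """IOS '_' stands for a community delimiter: start/end of the attribute,
    space, comma or brace. Translate it so Python's re can evaluate the entry."""
    return pattern.replace("_", r"(?:^|$|[ ,{}])")


def community_list_result(entries: CommunityList, communities: str) -> Tuple[bool, str]:
    """Return (clause_matches, reason). Entries after the first hit are never read."""
    for action, pattern in entries:
        if re.search(ios_regex(pattern), communities):
            return action == "permit", f"{action} {pattern} hit first"
    return False, "no entry hit (implicit deny)"


def policy_list_result(policy: PolicyList, community_lists: Dict[str, CommunityList],
                       communities: str) -> Tuple[bool, str]:
    """'match community A B' is an OR across the listed community-lists."""
    action, names = policy
    if action != "permit":
        raise NotImplementedError("deny policy-lists are outside this model")
    reasons = []
    for name in names:
        ok, why = community_list_result(community_lists[name], communities)
        reasons.append(f"community-list {name}: {why}")
        if ok:
            return True, reasons[-1]
    return False, "; ".join(reasons)


def evaluate_route_map(route_map: RouteMap, policy_lists: Dict[str, PolicyList],
                       community_lists: Dict[str, CommunityList],
                       communities: str) -> Tuple[str, Optional[int], List[str]]:
    """Return (action, deciding sequence, trace). A sequence with no match clause
    matches every route; a deny sequence whose match FAILS is simply skipped."""
    trace: List[str] = []
    for seq, action, policy_name in route_map:
        if policy_name is None:
            trace.append(f"seq {seq} {action}: no match clause, matches all -> {action}")
            return action, seq, trace
        ok, why = policy_list_result(policy_lists[policy_name], community_lists, communities)
        trace.append(f"seq {seq} {action}: policy-list {policy_name} "
                     f"{'matched' if ok else 'did not match'} ({why})")
        if ok:
            return action, seq, trace
    trace.append("fell off the end: implicit deny")
    return "deny", None, trace


# Configuration transcribed from the thread (community-list 10 from the first post,
# community-list 100 from the later 'show ip community-list 100' output).
COMMUNITY_LISTS: Dict[str, CommunityList] = {
    "10": [("deny", "_100:1_"), ("deny", "_100:2_"), ("permit", "_100:4_")],
    "100": [("deny", "_2002:35_"), ("deny", "_2002:57_"), ("permit", "_163:17243_")],
}
ROUTE_MAP_TEST: RouteMap = [(10, "deny", "POL_TEST"), (20, "permit", None)]


def run(community_list_name: str, communities: str) -> Tuple[str, Optional[int], List[str]]:
    """Evaluate route-map TEST with POL_TEST pointing at the given community-list."""
    policy_lists: Dict[str, PolicyList] = {"POL_TEST": ("permit", [community_list_name])}
    return evaluate_route_map(ROUTE_MAP_TEST, policy_lists, COMMUNITY_LISTS, communities)


if __name__ == "__main__":
    cases = [
        ("10", "100:1 100:2 100:3 100:4"),               # first post's route
        ("100", "163:17243 2002:35 2002:57 2002:1004"),  # the default route in the show output
        ("10", "100:3 100:4"),                           # constructed: no deny entry shields it
        ("10", "100:3"),                                 # constructed: nothing in list 10 hits
    ]
    for name, comms in cases:
        action, seq, trace = run(name, comms)
        print(f"list {name}, communities '{comms}': {action} (seq {seq})")
        for line in trace:
            print("   ", line)
```

Under these assumptions both routes from the thread end up permitted by sequence 20: the deny _100:1_ (respectively deny _2002:35_) entry hits first, so the community-list returns deny, the policy-list does not match, and the deny 10 sequence is skipped rather than applied. That agrees with the observation that 0.0.0.0/0 still reaches the WAN peer. The constructed route carrying 100:3 100:4 but neither 100:1 nor 100:2 is the one the deny 10 sequence actually blocks, and a route carrying only 100:3 hits nothing in list 10 and is also permitted by sequence 20. Deny entries in a community-list therefore act as exemptions from whatever the route-map sequence does, not as a second layer of blocking.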