12-10-2019 11:16 AM
Hi,
If there exists a route with communities 100:1 100:2 100:3 100:4:
route-map TEST deny 10
match policy-list POL_TEST
route-map TEST permit 20
ip policy-list POL_TEST permit
match community 10
ip community-list 10 deny _100:1_
ip community-list 10 deny _100:2_
ip community-list 10 permit _100:4_
Processing logic:
1. As the route-map and the community-list entry for _100:1_ both have a deny statement, the route ends up being permitted and route-map processing comes to a standstill.
Is my logic right?
12-10-2019 11:33 AM
route-map TEST deny 10
match policy-list POL_TEST < will deny just _100:4_
route-map TEST permit 20
ip policy-list POL_TEST permit
match community 10 < other communities will be checked here, but not _100:1_, _100:2_ and _100:4_ (those were handled by the first statement)
ip community-list 10 deny _100:1_ < will not be checked by the route-map
ip community-list 10 deny _100:2_ < will not be checked by the route-map
ip community-list 10 permit _100:4_ < will be checked by the route-map
Processing logic:
1. As the route-map and the community-list entry for _100:1_ both have a deny statement, the route ends up being permitted and route-map processing comes to a standstill.
Look here for some examples of community policy: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/bgp/ip-community-list.html
12-10-2019 12:13 PM
So a route-map with a deny clause, together with a match that denies, results in processing moving on to the next sequence? I was under the impression that the route was denied from being denied, hence permitted.
12-10-2019 12:28 PM
#show ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 6
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     12
  Refresh Epoch 3
  Local
    192.168.1.1 from 192.168.1.1 (33.3.3.3)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Community: 163:17243 2002:35 2002:57 2002:1004
      rx pathid: 0, tx pathid: 0x0

vSC-A#show ip policy-list POL_TEST
policy-list POL_TEST permit
  Match clauses:
    community (community-list filter): 100

#show ip community-list 100
Community (expanded) access list 100
    deny _2002:35_ ( don't do anything )
    deny _2002:57_ ( don't do anything )
    permit _163:17243_ ( match, as route-map is denied, prefix with 163:17243 is blocked )

route-map TEST, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Permit everything except _2002:35_, _2002:57_ and _163:17243_, which were denied in the previous sequence.
I only have one route, which is the default. Apparently 0.0.0.0 still makes it to the WAN peer.
12-10-2019 01:29 PM
Hello
My understanding is that a route-map with a deny action and an ACL ACE deny results in any prefix related to it being ignored.
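A small model of the route-map evaluation discussed in this thread, added here as an example (not code from any poster or from Cisco). It assumes the IOS rule that community-list entries are checked in order, the first matching entry decides, and a deny entry means "no match" rather than filtering the route; POL_100 and TEST_100 are constructed names for the show-output variant of the same route-map (policy-list pointing at community-list 100).

```python
import re

# Added example, not from the thread: a model of how IOS evaluates
# route-map -> match policy-list -> match community -> ip community-list.
# Assumed semantics (IOS docs): community-list entries are checked in order and
# the FIRST matching entry decides; a "deny" entry means "does not match", it
# does not filter the route. A route-map clause whose match fails is skipped,
# so a deny clause that does not match falls through to the next sequence.

def ios_regex(pattern):
    """Translate the IOS '_' delimiter into Python: start, end or whitespace."""
    return pattern.replace("_", r"(?:^|\s|$)")

def community_list_matches(entries, communities):
    """entries: [(action, pattern)]; communities: list of 'A:B' strings."""
    text = " ".join(communities)  # IOS applies the regex to the whole string
    for action, pattern in entries:
        if re.search(ios_regex(pattern), text):
            return action == "permit"
    return False  # implicit deny at the end of the list

def policy_list_matches(comm_list_names, comm_lists, communities):
    """A permit policy-list matches only if every match clause in it matches."""
    return all(community_list_matches(comm_lists[n], communities) for n in comm_list_names)

def route_map_result(clauses, policy_lists, comm_lists, communities):
    """clauses: [(seq, action, policy_list_name or None)] -> 'permit' or 'deny'."""
    for _seq, action, pol in clauses:
        if pol is None or policy_list_matches(policy_lists[pol], comm_lists, communities):
            return action  # first matching clause decides
    return "deny"  # implicit deny at the end of the route-map

# Configuration from the question (list 10) and from the show output (list 100).
POLICY_LISTS = {"POL_TEST": ["10"], "POL_100": ["100"]}   # POL_100: constructed name
COMM_LISTS = {
    "10": [("deny", "_100:1_"), ("deny", "_100:2_"), ("permit", "_100:4_")],
    "100": [("deny", "_2002:35_"), ("deny", "_2002:57_"), ("permit", "_163:17243_")],
}
TEST = [(10, "deny", "POL_TEST"), (20, "permit", None)]     # route-map TEST
TEST_100 = [(10, "deny", "POL_100"), (20, "permit", None)]  # same shape, list 100

if __name__ == "__main__":
    # Question: 100:1 hits the first (deny) entry, so list 10 does not match,
    # deny 10 is skipped and permit 20 lets the route through -> "permit".
    print(route_map_result(TEST, POLICY_LISTS, COMM_LISTS, ["100:1", "100:2", "100:3", "100:4"]))
    # Only 100:4: list 10 permits, deny 10 matches, route is filtered -> "deny".
    print(route_map_result(TEST, POLICY_LISTS, COMM_LISTS, ["100:4"]))
    # Default route from the show output: 2002:35 hits a deny entry first -> "permit".
    print(route_map_result(TEST_100, POLICY_LISTS, COMM_LISTS, ["163:17243", "2002:35", "2002:57", "2002:1004"]))
```

The third case reproduces the observation above that 0.0.0.0/0 is still sent to the peer: the community list returns "no match" on its first deny entry, so sequence 10 never fires.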