
Route-map with deny action

verma-rohit
Level 1

Hi,

If there exists a route with community 100:1 100:2 100:3 100:4

 

route-map TEST deny 10

match policy-list POL_TEST

 

route-map TEST permit 20

 

ip policy-list POL_TEST permit

match community 10

 

ip community-list 10 deny  _100:1_

ip community-list 10 deny  _100:2_

ip community-list 10 permit  _100:4_

 

Processing logic:

1. As the route-map and the community-list entry for _100:1_ both have deny statements, the result is the route being permitted and route-map processing coming to a standstill.

 

Is my logic right ?

4 Replies

Jaderson Pessoa
VIP Alumni

route-map TEST deny 10    

match policy-list POL_TEST    < will deny just _100:4_  

 

route-map TEST permit 20

 

ip policy-list POL_TEST permit

match community 10   < other communities will be checked here, but not _100:1_, _100:2_ and _100:4_ (those were denied by the first statement)

 

ip community-list 10 deny  _100:1_      < will not be checked by route-map

ip community-list 10 deny  _100:2_      < will not be checked by route-map

ip community-list 10 permit  _100:4_   < will be checked by route-map

 

 

Processing logic:

1. As the route-map and the community-list entry for _100:1_ both have deny statements, the result is the route being permitted and route-map processing coming to a standstill.

 

 

Look here for some examples of community policy: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/bgp/ip-community-list.html

Jaderson Pessoa
*** Rate All Helpful Responses ***

So a route-map with a deny clause, as well as a match with a deny, results in processing moving to the next sequence? I was under the impression that the route was denied to be denied, hence permitted.

#show ip bgp 0.0.0.0
BGP routing table entry for 0.0.0.0/0, version 6
Paths: (1 available, best #1, table default)
  Advertised to update-groups:
     12        
  Refresh Epoch 3
  Local
    192.168.1.1 from 192.168.1.1 (33.3.3.3)
      Origin incomplete, metric 0, localpref 100, valid, internal, best
      Community: 163:17243 2002:35 2002:57 2002:1004
      rx pathid: 0, tx pathid: 0x0

vSC-A#show ip policy-list POL_TEST
policy-list POL_TEST permit
  Match clauses:
    community (community-list filter): 100 

#show ip community-list 100
Community (expanded) access list 100
    deny _2002:35_ ( don't do anything )
    deny _2002:57_ ( don't do anything )
    permit _163:17243_ ( match, as route-map is denied, prefix with 163:17243 is blocked )

route-map TEST, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Permit everything but not _2002:35_, _2002:57_ and _163:17243_, which was denied in previous sequence.

I only have one route which is the default. Apparently 0.0.0.0 still makes it to WAN peer.
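To make the first-match behaviour Jaderson describes and the `show` output above concrete, here is a small evaluator added for this thread (it is not Cisco code and not from any poster). It assumes IOS walks an expanded community-list top-down with the first regex hit deciding, that a deny hit makes `match community` fail, and it models `match policy-list POL_TEST` as a plain `match community` since the policy-list has that single clause:

```python
import re

# Added illustration, not Cisco code. Assumption: the FIRST community-list
# entry whose regex hits the route's community string decides; a deny hit
# makes the "match community" clause fail, so deny sequence 10 is skipped.

# Community-lists as configured in the thread: (action, IOS regex).
COMMUNITY_LIST_10 = [("deny", "_100:1_"), ("deny", "_100:2_"), ("permit", "_100:4_")]
COMMUNITY_LIST_100 = [("deny", "_2002:35_"), ("deny", "_2002:57_"), ("permit", "_163:17243_")]

def route_map_test(clist):
    """route-map TEST: deny 10 matches policy-list POL_TEST (= match community
    <clist>); permit 20 has no match clause and therefore matches everything."""
    return [(10, "deny", [clist]), (20, "permit", [])]

def ios_regex(pattern):
    """IOS '_' stands for start/end of string, a space, a comma or a brace."""
    return pattern.replace("_", r"(?:^|$|[\s,{}])")

def community_list_matches(entries, communities):
    """True only if the first matching entry is a permit; no hit -> implicit deny."""
    comm_str = " ".join(communities)
    for action, pattern in entries:
        if re.search(ios_regex(pattern), comm_str):
            return action == "permit"
    return False

def route_map_result(route_map, communities):
    """Walk sequences in order; the first sequence whose match clauses all hit
    returns (sequence, action). Falling off the end is an implicit deny."""
    for seq, action, clists in route_map:
        if all(community_list_matches(cl, communities) for cl in clists):
            return seq, action
    return None, "deny"

if __name__ == "__main__":
    # Constructed routes mirroring the thread: the OP's four-community example
    # and the default route from the show ip bgp output.
    op_route = ["100:1", "100:2", "100:3", "100:4"]
    default_route = ["163:17243", "2002:35", "2002:57", "2002:1004"]
    print(route_map_result(route_map_test(COMMUNITY_LIST_10), op_route))        # (20, 'permit')
    print(route_map_result(route_map_test(COMMUNITY_LIST_100), default_route))  # (20, 'permit')
    print(route_map_result(route_map_test(COMMUNITY_LIST_10), ["100:4"]))       # (10, 'deny')
```

Only a route whose first community-list hit is a permit entry (e.g. 100:4 without 100:1 or 100:2) reaches deny sequence 10; every other route, including the default route with 2002:35, falls through to permit 20, which is why 0.0.0.0/0 still reaches the WAN peer.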

Hello

My understanding is that a route-map with a deny action and an ACL ACE deny results in any prefix related to it being ignored.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul