04-08-2020 03:39 PM
Hello, I hope everyone is doing well in quarantine. I had a super annoying question about route maps and how they work with ACLs. I get the whole idea behind them, I think, but one thing I was really curious about was: if there is a route-map seq that says deny but the ACL it is referencing permits the prefix, what happens to the traffic? Thank you!!
04-08-2020 04:46 PM - edited 04-08-2020 04:53 PM
Hello
@Zxanthar98 wrote:
Hello, I hope everyone is doing well in quarantine. I had a super annoying question about route maps and how they work with ACLs. I get the whole idea behind them, I think, but one thing I was really curious about was: if there is a route-map seq that says deny but the ACL it is referencing permits the prefix, what happens to the traffic? Thank you!!
This would depend on the whole route-map. The route-map logic would deny the ACE entry being used in the route-map and proceed to the next stanza if there is one; if not, the default implicit deny would be used.
04-08-2020 09:40 PM
That makes total sense. After I read the section on route maps in general, it went into more depth and talked about optional actions, such as modifying the next hop or which interface the matched prefix should go to, so I figured it wouldn't make much sense to put in a permit route-map and then put a deny in your ACL, haha. Thanks so much!!!
04-08-2020 11:40 PM
Hi,
When using route-maps, the decision should be made at the route-map level (deny/permit), and ACLs should contain only permit statements. The logic of the "deny" at the route-map level and the "deny" at the condition-matching level is different.
When you parse the route-map top-down and you match on a "permit" statement of the ACL used in route-map sequence number 100, you stop route-map processing (unless the continue action is used), and for the matched traffic you take the deny/permit action from the route-map level for sequence number 100. If the route-map was used for route filtering, you permit the route or deny/filter the route; if the route-map was used for NAT/PBR, you permit or deny NAT/PBR from happening.
When you parse the route-map top-down and you match on an explicit "deny" statement of the ACL used in route-map sequence number 150, you exit the current route-map sequence number and inspect the next route-map sequence number, and the next one, and so on, until you match on a "permit" action of the ACL used in that sequence number, at which point you do the same as in the previous example: you take the permit/deny action of the route-map.
I'm not saying that you shouldn't use "deny" statements in your match conditions. I'm saying that you can achieve the same desired outcome by using just "permit" statements in your ACL/prefix-list in most cases, which makes things simpler, as the logic is simple, not mixed.
Regards,
Cristian Matei.
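To make the two meanings of "deny" concrete, here is an added example that is not part of the thread or of any Cisco code: a small Python model of how a route-map consults the ACL in each sequence, evaluated top-down. The ACL names (ACL_A, ACL_B), the route-map name FILTER and the prefixes are constructed for illustration; standard-ACL matching is simplified to comparing the route's network address against the ACE's wildcard range, and the `continue` clause is not modelled.

```python
"""Added example (not from the original thread): a small Python model of how a
Cisco-style route-map consults its ACLs, illustrating the two different meanings
of "deny". Names, ACLs and prefixes below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One entry of a standard ACL used as a route filter."""
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # 10.1.0.0/16 stands for '10.1.0.0 0.0.255.255'


@dataclass(frozen=True)
class Sequence:
    """One 'route-map NAME permit|deny SEQ' stanza with 'match ip address ACL'."""
    seq: int
    action: str                      # the route-map level permit/deny
    acl: tuple                       # tuple of Ace, walked top-down like the ACL


def acl_matches(acl, prefix):
    """A standard ACL used as a route filter is compared against the route's
    network address (simplified). The first matching ACE wins: a permit ACE
    means this sequence matches the route; an explicit deny ACE, or no matching
    ACE at all (the ACL's implicit deny), means this sequence does NOT match.
    The ACL deny never denies the route itself."""
    for ace in acl:
        if prefix.network_address in ace.network:
            return ace.action == "permit"
    return False


def evaluate(route_map, prefix):
    """Walk the route-map sequences in order. The first sequence whose ACL
    matches decides the outcome with its own permit/deny; if no sequence
    matches, the route-map's implicit deny at the end applies.
    Returns (action, matched_seq) with matched_seq None for the implicit deny."""
    for s in sorted(route_map, key=lambda s: s.seq):
        if acl_matches(s.acl, prefix):
            return s.action, s.seq
    return "deny", None


def net(s):
    return ipaddress.ip_network(s)


# Constructed configuration, equivalent to:
#   ip access-list standard ACL_A
#     deny   10.1.1.0 0.0.0.255
#     permit 10.1.0.0 0.0.255.255
#   ip access-list standard ACL_B
#     permit 10.1.1.0 0.0.0.255
#   route-map FILTER permit 10
#     match ip address ACL_A
#   route-map FILTER deny 20
#     match ip address ACL_B
ACL_A = (Ace("deny", net("10.1.1.0/24")), Ace("permit", net("10.1.0.0/16")))
ACL_B = (Ace("permit", net("10.1.1.0/24")),)
FILTER = [Sequence(10, "permit", ACL_A), Sequence(20, "deny", ACL_B)]


def outcomes():
    """Return {prefix: (action, matched_seq)} for a few constructed routes."""
    return {p: evaluate(FILTER, net(p))
            for p in ("10.1.1.0/24", "10.1.2.0/24", "192.168.0.0/24")}


if __name__ == "__main__":
    for p, (action, seq) in outcomes().items():
        where = f"seq {seq}" if seq is not None else "implicit deny at end of route-map"
        print(f"{p:16} -> {action:6} ({where})")
```

Tracing 10.1.1.0/24 shows the original question's case: the explicit deny ACE in ACL_A means sequence 10 simply does not match, so evaluation falls through to sequence 20, where ACL_B permits the prefix and the route-map's own deny is applied, so the route is filtered. 10.1.2.0/24 is permitted by ACL_A and therefore by sequence 10, and 192.168.0.0/24 matches nothing and hits the implicit deny.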