Solved: Understanding a route map

r.gasper · ‎04-29-2014

Hi All,

I have just taken over supporting a network, and have come accross a route map, that I don't really understand. The route-map is copied below. Can anyone please tell me step by step how its processed, and what the outcome is?

route-map test permit 5

match ip address prefix-list path_one_prefer

!

route-map test permit 10

match as-path 3

!

route-map test permit 20

match ip address prefix-list route-filter

set as-path prepend 65100

ip prefix-list path_one_prefer seq 5 permit 10.10.0.0/16

ip as-path access-list 3 permit _65000_

ip prefix-list route-filter seq 10 deny 172.130.1.0/28

ip prefix-list route-filter seq 15 deny 172.131.1.248/29

ip prefix-list route-filter seq 20 deny 172.200.128.0/27

The route map is applied outbound towards an ebgp peer

Many Thanks

Russ

Bilal Nawaz · ‎05-01-2014

Hello Russ,

Yes that is indeed the case.

route-map test permit 20

match ip address prefix-list route-filter

set as-path prepend 65100

!

ip prefix-list route-filter seq 10 deny 172.130.1.0/28

ip prefix-list route-filter seq 15 deny 172.131.1.248/29

ip prefix-list route-filter seq 20 deny 172.200.128.0/27

In the route-map lines 20 - it is set to "match ip address prefix-list route-filter"

Since the deny is in place in the prefix list, take it as "Not these ones"

Everything else is permitted and AS-Path prepended.

After line 20 there is no other - ACL logic - explicit deny - so if there is no match, its a deny, so the prefix's in the prefix-list "route-filter" are not advertised.

This line 20 seems to be the "catch all" other routes except for these ones i.e. that prefix list, and prepend them.

Check the routes you are advertising them as I stated in my first post with "show ip bgp neigh x.x.x.x advertised-routes" which should correlate with the route-map applied to your BGP peer.

Hope this makes it clear.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

Bilal Nawaz · ‎04-30-2014

Hello Russ,

It seems like the route-map is controlling which routes to be advertised to its peer. You can see which routes are being advertised with "show ip bgp neighbors 1.1.1.1 advertised-routes"

Route-map test permit 5 calls to match a specific prefix - 10.10.0.0/16 this seems to be permitted

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 (I think)

Route-map test permit 20 calls on a prefix list route-filter which sets the AS path prepend which is permited. This route-map prepends all other prefix's with 65100 except for the prefix's in the route filter one (which are deny statements - so the logic is "not these prefix's") - which may not even be advertised.

Depending on your routing table, if you have the relevant routes and with the show command above you should be able to see things match and correlate with the filtering policy if configured correctly.

hth

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

paul driver · ‎04-30-2014

Hello Bial

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 (I think)

This is incorrect mate - stanza 10 is set to match on as-path attribute 3 -

route-map test permit 10

match as-path 3

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Bilal Nawaz · ‎04-30-2014

Hi Paul,

I re-read, and am bit puzzled as to what is wrong with the statement? It match's the AS path - the Reg Expression has _65000_

What does that mean then?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

paul driver · ‎04-30-2014

Hello

route-map test permit 5

match ip address prefix-list path_one_prefer

!

route-map test permit 10

match as-path 3

!

route-map test permit 20

match ip address prefix-list route-filter

set as-path prepend 65100

Route maps are read sequentially so a route will pass down this list until a match is made on that stanza then the action is processed by the set command ( if any is specified). and the route-map will not be read any further, unless you use the continue command, then even if an match and action is made.the route map will continue to process.

so in this case of stanza 5 -10 if a match is made and then the default action without a set command is to permit

You stated that stanza 10 is to match "an AS path of _65000_ anything that transits AS 65000 (I think)"

This is incorrect mate - stanza 10 is set to match on as-path attribute 3

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Bilal Nawaz · ‎04-30-2014

I don't get your point?

You said:

This is incorrect mate - stanza 10 is set to match on as-path attribute 3 -

route-map test permit 10

match as-path 3

Which you said was incorrect.

I said:

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 (I think)

So.... the AS-Path ACL is:

ip as-path access-list 3 permit _65000_

So to me, in my mind this reads

route-map 10 to permit

Anything that matches the AS path _65000_

And that's exactly what I said here... Is my understanding of this wrong?

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

paul driver · ‎04-30-2014

Helo

You are correct- I am misreading the posting- stanza 10 is indeed referring the _6500_ for the attribute aspath 3

I am looking at the dam prefix list not the as-path list -

Apologies Bilal

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Bilal Nawaz · ‎04-30-2014

Hi, thanks for pointing that out - probably typing quicker than I could think. (Its Bilal btw, not Bial or mate) :)

Ta

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

paul driver · ‎04-30-2014

Hello

Anything that matches the first stanza 5 = advertise and DONT proceed to check any further down the route-map

Anything that doesn't match 5 but stanza 10 with as path of 3 = advertise and DONT proceed to check any further down the route-map

Anything that doesn't match 5 or 10 will match stanza 20 and filter on those routes and prepend as path 6500 once to any prefix that has traverse the 6500 AS and as this in its as path attribute

I don't see a catch all statement at the end so everything else is denied

Res Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

r.gasper · ‎04-30-2014

Hi Guys

Thanks for all of your help with this question. Are you sure if a 'match' is found without a 'set' then the router will not proceed any further?

Anything that doesn't match 5 or 10 will match stanza 20 and filter on those routes and prepend as path 6500 once to any prefix that has traverse the 6500 AS and as this in its as path attribute

I don't understand the above... not all routes will match stanza 20. Are you also saying that only routes that have 6500 in the path will be prepended with 6500?

Thanks

Russ

Bilal Nawaz · ‎05-01-2014

Hello Russ, The logic is like an ACL, if it doesn't match, move on to the next one... If it does match then it may be denied or permitted depending on the route-map statement. Because you can have...

route-map xxxxxx permit or

route-map xxxxxx deny

so.....

Route-map test permit 5 calls to match a specific prefix - 10.10.0.0/16 this seems to be permitted

if no match found move to next line (10)

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 to be permitted

if no match found move to next line (20)

Route-map test permit 20 calls on a prefix list route-filter which sets the AS path prepend which is permited.

This route-map prepends all other prefix's with 65100 except for the prefix's in the route filter one (which are deny statements - so the logic is "not these prefix's") - which may not even be advertised.

Everything else will be denied (although line 20 is like your catch all by the looks of it)

So everything apart from the prefix's in route-filter set an AS-PATH prepend of 65100 to anything else.

Hope this makes it more clear.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

r.gasper · ‎05-01-2014

Thanks Bilal..

last question, does this mean that 10.10.0.0/16 subnets and everything that transits AS65000 also gets its AS path prepended with 65100 as well ?

Thanks

Bilal Nawaz · ‎05-01-2014

Hello Russ,

No, so to explain this - anything that match prefix line 5 and 10 are permitted without anything being done to the routes. (there is no set commands for line 5 and 10)

If I wanted to change the AS-Path for the 10.10.0.0/16 subnet I would have done it in line 5 like this:

route-map test permit 5

match ip address prefix-list path_one_prefer

set as-path prepend xxxx

But this isn't the case and therefor the normal prefix is just matched and permitted.

Route map 20 however, denies the prefix in the prefix list "route-filter" from being set an as-path prepend, BUT all other routes are set with this.

So everything that matches the above statements, without a "set" command, nothing happens to them - they are just simply permitted or denied, its only set that changes/modifies the attributes in the BGP prefix being advertised or in other cases learnt.

Hope this answers your question.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

r.gasper · ‎05-01-2014

Thanks :).. Does route map 20 also deny the networks in the prefix list from being advertised?

Cheers

Russ

Bilal Nawaz · ‎05-01-2014

Hello Russ,

Yes that is indeed the case.

route-map test permit 20

match ip address prefix-list route-filter

set as-path prepend 65100

!

ip prefix-list route-filter seq 10 deny 172.130.1.0/28

ip prefix-list route-filter seq 15 deny 172.131.1.248/29

ip prefix-list route-filter seq 20 deny 172.200.128.0/27

In the route-map lines 20 - it is set to "match ip address prefix-list route-filter"

Since the deny is in place in the prefix list, take it as "Not these ones"

Everything else is permitted and AS-Path prepended.

After line 20 there is no other - ACL logic - explicit deny - so if there is no match, its a deny, so the prefix's in the prefix-list "route-filter" are not advertised.

This line 20 seems to be the "catch all" other routes except for these ones i.e. that prefix list, and prepend them.

Check the routes you are advertising them as I stated in my first post with "show ip bgp neigh x.x.x.x advertised-routes" which should correlate with the route-map applied to your BGP peer.

Hope this makes it clear.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.