
Weird Route Map Behavior

hfakoor222
Spotlight

On R2, the route map in permit 20 permits the route that was denied in deny 10:

!
interface Ethernet0/3
 no ip address
 shutdown
!
!
router eigrp 1
 distribute-list route-map FILTER_IN in
 network 192.168.0.0 0.0.255.255
 network 192.168.12.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list standard NET_1
 deny 1.1.1.0 0.0.0.255
 permit any
!
!
ip prefix-list SMALL_PREFIXES seq 5 permit 172.16.0.0/16 ge 26
no cdp log mismatch duplex
!
route-map FILTER_IN permit 10
 match ip address NET_1
!
!
!
control-plane

 logging synchronous
line vty 0 4
 login
 transport input all
!

 

With no route-map permit 20, the 1.1.1.0 network is not in the table.

Now I do this:

route-map FILTER_IN permit 10
 match ip address NET_1
!
route-map FILTER_IN permit 20 (I added this)
!
!

 

Now 1.1.1.0 is in the table.


 

 

What is the logic behind this? Since 1.1.1.0 is already denied in permit 10, even though permit 20 matches everything, it's strange to me that it is letting in 1.1.1.0. Does anyone have insight as to whether this is a design choice, or simply because of the permit all for permit 20 of the route map?


It is not an issue of the route-map; it is an issue of the ACL.

Can you check show ip eigrp topology on the router that originates this prefix? What are the mask and subnet?

You need to use the same mask and subnet.

And again, friend, try to avoid using an ACL to filter prefixes; use a prefix-list.

MHM

I deleted the lab, this was the only part bugging me, and I deleted it once finished

Hello,

it does not look logical indeed. Apparently the second 'catch-all' route map entry allows everything and overrides the 'deny' statement in the first route-map statement. In theory, the processing of the route map should stop after the first match.

Not sure if this is a bug or by design. The second route map statement is, obviously, redundant and not necessary...

This was taken from networklessons EIGRP filtering lesson:

https://networklessons.com/eigrp/eigrp-route-map-filtering

 

It didn't look like a bug; he seems to have done it intentionally. Maybe I missed something along the way. MHM mentioned a good point: it could have been related to the application of the ACL. However, if this was the case, why would it get blocked at permit 10?

 

Actually, I analyzed this issue but forgot to write the answer.


Now:

First, the route-map without permit 20.

The 1.0.0.0 matches the ACL, but this ACL entry is a deny, so the route-map doesn't take any action and it checks the next route-map line, and since there are no more lines here, the prefix has no effect.

Note: the 1.0.0.0 hits the first ACL line, so it does not check permit any in the same ACL.

Second, the route-map with permit 20.

Here, as above, since the ACL line is a deny, the route-map checks the next route-map line, and here there is one, and any route-map permit without a match means allow anything, so 1.0.0.0 is advertised.

MHM

The solution, if you still want to use an ACL, is:

route-map mhm deny 10
 match ip address 10
route-map mhm permit 20
!
ip access-list standard 10
 permit 1.0.0.0 0.0.0.255

MHM

Hello,

in the Networklessons lab, they don't use the second 'catch-all' route map entry, but it shouldn't matter, in theory, whether you use it or not, because the route should have been caught and subsequently denied by the first entry.

I am not sure if you have a valid account for Networklessons, but if you do, maybe you can ask Rene why it works the way it works. I tried to debug the route maps, but nothing really showed up...if you get an answer, post it here, it would be interesting to see.

Hello
The logic, I believe, is:
With a route-map that permits and an ACL that denies, the route-map match is not found; as such, the next route-map stanza is checked. However, if you use a route-map with a deny clause and an ACL that permits, then the route will be filtered.

Example:
access-list 1 permit 1.1.0.0 0.0.0.255
route-map FILTER_IN deny 10
 match ip address 1
route-map FILTER_IN permit 100


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
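
The clause-by-clause evaluation discussed in this thread, as an added example that is not part of any post: a small Python model of how a route-map used as a distribute-list treats the result of a standard ACL. It assumes first-match ACL semantics with an implicit deny, and that a clause with no match statement matches every route; the ACL name BLOCK_1 and the 2.2.2.0 test route are constructed for illustration.

```python
import ipaddress

def acl_verdict(acl, network):
    """Standard ACL: the first entry whose address/wildcard covers the network wins."""
    addr = int(ipaddress.ip_address(network))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action
    return "deny"  # implicit deny at the end of every ACL

def route_map_verdict(route_map, acls, network):
    """Return (action, sequence) of the first clause that matches the network."""
    for seq, action, acl_name in sorted(route_map, key=lambda clause: clause[0]):
        # A clause with no match statement matches every route.
        # An ACL "deny" only means "this clause does not match": fall through.
        if acl_name is None or acl_verdict(acls[acl_name], network) == "permit":
            return action, seq
    return "deny", None  # no clause matched: implicit deny of the route-map

ANY = ("permit", "0.0.0.0", "255.255.255.255")
ACLS = {
    # NET_1 as posted in the question
    "NET_1": [("deny", "1.1.1.0", "0.0.0.255"), ANY],
    # Constructed ACL for the "deny clause + permit ACL" pattern from the replies
    "BLOCK_1": [("permit", "1.1.1.0", "0.0.0.255")],
}

# (sequence, clause action, ACL referenced by "match ip address" or None)
ORIGINAL = [(10, "permit", "NET_1")]
WITH_PERMIT_20 = [(10, "permit", "NET_1"), (20, "permit", None)]
DENY_CLAUSE = [(10, "deny", "BLOCK_1"), (20, "permit", None)]

if __name__ == "__main__":
    for name, rmap in [("ORIGINAL", ORIGINAL),
                       ("WITH_PERMIT_20", WITH_PERMIT_20),
                       ("DENY_CLAUSE", DENY_CLAUSE)]:
        for net in ("1.1.1.0", "2.2.2.0"):  # 2.2.2.0 is a constructed control route
            action, seq = route_map_verdict(rmap, ACLS, net)
            where = f"clause {seq}" if seq is not None else "implicit deny"
            print(f"{name:15} {net:8} -> {action} ({where})")
```

In the model, 1.1.1.0 is dropped in the first configuration only because nothing after clause 10 matches it; once an empty permit 20 exists, that clause accepts it, which matches the routing table change reported in the question.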