Access list and prefix list in the route-map

Hi Experts

I need some help clarifying what happens when an access list is referenced in a route-map instead of a prefix list.

I have a route-map, route_from_DeviceB, on Device A to control the inbound prefixes from Device B.

Now, to allow the target prefixes, I created the prefix list (route_from_DeviceB) on Device A but referenced an access list with the same name (match ip address route_from_DeviceB) instead of the prefix list (match ip address prefix-list route_from_DeviceB).

For example:

    ip prefix-list route_from_DeviceB seq 10 permit 10.1.1.0/24
    !
    route-map route_from_DeviceB permit 10
     match ip address route_from_DeviceB
    !
    route-map route_from_DeviceB deny 1000

Question: I want to know the impact of this. Will it allow everything from Device B instead of filtering to the specific prefix list, because I referenced an access list (which does not exist) with the same name by mistake instead of the prefix list (which does exist)?

Regards

Gurbinder

Accepted Solution

Harold Ritter
Spotlight

Hi @Gurbinder-Kabbay ,

Referencing a non-existent ACL in a route-map match statement makes that match statement ineffective, since this is the only match statement in your route-map, all routes are accepted.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

3 Replies

Hello,

So you referenced an ACL that doesn't exist? Then likely it won't permit that traffic because what you referenced isn't configured. By default, a route-map has an implicit deny but you have also configured a deny so that's what the policy will hit.

-David

Royalty
Level 1

Hi @Gurbinder-Kabbay,

As @Harold Ritter has correctly pointed out, when a match statement in a route-map references an access list or prefix list that does not exist (meaning it has not been defined elsewhere in the configuration), IOS treats it as if the match condition is missing entirely. In your case specifically, this would mean that the route-map route_from_DeviceB with sequence 10 will match all routes, effectively allowing everything from Device B.

Since sequence 10 is permitting everything (as discussed above), sequence 1000 (deny) will never be evaluated.

As you have already mentioned, it can be fixed by configuring a match ip address prefix-list <prefix_list_name> statement under the route-map permit 10 sequence. You will have to remove the generic match ip address <ACL_name> statement, as of course you cannot have a prefix list and an access list configured under the same route-map sequence at the same time.

I will point out that you have not provided any configuration for an application to leverage the route-map. That is, the route-map is not applied to any application/feature (e.g. routing protocol), but I am probably correct in assuming you've omitted that for brevity of the post.
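To make the thread's conclusion concrete, here is a small model of IOS route-map evaluation, added as an example and not code from the original thread or from Cisco. It encodes the behaviour described above (a match clause naming an undefined list is dropped, so the sequence matches every route; sequences are evaluated in order and the first match decides; an unmatched route falls to the implicit deny) and runs the poster's broken and corrected route-maps over a constructed set of prefixes "received from Device B". The sample prefixes, the list contents and the third scenario (an ACL that does exist) are assumptions for illustration; ACL entries are written in CIDR form rather than wildcard-mask form to keep the model short.

```python
"""Model of Cisco IOS route-map evaluation for inbound prefix filtering.

Added example, not from the original thread. It reproduces the behaviour
Harold and Royalty describe: a match clause that names a list which was never
defined is ignored, so the sequence matches everything.
"""
from ipaddress import IPv4Network

# Constructed sample of prefixes advertised by Device B (not real data).
RECEIVED = ["10.1.1.0/24", "10.1.1.0/25", "10.2.0.0/16", "192.0.2.0/24"]


def prefix_list_matches(entries, route):
    """IOS prefix-list: first matching entry wins; an entry without ge/le
    matches only that exact prefix AND prefix length. Implicit deny at end."""
    net = IPv4Network(route)
    for action, prefix in entries:
        if net == IPv4Network(prefix):
            return action == "permit"
    return False


def standard_acl_matches(entries, route):
    """IOS standard ACL under 'match ip address': the route's network address
    is tested against the entry, the route's mask length is not checked.
    Entries are written as CIDR (10.1.1.0/24 == permit 10.1.1.0 0.0.0.255)."""
    net = IPv4Network(route)
    for action, prefix in entries:
        if net.network_address in IPv4Network(prefix):
            return action == "permit"
    return False


MATCHERS = {"prefix-list": prefix_list_matches, "acl": standard_acl_matches}


def evaluate_route_map(sequences, defined_lists, route):
    """Walk sequences in order; the first sequence whose match clauses all
    hold decides permit/deny. No sequence matching -> implicit deny.

    sequences: [(seq, action, [(kind, list_name), ...]), ...]
    defined_lists: {(kind, list_name): entries}. ACLs and prefix-lists live in
    separate namespaces, which is exactly why a prefix-list named X does not
    satisfy 'match ip address X'.

    A clause naming a list missing from defined_lists is dropped; an empty
    clause set matches every route (all() of nothing is True).
    """
    for seq, action, clauses in sequences:
        effective = [(k, n) for k, n in clauses if (k, n) in defined_lists]
        hit = all(MATCHERS[k](defined_lists[(k, n)], route) for k, n in effective)
        if hit:
            return seq, action
    return None, "deny"  # implicit deny at the end of every route-map


# Device A as posted: the prefix-list exists, the ACL of the same name does not.
DEFINED = {("prefix-list", "route_from_DeviceB"): [("permit", "10.1.1.0/24")]}

# Assumed third scenario: someone also creates a standard ACL with that name.
ACL_DEFINED = dict(DEFINED)
ACL_DEFINED[("acl", "route_from_DeviceB")] = [("permit", "10.1.1.0/24")]

BROKEN = [  # 'match ip address route_from_DeviceB' -> ACL namespace
    (10, "permit", [("acl", "route_from_DeviceB")]),
    (1000, "deny", []),
]
FIXED = [  # 'match ip address prefix-list route_from_DeviceB'
    (10, "permit", [("prefix-list", "route_from_DeviceB")]),
    (1000, "deny", []),
]


def accepted(route_map, defined=DEFINED):
    """Prefixes from Device B that the route-map lets through."""
    return [r for r in RECEIVED if evaluate_route_map(route_map, defined, r)[1] == "permit"]


if __name__ == "__main__":
    print("broken (ACL undefined):", accepted(BROKEN))       # everything
    print("fixed  (prefix-list):  ", accepted(FIXED))        # 10.1.1.0/24 only
    print("ACL actually defined:  ", accepted(BROKEN, ACL_DEFINED))
```

The third run shows a second trap on the same topic: even when the ACL does exist, a standard ACL matches on the route's network address only, so 10.1.1.0/25 slips through alongside 10.1.1.0/24, whereas the prefix-list entry without ge/le matches the /24 alone. On a real IOS box, `show route-map route_from_DeviceB` lists the match clauses as configured, which is the quickest way to spot a dangling list reference, and after correcting the clause the inbound policy needs a soft reset (`clear ip bgp <neighbor> soft in`) to be re-applied to already received routes.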