cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17105
Views
10
Helpful
9
Replies
Highlighted
Participant

Route-map deny statements with denying access-lists

hello mates,

I can't fully understand one point with route-maps:

if we have a route map that it contains this statement:

route-map fred deny 10

match ip address one

and the access-list named "one" is only denying routes.

So routes in ACL "one" will be permited ? (because its denying to be denied) ? or just non-matched and go down for the other statemets in that route-map ? What's is the default behavior ? can't really find info on the books..

9 REPLIES 9
Highlighted
Rising star

Hi,

(Route-Map) is validated per sequence numbers, its similar to the access-list checklist, if the route-map deny is the first statement , it will deny all traffic for access-list 1 whether the access-list has deny or permit statement, and it will then look for the second sequence number to match.


If there is no other sequence number to match, and (implicit deny all) at the end of any route-map would kick in.

A good reference for Route-map and its configuration would be (Routing TCP/IP book).

HTH

Mohamed

Highlighted

Thanks for reply.

Routing TCP/IP book says:

"The behavior of a "deny" action depends on whether the route map is being used for policy routing or for redistribution. If a route map is being used for redistribution and a route matches a statement with a deny action, the route will not be redistributed. If the route map is being used for policy routing and a packet matches a statement with a deny action, the packet is not policy routed but is passed back to the normal routing process for forwarding. " So yes, it says that u are right Mohamed.

but when i read Wendell Odom (OCG) i got a question:

Router R1 refers to route-map fred when redistributing from EIGRP into OSPF. The entire route-map is listed next. Which of the following answers must be true based on the configuration asshown?

route-map fred deny 10

  match ip address one

route-map fred deny 20

match ip address two

route-map fred permit 100

A. The third route map clause will allow any routes not already filtered by the first two clauses.
B. Routes permitted by ACL "two" will be redistributed.
C. Routes denied by ACL "one" will be redistributed.
D. All routes will be filtereD

Answer is A.

So from "Routing TCP/IP" perspective first two statemts of route-map will deny routes in access-lists without needing two look at ACL statemts (deny or permit). But Wendell Odom expains:

The deny clauses in the route map mean that the route map will filter routes matched by that clause. The permit or deny action of the referenced ACLs just defines whether the route is matched. So, routes permitted by ACL "two" will be matched and then filtered due to the route-map clause deny action. Routes denied by ACL "one" simply do not match the route map clause numbered 10; such routes mayor may not be redistributed depending on the next two clauses. Clause number 100 does not have a match command, meaning it matches all routes not otherwise matched, with a permit action, allowing these routes to be redistributed.

So routes in ACL "one" will be not filtered by that statement...

I got a confusion, help me guys

P.S

also found this in http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml :

  • If you use an ACL in a route-map permit or deny clause, and the ACL             denies a route, then the route-map clause match is not found and the next             route-map clause is evaluated.

    Still confusing..

    P.P.S

    after reading about 5 diff sources i think i found the answer, i Think Wendell is right.

    He states, that if the ACL or Prefix List has the deny statement, it thinks that that MATCH statement is not matched, and goes down to other route-map statements..

  • Highlighted

    Here's a more basic, to the point expanation:

    !---------DENY DISTRIBUTION OF ROUTES THAT RETURN A PERMIT-MATCH ON ACCESS LIST "one"-------

    route-map fred deny 10

      match ip address one

    !---------DENY DISTRIBUTION OF ROUTES THAT RETURN A PERMIT-MATCH ON ACCESS LIST "two"-------

    route-map fred deny 20

    match ip address two

    !---------NO ACL, SO BY DEFAULT THIS IS A "PERMIT-MATCH-ALL"-------

    route-map fred permit 100

  • If you use an ACL in a route-map permit or deny clause, and the ACL             denies a route, then the route-map clause match is not found and the next             route-map clause is evaluated.

    Still confusing..

  • Don't over-think it.  This just means that if a route returns a DENY-MATCH in ACL "one" or "two" then it is ignored by the route map statements 10 & 20 respectively and goes on to the next route-map statement 100, which in its default configuration (no ACL) is a PERMIT-MATCH-ALL and means that it would be processed by statement 100 and will be redistributed.

    Hope that helps.

    Message was edited by: Antonio Knox

    Highlighted

    Thanks Antonio,

    Yes we use this logic on redistribution.

    But on PBR it's a little bit different. If the PBR matches route-map with the deny statement in a route-map or deny in ACL (whatever the route-map statement is) the packet is normaly forwarded instantly - without checking the whole route-map.

    I am right ? :)

    Highlighted

    If the PBR matches route-map with the deny statement in a route-map or deny in ACL (whatever the route-map statement is) the packet is normaly forwarded instantly - without checking the whole route-map.

    I am right ?

    That is incorrect.  Take a look at my previous explanation, in most cases it's the same concept, regardless of how the route map is applied.  In the case of PBR, you could essentially take the same previous explanation and replace the word '(re)distribute' with the term 'forward per PBR policy'.  The ACL will ALWAYS be referenced when a 'match' statement is used (whether route-map permit or deny is used), and the route-map will process traffic according to the first ACL match found (permit, deny or implicit-deny).  And again, in the case of either deny-match type, processing for that route-map statement ends and processing proceeds on to the next route-map statement.

    Hope that makes sense.

    Highlighted
    Beginner

    here's how route-maps work:

    lets take your route map for example. you have a deny on your route map. this will "deny" all that is matched by acl "one". so if acl "one" is denying, say some subnets and passing others then you are also "denying" those same subnets on the route-map. the deny on a route map is defined on how you use the route map. for example you apply the route map in BGP using redistribution you deny those subnets from being redistributed.

    in my own opinion it is best to use an ACL that "permits" unless totally necessary to use a deny when applying the ACL to a match statement on a route-map. to me it avoids confusion in interpreting the action of the route-map.

    HTH

    Highlighted
    Beginner

    If you perform a deny on an ACL and then perform a deny on a route map, it will allow what you denied and allow what you permitted.

    access-list 15 deny 10.1.1.0 0.0.0.255

    access-list 15 permit any

    route-map redist-ospf deny 10

       match ip address 15

    The above statement would allow routes from 10.1.1.0 and block all other routes

    Highlighted

    thought its an old post, I came across it and did a lab test. below is the result

    Topology               R1 -------R2


    Case_1
    @r1
    router bgp 65010
    address-family vpnv4
    neighbor 10.190.0.1 route-map PERMIT out

    ip prefix-list 10_70_0_LP_150 seq 5 permit 10.70.0.0/24
    ip prefix-list 10_70_0_LP_150 seq 10 deny 10.70.1.0/24
    ip prefix-list 10_70_1_LP_160 seq 5 permit 10.70.1.0/24

    route-map PERMIT permit 10
    match ip address prefix-list 10_70_0_LP_150
    set local-preference 150
    route-map PERMIT permit 20
    match ip address prefix-list 10_70_1_LP_160
    set local-preference 160

    Result:
    R2#sh ip bgp vpnv4 all neighbors 10.255.194.52 routes
    Network Next Hop Metric LocPrf Weight Path
    *>i 10.70.0.0/24 10.255.194.52 0 150 0 ?
    *>i 10.70.1.0/24 10.255.194.52 0 160 0 ?

    => prefix - 10.70.0.0/24 is matched in route-map "route-map PERMIT permit 10" as it is permited in prefix list 10_70_0_LP_150
    => prefix - 10.70.1.0/24 is matched in route-map "route-map PERMIT permit 20" although it is denied in prefix list 10_70_0_LP_150


    Case_2
    @r1
    router bgp 65010
    address family vpnv4
    neighbor 10.190.0.1 route-map DENY out

    ip prefix-list 10_70_0_LP_150 seq 5 permit 10.70.0.0/24
    ip prefix-list 10_70_0_LP_150 seq 10 deny 10.70.1.0/24

    ip prefix-list 10_70_1_LP_160 seq 5 permit 10.70.1.0/24

    route-map DENY deny 10
    match ip address prefix-list 10_70_0_LP_150
    set local-preference 150
    route-map DENY permit 20
    match ip address prefix-list 10_70_1_LP_160
    set local-preference 160

    Result:
    R2#sh ip bgp vpnv4 all neighbors 10.255.194.52 routes
    Network Next Hop Metric LocPrf Weight Path
    *>i 10.70.1.0/24 10.255.194.52 0 160 0 ?

    =>prefix - 10.70.0.0/24 is matched and denied in route-map "route-map DENY deny 10" as it is permited in prefix list 10_70_0_LP_150
    => prefix - 10.70.1.0/24 is matched in route-map "route-map DENY permit 20" although it is denied in prefix list 10_70_0_LP_150

     

    Conclusion:
    1. permited route in access-list is actioned as per route-map's permit or deny action
    2. denied route in access-list will be evaluated in next statement of the route-map irrespective of permit or deny action in current route-map statement.

     

     

    Highlighted

    If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

     

    The above is stated in the document: - https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/49111-route-map-bestp.html

     

    So, the answer is that there is no match, and the next route-map statement will be evaluated.

    Content for Community-Ad