Route-map <--> access-list

enderkaran
Level 1

Hello Friends,

I am studying ACLs and route-maps. While I was doing a lab on GNS I faced a problem. My purpose is to deny "Telnet" packets. If I create an ACL and apply it to the interface, it is OK. All telnet attempts are denied.

But if I place the same ACL under a route-map and then apply the route-map under the interface, the route-map is not working. Telnet is not denied. Where am I making a mistake?

******

ip access-list extended TELNET
 deny tcp any any eq telnet

interface Serial1/1
 ip address 20.0.0.2 255.255.255.0
 ip access-group TELNET in

this configuration works fine,

R3#sh access-lists
Extended IP access list TELNET
    10 permit tcp any any eq telnet (145 matches)

----------

ip access-list extended TELNET
 permit tcp any any eq telnet
!
route-map DenyTEL deny 10
 match ip address TELNET
!
interface Serial1/1
 ip address 20.0.0.2 255.255.255.0
 ip policy route-map DenyTEL

This config doesn't work, and the route-map doesn't deny telnet attempts. Can you please help me to solve this problem?

Accepted Solution

Amit Singh
Cisco Employee

Hello,

- The ACL represents the condition to meet.

- The route map determines the action to take when the conditions are met.

The deny action in a route-map has a different behaviour for policy routing and redistribution.

When used for policy routing and the packet matches a deny sequence, the packet is not policy routed but is sent to the normal routing process for forwarding.

When used for redistribution and the route matches a deny sequence, the route is not redistributed.

Cheers,

-amit singh


6 Replies

cadet alain
VIP Alumni

Hi,

Route-maps are not used for traffic filtering.

Regards.

Alain

Don't forget to rate helpful posts.

A route-map basically works on match and set criteria and can be used for multiple things: QoS, PBR, route tagging. Your first way, putting an ACL on the interface to block telnet traffic, was correct.

Thanks

Ajay

Richard Burts
Hall of Fame

I am puzzled by some things in your post. When you tell us about your access list it shows that it is denying telnet:

ip access-list extended TELNET
 deny tcp any any eq telnet

But the output of your show access-lists shows that it is permitting telnet:

R3#sh access-lists
Extended IP access list TELNET
    10 permit tcp any any eq telnet (145 matches)

Also note that if the access list has only a single line as you show it, then the telnet traffic would be permitted or denied but no other traffic would be allowed through (because of the implicit deny all at the end of the access list). So be very careful about applying such an access list on a router.

The reason that the route map is not working is that this route map is used in Policy Based Routing:

interface Serial1/1
 ip policy route-map DenyTEL

Policy Based Routing will affect how traffic is routed but will not permit or deny traffic coming through the interface. If you want to filter traffic then you need to use an access-list and access-group, not a route map for Policy Based Routing.

HTH

Rick

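As an added illustration (not posted by anyone in this thread), a small Python model of the two evaluation paths Amit and Rick describe: an interface ACL drops on deny and ends with an implicit deny, while a deny sequence in a PBR route-map only hands the packet back to normal routing. The Packet and AclEntry classes are constructed here and model only the `tcp ... eq <port>` and `ip any any` forms used in the thread.

```python
# Added example, not from the original thread: models IOS evaluation of an
# interface ACL (ip access-group) versus a PBR route-map (ip policy route-map).
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


def acl_result(acl: List[AclEntry], pkt: Packet) -> str:
    """ip access-group semantics: first matching entry wins; if nothing
    matches, the implicit 'deny any' at the end of every ACL applies."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# A route-map is a list of (sequence action, match ACL) pairs.
RouteMap = List[Tuple[str, List[AclEntry]]]


def pbr_result(route_map: RouteMap, pkt: Packet) -> str:
    """ip policy route-map semantics: a sequence 'matches' only when its match
    ACL permits the packet. A matching permit sequence policy-routes the packet;
    a matching deny sequence, or no match at all, sends the packet to the normal
    routing table. The route-map itself never drops anything."""
    for action, match_acl in route_map:
        if acl_result(match_acl, pkt) == "permit":
            return "policy-routed" if action == "permit" else "normal-routing"
    return "normal-routing"
```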


Amit

I agree with you that the logic of route maps where the route map statement uses deny is more complex and difficult than when the route map uses permit. And I like your suggested replacement route map better than the original. But I still maintain that using a route map and PBR will not prevent telnet. And the original poster was quite clear about what his requirement is:

My purpose is to deny "Telnet" packets.

I do not think that PBR and a route map can do this. For this purpose you need an access-list and access-group.

HTH

Rick


enderkaran
Level 1

Hi Richard, you are really careful. I didn't take those captures, as my Dynamips had crashed. I wrote them again manually and at that moment I made a mistake.

I got the idea about the differences between policy maps and ACLs. Thanks to each of you.