Solved: Route-Map with ACLs - - - - permit or deny

Andrew M12 · ‎02-22-2012

Question on redistribution via route-map and ACLs, I have 3 routers in the lab topology connected by serials like so

So I'm just learning redistribution and the end result here is for R3 to have routes for 10.3.3.0 and 192.168.1.0 with a metric of 150 and tag of 10, whilst the 10.4.4.0 is going to be denied.

The 10.4.4.0 does NOT show successfully with this config on R2

conf t

access-list 1 permit 10.4.4.0 0.0.0.255

!

route-map TEST deny 5

match ip add 1

route-map TEST permit 10

set metric 150

set tag 10

!

router ospf 1

redistribute eigrp 100 subnets route-map TEST

!

R3#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.1.0 is directly connected, Serial0/0

However, if I try to use a deny ACL and a permit sequence on the route-map it gets through and gets the metric of 150 and tag of 10 with the below config

conf t

access-list 1 deny 10.4.4.0 0.0.0.255

!

route-map TEST permit 5

match ip add 1

route-map TEST permit 10

set metric 150

set tag 10

!

router ospf 1

redistribute eigrp 100 subnets route-map TEST

!

R3#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is subnetted, 1 subnets

C 172.16.1.0 is directly connected, Serial0/0

10.0.0.0/24 is subnetted, 2 subnets

O E2 10.4.4.0 [110/150] via 172.16.1.2, 00:00:05, Serial0/0

O E2 10.3.3.0 [110/150] via 172.16.1.2, 00:00:05, Serial0/0

O E2 192.168.1.0/24 [110/150] via 172.16.1.2, 00:00:05, Serial0/0

R3#

R3#sh ip route 10.4.4.0

Routing entry for 10.4.4.0/24

Known via "ospf 1", distance 110, metric 150

Tag 10, type extern 2, forward metric 64

Last update from 172.16.1.2 on Serial0/0, 00:00:14 ago

Routing Descriptor Blocks:

* 172.16.1.2, from 192.168.1.1, 00:00:14 ago, via Serial0/0

Route metric is 150, traffic share count is 1

Route tag 10

R3#

Both configs should block the 10.4.4.0,.....the first one is denying a permit, the second one is permitting a deny. But why in the second config does the route-map then go onto the next sequence and let 10.4.4.0 through and give it the metric and tag?

Am I missing something simple in the logic of route-maps?

daudparvez · ‎02-22-2012

Hi Andrew,

I can answer your second question : "But why in the second config does the route-map then go onto the next sequence and let 10.4.4.0 through and give it the metric and tag?"

Lets see your second configuration:

conf t

access-list 1 deny 10.4.4.0 0.0.0.255

!

route-map TEST permit 5

match ip add 1

route-map TEST permit 10

set metric 150

set tag 10

!

router ospf 1

redistribute eigrp 100 subnets route-map TEST

!

In this case the ACL is actually denying all the routes since there is an Implicit Deny (deny any) at the last of every ACL. Thus all the routes are matched by this ACL with a Deny Statement. This is why, the Route Map statement no. 5 is not applicable to any route including 10.4.4.0/24. Due to this reason, all the routes are tested on Route Map Statement No. 10 which matches all routes since it does not have any match clause. Thats why all the routes including 10.4.4.0/24 are redistributed and get metric=50 and tag=10.

As far as the first scenario is concerned, I really cannot find any reason for the behaviour. May be someone else can point out the reason.

HTH

View solution in original post

Andrew M12 · ‎02-22-2012

Never mind, been searching through route-map material for a few hours before posting this....then I post the question above and 5minutes later my answer jumps out at me

For anyone interested here are the route-map rules to pay attention to (mainly the 3rd one)

If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.
If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.
If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

So my conclusion on this is if you want to use route-maps and ACLs to block a network from being redistributed then the simplest way is to route-map deny an ACL permit.

I just tested it out and the only way I can get it to work with a route-map permit on an ACL deny is if in the route-map the permit sequence is the last sequence matching the deny ACL.....and all the route-map sequences that come before it do NOT match the network you want to deny. Hope that makes sense

daudparvez · ‎02-22-2012

Hi Andrew,

I can answer your second question : "But why in the second config does the route-map then go onto the next sequence and let 10.4.4.0 through and give it the metric and tag?"

Lets see your second configuration:

conf t

access-list 1 deny 10.4.4.0 0.0.0.255

!

route-map TEST permit 5

match ip add 1

route-map TEST permit 10

set metric 150

set tag 10

!

router ospf 1

redistribute eigrp 100 subnets route-map TEST

!

In this case the ACL is actually denying all the routes since there is an Implicit Deny (deny any) at the last of every ACL. Thus all the routes are matched by this ACL with a Deny Statement. This is why, the Route Map statement no. 5 is not applicable to any route including 10.4.4.0/24. Due to this reason, all the routes are tested on Route Map Statement No. 10 which matches all routes since it does not have any match clause. Thats why all the routes including 10.4.4.0/24 are redistributed and get metric=50 and tag=10.

As far as the first scenario is concerned, I really cannot find any reason for the behaviour. May be someone else can point out the reason.

HTH

Andrew M12 · ‎02-22-2012

Hi Daud

Thanks for the input but I think you have it wrong. In the second config the reason the 10.4.4.0 is not being dealt with in route-map seq 5 is because it is a route-map permit on a deny ACL and as per Cisco wording then this clause is not matched and it moves onto the next seq in the route-map which in this case is seq 10 which catches all traffic not previously matched,…and 10.4.4.0 now drops into this match statement due to no previous matching.

Cisco Wording = If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

As for the first scenario, the behaviour is correct, there is no problem on that one. My confusion was always with the second scenario.

You are right on ACLs having an explicit deny, but in this case the 10.4.4.0 was matched already by it and then route-map rules took over.

Also if you or anyone is interested (been reading a lot since my posting), route-maps have their own explicit deny at the end of them. Doesn’t come into play in my 2 examples I believe as I think my seq 10 is like the route-map equivalent of a ‘permit any’ ACL statement as it is catching everything else I haven’t explicitly matched with the ACL.

That’s my understanding of it all, thanks again for your input

Andrew

Andrew M12 · ‎03-02-2012

What I said is right however have been going over more info and testing in my lab on this one and Dauds information is 100% relevant.

As there was the explicit deny on that access-list then the rule I mentioned comes into play. That rule again is

Cisco Wording =If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

As everything got denied by the acl the route-map just skips to the next sequence which is 10 and the 10.4.4.0 was seen as just another network by that sequence and given a metric and tag.

The config needs to be changed to the below for it to work how I want it, bolded the changes

conf t

access-list 1 deny 10.4.4.0 0.0.0.255

access-list 1 permit any

!

route-map TEST permit 5

match ip add 1

set metric 150 <----- moved from sequence 10

set tag 10 <----- moved from sequence 10

!

no route-map TEST permit 10 <------this sequence is now not needed

!

router ospf 1

redistribute eigrp 100 subnets route-map TEST

!

So the access-list will match the 10.4.4.0 and deny it, then allow all other traffic

In route-map sequence 5 it will use the access-list and see that 10.4.4.0 is denied, it will then move to all the allowed traffic and set the metric and tag on it

Route-map sequence 10 previously was for catching all other traffic but now the access-list and sequence 5 have that covered it is no longer needed.

Thankyou Daud for your input, just took me a while to click with the relevance of what you told me.