03-14-2013 07:17 AM - edited 03-07-2019 12:14 PM
I am currently looking at a proposed use of a couple of route map configs and wonder if anybody could help with a question I have.
In the route maps there is a standard ACL configured to allow a specific network's traffic. This ACL is then picked up using the 'match ip address' command in the Route Map.
My question is, if any other network traffic is received other than that permitted by the ACL used by the Route Map, will it get dropped?
Reading Cisco's information about Route Maps states that they do not have an 'implicit deny' statement.
Thank you all in advance
Chris
03-14-2013 07:30 AM
Hi Chris,
There is an implicit deny in the route-maps. In your case, if the route-map looks like this:
route-map TEST permit 10
match ip address 1
All the networks that will not match the access-lists will not be allowed. If, on the other hand, you want to deny just some networks and allow the rest, the config would be:
route-map TEST deny 10
match ip address 1
route-map TEST permit 20
The second sentence will be empty allowing the rest of the networks.
Hope this helps
Jose.
03-14-2013 07:58 AM
Jose,
Thanks for your reply, that's exactly what I was afraid of, and understood it to be.
Here is what the policy looks like...
access-list 22 permit 192.168.32.0 0.0.0.255
route-map TEST1 permit 10
match ip address 22
set ip next-hop xx.xx.xx.xx
ip policy route-map TEST1
So looking at your solution, how would the route-map look if I wanted to allow, say, traffic from a 192.168.40.0/24 network?
Chris
03-14-2013 08:04 AM
Hi,
Source IPs not in 192.168.32.0/24 will be forwarded following the info in the routing table. In PBR route-maps there's no need for an implicit permit statement, because what is not matching the explicit permit statements will get caught by the implicit deny, and so they will not be policy routed but will use the normal FIB table for transit traffic.
Regards
Alain
Don't forget to rate helpful posts.
03-14-2013 07:36 AM
Hi,
What is the role of this route-map? In some cases you'll have to use an implicit empty clause with permit to override the explicit deny clause in route-maps.
Regards
Alain
Don't forget to rate helpful posts.
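The replies above describe the same implicit deny in two contexts: route filtering, where an unmatched network is not allowed, and PBR, where an unmatched packet falls back to the normal routing table. The following Python model is an added example, not part of any post in this thread; the tuple layout and function names are assumptions, and the second ACL set is constructed to show 192.168.40.0/24 being added to access-list 22.

```python
import ipaddress

# Constructed data modelled on the thread: access-list 22 and route-map TEST1.
ACLS = {22: [("permit", "192.168.32.0/24")]}
ACLS_WITH_40 = {22: [("permit", "192.168.32.0/24"),
                     ("permit", "192.168.40.0/24")]}
TEST1 = [(10, "permit", 22)]  # (sequence, action, ACL number or None if empty)

def acl_permits(acl, addr):
    """Standard ACL: first matching entry wins, no match is an implicit deny."""
    for action, net in acl:
        if addr in ipaddress.ip_network(net):
            return action == "permit"
    return False

def route_map_action(route_map, acls, addr):
    """Action of the first clause whose match succeeds.

    A clause without a match statement matches everything; falling off the
    end of the route-map is the implicit deny.
    """
    for _seq, action, acl_no in sorted(route_map, key=lambda c: c[0]):
        if acl_no is None or acl_permits(acls[acl_no], addr):
            return action
    return "deny"

def pbr_decision(route_map, acls, src_ip):
    """PBR context: deny means 'do not policy-route', not 'drop'."""
    src = ipaddress.ip_address(src_ip)
    if route_map_action(route_map, acls, src) == "permit":
        return "policy-routed"   # the set ip next-hop is applied
    return "normal-routing"      # forwarded using the routing table

def filter_decision(route_map, acls, prefix):
    """Route-filtering context: deny means the network is not allowed."""
    net = ipaddress.ip_network(prefix).network_address
    if route_map_action(route_map, acls, net) == "permit":
        return "permitted"
    return "filtered"

if __name__ == "__main__":
    for ip in ("192.168.32.7", "192.168.40.7"):
        print(ip, pbr_decision(TEST1, ACLS, ip),
              pbr_decision(TEST1, ACLS_WITH_40, ip))
    print(filter_decision(TEST1, ACLS, "192.168.40.0/24"))
```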