08-14-2012 03:29 PM - edited 03-07-2019 08:20 AM
I'm watching the CBT nuggets and Jeremy is stating that if you use the following scenario...
access-list 3 permit 192.168.1.0 0.0.0.255
route-map NAME deny 10
match ip address 3
... the route map will deny whatever ACL 3 permits. This makes sense.
However he then goes on to say that this will do the exact same thing:
access-list 3 deny 192.168.1.0 0.0.0.255
route-map NAME permit 10
match ip address 3
However this does not make sense to me. If there is no permit statement in an ACL, then the ACL will match nothing (because of the implicit deny at the end). This means that in this scenario ACL will match nothing and therefore neither will the route-map. Is this correct?
What I think WOULD work is the following:
access-list 3 deny 192.168.1.0 0.0.0.255
access-list 3 permit any
route-map NAME permit 10
match ip address 3
But even if I do this, the ACL 3 will simply match "everything except for 192.168.1.0". This does not exclude the 192.168.1.0 network from matching a later sequence number in the route-map where it may potentially be permitted - thus making it different from the first scenario.
Is what I am writing making any sense?
Oh and one more thing... if I have multiple match statements within a route-map sequence entry, do they all have to match or does only one have to match? (is it an OR/disjunction or an AND/conjunction relationship? ... my tests show that it is conjunctive but confirmation would help)
08-14-2012 03:49 PM
Hi Steven,
However this does not make sense to me. If there is no permit statement in an ACL, then the ACL will match nothing (because of the implicit deny at the end). This means that in this scenario ACL will match nothing and therefore neither will the route-map. Is this correct?
Yes, this is absolutely correct.
But even if I do this, the ACL 3 will simply match "everything except for 192.168.1.0". This does not exclude the 192.168.1.0 network from matching a later sequence number in the route-map where it may potentially be permitted - thus making it different from the first scenario.
This is correct if there is another block of the route-map present. However, if we remain strictly with your current configuration of:
access-list 3 deny 192.168.1.0 0.0.0.255
access-list 3 permit any
route-map NAME permit 10
match ip address 3
then the block 10 of the route-map permits anything that ACL 3 permits, and objects not permitted by ACL 3 will be dropped by the implicit "deny any" of the route-map. Remember that a route-map also ends with an implicit "match all/deny any".
Oh and one more thing... if I have multiple match statements within a route-map sequence entry, do they all have to match or does only one have to match?
If they are of the same type and written in a single statement, then there is a logical OR, so for example:
route-map NAME permit 10
match ip address 1 2 3
will match all objects that match any of the ACLs 1, 2, or 3.
If the match statements are of different types and are present as multiple match statements then there is a logical AND:
route-map NAME permit 10
match ip address 1
match tag 123
This route-map matches only networks that both are permitted by ACL 1 and at the same time are tagged with the tag 123.
Best regards,
Peter
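To make the rules from this thread concrete, here is a small Python model of route-map evaluation that plays through each of the configurations above. It is an added example, not code from the thread or from Cisco; it assumes that "match ip address" against a standard ACL tests the network address of the prefix, that an ACL with no matching entry falls through to its implicit deny, and that a route-map ends with an implicit deny. The networks, ACL numbers and the tag value are invented for the demonstration.

```python
"""Toy model of how Cisco IOS evaluates a route-map against standard ACLs.

Added example, not code from the original thread.  It models the rules
discussed there: an ACL ends with an implicit "deny any"; a route-map ends
with an implicit deny; a sequence's permit/deny applies to whatever its
match clauses select; several ACLs on one "match ip address" line are ORed;
match clauses of different types are ANDed.  Networks, ACL numbers and the
tag value are invented for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    network: IPv4Address
    wildcard: IPv4Address  # Cisco wildcard: 0 bits must match, 1 bits are don't-care


def entry(action: str, network: str, wildcard: str) -> AclEntry:
    return AclEntry(action, IPv4Address(network), IPv4Address(wildcard))


ANY = entry("permit", "0.0.0.0", "255.255.255.255")   # "access-list N permit any"


def acl_permits(entries: List[AclEntry], addr: IPv4Address) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    for e in entries:
        care = ~int(e.wildcard) & 0xFFFFFFFF
        if int(addr) & care == int(e.network) & care:
            return e.action == "permit"
    return False


@dataclass
class Sequence:
    number: int
    action: str                                          # "permit" or "deny"
    ip_address: List[int] = field(default_factory=list)  # "match ip address 1 2 3" (OR)
    tag: Optional[int] = None                            # "match tag 123" (ANDed with the ACL clause)


@dataclass
class Route:
    prefix: IPv4Network
    tag: Optional[int] = None


Verdict = Tuple[str, Optional[int]]   # ("permit"|"deny", sequence number; None = implicit deny)


def evaluate(acls: Dict[int, List[AclEntry]], seqs: List[Sequence], route: Route) -> Verdict:
    """Walk the sequences in order; the first whose clauses all match decides."""
    for s in seqs:
        clauses = []
        if s.ip_address:   # any one of the listed ACLs permitting the prefix satisfies this clause
            clauses.append(any(acl_permits(acls[n], route.prefix.network_address)
                               for n in s.ip_address))
        if s.tag is not None:
            clauses.append(route.tag == s.tag)
        if all(clauses):   # a sequence with no match clauses matches everything
            return s.action, s.number
    return "deny", None    # implicit deny at the end of the route-map


NET = IPv4Network("192.168.1.0/24")
OTHER = IPv4Network("10.0.0.0/8")


def verdicts(acls, seqs, routes=(Route(NET), Route(OTHER))):
    return {str(r.prefix): evaluate(acls, seqs, r) for r in routes}


def scenario_deny_what_acl_permits():
    """access-list 3 permit 192.168.1.0 0.0.0.255 / route-map NAME deny 10, match ip address 3"""
    acls = {3: [entry("permit", "192.168.1.0", "0.0.0.255")]}
    return verdicts(acls, [Sequence(10, "deny", ip_address=[3])])


def scenario_acl_with_only_deny():
    """access-list 3 deny 192.168.1.0 0.0.0.255 / route-map NAME permit 10, match ip address 3"""
    acls = {3: [entry("deny", "192.168.1.0", "0.0.0.255")]}
    return verdicts(acls, [Sequence(10, "permit", ip_address=[3])])


def scenario_deny_then_permit_any(with_catch_all: bool):
    """ACL 3: deny 192.168.1.0/24, permit any; seq 10 permit; optionally a seq 20 permit with no match."""
    acls = {3: [entry("deny", "192.168.1.0", "0.0.0.255"), ANY]}
    seqs = [Sequence(10, "permit", ip_address=[3])]
    if with_catch_all:
        seqs.append(Sequence(20, "permit"))
    return verdicts(acls, seqs)


def scenario_multiple_match_clauses():
    """seq 10 permit: match ip address 1 2 (OR) together with match tag 123 (AND)."""
    acls = {1: [entry("permit", "192.168.1.0", "0.0.0.255")],
            2: [entry("permit", "10.0.0.0", "0.255.255.255")]}
    seqs = [Sequence(10, "permit", ip_address=[1, 2], tag=123)]
    routes = (Route(NET, tag=123), Route(OTHER, tag=123), Route(NET, tag=5),
              Route(IPv4Network("172.16.0.0/12"), tag=123))
    return {f"{r.prefix} tag {r.tag}": evaluate(acls, seqs, r) for r in routes}


if __name__ == "__main__":
    print("ACL permit, route-map deny:     ", scenario_deny_what_acl_permits())
    print("ACL deny only, route-map permit:", scenario_acl_with_only_deny())
    print("deny + permit any, seq 10 only: ", scenario_deny_then_permit_any(False))
    print("deny + permit any, plus seq 20: ", scenario_deny_then_permit_any(True))
    print("OR within a line, AND across:   ", scenario_multiple_match_clauses())
```

Running it shows the asymmetry Steven spotted: the first configuration denies 192.168.1.0/24 at sequence 10 and everything else falls to the implicit deny; the second matches nothing at all; the "deny, then permit any" ACL only keeps 192.168.1.0/24 out as long as no later sequence exists, because adding a bare "permit 20" lets that prefix through at sequence 20.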