Solved: Spinning in circles with route-maps

steven.crutchley · ‎08-14-2012

I'm watching the CBT nuggets and Jeremy is stating that if you use the following scenario...

access-list 3 permit 192.168.1.0 0.0.0.255

route-map NAME deny 10

match ip address 3

... the route map will deny whatever ACL 3 permits. This makes sense.

However he then goes on to say that this will do the exact same thing:

access-list 3 deny 192.168.1.0 0.0.0.255

route-map NAME permit 10

match ip address 3

However this does not make sense to me. If there is no permit statement in an ACL, then the ACL will match nothing (because of the implicit deny at the end). This means that in this scenario ACL will match nothing and therefore neither will the route-map. Is this correct?

What I think WOULD work is the following:

access-list 3 deny 192.168.1.0 0.0.0.255

access-list 3 permit any any

route-map NAME permit 10

match ip address 3

But even if I do this, the ACL 3 will simply match "everything except for 192.168.1.0". This does not exclude the 192.168.1.0 network from matching a later sequence number in the route-map where it may potentially be permitted - thus making it different from the first scenario.

Is what I am writing making any sense?

Oh and one more thing... if I have multiple match statements within a route-map sequence entry, do they all have to match or does only one have to match? (is it an OR/disjunction or an AND/conjunction relationship? ... my tests show that is conjunctive but confirmation would help)

Peter Paluch · ‎08-14-2012

Hi Steven,

However this does not make sense to me. If there is no permit statement  in an ACL, then the ACL will match nothing (because of the implicit deny  at the end). This means that in this scenario ACL will match nothing  and therefore neither will the route-map. Is this correct?

Yes, this is absolutely correct.

But even if I do this, the ACL 3 will simply match "everything except  for 192.168.1.0". This does not exclude the 192.168.1.0 network from  matching a later sequence number in the route-map where it may  potentially be permitted - thus making it different from the first  scenario.

This is correct if there is another block of the route-map present. However, if we remain strictly with your current configuration of:

access-list 3 deny 192.168.1.0 0.0.0.255

access-list 3 permit any any

route-map NAME permit 10

match ip address 3

then the block 10 of the route-map permits anything what ACL 3 permits, and objects not permitted by ACL 3 will be dropped by the implicit "deny any" of the route-map. Remember that a route-map also ends with implicit "match all/deny any".

Oh and one more thing... if I have multiple match statements within a  route-map sequence entry, do they all have to match or does only one  have to match?

If they are of the same type and written in a single statement, then there is a logical OR, so for example:

route-map NAME permit 10

match ip address 1 2 3

will match all objects that match any of the ACLs 1, 2, or 3.

If the match statements are of different types and are present as multiple match statements then tere is a logical AND:

route-map NAME permit 10

match ip address 1

match tag 123

This route-map matches only networks that both are permitted by ACL 1 and at the same time are tagged with the tag 123.

Best regards,

Peter

View solution in original post

Peter Paluch · ‎08-14-2012

Hi Steven,

However this does not make sense to me. If there is no permit statement  in an ACL, then the ACL will match nothing (because of the implicit deny  at the end). This means that in this scenario ACL will match nothing  and therefore neither will the route-map. Is this correct?

Yes, this is absolutely correct.

But even if I do this, the ACL 3 will simply match "everything except  for 192.168.1.0". This does not exclude the 192.168.1.0 network from  matching a later sequence number in the route-map where it may  potentially be permitted - thus making it different from the first  scenario.

This is correct if there is another block of the route-map present. However, if we remain strictly with your current configuration of:

access-list 3 deny 192.168.1.0 0.0.0.255

access-list 3 permit any any

route-map NAME permit 10

match ip address 3

then the block 10 of the route-map permits anything what ACL 3 permits, and objects not permitted by ACL 3 will be dropped by the implicit "deny any" of the route-map. Remember that a route-map also ends with implicit "match all/deny any".

Oh and one more thing... if I have multiple match statements within a  route-map sequence entry, do they all have to match or does only one  have to match?

If they are of the same type and written in a single statement, then there is a logical OR, so for example:

route-map NAME permit 10

match ip address 1 2 3

will match all objects that match any of the ACLs 1, 2, or 3.

If the match statements are of different types and are present as multiple match statements then tere is a logical AND:

route-map NAME permit 10

match ip address 1

match tag 123

This route-map matches only networks that both are permitted by ACL 1 and at the same time are tagged with the tag 123.

Best regards,

Peter