Route-map & access list question

Answered Question

Can someone please tell me what these three router config items are doing?

We have a router-on-a-stick environment.

We have an IP policy statement on the Ethernet 0/0:

IP policy route-map EDI

We have a route-map definition that looks like this:

route-map EDI permit 10

match ip add EDI-Fuse

set ip next-hop 10.49.1.2

We have a long extended ACL that has both permit and deny statements in it. For simplicity I have just one of the denies and one of the permits. The list of denies is first, if that makes a difference:

deny ip any 10.0.0.0 0.255.255.255

permit ip host 10.49.2.183 host 12.163.226.2

Correct Answer by Edison Ortiz about 7 years 9 months ago

Correct?

Yes. It's not a security ACL.

__

Edison.


Edison Ortiz Mon, 03/30/2009 - 10:51

John,

It's changing the next hop on packets arriving on the E0/0 interface from the next hop that would be used from the routing table.

For more information on Policy-Based Routing (PBR), please refer to the documentation:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056703

Based on your ACL:

deny ip any 10.0.0.0 0.255.255.255

traffic won't be PBR'd and the next hop on those packets will be the one on the routing table while:

permit ip host 10.49.2.183 host 12.163.226.2

will be PBR'd, so the next hop will be 10.49.1.2.

HTH,

__

Edison.

Thanks

I was somewhat confused about how the ACL was being used in PBR. I was thinking that the packet was being dropped, but that did not make sense, so I posted the question. If I understand what you are saying correctly, then the deny statement is saying, "don't change the route, just let it go where it is destined." Whereas the permit is saying, "send this one to the next hop, which is 10.49.1.2." Correct?

Correct Answer
lamav Mon, 03/30/2009 - 10:54

John:

What you are showing us is an example of what is called "policy routing."

Typically, a router makes a forwarding decision based on the destination address of the packet received on its interface.

There are times when a network designer would like the router to make a forwarding decision based on the source IP address instead.

With an extended access list, not only is the source address the concern, but also where the packet is destined.

Take note that policy routing is performed before normal, destination-based routing. So, the route map is going to be activated and it's going to "call" the access list when a packet is received on your e0/0 interface.

With the "match" command, the route map is telling the router, "IF the source is any network and it is destined for the 10.0.0.0/8 network, deny it and do NOT forward it. IF the source is 10.49.2.183 and it's destined for host 12.163.226.2, THEN permit it and SET the next hop to be 10.49.1.2."

Makes sense?

HTH

Victor

lamav Mon, 03/30/2009 - 10:55

Edison, sorry for the cross-post. I was writing mine at the same time. :-)

lamav Mon, 03/30/2009 - 11:28

"If I understand what you are saying correctly then the deny statement is saying; "don't change the route just let it go where it is destined.""

Correct again. Just finish that statement by saying "...let it go where it is destined according to the route table"

Thanks for the rating.

Victor
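To make the conclusion of this thread concrete, here is an added Python model (not anything from the thread or from Cisco IOS) of how the route map, the wildcard-mask ACL and the routing table interact. The ACL entries and the next hop 10.49.1.2 come from the question; the routing-table entries and the test addresses are constructed.

```python
import ipaddress

# ACL modelled on the thread's EDI-Fuse list: (action, src, src_wildcard, dst, dst_wildcard)
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255; "host X" as X with wildcard 0.0.0.0
ACL_EDI_FUSE = [
    ("deny",   "0.0.0.0",     "255.255.255.255", "10.0.0.0",     "0.255.255.255"),
    ("permit", "10.49.2.183", "0.0.0.0",         "12.163.226.2", "0.0.0.0"),
]
ACLS = {"EDI-Fuse": ACL_EDI_FUSE}

# route-map EDI permit 10 / match ip address EDI-Fuse / set ip next-hop 10.49.1.2
ROUTE_MAP_EDI = [("permit", 10, "EDI-Fuse", "10.49.1.2")]

# Constructed routing table (prefix, next hop); longest prefix wins
ROUTING_TABLE = [("10.0.0.0/8", "10.49.1.1"), ("0.0.0.0/0", "203.0.113.1")]


def wildcard_match(addr, base, wildcard):
    # Wildcard bit 1 = don't care; bit 0 = must equal the base address bit
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl, src, dst):
    # First matching entry decides; every ACL ends with an implicit deny
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def table_lookup(dst):
    ip = ipaddress.IPv4Address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, nh)
            for p, nh in ROUTING_TABLE if ip in ipaddress.ip_network(p)]
    return max(hits)[1]


def forward(src, dst):
    """Return (next_hop, 'pbr' | 'table') for a packet entering E0/0."""
    for action, _seq, acl_name, next_hop in ROUTE_MAP_EDI:
        if acl_lookup(ACLS[acl_name], src, dst) == "permit":
            if action == "permit":
                return next_hop, "pbr"      # matched a permit clause: set next hop
            break                           # matched a deny clause: leave the route map
    # An ACL deny (or no match) does NOT drop the packet: it is routed
    # normally, "according to the route table", as the thread concludes.
    return table_lookup(dst), "table"
```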
