Route-map & access list question

Answered Question

Can someone please tell me what these three router config items are doing?


We have a router on a stick environment.

We have an IP policy statement on Ethernet 0/0:

IP policy route-map EDI


We have a route-map definition that looks like this:

route-map EDI permit 10

match ip add EDI-Fuse

set ip next-hop 10.49.1.2


We have a long extended ACL that has both permit and deny statements in it. For simplicity I have included just one of the denies and one of the permits. The list of denies comes first, if that makes a difference:

deny ip any 10.0.0.0 0.255.255.255

permit ip host 10.49.2.183 host 12.163.226.2



Edison Ortiz Mon, 03/30/2009 - 10:51

John,


It's changing the next hop on packets arriving on the E0/0 interface from the next hop that would be used from the routing table.


For more information on Policy-Based Routing (PBR), please refer to the documentation:


http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056703


Based on your ACL:


deny ip any 10.0.0.0 0.255.255.255


traffic won't be PBR'd and the next hop on those packets will be the one in the routing table, while:


permit ip host 10.49.2.183 host 12.163.226.2


will be PBR'd, so the next hop will be 10.49.1.2.




HTH,


__


Edison.

Thanks

I was somewhat confused about how the ACL was being used in PBR. I was thinking that the packet was being dropped, but that did not make sense, so I posted the question. If I understand what you are saying correctly, then the deny statement is saying "don't change the route, just let it go where it is destined," whereas the permit is saying "send this one to the next hop, which is 10.49.1.2." Correct?

Correct Answer
Edison Ortiz Mon, 03/30/2009 - 11:19

Correct?


Yes. It's not a security ACL.


__


Edison.

Correct Answer
lamav Mon, 03/30/2009 - 10:54

John:


What you are showing us is an example of what is called "policy routing."


Typically, a router makes a forwarding decision based on the destination address of the packet received on its interface.


There are times when a network designer would like the router to make a forwarding decision based on the source IP address instead.


With an extended access list, not only is the source address the concern, but also where the packet is destined.


Take note that policy routing is performed before normal, destination-based routing. So, the route map is going to be activated and it's going to "call" the access list when a packet is received on your e0/0 interface.


With the "match" command, the route map is telling the router, "IF the source is any network and it is destined for the 10.0.0.0/8 network, deny it and do NOT forward it. IF the source is 10.49.2.183 and it's destined for host 12.163.226.2, THEN permit it and SET the next hop to be 10.49.1.2."


Makes sense?


HTH


Victor


lamav Mon, 03/30/2009 - 10:55

Edison, sorry for the cross-post. I was writing mine at the same time. :-)

lamav Mon, 03/30/2009 - 11:28

"If I understand what you are saying correctly then the deny statement is saying; "don't change the route just let it go where it is destined.""


Correct again. Just finish that statement by saying "...let it go where it is destined according to the route table"


Thanks for the rating.


Victor
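The two outcomes Edison and Victor describe (ACL deny = not policy routed, packet follows the routing table; ACL permit = next hop forced to 10.49.1.2) as an added Python model of the thread's configuration; this is not code from the original thread or from Cisco. The routing table entries, the second interface name and the packets are constructed for illustration.

```python
import ipaddress

# Wildcard-mask comparison as IOS does it: a 1 bit in the mask means "don't care".
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# The thread's ACL (the one deny and one permit John posted), in router order:
# "any" is 0.0.0.0 255.255.255.255, "host X" is X 0.0.0.0.
ACL_EDI_FUSE = [
    ("deny",   ("0.0.0.0", "255.255.255.255"), ("10.0.0.0", "0.255.255.255")),
    ("permit", ("10.49.2.183", "0.0.0.0"),     ("12.163.226.2", "0.0.0.0")),
]

def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, (sbase, swild), (dbase, dwild) in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

# route-map EDI permit 10 / match ip address EDI-Fuse / set ip next-hop 10.49.1.2
ROUTE_MAP_EDI = [("permit", ACL_EDI_FUSE, "10.49.1.2")]

def policy_route(route_map, src: str, dst: str):
    """Next hop imposed by PBR, or None when no sequence matches and the packet
    falls through to normal destination-based routing (the ACL deny case)."""
    for action, acl, hop in route_map:
        if acl_lookup(acl, src, dst) == "permit":      # ACL permit = clause matches
            return hop if action == "permit" else None  # route-map deny = no PBR
    return None

# Constructed routing table, consulted only when PBR does not apply.
RIB = {"10.0.0.0/8": "10.49.1.1", "0.0.0.0/0": "203.0.113.1"}

def next_hop(src: str, dst: str, ingress: str = "Ethernet0/0"):
    """PBR runs before the RIB lookup, but only on the interface carrying 'ip policy'."""
    if ingress == "Ethernet0/0":
        hop = policy_route(ROUTE_MAP_EDI, src, dst)
        if hop is not None:
            return ("pbr", hop)
    d = ipaddress.IPv4Address(dst)
    best = max((ipaddress.IPv4Network(p) for p in RIB if d in ipaddress.IPv4Network(p)),
               key=lambda n: n.prefixlen)          # longest-prefix match
    return ("rib", RIB[str(best)])
```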


