Route-map & access list question

john.wright
Level 3

Can someone please tell me what these three router config items are doing?

We have a router-on-a-stick environment.

We have an IP policy statement on Ethernet 0/0:

IP policy route-map EDI

We have a route-map definition that looks like this:

route-map EDI permit 10

match ip add EDI-Fuse

set ip next-hop 10.49.1.2

We have a long extended ACL that has both permit and deny statements in it. For simplicity I have included just one of the denies and one of the permits. The list of denies comes first, if that makes a difference:

deny ip any 10.0.0.0 0.255.255.255

permit ip host 10.49.2.183 host 12.163.226.2


7 Replies

Edison Ortiz
Hall of Fame

John,

It's changing the next hop on packets arriving on the E0/0 interface from the next hop that would be used from the routing table.

For more information on Policy-Based Routing (PBR), please refer to the documentation:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056703

Based on your ACL:

deny ip any 10.0.0.0 0.255.255.255

traffic won't be PBR'd and the next hop on those packets will be the one on the routing table while:

permit ip host 10.49.2.183 host 12.163.226.2

will be PBR'd, so the next hop will be 10.49.1.2.

HTH,

__

Edison.
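To make the "deny means not policy-routed, not dropped" behaviour concrete, here is an added example (not from this thread or from Cisco) that models the route-map and ACL posted above. The ACL entries and next hop are the ones in the question; the routing-table next hop (192.0.2.1) is a constructed placeholder standing in for a real RIB lookup.

```python
import ipaddress

# Constructed model of the thread's PBR config. In a route-map, an ACL "deny"
# means "this packet is not policy-routed" and it falls through to normal
# destination-based routing; it is NOT a drop, unlike a security ACL.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_action(acl, src: str, dst: str):
    """Return 'permit', 'deny', or None (implicit deny) for the first matching entry."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return None  # implicit deny at the end of every ACL

def pbr_next_hop(route_map, src: str, dst: str, rib_next_hop: str) -> str:
    """Walk the route-map sequences in order; the first permit sequence whose
    ACL permits the packet sets the next hop. Anything else (ACL deny or no
    match) is routed normally using the routing-table next hop."""
    for seq in route_map:
        if acl_action(seq["acl"], src, dst) == "permit":
            return seq["set_next_hop"]
    return rib_next_hop

# "deny ip any 10.0.0.0 0.255.255.255" and
# "permit ip host 10.49.2.183 host 12.163.226.2" from the question.
# 'any' = 0.0.0.0 255.255.255.255, 'host X' = X 0.0.0.0
EDI_FUSE = [
    ("deny",   "0.0.0.0",     "255.255.255.255", "10.0.0.0",     "0.255.255.255"),
    ("permit", "10.49.2.183", "0.0.0.0",         "12.163.226.2", "0.0.0.0"),
]
ROUTE_MAP_EDI = [{"seq": 10, "acl": EDI_FUSE, "set_next_hop": "10.49.1.2"}]

def decide(src: str, dst: str, rib_next_hop: str = "192.0.2.1") -> str:
    """Next hop chosen for a packet entering E0/0 (rib_next_hop is a stand-in
    for the routing-table lookup)."""
    return pbr_next_hop(ROUTE_MAP_EDI, src, dst, rib_next_hop)
```

Traffic from 10.49.2.183 to 12.163.226.2 is sent to 10.49.1.2; traffic to any 10.x.x.x host, and any packet the ACL does not permit, keeps the routing-table next hop rather than being discarded.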

Thanks

I was somewhat confused about how the ACL was being used in PBR. I was thinking that the packet was being dropped, but that did not make sense, so I posted the question. If I understand what you are saying correctly, then the deny statement is saying, "don't change the route, just let it go where it is destined." Whereas the permit is saying, "send this one to the next hop, which is 10.49.1.2." Correct?

Correct?

Yes. It's not a security ACL.

__

Edison.

lamav
Level 8

John:

What you are showing us is an example of what is called "policy routing."

Typically, a router makes a forwarding decision based on the destination address of the packet received on its interface.

There are times when a network designer would like the router to make a forwarding decision based on the source IP address instead.

With an extended access list, not only is the source address the concern, but also where the packet is destined.

Take note that policy routing is performed before normal, destination-based routing. So, the route map is going to be activated and it's going to "call" the access list when a packet is received on your e0/0 interface.

With the "match" command, the route map is telling the router, "IF the source is any network and it is destined for the 10.0.0.0/8 network, deny it and do NOT forward it. IF the source is 10.49.2.183 and it's destined for host 12.163.226.2, THEN permit it and SET the next hop to be 10.49.1.2."

Makes sense?

HTH

Victor

Edison, sorry for the cross-post. I was writing mine at the same time. :-)

Both of you shed needed light on my confused mind. Thanks for your help!

"If I understand what you are saying correctly then the deny statement is saying; "don't change the route just let it go where it is destined.""

Correct again. Just finish that statement by saying "...let it go where it is destined according to the route table"

Thanks for the rating.

Victor
