08-13-2010 11:18 PM - edited 03-04-2019 09:25 AM
Hi All,
Can you please explain what the main differences between ACLs and route maps are?
Regards,
Srinadh.
08-14-2010 12:24 AM
Hi,
An ACL is used for filtering the traffic based on configured parameters, but it is a single statement: if it matches, the traffic is permitted or denied. You get more flexibility in route-maps. You can use the ACL as a match statement in a route-map and at the same time set some attributes, which get attached to that prefix, and it will be advertised in the WAN with those to achieve some routing requirement.
As per my understanding, a route-map gives me full flexibility to route my traffic from where I want, like an interface, attaching attributes, etc. It's a kind of programming, as I see it: for this match, do this...
Route-maps are used in redistribution, BGP neighborships, etc.
For more detailed information visit: http://startnetworks.blogspot.com/2010/08/cisco-acl-and-route-map.html
Hope this information will help you.
Uttam
05-24-2013 06:34 AM
I am currently experiencing an issue with a route map.
I believe the route-map to be configured correctly, but the route map does not appear to be matching the ACL.
GigabitEthernet0/0 is up, line protocol is up
Internet address is 172.20.38.254/16
interface GigabitEthernet0/0
ip address 172.20.38.254 255.255.0.0
ip route-cache flow
ip policy route-map EXC-DAG
route-map assigned to interface
show ip int gi0/0
Policy routing is enabled, using route map EXC-DAG
route-map EXC-DAG, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 172.20.57.234
Policy routing matches: 0 packets, 0 bytes
Policy routing is enabled, using route map EXC-DAG
access-list 150 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
show access-list 150
10 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255 log (3 matches)
show route-map
route-map EXC-DAG, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 172.20.57.234
Policy routing matches: 0 packets, 0 bytes <<<<
I don't think I am missing anything from the configuration.
Any ideas?
Thanks in advance.
05-24-2013 06:54 AM
Hello,
You can policy route via the data plane (that is, traffic traversing your router) or the control plane (traffic originating from the router) by specifying ACLs, protocol types and port numbers.
For data plane PBR you specify the policy on the interface the traffic is traversing from -
int xx
ip policy route-map TST
For control plane PBR you specify the policy globally on the router the traffic originates from -
conf t
ip local policy route-map TST
In your policy you are using ACL 150 to specify traffic originating from interface Gig0/0 between 192.168.4.0 0.0.0.255 and 192.168.3.0 0.0.0.255 to be routed out to the next hop of 172.20.57.234 -
Is this what you want to happen?
Also, you have no resiliency in place, so if the next hop is unreachable your present policy will still try to forward traffic based on the match statements and start ARPing for the next hop address.
Apply set ip next-hop verify-availability in the policy; this way the router will do a CDP lookup for the next-hop address before policy routing and, if it is not found, will route normally instead.
Regards,
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
05-24-2013 07:03 AM
Can you disable CEF and check?
Also, in the ACL you have used the log keyword; can you remove that and check?
show access-list 150
10 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255 log
Do not use the "log" key word on ACLs when using PBR. Here is a note from Cisco.
"The log keyword should not be used with this command in policy-based routing (PBR) because logging is not supported at the interrupt level for ACLs."
05-24-2013 11:52 AM
I believe that there is a simple logic problem here that is causing PBR to not work as desired.
First notice the subnet configured on the interface where PBR is configured
interface GigabitEthernet0/0
ip address 172.20.38.254 255.255.0.0
Then notice the source address specified in the ACL used with PBR
access-list 150 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
So my question is whether 192.168.4.0 is really connected through interface Gig0/0? That is the only way that PBR configured like this will work.
HTH
Rick
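The three replies above describe the same machinery from different angles: an ACL only answers permit or deny, a route-map adds match and set clauses (Uttam); PBR is applied per ingress interface or to locally generated traffic, and verify-availability falls back to normal routing when the next hop cannot be found (Paul); and a policy on Gi0/0 never sees a flow that does not enter on Gi0/0 (Rick). The following Python model is an added example, not code from this thread or from Cisco. The ACL, route-map name, sequence number, next hop and addresses are the ones posted above; the second interface Gi0/1, the 10.1.1.1 source used as a non-matching packet, and the set of "reachable" next hops standing in for the CDP check are assumptions made for the demonstration. Set clauses are kept as a plain dict and only ip next-hop is acted on, so the BGP attribute use Uttam mentions is represented but not simulated.

```python
"""Added example: a small model of IOS ACL / route-map / PBR semantics as discussed
in the thread. Not Cisco code; class and function names are the example's own.
Assumed for the demo: interface Gi0/1, the 10.1.1.1 test source, and a set of
'reachable' next hops standing in for the CDP lookup verify-availability performs."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'do not care'."""
    network, wildcard = spec.split()
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(network)) & care)


@dataclass
class AclEntry:
    action: str   # 'permit' or 'deny'
    src: str      # 'network wildcard', e.g. '192.168.4.0 0.0.0.255'
    dst: str


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """An ACL on its own only answers permit/deny: first match wins, implicit deny at the end."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action
    return "deny"


@dataclass
class RouteMapSeq:
    seq: int
    action: str                            # 'permit' or 'deny'
    match_acl: List[AclEntry]              # 'match ip address <acl>'
    set_clauses: Dict[str, str] = field(default_factory=dict)  # e.g. {'ip next-hop': '...'}
    verify_availability: bool = False      # 'set ip next-hop verify-availability'


def route_map_eval(route_map: List[RouteMapSeq], src: str, dst: str) -> Optional[RouteMapSeq]:
    """Sequences are tried in order; the first whose match ACL permits the packet decides.
    A 'deny' sequence, or no match at all, means the packet is not policy routed."""
    for seq in sorted(route_map, key=lambda s: s.seq):
        if acl_lookup(seq.match_acl, src, dst) == "permit":
            return seq if seq.action == "permit" else None
    return None


@dataclass
class Router:
    interface_policy: Dict[str, Optional[List[RouteMapSeq]]]   # 'ip policy route-map' per interface
    local_policy: Optional[List[RouteMapSeq]] = None           # 'ip local policy route-map'
    reachable_next_hops: Set[str] = field(default_factory=set) # what the CDP check would find (assumed)
    matches: Dict[int, int] = field(default_factory=dict)      # 'Policy routing matches' per sequence

    def forward(self, ingress: Optional[str], src: str, dst: str) -> Tuple[str, Optional[str]]:
        """ingress=None models traffic the router itself originates (control plane).
        Returns ('pbr', next_hop) when policy routed, else ('normal', None)."""
        policy = self.local_policy if ingress is None else self.interface_policy.get(ingress)
        if policy is None:
            return "normal", None   # no policy on this path: ordinary routing-table lookup
        seq = route_map_eval(policy, src, dst)
        if seq is None:
            return "normal", None   # route-map did not permit: falls through to normal routing
        next_hop = seq.set_clauses.get("ip next-hop")
        if seq.verify_availability and next_hop not in self.reachable_next_hops:
            return "normal", None   # next hop not found: route normally instead of ARPing for it
        self.matches[seq.seq] = self.matches.get(seq.seq, 0) + 1
        return "pbr", next_hop


# The thread's configuration transcribed into the model (access-list 150, route-map EXC-DAG seq 20).
ACL_150 = [AclEntry("permit", "192.168.4.0 0.0.0.255", "192.168.3.0 0.0.0.255")]
NEXT_HOP = "172.20.57.234"


def build_router(verify: bool = False, next_hop_up: bool = True) -> Router:
    """Router with EXC-DAG applied on Gi0/0 only; Gi0/1 (assumed) carries no policy."""
    exc_dag = [RouteMapSeq(20, "permit", ACL_150, {"ip next-hop": NEXT_HOP}, verify)]
    return Router({"Gi0/0": exc_dag, "Gi0/1": None},
                  reachable_next_hops={NEXT_HOP} if next_hop_up else set())


if __name__ == "__main__":
    r = build_router()
    # Rick's point: the flow must enter on Gi0/0, or the policy there never sees it and the
    # counter stays at 0 packets, as the original poster saw before the firewall route was fixed.
    print("enters on Gi0/1:", r.forward("Gi0/1", "192.168.4.10", "192.168.3.10"), r.matches)
    print("enters on Gi0/0:", r.forward("Gi0/0", "192.168.4.10", "192.168.3.10"), r.matches)
    print("ACL alone only says:", acl_lookup(ACL_150, "192.168.4.10", "192.168.3.10"))
    # Paul's point: without verify-availability a dead next hop is still used; with it we fall back.
    print("next hop down, no verify:", build_router(False, False).forward("Gi0/0", "192.168.4.10", "192.168.3.10"))
    print("next hop down, verify on:", build_router(True, False).forward("Gi0/0", "192.168.4.10", "192.168.3.10"))
```

Run it as a script to see the four cases printed; the model deliberately keeps the ACL as a yes/no decision and puts every action in the route-map's set clauses, which is the distinction the first reply draws.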
05-28-2013 04:05 AM
Hi
And thanks for the speedy responses; your input has been very helpful.
I have since been able to get it to work this morning.
The device connected on this interface Gi0/0 is a firewall that had a missing routing entry.
Added the following static route: 192.168.3.0 255.255.255.0 use 172.20.38.254 255.255.255.0
192.168.3.0 172.20.38.254 255.255.255.0 UG
route-map EXC-DAG, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 172.20.57.234
Policy routing matches: 3075964 packets, 555386572 bytes
Thanks to you all for your input, appreciated.
05-28-2013 04:06 AM
Paul,
Can't seem to rate your post. Shame, as it was very informative!
thanks
ray