route-map access-list

Answered Question
Jan 16th, 2011

Hi. Could someone please clarify the answer for me please?

This is question 3 in chapter 4 of CCNP Route training guide 642-902

3. R1 has correctly configured EIGRP to filter routes using a route map named question. The configuration that follows shows the entire route map and related configuration. Which of the following is true regarding the filtering action on prefix 10.10.10.0/24 in this case?

route-map question deny 10
match ip address 1
route-map question permit 20
match ip address prefix-list fred
!
access-list 1 deny 10.10.10.0 0.0.0.255
ip prefix-list fred permit 10.10.10.0/23 le 25

A. It will be filtered due to the deny action in route map clause 10.

B. It will be allowed because of the double negative (two deny references) in clause 10.

C. It will be permitted due to matching clause 20’s reference to prefix-list fred.

D. It will be filtered due to matching the implied deny all route map clause at the end of the route map.

Answer: C. When used for route filtering, the route map action (permit or deny) defines the filtering action, and any referenced match commands’ permit or deny action just defines whether the prefix is matched. By not matching ACL 1 with a permit action, EIGRP does not consider a match to have occurred with clause 10, so it moves to clause 20. The prefix list referenced in clause 20 has a permit action, matching prefixes from 10.10.10.0–10.10.11.255, with prefix lengths from 23–25. Both criteria match the prefix in question, making answer C correct.

My query: is it not answer A, in fact matching the route exactly, meaning that 10.10.10.0 0.0.0.255 in ACL 1 matches the route to 10.10.10.0/24?

Is answer A not correct because traffic for 10.10.10.0 will be discarded by ACL 1 before it can be processed by route-map?

I just cannot get my head around this. Could someone please clarify the explanation as to why C is correct and A is not?

Many thanks

Correct Answer
Richard Burts Mon, 01/17/2011 - 12:20

The logic is sometimes difficult to follow in route maps that use deny in the route map statement. I find it helpful to think of them in this way. The route map statement 10 specifies an action to take (in this case deny) when there is a positive result in the match statement. If the result in the access list says yes/permit then the action of the route map statement is taken. But if the result in the access list says no/deny then the action of the route map statement is not taken and the route map goes on to the next step.

Since access list 1 has deny 10.10.10.0 the result of the access list is no/deny and the action of route map 10 is not taken and so the route map goes on to statement 20.

HTH

Rick

photosynthesis Mon, 01/17/2011 - 19:25

Thank you Richard for the explanation. I am getting closer to the understanding of the logic behind it. I hope you don't mind if I take advantage of your knowledge and attach another example. The question remains the same, we are still concerned about 10.10.10.0/24. I tried to list all possible scenarios to get a full picture. The 22.22.22.0 0.0.0.255 is basically any random IP not matching 10.10.10.0/24. I hope you understand where I am coming from.

###############
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255

...

route-map question deny 10            Action taken, route filtered out
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255  

...

route-map question permit 10            Action taken, route permitted
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

##################

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

...

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

##################

Thank you again Richard for all your effort.

Correct Answer
Richard Burts Mon, 01/17/2011 - 19:58

I am putting my responses in line marked with Bold and Italics

###############
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255

Yes this is correct

...

route-map question deny 10            Action taken, route filtered out
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

Yes this is correct

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255 

Yes this is correct

...

route-map question permit 10            Action taken, route permitted
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

Yes this is correct

##################

In this set of examples the access list never mentions 10.10.10.0. Since there is no permit for 10.10.10.0 this network would not be redistributed in any of the scenarios that you suggest.

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

Yes this is correct. Note that this has nothing to do with 10.10.10.0

...

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

Not correct. The match statement returns a value of true and 22.22.22.0 is filtered out.

Note that this has no effect on 10.10.10.0

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

Yes this is correct. Note that this has nothing to do with 10.10.1.0

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

Not correct. The match statement returns a value of true and 22.22.22.0 is redistributed.

Note that this has no effect on 10.10.10.0

##################

HTH

Rick
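The evaluation order worked through in this thread, as an added example that is not part of the original posts: a small Python model of how a route map used for route filtering consults a standard ACL and a prefix list, run against the configuration from the question. The function names are hypothetical, and the model assumes the ACL is compared against the route's network address only.

```python
import ipaddress

def acl_permits(acl, network):
    """Standard ACL: the first entry whose address/wildcard covers the route's
    network address decides; if no entry matches, the implicit deny applies."""
    addr = int(ipaddress.ip_address(network))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False

def prefix_list_permits(plist, network, length):
    """Prefix list: the route must fall inside the entry's prefix and its
    length must lie in [ge, le]; otherwise the implicit deny applies."""
    route = ipaddress.ip_network(f"{network}/{length}")
    for action, prefix, ge, le in plist:
        if ge <= length <= le and route.subnet_of(ipaddress.ip_network(prefix)):
            return action == "permit"
    return False

def route_map(clauses, network, length):
    """Return (result, clause). The first clause whose match comes back permit
    applies the clause's own action; a deny from the ACL or prefix list only
    means 'not matched here'. No clause matched: implicit deny, clause None."""
    for seq, action, matcher in clauses:
        if matcher(network, length):
            return action, seq
    return "deny", None

# Configuration from the question. "le 25" alone implies ge = 23 (the /23 length).
ACL_1 = [("deny", "10.10.10.0", "0.0.0.255")]
FRED = [("permit", "10.10.10.0/23", 23, 25)]
QUESTION = [
    (10, "deny", lambda n, l: acl_permits(ACL_1, n)),
    (20, "permit", lambda n, l: prefix_list_permits(FRED, n, l)),
]

def single_clause(clause_action, acl_action, acl_net, route="10.10.10.0"):
    """One-clause route map, as in the scenario lists posted in the thread."""
    acl = [(acl_action, acl_net, "0.0.0.255")]
    clauses = [(10, clause_action, lambda n, l: acl_permits(acl, n))]
    return route_map(clauses, route, 24)

if __name__ == "__main__":
    print(route_map(QUESTION, "10.10.10.0", 24))
    for clause in ("deny", "permit"):
        for entry in ("deny", "permit"):
            for net in ("10.10.10.0", "22.22.22.0"):
                print(clause, entry, net, single_clause(clause, entry, net))
```

A result with clause `None` means the route matched no clause and was dropped by the implicit deny at the end of the route map, which is why a single-clause map whose ACL never permits 10.10.10.0 filters that route in every variant.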

photosynthesis Mon, 01/17/2011 - 22:24

Hi Rick. You really rock.

Sorry for the confusion caused with the second half of the examples. I did not formulate the question correctly but anyway, you answered with exactly what I wanted to hear. What I meant was that any of the ACL 1 statements containing only 22.22.22.0 0.0.0.255 would have no effect on 10.10.10.0/24 being filtered or not solely in this simple scenario.

Thanks again for the great explanation and I obviously marked your answers as correct. Now I am back to studying and I might be back with more questions soon.

All the best.

V.

Richard Burts Wed, 01/19/2011 - 19:32

V

I am glad that my explanations were helpful to you. Thanks for marking the questions as resolved (and thanks for the points). It makes the forum more useful when people can read questions and can know that some responses did resolve the question. Your marking makes this obvious to other readers.

Good luck with your studies. And do feel free to post more questions in the forum. After all that is what the forum is really about - asking questions and finding answers.

HTH

Rick

This Discussion

Posted January 16, 2011 at 1:11 PM