Route-map deny statements with denying access-lists

Unanswered Question
May 29th, 2011

hello mates,

I can't fully understand one point with route-maps:

If we have a route map that contains this statement:

route-map fred deny 10
 match ip address one

and the access-list named "one" is only denying routes.

So will routes in ACL "one" be permitted (because it's denying to be denied)? Or are they just not matched and passed down to the other statements in that route-map? What is the default behavior? I can't really find info in the books.

Mohamed Sobair Sun, 05/29/2011 - 03:49

Hi,

A route-map is validated per sequence number; it's similar to the access-list checklist. If the route-map deny is the first statement, it will deny all traffic for access-list 1 whether the access-list has a deny or permit statement, and it will then look for the second sequence number to match.

If there is no other sequence number to match, the (implicit deny all) at the end of any route-map would kick in.

A good reference for Route-map and its configuration would be (Routing TCP/IP book).

HTH

Mohamed

kajatonas88 Sun, 05/29/2011 - 09:13

Thanks for the reply.

Routing TCP/IP book says:

"The behavior of a "deny" action depends on whether the route map is being used for policy routing or for redistribution. If a route map is being used for redistribution and a route matches a statement with a deny action, the route will not be redistributed. If the route map is being used for policy routing and a packet matches a statement with a deny action, the packet is not policy routed but is passed back to the normal routing process for forwarding." So yes, it says that you are right Mohamed.

But when I read Wendell Odom (OCG) I got a question:

Router R1 refers to route-map fred when redistributing from EIGRP into OSPF. The entire route-map is listed next. Which of the following answers must be true based on the configuration as shown?

route-map fred deny 10
 match ip address one
route-map fred deny 20
 match ip address two
route-map fred permit 100

A. The third route map clause will allow any routes not already filtered by the first two clauses.
B. Routes permitted by ACL "two" will be redistributed.
C. Routes denied by ACL "one" will be redistributed.
D. All routes will be filtered.

Answer is A.

So from the "Routing TCP/IP" perspective the first two statements of the route-map will deny routes in the access-lists without needing to look at the ACL statements (deny or permit). But Wendell Odom explains:

The deny clauses in the route map mean that the route map will filter routes matched by that clause. The permit or deny action of the referenced ACLs just defines whether the route is matched. So, routes permitted by ACL "two" will be matched and then filtered due to the route-map clause deny action. Routes denied by ACL "one" simply do not match the route map clause numbered 10; such routes may or may not be redistributed depending on the next two clauses. Clause number 100 does not have a match command, meaning it matches all routes not otherwise matched, with a permit action, allowing these routes to be redistributed.

So routes in ACL "one" will not be filtered by that statement...

I am confused, help me guys

P.S.

I also found this in http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008047915d.shtml :

  • If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

Still confusing..

P.P.S.

After reading about 5 different sources I think I found the answer; I think Wendell is right.

He states that if the ACL or prefix list has the deny statement, it treats that MATCH statement as not matched, and goes down to the other route-map statements.

Antonio Knox Sun, 05/29/2011 - 19:29

Here's a more basic, to-the-point explanation:

!---------DENY DISTRIBUTION OF ROUTES THAT RETURN A PERMIT-MATCH ON ACCESS LIST "one"-------
route-map fred deny 10
 match ip address one
!---------DENY DISTRIBUTION OF ROUTES THAT RETURN A PERMIT-MATCH ON ACCESS LIST "two"-------
route-map fred deny 20
 match ip address two
!---------NO ACL, SO BY DEFAULT THIS IS A "PERMIT-MATCH-ALL"-------
route-map fred permit 100

  • If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

    Still confusing..

  • Don't over-think it. This just means that if a route returns a DENY-MATCH in ACL "one" or "two" then it is ignored by route map statements 10 & 20 respectively and goes on to the next route-map statement 100, which in its default configuration (no ACL) is a PERMIT-MATCH-ALL. This means that it would be processed by statement 100 and will be redistributed.

Hope that helps.


kajatonas88 Sun, 05/29/2011 - 22:15

Thanks Antonio,

Yes, we use this logic on redistribution.

But on PBR it's a little bit different. If the PBR matches a route-map with a deny statement in the route-map or a deny in the ACL (whatever the route-map statement is), the packet is normally forwarded instantly, without checking the whole route-map.

Am I right? :)

Antonio Knox Mon, 05/30/2011 - 11:00

If the PBR matches a route-map with a deny statement in the route-map or a deny in the ACL (whatever the route-map statement is), the packet is normally forwarded instantly, without checking the whole route-map.

Am I right?

That is incorrect. Take a look at my previous explanation; in most cases it's the same concept, regardless of how the route map is applied. In the case of PBR, you could essentially take the same previous explanation and replace the word '(re)distribute' with the term 'forward per PBR policy'. The ACL will ALWAYS be referenced when a 'match' statement is used (whether route-map permit or deny is used), and the route-map will process traffic according to the first ACL match found (permit, deny or implicit-deny). And again, in the case of either deny-match type, processing for that route-map statement ends and processing proceeds on to the next route-map statement.

Hope that makes sense.

gerald.suiza Sun, 05/29/2011 - 22:20

Here's how route-maps work:

Let's take your route map for example. You have a deny on your route map. This will "deny" all that is matched by ACL "one". So if ACL "one" is denying, say, some subnets and passing others, then you are also "denying" those same subnets on the route-map. The deny on a route map is defined by how you use the route map. For example, if you apply the route map in BGP using redistribution, you deny those subnets from being redistributed.

In my own opinion it is best to use an ACL that "permits", unless it is totally necessary to use a deny, when applying the ACL to a match statement on a route-map. To me it avoids confusion in interpreting the action of the route-map.

HTH

sclinton13 Mon, 04/23/2012 - 16:37

If you perform a deny on an ACL and then perform a deny on a route map, it will allow what you denied and allow what you permitted.

access-list 15 deny 10.1.1.0 0.0.0.255
access-list 15 permit any
route-map redist-ospf deny 10
 match ip address 15

The above statement would allow routes from 10.1.1.0 and block all other routes.
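As an added example (not from any poster in this thread), here is a small Python model of the evaluation rules discussed above: the ACL's permit/deny only decides whether a clause *matches*, the clause's own permit/deny decides the fate of a matched route, and a route that matches no clause falls to the implicit deny at the end of the route-map. It runs route-map fred from the OCG question (ACL contents for "one" and "two" are constructed here) and access-list 15 with route-map redist-ospf, with and without a trailing permit clause.

```python
import ipaddress

# Constructed model of IOS route-map evaluation for route filtering (not Cisco code).
# An ACL entry is (action, network); a route-map clause is (seq, action, acl_name).
# acl_name None models a clause with no match command, which matches every route.

def acl_permits(acl, prefix):
    """True if the ACL permits the route's network address (first entry wins).
    A denied or unlisted prefix (implicit deny) means the referencing
    route-map clause is simply 'not matched'."""
    for action, network in acl:
        if prefix.network_address in network:
            return action == "permit"
    return False

def route_map_permits(route_map, acls, prefix):
    """Walk clauses in sequence order; the first clause whose match succeeds
    decides with its own action. No clause matched -> implicit deny."""
    for _seq, action, acl_name in sorted(route_map):
        matched = acl_name is None or acl_permits(acls[acl_name], prefix)
        if matched:
            return action == "permit"
    return False

# ACL contents are constructed for the demonstration; "15" is from the post above.
ACLS = {
    "one": [("deny", ipaddress.ip_network("10.1.0.0/16"))],            # only denies
    "two": [("permit", ipaddress.ip_network("10.2.0.0/16"))],
    "15":  [("deny", ipaddress.ip_network("10.1.1.0/24")),
            ("permit", ipaddress.ip_network("0.0.0.0/0"))],           # permit any
}
FRED = [(10, "deny", "one"), (20, "deny", "two"), (100, "permit", None)]
REDIST_OSPF = [(10, "deny", "15")]
REDIST_OSPF_WITH_PERMIT = REDIST_OSPF + [(20, "permit", None)]

def evaluate(route_map, prefixes):
    """Map each prefix string to True (redistributed) or False (filtered)."""
    return {p: route_map_permits(route_map, ACLS, ipaddress.ip_network(p))
            for p in prefixes}

if __name__ == "__main__":
    routes = ["10.1.5.0/24", "10.2.5.0/24", "10.1.1.0/24", "192.168.0.0/24"]
    for name, rm in (("fred", FRED), ("redist-ospf", REDIST_OSPF),
                     ("redist-ospf + permit 20", REDIST_OSPF_WITH_PERMIT)):
        print(name, evaluate(rm, routes))
```

With only `route-map redist-ospf deny 10`, the 10.1.1.0/24 route is not matched by clause 10 and is then dropped by the implicit deny, so nothing is redistributed; the trailing `permit 20` clause is what lets 10.1.1.0/24 through while everything ACL 15 permits stays filtered.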
