Understanding a route map

Answered Question
Apr 29th, 2014

Hi All,

 

I have just taken over supporting a network, and have come across a route map that I don't really understand. The route-map is copied below. Can anyone please tell me step by step how it's processed, and what the outcome is?

 

route-map test permit 5
 match ip address prefix-list path_one_prefer
!
route-map test permit 10
 match as-path 3
!
route-map test permit 20
 match ip address prefix-list route-filter
 set as-path prepend 65100
 
ip prefix-list path_one_prefer seq 5 permit 10.10.0.0/16
 
ip as-path access-list 3 permit _65000_
 
ip prefix-list route-filter seq 10 deny 172.130.1.0/28
ip prefix-list route-filter seq 15 deny 172.131.1.248/29
ip prefix-list route-filter seq 20 deny 172.200.128.0/27
 
The route map is applied outbound towards an eBGP peer.
 
Many Thanks
 
Russ
paul driver Wed, 04/30/2014 - 01:34

Hello

Anything that matches the first stanza 5 = advertise and DON'T proceed to check any further down the route-map

Anything that doesn't match 5 but stanza 10 with as path of 3 = advertise and DON'T proceed to check any further down the route-map

Anything that doesn't match 5 or 10 will match stanza 20 and filter on those routes and prepend as path 6500 once to any prefix that has traversed the 6500 AS and has this in its as path attribute

I don't see a catch all statement at the end so everything else is denied

 

 

Res Paul

r.gasper Wed, 04/30/2014 - 13:34

Hi Guys

Thanks for all of your help with this question. Are you sure if a 'match' is found without a 'set' then the router will not proceed any further?

Anything that doesn't match 5 or 10 will match stanza 20 and filter on those routes and prepend as path 6500 once to any prefix that has traversed the 6500 AS and has this in its as path attribute

I don't understand the above... not all routes will match stanza 20. Are you also saying that only routes that have 6500 in the path will be prepended with 6500?

 

Thanks 

Russ

Bilal Nawaz Thu, 05/01/2014 - 00:09

Hello Russ, The logic is like an ACL, if it doesn't match, move on to the next one... If it does match then it may be denied or permitted depending on the route-map statement. Because you can have...

route-map xxxxxx permit or

route-map xxxxxx deny

so.....

Route-map test permit 5 calls to match a specific prefix - 10.10.0.0/16 this seems to be permitted

if no match found move to next line (10)

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 to be permitted

if no match found move to next line (20)

Route-map test permit 20 calls on a prefix list route-filter which sets the AS path prepend which is permitted.

This route-map prepends all other prefixes with 65100 except for the prefixes in the route filter one (which are deny statements - so the logic is "not these prefixes") - which may not even be advertised.

Everything else will be denied (although line 20 is like your catch all by the looks of it)

So everything apart from the prefixes in route-filter set an AS-PATH prepend of 65100 to anything else.

Hope this makes it more clear.

r.gasper Thu, 05/01/2014 - 13:08

Thanks Bilal..

Last question, does this mean that 10.10.0.0/16 subnets and everything that transits AS65000 also gets its AS path prepended with 65100 as well?

 

Thanks

Bilal Nawaz Thu, 05/01/2014 - 13:51

Hello Russ,

No, so to explain this - anything that matches prefix line 5 and 10 is permitted without anything being done to the routes. (There are no set commands for line 5 and 10.)

If I wanted to change the AS-Path for the 10.10.0.0/16 subnet I would have done it in line 5 like this:

route-map test permit 5
 match ip address prefix-list path_one_prefer
 set as-path prepend xxxx
 
But this isn't the case and therefore the normal prefix is just matched and permitted.
Route map 20 however, denies the prefix in the prefix list "route-filter" from being set an as-path prepend, BUT all other routes are set with this.
So everything that matches the above statements, without a "set" command, nothing happens to them - they are just simply permitted or denied, it's only set that changes/modifies the attributes in the BGP prefix being advertised or in other cases learnt.
Hope this answers your question.
r.gasper Thu, 05/01/2014 - 15:52

Thanks :).. Does route map 20 also deny the networks in the prefix list from being advertised?

 

Cheers

Russ

Correct Answer
Bilal Nawaz Thu, 05/01/2014 - 23:28

Hello Russ,

Yes that is indeed the case.

route-map test permit 20
 match ip address prefix-list route-filter
 set as-path prepend 65100
!
ip prefix-list route-filter seq 10 deny 172.130.1.0/28
ip prefix-list route-filter seq 15 deny 172.131.1.248/29
ip prefix-list route-filter seq 20 deny 172.200.128.0/27
 
In the route-map lines 20 - it is set to "match ip address prefix-list route-filter"
Since the deny is in place in the prefix list, take it as "Not these ones"
Everything else is permitted and AS-Path prepended.
After line 20 there is no other - ACL logic - explicit deny - so if there is no match, it's a deny, so the prefixes in the prefix-list "route-filter" are not advertised.
This line 20 seems to be the "catch all" other routes except for these ones i.e. that prefix list, and prepend them.
Check the routes you are advertising, as I stated in my first post, with "show ip bgp neigh x.x.x.x advertised-routes" which should correlate with the route-map applied to your BGP peer.
Hope this makes it clear.
r.gasper Thu, 05/01/2014 - 23:42

Thanks very much for your help. I had some spare time last night, so I took the time to set this up in GNS3, and the results were exactly as you said.

Thanks again

Russ

Bilal Nawaz Wed, 04/30/2014 - 00:44

Hello Russ,

It seems like the route-map is controlling which routes to be advertised to its peer. You can see which routes are being advertised with "show ip bgp neighbors 1.1.1.1 advertised-routes"

Route-map test permit 5 calls to match a specific prefix - 10.10.0.0/16 this seems to be permitted

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 (I think)

Route-map test permit 20 calls on a prefix list route-filter which sets the AS path prepend which is permitted. This route-map prepends all other prefixes with 65100 except for the prefixes in the route filter one (which are deny statements - so the logic is "not these prefixes") - which may not even be advertised.

Depending on your routing table, if you have the relevant routes and with the show command above you should be able to see things match and correlate with the filtering policy if configured correctly.

hth

paul driver Wed, 04/30/2014 - 01:35

Hello Bial

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 (I think)

This is incorrect mate - stanza 10 is set to match on as-path attribute 3 -

route-map test permit 10

 match as-path 3 

 

res

Paul

 

Bilal Nawaz Wed, 04/30/2014 - 02:15

Hi, thanks for pointing that out - probably typing quicker than I could think. (It's Bilal btw, not Bial or mate) :)

Ta

Bilal Nawaz Wed, 04/30/2014 - 02:04

Hi Paul,

I re-read, and am a bit puzzled as to what is wrong with the statement? It matches the AS path - the Reg Expression has _65000_

What does that mean then?

paul driver Wed, 04/30/2014 - 02:24

Hello

 

 

route-map test permit 5
 match ip address prefix-list path_one_prefer
!
route-map test permit 10
 match as-path 3
!
route-map test permit 20
 match ip address prefix-list route-filter
 set as-path prepend 65100
 
 
Route maps are read sequentially, so a route will pass down this list until a match is made on a stanza; then the action is processed by the set command (if any is specified), and the route-map will not be read any further, unless you use the continue command, in which case even if a match and action is made the route map will continue to process.

So in this case of stanza 5 - 10, if a match is made then the default action without a set command is to permit

You stated that stanza 10 is to match "an AS path of _65000_ anything that transits AS 65000 (I think)"

This is incorrect mate - stanza 10 is set to match on as-path attribute 3

res
Paul
 
Bilal Nawaz Wed, 04/30/2014 - 02:27

I don't get your point?

You said:

This is incorrect mate - stanza 10 is set to match on as-path attribute 3 -

route-map test permit 10

 match as-path 3

Which you said was incorrect.

I said:

Route-map test permit 10 calls an AS path of _65000_ anything that transits AS 65000 (I think)

So.... the AS-Path ACL is:

ip as-path access-list 3 permit _65000_

So to me, in my mind this reads

route-map 10 to permit

Anything that matches the AS path _65000_

And that's exactly what I said here... Is my understanding of this wrong?

 

paul driver Wed, 04/30/2014 - 02:51

Hello

You are correct - I am misreading the posting - stanza 10 is indeed referring to the _6500_ for the attribute aspath 3

I am looking at the damn prefix list not the as-path list -

Apologies Bilal

 

res

Paul
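
Added example, not part of the original thread and not Cisco code: a Python model of how the posted `route-map test` is evaluated for an outbound advertisement. It assumes the documented IOS rules (first matching prefix-list entry wins, a prefix-list with entries ends in an implicit deny, a denied or unmatched prefix means the stanza does not match, and the route-map itself ends in an implicit deny); the function names and sample routes are constructed for illustration.

```python
import ipaddress
import re

PREFIX_LISTS = {  # configuration copied from the question in this thread
    "path_one_prefer": [(5, "permit", "10.10.0.0/16")],
    "route-filter": [(10, "deny", "172.130.1.0/28"),
                     (15, "deny", "172.131.1.248/29"),
                     (20, "deny", "172.200.128.0/27")],
}
AS_PATH_LISTS = {3: [("permit", "_65000_")]}
ROUTE_MAP = [  # (seq, action, match kind, match argument, AS to prepend)
    (5, "permit", "prefix-list", "path_one_prefer", None),
    (10, "permit", "as-path", 3, None),
    (20, "permit", "prefix-list", "route-filter", 65100),
]

def plist_permits(name, prefix):
    """Entries without ge/le match exactly; the lowest sequence wins."""
    net = ipaddress.ip_network(prefix)
    for _seq, action, entry in sorted(PREFIX_LISTS[name]):
        if ipaddress.ip_network(entry) == net:
            return action == "permit"
    return False  # implicit deny at the end of the prefix-list

def aspath_permits(num, as_path):
    """Cisco '_' matches start, end, space, comma, braces, parentheses."""
    for action, regex in AS_PATH_LISTS[num]:
        if re.search(regex.replace("_", "(?:^|$|[ ,{}()])"), as_path):
            return action == "permit"
    return False  # implicit deny at the end of the as-path list

def evaluate(prefix, as_path):  # -> (advertised, AS path sent, stanza)
    for seq, action, kind, arg, prepend in ROUTE_MAP:
        hit = (plist_permits(arg, prefix) if kind == "prefix-list"
               else aspath_permits(arg, as_path))
        if hit:  # first matching stanza decides; "set" applies only here
            if action == "deny":
                return (False, None, seq)
            sent = f"{prepend} {as_path}".strip() if prepend else as_path
            return (True, sent, seq)
    return (False, None, None)  # implicit deny at the end of the route-map

# Constructed sample routes: (prefix, AS path before the policy is applied)
SAMPLES = [("10.10.0.0/16", ""), ("10.10.1.0/24", ""), ("172.130.1.0/28", ""),
           ("192.0.2.0/24", "65000 64999"), ("198.51.100.0/24", "64512")]

if __name__ == "__main__":
    for prefix, path in SAMPLES:
        print(prefix, repr(path), evaluate(prefix, path))
```

Under these assumptions stanza 20 matches no route at all, because `route-filter` contains only deny entries; a trailing `permit 0.0.0.0/0 le 32` entry is what would make that prefix-list pass every other prefix. The model's output can be compared with `show ip bgp neighbors x.x.x.x advertised-routes` on the device.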
 
