02-25-2010 02:08 PM - edited 03-04-2019 07:37 AM
Hi,
There are four subnets : 10.1.1.0 /26 , 10.1.1.64 /26 , 10.1.1.128/26 and last 10.1.1.192/26 ( 255.255.255.192 )
These subnets are from EIGRP and are redistributed into OSPF. Following are the cases with different access-list configuration and route-map configuration
and it shows the routing table of the next router running OSPF.
CASE 1 :
router ospf 10
log-adjacency-changes
redistribute eigrp 1 subnets route-map send
network 192.168.1.4 0.0.0.3 area 0
network 192.168.1.8 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
ip access-list extended send
permit ip host 10.1.1.0 host 255.255.255.192 ( matches exact 10.1.1.0 /26 !! )
deny ip any any
!
route-map send deny 10
match ip address send
!
route-map send permit 20 ( without this statement nothing is redistributed to OSPF , THOSE DENIED IN THE ACCESS LIST ARE AGAIN DENIED
IN THE ROUTE-MAP, ISN'T THAT THE PERMIT ACTION? )
Routing table of next OSPF router is
Gateway of last resort is not set
10.0.0.0/26 is subnetted, 3 subnets
O E2 10.1.1.64 [110/20] via 192.168.1.5, 00:04:36, Serial1/0 ( 10.1.1.0 /26 is not coming here )
O E2 10.1.1.128 [110/20] via 192.168.1.5, 00:04:36, Serial1/0
O E2 10.1.1.192 [110/20] via 192.168.1.5, 00:04:36, Serial1/0
192.168.1.0/30 is subnetted, 2 subnets
O E2 192.168.1.0 [110/20] via 192.168.1.5, 00:04:36, Serial1/0
C 192.168.1.4 is directly connected, Serial1/0
Router#
CASE 2:
router ospf 10
log-adjacency-changes
redistribute eigrp 1 subnets route-map send
network 192.168.1.4 0.0.0.3 area 0
network 192.168.1.8 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
ip access-list extended send
deny ip host 10.1.1.0 host 255.255.255.192
permit ip any any
!
route-map send permit 10 ( only one statement in route-map send )
match ip address send
Gateway of last resort is not set
10.0.0.0/26 is subnetted, 3 subnets
O E2 10.1.1.64 [110/20] via 192.168.1.5, 00:00:39, Serial1/0 ( 10.1.1.0 /26 is not coming here )
O E2 10.1.1.128 [110/20] via 192.168.1.5, 00:00:39, Serial1/0
O E2 10.1.1.192 [110/20] via 192.168.1.5, 00:00:39, Serial1/0
192.168.1.0/30 is subnetted, 2 subnets
O E2 192.168.1.0 [110/20] via 192.168.1.5, 00:00:39, Serial1/0
C 192.168.1.4 is directly connected, Serial1/0
Router#
CASE 3 :
router eigrp 1
network 192.168.1.0 0.0.0.3
no auto-summary
!
router ospf 10
log-adjacency-changes
redistribute eigrp 1 subnets route-map send
network 192.168.1.4 0.0.0.3 area 0
network 192.168.1.8 0.0.0.3 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
ip access-list extended send
deny ip host 10.1.1.0 host 255.255.255.192
permit ip any any
!
route-map send permit 10
match ip address send
!
route-map send permit 20
10.0.0.0/26 is subnetted, 4 subnets
O E2 10.1.1.0 [110/20] via 192.168.1.5, 00:04:36, Serial1/0 ( all four subnet appear in routing table )
O E2 10.1.1.64 [110/20] via 192.168.1.5, 00:05:45, Serial1/0
O E2 10.1.1.128 [110/20] via 192.168.1.5, 00:05:45, Serial1/0
O E2 10.1.1.192 [110/20] via 192.168.1.5, 00:05:45, Serial1/0
192.168.1.0/30 is subnetted, 2 subnets
O E2 192.168.1.0 [110/20] via 192.168.1.5, 00:05:45, Serial1/0
C 192.168.1.4 is directly connected, Serial1/0
Router#
In this case 10.1.1.0 /26 is denied in the access-list which appears in the first line of the route-map permit statement.
When the second line in the route-map is added it permits all subnets, which kind of negates the effect of the first line.
Is it so that the subnets from the source process are separately filtered by each route-map statement?
If we take CASE 1, 10.1.1.0 /26 is denied by the first statement in the route-map and permitted by the second statement, but it doesn't appear in the routing table?
Please share your experience of how route-map and access-list logic filters the routes; it's confusing to me.
Thanks
Subodh
02-25-2010 02:41 PM
Hi Subodh,
In your case examples you actually show how route-maps work.
Basically if you configure an empty permit route-map, that is with no match statements, it acts as a permit any in your redistribution or policy routing action. Route-maps have an implicit deny, that is, if you have only 1 route-map sequence permitting or denying a match statement, it will only act on that. That is why in your Case #1, that "permit 20" statement basically means let through everything else that statement 10 denied. That is the best way to do what you want to achieve as However, as you have a "deny ip any any" in the ACL, you are telling the route-map to deny the ACL permitted subnet and deny the ACL deny ip any any, which would make a permit all (AND/OR logic).
Try removing "deny ip any any" in that ACL in Case 1 and this should fix your issue.
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_pi1.html#wp1015665
The above link should explain it all for you. It is a bit confusing, but as you play around with them it should help you understand how they work and how and when to use them.
HTH
Joe.
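An added example, not part of either post: a small Python model of how a route-map that matches an extended ACL is evaluated during redistribution, run over the three cases from the question. The function names and tuple layout are assumptions made for this sketch, and only `host` and `any` ACL entries are modelled (no wildcard masks).

```python
import ipaddress

def acl_permits(acl, route):
    """Extended ACL used as a route filter: source = network, destination = mask.
    First matching entry wins; no matching entry means the implicit deny."""
    net = ipaddress.ip_network(route)
    for action, src, dst in acl:
        src_ok = src == "any" or src == str(net.network_address)
        dst_ok = dst == "any" or dst == str(net.netmask)
        if src_ok and dst_ok:
            return action == "permit"
    return False

def redistributed(route_map, acl, routes):
    """Return the routes a route-map lets through, checking sequences in order."""
    out = []
    for route in routes:
        for _seq, action, has_match in sorted(route_map):
            # A sequence matches when it has no match clause or its ACL permits
            # the route. An ACL deny only means "not matched here": fall through.
            if not has_match or acl_permits(acl, route):
                if action == "permit":
                    out.append(route)
                break  # the first matching sequence decides
        # no sequence matched: implicit deny at the end of the route-map
    return out

# Constructed from the thread: the EIGRP routes seen as O E2 on the next router.
ROUTES = ["10.1.1.0/26", "10.1.1.64/26", "10.1.1.128/26", "10.1.1.192/26",
          "192.168.1.0/30"]
HOST = ("10.1.1.0", "255.255.255.192")
ACL_CASE1 = [("permit", *HOST), ("deny", "any", "any")]
ACL_CASE23 = [("deny", *HOST), ("permit", "any", "any")]
# Route-map entries are (sequence number, action, has "match ip address send").
CASES = {
    "CASE 1": ([(10, "deny", True), (20, "permit", False)], ACL_CASE1),
    "CASE 2": ([(10, "permit", True)], ACL_CASE23),
    "CASE 3": ([(10, "permit", True), (20, "permit", False)], ACL_CASE23),
}

if __name__ == "__main__":
    for name, (rmap, acl) in CASES.items():
        print(name, redistributed(rmap, acl, ROUTES))
```

The output for each case can be compared line by line with the O E2 entries in the three routing tables posted in the question.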