Cisco Support Community
New Member

Route-map & access list question

Can someone please tell me what these three router config items are doing?

We have a router-on-a-stick environment.

We have an IP policy statement on Ethernet 0/0:

ip policy route-map EDI

We have a route-map definition that looks like this:

route-map EDI permit 10
 match ip address EDI-Fuse
 set ip next-hop 10.49.1.2

We have a long extended ACL that has both permit and deny statements in it. For simplicity I have included just one of the denies and one of the permits. The list of denies comes first, if that makes a difference:

ip access-list extended EDI-Fuse
 deny ip any 10.0.0.0 0.255.255.255
 permit ip host 10.49.2.183 host 12.163.226.2

2 ACCEPTED SOLUTIONS
Blue

Re: Route-map & access list question

John:

What you are showing us is an example of what is called "policy routing."

Typically, a router makes a forwarding decision based on the destination address of the packet received on its interface.

There are times when a network designer would like the router to make a forwarding decision based on the source IP address instead.

With an extended access list, not only is the source address the concern, but also where the packet is destined.

Take note that policy routing is performed before normal, destination-based routing. So, the route map is going to be activated and it's going to "call" the access list when a packet is received on your e0/0 interface.

With the "match" command, the route map is telling the router, "IF the source is any network and it is destined for the 10.0.0.0/8 network, deny it and do NOT forward it. IF the source is 10.49.2.183 and it's destined for host 12.163.226.2, THEN permit it and SET the next hop to be 10.49.1.2."

Makes sense?

HTH

Victor

Hall of Fame Super Bronze

Re: Route-map & access list question

Correct?

Yes. It's not a security ACL.

__

Edison.

7 REPLIES
Hall of Fame Super Bronze

Re: Route-map & access list question

John,

It's changing the next hop on packets arriving on the E0/0 interface from the next hop that would otherwise be used from the routing table.

For more information on Policy-Based Routing (PBR), please refer to the documentation:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_ip_prot_indep_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1056703

Based on your ACL:

deny ip any 10.0.0.0 0.255.255.255

traffic won't be PBR'd and the next hop on those packets will be the one on the routing table while:

permit ip host 10.49.2.183 host 12.163.226.2

will be PBR'd, so the next hop will be 10.49.1.2.

HTH,

__

Edison.
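The point Edison makes here (an ACL "deny" inside a route-map match means "this sequence does not match, route normally", never "drop") is the one that trips people up, so here is an added worked model of the decision logic. It is illustrative Python written for this page, not Cisco code or anything from the thread; the ACL and route-map names and the next hop are taken from the question, while the sample packets (10.1.1.1, 10.49.2.5) are constructed for the demo. It goes one step beyond the thread by also modelling a route-map "deny" sequence and the ACL's implicit trailing deny, since both end the same way: the packet is forwarded by the routing table.

```python
"""Model of how a Cisco IOS route-map + extended ACL decides policy-based routing.

Illustrative code written for this page, not Cisco's implementation.
Names EDI, EDI-Fuse and 10.49.1.2 come from the thread; test packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'. 'host X' is X 0.0.0.0,
    'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


@dataclass
class RouteMapSeq:
    action: str               # route-map permit / deny
    match_acl: List[AclEntry]  # match ip address <acl>
    next_hop: Optional[str]    # set ip next-hop, None if no set clause


def pbr_decision(route_map: List[RouteMapSeq], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return ("policy", next_hop) or ("normal", None).

    An ACL 'deny' (or no match) only means the sequence is not matched, so the
    router tries the next sequence and finally falls back to the routing table.
    Nothing in a PBR route-map drops the packet.
    """
    for seq in route_map:
        if acl_lookup(seq.match_acl, src, dst) != "permit":
            continue                      # ACL deny -> this sequence does not apply
        if seq.action == "deny" or seq.next_hop is None:
            return ("normal", None)       # route-map deny, or permit with no set: normal routing
        return ("policy", seq.next_hop)
    return ("normal", None)               # fell off the end of the route-map


# ACL EDI-Fuse as posted: the deny for 10.0.0.0/8 comes before the permit.
EDI_FUSE = [
    AclEntry("deny", "0.0.0.0", "255.255.255.255", "10.0.0.0", "0.255.255.255"),
    AclEntry("permit", "10.49.2.183", "0.0.0.0", "12.163.226.2", "0.0.0.0"),
]
# route-map EDI permit 10 / match ip address EDI-Fuse / set ip next-hop 10.49.1.2
EDI = [RouteMapSeq("permit", EDI_FUSE, "10.49.1.2")]


def demo() -> dict:
    """Three constructed packets arriving on e0/0 with 'ip policy route-map EDI'."""
    return {
        "edi_host_to_partner": pbr_decision(EDI, "10.49.2.183", "12.163.226.2"),
        "edi_host_to_internal": pbr_decision(EDI, "10.49.2.183", "10.1.1.1"),
        "other_host_to_partner": pbr_decision(EDI, "10.49.2.5", "12.163.226.2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the 10.49.2.183 to 12.163.226.2 flow is sent to 10.49.1.2; the packet toward 10.1.1.1 hits the ACL deny and the packet from 10.49.2.5 hits the implicit deny, and both are simply routed from the routing table. That is also the security caveat: if anyone reads the "deny ip any 10.0.0.0 0.255.255.255" line as blocking traffic to 10/8, it does not; filtering needs an ACL applied with "ip access-group" on the interface. On the router, "show route-map EDI" shows the policy-routing match counters so you can confirm which flows are actually being redirected.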

New Member

Re: Route-map & access list question

Thanks

I was somewhat confused about how the ACL was being used in PBR. I was thinking that the packet was being dropped, but that did not make sense, so I posted the question. If I understand what you are saying correctly, then the deny statement is saying, "don't change the route, just let it go where it is destined," whereas the permit is saying, "send this one to the next hop, which is 10.49.1.2." Correct?


Blue

Re: Route-map & access list question

Edison, sorry for the cross-post. I was writing mine at the same time. :-)

New Member

Re: Route-map & access list question

Both of you shed needed light on my confused mind. Thanks for your help!

Blue

Re: Route-map & access list question

"If I understand what you are saying correctly then the deny statement is saying; "don't change the route just let it go where it is destined.""

Correct again. Just finish that statement by saying "...let it go where it is destined according to the route table"

Thanks for the rating.

Victor
