02-25-2006 03:12 AM - edited 03-03-2019 11:52 AM
I have 2 routers with the following config:
hostname R5
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
!
router bgp 500
 bgp log-neighbor-changes
 neighbor 10.10.10.2 remote-as 700
 neighbor 10.10.10.2 route-map block7 in
 neighbor 20.20.20.1 remote-as 100
!
ip as-path access-list 1 deny _700$
!
route-map block7 permit 10
 match as-path 1
!
route-map block7 permit 20
The other router is R7:
interface Loopback0
 ip address 7.7.7.7 255.255.255.255
!
interface Loopback1
 ip address 6.6.6.6 255.255.255.255
!
interface Loopback2
 ip address 8.8.8.8 255.255.255.255
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
!
router bgp 700
 network 6.6.6.6 mask 255.255.255.255
 network 7.7.7.7 mask 255.255.255.255
 network 8.8.8.8 mask 255.255.255.255
 neighbor 10.10.10.1 remote-as 500
 neighbor 10.10.10.1 route-map addas out
!
access-list 1 permit 7.7.7.7
access-list 2 permit 6.6.6.6
!
route-map addas permit 10
 match ip address 1
 set as-path prepend 777
!
route-map addas permit 20
 match ip address 2
 set as-path prepend 666
!
route-map addas permit 30
___
From R5, I expected to see some networks blocked because of the route-map, but I saw all of them:
R5#sh ip bgp
BGP table version is 10, local router ID is 137.20.33.33
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 6.6.6.6/32 10.10.10.2 0 0 700 666 i
*> 7.7.7.7/32 10.10.10.2 0 0 700 777 i
*> 8.8.8.8/32 10.10.10.2 0 0 700 i
R5#
After I remove the "route-map block7 permit 20" from R5, I get this:
R5#sh ip bgp
R5#
My understanding is: 6.6.6.6/32, 7.7.7.7/32 and 8.8.8.8/32 should be blocked because of route-map clause 10 on R5 before they pass through route-map block7 permit 20. That is, there should be no difference before and after I remove the command. But from the result, I am wrong. Can someone explain this?
02-25-2006 03:21 AM
Hi,
If I understand what you are trying to do, you are trying to block routes with an AS-PATH that ends with 700. Is that correct? If so, you want to block 8.8.8.8/32 but let the others through?
If so, here is what you need on R5:
router bgp 500
 neighbor 10.10.10.2 route-map block7 in
!
ip as-path access-list 1 permit _700$
!
route-map block7 deny 10
 match as-path 1
!
route-map block7 permit 20
The trick is that you should permit the routes you want matched with your as-path access-list. Then deny those routes using the route-map.
Hope that helps - pls do rate the post if it does.
Paresh
02-25-2006 03:29 AM
Hi Paresh, thanks for your quick reply, you solved a lot of my problems...
The problem is I know how to configure it, but I just cannot understand my current configuration.
Now can you answer another question of mine:
what is the difference between:
ip as-path access-list 1 permit _700$
!
route-map block7 deny 10
 match as-path 1
!
route-map block7 permit 20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
and:
ip as-path access-list 1 DENY _700$
!
route-map block7 PERMIT 10
 match as-path 1
!
route-map block7 permit 20
~~~~~~~~~~~~~~~~~~~~~
?
You put the deny in the route-map while I put the deny in the as-path access-list.
02-25-2006 03:38 AM
Always happy to be of assistance, mate!
Ok, here's the difference. When you use a deny within the as-path access-list, it denies the specified route for the purpose of matching within a subsequent entry in a route-map, which means that the match condition within the route-map will not match, so it will evaluate the next clause in the route-map. That is why it falls through to 'route-map block7 permit 20' in your case. Also, since there is an implicit deny within the as-path ACL, having a single deny statement does not make sense.
Now, looking at my way of doing it: the as-path will match routes with the specified AS-PATHs. When used as a match statement within a route-map, the use of that as-path ACL will cause a match for routes with that AS-PATH. The route-map will then look at the action associated with that clause - permit or deny. Since it is a deny, these routes will not be let through.
Hope that helps - pls do rate the post if it does.
Paresh
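To make the two evaluation rules in Paresh's answers concrete (an as-path access-list returns permit/deny with an implicit deny at the end, and a route-map clause only "matches" when its ACL permits, otherwise evaluation falls through to the next sequence with an implicit deny after the last one), here is an added simulation. It is example code written for this thread, not a configuration from either poster and not Cisco IOS code; it models only the subset of route-map and as-path ACL behaviour discussed above. The AS paths are taken from the original poster's `sh ip bgp` output, and the translation of the IOS `_` regex shorthand into a Python regex is an assumption of the example.

```python
import re

# Constructed input: the three prefixes R7 advertises, with the AS paths R5 sees
# after R7's "addas" route-map has prepended 777 / 666 (from the poster's sh ip bgp).
ROUTES = {
    "6.6.6.6/32": [700, 666],
    "7.7.7.7/32": [700, 777],
    "8.8.8.8/32": [700],
}


def as_path_matches(ios_regex, as_path):
    """Apply an IOS-style as-path regex to a path rendered as 'a b c'.
    Assumption: IOS '_' (start, end, or space boundary) is translated to a
    Python alternation before matching."""
    text = " ".join(str(asn) for asn in as_path)
    py_regex = ios_regex.replace("_", r"(?:^|$|\s)")
    return re.search(py_regex, text) is not None


def as_path_acl_permits(acl, as_path):
    """Evaluate an 'ip as-path access-list': first matching entry wins,
    implicit deny if nothing matches. acl is a list of (action, regex)."""
    for action, ios_regex in acl:
        if as_path_matches(ios_regex, as_path):
            return action == "permit"
    return False  # implicit deny at the end of every as-path ACL


def route_map_permits(route_map, acls, as_path):
    """Evaluate a route-map. A clause matches only when every referenced ACL
    permits the path; the first matching clause's action decides; a clause
    with no match statements matches everything; implicit deny after the last
    sequence. route_map is a list of (action, [acl_name, ...]) in sequence order."""
    for action, acl_names in route_map:
        if all(as_path_acl_permits(acls[name], as_path) for name in acl_names):
            return action == "permit"
    return False  # no clause matched: route-map implicit deny


def apply_inbound_policy(route_map, acls, routes=ROUTES):
    """Return the sorted prefixes that survive the inbound route-map."""
    return sorted(
        prefix for prefix, path in routes.items()
        if route_map_permits(route_map, acls, path)
    )


# Original poster's R5: deny in the ACL, permit in the route-map.
OP_ACLS = {"1": [("deny", "_700$")]}
OP_ROUTE_MAP = [("permit", ["1"]), ("permit", [])]   # block7 permit 10, permit 20
OP_ROUTE_MAP_NO_20 = [("permit", ["1"])]             # after removing permit 20

# Paresh's R5: permit in the ACL, deny in the route-map.
PARESH_ACLS = {"1": [("permit", "_700$")]}
PARESH_ROUTE_MAP = [("deny", ["1"]), ("permit", [])]  # block7 deny 10, permit 20

if __name__ == "__main__":
    print("OP config:            ", apply_inbound_policy(OP_ROUTE_MAP, OP_ACLS))
    print("OP without permit 20: ", apply_inbound_policy(OP_ROUTE_MAP_NO_20, OP_ACLS))
    print("Paresh config:        ", apply_inbound_policy(PARESH_ROUTE_MAP, PARESH_ACLS))
```

Running it reproduces the thread: with the ACL deny, clause 10 never matches anything, so every prefix falls through to `permit 20` and all three are accepted; remove `permit 20` and nothing is left to match, so the table is empty; with the ACL permit and the route-map deny, only 8.8.8.8/32 (path ending in 700) is dropped. The practical takeaway for auditing a filter is that a route-map clause whose ACL contains only deny entries is a no-op, so a policy that looks restrictive in the config may pass everything.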