New Member

route-map problem

I have 2 routers with the following config:

hostname R5

interface Ethernet0

ip address 10.10.10.1 255.255.255.0

router bgp 500

bgp log-neighbor-changes

neighbor 10.10.10.2 remote-as 700

neighbor 10.10.10.2 route-map block7 in

neighbor 20.20.20.1 remote-as 100

ip as-path access-list 1 deny _700$

route-map block7 permit 10

match as-path 1

!

route-map block7 permit 20

another router is R7:

interface Loopback0

ip address 7.7.7.7 255.255.255.255

interface Loopback1

ip address 6.6.6.6 255.255.255.255

interface Loopback2

ip address 8.8.8.8 255.255.255.255

interface Ethernet0/0

ip address 10.10.10.2 255.255.255.0

router bgp 700

network 6.6.6.6 mask 255.255.255.255

network 7.7.7.7 mask 255.255.255.255

network 8.8.8.8 mask 255.255.255.255

neighbor 10.10.10.1 remote-as 500

neighbor 10.10.10.1 route-map addas out

access-list 1 permit 7.7.7.7

access-list 2 permit 6.6.6.6

route-map addas permit 10

match ip address 1

set as-path prepend 777

!

route-map addas permit 20

match ip address 2

set as-path prepend 666

!

route-map addas permit 30

___

From R5, I want to see that some networks were blocked because of the route-map, but I saw all of them:

R5#sh ip bgp

BGP table version is 10, local router ID is 137.20.33.33

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 6.6.6.6/32 10.10.10.2 0 0 700 666 i

*> 7.7.7.7/32 10.10.10.2 0 0 700 777 i

*> 8.8.8.8/32 10.10.10.2 0 0 700 i

R5#

After I remove the "route-map block7 permit 20" from R5, I got this:

R5#sh ip bgp

R5#

My understanding is: 6.6.6.6/32, 7.7.7.7/32 and 8.8.8.8/32 should be blocked because of the route-map 10 on the R5 before passing through route-map block7 permit 20. That is, there should be no difference before and after I remove the command. But from the result, I am wrong. Can someone explain this?

3 REPLIES
Purple

Re: route-map problem

Hi,

If I understand what you are trying to do, you are trying to block routes with an AS-PATH that ends with 700. Is that correct? If so, you want to block 8.8.8.8/32 but let the others through?

If so, here is what you need on R5:

router bgp 500

neighbor 10.10.10.2 route-map block7 in

!

ip as-path access-list 1 permit _700$

!

route-map block7 deny 10

match as-path 1

!

route-map block7 permit 20

The trick is that you should permit the routes you want matched with your as-path access-list. Then deny those routes using the route-map.

Hope that helps - pls do rate the post if it does.

Paresh

New Member

Re: route-map problem

Hi Paresh, thanks for your quick reply, you solved lots of my problems...

The problem is I know how to config, but I just cannot understand my current configuration.

Now can you answer another question of mine:

what is the difference between:

ip as-path access-list 1 permit _700$

!

route-map block7 deny 10

match as-path 1

!

route-map block7 permit 20

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

and:

ip as-path access-list 1 DENY _700$

!

route-map block7 PERMIT 10

match as-path 1

!

route-map block7 permit 20

~~~~~~~~~~~~~~~~~~~~~

?

You put the deny in the route-map while I put the deny in the as-path access list.

Purple

Re: route-map problem

Always happy to be of assistance, mate!

Ok, here's the difference. When you use a deny within the as-path access-list, it denies the specified route for the purpose of matching within a subsequent entry in a route-map. Which means that the match condition within the route-map will not match so it will evaluate the next clause in the route-map. That is why it falls through to 'route-map block7 permit 20' in your case. Also, since there is an implicit deny within the as-path acl, having a single deny statement does not make sense.

Now, looking at my way of doing it: the as-path will match routes with the specified AS-PATHs. When used as a match statement within a route-map, the use of that as-path ACL will cause a match for routes with that AS-PATH. The route-map will then look at the action associated with that clause - permit or deny. Since it is a deny, these routes will not be let through.

Hope that helps - pls do rate the post if it does.

Paresh
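
The evaluation order discussed in this thread, as an added example that is not part of the original posts: a small Python model of an as-path access-list and a route-map (first match wins, implicit deny at the end of each), run against the three AS paths from the `sh ip bgp` output above. The function names and the regex translation of `_` are assumptions of this sketch, not IOS code.

```python
import re

# AS paths as R5 receives them, taken from the "sh ip bgp" output in the thread.
ROUTES = {"6.6.6.6/32": "700 666", "7.7.7.7/32": "700 777", "8.8.8.8/32": "700"}

def cisco_re(pattern):
    # In a Cisco AS-path regex "_" matches start/end of string or a delimiter.
    return re.compile(pattern.replace("_", r"(?:^|$|[ ,{}()_])"))

def aspath_acl(entries, path):
    """entries: [(action, regex)]. First matching entry decides the result;
    a path that matches no entry hits the implicit deny."""
    for action, pattern in entries:
        if cisco_re(pattern).search(path):
            return action == "permit"
    return False

def route_map(clauses, acl, path):
    """clauses: [(action, has_match)]. A clause with 'match as-path' applies
    only if the ACL permits the path; a clause without a match applies to
    everything. No applicable clause means the implicit deny at the end."""
    for action, has_match in clauses:
        if not has_match or aspath_acl(acl, path):
            return action == "permit"
    return False

def accepted(acl, clauses):
    """Prefixes that survive the inbound route-map on R5."""
    return sorted(p for p, path in ROUTES.items() if route_map(clauses, acl, path))

# 1) Original R5 config: ACL "deny _700$", route-map permit 10 (match) + permit 20.
original = accepted([("deny", "_700$")], [("permit", True), ("permit", False)])

# 2) Same, after removing "route-map block7 permit 20".
no_clause_20 = accepted([("deny", "_700$")], [("permit", True)])

# 3) Suggested config: ACL "permit _700$", route-map deny 10 (match) + permit 20.
suggested = accepted([("permit", "_700$")], [("deny", True), ("permit", False)])

if __name__ == "__main__":
    print("original     :", original)
    print("no clause 20 :", no_clause_20)
    print("suggested    :", suggested)
```

In case 1 the ACL never permits anything, so clause 10 never applies and every route falls through to clause 20; in case 2 the same routes fall off the end of the route-map instead.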
