
Sunday, February 3, 2019

ACL Selection Logic Example for Redistribution through Route-Maps

When access control lists are used for redistribution through route-maps, the result can be confusing, especially when deny statements appear both in the ACLs and in the route-map sequences.

The logic to keep in mind is simple:

1. A network permitted by the ACL is redistributed if the route-map sequence that references that ACL is a permit statement.
2. A network permitted by the ACL is not redistributed if the route-map sequence that references that ACL is a deny statement.
3. A network denied by the ACL (explicitly, or by the ACL's implicit deny) does not match that sequence at all; evaluation falls through to the next route-map sequence, and if no sequence matches, the route map's implicit deny at the end stops the network from being redistributed.

Let's take an example and walk through the selection logic using a flow diagram.

The following ACLs are referenced by the route map. A "deny any" line is shown in each one; it is not configured, it is the implicit deny at the end of every ACL.

ip access-list standard ACL-PERMIT_11
 permit 11.0.0.0
 deny any

ip access-list standard ACL-DENY_12-PERMIT_13
 deny   12.0.0.0
 permit 13.0.0.0
 deny any

ip access-list standard ACL-DENY_14-PERMIT_15
 deny   14.0.0.0
 permit 15.0.0.0
 deny any

ip access-list standard ACL-PERMIT_16
 permit 16.0.0.0
 deny any

The following route map is defined. The implicit deny is shown at the end for clarity; it is not configured, it is present by default, just as in the ACLs.

route-map REDISTRIBUTE permit 10
 match ip address ACL-PERMIT_11

route-map REDISTRIBUTE permit 20
 match ip address ACL-DENY_12-PERMIT_13

route-map REDISTRIBUTE deny 30
 match ip address ACL-DENY_14-PERMIT_15

route-map REDISTRIBUTE deny 40
 match ip address ACL-PERMIT_16

implicit deny all

Following is the selection logic diagram.

[Selection logic flow diagram: the image is not preserved in this copy]
If you want networks 12 and 14 to be redistributed as well, add an explicit permit-all entry as the last route-map sequence: a permit statement with no match clause matches everything, so the routes that fall through every ACL deny land there instead of hitting the implicit deny.
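To make the three rules and the fall-through behaviour concrete, here is an added Python example (not part of the original post, and not Cisco code) that models the ACLs and route map above and evaluates each of the networks 11 to 16 against them, once as posted and once with the permit-all sequence suggested in the last paragraph. Two assumptions are built in and labelled in the code: a standard ACL entry written without a wildcard (for example "permit 11.0.0.0") is treated as a host match with wildcard 0.0.0.0, and "match ip address" is treated as testing the route's network address against that ACL. The sequence number 50 for the permit-all entry is a constructed value.

```python
# Added example, not part of the original post: a small evaluator for the
# standard-ACL / route-map selection logic described above. The ACLs and
# the route map are copied from the post; how they are evaluated is this
# script's own model of the behaviour the post describes.
#
# Assumptions (labelled as such): a standard ACL entry written without a
# wildcard (e.g. "permit 11.0.0.0") is a host match, i.e. wildcard 0.0.0.0,
# and "match ip address <acl>" tests the route's network address against
# that ACL. "any" is modelled as wildcard 255.255.255.255.

import ipaddress


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


# Standard ACLs from the post. Each entry is (action, address, wildcard).
# The trailing "deny any" is written out explicitly, as in the post.
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "ACL-PERMIT_11": [("permit", "11.0.0.0", "0.0.0.0"), ("deny", *ANY)],
    "ACL-DENY_12-PERMIT_13": [("deny", "12.0.0.0", "0.0.0.0"),
                              ("permit", "13.0.0.0", "0.0.0.0"), ("deny", *ANY)],
    "ACL-DENY_14-PERMIT_15": [("deny", "14.0.0.0", "0.0.0.0"),
                              ("permit", "15.0.0.0", "0.0.0.0"), ("deny", *ANY)],
    "ACL-PERMIT_16": [("permit", "16.0.0.0", "0.0.0.0"), ("deny", *ANY)],
}

# Route map REDISTRIBUTE from the post: (sequence, action, ACL name).
ROUTE_MAP = [
    (10, "permit", "ACL-PERMIT_11"),
    (20, "permit", "ACL-DENY_12-PERMIT_13"),
    (30, "deny", "ACL-DENY_14-PERMIT_15"),
    (40, "deny", "ACL-PERMIT_16"),
]

# The fix the post suggests: a final permit sequence with no match clause.
# A sequence whose ACL is None matches every route. Sequence 50 is a
# constructed value, not from the post.
ROUTE_MAP_WITH_PERMIT_ALL = ROUTE_MAP + [(50, "permit", None)]


def acl_action(entries, network: str) -> str:
    """First matching ACL entry wins; no match at all is the implicit deny."""
    n = _ip(network)
    for action, addr, wildcard in entries:
        w = _ip(wildcard)
        # Bits set in the wildcard are "don't care" bits.
        if (n | w) == (_ip(addr) | w):
            return action
    return "deny"


def route_map_decision(route_map, acls, network: str):
    """Return (redistributed, matching_sequence).

    Rules 1 and 2: an ACL permit binds the route to this sequence, and the
    sequence's own action decides whether the route is redistributed.
    Rule 3: an ACL deny means "not this sequence"; fall through to the next.
    Falling off the end is the route map's implicit deny.
    """
    for seq, action, acl_name in route_map:
        if acl_name is None or acl_action(acls[acl_name], network) == "permit":
            return action == "permit", seq
    return False, None


def summarize(route_map, acls, networks):
    """Map each network to its (redistributed, sequence) decision."""
    return {net: route_map_decision(route_map, acls, net) for net in networks}


if __name__ == "__main__":
    nets = [f"{i}.0.0.0" for i in range(11, 17)]
    for label, rm in (("as posted", ROUTE_MAP),
                      ("with permit-all seq 50", ROUTE_MAP_WITH_PERMIT_ALL)):
        print(f"Route map {label}:")
        for net, (ok, seq) in summarize(rm, acls=ACLS, networks=nets).items():
            where = f"seq {seq}" if seq is not None else "implicit deny"
            print(f"  {net:<10} {'redistributed' if ok else 'dropped':<14} ({where})")
```

Running it shows 11 and 13 redistributed by sequences 10 and 20, 15 and 16 stopped by the deny sequences 30 and 40, and 12 and 14 falling off the end into the implicit deny; with the permit-all sequence appended, 12 and 14 are picked up by sequence 50 while 15 and 16 are still stopped earlier.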
