
Monday, February 4, 2019

Route-Map Match Statement Logic with ACLs / Prefix-Lists

This seems to be a confusing topic for many students, so I have tried to make a simple note here. The logic behind route-maps is really very simple, and understanding it helps with many complex configurations involving redistribution, filtering, policy-based routing, etc.

The confusion comes from mixing permit and deny statements in ACLs with permit and deny statements in route-maps. I take ACLs as the example here, but the same logic applies to prefix-lists.

Let's get a universal example and let's assume A and B are network IDs.

ACL
 - Permit A
 - Deny B

Route-maps can have either permit or deny statements, just like ACLs, and they also have an implicit deny at the end, just like ACLs.

Let's say the above ACL is matched in a route-map with a permit statement.

route-map RMAP permit 10
 - match ip address ACL

What happens is that A, which the ACL permits, is selected, while B, which the ACL denies, is not matched by this statement and moves on to the next statement of the route-map. If there is no next statement, B falls to the implicit deny and is not selected for the application.

Let's say the above ACL is matched in a route-map with a deny statement.

route-map RMAP deny 10
 - match ip address ACL

What happens is that A, which the ACL permits, matches the deny statement and is not selected, while B, which the ACL denies, is not matched by this statement and moves on to the next statement of the route-map. If there is no next statement, B is not selected for the application either.

If you want to match the networks denied by an ACL through route-map statements, you have to configure the last statement of the route-map as a permit statement without any match statement; here matching nothing means matching everything.

route-map RMAP permit <last sequence number>

In policy-based routing, if you don't configure such a last statement, the traffic that is filtered out will be routed according to the IP routing table.

The only thing to remember is this:

Networks permitted by the ACL are permitted by permit statements and denied by deny statements in the route-map, while networks denied by the ACL are moved on to the next statement of the route-map.

You can also use the logical operators "OR" and "AND" with the match statements of route-maps.
When two or more ACLs are listed in one match statement, the selection is an "OR"; when two or more match statements are configured one after another in the same sequence, the selection is an "AND".

OR

route-map RMAP permit 10
 - match ip address ACL-1 ACL-2

AND

route-map RMAP permit 10
 - match ip address ACL-1
 - match ip address ACL-2
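The permit/deny fall-through rules and the OR/AND match semantics above can be checked with a small simulator. This is an added example, not code from the original post; networks are plain IDs such as A and B, and RMAP, ACL, ACL-1 and ACL-2 are the names used in the post.

```python
IMPLICIT_DENY = "deny"  # both ACLs and route-maps end with an implicit deny

def acl_permits(acl, network):
    """True only if the first ACL entry naming the network is a permit.

    An explicit deny, or no entry at all (the implicit deny), both mean
    'not matched' as far as a route-map match clause is concerned.
    """
    for action, net in acl:
        if net == network:
            return action == "permit"
    return False

def clause_matches(acls, clause, network):
    """One 'match ip address X Y' line: matches if ANY listed ACL permits (OR)."""
    return any(acl_permits(acls[name], network) for name in clause)

def sequence_matches(acls, clauses, network):
    """Several match lines in one sequence must ALL match (AND).

    No match lines at all means 'match everything'.
    """
    return all(clause_matches(acls, c, network) for c in clauses)

def route_map(acls, rmap, network):
    """Walk the route-map top-down and return 'permit' or 'deny'.

    rmap is a list of (sequence, action, clauses); each clause is a list of
    ACL names. A network an ACL denies does not match that sequence and
    falls through to the next one, ending at the implicit deny.
    """
    for _seq, action, clauses in sorted(rmap, key=lambda s: s[0]):
        if sequence_matches(acls, clauses, network):
            return action
    return IMPLICIT_DENY

# The post's ACL: permit A, deny B (constructed network IDs)
ACLS = {"ACL": [("permit", "A"), ("deny", "B")]}
# route-map RMAP permit 10 / match ip address ACL
RMAP_PERMIT = [(10, "permit", [["ACL"]])]
# route-map RMAP deny 10 / match ip address ACL
RMAP_DENY = [(10, "deny", [["ACL"]])]
# ...followed by a last permit with no match statement, to catch denied networks
RMAP_DENY_CATCHALL = RMAP_DENY + [(20, "permit", [])]

if __name__ == "__main__":
    for label, rmap in [("permit 10", RMAP_PERMIT), ("deny 10", RMAP_DENY),
                        ("deny 10 + permit 20", RMAP_DENY_CATCHALL)]:
        print(label, {n: route_map(ACLS, rmap, n) for n in "AB"})
```

Running it prints, for each route-map, which of A and B ends up permitted; a network absent from the ACL altogether behaves exactly like B, because the ACL's implicit deny is also "no match".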

Refer to the examples in my blog for policy-based routing and redistribution using route-maps.
