Hello networklessons,
first of all thank you for this content, i really appreciate it!
I have a question: Is it possible that filtering exercises can be given with solutions? I think with this I can understand the topic or the procedure much better.
Thank you in advance 
Hello Roberto
Great to hear that the content is helpful for you! When you say you want filtering exercises with solutions, can you be more specific? The lesson itself is an exercise in filtering using route maps, and it shows the solution on how to filter a specific network, so in a sense, the solution is in the lesson. If you want to take a look at route-maps specifically, and all of the functions that they can achieve, you can see some more exercises at the following lesson:
If you need anything further, please clarify and we’ll be happy to assist.
I hope this has been helpful!
Laz
Hey Rene\Lazaros. There is still something that I am not understanding. If we are creating a “Route-map” with a “deny” statement, why are we then creating an access-list with the “permit” statement??
Why wouldn’t we just create a Route map with the “deny” statement, and an access-list with a “deny” statement, then a “permit all” statement for everything else to be allowed through?
R1(config)#route-map FILTER_OUT deny 10
R1(config)#ip access-list standard NET_192
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255
This seems conflicting to me and not making sense. Can you help me understand why this makes sense, versus using two deny statements: One for route-map and one for access-list? Thanks!
Hello Desmond
I can see how the various permit or deny statements found within route maps and ACLs can get confusing. Remember that in such a secnario, the ACL is used to match traffic while the route map is used to act upon matched traffic. Take a look at the following post that clarifies this further.
You may also find it helpful to reveiw the following lesson on route-maps where it includes multiple examples where ACLs and route maps use different combinations of permit/deny statements…
I hope this has been helpful!
Laz
HI Rene,
i think this statement need to be permit otherwise it will allow 1.1.1.0/24 as well
R2(config)#ip access-list standard NET_1
R2(config-std-nacl)#deny 1.1.1.0 0.0.0.255
R2(config-std-nacl)#permit anyHello Ankush
Actually, the statement is correct. The logic involved is the following:
The access list denies 1.1.1.0/24 but permits everything else. When called by the route-map, what matches in the route map statement is anything that is permitted. That is, everything in the access list matches except the 1.1.1.0/24 subnet.
The route-map has two statements: the permit statement, which is statement 10, and an implicit deny statement at the end. So everything that is permitted by the ACL is matched and is permitted by statement 10 of the route map.
Now, 1.1.1.0/24 is not matched by statement 10, so it must then be dealt with using the implicit deny statement at the end.
It is important to note that it is not the deny statement in the ACL that is actually blocking the prefix, but the implicit deny statement at the end of the route map.
I hope this has been helpful!
Laz
Hi Andrew,
I hope you are doing well.
I little bit lost on this particular config that Rene did :
R1(config)#route-map FILTER_OUT deny 20 - ------------ >> [Carlos] Clear for me we don't want to advertise 172.16.0.0/16 ge 26 (/26 , /27) .
R1(config-route-map)#match ip address prefix-list SMALL_PREFIXES [Carlos] Clear .
R1(config)#ip prefix-list SMALL_PREFIXES permit 172.16.0.0/16 ge 26 [Carlos] In this step I am little bit confused. So I why I should use permit?
R1(config)#route-map FILTER_OUT permit 30
Many thanls
Carlos
Hello Carlos
In this example, the route map is referencing a prefix-list called SMALL_PREFIXES in statement 20. When it does so it uses a match statement. In order for the match statement to match the prefixes defined by the prefix-list, it must match anything that is “permitted” in the prefix list. Remember, when configuring the prefix-list, the “permit” statement is not what acts upon the exchanged packets. It is the deny statement of the route map.
The only purpose of the permit statement in the prefix list is to be used to match the particular prefixes for the purpose of the match statement of the route list. The deny statement of the route list does the actual denying.
If deny was used in the prefix-list, the route map match statement would not match anything, and the route map would not function as desired.
I hope this has been helpful!
Laz
Laz,
10/10 Many thanks you are a master.
All clear !
C.
Hey there, i have read the topic here (https://networklessons.com/eigrp/eigrp-route-map-filtering) as i am a memeber. I have the task to filter routes in outgoing direction to only certain neighbors in a network. I dont want to filter all the routes, but only specific ones that are present via a prefix list. All the manuals just show how to filter all the routes to a EIGRP neighbor, or how to filter via prefix list based on an interface. Can you help in this case?
Regards
Hello Systemtechnik
It is possible to filter routes in both an outgoing and incoming direction on particular interfaces using the distribute-list command shown in this lesson. After the out keyword, you are able to add additional keywords to specify the specific interfaces on which you want that route map to be applied, as shown below:
R1(config-router)#distribute-list route-map FILTER_OUT out ?
Async Async interface
Auto-Template Auto-Template interface
BDI Bridge-Domain interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
GMPLS MPLS interface
GigabitEthernet GigabitEthernet IEEE 802.3z
LISP Locator/ID Separation Protocol Virtual Interface
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
Lspvif LSP virtual interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
bgp Border Gateway Protocol (BGP)
connected Connected
R1(config-router)#distribute-list route-map FILTER_OUT out
As you can see, the options include particular interfaces that you can specify.
I hope this has been helpful!
Laz
Kindly clarify the below details for a prefix and how it relates to each other .
ACL deny and Route-map permit = ?
ACL deny and Route-map Deny = ?
ACL permit and Route-map Deny = ?
ACL permit and Route-map Permit= ?
Prefix-list deny and Route-map permit = ?
Prefix-list deny and Route-map Deny = ?
Prefix-list permit and Route-map Deny = ?
Prefix-list permit and Route-map Permit= ?
How the permit and deny in ACL and Prefix list and route-map works exactly ??
I believe on R1 you need “no auto-summary” to demonstrate the filtering of 172.16 networks - otherwise a summary route appears on R2. That doesn’t really show the effect of the filtering.
Hello Charles
You’re absolutely correct. Depending on your IOS version, the auto-summary feature may be enabled or disabled by default. In most modern IOS versions, it is indeed disabled, as is the case in the lesson. You will notice in the output of the show running-config | section eigrp command that auto-summary is indeed disabled.
I hope this has been helpful!
Laz
From the perspective of the route map, it seems that permitting a deny and denying a permit have the same effect. Any advantages to choosing one over the other?
Hello Scott
Yes, the result is the same, but the mechanism by which it is reached is different.
When you use an ACL to match traffic that is then to be acted upon by a route-map, only permit statements can positively match traffic. Any ACL “deny” statement is not matched. What does that mean?
Let’s say you use an ACL to positively match traffic with a source IP address within the 10.10.10.0/24 network using a permit statement. The traffic is matched, therefore it is passed to the route-map and the route map can act upon that traffic in any way. It can permit it or deny it.
But if you use an ACL to deny, say, any source IP address in the 20.20.20.0/24 network using an explicit deny statement, then no match is recorded. Therefore even if you have this ACL referenced by the route map, it will not register as a match. Therefore it will not be past on to the route map to apply whatever it was going to apply. In other words, the process stops here.
This means that from the perspective of the route map, denying a permit means that the ACL matches traffic, passes it to the route map, and the route map can then do what it wants with it.
However, permitting a deny means that nothing is ever matched by the ACL so the route map statement in which that ACL exists isn’t processed at all! So you can even deny a deny or permit a deny, it would be exactly the same thing. In other words, any traffic that matches the deny statement of the ACL is ignored completely.
For more information on how this works, take a look at this NetworkLessons note on Route-Map and ACL matching.
I hope this has been helpful!
Laz
With this explanation it seems that using a deny ACL statement in combination with a route map is awkward and unnecessary unless you can share a real world scenario where such a combination would be useful.
Otherwise, it’s analogous to calling a friend and saying you don’t want to talk
Hello Scott
That’s actually a rather accurate analogy! That is indeed the case, and it would be somewhat superfluous to apply a deny statement in the ACL. This is especially true when you think that there is an implicit deny at the end of the ACL anyway, so by adding a deny statement in an ACL to be used to match traffic in a route map, you are not really adding anything.
There are however cases where it is useful to use a deny statement. For example, if you want to match all traffic in the 10.10.10.0/24 network except the specific IP addresses 10.10.10.25 and 10.10.10.30, then you could use the following ACL:
R2(config)#access-list 2 deny host 10.10.10.25
R2(config)#access-list 2 deny host 10.10.10.30
R2(config)#access-list 2 permit 10.10.10.0 0.0.0.255
If you then match this ACL in a route map and apply some action to matching traffic, then it will apply that action to all of the IP addresses in the 10.10.10.0/24 network except .25 and .30. The implicit deny any at the end will also exclude all other addresses from matching.
Alternatively, you would have to add additional ACLs to match those two IP addresses and create additional route map statements used to deny. This is additional configuration work, and it also adds to the processing needed to be performed by the device.
So you see although it is somewhat cumbersome to think about, it is a logical way of using permit and deny statements in an ACL that is used by a route map. And it eliminates the need for additional processing by the route map.
I hope this has been helpful!
Laz
Very helpful, detailed, and demonstrative of your expertise🔥