EIGRP Route-Map Filtering

Hi,

Using an extended ACL in a route-map allows you to identify routes based on both network and mask.

For example to filter 192.168.1.0/24, the ACL would be:

ip access-list extended 100
deny ip host 192.168.1.0 host 255.255.255.0
permit ip any any

When used with routing protocols such as EIGRP, OSPF and BGP, that seems to be the case (according to my labs). Does that sound correct?

Sam

Hello Samir

The behavior for extended ACLs when used in route maps differs depending on the routing protocol in which you are configuring it. For BGP, your description is spot on. However, for IGPs it’s slightly different.

For IGPs, the destination fields of the ACL identify the smallest prefix length allowed in the network range. For BGP it identifies the exact prefix length allowed.

Take a look at slides 8 and 9 of this Cisco Live presentation that details this…

I hope this has been helpful!

Laz


Hi Laz,

Thanks for that.

I have read the document and although I understand it, the examples it gives in Table 15-3 do not clarify things.

So, does it mean that for an IGP an ACL entry of host 155.1.0.0 host 255.255.0.0 would match 155.1.0.0 with a /16 through to /32 prefix length?

Thanks.

Sam

Hello Samir

Yes, for an IGP, the ACL entry host 155.1.0.0 host 255.255.0.0 would match any subnet of 155.1.0.0/16, from /16 up to /32.

I hope this has been helpful!

Laz


Hello Laz,

I have several questions regarding the topics discussed in this lesson:

1). When combining an ACL with a route map in order to filter specific prefixes on a router, what is the relationship between the permit/deny statements in the ACL to the permit/deny statements on each route map sequence?

I am assuming that, when a route map sequence specifies the deny keyword, it will deny traffic that in turn matches the permit statements on the ACL. Is this correct? What if a route map deny sequence had been combined with an ACL that's denying the specific prefix we wanted to filter? For example, using the first example in the lesson where we wanted to filter 192.168.1.0/24 from being advertised to R2, what if this had been the route map and ACL config:

ip access-list standard TEST
deny 192.168.1.0 0.0.0.255
route-map FILTER_OUT deny 5
match ip address TEST
route-map FILTER_OUT permit 10

Would this config filter anything at all?

2). I wanted to try to filter out the 192.168.1.0/24 like in the lesson, but instead of doing it with an outbound distribute list on R1, I wanted to try doing it with an inbound distribute list on R2. I also wanted to try to combine a route map with a prefix list instead of using an ACL. Would this have been the correct way to do it:

On R2:

ip prefix-list FILTER1 permit 192.168.1.0/24
route-map TEST deny 5
match ip address prefix-list FILTER1
route-map TEST permit 10
router eigrp 1
distribute-list route-map TEST in

Would this be the correct approach? I have tried it in CML and it works, but I have questions regarding the permit/deny statements a prefix list would have and how they work together with the permit/deny statements in each sequence of a route map. I am assuming combining a route map deny sequence with a prefix list that has a permit statement for a specific prefix would mean that prefix gets denied when applied to the eigrp process using the distribute list.

Another question regarding using a route map with a prefix list concerns the implicit deny at the end of the prefix list. In the example above, I skipped a permit statement for any other prefix on the prefix list (0.0.0.0/0 le 32) because I figured the permit statement on sequence 10 of the route map would allow any other prefix, overriding the implicit deny at the end of my prefix list. Is this correct?

Thank You Laz

Hello Paul

The interaction between ACLs and route-maps is often confusing, so let me try to clarify this.

When using route-maps with ACLs (or prefix-lists) for route filtering, we must understand that there are two separate decision stages:

  • Stage 1: The Match Decision (ACL): The ACL determines whether a route matches the criteria.

    • If it matches a permit statement, then this is considered a MATCH, and it is passed on to the route map for action evaluation.
    • If it matches a deny statement (including the implicit deny at the end), then it is NOT considered a match and this route-map sequence is skipped entirely.
  • Stage 2: The Action Decision (Route-Map): The route-map sequence determines what action to take on routes that matched in stage 1:

    • Route-map permit: Allow the matched route (and apply any set commands)
    • Route-map deny: Filter/block the matched route

Note that an ACL “deny” does NOT mean “filter this route” as it would if you applied it directly to an interface for packet filtering. Instead, it means “this route doesn’t match this criteria, so ignore this route-map sequence.”

So your configuration in question 1 would do nothing, because the access list has only one deny statement, and the implicit deny at the end. An ACL with no permit statement will not match any criteria.

Your configuration for question 2 is correct. It would successfully filter out the 192.168.1.0/24 network. The permit/deny statements in the prefix list have the same logic and functionality as the above-described ACL operation. Anything permitted by the prefix list is simply considered and evaluated by the route-map statement. Anything denied in the prefix list is ignored by the route map.

Your assumption is absolutely correct! The prefix-list implicit deny only affects matching within that specific match statement in the route-map. It does NOT automatically cause the route-map to deny those routes.

I hope this has been helpful!

Laz
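The following is an added example (not part of the original thread and not IOS code) that simulates the two-stage logic Laz describes: stage 1 is the ACL or prefix-list MATCH decision, stage 2 is the route-map sequence's permit/deny ACTION. It also models the earlier point about extended ACLs, where the destination field is the exact prefix length for BGP but the smallest allowed prefix length for an IGP. It is a Python model of the behaviour as stated in this thread, not a verification against real IOS; it assumes IPv4 only, contiguous wildcard masks, and extended ACL entries written with the host keyword (or any/any), which is all the thread uses. The class and function names (StdAclEntry, ExtAclEntry, PrefixListEntry, RouteMapSeq, route_map_permits, filter_routes) and the sample routing table are constructed for the example.

```python
"""Added example (not IOS code): simulate how a route-map combines an ACL or
prefix-list MATCH decision (stage 1) with the sequence's permit/deny ACTION
(stage 2) when filtering routes. IPv4 only; semantics modelled as described
in the thread, not verified against IOS."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


def _from_wildcard(network: str, wildcard: str) -> Net:
    """Range covered by an IOS 'network wildcard' pair (contiguous wildcard assumed)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return Net((network, 33 - (wc + 1).bit_length()), strict=False)


@dataclass
class StdAclEntry:
    """Standard ACL line 'permit|deny network wildcard': checks the route's network
    address only; the route's prefix length is not examined."""
    action: str
    network: str
    wildcard: str = "0.0.0.0"

    def matches(self, route: Net, protocol: str) -> bool:
        if self.network == "any":
            return True
        return route.network_address in _from_wildcard(self.network, self.wildcard)


@dataclass
class ExtAclEntry:
    """Extended ACL line 'permit|deny ip host <network> host <mask>' (or 'any')."""
    action: str
    network: str
    mask: str = "0.0.0.0"

    def matches(self, route: Net, protocol: str) -> bool:
        if self.network == "any":
            return True
        rng = Net(f"{self.network}/{self.mask}")
        if protocol == "bgp":
            # BGP: the destination field is the exact prefix length allowed
            return route.network_address == rng.network_address and route.prefixlen == rng.prefixlen
        # IGP (EIGRP/OSPF): the destination field is the smallest prefix length
        # allowed, so every subnet of the range (that length and longer) matches
        return route.subnet_of(rng)


@dataclass
class PrefixListEntry:
    """'ip prefix-list NAME permit|deny A.B.C.D/len [ge X] [le Y]'."""
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: Net, protocol: str) -> bool:
        rng = Net(self.prefix)
        if self.ge is None and self.le is None:
            lo = hi = rng.prefixlen                      # no ge/le: exact length only
        else:
            lo = rng.prefixlen if self.ge is None else self.ge
            hi = 32 if self.le is None else self.le
        return route.subnet_of(rng) and lo <= route.prefixlen <= hi


def list_matches(entries, route: Net, protocol: str) -> bool:
    """Stage 1: the route is a MATCH only if the first entry it hits is a permit.
    Hitting a deny entry, or the implicit deny at the end, means NO MATCH."""
    for entry in entries:
        if entry.matches(route, protocol):
            return entry.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    action: str                     # route-map permit|deny
    match: Optional[list] = None    # None: no match clause, so every route matches


def route_map_permits(seqs: List[RouteMapSeq], prefix: str, protocol: str = "eigrp") -> bool:
    """Stage 2: the first matching sequence decides; permit keeps the route, deny filters it."""
    route = Net(prefix)
    for seq in seqs:
        if seq.match is None or list_matches(seq.match, route, protocol):
            return seq.action == "permit"
    return False                    # implicit deny at the end of the route-map


def filter_routes(seqs, prefixes, protocol="eigrp"):
    """Return the prefixes the route-map lets through."""
    return [p for p in prefixes if route_map_permits(seqs, p, protocol)]


# Constructed sample routing table for the demonstrations below
ROUTES = ["192.168.1.0/24", "192.168.2.0/24", "155.1.0.0/16",
          "155.1.4.0/24", "155.1.4.1/32", "10.0.0.0/8"]

# Question 1: deny-only standard ACL in a deny sequence -> filters nothing
Q1_MAP = [RouteMapSeq("deny", [StdAclEntry("deny", "192.168.1.0", "0.0.0.255")]),
          RouteMapSeq("permit")]

# Question 2: prefix-list permit inside a route-map deny -> 192.168.1.0/24 filtered;
# the prefix-list's implicit deny does not stop sequence 10 from permitting the rest
Q2_MAP = [RouteMapSeq("deny", [PrefixListEntry("permit", "192.168.1.0/24")]),
          RouteMapSeq("permit")]

# Extended ACL 'permit ip host 155.1.0.0 host 255.255.0.0' in a permit sequence:
# IGP keeps every subnet of 155.1.0.0/16 (/16 to /32); BGP keeps only the exact /16
MAP_155 = [RouteMapSeq("permit", [ExtAclEntry("permit", "155.1.0.0", "255.255.0.0")])]
```

Run filter_routes(Q1_MAP, ROUTES), filter_routes(Q2_MAP, ROUTES), and filter_routes(MAP_155, ROUTES, "eigrp") versus filter_routes(MAP_155, ROUTES, "bgp") to see the three behaviours side by side.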