Introduction to Route-maps

Hello Gayathri

In the example you posted, you have created a route map called isp that sets the weight attribute of BGP routes to a value of 32869. And you have applied this route to Neighbor 1.1.1.1 in an inbound direction.

Now what this means is that any BGP update that is received from 1.1.1.1 will have that route map applied. The incoming direction does not have to do with the direction of the user data, but the direction of the BGP update.

So when the 1.1.1.1 neighbor sends a BGP update to your local router about its BGP routes, before they are installed in the local BGP table, the weight is changed. So the result is that any routes learned from 1.1.1.1 will have a weight of 32869 in the BGP table. Take a look at this NetworkLessons note on BGP, route maps, and how direction affects the behavior of BGP.

I hope this has been helpful!

Laz

FYI, while going through the examples in my own lab, I want to mention that section 1.4 Set Action omits the part where the route-map MULTIPLE_MATCH in needs to be removed on R2.

I went back to the video and followed that section and noticed that Renee does it in the video but it’s not mentioned. Because of this, I didn’t see loopback 4 show up in the routing table on R2 at first until I re-watched that section and noticed that the route-map needs to be removed.

Aside from that, I learned a lot from this lesson and it was fairly straightforward!


Hello Brian

Thanks for pointing that out, I will let @ReneMolenaar know to make any necessary adjustments. In the meantime, we’re happy that the content is helpful for you!

Laz

Thanks @brionesb , I fixed this. Normally I remove things like route-maps or access-lists at the end of a section.

Rene

Hello!

I’ve this route map where I configured to set the metric for the 192.168.1.0/24 to “90”, yet it doesn’t work as intended. Here’s my topology.


(I know that there’s an implicit deny at the end of my route map, you can ignore that.)

Any suggestions on how to fix this problem? Thank you all in advance.

Kind regards,
David

Hello David

This particular behavior that you are seeing is normal for situations where a distribute-list is used to reference a route map in this way. Any set commands used will be ignored. Take a look at this NetworkLessons note on distribute-lists and using route maps to set attributes for more info.

I hope this has been helpful!

Laz

Hi Everyone,
In the Match Condition – Deny section, based on the examples, could we say that the permit or deny statement in access lists is not important and does not affect the route map? The only important thing is the permit or deny statement in the route map? As far as I understand, access lists are only used for specifying the traffic.

Thank you for clarification.

Hello Görgen

When used with route maps, the access lists are used only to match traffic. They don’t actually permit or deny traffic as they would if you applied them to an interface.

In an ACL that is used with a route map, only the permit statements are meaningful. The permit statements are those that match traffic. The deny statements don’t actually match anything.

Now having said that, you might think that deny statements are useless when it comes to ACLs used for route maps. Well, this is not the case. Let’s say you want to match all IP addresses within the range of 192.168.10.0/24 except for 192.168.10.15 and 192.168.10.27. How would you create a route map that would match that range? Well, you would do this:

R1(config)#access-list 1 deny host 192.168.10.15
R1(config)#access-list 1 deny host 192.168.10.27
R1(config)#access-list 1 permit 192.168.10.0 0.0.0.255

The above access list, when used by a route map to match packets, will match the whole 192.168.10.0/24 subnet EXCEPT for those two addresses.

I hope this has been helpful!

Laz

Hi,

Here is my configuration;
R1:

ip cef
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!         
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45

!
router eigrp 1
 network 192.168.0.0 0.0.255.255

R2:

ip cef
no ipv6 cef
!
interface Loopback0
 ip address 192.168.78.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45  
!
!
router eigrp 1
 distribute-list route-map TEST_2 in 
 network 192.168.0.0 0.0.255.255
!
!
ip access-list standard R1_L0_DENY
 deny   192.168.0.0 0.0.0.255
ip access-list standard R1_L0_PERMIT
 permit 192.168.0.0 0.0.0.255
!
route-map TEST_1 permit 10
 match ip address R1_L0_PERMIT
!
route-map TEST_2 permit 10
 match ip address R1_L0_DENY
!
R2#sh ip route eigrp        
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

It should show the 192.168.0.0/24 route but it didn’t. Why?

  1. Question
    Hi,

R2:

R2#sh route-map TEST_3
route-map TEST_3, permit, sequence 10
  Match clauses:
    ip address (access-lists): R1_L0_PERMIT 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TEST_3, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
R2#SH ACCESS-LIST R1_L0_PERMIT
Standard IP access list R1_L0_PERMIT
    10 permit 192.168.0.0, wildcard bits 0.0.0.255 (5 matches)
R2#sh ip route eigrp | i /24
D     192.168.0.0/24 
D     192.168.1.0/24 
D     192.168.2.0/24 
D     192.168.3.0/24 
R2#

Why do I still see 192.168.0.0/24?

Thanks

Could you help me? Thanks.

Hello Görgen

Concerning your first question:

If you want the route map to allow only the 192.168.0.0/24 network to be advertised to R2, then you must do the following:

ip access-list standard R1_L0_DENY
 deny   192.168.0.0 0.0.0.255
 permit any

route-map TEST_2 deny 10
 match ip address R1_L0_DENY

Why? Because the route map will only act on anything that the ACL matches or permits. So, by adding the permit any entry in the ACL, we are matching everything EXCEPT the 192.168.0.0/24 network.

As we said, the route map will act upon whatever is permitted. Since everything in the ACL is permitted except for the 192.168.0.0/24 network, we want to act on that by denying it. So we use a deny statement in the route map.

So the result is we deny everything the ACL permits (or matches). So everything is denied except for 192.168.0.0/24, and that network should appear in the routing table. Take a look at this NetworkLessons note for more information on how ACLs and route maps interact.

For the second question, you have a route map with two statements, where you permit anything that is matched by the R1_L0_PERMIT ACL, and denying anything else. But your second statement is a permit statement without any match clauses. This results in matching everything. So your first statement matches the 192.168.0.0/24 network while your second statement matches everything thus letting all networks through.

I hope this has been helpful!

Laz

Hi Lazarus thank you I understand.

But these whole configurations are the same as in the route-map lesson. And these results are not the same as the ones that are in the lesson. That’s why I actually asked the way I asked (“It should be bla bla but it’s not”). When I didn’t see the same result while doing this in my lab, I was disappointed. Thank you for clarifying.

Best Regards

Hello Görgen

If you take a look at the lesson, you’ll see that you get the same results as those in the lesson. In section 1.1.2, you’ll see that Rene also didn’t see any routes in his results.

In your second question in your original post, you had a second permit clause for the route map (sequence 20) which Rene didn’t have. That’s why you see the difference there.

I hope this has been helpful!

Laz


I did this lab with a DENY in the ACL and in the route-map, without any other sequences in the route-map. I got an update on what you taught in this lesson. To play around with this concept, I just added a PERMIT sequence in the ACL and then added a 2nd sequence to the route-map to match all prefixes, but the output shows only the 1.1.1.1/32 prefix, which I denied in the 1st route-map statement. Not sure why it matches in the 2nd route-map statement, where it is supposed to match all prefixes.

Please can someone explain this behaviour?

Router#sh ip access-lists 
Standard IP access list R1
    10 deny   1.1.1.1 (4 matches)
    20 permit any (14 matches)
Router#
Router#sh route-map       
route-map TEST, deny, sequence 10
  Match clauses:
    ip address (access-lists): R1 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TEST, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Router#
Router#sh run | s r e     
router eigrp 10
 distribute-list route-map TEST in 
 network 0.0.0.0
Router#
Router#sh ip route eigrp  
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/131072] via 192.168.23.1, 00:02:08, GigabitEthernet0/2

Hello Sathish

What you are seeing is expected behavior. This has to do with how ACLs and route maps interact. A match statement of a route map that references an ACL will only match permit statements in that ACL.

In your case, sequence 10 of your route map is matching the R1 ACL. Your ACL has these statements:

10 deny   1.1.1.1 (4 matches)
20 permit any (14 matches)

So the route map will match only the permit statements, which means everything except for 1.1.1.1. So everything except for 1.1.1.1 will be denied since the route map action is “deny”. So that is why the 1.1.1.1 network is permitted. Does that make sense?

I hope this has been helpful!

Laz

Thank you @lagapidis

If I am not wrong, a route-map deny statement with a rule of deny/permit ACL would be denied.

With a single route-map deny:
I have a single route-map deny statement that has an access rule to deny 1.1.1.1 and permit any. In this case the route-map denies whatever matches, as below (if I am not wrong):

route-map deny + deny ACL = no match
route-map deny + permit ACL = Match but route-map denies all the match rule.

So the output of received EIGRP routes is none, as expected, and that’s what I got.

Router#sh ip access-lists R1
Standard IP access list R1
    10 deny   1.1.1.1 (1 match)
    20 permit any (5 matches)
Router#
Router#sh route-map
route-map TEST, deny, sequence 10
  Match clauses:
    ip address (access-lists): R1 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Router#
Router#sh run | s r e
router eigrp 10
 distribute-list route-map TEST in 
 network 0.0.0.0
Router#
Router#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

Router#

Adding a second route-map sequence to permit all:
I have added a second route-map statement, seq 20, to permit everything without any match rule. The output should match everything and must allow all routes, but it allows only the 1.1.1.1 network. Could you please explain why it allows a single prefix?

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#route-map TEST permit 20
Router(config-route-map)#exit
Router(config)#
Router(config)#
Router(config)#exit
Router#
*Sep 26 12:22:05.126: %SYS-5-CONFIG_I: Configured from console by console
*Sep 26 12:22:13.304: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.13.1 (GigabitEthernet0/1) is resync: route configuration changed
Router#
Router#sh ip access-lists R1
Standard IP access list R1
    10 deny   1.1.1.1 (1 match)
    20 permit any (5 matches)
Router#
Router#sh route-map         
route-map TEST, deny, sequence 10
  Match clauses:
    ip address (access-lists): R1 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TEST, permit, sequence 20
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Router#
Router#sh ip route eigrp    
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/130816] via 192.168.13.1, 00:00:20, GigabitEthernet0/1
Router#

I removed the distribution list and see all the routes, just for your reference.

Router(config)#router eigrp 10
Router(config-router)#no distri
Router(config-router)#no distribute-list route-map TEST in
Router(config-router)#exit
Router(config)#
Router(config)#
Router(config)#exit
Router#
*Sep 26 12:35:02.049: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.13.1 (GigabitEthernet0/1) is resync: route configuration changed

Router#sh ip route eigrp 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
D        1.1.1.1 [90/130816] via 192.168.13.1, 00:00:04, GigabitEthernet0/1
      172.16.0.0/32 is subnetted, 5 subnets
D        172.16.1.1 [90/130816] via 192.168.13.1, 00:00:04, GigabitEthernet0/1
D        172.16.2.1 [90/130816] via 192.168.13.1, 00:00:04, GigabitEthernet0/1
D        172.16.3.1 [90/130816] via 192.168.13.1, 00:00:04, GigabitEthernet0/1
D        172.16.4.1 [90/130816] via 192.168.13.1, 00:00:04, GigabitEthernet0/1
D        172.16.5.1 [90/130816] via 192.168.13.1, 00:00:04, GigabitEthernet0/1
Router#

Hello Sathish

This is expected behavior. Let’s take a look at it in detail.

The route map is the following:

route-map TEST, deny, sequence 10
  Match clauses:
    ip address (access-lists): R1 
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TEST, permit, sequence 20

There are no match clauses or set clauses for sequence number 20, therefore it permits everything that sequence 10 has allowed through. The ACL is as follows:

Standard IP access list R1
    10 deny   1.1.1.1 (1 match)
    20 permit any (5 matches)

So, the question is, why is 1.1.1.1 the only route that is being advertised by EIGRP?

Let’s take a look at the situation where EIGRP advertises the 1.1.1.1/32 network along with other networks as well.

  1. Route map sequence 10: Route map deny statement examines the ACL. It sees a 1.1.1.1/32 deny in the ACL, so it matches nothing. It then sees a permit all statement and matches everything else. Therefore sequence 10 of the route map denies everything except for the 1.1.1.1/32 network.
  2. Route map sequence 20: Route map permit statement examines everything allowed to pass through sequence 10, which is just the 1.1.1.1/32 network. Since sequence 20 permits everything, it will permit the 1.1.1.1/32 network.

Therefore only the 1.1.1.1/32 network gets advertised. Does that make sense?

I hope this has been helpful!

Laz

Thank you @lagapidis for the explanation. I am still vague in understanding this concept.

Do the route-map sequences work dependently?

I agree that the 1.1.1.1/32 network doesn’t match in route-map seq 10, so route-map seq 20 takes it into account and allows it. Agreed, as I have put more prefixes in the ACL deny that are allowed (verified).

But why are other prefixes not allowed? Was it due to those prefixes being matched in route-map seq 10?

If I remove the permit ACL in route-map seq 10, are all the prefixes allowed in route-map seq 20?

Until I mixed things up it was clear to me; now I want to understand the behaviour of the route-map.

Hello Sathish
I know it can sometimes be difficult to get your head around. I’ll do my best to explain.

Yes, that’s exactly why. Remember that route map statements are applied sequentially. The “permit any” statement of the ACL called in sequence 10 of the route map matches everything. (except for 1.1.1.1/32 which is denied in the previous statement in the ACL) And the route map action is deny. So everything except for 1.1.1.1/32 is denied. The next seq 20 statement permits everything that got through the seq 10 statement. Which is just 1.1.1.1/32.

If you remove that permit statement from the ACL, then the ACL denies everything (including the 1.1.1.1/32 network), and nothing is ever matched in that route map sequence. So everything is allowed. Does that make sense?

I hope this has been helpful!

Laz
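
The ACL and route-map interaction discussed in this thread, as an added example that is not part of the original posts: a small Python model of first-match evaluation that reproduces the `show ip route eigrp` results posted above. The function names and the tuple encoding of ACLs and route-maps are assumptions made for illustration; the model assumes standard ACLs matched against the network address, an implicit deny at the end of both the ACL and the route-map, and that a sequence without a match clause matches everything.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, network):
    """Standard ACL: first matching entry decides; implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False

def route_map_allows(route_map, acls, network):
    """True if the route survives the route-map applied as a route filter."""
    for action, acl_name in route_map:  # sequences in ascending order
        # A sequence with no match clause matches every route.
        if acl_name is None or acl_permits(acls[acl_name], network):
            return action == "permit"  # first matching sequence decides
        # ACL deny or no ACL hit means "not matched": try the next sequence.
    return False  # implicit deny at the end of the route-map

def filter_routes(route_map, acls, routes):
    return [r for r in routes if route_map_allows(route_map, acls, r)]

ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {  # ACLs as posted in the thread
    "R1_L0_DENY": [("deny", "192.168.0.0", "0.0.0.255")],
    "R1_L0_PERMIT": [("permit", "192.168.0.0", "0.0.0.255")],
    "R1": [("deny", "1.1.1.1", "0.0.0.0"), ("permit", *ANY)],
}
# Route-maps as (action, ACL name or None), one tuple per sequence.
TEST_2 = [("permit", "R1_L0_DENY")]
TEST_3 = [("permit", "R1_L0_PERMIT"), ("permit", None)]
TEST_SEQ10 = [("deny", "R1")]
TEST_SEQ10_20 = [("deny", "R1"), ("permit", None)]

# Prefixes advertised in the two labs (network addresses from the outputs).
LAB_A = ["192.168.0.0", "192.168.1.0", "192.168.2.0", "192.168.3.0"]
LAB_B = ["1.1.1.1"] + [f"172.16.{i}.1" for i in range(1, 6)]

if __name__ == "__main__":
    for name, rm, routes in [("TEST_2", TEST_2, LAB_A), ("TEST_3", TEST_3, LAB_A),
                             ("TEST seq 10", TEST_SEQ10, LAB_B),
                             ("TEST seq 10+20", TEST_SEQ10_20, LAB_B)]:
        print(f"{name:15} -> {filter_routes(rm, ACLS, routes)}")
```

Running it lists the routes each route-map lets through, which can be compared line by line with the router outputs in the posts above.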