Solved

Route-maps and redistribution. Simple scenario question

Posted on 2013-01-11
Last Modified: 2013-01-20
Hello everyone,
 
My virgin post on EE... here it is:

I'm trying to understand the following route-map behaviour.
I'm doing some redistribution labs and I have the following scenario.
 
{ (EIGRP 100) R4 ----- [ R2 } ------ R1 (OSPF) ]
 
R2 sits between EIGRP and OSPF AS.
R4 has the following subnets (loopbacks) with the following requirements when redistributed into OSPF:
 
R4 LOOPBACKS and redistribution (into ospf) requirements
10.4.0.0/24 -- seed 100 - tag 10
10.4.2.0/24 -- seed 200 - tag 20
10.4.4.0/24 -- deny
All other subnets: seed metric 300 - tag 30
 
Where I'm having problems is with the requirement that 10.4.4.0 should be denied from crossing over to OSPF.
 
Here's my configuration for R2
I've configured the following ACLs:
 
access-list 1 permit 10.4.0.0 0.0.0.255
access-list 2 permit 10.4.2.0 0.0.0.255
access-list 3 deny 10.4.4.0 0.0.0.255   <---


Put them in a route-map EIGRP-TO-OSPF:
 
route-map EIGRP-TO-OSPF permit 10
match ip address 1
set metric 100
set tag 10
route-map EIGRP-TO-OSPF permit 20
match ip address 2
set metric 200
set tag 20
route-map EIGRP-TO-OSPF permit 30   <-------- permitting because ACL has a DENY statement
match ip address 3   <----
route-map EIGRP-TO-OSPF permit 40
set metric 300   <--- (no match statement to select all others)
set tag 30


And then under R2, router ospf 1:
redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF


So far so good!
 
However, the requirement for route 10.4.4.0 to be denied doesn't work! It passes through to R1 and I'm trying to figure out why, since this is an exercise for me to understand route-maps and redistribution.
 

 
The way around to solve it was to change the ACL 3 and route-map to:
 
access-list 3 permit 10.4.4.0 0.0.0.255
route-map EIGRP-TO-OSPF deny 30
match ip address 3


Essentially, what I've noticed is that with the deny statement in the ACL, 10.4.4.0 passes through and has a tag of 30, so I guess it's caught by the match-all of the route-map seq 40. I've tried to rearrange the statement and put it before last but it didn't change anything.
On the other hand when the deny is at the route map seq 30, then 10.4.4.0 isn't caught by the seq 40 and works as it should... very confusing!
 
So my question is: why does it work when denied at the route map but not when denied at the ACL?
 
Thank you!
Question by:128bits
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38766305
You have your answer..

route-map took over priority over ACLs.
0
 
LVL 17

Assisted Solution

by:rochey2009
rochey2009 earned 230 total points
ID: 38769001
Hi,

You have to define what you're going to match so that it can be permitted or denied by the route-map.

If you deny it in the access-list then it doesn't get matched by the route-map entry 30 i.e. it fails the "match ip address 3" test and the process moves onto the next sequence of the route-map i.e. permit 40.
0
 

Author Comment

by:128bits
ID: 38769018
So if there's a deny statement in the ACL inside the route-map permit... it's not "permitting" it to be denied by the ACL ?
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 38769062
This is from Cisco:

If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.

If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.

If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.
0
 

Accepted Solution

by:
128bits earned 0 total points
ID: 38781123
The CCNP ROUTE book from Wendell Odom nails it on the head and answers all my questions:

The match command can reference an ACL or prefix list, but doing so does introduce the possibility of confusion. The confusing part is that the decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list. When referencing an ACL or prefix list from a route map, the ACL or prefix list simply matches all routes permitted by the ACL or prefix list. Routes that are denied by the ACL or prefix list simply do not match that match command’s logic, making IOS then consider the next route-map command.

[...]

And once a particular route has been matched and determined to be either filtered (deny) or allowed to pass (permit), even if more route-map commands exist later in the list, IOS stops processing the route-map for that route.
0
 

Author Closing Comment

by:128bits
ID: 38798124
Most elaborate answer quoting formal reference.
0
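
Added example (not part of the thread and not Cisco code): a small Python model of the evaluation rule quoted in the accepted solution, run against the poster's original and corrected R2 configurations. It models only standard-ACL matching on the route's network address and the route-map permit/deny/fall-through logic; the route 10.4.6.0/24 is a constructed stand-in for "all other subnets".

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL: first entry covering the route's network address decides."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, net, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(net)) & care:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def redistribute(route_map, acls, prefix):
    """Return the clause's set values if the route passes, None if filtered."""
    for seq, action, acl_id, sets in sorted(route_map, key=lambda c: c[0]):
        # An ACL "deny" only means "this clause does not match": fall through.
        if acl_id is None or acl_permits(acls[acl_id], prefix):
            # First matching clause decides; later clauses are never evaluated.
            return dict(sets) if action == "permit" else None
    return None  # implicit deny at the end of the route-map

# R2 configuration as first posted (ACL 3 denies, clause 30 permits).
ACLS_ORIGINAL = {
    1: [("permit", "10.4.0.0", "0.0.0.255")],
    2: [("permit", "10.4.2.0", "0.0.0.255")],
    3: [("deny", "10.4.4.0", "0.0.0.255")],
}
MAP_ORIGINAL = [
    (10, "permit", 1, {"metric": 100, "tag": 10}),
    (20, "permit", 2, {"metric": 200, "tag": 20}),
    (30, "permit", 3, {}),
    (40, "permit", None, {"metric": 300, "tag": 30}),  # no match: all routes
]
# Corrected configuration from the question (ACL 3 permits, clause 30 denies).
ACLS_FIXED = {**ACLS_ORIGINAL, 3: [("permit", "10.4.4.0", "0.0.0.255")]}
MAP_FIXED = [(30, "deny", 3, {}) if c[0] == 30 else c for c in MAP_ORIGINAL]

# 10.4.6.0/24 is a constructed route standing in for "all other subnets".
ROUTES = ["10.4.0.0/24", "10.4.2.0/24", "10.4.4.0/24", "10.4.6.0/24"]

def run(route_map, acls):
    return {r: redistribute(route_map, acls, r) for r in ROUTES}

if __name__ == "__main__":
    for name, rm, acls in (("original", MAP_ORIGINAL, ACLS_ORIGINAL),
                           ("fixed", MAP_FIXED, ACLS_FIXED)):
        for route, result in run(rm, acls).items():
            print(name, route, result if result is not None else "filtered")
```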
