Solved

Route-maps and redistribution. Simple scenario question

Posted on 2013-01-11
633 Views
Last Modified: 2013-01-20
Hello everyone,
 
My virgin post on EE... here it is:

I'm trying to understand the following route-map behaviour. I'm doing some redistribution labs and I have the following scenario.
 
{ (EIGRP 100) R4 ----- [ R2 } ------ R1 (OSPF) ]
 
R2 sits between the EIGRP and OSPF ASes.
R4 has the following subnets (loopbacks), with the following requirements when redistributed into OSPF:
 
R4 LOOPBACKS and redistribution (into ospf) requirements
10.4.0.0/24 -- seed 100 - tag 10
10.4.2.0/24 -- seed 200 - tag 20
10.4.4.0/24 -- deny
All other subnets: seed metric 300 - tag 30
 
Where I'm having problems is with the requirement that 10.4.4.0 should be denied from crossing over to OSPF.
 
Here's my configuration for R2.
I've configured the following ACLs:
 
access-list 1 permit 10.4.0.0 0.0.0.255
access-list 2 permit 10.4.2.0 0.0.0.255
access-list 3 deny 10.4.4.0 0.0.0.255     <--- 

and put them in a route-map, EIGRP-TO-OSPF:
 
route-map EIGRP-TO-OSPF permit 10
match ip address 1
set metric 100
set tag 10
route-map EIGRP-TO-OSPF permit 20
match ip address 2
set metric 200
set tag 20
route-map EIGRP-TO-OSPF permit 30     <-------- permitting because ACL has a DENY statement
match ip address 3                    <----
route-map EIGRP-TO-OSPF permit 40
set metric 300                        <--- (no match statement to select all others)
set tag 30

and then under R2, router ospf 1:
redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF

So far so good!
 
However, the requirement for route 10.4.4.0 to be denied doesn't work! It passes through to R1, and I'm trying to figure out why, since this is an exercise for me to understand route-maps and redistribution.

The way I got around it was to change ACL 3 and the route-map to:
 
access-list 3 permit 10.4.4.0 0.0.0.255
route-map EIGRP-TO-OSPF deny 30
match ip address 3

Essentially, what I've noticed is that with the deny statement in the ACL, 10.4.4.0 passes through and has a tag of 30, so I guess it's caught by the match-all of route-map seq 40. I've tried to rearrange the statements and put it before the last one, but it didn't change anything.
On the other hand, when the deny is at route-map seq 30, 10.4.4.0 isn't caught by seq 40 and it works as it should... very confusing!

So my question is: why does it work when denied at the route-map but not when denied at the ACL?
 
thank you!
Question by:128bits
6 Comments
 
Expert Comment

by:Sandeep Gupta
ID: 38766305
You have your answer...

The route-map takes priority over the ACLs.
 
Assisted Solution

by:rochey2009
ID: 38769001
Hi,

You have to define what you're going to match so that it can be permitted or denied by the route-map.

If you deny it in the access-list, then it doesn't get matched by route-map entry 30, i.e. it fails the "match ip address 3" test and the process moves on to the next sequence of the route-map, i.e. permit 40.
 

Author Comment

by:128bits
ID: 38769018
So if there's a deny statement in the ACL inside the route-map permit... it's not "permitting" it to be denied by the ACL?
 
Expert Comment

by:rochey2009
ID: 38769062
This is from Cisco:

If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.

If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.

If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.
 

Accepted Solution

by:128bits
ID: 38781123
The CCNP ROUTE book from Wendell Odom hits the nail on the head and answers all my questions:

The match command can reference an ACL or prefix list, but doing so does introduce the possibility of confusion. The confusing part is that the decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list. When referencing an ACL or prefix list from a route map, the ACL or prefix list simply matches all routes permitted by the ACL or prefix list. Routes that are denied by the ACL or prefix list simply do not match that match command's logic, making IOS then consider the next route-map command.

[...]

And once a particular route has been matched and determined to be either filtered (deny) or allowed to pass (permit), even if more route-map commands exist later in the list, IOS stops processing the route-map for that route.
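The two rules quoted above (an ACL deny is "no match, try the next sequence", a route-map deny is "filter and stop") are enough to reproduce exactly what the original poster saw. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of IOS route-map evaluation that is fed the two configurations posted in the question. The Acl, Seq and route_map names are the example's own; a standard ACL entry with wildcard 0.0.0.255 is modelled as a /24 network, and both the ACL and the route-map carry the implicit deny IOS applies at the end of each list.

```python
"""Model of IOS route-map + standard-ACL evaluation during redistribution.

Semantics follow the Cisco and Odom text quoted in this thread:
  * an ACL deny (explicit or implicit) means the route-map clause does NOT
    match, so IOS moves on to the next sequence number;
  * once a clause matches, its own permit/deny decides and processing stops;
  * a route-map ends with an implicit deny.
Acl / Seq / route_map are this example's own names, not IOS syntax.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Acl:
    """Standard ACL: first match wins, implicit deny at the end.

    Entries are (action, "net/len"); wildcard 0.0.0.255 is modelled as /24.
    """
    entries: List[Tuple[str, str]]

    def test(self, prefix: str) -> str:
        route = ipaddress.ip_network(prefix)
        for action, net in self.entries:
            if route.network_address in ipaddress.ip_network(net):
                return action
        return "deny"  # implicit deny


@dataclass
class Seq:
    """One route-map sequence: permit/deny, optional match, set values."""
    action: str
    match_acl: Optional[int] = None  # None: no match statement -> matches every route
    sets: Dict[str, int] = field(default_factory=dict)


def route_map(seqs: List[Seq], acls: Dict[int, Acl], prefix: str) -> Optional[Dict[str, int]]:
    """Return the set values applied to the route, or None if it is filtered."""
    for seq in seqs:
        if seq.match_acl is not None and acls[seq.match_acl].test(prefix) != "permit":
            # ACL denied the route: this clause simply does not match.
            # The route is NOT filtered here; IOS evaluates the next sequence.
            continue
        # Clause matched: the clause's permit/deny is final for this route.
        return None if seq.action == "deny" else dict(seq.sets)
    return None  # implicit deny at the end of the route-map


# Constructed from the configuration posted in the question (first attempt).
ORIGINAL_ACLS = {
    1: Acl([("permit", "10.4.0.0/24")]),
    2: Acl([("permit", "10.4.2.0/24")]),
    3: Acl([("deny", "10.4.4.0/24")]),      # deny placed in the ACL
}
ORIGINAL_MAP = [
    Seq("permit", 1, {"metric": 100, "tag": 10}),
    Seq("permit", 2, {"metric": 200, "tag": 20}),
    Seq("permit", 3),                        # permit clause referencing an all-deny ACL
    Seq("permit", None, {"metric": 300, "tag": 30}),
]

# The working version from the question: ACL permits, route-map seq 30 denies.
FIXED_ACLS = {**ORIGINAL_ACLS, 3: Acl([("permit", "10.4.4.0/24")])}
FIXED_MAP = [
    ORIGINAL_MAP[0],
    ORIGINAL_MAP[1],
    Seq("deny", 3),                          # deny now lives in the route-map clause
    ORIGINAL_MAP[3],
]


def evaluate_original(prefix: str) -> Optional[Dict[str, int]]:
    return route_map(ORIGINAL_MAP, ORIGINAL_ACLS, prefix)


def evaluate_fixed(prefix: str) -> Optional[Dict[str, int]]:
    return route_map(FIXED_MAP, FIXED_ACLS, prefix)


if __name__ == "__main__":
    for p in ("10.4.0.0/24", "10.4.2.0/24", "10.4.4.0/24", "10.4.6.0/24"):
        print(f"{p}: original={evaluate_original(p)}  fixed={evaluate_fixed(p)}")
```

Running it shows 10.4.4.0/24 under the original configuration falling past seq 30 (ACL 3 denies, so the clause does not match) and landing in the match-all seq 40 with metric 300 and tag 30, which is the tag the poster observed on R1; under the fixed configuration the same prefix matches the permit in ACL 3, hits the route-map deny at seq 30 and returns None (filtered), while the other loopbacks keep their intended metric and tag.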
 

Author Closing Comment

by:128bits
ID: 38798124
Most elaborate answer, quoting a formal reference.
