  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 679

Route-maps and redistribution. Simple scenario question

Hello everyone,
 
my virgin post on EE.. here it is:

I'm trying to understand the following route-map behaviour
I'm doing some redistribution labs and I have the following scenario.
 
(EIGRP 100) R4 ----- R2 ----- R1 (OSPF)
 
R2 sits between EIGRP and OSPF AS.
R4 has the following subnets (loopbacks) with the following requirements when redistributed into OSPF:
 
R4 LOOPBACKS and redistribution (into ospf) requirements
10.4.0.0/24 -- seed 100 - tag 10
10.4.2.0/24 -- seed 200 - tag 20
10.4.4.0/24 -- deny
All other subnets: seed metric 300 - tag 30
 
Where I'm having problems is with the requirement that 10.4.4.0 should be denied from crossing over to OSPF.
 
Here's my configuration for R2
I've configured the following ACLs:
 
access-list 1 permit 10.4.0.0 0.0.0.255
access-list 2 permit 10.4.2.0 0.0.0.255
access-list 3 deny 10.4.4.0 0.0.0.255      <---

put them in a route-map EIGRP-TO-OSPF:
 
route-map EIGRP-TO-OSPF permit 10
 match ip address 1
 set metric 100
 set tag 10
route-map EIGRP-TO-OSPF permit 20
 match ip address 2
 set metric 200
 set tag 20
route-map EIGRP-TO-OSPF permit 30          <-------- permitting because ACL has a DENY statement
 match ip address 3                        <----
route-map EIGRP-TO-OSPF permit 40
 set metric 300                            <--- (no match statement to select all others)
 set tag 30

and then under R2, router ospf 1:

 redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF

So far so good!
 
However, the requirement that route 10.4.4.0 be denied doesn't work! It passes through to R1 and I'm trying to figure out why, since this is an exercise for me to understand route-maps and redistribution.
 

 
The way around to solve it was to change the ACL 3 and route-map to:
 
access-list 3 permit 10.4.4.0 0.0.0.255
route-map EIGRP-TO-OSPF deny 30
 match ip address 3

Essentially, what I've noticed is that with the deny statement in the ACL, 10.4.4.0 passes through and has a tag of 30, so I guess it's caught by the match-all of route-map seq 40. I've tried to rearrange the statement and put it before the last one, but it didn't change anything.
On the other hand, when the deny is at route-map seq 30, then 10.4.4.0 isn't caught by seq 40 and it works as it should... very confusing!
 
So my question is: why does it work when denied at the route-map but not when denied at the ACL?
 
thank you!
Asked by: 128bits

2 Solutions
 
Sandeep Gupta (Consultant) commented:
You have your answer..

The route-map takes priority over the ACLs.
 
rochey2009 commented:
Hi,

You have to define what you're going to match so that it can be permitted or denied by the route-map.

If you deny it in the access-list then it doesn't get matched by route-map entry 30, i.e. it fails the "match ip address 3" test and the process moves on to the next sequence of the route-map, i.e. permit 40.
 
128bits (Author) commented:
So if there's a deny statement in the ACL inside the route-map permit... it's not "permitting" it to be denied by the ACL ?
 
rochey2009 commented:
This is from Cisco:

If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.

If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.

If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.
 
128bits (Author) commented:
The CCNP ROUTE book by Wendell Odom hits the nail on the head and answers all my questions:

The match command can reference an ACL or prefix list, but doing so does introduce the possibility of confusion. The confusing part is that the decision to filter a route or allow the route through is based on the deny or permit in the route-map command, and not the deny or permit in the ACL or prefix list. When referencing an ACL or prefix list from a route map, the ACL or prefix list simply matches all routes permitted by the ACL or prefix list. Routes that are denied by the ACL or prefix list simply do not match that match command's logic, making IOS then consider the next route-map command.

[...]

And once a particular route has been matched and determined to be either filtered (deny) or allowed to pass (permit), even if more route-map commands exist later in the list, IOS stops processing the route-map for that route.
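The two rules quoted above (an ACL deny is a non-match that falls through to the next clause; the first matching clause's own permit/deny decides and stops evaluation) are what make the asker's first attempt leak 10.4.4.0/24 with tag 30. The following is an added example, not code from the question or from Cisco: a small Python model of that evaluation order, with the asker's original ACL/route-map pair and the corrected pair as constructed inputs, plus a constructed 10.4.6.0/24 loopback standing in for "all other subnets". The standard-ACL wildcard test and the implicit deny at the end of an ACL are modelled as on IOS; everything else about the platform is deliberately left out.

```python
"""Model of Cisco IOS route-map evaluation during redistribution (added example,
not the page's own configuration). Shows why a 'deny' inside an ACL referenced by
a route-map permit clause does not filter a route, while a route-map deny does."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Outcome for one route: (redistributed?, metric set, tag set)
Result = Tuple[bool, Optional[int], Optional[int]]


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    network: str     # e.g. "10.4.0.0"
    wildcard: str    # e.g. "0.0.0.255"

    def covers(self, prefix: IPv4Network) -> bool:
        """Standard-ACL test on the route's network address: every bit that is
        0 in the wildcard mask must equal the entry's network bits."""
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(prefix.network_address) & care) == (int(IPv4Address(self.network)) & care)


def acl_permits(acl: List[AclEntry], prefix: IPv4Network) -> bool:
    """First entry that covers the route decides; no covering entry is an implicit deny."""
    for entry in acl:
        if entry.covers(prefix):
            return entry.action == "permit"
    return False


@dataclass
class Clause:
    seq: int
    action: str                       # "permit" or "deny" keyword on the route-map line
    match_acl: Optional[int] = None   # ACL number; None means no match statement (matches all)
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None


def evaluate(route_map: List[Clause], acls: Dict[int, List[AclEntry]], prefix: IPv4Network) -> Result:
    """Walk clauses in sequence order. A clause matches only if its ACL permits
    the route; an ACL deny (or no covering entry) is just a non-match, so the
    next clause is tried. The first matching clause decides via its own
    permit/deny keyword and evaluation stops. Falling off the end is a deny."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if clause.match_acl is not None and not acl_permits(acls[clause.match_acl], prefix):
            continue
        if clause.action == "deny":
            return (False, None, None)
        return (True, clause.set_metric, clause.set_tag)
    return (False, None, None)


# The asker's first attempt: the deny sits inside ACL 3 and clause 30 is a permit.
ACLS_ORIGINAL: Dict[int, List[AclEntry]] = {
    1: [AclEntry("permit", "10.4.0.0", "0.0.0.255")],
    2: [AclEntry("permit", "10.4.2.0", "0.0.0.255")],
    3: [AclEntry("deny", "10.4.4.0", "0.0.0.255")],
}
ROUTE_MAP_ORIGINAL = [
    Clause(10, "permit", match_acl=1, set_metric=100, set_tag=10),
    Clause(20, "permit", match_acl=2, set_metric=200, set_tag=20),
    Clause(30, "permit", match_acl=3),
    Clause(40, "permit", set_metric=300, set_tag=30),
]

# The working version: ACL 3 permits (i.e. matches) the prefix and the clause denies it.
ACLS_FIXED = {**ACLS_ORIGINAL, 3: [AclEntry("permit", "10.4.4.0", "0.0.0.255")]}
ROUTE_MAP_FIXED = [
    Clause(10, "permit", match_acl=1, set_metric=100, set_tag=10),
    Clause(20, "permit", match_acl=2, set_metric=200, set_tag=20),
    Clause(30, "deny", match_acl=3),
    Clause(40, "permit", set_metric=300, set_tag=30),
]

# Constructed sample of R4 loopbacks; 10.4.6.0/24 stands in for "all other subnets".
R4_LOOPBACKS = ["10.4.0.0/24", "10.4.2.0/24", "10.4.4.0/24", "10.4.6.0/24"]


def redistribute(route_map: List[Clause], acls: Dict[int, List[AclEntry]]) -> Dict[str, Result]:
    """Run every sample loopback through the route-map and collect the outcomes."""
    return {p: evaluate(route_map, acls, IPv4Network(p)) for p in R4_LOOPBACKS}


if __name__ == "__main__":
    for label, rm, acl in (("deny in ACL", ROUTE_MAP_ORIGINAL, ACLS_ORIGINAL),
                           ("deny in route-map", ROUTE_MAP_FIXED, ACLS_FIXED)):
        print(label)
        for prefix, (ok, metric, tag) in redistribute(rm, acl).items():
            print(f"  {prefix:<14} {'redistributed' if ok else 'filtered':<14} metric={metric} tag={tag}")
```

With the original pair, 10.4.4.0/24 fails the ACL 3 test at clause 30, is never "decided" there, and lands on the match-all clause 40 with metric 300 and tag 30, which is exactly the tag the asker saw on R1. Moving the deny-ACL clause earlier in the sequence changes nothing, because a non-match is a non-match wherever it sits. With the corrected pair, ACL 3 permits the prefix so clause 30 matches, and the clause's own deny keyword filters the route before clause 40 is reached.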
 
128bits (Author) commented:
Most elaborate answer quoting formal reference.