Combining Route-Map and ACL on Cisco Devices – Best Practices

aclciscoroute-map

Consider the following:

Scenario 1 (route-map PERMIT and ACL permit):

router(config)#route-map boston permit 1
router(config-route-map)#match ip address 5
router(config-route-map)#set community 120
router(config)#access-list 5 permit 10.5.1.121 0.0.0.255

Scenario 2 (route-map PERMIT and ACL deny):

router(config)#route-map boston permit 1
router(config-route-map)#match ip address 5
router(config-route-map)#set community 120
router(config)#access-list 5 deny 10.5.1.121 0.0.0.255

Scenario 3 (route-map DENY and ACL permit):

router(config)#route-map boston deny 1
router(config-route-map)#match ip address 5
router(config-route-map)#set community 120
router(config)#access-list 5 permit 10.5.1.121 0.0.0.255

Scenario 4 (route-map DENY and ACL DENY):

router(config)#route-map boston deny 1
router(config-route-map)#match ip address 5
router(config-route-map)#set community 120
router(config)#access-list 5 deny 10.5.1.121 0.0.0.255

Q: What is the difference in the four scenarios? Please clarify. For ease of understanding, is there some kind of truth table that we can construct?

Can the following truth table be applied universally?

Route-map(permit), ACL(permit)—->DO THE TASK

Route-map(permit), ACL(deny)—->DON'T DO THE TASK

Route-map(deny), ACL(permit)—->DON'T DO THE TASK

Route-map(deny), ACL(deny)—->DON'T DO THE TASK

Best Answer

Scenario 1: Will set the community to 120 for 10.5.1.0/24
Scenario 2: Will not set the community to 120 for any route
Scenario 3: Will not set the community to 120 for any route
Scenario 4: Will not set the community to 120 for any route

There is an implicit deny in the route-map statement. So if permit 1's match clause in Scenario 2 doesn't match because of the deny statement in the ACL, then the rest of the networks would not be matched either.

Consider this additional scenario:

router(config)#route-map boston permit 10
router(config-route-map)#match ip address 5
router(config-route-map)#set community 120
router(config)#access-list 5 deny 10.5.1.121 0.0.0.255
router(config)#route-map boston permit 20

In this scenario, you would be saying set the community to 120 for any route that's NOT 10.5.1.0/24.

Related Solutions

Cisco – Why does Cisco ios save and display access list entries out of order

From the Cisco documentation:

The major difference in a standard access list is that the Cisco IOS adds an entry by descending order of the IP address, not on a sequence number.

You can read more here.

Cisco – route tags and policy routing alternatives – traffic engineering question

I am not 100% sure whether tags are carried in BGP updates but here is what I put together pretty quick:

enter image description here

Router "Static":

interface Loopback0
 ip address 172.16.1.1 255.255.255.0
!
interface Loopback1
 ip address 172.16.2.1 255.255.255.0

interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.0
 half-duplex

ip route 0.0.0.0 0.0.0.0 172.16.0.2

Router R1:

interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.252
 half-duplex

interface Ethernet0/1
 ip address 172.16.0.2 255.255.255.0
 half-duplex

ip route 172.16.1.0 255.255.255.0 172.16.0.1 tag 20
ip route 172.16.2.0 255.255.255.0 172.16.0.1 tag 20

router eigrp 100
 redistribute static route-map MyRouteMap
 network 10.0.0.0 0.0.0.3
 no auto-summary

route-map MyRouteMap permit 10
 match tag 20

Router R2:

interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.252
 half-duplex

interface Ethernet0/1
 ip address 10.0.0.5 255.255.255.252
 half-duplex

router eigrp 100
 network 10.0.0.0 0.0.0.3
 no auto-summary

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 redistribute eigrp 100 route-map MyRouteMap
 neighbor 10.0.0.6 remote-as 65000
 neighbor 10.0.0.6 next-hop-self
 no auto-summary

route-map MyRouteMap permit 10
 match tag 20

R2#show ip route 172.16.1.0
Routing entry for 172.16.1.0/24
  Known via "eigrp 100", distance 170, metric 307200
  Tag 20, type external

Router R3:

interface Ethernet0/1
 ip address 10.0.0.6 255.255.255.252
 half-duplex

router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.0.5 remote-as 65000
 no auto-summary

R3#show ip bgp 172.16.1.0
BGP routing table entry for 172.16.1.0/24, version 3
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  Local
    10.0.0.5 from 10.0.0.5 (10.0.0.2)
      Origin incomplete, metric 307200, localpref 100, valid, internal, best

I hope this is what you were asking for.

Best Answer

Related Solutions

Cisco – Why does Cisco ios save and display access list entries out of order

Cisco – route tags and policy routing alternatives – traffic engineering question

Related Topic