Cisco Route-Map Multiple ACL Match (Logical AND)

Tags: access-control-list, cisco, routing

I'm having difficulty configuring a route-map with multiple matches in an AND operation.
The issue is that both match criteria are against ACLs, but different ACLs.

What I want to do is:

route-map TEST permit 10
  match ip address 100
  match ip address 110
  set vrf TESTVRF

I was expecting the above to be an AND operation for the match requirement.

However, when I issue show run, it becomes:

route-map TEST permit 10
  match ip address 100 110
  set vrf TESTVRF

which is an OR operation by Cisco syntax.

The question is, how can I do a multiple-ACL match in an AND operation for a route-map?
Thanks.

Best Answer

The easiest way, in my opinion, is to set up an access-list with all the matches you need and put that in the route-map.

EDIT

Disclaimer: I'm just guessing here.

You can try this, assuming access-list 100 for sources and access-list 110 for destinations:

Here you revert the logic of the access-lists:

! Extended ACLs take wildcard (inverse) masks: 0.0.0.255 covers a /24
access-list 100 deny ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip any any

access-list 110 deny ip any 192.168.0.0 0.0.0.255
access-list 110 permit ip any any

and then use deny on your route-map (so if the access-list permits, then the rule fails):

route-map TEST deny 10
   match ip address 100
route-map TEST deny 20
   match ip address 110
route-map TEST permit 30
   set vrf TESTVRF

The logic behind this is:

if source_address is not 10.0.0.0/24 {
    fail
} else {
    if destination_address is not 192.168.0.0/24 {
        fail
    } else {
        set vrf TESTVRF
    }
}

Basically, it first checks if the source is permitted (via access-list 100); if permitted, it then checks if the destination is permitted (access-list 110); at last, if BOTH are permitted, it sets the VRF.

Then you can easily permit N different source networks in access-list 100 and M different destination networks in access-list 110.
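
The difference between the two route-maps can be checked offline with a small model. This is an added example, not part of the original question or answer: it is a simplified Python model of first-match ACL and route-map clause evaluation, not IOS code, and the "straight" ACL contents for the question's form, the function names and the sample packets are assumptions.

```python
from ipaddress import ip_address, ip_network

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, src_net, dst_net in acl:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return False

def policy_routed(clauses, acls, src, dst):
    """True if a permit clause matches (the set action applies), False if the
    packet is forwarded normally. ACLs listed in one match line are ORed; a
    clause with no match line matches every packet."""
    for action, acl_ids in clauses:
        if not acl_ids or any(acl_permits(acls[n], src, dst) for n in acl_ids):
            return action == "permit"
    return False  # fell off the end of the route-map

ANY, SRC, DST = "0.0.0.0/0", "10.0.0.0/24", "192.168.0.0/24"

# Assumed "straight" ACLs for the question's form: match ip address 100 110
STRAIGHT = {100: [("permit", SRC, ANY)], 110: [("permit", ANY, DST)]}
OR_MAP = [("permit", [100, 110])]

# Inverted ACLs and deny/deny/permit clauses from the answer
INVERTED = {100: [("deny", SRC, ANY), ("permit", ANY, ANY)],
            110: [("deny", ANY, DST), ("permit", ANY, ANY)]}
AND_MAP = [("deny", [100]), ("deny", [110]), ("permit", [])]

# Constructed packets: both match, source only, destination only, neither
PACKETS = [("10.0.0.5", "192.168.0.9"), ("10.0.0.5", "172.16.1.1"),
           ("172.16.5.5", "192.168.0.9"), ("172.16.5.5", "172.16.1.1")]

def truth_table(clauses, acls):
    """Policy-routing decision for each constructed packet, in PACKETS order."""
    return [policy_routed(clauses, acls, s, d) for s, d in PACKETS]

if __name__ == "__main__":
    print("match ip address 100 110:", truth_table(OR_MAP, STRAIGHT))
    print("deny 10 / deny 20 / permit 30:", truth_table(AND_MAP, INVERTED))
```

With the OR form, a packet that satisfies only one of the two ACLs is still placed into TESTVRF; with the deny/deny/permit form, only the packet that satisfies both is.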