Route Maps: How Permit and Deny Filter Networks

When defining a route map statement, it can be of either permit or deny type. What is the difference? How does it influence the match statements inside the route map? I have a lab for you.

Keep it simple. Connect two routers to each other and create five loopbacks on R1. Turn on OSPF between R1 and R2 and redistribute all connected routes (the loopbacks). Apply route map REDIS to this redistribution.

R1:

hostname R1
!
interface Loopback1
 ip address 10.1.1.1 255.255.0.0
!
interface Loopback2
 ip address 10.2.2.2 255.255.0.0
!
interface Loopback3
 ip address 10.3.3.3 255.255.0.0
!
interface Loopback4
 ip address 10.4.4.4 255.255.0.0
!
interface Loopback5
 ip address 10.5.5.5 255.255.0.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 redistribute connected subnets route-map REDIS
 network 192.168.12.1 0.0.0.0 area 0

R2:

hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router ospf 1
 network 192.168.12.2 0.0.0.0 area 0

Which routes do I learn?

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0

None is the answer. Why? I am redistributing everything. Well yes, but we have applied a route map, and that route map does not exist. A non-existent route map behaves as deny all. In our case, none of the routes are redistributed.

Permit 10

Create the first route map statement. It is of permit type and contains one match statement: match ACL 1, and the ACL has a permit for loopback 1. It is a permit / permit combination.

access-list 1 permit 10.1.0.0 0.0.255.255
route-map REDIS permit 10
 match ip address 1

R2 will show us how it works.

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/16 is subnetted, 1 subnets
O E2    10.1.0.0 [110/20] via 192.168.12.1, 00:00:26, FastEthernet0/0

Good, loopback 1 is permitted, no surprise there. The route map statement itself is of permit type and the ACL has a permit statement as well.

Permit 20

Add another statement. Again, the route map statement is of permit type. It has one match for ACL 2. However, the ACL has a deny statement for loopback 2. And BTW, all ACLs have an invisible deny any statement at the end, so this whole ACL behaves like deny any, regardless of that deny statement for loopback 2.

access-list 2 deny   10.2.0.0 0.0.255.255
route-map REDIS permit 20
 match ip address 2

Result?

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/16 is subnetted, 1 subnets
O E2    10.1.0.0 [110/20] via 192.168.12.1, 00:01:16, FastEthernet0/0

Loopback 2 is not redistributed. Now the question is, is it possible to redistribute anything else? I mean, the ACL matched all routes (with deny) and nothing was redistributed. Route maps follow the first match rule and we have matched everything right now. The question is, are all routes denied from being redistributed, or are they just filtered for this particular permit 20 statement? Meaning, can they be matched again later on in the route map? This was the permit / deny combination.

Deny 30

Create the deny / permit combination. The route map statement is of deny type and the ACL inside the match has a permit for loopback 3. What will happen?

access-list 3 permit 10.3.0.0 0.0.255.255
route-map REDIS deny 30
 match ip address 3

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/16 is subnetted, 1 subnets
O E2    10.1.0.0 [110/20] via 192.168.12.1, 00:01:49, FastEthernet0/0

Seems like nothing changed. No additional route is permitted. Is it because sequence 20 has denied everything, or is it because of this particular deny / permit combination?

Deny 40

The deny / deny combination follows. I think you know what will happen.

access-list 4 deny   10.4.0.0 0.0.255.255
route-map REDIS deny 40
 match ip address 4

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/16 is subnetted, 1 subnets
O E2    10.1.0.0 [110/20] via 192.168.12.1, 00:02:23, FastEthernet0/0

Nothing new is redistributed.

Answer the Questions

Again, are those routes just filtered and can still be redistributed, or were they denied in sequence 20 already? Add sequence 50 with a permit statement and no match inside. If you match nothing, you match everything (match any). Add a set command so we can easily distinguish routes matched against this sequence: everything matched against sequence 50 will be redistributed as an OSPF E1 route.

route-map REDIS permit 50
 set metric-type type-1

And this is what we get:

R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/16 is subnetted, 4 subnets
O E1    10.2.0.0 [110/21] via 192.168.12.1, 00:00:00, FastEthernet0/0
O E2    10.1.0.0 [110/20] via 192.168.12.1, 00:03:14, FastEthernet0/0
O E1    10.4.0.0 [110/21] via 192.168.12.1, 00:00:00, FastEthernet0/0
O E1    10.5.0.0 [110/21] via 192.168.12.1, 00:00:00, FastEthernet0/0

Suddenly, everything except loopback 3 is redistributed. Let's step back and think about what happened.

  • Seq 10 – permit / permit – matched loopback 1 and allowed it. We see it as an OSPF E2 route.
  • Seq 20 – permit / deny – matched loopback 2 and everything else (except loopback 1, as it was permitted already – first match rule). The routes were just filtered, meaning they were not redistributed here, but if they are matched later on in the route map, they can still be permitted. If they are not matched, the implicit deny any at the end of the route map applies and none of them is permitted.
  • Seq 30 – deny / permit – matched loopback 3. Loopback 3 was matched because of the permit in the ACL. Because the route map statement is deny, it is not redistributed. If the combination is permit / permit, it is redistributed. If the combination is deny / permit, it is matched and denied. The ACL says "redistribute", but the route map deny says "don't". Together they form the sentence "don't redistribute" = "deny / permit".
  • Seq 40 – deny / deny – matched loopback 4 and everything not matched previously (loopbacks 2 and 5). The ACL is deny, so it says: "filter it, do not redistribute it, but also don't throw it away. Just do not consider it in this sequence 40; you can consider it later on, if any other sequences are present." The route map statement just says that everything positively matching (any permit in the ACL) will not be redistributed. As everything hits a deny in the ACL, nothing is matched and nothing is prohibited from being redistributed.
  • Seq 50 – permit / nothing – matches everything. Loopback 1 was matched against seq 10. Loopback 2 was filtered twice already, but it was never permitted or denied from redistribution, so it matches this sequence. Loopback 3 matched seq 30 and was denied from redistribution. It can never be redistributed again within this route map, so it does not match this sequence. Loopback 4 was filtered twice, but it was never prohibited from being redistributed nor redistributed. And loopback 5 was matched twice already, the same as loopbacks 2 and 4.

A very important lesson here. If the route map statement is of permit type and you positively match something, in my case within the ACL, it is permitted (first match rule), and in my case that means redistribution. If the combination is deny / permit, it is matched and prohibited from being redistributed, and it will never be matched again within the route map. If the ACL is denying something, it doesn't matter whether the route map statement is of permit or deny type; it is just filtered for that particular sequence, meaning it can be matched later on within the route map. That happened to loopbacks 2, 4 and 5 in sequences 20 and 40. They were matched again in sequence 50, where they were finally permitted to be redistributed.
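To make the evaluation order concrete, here is a small Python model of the rules worked out above. It is an added illustration, not IOS code or anything from the original post: a standard ACL only "matches" on a permit entry, a route map sequence is taken on first match, the sequence's permit/deny type decides the verdict, and the implicit deny any at the end catches whatever never matched. The prefixes, ACLs and route map are the ones from this lab.

```python
from ipaddress import IPv4Address

# Constructed to mirror the lab: the five loopback networks being redistributed.
ROUTES = ["10.1.0.0", "10.2.0.0", "10.3.0.0", "10.4.0.0", "10.5.0.0"]

# Standard ACLs as (action, address, wildcard). Each ends with an implicit deny any.
ACLS = {
    1: [("permit", "10.1.0.0", "0.0.255.255")],
    2: [("deny",   "10.2.0.0", "0.0.255.255")],
    3: [("permit", "10.3.0.0", "0.0.255.255")],
    4: [("deny",   "10.4.0.0", "0.0.255.255")],
}

# Route map REDIS as (seq, type, acl number or None, set metric-type or None).
REDIS = [
    (10, "permit", 1, None),
    (20, "permit", 2, None),
    (30, "deny", 3, None),
    (40, "deny", 4, None),
    (50, "permit", None, "type-1"),  # no match clause = match any
]

def acl_permits(acl, prefix):
    """Wildcard-mask lookup. Only a permit entry counts as a match; an explicit
    deny or the implicit deny any at the end both mean 'not matched here'."""
    target = int(IPv4Address(prefix))
    for action, addr, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must agree
        if (target ^ int(IPv4Address(addr))) & care == 0:
            return action == "permit"
    return False

def evaluate(route_map, acls, prefix):
    """First-match walk. Returns (seq, verdict, metric_type): the sequence that
    decided the prefix, 'permit' or 'deny', and E2 unless a set changed it."""
    for seq, rm_type, acl_id, metric_type in route_map:
        if acl_id is None or acl_permits(acls[acl_id], prefix):
            if rm_type == "permit":
                return seq, "permit", metric_type or "type-2"
            return seq, "deny", None  # deny / permit: never considered again
    return None, "implicit-deny", None  # fell off the end of the route map

def redistributed(route_map, acls=ACLS, routes=ROUTES):
    """Verdict per prefix; compare with R2's routing table in the post."""
    return {p: evaluate(route_map, acls, p) for p in routes}

if __name__ == "__main__":
    for stage, rmap in (("seq 10-40", REDIS[:4]), ("seq 10-50", REDIS)):
        print(stage, redistributed(rmap))
```

Running it prints one dictionary per stage: with sequences 10 to 40 only loopback 1 gets through, and with sequence 50 added everything except 10.3.0.0 (denied in seq 30) is permitted, matching the two routing tables above.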

And don't forget, there is a deny any policy at the end of every route map. That is why we never saw anything besides loopback 1. Do the lab again on your own with sequence 50 in place the whole time. Here are the final configs:

R1:

hostname R1
!
interface Loopback1
 ip address 10.1.1.1 255.255.0.0
!
interface Loopback2
 ip address 10.2.2.2 255.255.0.0
!
interface Loopback3
 ip address 10.3.3.3 255.255.0.0
!
interface Loopback4
 ip address 10.4.4.4 255.255.0.0
!
interface Loopback5
 ip address 10.5.5.5 255.255.0.0
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 redistribute connected subnets route-map REDIS
 network 192.168.12.1 0.0.0.0 area 0
!
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 2 deny   10.2.0.0 0.0.255.255
access-list 3 permit 10.3.0.0 0.0.255.255
access-list 4 deny   10.4.0.0 0.0.255.255
route-map REDIS permit 10
 match ip address 1
!
route-map REDIS permit 20
 match ip address 2
!
route-map REDIS deny 30
 match ip address 3
!
route-map REDIS deny 40
 match ip address 4
!
route-map REDIS permit 50
 set metric-type type-1

R2:

hostname R2
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
router ospf 1
 network 192.168.12.2 0.0.0.0 area 0

Try replacing the ACLs with other match statements. Is there any difference in behaviour?
