route-map access-list


Post by Guest » Sun Feb 14, 2010 12:03 am

Hi. Could someone please clarify the answer for me? This is question 3 in chapter 4 of CCNP Route training guide 642-902.

3. R1 has correctly configured EIGRP to filter routes using a route map named question. The configuration that follows shows the entire route map and related configuration. Which of the following is true regarding the filtering action on prefix 10.10.10.0/24 in this case?

route-map question deny 10
 match ip address 1
route-map question permit 20
 match ip address prefix-list fred
!
access-list 1 deny 10.10.10.0 0.0.0.255
ip prefix-list fred permit 10.10.10.0/23 le 25

A. It will be filtered due to the deny action in route map clause 10.
B. It will be allowed because of the double negative two deny references in clause 10.
C. It will be permitted due to matching clause 20's reference to prefix-list fred.
D. It will be filtered due to matching the implied deny all route map clause at the end of the route map.

Answer: C. When used for route filtering, the route map action (permit or deny) defines the filtering action, and any referenced match commands' permit or deny action just defines whether the prefix is matched. By not matching ACL 1 with a permit action, EIGRP does not consider a match to have occurred with clause 10, so it moves to clause 20. The prefix list referenced in clause 20 has a permit action, matching prefixes from 10.10.10.0–10.10.11.255, with prefix lengths from 23–25. Both criteria match the prefix in question, making answer C correct.

My query: Is it not answer A, in fact matching the route exactly, meaning that 10.10.10.0 0.0.0.255 in ACL 1 matches the route to 10.10.10.0/24? Is answer A not correct because traffic for 10.10.10.0 will be discarded by ACL 1 before it can be processed by the route-map? I just cannot get my head around this. Could someone please clarify the explanation as to why C is correct and A is not?

Many thanks


Re:route-map access-list

Post by Guest » Sun Feb 14, 2010 1:05 am

The logic is sometimes difficult to follow in route maps that use deny in the route map statement. I find it helpful to think of them in this way. The route map statement 10 specifies an action to take (in this case deny) when there is a positive result in the match statement. If the result in the access list says yes/permit then the action of the route map statement is taken. But if the result in the access list says no/deny then the action of the route map statement is not taken and the route map goes on to the next step. Since access list 1 has deny 10.10.10.0 the result of the access list is no/deny and the action of route map 10 is not taken and so the route map goes on to statement 20.

HTH

Rick


Re:route-map access-list

Post by Guest » Sun Feb 14, 2010 1:20 am

Thank you Richard for the explanation. I am getting closer to the understanding of the logic behind it. I hope you don't mind if I take advantage of your knowledge and attach another example. The question remains the same, we are still concerned about 10.10.10.0/24. I tried to list all possible scenarios to get a full picture. The 22.22.22.0 0.0.0.255 is basically any random IP not matching 10.10.10.0/24. I hope you understand where I am coming from.

###############
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255
...
route-map question deny 10            Action taken, route filtered out
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255
...
route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255
...
route-map question permit 10            Action taken, route permitted
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255
##################
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255
...
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255
...
route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255
...
route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255
##################

Thank you again Richard for all your effort.


Re:route-map access-list

Post by Guest » Sun Feb 14, 2010 2:30 am

I am putting my responses in line marked with Bold and Italics

###############
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255
Yes this is correct
...
route-map question deny 10            Action taken, route filtered out
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255
Yes this is correct
...
route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255
Yes this is correct
...
route-map question permit 10            Action taken, route permitted
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255
Yes this is correct
##################
In this set of examples the access list never mentions 10.10.10.0. Since there is no permit for 10.10.10.0 this network would not be redistributed in any of the scenarios that you suggest.

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255
Yes this is correct. Note that this has nothing to do with 10.10.10.0
...
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255
Not correct. The match statement returns a value of true and 22.22.22.0 is filtered out. Note that this has no effect on 10.10.10.0
...
route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255
Yes this is correct. Note that this has nothing to do with 10.10.1.0
...
route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255
Not correct. The match statement returns a value of true and 22.22.22.0 is redistributed. Note that this has no effect on 10.10.10.0
##################

HTH

Rick
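The clause-by-clause logic discussed in this thread, as an added example that is not part of any post: a small Python model of how a route map used for route filtering combines its own permit/deny with the permit/deny result of the referenced ACL or prefix list. The function names and the `build` helper are hypothetical; the route map, ACL 1 and prefix-list fred are the ones from the question.

```python
import ipaddress

def acl_permits(acl, route):
    """Standard ACL as a route matcher: test the route's network address
    against each (action, address, wildcard); first hit decides, else implicit deny."""
    addr = int(route.network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False

def prefix_list_permits(plist, route):
    """Prefix list: leading bits must fall in the entry's network and the
    route's length must be in range (exact length when no ge/le is given)."""
    for action, net, ge, le in plist:
        net = ipaddress.ip_network(net)
        lo = ge or net.prefixlen
        hi = le or (32 if ge else net.prefixlen)
        if route.network_address in net and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def route_map(clauses, route):
    """Return (filter action, clause number). A clause acts only when its
    match returns permit; otherwise evaluation falls through to the next one."""
    route = ipaddress.ip_network(route)
    for seq, action, matches in sorted(clauses, key=lambda c: c[0]):
        if matches(route):
            return action, seq
    return "deny", None  # implied deny-all clause at the end

def build(acl_action, acl_addr="10.10.10.0"):
    """The question's route map, with ACL 1's action and address variable."""
    acl1 = [(acl_action, acl_addr, "0.0.0.255")]
    fred = [("permit", "10.10.10.0/23", None, 25)]
    return [(10, "deny", lambda r: acl_permits(acl1, r)),
            (20, "permit", lambda r: prefix_list_permits(fred, r))]

if __name__ == "__main__":
    for acl_action in ("deny", "permit"):
        for route in ("10.10.10.0/24", "22.22.22.0/24"):
            print(acl_action, route, route_map(build(acl_action), route))
```

With ACL 1 as written in the question (deny), 10.10.10.0/24 falls through clause 10 and is permitted by clause 20; changing only the ACL entry to permit makes clause 10 filter it.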


Re:route-map access-list

Post by Guest » Sun Feb 14, 2010 3:56 am

Hi Rick. You really rock. Sorry for the confusion caused with the second half of the examples. I did not formulate the question correctly but anyway, you answered with exactly what I wanted to hear. What I meant was that any of the ACL 1 statements containing only 22.22.22.0 0.0.0.255 would have no effect on 10.10.10.0/24 being filtered or not, solely in this simple scenario. Thanks again for the great explanation and I obviously marked your answers as correct. Now I am back to studying and I might be back with more questions soon.

All the best.

V.
