Route-map - multiple statements with sequence numbers


When you create a [route-map](/route-map) that references an [access list](/acl), it can be confusing what the permit and deny statements within the access list and within the route-map actually do.  To clarify this, let's keep the following in mind.  When you apply a route map that references access lists:

* the access list is used only to **match (or not match) traffic**
* the route map is used **to act upon that traffic**

In other words, an access list in such a situation will not permit or deny anything.  It does not perform that functionality.  It only matches.

For example, take a look at this access list:

```
R2(config)#ip access-list standard R1_DENY
R2(config-std-nacl)#deny 192.168.0.0 0.0.0.255
R2(config-std-nacl)#permit any
```

If used on an interface, this access list would deny all traffic with a source address that falls within the 192.168.0.0/24 subnet, and would permit everything else.

However, if this were to be used in a route-map, then it would act as a parameter that matches traffic.  Anything with a permit statement is matched, anything with a deny statement is not matched.  For this particular access list:

* anything within the range of 192.168.0.0/24 is NOT matched
* anything else IS matched

Now if this access list were to be applied to a route map like so:

```
R2(config)#route-map TEST deny 10
R2(config-route-map)#match ip address R1_DENY
R2(config-route-map)#exit
R2(config)#route-map TEST permit 20
```

... the result is that **whatever is matched** will be denied, and everything else will be permitted.  (Remember if there is no match condition then your statement **matches everything**).

For example, a packet with an address of 172.16.5.5 is being examined by the route map. 

* Putting it through the access list, we see that it is permitted.  This simply means that traffic **has been matched**.
* The route map will now act upon that matched traffic by denying it
* Thus 172.16.5.5 will be denied.


Another example, a packet with an address of 192.168.0.55 is being examined by the route map:

* Putting it through the access list, we see that it is denied.  This simply means that traffic **has NOT been matched**.
* The route map will now act upon that matched traffic by denying it.  But there is no matched traffic so the deny statement is not applied.
* The route map goes on to the next statement 20 which permits everything, so the traffic is permitted.
* Thus 192.168.0.55 will be permitted.

Links:

https://networklessons.com/cisco/ccnp-route/introduction-to-route-maps

https://forum.networklessons.com/t/ospf-lsa-type-5-filtering-on-cisco-ios/1259/25?u=lagapides

https://forum.networklessons.com/t/introduction-to-route-maps/5258/52?u=lagapides



Route-Map and ACL matching

QoS - LLQ applied only outbound

QoS - LLQ bandwidth configuration

QoS - LLQ priority commands

QoS - Nested policy maps

QoS - Policing command syntax

QoS - QoS Groups

QoS - RSVP bandwidth and flow reservations

QoS - Tail Drop

QoS - Using CBWFQ with traffic shaping

QoS - WRED traffic profile thresholds

QoS - applying policies

QoS - auto qos trust

QoS - classification

QoS - effects of bandwidth interface command

QoS - is WRED really a congestion avoidance mechanism

QoS - key and nonkey fields

QoS - marking

QoS CBWFQ traffic allocation when there are empty queues

QoS CoS vs DSCP

QoS Hierarchical Queuing Framework (HQF)

QoS Modular QoS CLI (MQC)

QoS Network Based Application Recognition (NBAR)

QoS RSVP Path message

QoS RSVP Resv message

QoS Resource Reservation Protocol (RSVP)

QoS Traffic Shaping Parameters

QoS hardware queues scheduling

QoS how traffic shaping is achieved

QoS max-reserved-bandwidth

QoS mechanisms kick in only when there is congestion

QoS models

QoS specifying reserved bandwidth for a class belonging to a policy-map

QoS tokens in shaping and policing

QoS traffic policing

QoS traffic shaping

QoS using a shared policer on Nexus devices connected with vPC

REST API security

REST API token-based authentication

RIP - poison reverse

RIP timers

RITE

RSPAN

Rapid Spanning Tree port states

Real-time Transport Protocol

Redistribute static route into EIGRP stub router

Reliable Transport Protocol

Rev Up To Recert

Route-map matching OSPF router ID

Route-map with multiple parameters in one match statement

Route-map without a match statement

Route-map

Routers - what is a loopback interface

Routing -  Difference between IGPs and EGPs

Routing - A Directed Broadcast is only detected by the last router

Routing - Administrative Distance

Routing - Cisco Performance Routing (PfR)

Routing - Distance Vector Routing Protocols

Routing - Distance-vector routing protocol use cases

Routing - Dynamic routing protocols

Routing - How the routing table is populated

Routing - IP event dampening

Routing - Injecting a Static Route

Routing - Link State Routing Protocols

Routing - Link-State vs Distance-Vector routing protocols

Routing - Link-state routing protocol use cases

Routing - OER master and border routers

Routing - PfR MC and BR on same device

Routing - Using Anycast with BGP Multipath

Routing - address-family

Routing - default gateway

Routing - default routing using DHCP

Routing - directed broadcast

Routing - fully specified route

Routing - ip default-network command

Routing - l2transport

Routing - link-local IPv6 next hop address needs exit interface

Routing - network vs redistribute connected commands

Routing - redistribute command

Routing - redistribution and the routing table

Routing - route tagging

Routing - seed metrics

Routing - what is a WAN port

Routing - what is recursive routing

Routing NX-OS passive-interface default

Routing Table

Routing in both directions

Routing what if the administrative distance is the same

Routing

SD-WAN - EVE-NG connection options

SD-WAN - cEdge

SD-WAN - vAnalytics

SD-WAN - vBond

SD-WAN - vEdge full mesh

SD-WAN - vEdge vs cEdge

SD-WAN - vEdge

SD-WAN - vManage

Route-Map and ACL matching

Links to this page: