Route-Map and ACL matching
When you create a route-map that references an access list, it can be confusing what the permit and deny statements within the access list and within the route-map actually do. To clarify this, let's keep the following in mind. When you apply a route map that references access lists:
- the access list is used only to match (or not match) traffic
- the route map is used to act upon that traffic
In other words, an access list in such a situation will not permit or deny anything. It does not perform that functionality. It only matches.
For example, take a look at this access list:
R2(config)#ip access-list standard R1_DENY R2(config-std-nacl)#deny 192.168.0.0 0.0.0.255 R2(config-std-nacl)#permit any
If used on an interface, this access list would deny all traffic with a source address that falls within the 192.168.0.0/24 subnet, and would permit everything else.
However, if this were to be used in a route-map, then it would act as a parameter that matches traffic. Anything with a permit statement is matched, anything with a deny statement is not matched. For this particular access list:
- anything within the range of 192.168.0.0/24 is NOT matched
- anything else IS matched
Now if this access list were to be applied to a route map like so:
R2(config)#route-map TEST deny 10 R2(config-route-map)#match ip address R1_DENY R2(config-route-map)#exit R2(config)#route-map TEST permit 20
... the result is that whatever is matched will be denied, and everything else will be permitted. (Remember if there is no match condition then your statement matches everything).
For example, a packet with an address of 172.16.5.5 is being examined by the route map.
- Putting it through the access list, we see that it is permitted. This simply means that traffic has been matched.
- The route map will now act upon that matched traffic by denying it
- Thus 172.16.5.5 will be denied.
Another example, a packet with an address of 192.168.0.55 is being examined by the route map:
- Putting it through the access list, we see that it is denied. This simply means that traffic has NOT been matched.
- The route map will now act upon that matched traffic by denying it. But there is no matched traffic so the deny statement is not applied.
- The route map goes on to the next statement 20 which permits everything, so the traffic is permitted.
- Thus 192.168.0.55 will be permitted.
Links
https://networklessons.com/cisco/ccnp-encor/introduction-to-route-maps