[c-nsp] BGP/route-map/acl question/logic...
Dumitru Ciobarcianu
cisco-nsp at lnx.ro
Tue Feb 3 03:08:23 EST 2015
Hi,
Route-maps are "first rule match" based.
The "permit any" in the acl will "match" the announcement and skip the
rest of the rules.
You need to do something like:
access-list 98 permit 10.0.0.0 0.255.255.255
(or better:
prefix-list PL-NAME permit 10.0.0.0/8
)
route-map UPSTREAM_A_IN *deny* 10
match ip address 98
(or better:
match ip address prefix-list PL-NAME
)
route-map UPSTREAM_A_IN permit 20
set community 12345:10000
You "permit" the prefix to be denied. A bit counter-intuitive, yes :)
Dumitru
On 02/03/2015 07:21 AM, CiscoNSP List wrote:
> Hi Everyone,
>
> If I want to block certain prefixes from an upstream, and accept the rest and then tag the accepted prefixes, which is the correct method? I *thought* the first one was correct, but it doesn't do what I expected, i.e. the ACL gets a hit on deny 10.0.0.0/24, but it is still allowed (i.e. we still receive the prefix)?:
>
> route-map UPSTREAM_A_IN permit 10
> match ip address 98
> continue 20
> route-map UPSTREAM_A_IN permit 20
> set community 12345:10000
>
> access-list 98 deny 10.0.0.0 0.255.255.255
> access-list 98 permit any
>
> or... (I haven't tested this one yet):
>
> route-map UPSTREAM_A_IN deny 10
> match ip address 98
> continue 20
> route-map UPSTREAM_A_IN permit 20
> set community 12345:10000
>
> access-list 98 permit 10.0.0.0 0.255.255.255
>
> Cheers.
>
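Added illustration (not part of the thread): a small Python model of the first-match semantics Dumitru describes, applied to both configurations from the thread. It reproduces the original poster's observation (10.0.0.0/24 still permitted and tagged) and shows the corrected route-map denying it. ACL entries, sequence structure and the treatment of "continue" are constructed simplifications of IOS behaviour, not vendor code.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_eval(acl, prefix):
    """Standard ACL as used by 'match ip address': the first entry whose
    address/wildcard covers the route's network address wins; implicit deny."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in acl:
        care = ~_int(wildcard) & 0xFFFFFFFF      # wildcard 1-bits are don't-care
        if net & care == _int(addr) & care:
            return action
    return "deny"

def route_map_eval(rmap, acls, prefix):
    """Return (permitted, communities). First matching sequence decides; a
    sequence without a match clause matches everything; no match at all is an
    implicit deny. 'continue' on a matched permit sequence jumps to the named
    sequence and keeps accumulating set actions (simplification: a matched
    deny sequence drops the route immediately, any continue is ignored)."""
    seqs = sorted(rmap, key=lambda s: s["seq"])
    index_of = {s["seq"]: i for i, s in enumerate(seqs)}
    idx, permitted, comms = 0, False, []
    while idx < len(seqs):
        s = seqs[idx]
        acl = s.get("match_acl")
        if acl is None or acl_eval(acls[acl], prefix) == "permit":
            if s["action"] == "deny":
                return False, []
            permitted = True
            comms += s.get("set_community", [])
            if "continue" not in s:
                return True, comms
            idx = index_of[s["continue"]]
        else:
            idx += 1
    return permitted, comms   # assumption: an earlier continued permit stands

# Constructed from the thread. Original poster's attempt: ACL 98 denies 10/8.
OP_ACL = {98: [("deny", "10.0.0.0", "0.255.255.255"),
               ("permit", "0.0.0.0", "255.255.255.255")]}
OP_RMAP = [{"seq": 10, "action": "permit", "match_acl": 98, "continue": 20},
           {"seq": 20, "action": "permit", "set_community": ["12345:10000"]}]
# Dumitru's fix: ACL 98 *permits* 10/8 and the route-map *denies* on that match.
FIXED_ACL = {98: [("permit", "10.0.0.0", "0.255.255.255")]}
FIXED_RMAP = [{"seq": 10, "action": "deny", "match_acl": 98},
              {"seq": 20, "action": "permit", "set_community": ["12345:10000"]}]

if __name__ == "__main__":
    for name, rmap, acls in (("OP", OP_RMAP, OP_ACL), ("fixed", FIXED_RMAP, FIXED_ACL)):
        for p in ("10.0.0.0/24", "192.0.2.0/24"):
            print(name, p, route_map_eval(rmap, acls, p))
```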