[c-nsp] BGP/route-map/acl question/logic...

CiscoNSP List cisconsp_list at hotmail.com
Tue Feb 3 03:19:06 EST 2015


Thanks very much for the explanation (and examples), and yes, I agree it is a tad counter-intuitive, hence my confusion why my first attempt was not working as I expected it to (or what I thought it logically should be doing!)

Cheers.


> Date: Tue, 3 Feb 2015 10:08:23 +0200
> From: cisco-nsp at lnx.ro
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP/route-map/acl question/logic...
> 
> 
> Hi,
> 
> route-maps are "first rule match" based.
> 
> The "permit any" in the acl will "match" the announcement and skip the 
> rest of the rules.
> 
> you need to do something like:
> 
> access-list 98 permit 10.0.0.0 0.255.255.255
> (or better:
> prefix-list PL-NAME permit 10.0.0.0/8
> )
> route-map UPSTREAM_A_IN *deny* 10
> match ip address 98
> (or better:
> match ip address prefix-list PL-NAME
> )
> route-map UPSTREAM_A_IN permit 20
> set community 12345:10000
> 
> You "permit" the prefix to be denied. A bit counter-intuitive, yes :)
> 
> Dumitru
> 
> 
> On 02/03/2015 07:21 AM, CiscoNSP List wrote:
> > Hi Everyone,
> >
> > If I want to block certain prefixes from an upstream, and accept the rest and then tag the accepted prefixes, which is the correct method? I *thought* the first one was correct, but it doesn't do what I expected, i.e. the ACL gets a hit on deny 10.0.0.0/24, but it is still allowed (i.e. we still receive the prefix)?:
> >
> > route-map UPSTREAM_A_IN permit 10
> > match ip address 98
> > continue 20
> > route-map UPSTREAM_A_IN permit 20
> > set community 12345:10000
> >
> > access-list 98 deny   10.0.0.0 0.255.255.255
> > access-list 98 permit any
> >
> > or... (I haven't tested this one yet):
> >
> > route-map UPSTREAM_A_IN deny 10
> > match ip address 98
> > continue 20
> > route-map UPSTREAM_A_IN permit 20
> > set community 12345:10000
> >
> > access-list 98 permit   10.0.0.0 0.255.255.255
> >
> > Cheers.
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
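The first-match behaviour Dumitru describes, as an added example that is not part of the thread: a small Python model of how IOS evaluates a standard ACL under "match ip address" and then walks the route-map clauses. It runs the original poster's first attempt and Dumitru's fix against a 10.0.0.0/24 route and a 192.0.2.0/24 route, and also shows the edge case of a deny clause with no trailing permit. Assumptions: the ACL is compared against the route's network address with the usual wildcard-mask semantics and implicit deny; an ACL "deny" makes the clause *not match* rather than denying the route; a matched permit clause with "continue" applies its set and jumps to the target clause, and the route stays permitted unless a later matching deny clause is hit; no clause matching at all is an implicit deny. The helper names (parse_acl, apply_route_map, evaluate) are my own.

```python
"""Toy model of IOS standard-ACL and route-map evaluation (constructed example,
not vendor code). Used to show why 'permit 10 / match acl-with-deny' lets a
route through while 'deny 10 / match acl-with-permit' blocks it."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AclEntry:
    action: str                                 # "permit" or "deny"
    network: Optional[ipaddress.IPv4Address]    # None means "any"
    wildcard: int                               # wildcard bits as a 32-bit int


def parse_acl(lines):
    """Parse 'access-list N permit|deny A.B.C.D W.X.Y.Z' or '... permit any' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        action = parts[2]
        if parts[3] == "any":
            entries.append(AclEntry(action, None, 0xFFFFFFFF))
        else:
            net = ipaddress.IPv4Address(parts[3])
            wc = int(ipaddress.IPv4Address(parts[4]))
            entries.append(AclEntry(action, net, wc))
    return entries


def acl_matches(entries, prefix) -> bool:
    """Standard ACL under 'match ip address': first entry covering the route's
    network address decides, implicit deny at the end. Only a 'permit' hit
    counts as a route-map match; a 'deny' hit means 'this clause does not match'."""
    addr = int(prefix.network_address)
    for e in entries:
        if e.network is None:
            return e.action == "permit"
        mask = ~e.wildcard & 0xFFFFFFFF          # wildcard 0.255.255.255 -> mask /8
        if (addr & mask) == (int(e.network) & mask):
            return e.action == "permit"
    return False  # implicit deny: no match for the route-map clause


@dataclass
class Clause:
    seq: int
    action: str                         # "permit" or "deny"
    match_acl: Optional[list] = None    # parsed ACL, or None = match everything
    set_community: Optional[str] = None
    continue_to: Optional[int] = None


def apply_route_map(clauses, prefix) -> Tuple[bool, Optional[str]]:
    """Walk clauses in sequence order. The first clause whose match holds decides
    permit/deny; a permit clause with 'continue' applies its set and jumps on.
    Falling off the end without any match is an implicit deny."""
    clauses = sorted(clauses, key=lambda c: c.seq)
    idx, accepted, community = 0, False, None
    while idx < len(clauses):
        c = clauses[idx]
        matched = c.match_acl is None or acl_matches(c.match_acl, prefix)
        if not matched:
            idx += 1
            continue
        if c.action == "deny":
            return (False, None)                 # matching deny clause drops the route
        accepted = True
        if c.set_community:
            community = c.set_community
        if c.continue_to is None:
            return (True, community)
        # continue: jump to the named (later) sequence, or past the end if absent
        idx = next((i for i, n in enumerate(clauses) if n.seq == c.continue_to), len(clauses))
    return (True, community) if accepted else (False, None)


def evaluate(route_map, prefixes):
    """Return {prefix: (accepted, community)} for each constructed test prefix."""
    return {p: apply_route_map(route_map, ipaddress.ip_network(p)) for p in prefixes}


# Original poster's first attempt, as quoted in the thread
ACL98_ORIG = parse_acl(["access-list 98 deny   10.0.0.0 0.255.255.255",
                        "access-list 98 permit any"])
ORIG_MAP = [Clause(10, "permit", match_acl=ACL98_ORIG, continue_to=20),
            Clause(20, "permit", set_community="12345:10000")]

# Dumitru's fix: ACL *permits* the prefix, route-map clause *denies* it
ACL98_FIX = parse_acl(["access-list 98 permit 10.0.0.0 0.255.255.255"])
FIXED_MAP = [Clause(10, "deny", match_acl=ACL98_FIX),
             Clause(20, "permit", set_community="12345:10000")]

# Edge case: forgetting the trailing 'permit 20' leaves only the implicit deny
DENY_ONLY_MAP = [Clause(10, "deny", match_acl=ACL98_FIX)]

if __name__ == "__main__":
    for name, rm in (("original", ORIG_MAP), ("fixed", FIXED_MAP), ("deny-only", DENY_ONLY_MAP)):
        print(name, evaluate(rm, ["10.0.0.0/24", "192.0.2.0/24"]))
```

In the original map the 10.0.0.0/24 route hits the ACL deny, so clause 10 simply does not match, clause 20 has no match condition and permits everything, and the route arrives tagged 12345:10000, which is exactly the symptom reported. In the fixed map the ACL permit makes clause 10 match, the clause's deny action drops the route, and everything else falls through to clause 20. The deny-only map is the failure mode to check for when tidying such policy: with no catch-all permit, the implicit deny at the end of the route-map silently drops every remaining prefix from that upstream.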

