
route-map access-list


Postby Guest » Sat Feb 13, 2010 11:03 pm

Hi. Could someone please clarify the answer for me, please?

This is question 3 in chapter 4 of CCNP Route training guide 642-902

3. R1 has correctly configured EIGRP to filter routes using a route map named question. The configuration that follows shows the entire route map and related configuration. Which of the following is true regarding the filtering action on prefix 10.10.10.0/24 in this case?

route-map question deny 10
match ip address 1
route-map question permit 20
match ip address prefix-list fred
!
access-list 1 deny 10.10.10.0 0.0.0.255
ip prefix-list fred permit 10.10.10.0/23 le 25

A. It will be filtered due to the deny action in route map clause 10.

B. It will be allowed because of the double negative two deny references in clause 10.

C. It will be permitted due to matching clause 20’s reference to prefix-list fred.

D. It will be filtered due to matching the implied deny all route map clause at the end of the route map.

Answer: C. When used for route filtering, the route map action (permit or deny) defines the filtering action, and any referenced match commands’ permit or deny action just defines whether the prefix is matched. By not matching ACL 1 with a permit action, EIGRP does not consider a match to have occurred with clause 10, so it moves to clause 20. The prefix list referenced in clause 20 has a permit action, matching prefixes from 10.10.10.0–10.10.11.255, with prefix lengths from 23–25. Both criteria match the prefix in question, making answer C correct.

My query: Is it not answer A in fact matching the route exactly, meaning that 10.10.10.0 0.0.0.255 in ACL 1 matches the route to 10.10.10.0/24?

Is answer A not correct because traffic for 10.10.10.0 will be discarded by ACL 1 before it can be processed by route-map?

I just cannot get my head around this. Could someone please clarify the explanation as to why C is correct and A is not?

Many thanks

Guest
 


Re:route-map access-list

Postby Guest » Sun Feb 14, 2010 12:05 am

The logic is sometimes difficult to follow in route maps that use deny in the route map statement. I find it helpful to think of them in this way. The route map statement 10 specifies an action to take (in this case deny) when there is a positive result in the match statement. If the result in the access list says yes/permit then the action of the route map statement is taken. But if the result in the access list says no/deny then the action of the route map statement is not taken and the route map goes on to the next step.

 

Since access list 1 has deny 10.10.10.0 the result of the access list is no/deny and the action of route map 10 is not taken and so the route map goes on to statement 20.

 

HTH

 

Rick

Guest
 

Re:route-map access-list

Postby Guest » Sun Feb 14, 2010 12:20 am

Thank you Richard for the explanation. I am getting closer to the understanding of the logic behind it. I hope you don't mind if I take advantage of your knowledge and attach another example. The question remains the same, we are still concerned about 10.10.10.0/24. I tried to list all possible scenarios to get a full picture. The 22.22.22.0 0.0.0.255 is basically any random IP not matching 10.10.10.0/24. I hope you understand where I am coming from.

 

###############
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255

...

route-map question deny 10            Action taken, route filtered out
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255  

...

route-map question permit 10            Action taken, route permitted
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

 

##################

 

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

...

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

 

##################

 

Thank you again Richard for all your effort.

Guest
 

Re:route-map access-list

Postby Guest » Sun Feb 14, 2010 1:30 am

I am putting my responses in line marked with Bold and Italics

 

 

###############
route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255

Yes this is correct

...

route-map question deny 10            Action taken, route filtered out
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

Yes this is correct

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 10.10.10.0 0.0.0.255 

Yes this is correct

...

route-map question permit 10            Action taken, route permitted
match ip address 1
access-list 1 permit 10.10.10.0 0.0.0.255

Yes this is correct

 

##################

In this set of examples the access list never mentions 10.10.10.0. Since there is no permit for 10.10.10.0 this network would not be redistributed in any of the scenarios that you suggest.

 

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

Yes this is correct. Note that this has nothing to do with 10.10.10.0

...

route-map question deny 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

Not correct. The match statement returns a value of true and 22.22.22.0 is filtered out.

Note that this has no effect on 10.10.10.0

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 deny 22.22.22.0 0.0.0.255

Yes this is correct. Note that this has nothing to do with 10.10.1.0

...

route-map question permit 10            Action not taken, proceed to next route-map statement
match ip address 1
access-list 1 permit 22.22.22.0 0.0.0.255

Not correct. The match statement returns a value of true and 22.22.22.0 is redistributed.

Note that this has no effect on 10.10.10.0

##################

 

HTH

 

Rick

Guest
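
The clause-by-clause logic worked through in this thread can be checked with a small model. The Python below is an added example, not part of any post and not Cisco code; the function names acl, prefix_list and route_map are hypothetical, and it models only the route-filtering behaviour described above (a standard ACL compared against the route's network address, first matching entry wins, implied deny at the end of each list and of the route map).

```python
import ipaddress

def acl(entries):
    """Standard ACL as a route matcher: entries are (action, address, wildcard).
    Only the route's network address is compared; first hit wins, implied deny."""
    def result(route):
        addr = int(route.network_address)
        for action, base, wildcard in entries:
            care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
            if (addr & care) == (int(ipaddress.IPv4Address(base)) & care):
                return action
        return "deny"
    return result

def prefix_list(entries):
    """Prefix list: entries are (action, prefix, ge, le); ge and le may be None."""
    def result(route):
        for action, prefix, ge, le in entries:
            net = ipaddress.ip_network(prefix)
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else (32 if ge is not None else net.prefixlen)
            if route.network_address in net and lo <= route.prefixlen <= hi:
                return action
        return "deny"
    return result

def route_map(clauses, route):
    """clauses are (sequence, clause_action, matcher). Returns (action, sequence);
    sequence is None when the implied deny at the end of the route map is hit."""
    route = ipaddress.ip_network(route)
    for seq, clause_action, matcher in sorted(clauses, key=lambda c: c[0]):
        if matcher(route) == "permit":   # only a permit result counts as a match
            return clause_action, seq
    return "deny", None

# Configuration from the quiz question at the top of the thread.
QUESTION = [
    (10, "deny", acl([("deny", "10.10.10.0", "0.0.0.255")])),
    (20, "permit", prefix_list([("permit", "10.10.10.0/23", None, 25)])),
]

if __name__ == "__main__":
    print(route_map(QUESTION, "10.10.10.0/24"))    # ('permit', 20)
    only_22 = [(10, "deny", acl([("permit", "22.22.22.0", "0.0.0.255")]))]
    print(route_map(only_22, "22.22.22.0/24"))     # ('deny', 10)
    print(route_map(only_22, "10.10.10.0/24"))     # ('deny', None)
```

A result of `('deny', None)` means no clause matched and the route was dropped by the implied deny, which is the case for 10.10.10.0/24 whenever the ACL mentions only 22.22.22.0.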
 

Re:route-map access-list

Postby Guest » Sun Feb 14, 2010 2:56 am

Hi Rick. You really rock.

Sorry for the confusion caused with the second half of the examples. I did not formulate the question correctly but anyway, you answered with exactly what I wanted to hear. What I meant was that any of the ACL 1 statements containing only 22.22.22.0 0.0.0.255 would have no effect on 10.10.10.0/24 being filtered or not solely in this simple scenario.

 

Thanks again for the great explanation and I obviously marked your answers as correct. Now I am back to studying and I might be back with more questions soon 

 

All the best.

 

V.

Guest
 


