Question:
I just wanted to ask for your help to understand the following route-map behaviour.
I'm doing some redistribution labs and I have the following scenario.
{ (EIGRP 100) R4 ----- [ R2 } ------ R1 (OSPF) ]
R2 sits between EIGRP and OSPF AS.
R4 has the following subnets (loopbacks)
with the following requirements when redistributed into OSPF:
R4 LOOPBACKS
All other subnets: seed metric 300 - tag 30
Where I'm having problems is with the requirement that 10.4.4.0 should be denied from crossing over to OSPF.
Here's my configuration for R2. I've configured the following ACLs:
access-list 1 permit 10.4.0.0 0.0.0.255
access-list 2 permit 10.4.2.0 0.0.0.255
access-list 3 deny 10.4.4.0 0.0.0.255      <---
and put them in route-map EIGRP-TO-OSPF:
route-map EIGRP-TO-OSPF permit 10
 match ip address 1
 set metric 100
 set tag 10
route-map EIGRP-TO-OSPF permit 20
 match ip address 2
 set metric 200
 set tag 20
route-map EIGRP-TO-OSPF permit 30      <-------- permitting because ACL has a DENY statement
 match ip address 3                    <----
route-map EIGRP-TO-OSPF permit 40
 set metric 300                        <--- (no match statement to select all others)
 set tag 30
and then under R2, router ospf 1:
 redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF
So far so good!
However, the requirement for route 10.4.4.0 to be denied doesn't work! It passes through to R1, and I'm trying to figure out why, since this is an exercise for me to understand route-maps and redistribution.
The way around to solve it was to change ACL 3 and the route-map to:
access-list 3 permit 10.4.4.0 0.0.0.255
route-map EIGRP-TO-OSPF deny 30
 match ip address 3
Essentially, what I've noticed is that with the deny statement in the ACL, 10.4.4.0 passes through and has a tag of 30, so I guess it's caught by the match-all of route-map seq 40. I've tried to rearrange the statement and put it before last, but it didn't change anything.
On the other hand, when the deny is at route-map seq 30, then 10.4.4.0 isn't caught by seq 40 and works as it should... very confusing!
So my question is: why does it work when denied at the route-map but not when denied at the ACL?
Answer:
>> So my question is: why does it work when denied at the route-map but not when denied at the ACL?
Because this is the way it is implemented in IOS: the route-map logic provided by permit or deny at the route-map clause (block) is the one that counts. The IP ACLs are invoked to provide a match condition, and a deny in the ACL is simply a not-match.
The deny in a route-map clause provides a true filtering action, so an IP prefix that matches an ACL in a route-map clause with a deny action is actually filtered. A prefix that is denied in the IP ACL is simply a not-match in the route-map clause.
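The following Python model is an added example, not code from the thread or from Cisco, and it reproduces only the semantics the answer describes: a standard ACL hit on a deny entry (or the implicit deny at the end of the ACL) counts as "not matched" for the route-map clause, a clause with no match statement matches everything, a route-map deny clause really filters the prefix, and the route-map itself ends in an implicit deny. Class and function names (Acl, Clause, evaluate, redistribute), the ACL/route-map encodings, and the extra 10.4.9.0/24 "other loopback" prefix are all assumptions made for the example; default OSPF seed metrics and other IOS details are not modelled.

```python
"""Toy model of how IOS walks a route-map that matches on standard ACLs.

Added example, not from the original thread. Only the behaviour the answer
describes is modelled: ACL permit/deny entries with wildcard masks, route-map
clauses with permit/deny actions, 'match ip address', 'set metric'/'set tag',
and the implicit deny at the end of both the ACL and the route-map.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def wildcard_match(addr: str, entry_addr: str, wildcard: str) -> bool:
    """Standard-ACL comparison: a 1 bit in the wildcard mask means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(entry_addr)) & care)


@dataclass
class Acl:
    """Ordered (action, address, wildcard) entries; implicit deny at the end."""
    entries: list

    def permits(self, network: str) -> bool:
        addr = network.split("/")[0]            # standard ACL tests the network address
        for action, entry_addr, wildcard in self.entries:
            if wildcard_match(addr, entry_addr, wildcard):
                return action == "permit"       # hitting a deny entry == not matched
        return False                            # implicit deny == not matched


@dataclass
class Clause:
    seq: int
    action: str                                 # "permit" or "deny"
    match_acl: Optional[str] = None             # None: no match statement, matches all
    sets: dict = field(default_factory=dict)    # e.g. {"metric": 300, "tag": 30}


def evaluate(route_map, acls, network):
    """Return the set values applied to a redistributed prefix, or None if filtered."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        matched = True if clause.match_acl is None else acls[clause.match_acl].permits(network)
        if not matched:
            continue                            # fall through to the next sequence number
        if clause.action == "deny":
            return None                         # deny clause: the prefix is filtered
        return dict(clause.sets)                # permit clause: apply its set statements
    return None                                 # implicit deny at the end of the route-map


# R2's original configuration from the question: ACL 3 carries the deny.
ACLS_ORIGINAL = {
    "1": Acl([("permit", "10.4.0.0", "0.0.0.255")]),
    "2": Acl([("permit", "10.4.2.0", "0.0.0.255")]),
    "3": Acl([("deny", "10.4.4.0", "0.0.0.255")]),
}
ROUTE_MAP_ORIGINAL = [
    Clause(10, "permit", "1", {"metric": 100, "tag": 10}),
    Clause(20, "permit", "2", {"metric": 200, "tag": 20}),
    Clause(30, "permit", "3"),                  # can never match: ACL 3 only denies
    Clause(40, "permit", None, {"metric": 300, "tag": 30}),
]

# The working configuration: ACL 3 permits 10.4.4.0/24 and seq 30 is a deny clause.
ACLS_FIXED = {**ACLS_ORIGINAL, "3": Acl([("permit", "10.4.4.0", "0.0.0.255")])}
ROUTE_MAP_FIXED = [
    Clause(10, "permit", "1", {"metric": 100, "tag": 10}),
    Clause(20, "permit", "2", {"metric": 200, "tag": 20}),
    Clause(30, "deny", "3"),                    # real filter: prefix never reaches seq 40
    Clause(40, "permit", None, {"metric": 300, "tag": 30}),
]

# Constructed test prefixes: the three from the question plus one 'other' loopback.
PREFIXES = ["10.4.0.0/24", "10.4.2.0/24", "10.4.4.0/24", "10.4.9.0/24"]


def redistribute(route_map, acls, prefixes=PREFIXES):
    """Map each prefix to its set values, or None when the route-map filters it."""
    return {p: evaluate(route_map, acls, p) for p in prefixes}


if __name__ == "__main__":
    for label, rm, acls in (("original", ROUTE_MAP_ORIGINAL, ACLS_ORIGINAL),
                            ("fixed", ROUTE_MAP_FIXED, ACLS_FIXED)):
        print(label)
        for prefix, result in redistribute(rm, acls).items():
            print(f"  {prefix:<14} {'filtered' if result is None else result}")
```

Running it shows the two outcomes from the thread side by side: under the original configuration 10.4.4.0/24 fails to match ACL 3 (the deny entry is a non-match), falls through seq 30, and is caught by the match-all seq 40 with metric 300 and tag 30; under the fixed configuration it matches ACL 3 at the seq 30 deny clause and is filtered, while the other loopbacks still land on seq 40 as intended.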