route-map not denying

marcusaureliusbrutus Member Posts: 73
Hi.

I configured two routers connected to each other point to point. Below is the config.

R1:

ip access-list extended test
 10 permit icmp any any

route-map test deny 10
 match ip address test

interface FastEthernet0/0
 ip policy route-map test


The thing is, when I ping from the second router and it goes through R1, the ping is successful. However, if I modify the route-map so that it reads:

route-map test permit 10
 match ip address test
 set interface Null0

This config works, and pinging from R2 through R1 fails, which is my intention.

According to Cisco, a route-map deny statement should not have any set values, since the route-map deny process only checks for a match against the ACL. I have run debug ip policy and it shows the below:

*Mar 1 00:29:21.927: IP: s=10.1.2.1 (FastEthernet0/1), d=192.168.1.1, len 100,
FIB policy rejected(deny) - normal forwarding


I would appreciate any help on clarifying this and thanks in advance.

Comments

  • rossonieri#1 Member Posts: 799
    Hi marcus,
    The thing is, when i ping from the second router and it goes through R1, the ping is successful.

    Since you've applied the route-map on the R1 interface, then
    how about if you change your ping to go from R1 to R2: will the route-map result (deny) be successful?

    And your debugging result did show the correct result, except that you've missed the next-hop/action for the route-map.

    HTH.
    the More I know, that is more and More I dont know.
  • marcusaureliusbrutus Member Posts: 73
    Pings from R1 to R2 and vice versa are going through. Regarding the debug output, there is no set action on the route-map when I set it to:

    route-map test deny 10
     match ip address test

    Thanks.
  • APA Member Posts: 959
    ip policy route-map (name)

    This command is for policy-based routing... that's why you don't have a set value for 'deny' entries.

    Because the default behaviour for a deny via a PBR route-map is to go the usual ip routing table lookup and forward the packet that way.
    *Mar 1 00:29:21.927: IP: s=10.1.2.1 (FastEthernet0/1), d=192.168.1.1, len 100,
    FIB policy rejected(deny) - normal forwarding

    Above you are seeing that the route-map is correctly matching the deny statement, which then informs the router to conduct normal packet forwarding via the IP routing table, as I mentioned above... this is why your pings are still getting through.

    As for your permit route-map configuration... this is going to allow a match for the ACL but then divert traffic to the non-existent Null0 interface, hence why the pings fail: the router is 'blackholing' the traffic.

    If you want to deny ICMP from R1 to R2 or vice versa, implement a standard or extended ACL and apply it to the relevant router interface.

    Hope this clarifies things for you.... if you need a further explanation don't hesitate to ask :)

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
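    The three configurations discussed above side by side, as an added example that is not part of any post in this thread. It assumes R1's FastEthernet0/0 faces R2 (the debug line in the question shows the packet arriving on FastEthernet0/1, so adjust the interface to wherever R2's traffic actually enters R1); the ACL and route-map names are made up for the example.

```cisco
! Added example, not from the original thread. Interface and names are assumed.
! Applied on R1, on the interface where R2's ICMP arrives.
ip access-list extended ICMP-ANY
 permit icmp any any

! 1) A deny entry in a PBR route-map. The ACL matches, but "deny" here only
!    means "do not policy-route this packet"; the router falls back to the
!    ordinary routing-table lookup, so the ping still succeeds. This is the
!    case that logs "FIB policy rejected(deny) - normal forwarding".
route-map PBR-NO-EFFECT deny 10
 match ip address ICMP-ANY

! 2) A permit entry with a set action. Matched packets are forwarded as the
!    set clause says; Null0 is a virtual interface that discards everything
!    sent to it, so this is a deliberate blackhole and the ping fails.
route-map PBR-BLACKHOLE permit 10
 match ip address ICMP-ANY
 set interface Null0

interface FastEthernet0/0
 ip policy route-map PBR-BLACKHOLE

! 3) If the goal is simply to block ICMP, an inbound interface ACL is the
!    right tool. Only ICMP is denied; the explicit "permit ip any any" is
!    needed because every ACL ends with an implicit deny.
ip access-list extended BLOCK-ICMP
 deny   icmp any any
 permit ip any any

interface FastEthernet0/0
 ip access-group BLOCK-ICMP in
```

    To confirm which path a packet took, "show route-map PBR-BLACKHOLE" reports the policy routing match counters, and "debug ip policy" prints one line per packet stating whether it was policy routed or handed to normal forwarding, as in the question. Note that only one of approaches 2 and 3 is needed; if both are configured on the same interface, the inbound ACL drops the ICMP before PBR ever sees it.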
  • marcusaureliusbrutus Member Posts: 73
    Hi. Thanks for the explanation. By the way, if I use an ACL and PBR on an interface, will the router check the ACL or the PBR first?

    Thanks again in advance.
  • Mrock4 Banned Posts: 2,359
    IIRC, the ACL would be processed first.
  • kryolla Member Posts: 785
    Yes, you are correct in that you don't need a set statement when you are denying something in a route-map, just a match statement. Remember that route-maps are looking for conditions and acting on those conditions. If said condition (match) is true (permit), then do this (set). If said condition (match) is not true (deny), then stop processing and exit the route-map. A route-map applied to PBR with an implicit deny just means the packet will not be PBR routed but routed based on the RIB. A route-map in a redistribution means the route gets denied from being redistributed, or permitted. A route-map in a distribute-list just means the route won't be put in the RIB or advertised. Hope this helps.
    Studying for CCIE and drinking Home Brew
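    The contrast drawn above, as an added example that is not from any post in this thread: the same route-map "deny" keyword applied in three places. Process names, prefix lists and OSPF parameters are assumed for illustration.

```cisco
! Added example, not from the original thread. All names and numbers assumed.
ip prefix-list LAB-NETS seq 5 permit 192.168.1.0/24

! One route-map: deny anything matching the prefix list, permit the rest.
route-map FILTER deny 10
 match ip address prefix-list LAB-NETS
route-map FILTER permit 20

! a) Under redistribution: the deny entry removes 192.168.1.0/24 from what is
!    redistributed; everything else is redistributed via sequence 20.
router ospf 1
 redistribute connected subnets route-map FILTER

! b) As an inbound distribute-list: the deny entry keeps 192.168.1.0/24 out
!    of the RIB on this router; other routes are still installed.
router ospf 1
 distribute-list route-map FILTER in

! c) Under ip policy (PBR) the deny has no filtering effect at all. A packet
!    that hits a deny entry, or no entry (implicit deny at the end), is simply
!    forwarded by the normal routing-table lookup. To drop it you need a
!    permit entry with a set clause pointing at Null0.
ip access-list extended TO-LAB
 permit ip any 192.168.1.0 0.0.0.255
route-map PBR-LAB permit 10
 match ip address TO-LAB
 set interface Null0
interface FastEthernet0/0
 ip policy route-map PBR-LAB
```

    The thing to keep in mind is that "deny" in a route-map means "this entry does not apply" and nothing more; what actually happens to a non-matching route or packet is decided by the feature the route-map is attached to, which is why the same FILTER map drops routes in (a) and (b) but would let packets through under (c).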
  • cisco_trooper Member Posts: 1,441
    yeah, i'm retarded. ooooooops.