(invisible deny all) in prefix-lists vs route-maps

@Network_Eric
Hi
Let's use this example configured on R1:

ip prefix-list test-100 permit 10.0.0.100/32

(invisible deny all)

ip prefix-list test-101 permit 10.0.0.101/32

(invisible deny all)

ip prefix-list test-102 permit 10.0.0.102/32

(invisible deny all)

ip prefix-list test-103 permit 10.0.0.103/32

(invisible deny all)

route-map ine permit 10

match ip address prefix-list test-100

set local-preference 1000

route-map ine permit 20

match ip address prefix-list test-101

set local-preference 1001

route-map ine permit 30

match ip address prefix-list test-102

set local-preference 1002

route-map ine permit 40

match ip address prefix-list test-103

set local-preference 1003

(invisible deny all)

Sir, what is the difference between the (invisible deny all) in the prefix-list and the (invisible deny all) in the route-map?

For example, is 10.0.0.104/32 going to match the (invisible deny all) in the prefix-lists, or in the route-map?

When we have stanza 10 referring to prefix-list test-100, what is going to happen?

The IOS should go to prefix-list test-100 seq 10, and if it doesn't match it should move to the next seq in prefix-list test-100. But since we don't have another seq in prefix-list test-100, that means the route should move to the next seq, which is (invisible deny all) in the prefix-list 100.

Hey Major,

The difference is in how they are applied. Let’s go through your route map (let’s say BGP inbound from a neighbor).

I am router 1, I have applied your route map to my neighbor router 2 inbound. I have 2 routes coming in from this neighbor.

  • 10.0.0.101/32
  • 192.168.1.1/32

Okay, let’s check our routes against the prefix lists and the route-map.

10.0.0.101/32

  • There is a route-map for the neighbor inbound, check the first sequence number.
  • Sequence 10 matches prefix list test-100.
  • I go down prefix list test-100 to see if I have a matching IP address. As my IP is not 10.0.0.100/32 I do not match the first entry. I check the second entry, deny all. Because it is a deny, I can’t get a match on anything else in this prefix (we only match permit statements in a prefix list), we do not match this list.
  • Since I do not match against this list, I do not set my local preference to 1000. Move on to sequence 20 in the route-map.
  • Sequence 20 matches prefix list test-101.
  • I check the first entry in the prefix list and it matches my first entry of 10.0.0.101/32!
  • Because it matches, I check my actions under the route-map. Actions say I should update the local preference.
  • I update the local preference and add the route to my bgp-adj-in table. If it meets other criteria, it will be added to my RIB.

192.168.1.1/32

  • There is a route-map for the neighbor inbound, check the first sequence number.
  • I go down prefix list test-100 to see if I have a matching IP address. As my IP is not 10.0.0.100/32 I do not match the first entry. I check the second entry, deny all. Because it is a deny, I can’t get a match on anything else in this prefix (we only match permit statements in a prefix list), we do not match this list.
  • Since I do not match against this list, I do not set my local preference to 1000. Move on to sequence 20 in the route-map.
  • This continues through all of the sequences until I get to sequence 50 in the route-map.
  • Because there is a deny all in this statement, I am saying to BGP to deny this packet, so BGP will not allow me to add 192.168.1.1/32 to my bgp-adj-in, it cannot be checked and added to my routing table. I have effectively blocked this route.

This is how the route-map uses the denies in both the prefix-list and the route-map. Since I saw you made another post on the specifics of an implicit and explicit deny, I will answer that under that post.

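The evaluation order discussed in this thread, as an added example that is not part of the original posts: a small Python model (not IOS code) of the posted R1 config, showing that a prefix-list's implicit deny only means "this clause did not match", while the route-map's implicit deny filters the route. The names `PREFIX_LISTS`, `ROUTE_MAP`, `prefix_list_permits` and `apply_route_map` are assumptions made for this illustration.

```python
import ipaddress

# Constructed model of the thread's R1 config. Each prefix-list is an ordered
# list of (action, prefix) entries; each route-map clause is
# (seq, action, prefix_list_name, local_pref).
PREFIX_LISTS = {
    f"test-10{i}": [("permit", ipaddress.ip_network(f"10.0.0.10{i}/32"))]
    for i in range(4)
}
ROUTE_MAP = [(10 * (i + 1), "permit", f"test-10{i}", 1000 + i) for i in range(4)]


def prefix_list_permits(name, route):
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, prefix in PREFIX_LISTS[name]:
        if route == prefix:  # exact match only: these entries have no ge/le
            return action == "permit"
    return False  # implicit deny: tells the caller "no match", nothing more


def apply_route_map(route_str):
    """Return (verdict, local_pref, trace) for one received route."""
    route = ipaddress.ip_network(route_str)
    trace = []
    for seq, action, plist, local_pref in ROUTE_MAP:
        if prefix_list_permits(plist, route):
            trace.append(f"seq {seq}: {plist} permits -> clause matches")
            if action == "permit":
                return "accepted", local_pref, trace
            return "filtered", None, trace  # a deny clause that matched
        trace.append(f"seq {seq}: {plist} denies -> try next clause")
    # No clause matched: the route-map's own implicit deny drops the route.
    trace.append("end of route-map: implicit deny")
    return "filtered", None, trace


if __name__ == "__main__":
    for r in ("10.0.0.101/32", "10.0.0.104/32", "192.168.1.1/32"):
        verdict, lp, steps = apply_route_map(r)
        print(r, verdict, lp)
        for step in steps:
            print("   ", step)
```
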