Prefix-list "deny" & route-map "permit/deny"

Hi

I'm going to test the prefix-list deny statement, because I tried to test the prefix-list permit statement and everything works as expected. I hope you can follow me.

R3(config)#ip prefix-list test deny 150.1.1.0/24
R3(config)#route-map ine permit 10
R3(config-route-map)#match ip address prefix-list test

R3(config)#router bgp 3
R3(config-router)#neighbor 1.1.1.1 route-map ine in

Why is this route filtered on R3 if the action on the route-map is permit? I know the action in the route-map is what is done, not the action in the prefix-list.

Hello major133,

If a route-map sequence matches a “deny” statement in either a prefix-list or an access-list, then IOS will immediately cease attempting to perform a match within that sequence. Cisco IOS will then look for the next (higher) sequence of that same route-map. If another (higher) sequence doesn’t exist, then the implicit “deny” statement that is built into all route-maps will take effect.

See the following video at timestamp 6:00 where I talk about this:
https://my.ine.com/Networking/courses/1567ac68/igp-routing-control-with-filtering-redistribution


Hello Keith

If a route-map sequence matches a “deny” statement in either a prefix-list or an access-list, then IOS will immediately cease attempting to perform a match within that sequence.

OK, the deny statement in the prefix-list will stop processing this permit/deny stanza in the route-map and move to the next, then move to the next, until what? Until it reaches the permit/deny all stanza in the route-map?
Does that mean the only case for a deny statement in the prefix-list matching a stanza in the route-map is a stanza which is permit/deny all in the route-map?

Also, what is the name of the video? The link is not opening.

Hi Major133,
The name of the course that link points to is “IGP Route Control with Filtering and Redistribution” and the name of the specific video was “Matching Routes with Cisco Route-Maps”.

To answer your other question, the assumption would be that if a “deny” statement in a prefix-list (or ACL) caused the Route-Map sequence to terminate, then the next sequence in that Route-Map would presumably match on something else (maybe another prefix-list or ACL with “permit” statements). There would be little point to creating a route-map with multiple sequences that always point to the same ACL or Prefix-List for matching purposes.

Off of the top of my head, I can’t honestly think of any scenarios where it would be a good design to have a route-map point to an ACL or Prefix-List that said “deny”. The deny action should always be enforced by the route-map sequence…not the classification tool that is being referenced.


To answer your other question, the assumption would be that if a “deny” statement in a prefix-list (or ACL) caused the Route-Map sequence to terminate, then the next sequence in that Route-Map would presumably match on something else (maybe another prefix-list or ACL with “permit” statements). There would be little point to creating a route-map with multiple sequences that always point to the same ACL or Prefix-List for matching purposes.

That's really hard to understand. Anyway, I don't want to waste your time on this, but if you have one or two examples, that would be better and easier to understand. If you have 5 or 10 minutes today or tomorrow to give me examples for this, because I know you're so busy.

Hi Major133, perhaps this example will help:

Objective: When sending EIGRP external routes to any peer, if the prefix matches 10.1.1.0/24 a route tag value of “10” should be applied. If the prefix matches 10.1.any.any /17 through /30 a route tag value of “11” should be applied. All other outbound EIGRP prefixes should have a tag of “14” applied.

Method-1 (incorporating a “deny” statement in Prefix-Lists)

ip prefix-list Tag11 deny 10.1.1.0/24
ip prefix-list Tag11 permit 10.1.0.0/16 ge 17 le 30
!
ip prefix-list Tag10 permit 10.1.1.0/24
!
! 10.1.1.0/24 hits the "deny" in Tag11, so sequence 10 is skipped for it
route-map Tag-EIGRP permit 10
 match ip address prefix-list Tag11
 match route-type external
 set tag 11
!
route-map Tag-EIGRP permit 20
 match ip address prefix-list Tag10
 match route-type external
 set tag 10
!
! catch-all for the remaining external routes
route-map Tag-EIGRP permit 30
 match route-type external
 set tag 14
!
router eigrp 100
 distribute-list route-map Tag-EIGRP out

################################
#################################

Method-2 (using only “permit” statements in Prefix-Lists)

ip prefix-list Tag11 permit 10.1.0.0/16 ge 17 le 30
!
ip prefix-list Tag10 permit 10.1.1.0/24
!
! the more specific match is tested first, so no "deny" is needed in Tag11
route-map Tag-EIGRP permit 10
 match ip address prefix-list Tag10
 match route-type external
 set tag 10
!
route-map Tag-EIGRP permit 20
 match ip address prefix-list Tag11
 match route-type external
 set tag 11
!
! catch-all for the remaining external routes
route-map Tag-EIGRP permit 30
 match route-type external
 set tag 14
!
router eigrp 100
 distribute-list route-map Tag-EIGRP out

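The fall-through behaviour discussed in this thread, as an added Python sketch that is not part of any post above: it models first-match prefix-lists and route-map sequences and evaluates the R3 configuration from the question alongside Method-1 and Method-2. Assumptions of this example: every route is treated as EIGRP external (so `match route-type external` is left out), the catch-all sequence is numbered 30, and the tuple layout and names are invented here.

```python
import ipaddress

def prefix_list_action(entries, route):
    """First matching entry decides; no matching entry is an implicit deny."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        lo = ge or base.prefixlen                  # no ge/le: exact length only
        hi = le or (32 if ge else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action
    return "deny"

def route_map(sequences, plists, route):
    """Return (action, tag). A sequence is (number, action, prefix-list or None, tag)."""
    for _, action, plist, tag in sorted(sequences, key=lambda s: s[0]):
        # A prefix-list "deny" only means "this sequence did not match":
        # evaluation falls through to the next sequence.
        if plist is None or prefix_list_action(plists[plist], route) == "permit":
            return (action, tag)
    return ("deny", None)                          # implicit deny ends every route-map

# Constructed models of the configurations in this thread.
QUESTION_PL = {"test": [("deny", "150.1.1.0/24", None, None)]}
QUESTION_RM = [(10, "permit", "test", None)]

TAG10 = [("permit", "10.1.1.0/24", None, None)]
TAG11 = ("permit", "10.1.0.0/16", 17, 30)
METHOD1_PL = {"Tag11": [("deny", "10.1.1.0/24", None, None), TAG11], "Tag10": TAG10}
METHOD1_RM = [(10, "permit", "Tag11", 11), (20, "permit", "Tag10", 10), (30, "permit", None, 14)]
METHOD2_PL = {"Tag11": [TAG11], "Tag10": TAG10}
METHOD2_RM = [(10, "permit", "Tag10", 10), (20, "permit", "Tag11", 11), (30, "permit", None, 14)]

if __name__ == "__main__":
    print("R3 inbound 150.1.1.0/24:", route_map(QUESTION_RM, QUESTION_PL, "150.1.1.0/24"))
    for r in ["10.1.1.0/24", "10.1.1.4/30", "10.1.128.0/17", "10.1.0.0/16", "192.168.5.0/24"]:
        print(r, route_map(METHOD1_RM, METHOD1_PL, r), route_map(METHOD2_RM, METHOD2_PL, r))
```

In the R3 model every inbound prefix ends at the implicit deny, not only 150.1.1.0/24, because the prefix-list has no permit entry and the route-map has no later sequence.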