Introduction to Route-maps

Route-maps are the “if-then” programming solution for Cisco devices.  A route-map allows you to check for certain match conditions and (optionally) set a value.

Here are some quick examples:

• Only advertise some EIGRP routes to your neighbor.
  • Example: if prefix matches 192.168.1.0/24 in access-list then advertise it.
• Set BGP attributes based on certain match conditions.
  • Example: if prefix matches 192.168.0.0/24 then set the local preference to 500.
• Redistribute networks from OSPF into EIGRP based on certain match conditions.
  • Example: if prefix matches 192.168.4.0/24 then redistribute it from OSPF into EIGRP.
• Change the next hop IP address with policy-based routing.
  • Example: if packet length > 500 bytes, change the next hop IP address to 192.168.1.254.

Route-maps are a bit like access-lists on steroids. They are far more powerful since besides prefixes, there are a lot of different match conditions and you set certain values.

In this lesson, I’ll give you a global overview of how route-maps work and I’ll show you how to configure them.

Like access-lists, route-maps work with different permit or deny statements:

We start at the top and process the first statement. There are two possible outcomes:

• Match: there is a match, we apply our action and that’s it. We don’t check the other route-map statements to see if there is another match.
• No match: we continue and check the next route-map statement.

When you don’t have any matches, we hit the invisible implicit deny at the bottom of the route-map. This is similar to how an access-list works.

Each route-map can have one or more match conditions. Here’s an example:

Our first two statements (10 and 20) have a match condition. There are a lot of possible match conditions. To name a few:

• prefix-list
• access-list
• BGP local preference
• BGP AS path
• Packet Length
• And many more…

If you don’t have a match condition then your statement matches everything.

Besides a match condition, we can also change something with a set command:

Route-map statements 10 and 30 have a set command. Here are some examples of set commands:

• Change the BGP AS path length.
• Set a BGP community.
• Set the BGP weight.
• Set the metric of an OSPF or EIGRP route in redistribution.
• Set a redistribution tag.
• Set the next hop IP address in policy-based routing.
• Set the DSCP value of an IP packet.
• And many other options…

This is the “if-then” logic of the route-map. IF we match a certain match condition, then SET something.

The best way to learn about route-maps is to see them in action.

Configuration

To demonstrate route-maps, we need to create route-maps and have something to apply them to.  I’ll use two routers for this lesson:

EIGRP is pre-configured and R1 advertises some loopback interfaces to R2. We’ll use route-maps to filter networks that R1 advertises to R2.

hostname R1
!
ip cef
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end

R2 has learned these four networks:

R2#show ip route eigrp | include /24
D     192.168.0.0/24 
D     192.168.1.0/24 
D     192.168.2.0/24 
D     192.168.3.0/24

Let’s see what we can do with route-maps.

Match Condition- Permit

Let’s create a new route-map and see what options we have:

R2(config)#route-map ?
WORD  Route map tag

First, we need to give it a name. Let’s call it TEST_1:

R2(config)#route-map TEST_1 ?
  <0-65535>  Sequence to insert to/delete from existing route-map entry
  deny       Route map denies set operations
  permit     Route map permits set operations
  

I can choose between a permit or deny statement. So far, this is similar to how an access-list looks. Let’s go for permit and use sequence number 10:

R2(config)#route-map TEST_1 permit 10

Let’s look at the options of our route-map:

R2(config-route-map)#?
    Route Map configuration commands:
      continue     Continue on a different entry within the route-map
      default      Set a command to its defaults
      description  Route-map comment
      exit         Exit from route-map configuration mode
      help         Description of the interactive help system
      match        Match values from routing table
      no           Negate a command or set its defaults
      set          Set values in destination routing protocol

There are a couple of options to choose from. We’ll start with match:

R2(config-route-map)#match ?
    additional-paths  BGP Add-Path match policies
    as-path           Match BGP AS path list
    clns              CLNS information
    community         Match BGP community list
    extcommunity      Match BGP/VPN extended community list
    interface         Match first hop interface of route
    ip                IP specific information
    ipv6              IPv6 specific information
    length            Packet length
    local-preference  Local preference for route
    mdt-group         Match routes corresponding to MDT group
    metric            Match metric of route
    mpls-label        Match routes which have MPLS labels
    policy-list       Match IP policy list
    route-type        Match route-type of route
    rpki              Match RPKI state of route
    security-group    Security Group
    source-protocol   Match source-protocol of route
    tag               Match tag of route
    track             tracking object

Above, you see a big list of stuff you can match on. I want to use an access-list as my match condition. We can find this under the ip parameter:

R2(config-route-map)#match ip ?                      
    address                Match address of route or match packet
    flowspec               Match src/dest prefix component of flowspec prefix
    next-hop               Match next-hop address of route
    redistribution-source  route redistribution source (EIGRP only)
    route-source           Match advertising source address of route

We have a couple of options. Let’s pick address:

R2(config-route-map)#match ip address ?
    <1-199>      IP access-list number
    <1300-2699>  IP access-list number (expanded range)
    WORD         IP access-list name
    prefix-list  Match entries of prefix-lists

Now I can choose between an access-list of prefix-list. Let’s refer to an access-list called “R1_L0_PERMIT”:

R2(config-route-map)#match ip address R1_L0_PERMIT

We now have a route-map…great! It doesn’t do anything yet though, and we still need to create that access-list.

Access-list Permit

Let’s create the access-list that we refer to in our route-map. I’ll create a permit statement that matches network 192.168.0.0/24:

R2(config)#ip access-list standard R1_L0_PERMIT 
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255

The only thing left to do is to attach our route-map to something. We’ll keep it simple, I’ll attach it to a distribute-list in EIGRP. This allows us to filter networks that R1 advertises to R2:

R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map TEST_1 in

What I like about EIGRP is that it resyncs when you apply a distribute-list. This helps to speed things up when testing. You’ll see the following message on your console:

 %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.12.1 (GigabitEthernet0/1) is resync: route configuration changed

Right now, we have the following access-list and route-map:

ip access-list standard R1_L0_PERMIT
permit 192.168.0.0 0.0.0.255

route-map TEST_1 permit 10
 match ip address R1_L0_PERMIT

Let’s check the routing table of R2:

R2#show ip route eigrp | include /24
D     192.168.0.0/24

We only see the 192.168.0.0/24 network. What happened?

• Our route-map has a single permit statement that has our access-list as a match condition.
• Our access-list has a single permit statement for 192.168.0.0/24.
• Everything else is denied in the access-list by the invisible implicit deny any.
• We only have one route-map statement so we hit the invisible implicit deny any in the route-map.

Let’s continue with our next example.