Introduction to Route-maps

Route-maps are the “if-then” programming solution for Cisco devices.  A route-map allows you to check for certain match conditions and (optionally) set a value.


Here are some quick examples:

  • Only advertise some EIGRP routes to your neighbor.
    • Example: if prefix matches 192.168.1.0/24 in access-list then advertise it.
  • Set BGP attributes based on certain match conditions.
    • Example: if prefix matches 192.168.0.0/24 then set the local preference to 500.
  • Redistribute networks from OSPF into EIGRP based on certain match conditions.
    • Example: if prefix matches 192.168.4.0/24 then redistribute it from OSPF into EIGRP.
  • Change the next hop IP address with policy-based routing.
    • Example: if packet length > 500 bytes, change the next hop IP address to 192.168.1.254.

Route-maps are a bit like access-lists on steroids. They are far more powerful: besides prefixes, there are a lot of different match conditions, and you can also set certain values.

In this lesson, I’ll give you a global overview of how route-maps work and I’ll show you how to configure them.

Like access-lists, route-maps work with different permit or deny statements:

Route Map Overview

We start at the top and process the first statement. There are two possible outcomes:

  • Match: there is a match, we apply our action and that’s it. We don’t check the other route-map statements to see if there is another match.
  • No match: we continue and check the next route-map statement.

When you don’t have any matches, we hit the invisible implicit deny at the bottom of the route-map. This is similar to how an access-list works.

Each route-map can have one or more match conditions. Here’s an example:

Route Map Match Condition

Our first two statements (10 and 20) have a match condition. There are a lot of possible match conditions. To name a few:

  • prefix-list
  • access-list
  • BGP local preference
  • BGP AS path
  • Packet Length
  • And many more…

If you don’t have a match condition then your statement matches everything.

Besides a match condition, we can also change something with a set command:

Route Map Set

Route-map statements 10 and 30 have a set command. Here are some examples of set commands:

  • Change the BGP AS path length.
  • Set a BGP community.
  • Set the BGP weight.
  • Set the metric of an OSPF or EIGRP route in redistribution.
  • Set a redistribution tag.
  • Set the next hop IP address in policy-based routing.
  • Set the DSCP value of an IP packet.
  • And many other options…

This is the “if-then” logic of the route-map. IF we match a certain match condition, then SET something.

The best way to learn about route-maps is to see them in action.

Configuration


To demonstrate route-maps, we need to create route-maps and have something to apply them to.  I’ll use two routers for this lesson:

R1 R2 Gigabit Interfaces

EIGRP is pre-configured and R1 advertises some loopback interfaces to R2. We’ll use route-maps to filter networks that R1 advertises to R2.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end

R2

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end

R2 has learned these four networks:

R2#show ip route eigrp | include /24
D     192.168.0.0/24 
D     192.168.1.0/24 
D     192.168.2.0/24 
D     192.168.3.0/24

Let’s see what we can do with route-maps.

Match Condition - Permit

Let’s create a new route-map and see what options we have:

R2(config)#route-map ?
WORD  Route map tag

First, we need to give it a name. Let’s call it TEST_1:

R2(config)#route-map TEST_1 ?
  <0-65535>  Sequence to insert to/delete from existing route-map entry
  deny       Route map denies set operations
  permit     Route map permits set operations
  

I can choose between a permit or deny statement. So far, this is similar to how an access-list looks. Let’s go for permit and use sequence number 10:

R2(config)#route-map TEST_1 permit 10

Let’s look at the options of our route-map:

R2(config-route-map)#?
    Route Map configuration commands:
      continue     Continue on a different entry within the route-map
      default      Set a command to its defaults
      description  Route-map comment
      exit         Exit from route-map configuration mode
      help         Description of the interactive help system
      match        Match values from routing table
      no           Negate a command or set its defaults
      set          Set values in destination routing protocol

There are a couple of options to choose from. We’ll start with match:

R2(config-route-map)#match ?
    additional-paths  BGP Add-Path match policies
    as-path           Match BGP AS path list
    clns              CLNS information
    community         Match BGP community list
    extcommunity      Match BGP/VPN extended community list
    interface         Match first hop interface of route
    ip                IP specific information
    ipv6              IPv6 specific information
    length            Packet length
    local-preference  Local preference for route
    mdt-group         Match routes corresponding to MDT group
    metric            Match metric of route
    mpls-label        Match routes which have MPLS labels
    policy-list       Match IP policy list
    route-type        Match route-type of route
    rpki              Match RPKI state of route
    security-group    Security Group
    source-protocol   Match source-protocol of route
    tag               Match tag of route
    track             tracking object

Above, you see a big list of stuff you can match on. I want to use an access-list as my match condition. We can find this under the ip parameter:

R2(config-route-map)#match ip ?                      
    address                Match address of route or match packet
    flowspec               Match src/dest prefix component of flowspec prefix
    next-hop               Match next-hop address of route
    redistribution-source  route redistribution source (EIGRP only)
    route-source           Match advertising source address of route

We have a couple of options. Let’s pick address:

R2(config-route-map)#match ip address ?
    <1-199>      IP access-list number
    <1300-2699>  IP access-list number (expanded range)
    WORD         IP access-list name
    prefix-list  Match entries of prefix-lists

Now I can choose between an access-list or a prefix-list. Let’s refer to an access-list called “R1_L0_PERMIT”:

R2(config-route-map)#match ip address R1_L0_PERMIT

We now have a route-map…great! It doesn’t do anything yet though, and we still need to create that access-list.

Access-list Permit

Let’s create the access-list that we refer to in our route-map. I’ll create a permit statement that matches network 192.168.0.0/24:

R2(config)#ip access-list standard R1_L0_PERMIT 
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255

The only thing left to do is to attach our route-map to something. We’ll keep it simple, I’ll attach it to a distribute-list in EIGRP. This allows us to filter networks that R1 advertises to R2:

R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map TEST_1 in

What I like about EIGRP is that it resyncs when you apply a distribute-list. This helps to speed things up when testing. You’ll see the following message on your console:

 %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.12.1 (GigabitEthernet0/1) is resync: route configuration changed

Right now, we have the following access-list and route-map:

ip access-list standard R1_L0_PERMIT
 permit 192.168.0.0 0.0.0.255

route-map TEST_1 permit 10
 match ip address R1_L0_PERMIT

Let’s check the routing table of R2:

R2#show ip route eigrp | include /24
D     192.168.0.0/24

We only see the 192.168.0.0/24 network. What happened?

  • Our route-map has a single permit statement that has our access-list as a match condition.
  • Our access-list has a single permit statement for 192.168.0.0/24.
  • Everything else is denied in the access-list by the invisible implicit deny any, so the other three networks don’t match route-map statement 10.
  • We only have one route-map statement, so those networks hit the invisible implicit deny any at the bottom of the route-map.
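
The evaluation order described above, as an added example (a Python model written for this page, not Cisco's or the author's code). It assumes a standard ACL is tested against the network address only, and the TEST_1_OPEN and TEST_1_DENY variants are hypothetical, not part of the lesson:

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Standard ACL test: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, addr):
    """First matching ACE wins; no match at all is the implicit deny any."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False

def route_map_permits(route_map, acls, prefix):
    """Walk statements by sequence number and stop at the first match."""
    network = prefix.split("/")[0]
    for _seq, action, acl_name in sorted(route_map, key=lambda s: s[0]):
        # A statement without a match condition matches everything.
        if acl_name is None or acl_permits(acls[acl_name], network):
            return action == "permit"
    return False  # implicit deny at the bottom of the route-map

def filter_routes(route_map, acls, prefixes):
    """Prefixes that survive 'distribute-list route-map ... in'."""
    return [p for p in prefixes if route_map_permits(route_map, acls, p)]

# From the lesson: R2's access-list and route-map, and R1's four loopbacks.
ACLS = {"R1_L0_PERMIT": [("permit", "192.168.0.0", "0.0.0.255")]}
TEST_1 = [(10, "permit", "R1_L0_PERMIT")]
ADVERTISED = ["192.168.0.0/24", "192.168.1.0/24",
              "192.168.2.0/24", "192.168.3.0/24"]

# Hypothetical variants, not configured in the lesson.
TEST_1_OPEN = TEST_1 + [(20, "permit", None)]            # permit-all at the end
TEST_1_DENY = [(10, "deny", "R1_L0_PERMIT"), (20, "permit", None)]

if __name__ == "__main__":
    for name, rm in [("TEST_1", TEST_1), ("TEST_1_OPEN", TEST_1_OPEN),
                     ("TEST_1_DENY", TEST_1_DENY)]:
        print(name, filter_routes(rm, ACLS, ADVERTISED))
```

Running it shows why a route-map used as a filter needs an explicit trailing permit statement when the intent is to drop only some routes: without one, everything that misses statement 10 is removed by the implicit deny.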

Let’s continue with our next example.

  • Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Rene, great post!

    I am looking for a route-map quite difficult to apply to my BGP.

    The target is to filter packets with a specific source network and all loopbacks within a specific destination range. I have tried it with a route-map with an ACL for the source network and a prefix-list for the destinations and a set policy to route it to a next-hop pointing to null but it is not allowed…

    % prefix-list and access-list can not co-exist in one route-map sequence.

    Any idea how can I achieve this?

  2. Hello Jose Luis,

    This will be difficult. You can use a route-map in combination with BGP for inbound or outbound filtering. For example, when you receive routes, you can use a route-map to permit/deny the routes you want to install. When you advertise routes, you can use a route-map to define the routes that you want to advertise to your peer.

    When you want to filter traffic based on source and/or destination addresses, you need different tools like access-lists and apply those to interfaces or use something like CBAC/ZBF.

    Rene

  3. Hi Rene, Thank you for your response,

    My goal is to use this router as a filter to prevent a source from reaching some remote destinations, but the difficulty here is the fact that I only want to filter /32 destinations within a network, let’s say 10.0.0.0/8.

    I do not want to filter advertisements, as the remote routers or equipment in between could need them. I just want my router to look for packets with source X.X.X.X/28 that want to reach Y.Y.Y.Y/32 and then discard them, taking into account that this router has no clue about the /32 but only about the full network.

    Thanks,

  4. Hi together,
    As I read through your Introduction, there was one thing I missed.
    It was the following:

    Which logical operation (AND; OR) gets used in the following scenarios:

    Scenario 1:
    route-map TEST-MAP permit 10
    match ip address ACL1 ACL2

    Scenario 2:
    route-map TEST-MAP permit 10
    match ip address ACL1
    match ip next-hop ACL2

    The following article described it but I want to be sure that I’m right with my assumption:
    http://www.internationalstudent-s.com/route-maps.html
    Scenario 1 = Logical OR (either of the ACLs need to have a match)
    Scenario 2 = Logical AND (bo


  5. Hello Marcel

    Take a look at this Cisco Documentation:


    On page 20-2 it states the following:

    • If several match commands are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).
    • If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip address 101 121 command, a rout
