Route-maps are the “if-then” programming solution for Cisco devices. A route-map allows you to check for certain match conditions and (optionally) set a value.
Here are some quick examples:
- Only advertise some EIGRP routes to your neighbor.
  - Example: if prefix matches 192.168.1.0/24 in access-list then advertise it.
- Set BGP attributes based on certain match conditions.
  - Example: if prefix matches 192.168.0.0/24 then set the local preference to 500.
- Redistribute networks from OSPF into EIGRP based on certain match conditions.
  - Example: if prefix matches 192.168.4.0/24 then redistribute it from OSPF into EIGRP.
- Change the next hop IP address with policy-based routing.
  - Example: if packet length > 500 bytes, change the next hop IP address to 192.168.1.254.
Route-maps are a bit like access-lists on steroids. They are far more powerful: besides prefixes, there are a lot of different match conditions, and you can also set certain values.
In this lesson, I’ll give you a global overview of how route-maps work and I’ll show you how to configure them.
Like access-lists, route-maps work with different permit or deny statements:
We start at the top and process the first statement. There are two possible outcomes:
- Match: there is a match, we apply our action and that’s it. We don’t check the other route-map statements to see if there is another match.
- No match: we continue and check the next route-map statement.
When you don’t have any matches, we hit the invisible implicit deny at the bottom of the route-map. This is similar to how an access-list works.
Each route-map can have one or more match conditions. Here’s an example:
Our first two statements (10 and 20) have a match condition. There are a lot of possible match conditions. To name a few:
- prefix-list
- access-list
- BGP local preference
- BGP AS path
- Packet Length
- And many more…
If you don’t have a match condition then your statement matches everything.
Besides a match condition, we can also change something with a set command:
Route-map statements 10 and 30 have a set command. Here are some examples of set commands:
- Change the BGP AS path length.
- Set a BGP community.
- Set the BGP weight.
- Set the metric of an OSPF or EIGRP route in redistribution.
- Set a redistribution tag.
- Set the next hop IP address in policy-based routing.
- Set the DSCP value of an IP packet.
- And many other options…
This is the “if-then” logic of the route-map. IF we match a certain match condition, then SET something.
The best way to learn about route-maps is to see them in action.
Configuration
To demonstrate route-maps, we need to create route-maps and have something to apply them to. I’ll use two routers for this lesson:
EIGRP is pre-configured and R1 advertises some loopback interfaces to R2. We’ll use route-maps to filter networks that R1 advertises to R2.
Configurations
Want to take a look for yourself? Here you will find the startup configuration of each device.
R1
hostname R1
!
ip cef
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end
R2
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end
R2 has learned these four networks:
R2#show ip route eigrp | include /24
D 192.168.0.0/24
D 192.168.1.0/24
D 192.168.2.0/24
D 192.168.3.0/24
Let’s see what we can do with route-maps.
Match Condition - Permit
Let’s create a new route-map and see what options we have:
R2(config)#route-map ?
WORD Route map tag
First, we need to give it a name. Let’s call it TEST_1:
R2(config)#route-map TEST_1 ?
<0-65535> Sequence to insert to/delete from existing route-map entry
deny Route map denies set operations
permit Route map permits set operations
I can choose between a permit or deny statement. So far, this is similar to how an access-list looks. Let’s go for permit and use sequence number 10:
R2(config)#route-map TEST_1 permit 10
Let’s look at the options of our route-map:
R2(config-route-map)#?
Route Map configuration commands:
continue Continue on a different entry within the route-map
default Set a command to its defaults
description Route-map comment
exit Exit from route-map configuration mode
help Description of the interactive help system
match Match values from routing table
no Negate a command or set its defaults
set Set values in destination routing protocol
There are a couple of options to choose from. We’ll start with match:
R2(config-route-map)#match ?
additional-paths BGP Add-Path match policies
as-path Match BGP AS path list
clns CLNS information
community Match BGP community list
extcommunity Match BGP/VPN extended community list
interface Match first hop interface of route
ip IP specific information
ipv6 IPv6 specific information
length Packet length
local-preference Local preference for route
mdt-group Match routes corresponding to MDT group
metric Match metric of route
mpls-label Match routes which have MPLS labels
policy-list Match IP policy list
route-type Match route-type of route
rpki Match RPKI state of route
security-group Security Group
source-protocol Match source-protocol of route
tag Match tag of route
track tracking object
Above, you see a big list of stuff you can match on. I want to use an access-list as my match condition. We can find this under the ip parameter:
R2(config-route-map)#match ip ?
address Match address of route or match packet
flowspec Match src/dest prefix component of flowspec prefix
next-hop Match next-hop address of route
redistribution-source route redistribution source (EIGRP only)
route-source Match advertising source address of route
We have a couple of options. Let’s pick address:
R2(config-route-map)#match ip address ?
<1-199> IP access-list number
<1300-2699> IP access-list number (expanded range)
WORD IP access-list name
prefix-list Match entries of prefix-lists
Now I can choose between an access-list or a prefix-list. Let’s refer to an access-list called “R1_L0_PERMIT”:
R2(config-route-map)#match ip address R1_L0_PERMIT
We now have a route-map…great! It doesn’t do anything yet though, and we still need to create that access-list.
Access-list Permit
Let’s create the access-list that we refer to in our route-map. I’ll create a permit statement that matches network 192.168.0.0/24:
R2(config)#ip access-list standard R1_L0_PERMIT
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255
The only thing left to do is to attach our route-map to something. We’ll keep it simple, I’ll attach it to a distribute-list in EIGRP. This allows us to filter networks that R1 advertises to R2:
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map TEST_1 in
What I like about EIGRP is that it resyncs when you apply a distribute-list. This helps to speed things up when testing. You’ll see the following message on your console:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.12.1 (GigabitEthernet0/1) is resync: route configuration changed
Right now, we have the following access-list and route-map:
ip access-list standard R1_L0_PERMIT
 permit 192.168.0.0 0.0.0.255
route-map TEST_1 permit 10
 match ip address R1_L0_PERMIT
Let’s check the routing table of R2:
R2#show ip route eigrp | include /24
D 192.168.0.0/24
We only see the 192.168.0.0/24 network. What happened?
- Our route-map has a single permit statement that has our access-list as a match condition.
- Our access-list has a single permit statement for 192.168.0.0/24.
- Everything else is denied in the access-list by the invisible implicit deny any.
- We only have one route-map statement so we hit the invisible implicit deny any in the route-map.
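The evaluation order described above, modeled in Python as an added example (not code from the lesson or from Cisco). It runs the four networks R1 advertises through R1_L0_PERMIT and TEST_1; DENY_FIRST is a constructed route-map added for contrast, and only access-list match conditions are modeled.

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL: first matching entry wins; no matching entry means implicit deny."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, base, wildcard in acl:
        # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.ip_address(base)) & care:
            return action == "permit"
    return False  # invisible implicit deny any

def route_map_permits(route_map, acls, prefix):
    """Walk statements by sequence number; the first matching statement decides."""
    for seq, action, acl_name in sorted(route_map, key=lambda s: s[0]):
        # A statement without a match condition matches everything.
        # An ACL deny (explicit or implicit) means "no match": try the next statement.
        if acl_name is None or acl_permits(acls[acl_name], prefix):
            return action == "permit"
    return False  # invisible implicit deny at the bottom of the route-map

def filter_routes(route_map, acls, prefixes):
    """Return the prefixes a distribute-list using this route-map would accept."""
    return [p for p in prefixes if route_map_permits(route_map, acls, p)]

# From the lesson: access-list R1_L0_PERMIT and route-map TEST_1.
ACLS = {"R1_L0_PERMIT": [("permit", "192.168.0.0", "0.0.0.255")]}
TEST_1 = [(10, "permit", "R1_L0_PERMIT")]

# Constructed variant (not from the lesson): deny what the ACL matches,
# then permit everything else with a statement that has no match condition.
DENY_FIRST = [(10, "deny", "R1_L0_PERMIT"), (20, "permit", None)]

# The four /24 networks R1 advertises to R2.
ADVERTISED = ["192.168.0.0/24", "192.168.1.0/24",
              "192.168.2.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    print("TEST_1    :", filter_routes(TEST_1, ACLS, ADVERTISED))
    print("DENY_FIRST:", filter_routes(DENY_FIRST, ACLS, ADVERTISED))
```

With TEST_1 only 192.168.0.0/24 survives, matching the routing table on R2; removing statement 20 from DENY_FIRST would filter every route, because nothing would be left to permit before the implicit deny.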
Let’s continue with our next example.
Hi together,
As I read through your introduction, there was one thing I missed.
It was the following:
Which logical operation (AND; OR) gets used in the following scenarios:
Scenario 1:
route-map TEST-MAP permit 10
match ip address ACL1 ACL2
Scenario 2:
route-map TEST-MAP permit 10
match ip address ACL1
match ip next-hop ACL2
The following article described it but I want to be sure that I’m right with my assumption:
http://www.internationalstudent-s.com/route-maps.html
Scenario 1 = Logical OR (either of the ACLs need to have a match)
Scenario 2 = Logical AND (bo
Hello Marcel
Take a look at this Cisco Documentation:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_maps.pdf
On page 20-2 it states the following:
Hello Justin
Rene created the R1_L0_PERMIT access list with a permit statement for the 192.168.0.0/24 subnet. This was then referenced by the TEST_3 route map with a deny statement for matches to this access list.
So this route map is applied to the distribute-list of EIGRP. Now a router sends the following four subnets via EIGRP and they are “filtered” through this distribute list:
192.
Hello Justin
No problem, this is an opportunity to clarify things for both you and all our readers.
When we say that the route map will stop processing whenever a match is achieved, for your particular scenario, this is the case for each individual prefix.
So you have 192.168.0.0/24. It goes through the route map statements and matches sequence number 10. It is denied, but it was a match, so no more statements are
Thanks a lot. Now I understand the logic.