Introduction to Route-maps

Route-maps are the “if-then” programming solution for Cisco devices.  A route-map allows you to check for certain match conditions and (optionally) set a value.

Here are some quick examples:

  • Only advertise some EIGRP routes to your neighbor.
    • Example: if prefix matches 192.168.1.0/24 in access-list then advertise it.
  • Set BGP attributes based on certain match conditions.
    • Example: if prefix matches 192.168.0.0/24 then set the local preference to 500.
  • Redistribute networks from OSPF into EIGRP based on certain match conditions.
    • Example: if prefix matches 192.168.4.0/24 then redistribute it from OSPF into EIGRP.
  • Change the next hop IP address with policy-based routing.
    • Example: if packet length > 500 bytes, change the next hop IP address to 192.168.1.254.

Route-maps are a bit like access-lists on steroids. They are far more powerful since besides prefixes, there are a lot of different match conditions and you set certain values.

In this lesson, I’ll give you a global overview of how route-maps work and I’ll show you how to configure them.

Like access-lists, route-maps work with different permit or deny statements:

Route Map Overview

We start at the top and process the first statement. There are two possible outcomes:

  • Match: there is a match, we apply our action and that’s it. We don’t check the other route-map statements to see if there is another match.
  • No match: we continue and check the next route-map statement.

When you don’t have any matches, we hit the invisible implicit deny at the bottom of the route-map. This is similar to how an access-list works.

Each route-map can have one or more match conditions. Here’s an example:

Route Map Match Condition

Our first two statements (10 and 20) have a match condition. There are a lot of possible match conditions. To name a few:

  • prefix-list
  • access-list
  • BGP local preference
  • BGP AS path
  • Packet Length
  • And many more…

If you don’t have a match condition then your statement matches everything.

Besides a match condition, we can also change something with a set command:

Route Map Set

Route-map statements 10 and 30 have a set command. Here are some examples of set commands:

  • Change the BGP AS path length.
  • Set a BGP community.
  • Set the BGP weight.
  • Set the metric of an OSPF or EIGRP route in redistribution.
  • Set a redistribution tag.
  • Set the next hop IP address in policy-based routing.
  • Set the DSCP value of an IP packet.
  • And many other options…

This is the “if-then” logic of the route-map. IF we match a certain match condition, then SET something.

The best way to learn about route-maps is to see them in action.

Configuration



To demonstrate route-maps, we need to create route-maps and have something to apply them to.  I’ll use two routers for this lesson:

R1 R2 Gigabit Interfaces

EIGRP is pre-configured and R1 advertises some loopback interfaces to R2. We’ll use route-maps to filter networks that R1 advertises to R2.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

R1

hostname R1
!
ip cef
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end

R2

hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end

R2 has learned these four networks:

R2#show ip route eigrp | include /24
D     192.168.0.0/24 
D     192.168.1.0/24 
D     192.168.2.0/24 
D     192.168.3.0/24

Let’s see what we can do with route-maps.

Match Condition- Permit

Let’s create a new route-map and see what options we have:

R2(config)#route-map ?
WORD  Route map tag

First, we need to give it a name. Let’s call it TEST_1:

R2(config)#route-map TEST_1 ?
  <0-65535>  Sequence to insert to/delete from existing route-map entry
  deny       Route map denies set operations
  permit     Route map permits set operations
  

I can choose between a permit or deny statement. So far, this is similar to how an access-list looks. Let’s go for permit and use sequence number 10:

R2(config)#route-map TEST_1 permit 10

Let’s look at the options of our route-map:

R2(config-route-map)#?
    Route Map configuration commands:
      continue     Continue on a different entry within the route-map
      default      Set a command to its defaults
      description  Route-map comment
      exit         Exit from route-map configuration mode
      help         Description of the interactive help system
      match        Match values from routing table
      no           Negate a command or set its defaults
      set          Set values in destination routing protocol

There are a couple of options to choose from. We’ll start with match:

R2(config-route-map)#match ?
    additional-paths  BGP Add-Path match policies
    as-path           Match BGP AS path list
    clns              CLNS information
    community         Match BGP community list
    extcommunity      Match BGP/VPN extended community list
    interface         Match first hop interface of route
    ip                IP specific information
    ipv6              IPv6 specific information
    length            Packet length
    local-preference  Local preference for route
    mdt-group         Match routes corresponding to MDT group
    metric            Match metric of route
    mpls-label        Match routes which have MPLS labels
    policy-list       Match IP policy list
    route-type        Match route-type of route
    rpki              Match RPKI state of route
    security-group    Security Group
    source-protocol   Match source-protocol of route
    tag               Match tag of route
    track             tracking object

Above, you see a big list of stuff you can match on. I want to use an access-list as my match condition. We can find this under the ip parameter:

R2(config-route-map)#match ip ?                      
    address                Match address of route or match packet
    flowspec               Match src/dest prefix component of flowspec prefix
    next-hop               Match next-hop address of route
    redistribution-source  route redistribution source (EIGRP only)
    route-source           Match advertising source address of route

We have a couple of options. Let’s pick address:

R2(config-route-map)#match ip address ?
    <1-199>      IP access-list number
    <1300-2699>  IP access-list number (expanded range)
    WORD         IP access-list name
    prefix-list  Match entries of prefix-lists

Now I can choose between an access-list of prefix-list. Let’s refer to an access-list called “R1_L0_PERMIT”:

R2(config-route-map)#match ip address R1_L0_PERMIT

We now have a route-map…great! It doesn’t do anything yet though, and we still need to create that access-list.

Access-list Permit

Let’s create the access-list that we refer to in our route-map. I’ll create a permit statement that matches network 192.168.0.0/24:

R2(config)#ip access-list standard R1_L0_PERMIT 
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255

The only thing left to do is to attach our route-map to something. We’ll keep it simple, I’ll attach it to a distribute-list in EIGRP. This allows us to filter networks that R1 advertises to R2:

R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map TEST_1 in

What I like about EIGRP is that it resyncs when you apply a distribute-list. This helps to speed things up when testing. You’ll see the following message on your console:

 %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.12.1 (GigabitEthernet0/1) is resync: route configuration changed

Right now, we have the following access-list and route-map:

ip access-list standard R1_L0_PERMIT
permit 192.168.0.0 0.0.0.255

route-map TEST_1 permit 10
 match ip address R1_L0_PERMIT

Let’s check the routing table of R2:

R2#show ip route eigrp | include /24
D     192.168.0.0/24

We only see the 192.168.0.0/24 network. What happened?

  • Our route-map has a single permit statement that has our access-list as a match condition.
  • Our access-list has a single permit statement for 192.168.0.0/24.
  • Everything else is denied in the access-list by the invisible implicit deny any.
  • We only have one route-map statement so we hit the invisible implicit deny any in the route-map.

Let’s continue with our next example.

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 651 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

555 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Forum Replies

  1. Hi Rene, great post!

    I am looking for a route-map quite difficult to apply to my BGP.

    The target is to filter packets with an specific source network and all loopbacks within a specific destination range. I have tried it with a route-map with an ACL for the source network and a prefix-list for the destinations and a set policy to route it to a next-hop pointing to null but it is not allowed…

    % prefix-list and access-list can not co-exist in one route-map sequence.

    Any idea how can I achieve this?

  2. Hello Jose Luis,

    This will be difficult. You can use a route-map in combination with BGP for inbound or outbound filtering. For example, when you receive routes, you can use a route-map to permit/deny the routes you want to install. When you advertise routes, you can use a route-map to define the routes that you want to advertise to your peer.

    When you want to filter traffic based on source and/or destination addresses, you need different tools like access-lists and apply those to interfaces or use something like CBAC/ZBF.

    Rene

  3. Rene
    I have a route-map issue maybe you canhelp
    how many route maps can you have within BGP pointing to a peer?
    The reason I ask this is I have currently 2 route maps which prefix list on a 25. X network
    and I am migrating to the 10.X network

  4. Hi together,
    As I red through your Introduction, there was one thing I missed.
    It was the following:

    Which logical operation (AND; OR) gets used in the following scenarios:

    Scenario 1:
    route-map TEST-MAP permit 10
    match ip address ACL1 ACL2

    Scenario 2:
    route-map TEST-MAP permit 10
    match ip address ACL1
    match ip next-hop ACL2

    The following article described it but I want to be sure that I’m right with my assumption:
    http://www.internationalstudent-s.com/route-maps.html
    Scenario 1 = Logical OR (either of the ACLs need to have a match)
    Scenario 2 = Logical AND (bo

    ... Continue reading in our forum

  5. Hello Marcel

    Take a look at this Cisco Documentation:

    https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/route_maps.pdf


    On page 20-2 it states the following:

    • If several match commands are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).
    • If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip add
    ... Continue reading in our forum

2 more replies! Ask a question or join the discussion by visiting our Community Forum