Route-maps are the “if-then” programming solution for Cisco devices. A route-map allows you to check for certain match conditions and (optionally) set a value.
Here are some quick examples:
- Only advertise some EIGRP routes to your neighbor.
  - Example: if prefix matches 192.168.1.0/24 in access-list then advertise it.
- Set BGP attributes based on certain match conditions.
  - Example: if prefix matches 192.168.0.0/24 then set the local preference to 500.
- Redistribute networks from OSPF into EIGRP based on certain match conditions.
  - Example: if prefix matches 192.168.4.0/24 then redistribute it from OSPF into EIGRP.
- Change the next hop IP address with policy-based routing.
  - Example: if packet length > 500 bytes, change the next hop IP address to 192.168.1.254.
Route-maps are a bit like access-lists on steroids. They are far more powerful: besides prefixes, there are a lot of different match conditions, and you can set certain values.
In this lesson, I’ll give you a global overview of how route-maps work and I’ll show you how to configure them.
Like access-lists, route-maps work with different permit or deny statements:
We start at the top and process the first statement. There are two possible outcomes:
- Match: there is a match, we apply our action and that’s it. We don’t check the other route-map statements to see if there is another match.
- No match: we continue and check the next route-map statement.
When you don’t have any matches, we hit the invisible implicit deny at the bottom of the route-map. This is similar to how an access-list works.
Each route-map can have one or more match conditions. Here’s an example:
Our first two statements (10 and 20) have a match condition. There are a lot of possible match conditions. To name a few:
- BGP local preference
- BGP AS path
- Packet Length
- And many more…
If you don’t have a match condition then your statement matches everything.
Besides a match condition, we can also change something with a set command:
Route-map statements 10 and 30 have a set command. Here are some examples of set commands:
- Change the BGP AS path length.
- Set a BGP community.
- Set the BGP weight.
- Set the metric of an OSPF or EIGRP route in redistribution.
- Set a redistribution tag.
- Set the next hop IP address in policy-based routing.
- Set the DSCP value of an IP packet.
- And many other options…
This is the “if-then” logic of the route-map. IF we match a certain match condition, then SET something.
The best way to learn about route-maps is to see them in action.
To demonstrate route-maps, we need to create route-maps and have something to apply them to. I’ll use two routers for this lesson:
EIGRP is pre-configured and R1 advertises some loopback interfaces to R2. We’ll use route-maps to filter networks that R1 advertises to R2.
Want to take a look for yourself? Here you will find the startup configuration of each device.
```
hostname R1
!
ip cef
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end
```

```
hostname R2
!
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
!
router eigrp 1
 network 192.168.0.0 0.0.255.255
!
end
```
R2 has learned these four networks:
```
R2#show ip route eigrp | include /24
D     192.168.0.0/24
D     192.168.1.0/24
D     192.168.2.0/24
D     192.168.3.0/24
```
Let’s see what we can do with route-maps.
Match Condition - Permit
Let’s create a new route-map and see what options we have:
```
R2(config)#route-map ?
  WORD  Route map tag
```
First, we need to give it a name. Let’s call it TEST_1:
```
R2(config)#route-map TEST_1 ?
  <0-65535>  Sequence to insert to/delete from existing route-map entry
  deny       Route map denies set operations
  permit     Route map permits set operations
```
I can choose between a permit or deny statement. So far, this is similar to how an access-list looks. Let’s go for permit and use sequence number 10:
R2(config)#route-map TEST_1 permit 10
Let’s look at the options of our route-map:
```
R2(config-route-map)#?
Route Map configuration commands:
  continue     Continue on a different entry within the route-map
  default      Set a command to its defaults
  description  Route-map comment
  exit         Exit from route-map configuration mode
  help         Description of the interactive help system
  match        Match values from routing table
  no           Negate a command or set its defaults
  set          Set values in destination routing protocol
```
There are a couple of options to choose from. We’ll start with match:
```
R2(config-route-map)#match ?
  additional-paths  BGP Add-Path match policies
  as-path           Match BGP AS path list
  clns              CLNS information
  community         Match BGP community list
  extcommunity      Match BGP/VPN extended community list
  interface         Match first hop interface of route
  ip                IP specific information
  ipv6              IPv6 specific information
  length            Packet length
  local-preference  Local preference for route
  mdt-group         Match routes corresponding to MDT group
  metric            Match metric of route
  mpls-label        Match routes which have MPLS labels
  policy-list       Match IP policy list
  route-type        Match route-type of route
  rpki              Match RPKI state of route
  security-group    Security Group
  source-protocol   Match source-protocol of route
  tag               Match tag of route
  track             tracking object
```
Above, you see a big list of stuff you can match on. I want to use an access-list as my match condition. We can find this under the ip parameter:
```
R2(config-route-map)#match ip ?
  address                Match address of route or match packet
  flowspec               Match src/dest prefix component of flowspec prefix
  next-hop               Match next-hop address of route
  redistribution-source  route redistribution source (EIGRP only)
  route-source           Match advertising source address of route
```
We have a couple of options. Let’s pick address:
```
R2(config-route-map)#match ip address ?
  <1-199>      IP access-list number
  <1300-2699>  IP access-list number (expanded range)
  WORD         IP access-list name
  prefix-list  Match entries of prefix-lists
```
Now I can choose between an access-list or prefix-list. Let’s refer to an access-list called “R1_L0_PERMIT”:
R2(config-route-map)#match ip address R1_L0_PERMIT
We now have a route-map…great! It doesn’t do anything yet though, and we still need to create that access-list.
Let’s create the access-list that we refer to in our route-map. I’ll create a permit statement that matches network 192.168.0.0/24:
```
R2(config)#ip access-list standard R1_L0_PERMIT
R2(config-std-nacl)#permit 192.168.0.0 0.0.0.255
```
The only thing left to do is to attach our route-map to something. We’ll keep it simple: I’ll attach it to a distribute-list in EIGRP. This allows us to filter networks that R1 advertises to R2:
```
R2(config)#router eigrp 1
R2(config-router)#distribute-list route-map TEST_1 in
```
What I like about EIGRP is that it resyncs when you apply a distribute-list. This helps to speed things up when testing. You’ll see the following message on your console:
%DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 192.168.12.1 (GigabitEthernet0/1) is resync: route configuration changed
Right now, we have the following access-list and route-map:
```
ip access-list standard R1_L0_PERMIT
 permit 192.168.0.0 0.0.0.255
route-map TEST_1 permit 10
 match ip address R1_L0_PERMIT
```
Let’s check the routing table of R2:
```
R2#show ip route eigrp | include /24
D     192.168.0.0/24
```
We only see the 192.168.0.0/24 network. What happened?
- Our route-map has a single permit statement that has our access-list as a match condition.
- Our access-list has a single permit statement for 192.168.0.0/24.
- Everything else is denied in the access-list by the invisible implicit deny any.
- We only have one route-map statement so we hit the invisible implicit deny any in the route-map.
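The result above can be reproduced with a small model of the evaluation order: top-down, first match wins, implicit deny at the end of both the access-list and the route-map. This is an added example, not part of the original lesson; the Python function names are hypothetical, and it models only standard access-lists as match conditions.

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL: first matching entry wins; no match is the implicit deny."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in acl:
        # Wildcard bits set to 1 are "don't care", so invert to get the bits we compare.
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if net & care == int(ipaddress.ip_address(addr)) & care:
            return action == "permit"
    return False

def route_map_permits(route_map, acls, prefix):
    """Return (permitted, deciding sequence number); None means implicit deny."""
    for seq, action, acl_name in sorted(route_map, key=lambda s: s[0]):
        # A statement without a match condition matches everything.
        if acl_name is None or acl_permits(acls[acl_name], prefix):
            return action == "permit", seq   # first match ends processing
    return False, None

def installed(route_map, acls, routes):
    """Routes that survive the inbound distribute-list."""
    return [r for r in routes if route_map_permits(route_map, acls, r)[0]]

# Configuration and routes taken from the lesson.
ACLS = {"R1_L0_PERMIT": [("permit", "192.168.0.0", "0.0.0.255")]}
TEST_1 = [(10, "permit", "R1_L0_PERMIT")]
R1_ROUTES = ["192.168.0.0/24", "192.168.1.0/24",
             "192.168.2.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    for route in R1_ROUTES:
        permitted, seq = route_map_permits(TEST_1, ACLS, route)
        reason = f"statement {seq}" if seq is not None else "implicit deny"
        print(f"{route:16} {'permit' if permitted else 'deny':6} ({reason})")
```

Because the filter fails closed, every prefix that is not explicitly permitted is dropped, which is worth checking with `show ip route` after each change.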
Let’s continue with our next example.
Hi Rene, great post!
I am looking for a route-map quite difficult to apply to my BGP.
The target is to filter packets with a specific source network and all loopbacks within a specific destination range. I have tried it with a route-map with an ACL for the source network and a prefix-list for the destinations and a set policy to route it to a next-hop pointing to null, but it is not allowed…
% prefix-list and access-list can not co-exist in one route-map sequence.
Any idea how can I achieve this?
Hello Jose Luis,
This will be difficult. You can use a route-map in combination with BGP for inbound or outbound filtering. For example, when you receive routes, you can use a route-map to permit/deny the routes you want to install. When you advertise routes, you can use a route-map to define the routes that you want to advertise to your peer.
When you want to filter traffic based on source and/or destination addresses, you need different tools like access-lists and apply those to interfaces or use something like CBAC/ZBF.
Hi Rene, Thank you for your response,
My goal is using this router as a filter to prevent a source from reaching some remote destinations, but the difficulty here is the fact that I only want to filter /32 destinations within a network, let’s say 10.0.0.0/8.
I do not want to filter advertisements, as the remote routers or equipment in between could need them. I just want my router to look for packets with source X.X.X.X/28 that want to reach Y.Y.Y.Y/32 and then discard them, taking into account that this router has no clue about the /32 but about the full network.
I have a route-map issue, maybe you can help
how many route maps can you have within BGP pointing to a peer?
The reason I ask this is I have currently 2 route maps which prefix list on a 25. X network
and I am migrating to the 10.X network
For each neighbor, you can specify a single route-map to filter prefixes. This is done in a command similar to this:
neighbor 192.168.12.2 route-map NEIGHBORS out
where NEIGHBORS is the name of the route-map. However, you can include several statements within the route-map that will match the criteria you need for your application. Take a look at the route-map section of this lesson for more examples:
I hope this has been helpful!