Sunday, 7 June 2009

Route Maps and Access-Lists

I received an email from one of the readers, Joel, who is getting confused as to how access-lists and route-maps work together. I have therefore created this topic to cover the very basics of access-lists and how they link into route-maps. In turn I have expanded the lesson on route-maps to cover a little more of the nuances of route-map theory as well as an aid to other readers.

Access-lists contain very simple logic. Numbered lists 1-99 (standard access-lists; 1300-1999 is the expanded range) permit or deny IP traffic based on the source address only, whereas lists 100-199 (extended access-lists; 2000-2699 is the expanded range) add granularity: you can match on source and destination address, on the IP protocol carried (TCP, UDP, ICMP and so on) and, for TCP and UDP, on port numbers. Two rules apply to every list, standard or extended: entries are checked top-down and the first match wins, and every list ends with an implicit deny, so a packet that matches no entry is denied.

The syntax for standard access-lists is as follows:

"I wish to permit all IP traffic from host [host-ip-address]"
"I wish to permit all traffic from [subnet] [wildcard-mask]"
"I wish to deny all IP traffic from host [host-ip-address]"
"I wish to deny all traffic from [subnet] [wildcard-mask]"

An example is you want to allow all IP traffic from 192.168.1.0/24. The access-list is simple:

access-list [1-99] permit 192.168.1.0 0.0.0.255

The syntax for extended access-lists is slightly different:

"I wish to [permit/deny] [type-of-traffic] going from [source-address] [source-wildcard-mask] to [destination-address] [destination-wildcard-mask] [optional port-number]"

Let's say you would like to permit all Telnet traffic going from 192.168.1.0/24 to a device at 192.168.2.1.

Telnet uses TCP port 23 and here is how you would write the extended access-list:

"access-list [101-199] permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23"

In English, this access-list permits TCP from 192.168.1.0/24 to the host whose address is 192.168.2.1 where the destination TCP port is 23 (the "eq 23" follows the destination, so it is the destination port that is checked). Anything else, including Telnet from any other source, falls through to the implicit deny at the end of the list.
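To make the wildcard-mask, first-match and implicit-deny rules concrete, here is an added example in Python; it is not code from the original post. It parses access-list lines written in the syntax above and evaluates packets against them. The configuration lines, the Packet fields and the function names are my own constructions for illustration; only the wildcard-mask arithmetic and the top-down, first-match, implicit-deny behaviour are the ones IOS actually uses.

```python
"""IOS-style access-list evaluation: wildcard masks, top-down first match,
implicit deny. Added example; the config lines below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = base 0.0.0.0, wildcard all ones

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must equal base: the address matches
    when (addr XOR base) is zero in every bit the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", "icmp"; standard lists use "ip"
    src: tuple[str, str]          # (base, wildcard)
    dst: tuple[str, str] = ANY    # standard lists have no destination field
    dport: Optional[int] = None   # 'eq N' after the destination

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

def parse_addr(t: list[str], i: int) -> tuple[tuple[str, str], int]:
    """Consume 'any', 'host A' or 'A W' at t[i]; a bare address (standard
    lists only) is a single host. Returns ((base, wildcard), next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1

def parse_acl_line(line: str) -> tuple[int, Rule]:
    t = line.split()                      # access-list N action ...
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:     # standard: source only
        return number, Rule(action, "ip", parse_addr(t, 3)[0])
    src, i = parse_addr(t, 4)                            # extended: proto src dst [eq N]
    dst, i = parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return number, Rule(action, t[3], src, dst, dport)

def load_acls(config: str) -> dict[int, list[Rule]]:
    """Group 'access-list N ...' lines by number, keeping their order."""
    acls: dict[int, list[Rule]] = {}
    for line in config.strip().splitlines():
        if line.startswith("access-list ") and " remark " not in line:
            number, rule = parse_acl_line(line)
            acls.setdefault(number, []).append(rule)
    return acls

def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:   # 'ip' covers every IP protocol
        return False
    if not (wildcard_match(p.src, *r.src) and wildcard_match(p.dst, *r.dst)):
        return False
    return r.dport is None or r.dport == p.dport

def evaluate(acl: list[Rule], p: Packet) -> str:
    """Top down; the first matching entry decides; no match is the implicit deny."""
    for r in acl:
        if rule_matches(r, p):
            return r.action
    return "deny"

# Constructed sample configuration built from the article's own examples.
SAMPLE_CONFIG = """
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23
access-list 122 remark IPSec Rule
access-list 122 deny ip 10.10.20.0 0.0.0.255 10.20.130.0 0.0.0.255
access-list 122 permit ip 10.10.20.0 0.0.0.255 any
"""

if __name__ == "__main__":
    acls = load_acls(SAMPLE_CONFIG)
    print(evaluate(acls[101], Packet("192.168.1.1", "192.168.2.1", "tcp", 23)))  # permit
    print(evaluate(acls[101], Packet("192.168.1.1", "192.168.2.1", "tcp", 22)))  # deny
    print(evaluate(acls[122], Packet("10.10.20.5", "10.20.130.9")))              # deny (explicit)
    print(evaluate(acls[122], Packet("10.10.21.5", "8.8.8.8")))                  # deny (implicit)
```

The point to take from running it: a Telnet packet from 192.168.1.1 is permitted by list 101, the same packet to port 22 is denied only because nothing permits it, and in list 122 the order of entries matters, since moving the deny below the permit would silently undo it.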

How to apply access-lists to route-maps

Believe me there is nothing tricky about doing this. A route-map is a way of influencing the routing decision made by a routing device. The basic syntax of a route-map is as follows:

route-map [route-map-name] [permit/deny] [sequence-number]
match [condition]
set [what-you-want-to-do-with-the-packet-if-it-matches-the-match-criteria]

As you build up your route-map you simply use a new sequence number for each clause, and the router evaluates the clauses in ascending order. Once you have created your route-map you must apply it to the router interface on which the traffic arrives. Note that ip policy route-map takes no in/out keyword: policy routing is always applied to packets entering the interface, e.g.

int fa0/0
ip policy route-map [route-map-name]

Let's step back up to the match criteria. There are a number of things that we can match on but what we will focus on is how we can influence traffic flows through a router. We do this by using the match ip address [access-list-number] command. The extended access-list in my earlier example called for allowing Telnet traffic from 192.168.1.0/24 to be able to reach host 192.168.2.1. Let's take that example a bit further and say that we want to make all Telnet traffic going from 192.168.1.0/24 to host 192.168.2.1 which has entered my router's fa0/0 interface to leave my router's Serial0/0 interface. Note that the access-list is being used here purely as a matching tool: its permit entries define which packets the clause applies to, and a deny entry (or the implicit deny at the end) just means "this clause does not match", not that the packet is dropped. We could use that access-list and apply it to our route-map (I've called it MYMAP):

access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23

route-map MYMAP permit 10
match ip address 101 <---this line refers to access-list 101
set interface Serial0/0

int fa0/0
ip policy route-map MYMAP <---applies the MYMAP route-map to traffic entering fa0/0

How does the router service the route-map?

Actually it is very logical. The router starts at the lowest sequence number and works upwards until it finds a clause whose match criteria are met; that clause decides, and no later clause is looked at.

So let's run through it. A host at 192.168.1.1 tries to Telnet to 192.168.2.1 and the packet is received on fa0/0 of our router. Our router, looking at fa0/0, realises that policy-based routing is required and that it should look at the route-map named MYMAP in order to make a decision on how to forward the traffic. The router starts at the lowest sequence number in the route-map and checks the match criteria. The example above tells the router to check access-list 101. The packet received matches access-list 101 so the router returns to the route-map and checks what the set command tells it to do. The set command tells it to forward this traffic out of Serial0/0.

What if there is no match found?

If there is no match then the router will route the packet based on the contents of the routing table. If a host at 192.168.3.1 tried to Telnet to 192.168.2.1 and the packet is received through fa0/0 of our router, the router will look into MYMAP, then at access-list 101, realise that access-list 101 does not match 192.168.3.1 as a source address and will return to the route-map and move on to the next sequence number in ascending order. In our example there is not another sequence number so the router will simply forward the traffic based upon the contents of its routing table (i.e. what it would do if there was no route-map applied to the fa0/0 interface).

How could we use route-maps to drop traffic?

Chris, you've just told us that if no match is found then the packet will be forwarded by the contents of the routing table so how can I influence that?
Generally, you would drop traffic on an interface using an access-list applied directly to the interface; however, it can be done using a route-map. Let's say you want to have control over all traffic coming in on fa0/0 of our router and want to drop anything that doesn't match our defined criteria. Let's say I have created access-lists 101-105 which specify my criteria. My route-map would look as follows:

route-map MYMAP permit 10
match ip address 101 <---this line refers to access-list 101
set interface Serial0/0
route-map MYMAP permit 20
match ip address 102 <---this line refers to access-list 102
set interface Serial0/1
route-map MYMAP permit 30
match ip address 103 <---this line refers to access-list 103
set interface Serial0/2
route-map MYMAP permit 40
match ip address 104 <---this line refers to access-list 104
set interface Serial0/3
route-map MYMAP permit 50
match ip address 105 <---this line refers to access-list 105
set interface Serial0/4

Now I want to deny everything else. Remember the Null0 interface, what I like to call Packet Heaven (as that is where packets that need to be dropped/die go)? Check this route-map statement out:

route-map MYMAP permit 60
set interface Null0

Whoa Chris! What did you do there? Where has the match statement gone? The beauty is you don't need it. Sure, you could configure an access-list (e.g. access-list 106 permit ip any any) and have:

route-map MYMAP permit 60
match ip address 106
set interface Null0

But there really is no need. If the route-map evaluation has got this far we are just saying "drop everything else, send it to Packet Heaven, Null0". By removing the match statement you are in effect creating a catch-all statement. Equally, you may have wanted all traffic not matching access-lists 101-105 to be routed out of Serial0/5 rather than be routed using the routing table or dropped. Your last route-map clause would have been:

route-map MYMAP permit 60
set interface Serial0/5 <-- all traffic not previously matched will go via Serial0/5

Other Key Points About Route-Maps

1. The route map statements can also be marked with a deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (in other words, destination-based routing is performed). Only if the statement is marked as permit and the packets meet the match criteria are all the set clauses applied. If the statement is marked as permit and the packets do not meet the match criteria, then those packets are also forwarded through the normal routing channel.

2. A single match command can list several values, and only ONE of them has to match. Different match commands in the same clause (for example match ip address together with match length) must ALL match. One trap here: IOS folds a second match ip address entry in the same clause into the first one, so two match ip address lines are simply ORed as one list, not ANDed. To AND two criteria they must be of different match types. I think an example here is in order:

route-map MYMAP permit 10
match ip address 101 102 103 104
match length 0 200
set interface Serial0/0

The logic here works thus:

match ip address 101 OR 102 OR 103 OR 104
AND
packet length between 0 and 200 bytes

So a packet comes in and matches access-list 104; the router then goes on to check the packet length. If the received packet is also no longer than 200 bytes then the set command is used. If the packet had failed the length check then the next clause in the route-map would be evaluated or, if there is none, the packet would be forwarded normally.

3. There are other match criteria (packet length, as used above, is one) but I'll focus on the remaining set options.

set ip next-hop [next-hop-ip-address] - forwards the packet to that next hop, which must be on a directly connected network. Prefer this to set interface, which is really intended for point-to-point links; on a multi-access interface such as Ethernet the router still has to resolve a Layer 2 address for the destination, so naming the next hop is the safer choice.

set default interface [interface] - only if the routing table has no explicit route for the packet's destination (a default route does not count), send it out of the specified interface

set ip default next-hop [next-hop-ip-address] - only if the routing table has no explicit route for the packet's destination, forward it to the specified next hop

Notice the use of "default", and note the keyword order in the next-hop form: it is set ip default next-hop. The plain set interface and set ip next-hop override the routing table for matching packets; the default forms only come into play when the routing table cannot route the packet itself, so an explicit route always wins over them.

4. Like match statements, you can have multiple set statements too. Again, an example will help illustrate this.

route-map MYMAP permit 10
match ip address 101
set interface Serial0/0 Serial0/1

Any packet matching access-list 101 will exit Serial0/0; if Serial0/0 is down, Serial0/1 is used instead. The rule is that the first interface in the list that is up wins. set ip next-hop can be given a list of addresses in the same way, and the first one whose connected interface is up is used.
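The following is an added Python example, not code from the original article, that models how a router walks a PBR route-map: ascending sequence numbers, OR within one match ip address line, AND across different match types, deny clauses and the implicit deny at the end both handing the packet back to the routing table, Null0 as a drop, and a list of set interface targets where the first one that is up wins. It covers the walk-through above, the drop/catch-all section and key points 1, 2 and 4. Access-lists are represented as simple predicates (constructed stand-ins for lists 101-104) rather than parsed, and the interface names, packet fields and function names are assumptions made for the example.

```python
"""PBR route-map evaluation as IOS does it. Added example with constructed
ACL stand-ins; it is not the article's or Cisco's code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None
    length: int = 64        # IP datagram size in bytes, for 'match length'

# Stand-in for a numbered access-list: True when the list would *permit* the
# packet. In a PBR match a deny entry (or implicit deny) just means "no match".
Acl = Callable[[Packet], bool]

def acl_from(cidr: str, dst: Optional[str] = None, dport: Optional[int] = None) -> Acl:
    net = ipaddress.ip_network(cidr)
    def permits(p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in net
                and (dst is None or p.dst == dst)
                and (dport is None or p.dport == dport))
    return permits

@dataclass
class Clause:
    seq: int
    action: str                                          # "permit" or "deny"
    match_acls: list[Acl] = field(default_factory=list)  # one 'match ip address A B': OR
    match_length: Optional[tuple[int, int]] = None       # a second match type: ANDed
    set_interface: list[str] = field(default_factory=list)  # 'set interface X Y': first up wins
    set_next_hop: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        addr_ok = not self.match_acls or any(acl(p) for acl in self.match_acls)
        len_ok = (self.match_length is None
                  or self.match_length[0] <= p.length <= self.match_length[1])
        return addr_ok and len_ok      # a clause with no match lines matches everything

class RouteMap:
    def __init__(self, name: str, clauses: list[Clause]):
        self.name = name
        self.clauses = sorted(clauses, key=lambda c: c.seq)   # ascending sequence order

    def evaluate(self, p: Packet, iface_up: dict[str, bool]) -> tuple[str, str]:
        """Return (decision, detail): ('pbr', egress), ('drop', 'Null0') or
        ('routing-table', why). The first matching clause decides."""
        for c in self.clauses:
            if not c.matches(p):
                continue                                  # try the next sequence number
            if c.action == "deny":                        # matched a deny clause: normal routing
                return "routing-table", f"seq {c.seq} is a deny clause"
            if c.set_next_hop:
                return "pbr", c.set_next_hop
            for ifname in c.set_interface:                # first usable interface wins
                if ifname == "Null0":
                    return "drop", "Null0"
                if iface_up.get(ifname, False):
                    return "pbr", ifname
            return "routing-table", f"seq {c.seq}: no set target usable"
        return "routing-table", "implicit deny at end of route-map"

# Constructed stand-ins for access-lists 101-104 from the article.
acl101 = acl_from("192.168.1.0/24", dst="192.168.2.1", dport=23)   # Telnet to 192.168.2.1
acl102 = acl_from("10.0.0.0/8")
acl103 = acl_from("172.16.0.0/16")
acl104 = acl_from("172.17.0.0/16")

MYMAP = RouteMap("MYMAP", [
    Clause(10, "permit", match_acls=[acl101], set_interface=["Serial0/0", "Serial0/1"]),
    Clause(20, "deny",   match_acls=[acl102]),                 # matched => routing table
    Clause(30, "permit", match_acls=[acl103, acl104],          # (103 OR 104) AND length <= 200
           match_length=(0, 200), set_interface=["Serial0/2"]),
    Clause(60, "permit", set_interface=["Null0"]),             # no match line: catch-all drop
])
NOCATCHALL = RouteMap("NOCATCHALL", MYMAP.clauses[:3])         # same map without seq 60
UP = {"Serial0/0": True, "Serial0/1": True, "Serial0/2": True}  # assumed interface state

if __name__ == "__main__":
    telnet = Packet("192.168.1.1", "192.168.2.1", dport=23)
    print(MYMAP.evaluate(telnet, UP))                                        # ('pbr', 'Serial0/0')
    print(MYMAP.evaluate(telnet, {**UP, "Serial0/0": False}))               # ('pbr', 'Serial0/1')
    print(MYMAP.evaluate(Packet("10.1.1.1", "192.168.2.1"), UP))            # routing table
    print(MYMAP.evaluate(Packet("172.17.5.5", "1.1.1.1", length=1400), UP))  # ('drop', 'Null0')
    print(NOCATCHALL.evaluate(Packet("192.168.3.1", "192.168.2.1", dport=23), UP))  # routing table
```

Two behaviours are worth noticing when you run it: a 1400-byte packet from 172.17.5.5 satisfies the OR half of clause 30 but fails the length AND, so it falls all the way to the Null0 catch-all and is dropped, while the same unmatched packet against the map without sequence 60 reaches the implicit deny and is routed by the routing table, which is exactly the difference between "drop everything else" and "leave everything else alone".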

Conclusion

Like everything, route-maps are easy once you understand how the syntax works. Any questions or feedback please feel free to leave comments and/or email me using the Contact Me tab at the top of the screen. Good luck to you all in your studies!

16 comments:

  1. Hi there,
    Very good and helpful post here. I have a question, if I have a route map, but without any set statement and is applied globally, does it have some use?
    Thanks

  2. Hi,

    It depends on what you mean. I see there being no value in a route-map if you are not using any set statement. There are the occasions when you want a route-map to implicitly permit everything else such as in BGP or in redistribution otherwise if there is not a match then routes can be denied.

    For example, any updates received from a BGP neighbor that originated in AS 23 will have a MED setting of 50. Everything else will remain the same.

    router bgp 1
    neighbor 10.1.1.2 remote-as 2
    neighbor 10.1.1.2 route-map MYMAP in

    ip as-path access-list 1 permit _23$

    route-map MYMAP permit 10
    match as-path 1
    set metric 50
    route-map MYMAP permit 20

    See how I have an empty permit statement at the end. This allows all other routes to be accepted from the neighbor. If I had failed to do this then the routes not matched by the route-map will be silently dropped.

    HTH

    Chris

  3. Hi Chris,
    For example, is there any difference between these 2 configurations:

    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    access-list 122 remark IPSec Rule
    access-list 122 deny ip 10.10.20.0 0.0.0.255 10.20.130.0 0.0.0.255
    access-list 122 deny ip 10.10.20.0 0.0.0.255 10.20.132.0 0.0.0.255
    access-list 122 permit ip 10.10.20.0 0.0.0.255 any
    route-map SDM_RMAP_1 permit 1
    match ip address 122

    and this

    ip nat inside source list 122 interface Dialer0 overload
    !
    access-list 122 remark IPSec Rule
    access-list 122 deny ip 10.10.20.0 0.0.0.255 10.20.130.0 0.0.0.255
    access-list 122 deny ip 10.10.20.0 0.0.0.255 10.20.132.0 0.0.0.255
    access-list 122 permit ip 10.10.20.0 0.0.0.255 any

    Will these 2 configurations behave the same or not?

  4. Hi,

    The configurations do the same. Only use a route-map if you need to add further granularity in your scenario.

    Route-maps are more extensible than access-lists so it may be why SDM has chosen to use route-maps in your scenario rather than access-lists.

    HTH

  5. What do you say about this post http://ccnprecertification.com/2005/04/01/nat-using-a-route-map/ ? Here the author is saying about some differences.

  6. Yes there are differences as they have put but for what you want there are no differences. He was showing that you could use multiple access lists in your NAT by making use of route-maps.

  7. Thank you very much! Your article and the one which I mentioned are very helpful!

  8. Wow, nice... thx

    if I can be a follower of this blog? thanks

  9. Hi Chris,
    Your blog is great by the way.
    In your reply to JaguaR, you gave an example of a route-map ending with an empty permit statement and said:

    "See how I have an empty permit statement at the end. This allows all other routes to be accepted from the neighbor. If I had failed to do this then the routes not matched by the route-map will be silently dropped."

    In your blog you talk about adding a final permit statement at the end of the route-map to null0, I was wondering why would you do this if you can just leave it blank and the routes will be silently dropped?

  10. Hi wanabe and thanks for your great question.

    Route-map theory has many nuances and performs slightly differently depending on which function it is used for.

    For PBR the implicit deny at the end of a route-map means that the traffic will not be policy-based routed and will be routed by the routing table.

    For BGP route-filtering as in my reply to Jaguar, the implicit deny at the end of the route-map means that any updates reaching the implicit deny (i.e. not matched by any statement in the route-map) will be dropped.

    Therefore, in my article I refer to a way of forcing the packet to be dropped in PBR by using an explicit permit statement and sending it to null 0. If I hadn't have done this the packet would have reached the implicit deny and be routed via the routing table.

    HTH

  11. Hi again Chris thanks for your reply that cleared up my issue. I am from the UK and studying CCIE RS.
    These fundamental concepts like route-maps, ACL & prefix-lists tend to bug me because there seems to be a variety of combinations of these methods to solve certain problems. On the other hand, I suppose that's the skill that pays experts their healthy salary.
    I am yet to find a good source of info that compares these methods in a simplified way (maybe I might do it in the future).
    Back to route-maps, from what I can see, there is not many ways to implement route-maps, just 2 - PBR & redistribution.
    Feel free to correct me.

  12. Hi Wanabe,

    The BGP course is very good for understanding access-lists, prefix-lists, and route-maps. Yes, you can use route-maps in PBR and redistribution but you can also use them for complex route-filtering and tagging with BGP neighbours e.g.

    neighbor 192.168.1.2 route-map matchas200 in

    This will apply a route-filter to incoming updates from BGP neighbour at 192.168.1.2, for example:

    route-map matchas200 permit 10
    match as-path 1
    set local-preference 200
    route-map matchas200 permit 20

    ip as-path access-list 1 permit ^200$

    This route map checks if a route has only gone through AS 200 and if it has set the local preference to 200. If it hasn't treat as normal.

    Good luck with the R&S, it is my ultimate goal too but I have decided to complete my CCIP first. BGP exam on the 25th Feb!

  13. Superb Article...The topic was beautifully explained! Thanks

    Mihir V Patankar

  14. Hi, about this line in your explanation

    "What if there is no match found? "

    route-map looking for the next highest sequence number.

    Guess this is not correct
    ---------------------------------

    Correct is :
    route-map looking for the next sequence number from lowest to highest


    Example
    --------

    route-map TEST permit 10 <--
    match ip address 1
    set ip next-hop 10.10.10.1

    route-map TEST permit 20 <--
    match ip address 2
    set ip next-hop 11.11.11.1

    route-map TEST permit 30 <--
    match ip address 3
    set ip next-hop 33.33.33.3



    Regards
    Raja Kumar
