Welcome

First of all, may I welcome you to my site. My name is Chris and I'm from the UK and work as a Systems Engineer for Cisco. This blog was initially created to post up my subnetting technique but has now got more stuff to do with attaining Cisco certifications. Either way I really hope that the content is sufficient for your needs and I look forward to hearing your feedback. If you find that the content really helps you please feel free to donate using the PayPal link on the right.



Route Maps and Access-Lists

I received an email from one of the readers, Joel, who is getting confused as to how access-lists and route-maps work together. I have therefore created this topic to cover the very basics of access-lists and how they link into route-maps. In turn I have expanded the lesson on route-maps to cover a little more of the nuances of route-map theory as well as an aid to other readers.

Access-lists contain very simple logic. Lists 1-99 (standard access-lists) will permit or deny all IP traffic from a particular source, whereas access-lists 101-199 (extended access-lists) extend this functionality, allowing you to permit/deny with more granularity, for example by specifying both source and destination address, Layer 4 protocols and port numbers (e.g. TCP/UDP), and Layer 3 protocols other than IP (e.g. ICMP).

The syntax for standard access-lists is as follows:

"I wish to permit all IP traffic from host [host-ip-address]"
"I wish to permit all traffic from [subnet] [wildcard-mask]"
"I wish to deny all IP traffic from host [host-ip-address]"
"I wish to deny all traffic from [subnet] [wildcard-mask]"

For example, say you want to allow all IP traffic from 192.168.1.0/24. The access-list is simple:

access-list [1-99] permit 192.168.1.0 0.0.0.255

The syntax for extended access-lists is slightly different:

"I wish to [permit/deny] [type-of-traffic] going from [source-address] [source-wildcard-mask] to [destination-address] [destination-wildcard-mask] [optional port-number]"

Let's say you would like to permit all Telnet traffic going from 192.168.1.0/24 to a device at 192.168.2.1.

Telnet uses TCP port 23 and here is how you would write the extended access-list:

access-list [101-199] permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23

In English, this access-list permits TCP from 192.168.1.0/24 to the host whose address is 192.168.2.1 where the TCP port number is 23.

How to apply access-lists to route-maps

Believe me, there is nothing tricky about doing this. A route-map is a way of influencing the routing decision made by a routing device. The basic syntax of a route-map is as follows:

route-map [route-map-name] [permit/deny] [sequence-number]
match [condition]
set [what-you-want-to-do-with-the-packet-if-it-matches-the-match-criteria]

As you build up your route-map you simply increase the sequence number for each match you want to do. Once you have created your route-map you must then apply it to a router interface e.g.

int fa0/0
ip policy route-map [route-map-name] [in/out]

Let's step back up to the match criteria. There are a number of things that we can match on but what we will focus on is how we can influence traffic flows through a router. We do this by using the match ip address [access-list-number] command. The extended access-list in my earlier example called for allowing Telnet traffic from 192.168.1.0/24 to be able to reach host 192.168.2.1. Let's take that example a bit further and say that we want to make all Telnet traffic going from 192.168.1.0/24 to host 192.168.2.1 which has entered my router's fa0/0 interface to leave my router's Serial0/0 interface. We could use that access-list and apply it to our route-map (I've called it MYMAP):

access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 23

route-map MYMAP permit 10
match ip address 101 <---this line refers to access-list 101
set interface Serial0/0

int fa0/0
ip policy route-map MYMAP in <---applies the MYMAP route-map inbound on fa0/0

How does the router service the route-map?

Actually it is very logical. The router starts at the lowest sequence number until it finds a match.

So let's run through it. A host at 192.168.1.1 tries to Telnet to 192.168.2.1 and the packet is received on fa0/0 of our router. Our router, looking at fa0/0, realises that policy-based routing is required and that it should look at the route-map named MYMAP in order to make a decision on how to forward the traffic. The router starts at the lowest sequence number in the route-map and checks the match criteria. The example above tells the router to check access-list 101. The packet received matches access-list 101, so the router returns to the route-map and checks what the set command tells it to do. The set command tells it to forward this traffic out of Serial0/0.

What if there is no match found?

If there is no match then the router will route the packet based on the contents of the routing table. If a host at 192.168.3.1 tried to Telnet to 192.168.2.1 and the packet is received through fa0/0 of our router, the router will look into MYMAP, then at access-list 101, realise that access-list 101 does not match 192.168.3.1 as a source address and will return to the route-map looking for the next highest sequence number. In our example there is not another sequence number so the router will simply forward the traffic based upon the contents of its routing table (i.e. what it would do if there was no route-map applied to the fa0/0 interface).

How could we use route-maps to drop traffic?

Chris, you've just told us that if no match is found then the packet will be forwarded by the contents of the routing table so how can I influence that?
Generally, you would drop traffic on an interface using an access-list applied directly to the interface; however, it can also be done using a route-map. Let's say you want to have control over all traffic coming in on fa0/0 of our router and want to drop anything that doesn't match our defined criteria. Let's say I have created access-lists 101-105 which specify my criteria. My route-map would look as follows:

route-map MYMAP permit 10
match ip address 101 <---this line refers to access-list 101
set interface Serial0/0
route-map MYMAP permit 20
match ip address 102 <---this line refers to access-list 102
set interface Serial0/1
route-map MYMAP permit 30
match ip address 103 <---this line refers to access-list 103
set interface Serial0/2
route-map MYMAP permit 40
match ip address 104 <---this line refers to access-list 104
set interface Serial0/3
route-map MYMAP permit 50
match ip address 105 <---this line refers to access-list 105
set interface Serial0/4

Now I want to deny everything else. Remember the Null0 interface, what I like to call Packet Heaven (as that is where packets that need to be dropped/die go)? Check this route-map statement out:

route-map MYMAP permit 60
set interface Null0

Whoa Chris! What did you do there? Where has the match statement gone? The beauty is you don't need it. Sure, you could configure an access-list (e.g. access-list 106 permit ip any any) and have:

route-map MYMAP permit 60
match ip address 106
set interface Null0

But there really is no need. If the route-map evaluation has got this far we are just saying "drop everything else, send it to Packet Heaven, Null0". By removing the match statement you are in effect creating a catch-all statement. Equally, you may have wanted all traffic not matching access-lists 101-105 to be routed out of Serial0/5 rather than be routed using the routing table or dropped. Your last route-map clause would have been:

route-map MYMAP permit 60
set interface Serial0/5 <-- all traffic not previously matched will go via Serial0/5

Other Key Points About Route-Maps

1. The route map statements can also be marked with a deny. If the statement is marked as a deny, the packets meeting the match criteria are sent back through the normal forwarding channels (in other words, destination-based routing is performed). Only if the statement is marked as permit and the packets meet the match criteria are all the set clauses applied. If the statement is marked as permit and the packets do not meet the match criteria, then those packets are also forwarded through the normal routing channel.

2. There can be multiple match criteria on the same line where only ONE of the criteria has to match. There can be multiple match statements on different lines where ALL match statements must match. I think an example here is in order:

route-map MYMAP permit 10
match ip address 101 102 103 104
match ip address 105
set interface Serial0/0

The logic here works thus:

match ip address 101 OR 102 OR 103 OR 104
AND
match ip address 105

So a packet comes in and matches access-list 104, the router then goes on to check access-list 105. If the received packet also matches access-list 105 then the set command is used. If the packet had failed to match access-list 105 then the next statement in the route-map would be evaluated or the packet would be forwarded normally.
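To tie the sections above together (wildcard-mask matching in access-lists, top-down evaluation of the route-map by sequence number, the deny statement, the catch-all clause with no match line, and the OR-within-a-line / AND-across-lines rule), here is an added Python simulation of that evaluation logic. It is not the post's code or anything that runs on IOS; the access-lists and route-map clauses it uses are constructed for the example, extending MYMAP with a deny statement and a two-line match so every key point gets exercised.

```python
import ipaddress
from collections import namedtuple

ANY = ("0.0.0.0", "255.255.255.255")            # IOS keyword "any"
def host(ip): return (ip, "0.0.0.0")              # IOS keyword "host x.x.x.x"

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))   # one access-list entry
Clause = namedtuple("Clause", "seq action matches set_intf")              # one route-map statement

def acl_permits(acl, pkt):
    """Entries are checked top-down, first hit wins, implicit deny at the end."""
    for e in acl:
        if (e.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *e.src) and wildcard_match(pkt["dst"], *e.dst)
                and (e.dport is None or pkt.get("dport") == e.dport)):
            return e.action == "permit"
    return False

def pbr_decision(route_map, acls, pkt):
    """Interface chosen by the route-map, or 'routing-table' when normal destination-based routing applies."""
    for c in sorted(route_map, key=lambda k: k.seq):      # lowest sequence number first
        # ACL numbers on one match line are ORed; separate match lines are ANDed; no match line is a catch-all
        if all(any(acl_permits(acls[n], pkt) for n in line) for line in c.matches):
            return c.set_intf if c.action == "permit" else "routing-table"   # deny statement: route normally
    return "routing-table"                                # fell off the end of the route-map

# Constructed sample config: the post's MYMAP plus clauses illustrating the key points
ACLS = {
    101: [Ace("permit", "tcp", ("192.168.1.0", "0.0.0.255"), host("192.168.2.1"), 23)],
    102: [Ace("permit", "ip", ("192.168.3.0", "0.0.0.255"), ANY)],
    103: [Ace("permit", "tcp", ANY, ANY, 23)],
    104: [Ace("permit", "icmp", ANY, ANY)],
}
MYMAP = [
    Clause(10, "permit", [[101]], "Serial0/0"),              # match ip address 101
    Clause(20, "permit", [[101, 102], [103]], "Serial0/1"),  # match ip address 101 102 / match ip address 103
    Clause(30, "deny", [[104]], None),                       # deny: matching ICMP goes back to normal routing
    Clause(60, "permit", [], "Null0"),                       # no match line: everything else to Null0
]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src": "192.168.1.1", "dst": "192.168.2.1", "dport": 23},   # Serial0/0
                {"proto": "tcp", "src": "192.168.3.1", "dst": "192.168.2.1", "dport": 23},   # Serial0/1
                {"proto": "icmp", "src": "192.168.3.1", "dst": "192.168.2.1"},               # routing-table
                {"proto": "tcp", "src": "10.0.0.5", "dst": "192.168.2.1", "dport": 80}):     # Null0
        print(pkt["src"], pkt["proto"], "->", pbr_decision(MYMAP, ACLS, pkt))
```

The 192.168.3.1 Telnet packet only reaches Serial0/1 because it satisfies both match lines of clause 20; change its port to 80 and it falls past clauses 20 and 30 into the Null0 catch-all.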

3. There are other match criteria, such as packet length, but I'll focus instead on the remaining set commands.

set ip next-hop [next-hop-ip-address] - specifies where to send the packet. It is preferable to use this rather than an exit interface.

set default interface [interface] - if there is no entry in the routing table for the destination of this packet, route it through the specified interface.

set default ip next-hop [next-hop-ip-address] - if there is no entry in the routing table for the destination of this packet, route it via the specified next-hop.

Notice the word "default" in these two commands: these set clauses only take effect if there is no corresponding entry for the destination in the routing table.

4. Like match statements, you can have multiple set statements too. Again, an example will help illustrate this.

route-map MYMAP permit 10
match ip address 101
set interface Serial0/0 Serial0/1

By default any matches to access-list 101 will exit Serial0/0 but if that fails Serial0/1 will be used as the exit interface.

Conclusion

Like everything, route-maps are easy once you understand how the syntax works. Any questions or feedback please feel free to leave comments and/or email me using the Contact Me tab at the top of the screen. Good luck to you all in your studies!

Posted by Chris Bloomfield at 18:07