Hey guys,
Thanks for replying; what was intended is listed below. Though I found the correct
answer, I feel that I should still explain what I was doing.
I created route-map PBR-Customer with 2 clauses.
Clause 1 (sequence 10)
1) Next-hop 10.0.0.1 if IP matches acl-1
Clause 2 (sequence 20)
1) Next-hop 192.168.0.1 if IP matches acl-2
But I created an empty access-list named acl-1 for clause 1, so that I can
add IP addresses if required but not right away, and a non-empty access-list
acl-2 for clause 2. Now I was assuming that an empty ACL has an implicit deny any
any, so with acl-1 empty, no source address will match clause 1
(sequence 10), and traffic will match clause 2 (sequence 20) for
traffic matching acl-2 and will get next-hop 192.168.0.1. But
in reality what was happening was that all the traffic was getting matched with
acl-1 and was getting next-hop 10.0.0.1 instead of 192.168.0.1.
I hope that is clear enough.
Thanks and best regards
Date: Sat, 23 Jan 2010 13:32:13 -0500
Subject: Re: route-map permit with empy acl
From: dr3d3m3nt0_at_gmail.com
To: all.from.nj_at_gmail.com
CC: khanzadap_at_hotmail.com; ccielab_at_groupstudy.com
Hello Sameer,
Practical Studies Vol 2
If there is not a corresponding ACL to the match statement in the
route map instance, all routes are matched. The set statement, in turn,
applies to all routes.
On Sat, Jan 23, 2010 at 12:05 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
Hello Sameer, I hope this email finds you 'peachy' and doing super. ;-)
Not sure I understand what it is you are trying to accomplish. It sounds
like you do not want seq 10 to match?
When you deny all packets via the access list ... then what will be left to
match for this route-map sequence? Nothing ...
Is this what you are seeing / describing?
A simple note concerning route-maps - access lists are for matching or not
matching. Not deny or permit as in interface ACLs ... so this adds a lot of
flexibility to your design and what you can do with your routing and
design.
Complicated configs? Yes, you betcha. You can get quite granular in your
matching and excluding statements. PBR comes before normal routing ... so a
lot you can do.
Here is Cisco's PBR page.
http://www.cisco.biz/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml
You can also find a lot of good info on youtube, just search for PBR, and
the CCIE vendors websites. Can someone suggest a good vendor link? So many
talented people work for these companies, I am constantly in awe.
A good youtube search:
http://www.youtube.com/results?search_type=search_playlists&search_query=cisco+policy+based+routing&uni=1
HTH,
Andrew Lissitz
On Sat, Jan 23, 2010 at 8:28 AM, sameer khan <khanzadap_at_hotmail.com> wrote:
> Hey all great people,
>
> To the best of my understanding, an empty ACL has an implicit deny, but I am getting
> confused about the following:
>
> route-map PBR-Customer, permit, sequence 10
> Match clauses:
> ip address (access-lists): acl-1
> Set clauses:
> ip next-hop 10.0.0.1
>
> route-map PBR-Customer, permit, sequence 20
> Match clauses:
> ip address (access-lists): acl-2
> Set clauses:
> ip next-hop 192.168.0.1
>
>
> #show access-lists acl-1
> Extended IP access list acl-1
>
> route-map seq 20 is not getting hit as it should, because there is an implicit
> deny in acl-1. But if I put deny any any, i.e.:
>
> show access-list acl-1
> Extended IP access list acl-1
> 10 deny ip any any (806 matches)
>
> everything works fine as it should. PBR is applied on a 3560. Can someone
> highlight the logic?
>
>
> Best regards
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Received on Sat Jan 23 2010 - 18:50:40 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:42 ART
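
An added example, not part of any message in this thread: a small Python audit, based on the behaviour reported above, that flags route-map `match ip address` clauses referencing an ACL with no entries or no definition. The function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in IOS running-config style, mirroring the thread:
# acl-1 exists but has no entries, acl-2 has one, acl-3 is never defined.
SAMPLE_CONFIG = """\
ip access-list extended acl-1
ip access-list extended acl-2
 permit ip 172.16.0.0 0.0.255.255 any
!
route-map PBR-Customer permit 10
 match ip address acl-1
 set ip next-hop 10.0.0.1
!
route-map PBR-Customer permit 20
 match ip address acl-2 acl-3
 set ip next-hop 192.168.0.1
"""

ACL_HDR = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
RMAP_HDR = re.compile(r"^route-map (\S+) (?:permit|deny) (\d+)")
MATCH_IP = re.compile(r"^\s+match ip address (?!prefix-list)(.+)")
ENTRY = re.compile(r"^\s+(?:\d+\s+)?(?:permit|deny)\b")


def audit_route_map_acls(config):
    """Return (route_map, seq, acl, problem) for each match clause that
    references a named ACL with no entries ("empty") or no definition."""
    acl_entries = {}   # ACL name -> number of permit/deny entries
    refs = []          # (route_map, seq, acl) in config order
    cur_acl = cur_rmap = None
    for line in config.splitlines():
        if not line.startswith(" "):   # a top-level line closes any open block
            cur_acl = cur_rmap = None
        if m := ACL_HDR.match(line):
            cur_acl = m.group(1)
            acl_entries.setdefault(cur_acl, 0)
        elif m := RMAP_HDR.match(line):
            cur_rmap = (m.group(1), int(m.group(2)))
        elif cur_acl and ENTRY.match(line):
            acl_entries[cur_acl] += 1
        elif cur_rmap and (m := MATCH_IP.match(line)):
            refs += [(*cur_rmap, name) for name in m.group(1).split()]
    # An ACL counts as a finding when it has zero entries or was never seen.
    return [(r, s, a, "empty" if a in acl_entries else "undefined")
            for r, s, a in refs if not acl_entries.get(a)]


if __name__ == "__main__":
    for finding in audit_route_map_acls(SAMPLE_CONFIG):
        print("route-map %s seq %d: ACL %s is %s" % finding)
```

Only named ACLs are handled; numbered `access-list` lines would need an extra pattern.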