Re: route-map permit with empty acl

From: Tolulope Ogunsina <togunsina_at_gmail.com>
Date: Sun, 24 Jan 2010 05:47:02 +0100

Hi,

I think that should be the normal behaviour.

From my understanding, until you create an entry in an acl, the
implicit deny does not kick in, but when you remove all statements,
the implicit deny remains.

Technically, acl-1 does NOT exist so all packets are permitted.

"If an access list is referenced by name in a command, but the access
list does not exist, all packets pass."

http://www.cisco.com/en/US/docs/ios/12_2s/feature/guide/fsaclseq.html#wp1036808

HTH,
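An added example (my own, not from the thread or from Cisco): a small Python model of the route-map evaluation discussed above, showing why an empty or nonexistent acl-1 lets sequence 10 catch every packet and why an explicit "deny ip any any" in acl-1 lets sequence 20 do its job. The sequence numbers, ACL names and next-hops are the thread's; the acl-2 prefix 172.16.5.0/24 and the sample source addresses are constructed.

```python
import ipaddress

# Added model of "match ip address <acl>" in a PBR route-map; acl-2's prefix
# and the test addresses are constructed, the rest mirrors the thread.

def parse_acl(lines):
    """Parse '10 permit ip 172.16.5.0 0.0.0.255 any' into (action, net).
    Only 'any' and 'addr wildcard' sources are handled; destination ignored."""
    entries = []
    for line in lines:
        parts = line.split()
        action, src = parts[1], parts[3]
        if src == "any":  # special-cased: a 255.255.255.255 mask is ambiguous
            net = ipaddress.ip_network("0.0.0.0/0")
        else:  # ipaddress accepts a wildcard (host) mask after the slash
            net = ipaddress.ip_network(f"{src}/{parts[4]}", strict=False)
        entries.append((action, net))
    return entries

def acl_matches(acl, src):
    """IOS rule from the thread: a referenced ACL with no entries matches all;
    a populated ACL ends in implicit deny, and 'deny' here means 'not matched'."""
    if not acl:
        return True
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False

def pbr_next_hop(route_map, acls, src):
    """First matching sequence wins; None means fall back to normal routing."""
    for _seq, acl_name, next_hop in route_map:
        if acl_matches(acls.get(acl_name, []), src):
            return next_hop
    return None

ROUTE_MAP = [(10, "acl-1", "10.0.0.1"), (20, "acl-2", "192.168.0.1")]
ACL2 = parse_acl(["10 permit ip 172.16.5.0 0.0.0.255 any"])  # constructed

def empty_acl1(src):
    """acl-1 created but left empty: sequence 10 swallows all traffic."""
    return pbr_next_hop(ROUTE_MAP, {"acl-1": [], "acl-2": ACL2}, src)

def deny_any_acl1(src):
    """acl-1 holds 'deny ip any any': sequence 10 matches nothing."""
    acl1 = parse_acl(["10 deny ip any any"])
    return pbr_next_hop(ROUTE_MAP, {"acl-1": acl1, "acl-2": ACL2}, src)
```

Calling `empty_acl1("172.16.5.7")` returns 10.0.0.1 (the symptom Sameer saw), while `deny_any_acl1("172.16.5.7")` returns 192.168.0.1 and `deny_any_acl1("10.9.9.9")` returns None, i.e. ordinary routing.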

On 1/23/10, sameer khan <khanzadap_at_hotmail.com> wrote:
> Hey guys,
>
> Thanks for replying. What was intended is listed below. Though I found
> the correct answer, I feel that I still should explain what I was doing.
>
> Created route-map PBR-Customer with 2 clauses.
>
> Clause 1 ( sequence 10 )
> 1) Next-hop 10.0.0.1 if IP Matches acl-1
>
> Clause 2 ( sequence 20 )
> 1) Next-hop 192.168.0.1 if IP Matches acl-2
>
> But I created an empty access-list with name acl-1 for clause 1 so that I
> can add IP addresses if required, but not right away, and a non-empty
> access-list acl-2 for clause 2. Now I was assuming that an empty ACL has an
> implicit deny any any, as acl-1 is empty, so all the source addresses would
> not match clause 1 ( sequence 10 ) as it is empty and would match clause 2
> ( sequence 20 ) for traffic matching acl-2 ( namely acl-2 ) and would set
> next-hop 192.168.0.1. But in reality what was happening was all the traffic
> was getting matched with acl-1 and was getting next-hop 10.0.0.1 instead of
> 192.168.0.1.
>
> I hope that is clear enough.
>
> Thanks and best regards
>
> Date: Sat, 23 Jan 2010 13:32:13 -0500
> Subject: Re: route-map permit with empty acl
> From: dr3d3m3nt0_at_gmail.com
> To: all.from.nj_at_gmail.com
> CC: khanzadap_at_hotmail.com; ccielab_at_groupstudy.com
>
> Hello Sameer,
>
> Practical Studies Vol 2:
> If there is not a corresponding ACL to the match statement in the
> route map instance, all routes are matched. The set statement, in turn,
> applies to all routes.
>
> On Sat, Jan 23, 2010 at 12:05 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>
> Hello Sameer, I hope this email finds you 'peachy' and doing super. ;-)
>
> Not sure I understand what it is you are trying to accomplish. It sounds
> like you do not want seq 10 to match?
>
> When you deny all packets via the access list ... then what will be left to
> match for this route-map sequence? Nothing ...
>
> Is this what you are seeing / describing?
>
> A simple note concerning route-maps - access lists are for matching or not
> matching. Not deny or permit as in interface ACLs ... so this adds a lot of
> flexibility to your design and what you can do with your routing and
> design.
>
> Complicated configs? Yes, you betcha. You can get quite granular in your
> matching and excluding statements. PBR comes before normal routing ... so a
> lot you can do.
>
> Here is Cisco's PBR page.
> http://www.cisco.biz/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml
>
> You can also find a lot of good info on youtube, just search for PBR, and
> the CCIE vendors websites. Can someone suggest a good vendor link? So many
> talented people work for these companies, I am constantly in awe.
>
> A good youtube search:
> http://www.youtube.com/results?search_type=search_playlists&search_query=cisco+policy+based+routing&uni=1
>
> HTH,
>
> Andrew Lissitz
>
> On Sat, Jan 23, 2010 at 8:28 AM, sameer khan <khanzadap_at_hotmail.com> wrote:
>
>> Hey all, great people,
>>
>> To the best of my understanding an empty ACL has an implicit deny, but I'm
>> getting confused about the following:
>>
>> route-map PBR-Customer, permit, sequence 10
>>   Match clauses:
>>     ip address (access-lists): acl-1
>>   Set clauses:
>>     ip next-hop 10.0.0.1
>>
>> route-map PBR-Customer, permit, sequence 20
>>   Match clauses:
>>     ip address (access-lists): acl-2
>>   Set clauses:
>>     ip next-hop 192.168.0.1
>>
>> #show access-lists acl-1
>> Extended IP access list acl-1
>>
>> route-map seq 20 is not getting hit as it should because there is an
>> implicit deny in acl-1. But if I put deny any any, i.e.:
>>
>> show access-list acl-1
>> Extended IP access list acl-1
>>     10 deny ip any any (806 matches)
>>
>> everything works fine as it should. PBR is applied on a 3560. Can someone
>> highlight the logic?
>>
>> Best regards
>>
>
> --
>
> Andrew Lee Lissitz
>
> all.from.nj_at_gmail.com
>
> --
> It is said that if you know your enemies and know yourself, you will not be
> imperiled in a hundred battles; if you do not know your enemies but do know
> yourself, you will win one and lose one; if you do not know your enemies nor
> yourself, you will be imperiled in every single battle.
>

-- 
Best Regards,
Tolulope.
Blogs and organic groups at http://www.ccie.net
Received on Sun Jan 24 2010 - 05:47:02 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:42 ART