BGP redistribute route-map question.

Discussion in 'Cisco' started by crzzy1, Apr 23, 2010.

  1. crzzy1

    crzzy1 Guest

    I have a customer that has the config below.
    I would never write it like this, and use a standard ACL or distribute
    list instead.
    but to my surprise, this is allowing every static route to go be
    I would think that "permit ip host host" would get no
    matches and that the explicit deny would deny everything.
    But NOOO... the acl is matching everything.

    Can someone explain this?

    router bgp 65001
    redistribute static route-map redist-stat

    route-map redist-stat permit 10
    match ip address ALLOW-Default

    ip access-list extended ALLOW-Default
    permit ip host host

    Thorofare#sh ip route
    Routing entry for
    Known via "static", distance 1, metric 0
    Redistributing via bgp 65001
    Advertised by bgp 65001 route-map redist-stat

    Thorofare#sh access-l ALLOW-Default
    Extended IP access list ALLOW-Default
    10 permit ip host host (1492680 matches)

    crzzy1, Apr 23, 2010
    1. Advertisements

  2. crzzy1

    crzzy1 Guest

    Would anyone like to take a stab at how I am getting so many matches
    on my ACL?

    crzzy1, Apr 26, 2010
    1. Advertisements

  3. crzzy1

    Rob Guest

    It could be that "host" actually is the internal coding for "any"
    in an access list.
    Although I would expect that it would come back as "permit ip any any"
    on show running-config.
    Rob, Apr 27, 2010
  4. crzzy1

    bod43 Guest

    Ah wait a minute!!! Surely these should be standard ACLs?
    What does ANY extended ACL mean in the context of
    route filtering? What is the source, what is the dest.?

    I have written the stuff below now so I will leave it in
    but I can't see that it is relevant given the above.

    Might just be a bug, after all who is going to test
    such an ACL?

    10 permit ip host host
    is synonymous with
    10 permit ip

    ie all zeros IP address with no wildcard bits.

    I suppose that the BGP process might interpret that
    as a default route or something but that would be a bug.

    Surely the answer is to get rid of that line in the ACL and
    put in what is required?

    Usually all routes would be of course
    perm ip

    zeros IP address with all bits wildcarded.
    bod43, Apr 27, 2010
  5. crzzy1

    crzzy1 Guest

    I see no reason to use an extended ACL for redistribution. Just a
    standard ACL or a distribute list will do.
    I agree with Rob (also BOD43), that this is probably a bug, Rob is
    right in asking who would ever use it for this purpose, and therefore
    test it for this, or even care?

    crzzy1, Apr 28, 2010
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.