[Q] IP policy route-map questions

Discussion in 'Cisco' started by Henry Yen, Apr 15, 2004.

  1. Henry Yen

    Henry Yen Guest

    Greetings. I've re-re-reviewed my cisco IOS12 books as well as this
    group's FAQ as well as some googling. I didn't find a comprehensive
    reference on policy routing route-map semantics. My basic understanding
    is that policy routing occurs when a packet is RECEIVED on an interface
    on which the "ip policy route-map" command is placed (at least, that's
    the way it currently works on those handful of instances where
    I currently am running policy routing).

    [Q1] My first question concerns the ACL on the "match ip address" statement.
    The sources I reviewed are conflicting in their description of
    whether the ACL refers to the SOURCE address of the packet or the
    DESTINATION address. Which is it?

    route-map TEST1 permit 1
    match ip address 60
    set <...>

    access-list 60 permit 10.9.8.0 0.0.0.255

    When applied via "ip policy route-map TEST1", which packets coming
    from that interface will be matched, SOURCE 10.9.8.0/24 or DESTINATION
    10.9.8.0/24, or both?

    [Q2] Does the use of an extended IP ACL allow matching on both SOURCE and
    DESTINATION simultaneously?

    route-map TEST2 permit 1
    match ip address ACL2
    set <...>

    ip access-list extended ACL2
    permit tcp any host 10.8.6.4 eq smtp

    Would the above be stating a match to the route-map for only TCP packets
    coming from the interface in which TEST2 was specified, and which have a
    destination of 10.8.6.4/32, port 25?

    [Q3] In light of these questions, how does "match ip address <ACL ...>"
    relate to "match ip next-hop <ACL ...>"? By the time the packet is received
    (the route-map is now being interpreted on the receiving interface), wouldn't
    the next-hop address (from the sending interface) be missing?

    [Q4] What are the semantics if more than one ACL is listed:

    match ip address 61 ACL3

    Do packets match if they are in BOTH ACL's, or in EITHER ACL?

    [Q4] What is the meaning of the TAG value -- briefly, what is it,
    and does it have any functionality for policy routing?

    [Q5] What is the meaning of "match interface" -- what is it, and how
    could it ever differ from the interface on which the ip policy route-map
    is applied? (This is along the same lines as [Q3].)

    [Q6] I think that the difference between "set ip default next-hop" and
    "set ip next-hop" is that the former is used for when the next-hop
    address might not appear in the routing table (so that the packet would
    effectively have its very own default route); is that correct?

    [Q7] What's the relationship between "set default interface" and
    "set interface" (IP addresses/masks are in the routing table, but
    interfaces are not)?

    [Q8] How does the chaining of sequenced route-map sections act with
    the "deny" and "permit" keywords? I think that it works like:
    - if there is no "match" on this section, proceed to the next-higher-numbered
    section and try again.
    - if there is a "match" on this section, and the keyword is "permit",
    execute the "set" clause(s), stop parsing the route-map, and route
    the resulting packet.
    - if there is a "match" on this section, and the keyword is "deny",
    just stop parsing the route-map, and route the resulting packet (ignoring
    any "set" clauses).

    [Q9] With regard to "match ip address" (and/or "match ip next-hop"?),
    a route-map section will be considered a "match" if the packet would
    normally not have been blocked if the specified ACL(s) (AND or OR?)
    were referenced via an "access-group" interface statement?

    If there's a good cisco.com link that describes these in detail,
    just let me know. Thanks in advance.
     
    Henry Yen, Apr 15, 2004
    #1

  2. I suspect it's the same as when using a standard ACL in a packet filter,
    which I believe matches the destination address.

    Yes. It matches the same way as using the ACL in a packet filter.

    I've never seen this type of matching done in a policy route. However,
    I expect that it will normally use the next-hop address that was
    determined using standard routing.

    It's OR. If you want to AND them, use two separate match statements:

    match ip address 61
    match ip address ACL3

    You can apply the same route-map to multiple interfaces. This allows
    the route-map to determine which one the packet was received on.

    Correct. If there's an entry in the routing table that matches the
    packet's destination, "set ip next-hop" will override it, but "set ip
    default next-hop" won't.

    You can put interfaces in the routing table:

    ip route 1.2.3.0 255.255.255.0 Serial0

    So this route-map statement is just like "set ip [default] next-hop",
    except that it routes to an interface rather than a next-hop address,
    just like the above routing statement.

    Correct.
     
    Barry Margolin, Apr 15, 2004
    #2

  3. AnyBody43

    AnyBody43 Guest

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
    "the order in which transactions are processed"

    This document references NAT in particular however my ASSUMPTION
    has always been that one just misses out any steps that are
    not relevant.

    http://www.cisco.com/en/US/products...on_guide_chapter09186a00800b3e13.html#1001229
    CISCO IOS SOFTWARE RELEASES 12.1 MAINLINE
    Configuring IP Services
    Says:
    "Defines a standard IP access list using a source address and
    wildcard."
    I _believe_ it.

    Good luck.
     
    AnyBody43, Apr 15, 2004
    #3
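The following is an added, constructed example; it is not code from this thread or from Cisco. It is a small Python model of the route-map behaviour discussed above: a standard ACL on "match ip address" tests the packet's source address (as the Cisco documentation quoted in the reply just above states), an extended ACL tests protocol, source, destination and port, several ACLs on one "match ip address" line are ORed, sequences are tried in order with the first match winning, a matching "deny" sequence (or no match at all) leaves the packet to normal routing, and "set ip next-hop" overrides the routing table while "set ip default next-hop" applies only when the table has no explicit (non-default) route for the destination. ACL 60 and ACL2 mirror the thread; ACL 70, the 203.0.113.x next hops, the 192.0.2.x routing table and the sample packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:                 # constructed packet abstraction
    src: str
    dst: str
    proto: str = "ip"         # "ip", "tcp" or "udp"
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


ANY = ("0.0.0.0", "255.255.255.255")       # "any"
def host(a: str): return (a, "0.0.0.0")   # "host A"


@dataclass
class StdEntry:               # e.g. "access-list 60 permit 10.9.8.0 0.0.0.255"
    action: str
    src: tuple                # (base, wildcard): a standard ACL tests the SOURCE address

    def matches(self, p: Packet) -> bool:
        return wildcard_match(p.src, *self.src)


@dataclass
class ExtEntry:               # e.g. "permit tcp any host 10.8.6.4 eq smtp"
    action: str
    proto: str
    src: tuple
    dst: tuple
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or p.proto == self.proto)
                and wildcard_match(p.src, *self.src)
                and wildcard_match(p.dst, *self.dst)
                and (self.dport is None or p.dport == self.dport))


def acl_permits(entries, p: Packet) -> bool:
    """First-match evaluation; the implicit 'deny any' at the end means no match."""
    for e in entries:
        if e.matches(p):
            return e.action == "permit"
    return False


@dataclass
class Clause:                 # one "route-map NAME permit|deny SEQ" block
    seq: int
    action: str
    acls: list = field(default_factory=list)   # "match ip address A B ...": ORed
    next_hop: Optional[str] = None             # "set ip next-hop"
    default_next_hop: Optional[str] = None     # "set ip default next-hop"

    def matches(self, p: Packet) -> bool:
        return not self.acls or any(acl_permits(a, p) for a in self.acls)


def lookup(routing_table, dst: str):
    """Longest-prefix match over [(prefix, next_hop)]; returns (network, next_hop)."""
    best = (None, None)
    d = ipaddress.IPv4Address(dst)
    for prefix, nh in routing_table:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best[0] is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def policy_route(route_map, routing_table, p: Packet):
    """Return (next_hop, reason) for a packet received on an interface with 'ip policy'."""
    net, normal = lookup(routing_table, p.dst)
    explicit = net is not None and net.prefixlen > 0   # a 0.0.0.0/0 route is not explicit
    for c in sorted(route_map, key=lambda c: c.seq):
        if not c.matches(p):
            continue                                   # try the next sequence number
        if c.action == "deny":
            return normal, f"seq {c.seq} deny: routed normally"
        if c.next_hop:
            return c.next_hop, f"seq {c.seq}: set ip next-hop"
        if c.default_next_hop and not explicit:
            return c.default_next_hop, f"seq {c.seq}: set ip default next-hop"
        return normal, f"seq {c.seq}: explicit route wins, routed normally"
    return normal, "no clause matched: routed normally"


# Constructed configuration: ACL 60 and ACL2 as in the thread, the rest assumed.
ACL_60 = [StdEntry("permit", ("10.9.8.0", "0.0.0.255"))]
ACL_70 = [StdEntry("permit", host("10.9.8.250"))]               # host exempt from policy
ACL2 = [ExtEntry("permit", "tcp", ANY, host("10.8.6.4"), 25)]
ROUTE_MAP = [
    Clause(10, "permit", acls=[ACL2], next_hop="203.0.113.1"),
    Clause(20, "deny", acls=[ACL_70]),
    Clause(30, "permit", acls=[ACL_60], default_next_hop="203.0.113.2"),
]
ROUTING_TABLE = [("10.8.6.0/24", "192.0.2.1"), ("0.0.0.0/0", "192.0.2.254")]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.1", "10.8.6.4", "tcp", 25),
                Packet("10.9.8.250", "198.51.100.9", "udp", 53),
                Packet("10.9.8.7", "198.51.100.9", "udp", 53),
                Packet("10.9.8.7", "10.8.6.9", "udp", 53),
                Packet("172.16.0.1", "10.9.8.5")):
        print(pkt.src, "->", pkt.dst, policy_route(ROUTE_MAP, ROUTING_TABLE, pkt))
```

The last sample packet is the point of the first question: its destination lies in 10.9.8.0/24 but its source does not, so ACL 60 does not match and the packet is routed normally. The fourth packet shows the "default next-hop" distinction: sequence 30 matches, but because 10.8.6.0/24 is an explicit route the routing table wins, whereas the third packet, with only the 0.0.0.0/0 route available, is sent to the default next hop.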
