Hey Major,
The difference is in how they are applied. Let’s go through your route map (let’s say BGP inbound from a neighbor).
I am router 1, and I have applied your route map to my neighbor, router 2, inbound. I have 2 routes coming in from this neighbor.
- 10.0.0.101/32
- 192.168.1.1/32
Okay, let’s check our routes against the prefix lists and the route-map.
10.0.0.101/32
- There is a route-map for the neighbor inbound, check the first sequence number.
- Sequence 10 matches prefix list test-100.
- I go down prefix list test-100 to see if I have a matching IP address. As my IP is not 10.0.0.100/32, I do not match the first entry. I check the second entry, deny all. Because it is a deny, I can’t get a match on anything else in this prefix (we only match permit statements in a prefix list), so we do not match this list.
- Since I do not match against this list, I do not set my local preference to 1000. Move on to sequence 20 in the route-map.
- Sequence 20 matches prefix list test-101.
- I check the first entry in the prefix list and it matches my first entry of 10.0.0.101/32!
- Because it matches, I check my actions under the route-map. Actions say I should update the local preference.
- I update the local preference and add the route to my bgp-adj-in table. If it meets other criteria, it will be added to my RIB.
192.168.1.1/32
- There is a route-map for the neighbor inbound, check the first sequence number.
- I go down prefix list test-100 to see if I have a matching IP address. As my IP is not 10.0.0.100/32, I do not match the first entry. I check the second entry, deny all. Because it is a deny, I can’t get a match on anything else in this prefix (we only match permit statements in a prefix list), so we do not match this list.
- Since I do not match against this list, I do not set my local preference to 1000. Move on to sequence 20 in the route-map.
- This continues through all of the sequences until I get to sequence 50 in the route-map.
- Because there is a deny all in this statement, I am telling BGP to deny this packet, so BGP will not allow me to add 192.168.1.1/32 to my bgp-adj-in; it cannot be checked and added to my routing table. I have effectively blocked this route.
This is how the route-map uses the denies in both the prefix-list and the route-map. Since I saw you made another post on the specifics of an implicit and explicit deny, I will answer that under that post.
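
The evaluation order walked through above, as an added example that is not part of the original post: a small Python model of first-match processing in a prefix list and in a route-map. The configuration is reconstructed; the `deny 0.0.0.0/0 le 32` entries, the local preference of 500 at sequence 20, and modelling sequence 50 as a deny with no match clause are assumptions, and sequences 30 and 40 are omitted because the post does not describe them.

```python
import ipaddress

# Constructed configuration. Only test-100/test-101, 10.0.0.100/32,
# 10.0.0.101/32, local preference 1000 and sequences 10/20/50 come from
# the post; everything else is assumed for illustration.
PREFIX_LISTS = {
    "test-100": [("permit", "10.0.0.100/32"), ("deny", "0.0.0.0/0 le 32")],
    "test-101": [("permit", "10.0.0.101/32"), ("deny", "0.0.0.0/0 le 32")],
}
ROUTE_MAP = [
    (10, "permit", "test-100", {"local_pref": 1000}),
    (20, "permit", "test-101", {"local_pref": 500}),  # value assumed
    (50, "deny", None, {}),  # assumed: no match clause, so it matches everything
]

def entry_matches(spec, route):
    """True if an IPv4 route falls under one 'prefix/len [ge N] [le N]' entry."""
    parts = spec.split()
    net = ipaddress.ip_network(parts[0])
    opts = dict(zip(parts[1::2], map(int, parts[2::2])))
    lo = opts.get("ge", net.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    return route.subnet_of(net) and lo <= route.prefixlen <= hi

def prefix_list_permits(name, route):
    """The first entry that matches decides; a deny means 'no match' to the route-map."""
    for action, spec in PREFIX_LISTS[name]:
        if entry_matches(spec, route):
            return action == "permit"
    return False  # implicit deny at the end of every prefix list

def apply_route_map(prefix):
    """Return (sequence, set-actions); set-actions is None when the route is rejected."""
    route = ipaddress.ip_network(prefix)
    for seq, action, plist, sets in ROUTE_MAP:
        if plist is None or prefix_list_permits(plist, route):
            return (seq, sets) if action == "permit" else (seq, None)
    return (None, None)  # implicit deny at the end of the route-map

if __name__ == "__main__":
    for p in ("10.0.0.101/32", "192.168.1.1/32"):
        print(p, apply_route_map(p))
```

A deny inside the prefix list only makes that route-map sequence a non-match and evaluation continues at the next sequence, while the deny on the route-map sequence itself is what rejects the route.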