Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Defining Route Maps [Cisco ASA 5500 Series Adaptive Security Appliances]

Table Of Contents

Defining Route Maps

Overview

Permit and Deny Clauses

Match and Set Commands

Licensing Requirements for Route Maps

Guidelines and Limitations

Defining a Route Map

Customizing a Route Map

Defining a Route to Match a Specific Destination Address

Configuring the Metric Values for a Route Action

Configuration Example for Route Maps

Feature History for Route Maps

Additional References

Related Documents

Defining Route Maps

This chapter includes the following sections:

•Overview

•Licensing Requirements for Route Maps

•Guidelines and Limitations

•Defining a Route Map

•Customizing a Route Map

•Configuration Example for Route Maps

•Feature History for Route Maps

Overview

Route maps are used when redistributing routes into an OSPF, RIP, or EIGRP routing process. They are also used when generating a default route into an OSPF routing process. A route map defines which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process.

Route-maps have many features in common with widely known access control lists (ACLs). These are some of the traits common to both mechanisms:

•They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation of ACL or route-maps consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.

•They are generic mechanisms—criteria matches and match interpretation are dictated by the way they are applied. The same route-map applied to different tasks might be interpreted differently.

These are some of the differences between route-maps and ACLs:

•Route-maps frequently use ACLs as matching criteria.

•The main result from the evaluation of an access list is a yes or no answer—an ACL either permits or denies input data. Applied to redistribution, an ACL determines if a particular route can (route matches ACLs permit statement) or can not (matches deny statement) be redistributed. Typical route-maps not only permit (some) redistributed routes but also modify information associated with the route, when it is redistributed into another protocol.

•Route-maps are more flexible than ACLs and can verify routes based on criteria which ACLs can not verify. For example, a route-map can verify if the type of route is internal.

•Each ACL ends with an implicit deny statement, by design convention; there is no similar convention for route-maps. If the end of a route-map is reached during matching attempts, the result depends on the specific application of the route-map. Fortunately, route-maps that are applied to redistribution behave the same way as ACLs: if the route does not match any clause in a route-map then the route redistribution is denied, as if the route-map contained deny statement at the end.

The dynamic protocol redistribute command allows you to apply a route-map. Route-maps are preferred if you intend to either modify route information during redistribution or if you need more powerful matching capability than an ACL can provide. If you simply need to selectively permit some routes based on their prefix or mask, Cisco recommends that you use route-map to map to an ACL (or equivalent prefix list) directly in the redistribute command. If you use a route-map to selectively permit some routes based on their prefix or mask, you typically use more configuration commands to achieve the same goal.

The following is a typical Open Shortest Path First to Enhanced Interior Gateway Routing Protocol (OSPF-to-EIGRP) route-map, applied in a redistribute command:
!
router eigrp 1
 redistribute ospf 1 route-map ospf-to-eigrp
 default-metric 20000 2000 255 1 1500
!--- Output suppressed.
!
route-map ospf-to-eigrp deny 10
match route-type external type-2
!
route-map ospf-to-eigrp permit 20
 match ip address prefix-list pfx
 set metric 40000
!
route-map ospf-to-eigrp permit 30
There are several points to note from this example:

•Route-map clauses are numbered. In the above example, clauses have sequence numbers 10, 20, and 30. Sequence numbers allow you to do these actions:

–Easily delete one specific clause but not affect other parts of the route-map.

–Insert a new clause between two existing clauses.

Cisco recommends that you number clauses in intervals of 10, to reserve numbering space in case you need to insert clauses in the future.

Permit and Deny Clauses

Route-maps can have permit and deny clauses. In route-map ospf-to-eigrp, there is one deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches from redistribution. Therefore, these rules apply:

•If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.

•If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.

•If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.

Match and Set Commands

Each route-map clause has two types of commands:

•match—Selects routes to which this clause should be applied.

•set—Modifies information which will be redistributed into the target protocol.

For each route that is being redistributed, the router first evaluates the match command of a clause in the route-map. If the match criteria succeeds, then the route is redistributed or rejected as dictated by the permit or deny clause, and some of its attributes might be modified by set commands. If the match criteria fails, then this clause is not applicable to the route, and the software proceeds to evaluate the route against the next clause in the route-map. Scan of the route-map continues until a clause is found whose match command(s) match the route or until the end of the route-map is reached.

A match or set command in each clause can be missed or repeated several times, if one of these conditions exist:

•If several match commands are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).

•If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip address 101 121 command, a route is permitted if it is permitted by access list 101 or access list 121.

•If a match command is not present, all routes match the clause. In the previous example, all routes that reach clause 30 match; therefore, the end of the route-map is never reached.

•If a set command is not present in a route-map permit clause then the route is redistributed without modification of its current attributes.

Note Do not configure a set command in a deny route-map clause because the deny clause prohibits route redistribution—there is no information to modify.

A route-map clause without a match or set command performs an action. An empty permit clause allows a redistribution of the remaining routes without modification. An empty deny clause does not allows a redistribution of other routes (this is the default action if a route-map is completely scanned but no explicit match is found).

Licensing Requirements for Route Maps

Model

License Requirement

All models

Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature:

Context Mode Guidelines

Supported in single context mode.

Firewall Mode Guidelines

Supported only in routed firewall mode. Transparent mode is not supported.

IPv6 Guidelines

Does not support IPv6.

Defining a Route Map

To define a route map, perform the following steps:

Detailed Steps
Command

Purpose
route-map name {permit | deny} 
[sequence_number] 
Example:
hostname(config)# route-map name {permit} 
[12]
Create the route map entry.

Route map entries are read in order. You can identify the order using the sequence_number option, or the adaptive adaptive security appliance uses the order in which you add the entries.
Customizing a Route Map

This section describes how to customize the route map, and includes the following topics:

•Defining a Route to Match a Specific Destination Address

•Configuring the Metric Values for a Route Action

Defining a Route to Match a Specific Destination Address

To define a route to match a specified desitnation address, perform the following steps:

Detailed Steps
Command

Purpose
Step 1
route-map name {permit | deny} 
[sequence_number] 
Example:
hostname(config)# route-map name {permit} 
[12]
Create the route map entry.

Route map entries are read in order. You can identify the order using the sequence_number option, or the adaptive adaptive security appliance uses the order in which you add the entries.
Step 2

Enter one of the following match commands to match routes to a specified destination address:
match ip address acl_id [acl_id] [...]
Example:
hostname(config-route-map)# match ip 
address acl_id [acl_id] [...]
This allows you to match any routes that have a destination network that matches a standard ACL.

If you specify more than one ACL, then the route can match any of the ACLs.
match metric metric_value
Example:
hostname(config-route-map)# match metric 
200
This allows you to match any routes that have a specified metric.

The metric_value can be from 0 to 4294967295.
match ip next-hop acl_id [acl_id] [...]
Example:
hostname(config-route-map)# match ip 
next-hop acl_id [acl_id] [...]
This allows you to match any routes that have a next hop router address that matches a standard ACL.

If you specify more than one ACL, then the route can match any of the ACLs.
match interface if_name
Example:
hostname(config-route-map)# match 
interface if_name 
This allows you to match any routes with the specified next hop interface.

If you specify more than one interface, then the route can match either interface.
match ip route-source acl_id [acl_id] 
[...]
Example:
hostname(config-route-map)# match ip 
route-source acl_id [acl_id] [...]
This allows you to match any routes that have been advertised by routers that match a standard ACL.

If you specify more than one ACL, then the route can match any of the ACLs.
match route-type {internal | external 
[type-1 | type-2]}
Example:
hostname(config-route-map)# match 
route-type internal type-1
This allows you to match the route type.
Configuring the Metric Values for a Route Action

If a route matches the match commands, then the following set commands determine the action to perform on the route before redistributing it.

To configure a route's action, perform the following steps:

Detailed Steps
Command

Purpose
Step 1
route-map name {permit | deny} 
[sequence_number] 
Example:
hostname(config)# route-map name {permit} 
[12]
Create the route map entry.

Route map entries are read in order. You can identify the order using the sequence_number option, or the adaptive adaptive security appliance uses the order in which you add the entries.
Step 2

Enter one or more of the following set commands to set a metric for the route map.
set metric metric_value
Example:
hostname(config-route-map)# set metric 200
This allows you to set the metric.

The metric_value can be a value between 0 and 294967295.
set metric-type {type-1 | type-2}
Example:
hostname(config-route-map)# set 
metric-type type-2
This allows you to set the metric type.

The metric-type can be type-1 or type-2.
Configuration Example for Route Maps

The following example shows how to redistribute routes with a hop count equal to 1 into OSPF. The adaptive security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1.

Step 1 Create a route map.
hostname(config)# route-map 1-to-2 permit
Step 2 Define a route to match the specified value:
hostname(config-route-map)# match metric 1
Step 3 Set the metric value for the route map.
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
Feature History for Route Maps

Table 20-1 lists the release history for this feature.

Table 20-1 Feature History for Route Maps

Feature Name

Releases

Feature Information

route-map

7.0

The route-map command allows you to define a route map entry.

Additional References

For additional information related to routing, see the following:

•Related Documents

Related Documents

Related Topic

Document Title

Routing Overview

Information About Routing

How to configure OSPF

Configuring OSPF

How to configure EIGRP

Configuring EIGRP

How to configure RIP

Configuring RIP

How to configure a static or default route

Configuring Static and Default Routes

How to configure multicast routing

Configuring Multicast Routing