596 Configuring Access Control Lists
• List of default next hop IP addresses — The
set ip default next-hop
command checks the list of destination IP addresses in the routing table
and, if there is no explicit route for the packet's destination address in the
routing table, the next-hop destinations in the rule are evaluated, and
packets are routed to the first available next hop. Packets that do not
match are routed using the routing table default. A default route in the
routing table is not considered an explicit route for an unknown
destination address. This type of rule takes priority over default entries in
the routing table but is processed after explicit routing table entries.
• IP precedence — Packets matching the criteria have their IP precedence
rewritten. The IP precedence value is the four ToS bits in the IP packet
header.
Limitations
Set Clause Required
Route-map deny/permit statements without “set” clauses are ignored.
No Implicit “deny all” Rule
When an access-group is applied to an interface, an implicit rule of “deny all”
is applied after the last access-group on the interface. When match rules in an
ACL associated with a permit route-map are successful, the packets are
considered as candidates to be routed according to the set clauses specified in
the route-map. If none of the permit rules match, then the packet is routed
by the standard L3 routing process. The implicit “deny all” rule is not
applicable to ACLs associated with “permit” route-maps.
Black Holes Possible
If the next hop specified by a policy based rule is not reachable, packets
matching the rule are routed using the routing table. If the routing table does
not supply a route to the destination, then the packets are lost. If a set
interface Null0 clause is present in the policy map, the packets are dropped.
The set interface null0 command can also be used to drop undesirable or
unwanted traffic, i.e., to create a black hole route.
To Next Page
Loading...
Need help?
General