What Is Route Map in Networking?
Also known as: route map, cisco route map, route map encor, route map definition, ccnp route map
Quick Definition
A route map is like a traffic cop for network data. It checks each packet or route against a set of rules you create. If a packet matches a rule (like coming from a certain address), the route map tells the router what to do with it, such as allowing it, blocking it, or sending it a different way. This helps network administrators manage how data moves through a network securely and efficiently.
Must Know for Exams
The Cisco CCNP Enterprise 350-401 ENCOR exam places significant emphasis on route maps, especially within the 'Layer 3' and 'Infrastructure Services' domains. Cisco expects candidates not only to know what a route map is but to be able to configure, verify, and troubleshoot them in various scenarios. The exam objectives list 'Route Maps' explicitly under 'Layer 3' and 'Policy-Based Routing.'
In the ENCOR exam, you will encounter route maps in at least three major contexts. First, in BGP path manipulation questions, where you use route maps with 'set local-preference' or 'set metric' to influence inbound or outbound route selection. Second, in route redistribution scenarios, where you configure a route map to filter specific routes from OSPF into EIGRP while changing the metric to prevent routing loops. Third, in Policy-Based Routing questions, where you apply a route map to an interface to match traffic by source IP or protocol and forward it to a specific next-hop.
The exam tests both configuration and analysis. You might be given a show command output (like 'show route-map') and asked to interpret what the route map will do. Or you might be given a network topology with symptoms of a routing issue (e.g., traffic not reaching a server) and asked to identify which route map entry is causing the problem. Cisco often tests the sequential nature of route maps and the implicit deny at the end. For example, a question might present a route map with two permit entries and ask what happens to a route that does not match either entry. The correct answer is that it is denied (not redistributed).
To succeed, you must memorize the syntax and behavior: 'permit' allows matching routes to be processed, 'deny' rejects them; 'set' modifies attributes; and routes are processed in sequence number order. Practice with real lab configurations on Packet Tracer or GNS3 to gain confidence.
Simple Meaning
Imagine you are the manager of a busy office building with many departments. Every day, hundreds of deliveries arrive at the front desk. You cannot let every package go everywhere, or there would be chaos. You need a simple set of rules. For example, all packages from the postal service go to the mail room. Packages marked 'confidential' go directly to the legal department. Food deliveries go to the cafeteria. You post these rules on a clipboard at the front desk. This clipboard is your 'route map.' In networking, a route map works exactly like that clipboard.
A route map is a sequence of rules, called 'match and set' statements. The 'match' part describes a condition, like 'if a packet comes from this network address' or 'if a route has a specific tag.' The 'set' part tells the router what action to perform, such as 'change the next hop to this other router' or 'block this traffic.' The router goes through the route map from top to bottom. It checks each packet or route against the first rule. If it matches, the router does the action and stops checking further rules (by default). If it does not match, the router moves to the next rule. This makes route maps very flexible for controlling traffic flow, rerouting around failures, or enforcing security policies.
You can think of a route map as a sophisticated filter or policy that goes beyond simple routing table lookups. While a basic routing table just says 'send packets for network X to router Y,' a route map can say 'send packets for network X to router Y, but only if they come from network Z, and tag them as priority traffic.' This granular control is essential in large enterprise networks where administrators need to manage traffic from hundreds of devices, prioritize critical applications like voice or video, and prevent unauthorized access.
Full Technical Definition
A route map is a Cisco IOS data structure that provides conditional logic for route redistribution, policy-based routing, and BGP path manipulation. It is configured using a sequence of statements, each containing a match clause and optionally one or more set clauses. The match clause specifies criteria (e.g., IP prefix, next-hop, metric, tag, community value) that a route or packet must satisfy. The set clause specifies actions to perform on matching routes (e.g., set metric, set next-hop, set local preference, set community).
Route maps are processed sequentially. Each route or packet is tested against the first route map entry. If it matches the match criteria, the set actions are applied, and by default, the router does not evaluate further entries for that route (unless the 'continue' keyword is used). If it does not match, the router proceeds to the next entry. If no entry matches, the route or packet is denied (i.e., not redistributed, not policy-routed, or not advertised in BGP). This implicit deny at the end is a critical security and design consideration.
Route maps are heavily used in BGP (Border Gateway Protocol) to control path selection and route advertisement. For example, an administrator can use a route map to set a higher local preference for traffic from a specific customer network, making that path preferred. They are also used in route redistribution between routing protocols (e.g., OSPF to EIGRP) to filter routes and modify metrics so that routes from one protocol are 'translated' correctly into another. In Policy-Based Routing (PBR), route maps allow forwarding decisions based on source address, packet length, or even application type, overriding the normal routing table.
Key components include: the 'sequence number' which defines the order of evaluation; the 'permit' or 'deny' keyword which controls whether a matching route is processed or rejected; and match/set clauses that use access-lists, prefix-lists, community-lists, or directly specified values. Route maps can also reference other route maps via the 'continue' clause to create more complex logic chains. Understanding route maps is essential for CCNP-level networking professionals, as they appear in almost every advanced routing scenario, especially in BGP and redistribution contexts on the ENCOR exam.
Real-Life Example
Think of a large university library that has a very detailed book sorting and borrowing system. The library receives thousands of books every day from different sources. Some books are new purchases, some are donations, and some are returns from branch libraries. The library cannot just put every book on any shelf. It needs a rulebook, which is the route map.
First, the rulebook says: 'If a book is a textbook (match: genre is 'textbook'), send it to the 'Reserve Section' (set: destination = reserve shelf).' This is a 'permit' statement. If a book is a donated romance novel (match: genre is 'romance'), the rulebook says 'put it in the 'General Fiction' section (set: destination = fiction floor).' If a book is damaged (match: condition is 'damaged'), the rulebook says 'reject it' (deny). The library assistant follows the rules in order. She picks up a book, reads the first rule. If it matches, she puts it where the rule says and stops. If not, she reads the second rule. If the book doesn't match any rule, she puts it aside for special processing (implicit deny).
In networking, the 'books' are network routes or packets. The 'library' is the router. The 'rulebook' is the route map. The 'shelves' are different interfaces or routers. When a route arrives from a neighbor, the route map checks its source, its tag, its prefix. If it matches a permit rule, the route is accepted and maybe its metric is changed. If it matches a deny rule, the route is dropped. In BGP, for example, a route map can control which routes are advertised to a business partner and which are kept private, just like the rulebook decides which books go to which shelves.
Why This Term Matters
Route maps are a core tool in any enterprise network that runs Cisco equipment. They give network engineers precise control over routing behavior that basic routing protocols cannot provide alone. Without route maps, a router would simply follow its routing table and make decisions based solely on destination IP. Route maps allow engineers to implement business policies directly into the network.
For example, a company might want traffic from its research department to use a faster but more expensive connection to the internet, while all other traffic uses a cheaper backup link. This is impossible with a standard routing table. But with a route map using Policy-Based Routing, the engineer can match traffic based on source IP (the research department subnet) and set the next-hop to the fast link. This ensures that critical data gets the priority it needs.
Route maps are also vital for network security. They can be used to filter out malicious or unwanted route advertisements. In BGP, improperly configured route maps can cause traffic to be hijacked or sent to the wrong destination. By using route maps with prefix-lists, administrators can ensure that only authorized networks are advertised to internet peers, preventing accidental or malicious route leaks.
In large-scale networks with multiple routing protocols (OSPF, EIGRP, BGP), route maps are the only practical way to redistribute routes safely. They allow an administrator to control which routes are injected from OSPF into BGP and to adjust the metrics so that the receiving router knows the relative cost of the route. This is critical for maintaining loop-free topology and predictable traffic flows. For anyone studying for the CCNP ENCOR exam, mastering route maps is not optional—it is directly tested and required for real-world configurations.
How It Appears in Exam Questions
Route map questions in the CCNP ENCOR exam typically fall into four categories: configuration, interpretation, troubleshooting, and design.
Configuration questions require you to select the correct command sequence to achieve a specific goal. For example, 'You need to redistribute only routes from the 10.10.0.0/16 network from OSPF into EIGRP with a metric of 100. Which route map configuration accomplishes this?' The answer will involve creating a prefix-list to match the network, then a route map referencing that prefix-list with a permit statement and a set metric command.
Interpretation questions present a show command output and ask you to predict behavior. For example, 'Given the show route-map output showing two permit entries, one matching network A with set local-preference 200, and one matching network B with set local-preference 100, what will be the local preference for a route that matches both networks?' Since route maps stop at the first match (by default), the route will get local-preference 200. You must understand the default behavior that evaluation stops after a match unless 'continue' is used.
Troubleshooting questions describe a network problem and ask which route map entry is misconfigured. For instance, 'Traffic from the Engineering VLAN is being sent to the backup router instead of the primary. The policy-based routing route map has three entries. Which entry is incorrect?' You might find that the match statement for Engineering source addresses is using the wrong prefix-list, or that the sequence order causes a less specific match to override a more specific one.
Design questions ask you to choose the best route map strategy. For example, 'You need to ensure that only customer routes with community value 100:1 are advertised to BGP peer 192.0.2.1. Which route map approach is correct?' The correct answer uses a community-list to match, and a route map with deny for routes without the community, and permit for those with it.
Another common pattern is the 'what happens next' question. 'A route matches the first entry in a route map (permit) and has a set metric of 50. It also matches the second entry (deny). What is the final metric?' The answer is 50, because the first match is applied and the route map stops. Understanding this sequential logic is critical.
Example Scenario
A company called TechFlow has two connections to the internet. One is a high-speed fiber link, and the other is a slower DSL backup. TechFlow uses BGP to exchange routes with both internet service providers. The network administrator wants to send all outbound traffic from the finance department (subnet 10.0.10.0/24) through the fiber link for better performance, while all other traffic uses the DSL link as the default. Additionally, any traffic from finance that goes to the fiber link should be tagged with a community value '65000:100' so that the ISP can track it.
To implement this, the administrator configures a route map called 'FINANCE-PBR'. The first entry (sequence 10) matches traffic with source IP 10.0.10.0/24 (using an access-list). The set clause changes the next-hop to the fiber link interface IP and adds the community tag. A second entry (sequence 20) sends all other traffic to the DSL next-hop. The route map is then applied to the outbound interface on the core router.
Now, when a finance employee sends a request to a web server, the router checks the source IP against the route map. It matches the first entry, so the traffic is forwarded to the fiber link. If an employee from sales (subnet 10.0.20.0/24) sends a request, it does not match the first entry, so the second entry applies, sending it out the DSL link. This is a straightforward yet powerful use of route maps for policy-based routing.
Common Mistakes
Thinking that a route map processes all entries for a single route, applying multiple sets from different sequence numbers.
By default, a route map stops processing after the first matching permit entry. It does not continue to later entries. The 'continue' keyword can override this, but without it, only the first match executes.
Remember: route maps are top-down, first-match-wins. The router evaluates sequence 10 first. If it matches (permit), it applies the set actions and stops. If it matches but is a deny, the route is rejected and no further entries are tried for that route.
Assuming that a 'deny' in a route map means the route is allowed but not modified.
A 'deny' statement means the route is rejected (not redistributed, not policy-routed, or not advertised). It is not a 'no-op' that just passes the route through unmodified.
Think of permit as 'accept and optionally modify' and deny as 'reject outright.' If you want to pass a route unmodified, use a permit statement with no set clauses.
Forgetting the implicit deny at the end of every route map.
Cisco route maps have an implicit deny all at the end. If a route does not match any permit entry, it is denied. Many learners add permit entries but forget that the default last entry denies everything else.
Always include a final permit statement (e.g., sequence 9999 that matches any) if you want to allow all non-matching routes to pass through without modification.
Confusing the match clause with a condition that must be true for the entire route map to execute.
Each entry in a route map has its own match clause. The match clause only applies to that specific sequence number, not to the entire route map. Different entries can have different match criteria.
Read a route map as a list of independent if-then statements. The first 'if' that is true runs its 'then' and stops. Do not think of it as a single global condition.
Using an access-list in a route map without understanding that the access-list logic (implicit deny) interacts with the route map logic.
Access-lists themselves have an implicit deny at the end. When a route map entry uses an access-list, only traffic that matches a permit in the access-list will satisfy the route map's match. Traffic that matches a deny in the access-list (or none) will not match the route map entry, even if the route map entry itself is a permit.
Ensure your access-lists have the necessary permit statements for the traffic you intend to match. And remember that the access-list implicit deny can block traffic you thought should match the route map.
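The access-list interaction above, applied to the FINANCE-PBR scenario, as an added example that is not part of the original page. It models only the match and next-hop logic; the next-hop addresses, the ACL names and the FINANCE-EXCEPT variant are constructed for illustration.

```python
import ipaddress

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def acl_permits(acl, src):
    """Standard-ACL semantics: the first matching line decides and the list
    ends with an implicit deny. Each line is (action, address, wildcard);
    wildcard bits set to 1 are ignored in the comparison."""
    for action, addr, wildcard in acl:
        care = ~ip_int(wildcard) & 0xFFFFFFFF
        if (ip_int(src) & care) == (ip_int(addr) & care):
            return action == "permit"
    return False

def policy_route(route_map, acls, src):
    """Return (next_hop, seq) for a packet from src.
    next_hop None means the packet is not policy-routed and follows the
    normal routing table; seq None means no entry matched at all."""
    for seq, action, acl_name, next_hop in sorted(route_map, key=lambda e: e[0]):
        if acl_name is not None and not acl_permits(acls[acl_name], src):
            continue  # ACL deny or ACL implicit deny: this entry does not match
        if action == "deny":
            return (None, seq)
        return (next_hop, seq)
    return (None, None)

# Constructed next hops (documentation address ranges, not from the page)
FIBER = "192.0.2.1"
DSL = "198.51.100.1"

ACLS = {
    # Finance subnet from the scenario
    "FINANCE": [("permit", "10.0.10.0", "0.0.0.255")],
    # Hypothetical variant: someone tries to "block" one host inside the ACL
    "FINANCE-EXCEPT": [("deny", "10.0.10.50", "0.0.0.0"),
                       ("permit", "10.0.10.0", "0.0.0.255")],
}

# Entries are (sequence, action, ACL name or None for "no match clause", next hop)
FINANCE_PBR = [(10, "permit", "FINANCE", FIBER), (20, "permit", None, DSL)]
FINANCE_PBR_EXCEPT = [(10, "permit", "FINANCE-EXCEPT", FIBER),
                      (20, "permit", None, DSL)]
FINANCE_ONLY = [(10, "permit", "FINANCE", FIBER)]

if __name__ == "__main__":
    for src in ("10.0.10.7", "10.0.10.50", "10.0.20.7"):
        print(src,
              policy_route(FINANCE_PBR, ACLS, src),
              policy_route(FINANCE_PBR_EXCEPT, ACLS, src),
              policy_route(FINANCE_ONLY, ACLS, src))
```

The deny line in FINANCE-EXCEPT does not drop the host's traffic: it only stops entry 10 from matching, so the packet falls through to entry 20 and still leaves via the DSL next hop.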
Exam Trap — Don't Get Fooled
A question shows a route map with two entries: first entry is 'deny' matching network 10.0.0.0/8, second entry is 'permit' matching everything. The question asks: 'What happens to a route for 10.1.1.0/24?' Many learners think the deny entry only denies exact routes 10.0.0.0/8, so 10.1.1.0/24 passes through to the second entry and is permitted. Always check the exact matching criteria used in the match clause. If it uses an access-list that permits 10.0.0.0 0.255.255.255, then all subnets of 10.0.0.0/8 are matched. Also, remember that a deny entry stops further processing for that route, regardless of later permit entries. The only way to continue is to use the 'continue' keyword.
Commonly Confused With
An ACL is a simple ordered list of permit/deny statements that match packets based on source/destination IP, port, or protocol. It can filter traffic but cannot modify route attributes. A route map can do everything an ACL does (match conditions) plus modify routes (set commands) and apply complex logic across multiple protocols. A route map is more powerful and is used for routing policies, not just packet filtering.
An ACL on a router interface can block traffic from subnet 10.0.0.0/24. A route map can match that same traffic, forward it to a specific next-hop, and tag it with a BGP community.
A prefix-list is a configuration object that matches IP prefixes based on length and range. It is often used inside a route map as a match criterion. A prefix-list on its own does not take any action; it simply defines which routes match a pattern. A route map combines the match (often using a prefix-list) with an action (set). Prefix-lists are more efficient than ACLs for matching routes in route maps.
A prefix-list named 'MY-NETS' matches 10.0.0.0/8 le 24. A route map uses 'match ip address prefix-list MY-NETS' to select those routes, then 'set metric 100' to change their metric.
PBR is a technique that uses a route map to override the normal routing table for certain packets. While route maps are used to implement PBR, they are also used for many other purposes like route redistribution, BGP policy, and NAT. PBR specifically refers to the act of forwarding packets based on source IP, protocol, or other fields, rather than just destination. So PBR is one application of route maps, not a synonym.
Applying a route map to an interface for PBR: match traffic from subnet 10.1.1.0/24, set next-hop 192.168.1.1. The same route map could be reused for BGP outbound filtering by applying it to a BGP neighbor statement.
Step-by-Step Breakdown
Define the objective
Before writing a route map, decide what you want to achieve: filter routes, modify attributes, redirect traffic, or a combination. This determines the match criteria and set actions. For example, 'I want to set the local preference to 200 for routes from customer A in BGP.'
Create the match criteria using ACL or prefix-list
Route maps do not contain IP addresses directly. They refer to an access list or prefix-list to define which prefixes or packets to match. For route redistribution, use a prefix-list (more efficient). For PBR, use an extended ACL that matches source/destination IP, port, protocol. Create the ACL or prefix-list first.
Write the route map entries in sequence
Use the 'route-map NAME permit/deny SEQUENCE' command to create entries. Sequence numbers (e.g., 10, 20) set the order of evaluation. Use 'permit' to allow and modify, 'deny' to reject. For each entry, add 'match' commands (e.g., 'match ip address prefix-list X') and optionally 'set' commands (e.g., 'set metric 50').
Apply the route map to the appropriate process
A route map does nothing until it is applied. In BGP, apply it to a neighbor using 'neighbor x.x.x.x route-map NAME in/out'. In redistribution, use 'redistribute ospf 1 route-map NAME'. In PBR, apply it to an interface with 'ip policy route-map NAME'. The direction (in/out) is critical.
Verify and troubleshoot
Use 'show route-map NAME' to see the entries and match counters. Use 'show ip policy' for PBR. If the counters are not incrementing, the traffic may not match, or the route map may not be applied correctly. Check the sequence order and ensure the implicit deny is not blocking legitimate traffic. Add a final permit entry if needed.
Practical Mini-Lesson
Let us walk through a real-world configuration of a route map for BGP route manipulation. This is a common task for CCNP-level engineers. Suppose you manage an enterprise network that connects to two ISPs. You use BGP to receive full routes from both providers. Your goal: prefer routes from ISP-A for traffic destined to the 10.10.0.0/16 network, but use ISP-B as a backup. You also want to tag routes received from ISP-A with community 100:1 for internal tracking.
First, you need to create a prefix-list that matches the 10.10.0.0/16 prefix exactly. The command is 'ip prefix-list PREFERRED-NET permit 10.10.0.0/16'. Then, you create the route map. Enter global configuration mode: 'route-map SET-LOCAL-PREF permit 10'. This creates the first entry. Then add the match statement: 'match ip address prefix-list PREFERRED-NET'. Next, add the set commands: 'set local-preference 200' and 'set community 100:1'.
Now, create a second entry for everything else. Use 'route-map SET-LOCAL-PREF permit 20'. This entry should not have a match clause, meaning it matches all routes. Optionally, set a lower local preference, like 'set local-preference 100'. Without this, unmatched routes would be implicitly denied, and you would lose all other routes.
Apply the route map to the BGP neighbor for ISP-A: 'router bgp 65000', then 'neighbor 192.0.2.1 route-map SET-LOCAL-PREF in'. The 'in' direction means the route map processes routes coming from ISP-A into your router. Now, when ISP-A sends the 10.10.0.0/16 route, the first entry matches, sets its local preference to 200, and tags it with community 100:1. Other routes match the second entry and get local preference 100. Since higher local preference is preferred, traffic to 10.10.0.0/16 will go to ISP-A.
What can go wrong? If you forget the 'permit' on the second entry and type 'route-map SET-LOCAL-PREF deny 20', then all other routes would be denied, effectively dropping all routes from ISP-A except 10.10.0.0/16. The router would lose internet connectivity for most destinations. Always verify with 'show route-map' to see the number of matches. Entry order matters as well: with the more specific match first, the route map works, but if you put a broad match before a specific one, the specific match may never be reached. For example, if entry 10 matches all routes (no match clause), it will apply its set actions to everything, and entry 20 will never be evaluated.
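A small model of the SET-LOCAL-PREF route map from this mini-lesson, its 'deny 20' mistake, and the exam trap about 10.1.1.0/24, as an added example that is not Cisco's code or part of the original page. It assumes prefix-list matching only; the TEN-EXACT and TEN-AND-SUBNETS lists and the sample routes are constructed, and the trap is modelled with a prefix-list using 'le 32' in place of the access-list the text mentions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PrefixRule:
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.10.0.0/16"
    ge: Optional[int] = None
    le: Optional[int] = None

@dataclass
class Entry:
    seq: int
    action: str                          # "permit" or "deny"
    prefix_list: Optional[str] = None    # None = no match clause, matches every route
    sets: dict = field(default_factory=dict)

def prefix_list_permits(rules, route):
    """First matching rule decides; a prefix-list ends with an implicit deny."""
    net = ipaddress.ip_network(route)
    for r in rules:
        base = ipaddress.ip_network(r.prefix)
        if r.ge is None and r.le is None:
            lo = hi = base.prefixlen          # no ge/le: the length must be exact
        else:
            lo = r.ge if r.ge is not None else base.prefixlen
            hi = r.le if r.le is not None else base.max_prefixlen
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return r.action == "permit"
    return False

def evaluate(route_map, prefix_lists, route, attrs=None):
    """Return (verdict, attributes, seq) for one route.
    seq is None when the implicit deny at the end rejected the route."""
    for e in sorted(route_map, key=lambda e: e.seq):
        if e.prefix_list is not None and not prefix_list_permits(
                prefix_lists[e.prefix_list], route):
            continue                          # no match: try the next sequence number
        if e.action == "deny":
            return ("deny", None, e.seq)      # deny ends evaluation for this route
        return ("permit", {**(attrs or {}), **e.sets}, e.seq)
    return ("deny", None, None)

# PREFERRED-NET is from the mini-lesson; the TEN-* lists are constructed
PREFIX_LISTS = {
    "PREFERRED-NET": [PrefixRule("permit", "10.10.0.0/16")],
    "TEN-EXACT": [PrefixRule("permit", "10.0.0.0/8")],
    "TEN-AND-SUBNETS": [PrefixRule("permit", "10.0.0.0/8", le=32)],
}
TAGGED = {"local_preference": 200, "community": "100:1"}
SET_LOCAL_PREF = [Entry(10, "permit", "PREFERRED-NET", TAGGED),
                  Entry(20, "permit", None, {"local_preference": 100})]
# The mistake described in the text: entry 20 typed as deny
SET_LOCAL_PREF_BROKEN = [SET_LOCAL_PREF[0], Entry(20, "deny")]

def trap_map(list_name):
    """Exam-trap shape: deny 10 matching list_name, then permit 20 for everything."""
    return [Entry(10, "deny", list_name), Entry(20, "permit")]

if __name__ == "__main__":
    # Constructed sample routes
    for route in ("10.10.0.0/16", "10.10.5.0/24", "203.0.113.0/24"):
        print(route, evaluate(SET_LOCAL_PREF, PREFIX_LISTS, route),
              evaluate(SET_LOCAL_PREF_BROKEN, PREFIX_LISTS, route))
    for name in ("TEN-EXACT", "TEN-AND-SUBNETS"):
        print(name, evaluate(trap_map(name), PREFIX_LISTS, "10.1.1.0/24"))
```

Note that 10.10.5.0/24 is not matched by PREFERRED-NET, because a prefix-list line without ge or le matches the exact length only, so it falls to entry 20.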
Professionals also use route maps for redistribution between OSPF and EIGRP. When redistributing OSPF into EIGRP, you must set a seed metric because EIGRP requires one. A route map allows you to set different metrics for different OSPF routes. For example, routes from OSPF area 0 get metric 1000, while routes from area 1 get metric 2000. This is done by matching on a tag or prefix.
In summary, route maps are a Swiss army knife for Cisco routing. They are powerful but require careful design. Always plan your logic on paper, test in a lab, and use verify commands. For the ENCOR exam, practice configuring route maps on actual equipment or simulators to internalize the syntax and behavior.
Memory Tip
Think 'Sequence, Match, Set, Apply.' Route maps are evaluated in Sequence order. Each entry has a Match condition. If it matches, you Set attributes. Then you Apply the map to a process or interface. Remember: first match wins, implicit deny at the end.
Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
Frequently Asked Questions
Can a route map have multiple match statements in one entry?
Yes, you can have multiple match commands in a single route map entry. The default behavior is that all match conditions must be met (AND logic). You can also use the 'match ip address' and 'match interface' together, and the route will match only if it satisfies both.
What is the difference between applying a route map 'in' vs 'out' in BGP?
In BGP, 'in' means the route map processes routes received from the neighbor before they enter the BGP table. 'Out' means it processes routes before they are sent to the neighbor. Choose based on whether you want to filter or modify routes coming to you or going out to your peer.
Do I always need an ACL or prefix-list inside a route map?
Not always. You can match on other attributes like BGP community, AS-path, or interface without an ACL. For example, 'match community 100:1' or 'match as-path 65000'. However, for matching IP prefixes, you typically use a prefix-list or ACL.
What happens if two route map entries have the same sequence number?
Cisco IOS will accept the second entry but it will overwrite the first entry with the same sequence number. It is best practice to use unique sequence numbers (e.g., 10, 20, 30) to avoid accidental overwrites.
Can a route map be used for IPv6?
Yes, route maps work with IPv6 as well. You use the same syntax but replace 'ip' with 'ipv6' in match and set commands, for example, 'match ipv6 address prefix-list' and 'set ipv6 next-hop'.
Is the implicit deny at the end of a route map always a problem?
It is a problem only if you want to allow non-matching routes to pass through unmodified. The solution is to add a final permit entry with no match condition, which matches everything and applies no set actions, effectively allowing them unchanged.
Summary
Route maps are a fundamental Cisco configuration tool that enables network engineers to apply conditional logic to routing decisions. They function as ordered lists of match and set statements, processed top-down until a match is found, with an implicit deny at the end. Route maps are used in BGP path manipulation, route redistribution, and policy-based routing, making them indispensable in enterprise networks.
For the CCNP ENCOR exam, you must understand their syntax, sequential processing, and the difference between permit and deny. Remember that the first matching permit entry applies its set actions and stops, and that all non-matching routes are denied unless a final permit entry is included. Practice configuring route maps in a lab to solidify your understanding, and always verify with show commands.
Mastery of route maps will not only help you pass the exam but will also be a daily tool in your networking career.