
Saturday, 15 July 2023

UNDERSTANDING ROUTE-MAPS

Route Maps

Route maps are a network tool used to carry out pattern matching against routes (or, with policy-based routing, network traffic) and to take specified actions on what matches, or on what does not match, the specified criteria. If the conditions match, actions can be taken to modify attributes of the route or packet. These actions are specified by the route-map's set commands.

A collection of route map statements that have the same route map name is considered one route map. Within a route map, each route-map statement is numbered and therefore can be edited individually. The statements in a route-map are similar to the statements in an access control list.

Route map actions can be either permit or deny. Route map statements are processed sequentially from top to bottom with first-match processing, just like an access list. The first statement that is matched in the route map ends the processing of the route map. This default behaviour can be modified by using the keyword continue. Route-maps have an implicit deny statement at the end.

Configuration

  1. Define the route map: a route map is defined by specifying the route map name, processing action and sequence number. The command used is route-map <route-map-name> [permit | deny] <sequence-number> where:
    • permit | deny (Optional): defines the action to be taken if the route map match conditions are met, i.e., what is done with matched traffic. The meaning of permit or deny depends on how the route-map is used. The default action of a route-map statement is permit. If a route-map references an ACL or prefix-list, a permit statement in the ACL or prefix-list means "match this prefix" and a deny statement means "do not match this prefix".

      Like an access-list, an implicit deny any appears at the end of a route-map. The consequences of this deny depend on how the route-map is being used.

    • sequence-number (Optional): a number that indicates the position a new route-map statement takes among the statements already configured with the same name, much like the sequence numbers of an access control list (ACL). The sequence number determines the order in which the route map is processed. The first route map statement has a sequence number of 10 by default. Unlike ACLs, route-maps do not automatically increment the sequence number: if no sequence number is entered, subsequent statements overwrite the first statement.

      If neither the permit / deny action nor the sequence number is configured, the default is permit with a sequence number of 10.
  2. Define the matching conditions using the match command, i.e., which characteristics of the route or traffic are checked. If no match statement is configured, the default is to match all addresses.
  3. Action: modify characteristics of the matched routes or traffic flows using the set command.
  4. Apply the route map.

Route Map Rules

The following are some important guidelines to consider when configuring a route map:

  • When adding a new route map statement:
    • Route map sequence numbers do not increment automatically.
    • If no other entry is already defined with the supplied route-map name, an entry is created with the sequence number 10.
    • If only one entry is already defined with the configured route map name, that entry is the default entry for the route-map command, and the sequence number of the entry is unchanged.
    • If more than one entry is already defined with the configured route map name, an error message is displayed, indicating that the sequence number is required.
  • The match statement is used to define the characteristics that traffic should match against.
  • The set condition command is used to define the actions to be followed if there is a match and the action to be taken is permit.
  • A route-map statement without any match statements will be considered matched.
  • If deleting a route-map using the command no route-map <route-map-name> without specifying the sequence number, the whole route-map is deleted.
  • Like an access-list, an implicit deny any statement appears at the end of a route-map. The consequences of this "deny any" depend on where the route map is applied.
  • If more than one condition is configured under the same match statement, the conditions are combined as a logical OR.
  • If more than one match statement appears under the same sequence number, the statements are combined as a logical AND.
  • If more than one route map statement is configured, the route map acts as an If-Else-If statement block.
  • To match all packets, the route-map clause omits the match command.
  • If a sequence number is not included in the configuration of the first statement, the default sequence number or first sequence number is set to 10. Successive route map statements without sequence numbers overwrite the existing first route map statement with sequence number 10.
  • When processing statements, the first match ends the processing of the route map even when there are more un-processed entries in the route map.

Matching Conditions

When configuring a route-map, the first action should be a match statement. Route-maps use the following features to match routes:

  • Access control lists
  • Prefix-lists
  • Route-type
  • Metric
  • Metric type
  • Next hop
  • BGP attributes

Route maps use ACLs or prefix-lists to match the prefixes. The route-map states what to do with the matched routes using permit or deny. A permit action in the ACL or prefix list means "match the prefix" and a deny action means "do not match the prefix". All ACL types are supported, i.e., named or numbered, standard and extended ACLs. It is important to note that IPv4 and IPv6 prefixes cannot be matched in the same route map; separate route maps are required for each protocol.

Route maps provide more flexibility when matching various characteristics of the traffic. Route maps match against IP addresses by referencing access-lists or prefix-lists. Additionally, they provide the ability to match against route-type, metric, metric-type, next-hop, BGP attributes etc.

Matching is done using the following commands (each entry gives the command followed by its action):

  • match ip address [1-199 | 1300-1699 | acl-name]: Matches based on a referenced named or numbered access control list, i.e., any route whose network number is permitted by a standard or extended access list or prefix list. Multiple access-lists or prefix lists can be specified; matching any one of them results in a match.
  • match ip address prefix-list <prefix-list-name>: Matches based on a referenced prefix list.
  • match as-path <ASN-acl-number>: Matches prefixes based on a regular expression applied to the Autonomous System Numbers (ASNs) in the BGP AS path attribute. AS path ACLs are numbered 1-500. This command allows multiple match variables.
  • match length <min> <max>: Matches based on a packet's Layer 3 length.
  • match route-type [external | internal | level-1 | level-2 | local]: Matches routes of the specified type.
  • match interface <interface-id>: Matches any route whose next hop is out of one of the interfaces specified.
  • match ip next-hop <acl-1 acl-2 acl-3>: Matches any route whose next-hop router address is permitted by one of the access lists specified.
  • match ip route-source <acl-1 acl-2 acl-3>: Matches routes advertised by routers and access servers whose address is permitted by one of the access lists specified.
  • match metric [<1-4294967295> | external <1-4294967295>] [+-deviation]: Matches routes that have the specified metric, or a metric within the acceptable deviation.
  • match community <list-name | list-num>: Matches a BGP community.
  • match tag <0-4294967295>: Matches based on the tag of a route that was set by another router. This command allows multiple match variables.
  • match local-preference <local-preference>: Matches prefixes based on the BGP local preference attribute. This command allows multiple match variables.

A route-map without the match statement is equivalent to match any.

When processing a route-map, processing starts at the top with the lowest sequence number and progresses sequentially. The first successful match ends the execution of the route-map unless the continue statement is used. A deny statement in the ACL/prefix list that is referenced by a permit statement in the route map results in no match, and execution of the route map moves to the next route map sequence number.

When matching prefixes, it is possible to chain ACLs or prefix lists using the match ip address <acl-1> <acl-2> <acl-3> command. This represents an OR function: the match succeeds if any one of the ACLs is matched.

A deny statement in an ACL, prefix list or AS-Path ACL excludes the route from being matched. When matching using an ACL or prefix list, take note of the following:

  • ACL/prefix-list permit, route-map permit: the prefix is matched and permitted; the statement's set actions are applied.
  • ACL/prefix-list permit, route-map deny: the prefix is matched and denied.
  • ACL/prefix-list deny, route-map permit: no match; processing moves to the next route-map sequence number.
  • ACL/prefix-list deny, route-map deny: no match; processing moves to the next route-map sequence number.

A prefix that matches no statement at all is dropped by the implicit deny at the end of the route map.

Set Actions

Specify the action to be carried out on matched routes (Optional): this is implemented using the set command. Supported actions include the following (each entry gives the command followed by its action):

  • set metric [+value | -value | <value>]: Sets the metric value for a route or modifies the existing metric. Allowable values are in the range 0 - 4294967295.
  • set metric-type [type-1 | type-2 | internal | external]: Sets the metric type for the destination routing protocol.
  • set default interface <interface-id>: Sets the output interface for packets that pass a match clause of a route map if there is no explicit route to the destination. If a list of interfaces is configured and the first interface is down, the next interface in the list is used.
  • set interface <interface-id>: Sets the exit interface for packets that pass a match clause of a route map for policy routing.
  • set ip default next-hop <ip-address>: Sets the next hop for packets that pass a match clause of a route map for policy routing and for which the Cisco IOS software has no explicit route to the destination.
  • set ip default next-hop verify-availability: Forces the router to check the CDP database to determine whether an entry is available for the next hop specified by the set ip default next-hop command. This is used to prevent traffic from being "blackholed" if the configured next hop becomes unavailable.
  • set ip next-hop <ip-address-1 ip-address-2 ip-address-3 | peer-address | self>: Sets the next hop for packets that pass a match clause of a route map for policy routing. BGP dynamic manipulation uses the peer-address or self keywords.
  • set ip next-hop verify-availability: Forces the router to check the CDP database or use object tracking to determine whether the next hop specified for policy-based routing is available.
  • set ip vrf: Indicates where to forward packets that pass a match clause of a route map for policy routing when the next hop must be under a specified VRF name.
  • set next-hop: Specifies the address of the next hop.
  • set level [level-1 | level-2 | stub-area | backbone]: Indicates at what level or type of area to import routes into (for IS-IS and OSPF routes).
  • set as-path [tag | prepend <as-path-string | last-as 1-10>]: Modifies an autonomous system path for BGP routes.
  • set automatic-tag: Automatically computes the BGP tag value.
  • set community [<community-number> | additive | <well-known-community> | none]: Sets the BGP community attribute.
  • set local-preference <bgp-path-attribute>: Specifies a local preference value for the BGP autonomous system path.
  • set weight <0-65535>: Specifies the BGP weight value.
  • set origin [igp | incomplete]: Specifies the BGP origin code.
  • set tag: Specifies the tag value for the destination routing protocol.

continue command

Processing of route-maps starts with the lowest sequence number and proceeds sequentially until a statement matches, after which processing stops. However, if a route-map statement has the continue keyword, processing carries on in spite of the match. The continue keyword is used in route-map statements when logical "AND" processing across statements is needed: the continue command causes processing to go on to the next match statements in the route-map.

Example Configuration

route-map DEMO permit 10
match X Y Z
match A
set B
set C
route-map DEMO permit 20
match Q
set R
route-map DEMO permit 30

The route map DEMO is interpreted as follows:

  1. If ((X or Y or Z) and (A) match) then (set B and C)
  2. Else
  3. If Q matches then set R
  4. Else
  5. Set nothing

A route map statement without a match or set command, such as route-map DEMO permit 40, matches and permits all prefixes. If this is the last sequence in a route map, it overrides the implicit deny all at the end of the route map.

Applications

Where route maps are applied depends on what they will be used for. The flexibility of route maps means that they can be utilized in many routing scenarios, such as the following:

  • Route filtering such as between areas in OSPF, in any arbitrary location in EIGRP and BGP.
  • Route filtering during redistribution: route maps offer the benefit of manipulating route metrics through the set commands. The route map is applied using the redistribute command.
  • Policy-based routing (PBR): route maps can be used to match source and destination addresses, protocol types, and end-user applications. When a match occurs, a set command can be used to determine the interface or next-hop address to which the packet should be sent. The route-map is applied to an interface using the ip policy route-map interface configuration command.
  • Traffic Engineering in BGP: in addition to filtering, route-maps provide traffic engineering opportunities such as manipulation of BGP path attributes such as the next hop, AS PATH, local preference, weight etc. on a neighbor-by-neighbor basis. The route-map is applied using the BGP neighbor router configuration command.

Filtering

When configuring filtering using prefix lists, only one prefix list can be used for filtering per direction (ingress or egress). However, when filtering using route maps, a route map can be configured with many statements, each using a different prefix list.

When using a route map for filtering, the "permit" or "deny" within the ACL or prefix-list does not mean that route will be filtered or not. The permit and deny keywords are used to indicate that the prefix should be matched or not matched respectively. A permit statement in an ACL/prefix-list means take action in the route-map. A deny means move to the next route map statement. Different ACLs or prefix-lists can be called by the same route-map.

Given the following access-lists (the deny for 192.168.10.0/24 is placed before the broader permit so that it takes effect, since an ACL is itself evaluated first-match):

access-list 50 permit 172.16.0.0 0.0.255.255
access-list 60 deny 192.168.10.0 0.0.0.255
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 60 permit any

route-map TEST deny 10
 match ip address 50
route-map TEST permit 20
 match ip address 60

Sequence 10 matches the prefixes permitted by access-list 50 (172.16.0.0 0.0.255.255) and, because its action is deny, filters them. Sequence 20 matches the prefixes permitted by access-list 60 and permits them; 192.168.10.0 0.0.0.255 is denied in access-list 60, so it is not matched by sequence 20 and falls to the implicit deny at the end of the route map.
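The filtering semantics described here (ACL permit means match, ACL deny means no match, first-match processing, the implicit deny at the end, and the continue keyword from the earlier section) as a small Python simulation. This is an added example, not configuration or code from the post; the ACLs and the route-map TEST are constructed to mirror the example above, and the handling of continue is a simplified model of the IOS keyword.

```python
from ipaddress import ip_network

# Constructed ACLs mirroring the TEST example (wildcard masks written as CIDR).
ACLS = {
    50: [("permit", ip_network("172.16.0.0/16"))],
    60: [("deny", ip_network("192.168.10.0/24")),   # listed before the broader permit
         ("permit", ip_network("192.168.0.0/16")),
         ("permit", ip_network("0.0.0.0/0"))],       # permit any
}

# Constructed route-map TEST: (seq, action, match groups, set actions, continue).
# Each inner list is one `match ip address a b c` line (OR); several lines are ANDed.
TEST = [
    (10, "deny", [[50]], {}, False),
    (20, "permit", [[60]], {}, False),
]

def acl_permits(acl_id, prefix):
    """First-match standard ACL lookup on the route's network address only
    (a standard ACL does not look at the prefix length); implicit deny at the end."""
    for action, entry in ACLS[acl_id]:
        if prefix.network_address in entry:
            return action == "permit"
    return False

def statement_matches(groups, prefix):
    """ACL deny means "do not match"; OR inside one match line, AND across lines.
    A statement with no match lines matches everything."""
    return all(any(acl_permits(a, prefix) for a in group) for group in groups)

def evaluate(route_map, prefix, attrs=None):
    """Return (permitted, attributes). The first matching statement ends processing
    unless it carries `continue` (simplified model: later non-matches keep the permit)."""
    prefix, attrs = ip_network(prefix), dict(attrs or {})
    permitted = False                       # implicit deny unless a permit matched
    for seq, action, groups, sets, cont in sorted(route_map):
        if not statement_matches(groups, prefix):
            continue                        # no match: fall through to the next seq
        if action == "deny":
            return False, attrs
        attrs.update(sets)                  # set actions apply only on a permit match
        permitted = True
        if not cont:
            break
    return permitted, attrs

def filter_routes(route_map, prefixes):
    """Map each prefix string to True (permitted) or False (filtered)."""
    return {p: evaluate(route_map, p)[0] for p in prefixes}

if __name__ == "__main__":
    for p, ok in filter_routes(TEST, ["172.16.1.0/24", "192.168.10.0/24",
                                      "192.168.20.0/24", "10.0.0.0/8"]).items():
        print(p, "permit" if ok else "deny")
```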

Redistribution

Route maps are applied to redistribution using the command redistribute route-map <route-map-name>.

  • Prefix advertisement: filtering of prefixes during advertisement by a routing protocol uses the command distribute-list route-map <route-map-name>.
  • Attribute manipulation: BGP path attributes are manipulated per neighbor using the command neighbor <ip-address> route-map <route-map-name>.

Path Control

A route map takes effect only once it is applied, either to an interface (policy-based routing) or to a routing protocol. For policy-based routing, the route map is associated with an interface using the interface command ip policy route-map <route-map-name>. It should be applied to the ingress (inbound) interface; applying a route map to the egress interface has no effect.

Redistribution Caveats

Redistribution of routing information adds to the complexity of a network and increases the potential for routing confusion, so you should use it only when necessary. The key issues that arise when you are using redistribution are as follows:

  • Routing loops
  • Incompatible routing information
  • Inconsistent convergence time

Verification

show route-map <route-map-name>

This verifies what was configured. Without a name, show route-map displays all route maps configured; adding the name, show route-map <route-map-name>, displays only that route map.
