Saturday 15 July 2023

UNDERSTANDING ROUTE-MAPS

Overview

Route-maps provide if/then/else logic similar to a programming language and are very flexible in matching prefixes. A single route-map consists of a series of route-map statements that share the same name but are uniquely identified by their sequence number. When a route is matched by a route-map statement, either as a permit or a deny, processing of the route-map stops for that route.

A route-map statement references an ACL or prefix-list to match against a route, together with the action to take, i.e., permit or deny.

A single route-map contains one or more route-map commands (entries). Each route-map entry has underlying matching parameters, configured with the match command.

The flexibility of route maps means that they can be utilized in many routing scenarios such as the following:

  • Filtering networks during advertisements
  • BGP path attribute manipulation, such as the next hop, AS_PATH, local preference and weight, on a neighbor-by-neighbor basis
  • Route tagging in routing protocols such as OSPF
  • Policy-based routing (PBR)
  • Modifying network attributes, particularly during advertisement

Like an access-list, an implicit deny any appears at the end of a route-map. The consequences of this deny depend on how the route-map is being used.

Matching Prefixes Using Route-maps

When configuring a route-map, the first action should be a match statement. Route-maps use the following features to match routes:

  • Access control lists
  • Prefix-lists
  • Route-type
  • Metric, metric type
  • Next hop
  • BGP attributes

Actions consist of permit or deny. If a route-map references an ACL or prefix-list, a permit statement in the ACL or prefix-list means "match this prefix" and a deny statement means "do not match this prefix". Route-maps have an implicit deny all statement at the end. Route-maps also support modifying prefix attributes, which is heavily utilized in BGP.

Processing of route-maps starts with the lowest sequence number and proceeds sequentially until a statement matches; processing then stops. However, if a route-map statement has the continue keyword, processing continues in spite of the match. The continue keyword is used in route-map statements when logical "AND" processing across sequences is needed.

When configuring filtering using prefix lists, only one prefix list can be used for filtering per direction (ingress or egress). However, when filtering using route maps, a route map can be configured with many statements, each using a different prefix list.

Configuration

Route maps consist of the following components:
  1. Sequence number: determines the order of processing.
  2. Conditional matching: prefix characteristics
  3. Processing action: permit or deny statements
  4. Addition, modification of route characteristics

When deleting a specific route map statement, include the sequence number to prevent deleting the entire route map.

If no other entry is already defined with the supplied route-map name, an entry is created with the sequence number 10. If only one entry is already defined with the supplied route-map name, that entry is the default entry for the route-map command, and the sequence number of the entry is unchanged. If more than one entry is already defined with the supplied route-map name, an error message is displayed, indicating that the sequence number is required. The match route-map configuration commands are used to define the conditions to be checked. The set route-map configuration commands are used to define the actions to be followed if there is a match and the action to be taken is permit. A route-map statement without any match statements is considered matched.

  1. Define the route map: The route map is defined by specifying the route map name, processing action and sequence number. The command used is route-map <route-map-name> [permit | deny] <sequence-number> where:
    • permit | deny (Optional): specifies the action to be taken if the route map match conditions are met. The meaning of permit or deny is dependent on how the route-map is used. The default action of a route-map command is permit with a sequence number of 10 (if not included in the configuration).
    • sequence-number (Optional): number that indicates the position a new route-map statement will have in the list of route-map statements already configured with the same name. The first route-map statement has a sequence number of 10 by default. Route-maps do not automatically increment the sequence number like ACLs do. If no sequence number is entered, subsequent statements overwrite the first statement.
  2. Matching

    Route maps use ACLs or prefix-lists to match the prefixes. The route-map tells what to do with the matched routes using permit or deny. A permit action in the ACL or prefix list means match the prefix and a deny action means do not match the prefix. All ACL types are supported, i.e., named or numbered standard and extended ACLs. It is important to note that IPv4 and IPv6 prefixes cannot be matched in the same route map. Separate route maps are required to match each protocol.

    Matching is done using the following commands:

    • match ip address [1-199 | 1300-1699 | acl-name]: matches based on a referenced named or numbered access control list.
    • match ip address prefix-list <prefix-list-name>: matches based on a referenced prefix list.
    • match as-path <ASN-acl-number>: matches prefixes based on a regular expression query against the Autonomous System Number (ASN) in the BGP AS_PATH attribute. AS path ACLs are numbered 1-500. This command allows multiple match variables.
    • match length <min> <max>: matches based on a packet's Layer 3 length.
    • match interface <interface-id>: matches any routes that have the next hop out of one of the interfaces specified.
    • match ip next-hop <acl-1 acl-2 acl-3>: matches any routes that have a next-hop router address permitted by one of the access-lists specified.
    • match ip route-source <acl-1 acl-2 acl-3>: matches routes that have been advertised by routers and access servers that have an address permitted by one of the access lists specified.
    • match metric [<1-4294967295> | external <1-4294967295>] [+-deviation]: matches routes that have the metric specified, a range of metrics, or a metric within an acceptable deviation.
    • match route-type [external | internal | level-1 | level-2 | local]: matches routes of the specified type.
    • match community <list-name | list-num>: matches a BGP community.
    • match tag <0-4294967295>: matches based on the tag of a route that was set by another router. This command allows multiple match variables.
    • match local-preference <local-preference>: matches prefixes based on the BGP local preference attribute. This command allows multiple match variables.

    A route-map without the match statement is equivalent to match any.

    When processing a route-map, processing starts at the top with the lowest sequence number and progresses sequentially. The first successful match ends the execution of the route-map unless the continue statement is used. A deny statement in the ACL/prefix-list that is referenced by a permit statement in the route-map results in no match, and execution of the route-map moves to the next sequence number.

    When matching prefixes, it is possible to chain ACLs or prefix-lists using the match ip address <acl-1> <acl-2> <acl-3> command. This represents an OR function: the match succeeds if any one of the ACLs matches.

    A deny statement in an ACL, prefix list or AS-Path ACL excludes the route from being matched. When matching using an ACL or prefix list, take note of the following combinations of ACL/prefix-list action and route-map action:

    • ACL/prefix-list permit, route-map permit: the route is matched and permitted; the set actions of that sequence are applied.
    • ACL/prefix-list permit, route-map deny: the route is matched and denied.
    • ACL/prefix-list deny, route-map permit: no match; processing moves to the next route-map sequence number.
    • ACL/prefix-list deny, route-map deny: no match; processing moves to the next route-map sequence number.

  3. Specify the action to be carried out on matched routes (Optional): This is implemented using the set command. Supported features include the following:

    • set metric [+value | -value | <value>]: sets the metric value for a route or modifies the existing metric. Allowable values are in the range 0-4294967295.
    • set metric-type [type-1 | type-2 | internal | external]: sets the metric type for the destination routing protocol.
    • set default interface <interface-id>: indicates where to send output packets that pass a match clause of a route map for policy routing and for which there is no explicit route to the destination.
    • set interface <interface-id>: indicates where to send output packets that pass a match clause of a route map for policy routing.
    • set ip default next-hop <ip-address>: indicates where to send output packets that pass a match clause of a route map for policy routing and for which the Cisco IOS software has no explicit route to the destination.
    • set ip default next-hop verify-availability: forces the router to check the CDP database to determine if an entry is available for the next hop specified by the set ip default next-hop command. This command is used to prevent traffic from being "blackholed" if the configured next hop becomes unavailable.
    • set ip next-hop <ip-address-1 ip-address-2 ip-address-3 | peer-address | self>: indicates where to send output packets that pass a match clause of a route map for policy routing. BGP dynamic manipulation uses the peer-address or self keywords.
    • set ip next-hop verify-availability: forces the router to check the CDP database or use object tracking to determine if the next hop specified for policy-based routing is available.
    • set ip vrf: indicates where to forward packets that pass a match clause of a route map for policy routing when the next hop must be under a specified VRF name.
    • set next-hop: specifies the address of the next hop.
    • set level [level-1 | level-2 | stub-area | backbone]: indicates at what level or type of area to import routes into (for IS-IS and OSPF routes).
    • set as-path [tag | prepend <as-path-string | last-as 1-10>]: modifies an autonomous system path for BGP routes.
    • set automatic-tag: automatically computes the BGP tag value.
    • set community [<community-number> | additive | <well-known-community> | none]: sets the BGP community attribute.
    • set local-preference <bgp-path-attribute>: specifies a local preference value for the BGP autonomous system path.
    • set weight <0-65535>: specifies the BGP weight value.
    • set origin [igp | incomplete]: specifies the BGP origin code.
    • set tag: specifies the tag value for the destination routing protocol.

Interpretation

route-map DEMO permit 10
match X Y Z
match A
set B
set C
route-map DEMO permit 20
match Q
set R
route-map DEMO permit 30

The route map DEMO is interpreted as follows:
If ((X or Y or Z) and A) match, then set B and C
Else if Q matches, then set R
Else set nothing

A route-map statement without a match or set command, such as route-map DEMO permit 40, matches and permits all remaining prefixes. If it is the last sequence in a route map, it effectively disables the implicit deny all at the end of the route map.

Application of Route Maps

Where route maps are applied depends on what they are used for:

  • Filtering during redistribution: uses the command redistribute route-map <route-map-name>.
  • Prefix advertisement: filtering of prefixes during advertisement by a routing protocol uses the command distribute-list route-map <route-map-name>.
  • Attribute manipulation: uses the command neighbor <ip-address> route-map <route-map-name>.
  • Path control: uses the ip policy route-map <route-map-name> command under the interface.

Redistribution Caveats

Redistribution of routing information adds to the complexity of a network and increases the potential for routing confusion, so you should use it only when necessary. The key issues that arise when using redistribution are as follows:

  • Routing loops
  • Incompatible routing information
  • Inconsistent convergence time

Verification

show route-map <route-map-name>

This command verifies what was configured. Without a name it displays all route maps configured; a specific route map can be displayed by adding its name: show route-map <route-map-name>

Route Maps

Route maps are complex access lists that allow some conditions to be tested against the packet or route using match commands. If the conditions match, actions can be taken to modify attributes of the packet or route. These actions are specified by the route-map's set commands. A collection of route map statements that have the same route map name is considered one route map. Within a route map, each route-map statement is numbered and therefore can be edited individually. The statements in a route-map correspond to the lines of an access list.

Route map actions can be either permit or deny. Route map statements are processed sequentially from top to bottom with first-match processing, just like an access list; the first statement that is matched in the route map ends the processing of the route map. This default behaviour can be modified by using the keyword continue. Route-maps have an implicit deny statement at the end.

Access-lists and prefix lists can only match on IP addresses or routes. To match against other attributes, such as external or internal routes or BGP attributes, route-maps can be used.

Route Map Applications

  • Route filtering
  • Route filtering during redistribution: route maps offer the benefit of manipulating route metrics through the set commands. The route maps are applied using the redistribute command.
  • Policy-based routing (PBR): route maps can be used to match source and destination addresses, protocol types, and end-user applications. When a match occurs, a set command can be used to determine the interface or next-hop address to which the packet should be sent. The route-map is applied to an interface using the ip policy route-map interface configuration command.
  • BGP: in addition to filtering, route-maps provide sophisticated manipulation of BGP path attributes. The route-map is applied using the BGP neighbor router configuration command.

Components of a Route Map

The four components of a route map are the following:

  1. Sequence number: much like an ACL with sequence numbers. The default sequence number is 10.
  2. Processing action: again like an ACL, with permit and deny statements.
  3. Match criteria: what is this sequence in the route map looking for? If no match statement is configured, the default behaviour is to match all addresses.
  4. Action (optional): what do we do with these matches?

Configuration of Route Maps

Step 1: define the route map using the route-map global configuration command: route-map name [permit | deny] sequence

When defining a route-map, if the permit/deny statement is not configured and the sequence number is not configured, then the default will be permit with a sequence number of 10.

Step 2: define the matching conditions using the match command and, optionally, the action to be taken when each condition is matched using the set command.

Step 3: apply the route map.

Route Map Rules

Route-map sequence numbers do not automatically increment. When the sequence-number parameter of the route-map command is not used, the following occurs:

  • If no other entry is already defined with the supplied route-map tag, an entry is created with the sequence number 10.
  • If only one entry is already defined with the supplied route-map tag, that entry is the default entry for the route-map command, and the sequence number of the entry is unchanged.
  • If more than one entry is already defined with the supplied route-map tag, an error message is displayed, indicating that the sequence number is required.
  • If the no route-map name command is specified (without the sequence-number parameter), the whole route-map is deleted.
  • Like an access-list, an implicit deny any appears at the end of a route-map. The consequences of this deny depend on how the route-map is being used.
  • The match route-map configuration commands are used to define the conditions to be checked. The set route-map configuration commands are used to define the actions to be followed if there is a match and the action to be taken is permit.
  • A route-map statement without any match statements will be considered matched.
  • If more than one condition is configured under the same match statement, then it acts as OR logic.
  • If more than one match statement appears under the same sequence number, then it acts as AND logic.
  • If more than one sequence number is used in a route-map, then each sequence number acts as a form of else-if block of the route-map.
  • To match all packets, the route-map clause omits the match command.
  • If a sequence number is omitted, the first sequence number defaults to 10. Successive route-map statements without sequence numbers overwrite the existing first route-map statement (10).
  • When a route is matched by a route-map entry, either as a permit or a deny, the router stops processing the route-map for that route, even when there are more entries in the route-map.

Matching Conditions

Route maps provide more flexibility when matching various characteristics of the traffic. Route maps match against IP addresses by referencing access-lists or prefix-lists. Additionally, they provide the ability to match against route-type, metric, metric-type, next-hop, BGP attributes, etc.

  • match ip address {access-list-number | access-list-name} [... access-list-number | ... access-list-name] or match ip address prefix-list prefix-list-name [... prefix-list-name]: matches any routes that have a network number permitted by a standard or extended access list or prefix list. Multiple access-lists or prefix lists can be specified; matching any one of them results in a match.
  • match length min max: matches based on a packet's Layer 3 length.
  • match interface type-number: matches any routes that have the next hop out of one of the interfaces specified.
  • match ip next-hop {access-list-number | access-list-name} [... access-list-number | ... access-list-name]: matches any routes that have a next-hop router address permitted by one of the access-lists specified.
  • match ip route-source {access-list-number | access-list-name} [... access-list-number | ... access-list-name]: matches routes that have been advertised by routers and access servers that have an address permitted by one of the access lists specified.
  • match metric metric-value: matches routes that have the metric specified.
  • match route-type [external | internal | level-1 | level-2 | local]: matches routes of the specified type.
  • match community {list-number | list-name}: matches a BGP community.
  • match tag tag-value: matches based on the tag of a route.

Route Map Set Actions

  • set metric metric-value: sets the metric value for a routing protocol.
  • set metric-type [type-1 | type-2 | internal | external]: sets the metric type for the destination routing protocol.
  • set default interface type number [... type number]: indicates where to send output packets that pass a match clause of a route-map for policy routing and for which the Cisco IOS software has no explicit route to the destination.
  • set interface type number [... type number]: indicates where to send output packets that pass a match clause of a route-map for policy routing.
  • set ip default next-hop ip-address: indicates where to send output packets that pass a match clause of a route-map for policy routing and for which the Cisco IOS software has no explicit route to the destination.
  • set ip default next-hop verify-availability: forces the router to check the CDP database to determine if an entry is available for the next hop specified by the set ip default next-hop command. This command is used to prevent traffic from being "black-holed" if the configured next hop becomes unavailable.
  • set ip next-hop ip-address [... ip-address]: indicates where to send output packets that pass a match clause of a route-map for policy routing.
  • set ip next-hop verify-availability: forces the router to check the CDP database or use object tracking to determine if the next hop specified for policy-based routing is available.
  • set ip vrf: indicates where to forward packets that pass a match clause of a route map for policy routing when the next hop must be under a specified virtual routing and forwarding (VRF) name.
  • set next-hop: specifies the address of the next hop.
  • set level [level-1 | level-2 | stub-area | backbone]: indicates at what level or type of area to import routes into (for IS-IS and OSPF routes).
  • set as-path [tag | prepend as-path-string]: modifies an autonomous system path for BGP routes.
  • set automatic-tag: automatically computes the BGP tag value.
  • set community [community-number | additive | well-known-community | none]: sets the BGP community attribute.
  • set local-preference bgp-path-attribute: specifies a local preference value for the BGP autonomous system path.
  • set weight bgp-weight: specifies the BGP weight value.
  • set origin: specifies the BGP origin code.
  • set tag: specifies the tag value for the destination routing protocol.

continue command

Processing of a route-map runs from top to bottom. If a matching statement is found, the set statements of that statement are processed and then processing of the route-map ends. With the continue command, however, once a matching statement has been processed, the continue command causes processing not to break but to carry on with the subsequent statements of the route-map.

Application of the route-map

To utilise the route map, it has to be applied to an interface (policy-based routing) or to a routing protocol.

When applying a route-map for policy-based routing, it should be applied on the inbound interface. Applying a route-map on the outgoing interface has no effect. To associate the route-map, use the command: ip policy route-map route-map-name

When filtering with a route-map, the "permit" or "deny" within the ACL or prefix-list does not decide whether the route will be filtered or not. It only decides whether that route is or isn't matched. A permit in an ACL/prefix-list means take the action in the route-map. A deny means move to the next route-map sequence number. Different ACLs or prefix-lists can be called by the same route-map.

Given the following access-lists:

access-list 50 permit 172.16.0.0 0.0.255.255
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 60 deny 192.168.10.0 0.0.0.255
access-list 60 permit any

route-map TEST deny 10
match ip address 50
route-map TEST permit 20
match ip address 60

The route-map sequence number 10 means the route-map is permitted to deny traffic from 172.16.0.0 0.0.255.255.
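To make the permit/deny, first-match, AND/OR and continue semantics concrete, here is an added Python simulation of route-map evaluation (example code written for this page, not from the original post and not Cisco IOS code). It encodes the TEST route-map and ACLs 50 and 60 above (wildcard masks written as prefix lengths), plus a hypothetical ACL 70 and a DEMO-style map with a continue entry and a catch-all sequence 30; the ACL model is a standard ACL checked against the route's network address.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed standard ACLs: 50 and 60 are transcribed from the page's TEST example,
# ACL 70 is a hypothetical addition used only to demonstrate the continue keyword.
ACLS = {
    "50": [("permit", "172.16.0.0/16")],
    "60": [("permit", "192.168.0.0/16"), ("deny", "192.168.10.0/24"), ("permit", "0.0.0.0/0")],
    "70": [("permit", "10.0.0.0/8")],
}

def acl_permits(acl_name, prefix):
    """First-match lookup of the route's network address; implicit deny if no line matches."""
    addr = ipaddress.ip_network(prefix).network_address
    for action, line in ACLS[acl_name]:
        if addr in ipaddress.ip_network(line):
            return action == "permit"
    return False

@dataclass
class Entry:
    seq: int
    action: str                                  # "permit" or "deny"
    matches: list = field(default_factory=list)  # one inner list of ACL names per match statement
    sets: dict = field(default_factory=dict)     # attributes applied when a permit entry matches
    cont: bool = False                           # the continue keyword

def entry_matches(entry, prefix):
    # No match statement matches every route; several match statements are AND-ed;
    # several ACLs inside one match statement are OR-ed.
    return all(any(acl_permits(a, prefix) for a in acls) for acls in entry.matches)

def evaluate(route_map, prefix):
    """Return (result, attributes): result is the action of the last matching entry,
    or 'deny' from the implicit deny at the end when no entry matched."""
    attrs, result = {}, None
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not entry_matches(entry, prefix):
            continue                   # ACL deny or no match: try the next sequence number
        result = entry.action
        if entry.action == "permit":
            attrs.update(entry.sets)
        if not entry.cont:
            break                      # first match ends processing unless continue is set
    return (result or "deny", attrs)

# The page's TEST route-map: deny what ACL 50 permits, permit what ACL 60 permits.
TEST = [Entry(10, "deny", [["50"]]), Entry(20, "permit", [["60"]])]

# A DEMO-style map: ACL 50 at seq 10 with continue, ACL 70 at seq 20, catch-all at seq 30.
DEMO = [
    Entry(10, "permit", [["50"]], {"metric": 50}, cont=True),
    Entry(20, "permit", [["70"]], {"tag": 200}),
    Entry(30, "permit"),               # no match statement: matches all remaining routes
]

if __name__ == "__main__":
    for rm, name in ((TEST, "TEST"), (DEMO, "DEMO")):
        for p in ("172.16.5.0/24", "192.168.10.0/24", "10.1.0.0/16", "192.0.2.0/24"):
            print(name, p, evaluate(rm, p))
```

Running it also shows that the deny line for 192.168.10.0 in ACL 60 is never reached, because the preceding permit 192.168.0.0 0.0.255.255 line matches first; ACL line order matters as much as route-map sequence order.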
