
Saturday 15 July 2023

UNDERSTANDING ROUTE-MAPS

Route Maps

Route maps are a network tool used to carry out pattern matching against routes or traffic and to take specified actions on what matches (or does not match) the configured criteria. If the conditions match, actions can be taken to modify attributes of the route or packet. These actions are specified by the route-map's set commands.

A collection of route map statements that share the same route map name is considered one route map. Within a route map, each route-map statement is numbered and can therefore be edited individually. The statements in a route-map are similar to the statements in an access control list.

Route map actions can be either permit or deny. Route map statements are processed sequentially from top to bottom with first-match processing, just like an access list. The first statement that is matched in the route map ends the processing of the route map. This default behaviour can be modified by using the keyword continue. Route-maps have an implicit deny statement at the end.

Configuration

  1. Define the route map: a route map is defined by specifying the route map name, processing action and sequence number. The command used is route-map <route-map-name> [permit | deny] <sequence-number> where:
    • permit | deny (Optional): Define the action to be taken if the route map match conditions are met i.e., what do we do with matched traffic? Processing actions consist of permit or deny. The meaning of permit or deny is dependent on how the route-map is used. The default action of a route-map command is permit. If a route-map references an ACL or prefix-list, the ACL and prefix-list permit statement means match this prefix. The deny statement means do not match the prefix.

      Like an access-list, an implicit deny any appears at the end of a route-map. The consequences of this deny depend on how the route-map is being used.

    • sequence-number (Optional): number that indicates the position a new route-map statement will have in the list of route-map statements already configured with the same name. This is much like the sequence numbers of an access control list (ACL). The sequence number determines the order of processing of the route map. The first route map statement has a sequence number of 10 by default. Route-maps do not automatically increment the sequence number like ACLs do: if no sequence number is entered, subsequent statements overwrite the first statement.

      If neither the permit / deny action nor the sequence number is configured, the default action is permit with a sequence number of 10.
  2. Define the matching conditions using the match command, i.e., which characteristics of the route or traffic should be checked, and optionally the action to be taken when each condition is matched using the set command. If no match statement is configured, the default is to match all addresses.
  3. Action: Modifying characteristics of packets or traffic flow patterns. This is done using the set command.
  4. Apply the route map.

Route Map Rules

The following are some important guidelines to consider when configuring a route map:

  • When adding a new route map statement:
    • Route map sequence numbers do not increment automatically.
    • If no other entry is already defined with the supplied route-map name, an entry is created with the sequence number 10.
    • If only one entry is already defined with the configured route map name, that entry is the default entry for the route-map command, and the sequence number of the entry is unchanged.
    • If more than one entry is already defined with the configured route map name, an error message is displayed, indicating that the sequence number is required.
  • The match statement is used to define the characteristics that traffic should match against.
  • The set command is used to define the actions to be followed if there is a match and the action to be taken is permit.
  • A route-map statement without any match statements will be considered matched.
  • If deleting a route-map using the command no route-map <route-map-name> without specifying the sequence number, the whole route-map is deleted.
  • Like an access-list, an implicit deny any statement appears at the end of a route-map. The consequences of this "deny any" depend on where the route map is applied.
  • If more than one condition is configured under the same match statement, then it acts as a logical OR function.
  • If more than one match statement appears under the same sequence number, then it acts as a logical AND statement.
  • If more than one route map statement is configured, then the route map acts as an If-Else-If statement block.
  • To match all packets, the route-map clause omits the match command.
  • If a sequence number is not included in the configuration of the first statement, the default sequence number or first sequence number is set to 10. Successive route map statements without sequence numbers overwrite the existing first route map statement with sequence number 10.
  • When processing statements, the first match ends the processing of the route map even when there are more un-processed entries in the route map.

Matching Conditions

When configuring a route-map, the first action should be a match statement. Route-maps use the following features to match routes:

  • Access control lists
  • Prefix-lists
  • Route-type
  • Metric
  • Metric type
  • Next hop
  • BGP attributes

Route maps use ACLs or prefix-lists to match the prefixes. The route-map states what to do with the matched routes using permit or deny. A permit action in the ACL or prefix list means match the prefix and a deny action means do not match the prefix. All ACL types are supported, i.e., named or numbered standard and extended ACLs. It is important to note that when matching prefixes, IPv4 and IPv6 prefixes cannot be matched in the same route map; separate route maps are required to match each protocol.

Route maps provide more flexibility when matching various characteristics of the traffic. Route maps match against IP addresses by referencing access-lists or prefix-lists. Additionally, they provide the ability to match against route-type, metric, metric-type, next-hop, BGP attributes, etc.

Matching is done using the following commands:

  • match ip address [1-199 | 1300-1699 | acl-name]: Matches any routes that have a network number permitted by the referenced named or numbered standard or extended access list. Multiple access lists can be specified; matching any one of them results in a match.
  • match ip address prefix-list <prefix-list-name>: Matches any routes permitted by the referenced prefix list.
  • match as-path <as-path-acl-number>: Matches prefixes based on a regular expression applied to the Autonomous System Numbers (ASNs) in the BGP AS path attribute. AS path ACLs are numbered 1 - 500. This command allows for multiple match variables.
  • match length <min> <max>: Matches based on a packet's Layer 3 length.
  • match route-type [external | internal | level-1 | level-2 | local]: Matches routes of the specified type.
  • match interface <interface-id>: Matches any routes that have their next hop out of one of the interfaces specified.
  • match ip next-hop <acl-1 acl-2 acl-3>: Matches any routes that have a next-hop router address permitted by one of the access lists specified.
  • match ip route-source <acl-1 acl-2 acl-3>: Matches routes advertised by routers and access servers that have an address permitted by one of the access lists specified.
  • match metric [<1-4294967295> | external <1-4294967295>] [+- deviation]: Matches routes that have the specified metric, or a metric within the acceptable deviation from it.
  • match community <list-name | list-number>: Matches a BGP community list.
  • match tag <0-4294967295>: Matches based on the tag of a route that was set by another router. This command allows for multiple match variables.
  • match local-preference <local-preference>: Matches prefixes based on the BGP local preference attribute. This command allows for multiple match variables.

A route-map without the match statement is equivalent to match any.

When processing a route-map, processing starts at the top with the lowest sequence number and progresses sequentially. The first successful match ends the execution of the route-map unless the continue statement is used. A deny statement in the ACL/prefix list that is referenced by a permit statement in the route map results in no match, and execution of the route map moves to the next route map sequence number.

When matching prefixes, it is possible to chain ACLs or prefix lists using the match ip address <acl-1> <acl-2> <acl-3> command. This represents an OR function: the statement matches if any one of the ACLs is matched.

A deny statement in an ACL, prefix list or AS-Path ACL excludes the route from being matched. When matching using an ACL or prefix list, take note of the following:

ACL/Prefix-list Action | Route-map Action | Result
deny | permit | The prefix is not matched; processing moves to the next route-map sequence number.

Set Actions

Specify the action to be carried out on matched routes (Optional): This is implemented using the set command. Supported features include the following:

  • set metric [+value | -value | <value>]: Sets the metric value for a route or modifies the existing metric. Allowable values are in the range 0 - 4294967295.
  • set metric-type [type-1 | type-2 | internal | external]: Sets the metric type for the destination routing protocol.
  • set default interface <interface-id>: Sets the output interface for packets that pass a match clause of a route map if there is no explicit route to the destination. If a list of interfaces is configured and the first interface is down, the next interface in the list is used.
  • set interface <interface-id>: Sets the exit interface for packets that pass a match clause of a route map for policy routing.
  • set ip default next-hop <ip-address>: Sets the next hop for packets that pass a match clause of a route map for policy routing and for which the Cisco IOS software has no explicit route to the destination.
  • set ip default next-hop verify-availability: Forces the router to check the CDP database to determine whether an entry is available for the next hop specified by the set ip default next-hop command. This is used to prevent traffic from being "blackholed" if the configured next hop becomes unavailable.
  • set ip next-hop <ip-address-1 ip-address-2 ip-address-3 | peer-address | self>: Sets the next hop for packets that pass a match clause of a route map for policy routing. BGP dynamic manipulation uses the peer-address or self keywords.
  • set ip next-hop verify-availability: Forces the router to check the CDP database or use object tracking to determine whether the next hop specified for policy-based routing is available.
  • set ip vrf: Indicates where to forward packets that pass a match clause of a route map for policy routing when the next hop must be under a specified VRF name.
  • set next-hop: Specifies the address of the next hop.
  • set level [level-1 | level-2 | stub-area | backbone]: Indicates at what level or type of area to import routes into (for IS-IS and OSPF routes).
  • set as-path [tag | prepend <as-path-string | last-as 1-10>]: Modifies an autonomous system path for BGP routes.
  • set automatic-tag: Automatically computes the BGP tag value.
  • set community [<community-number> | additive | <well-known-community> | none]: Sets the BGP community attribute.
  • set local-preference <bgp-path-attribute>: Specifies a local preference value for the BGP autonomous system path.
  • set weight <0-65535>: Specifies the BGP weight value.
  • set origin [igp | incomplete]: Specifies the BGP origin code.
  • set tag: Specifies the tag value for the destination routing protocol.

continue command

Processing of route-maps starts with the lowest sequence number and proceeds sequentially until a statement matches, after which processing stops. However, if a route-map statement has the continue keyword, processing continues after that match. The continue keyword is used in route-map statements when logical "AND" processing across sequences is needed: it causes the route map to go on and process the next match statements.

Example Configuration

route-map DEMO permit 10
match X Y Z
match A
set B
set C
route-map DEMO permit 20
match Q
set R
route-map DEMO permit 30

The route map DEMO is interpreted as follows:

  1. If ((X or Y or Z) and (A) match) then (set B and C)
  2. Else
  3. If Q matches then set R
  4. Else
  5. Set nothing

A route map statement without a match or set command, such as route-map DEMO permit 40, matches and permits all prefixes. If this is the last sequence in a route map, it effectively disables the implicit deny all at the end of the route map.

Applications

Where a route map is applied depends on what it will be used for. The flexibility of route maps means that they can be utilized in many routing scenarios, such as the following:

  • Route filtering: between areas in OSPF, or in any arbitrary location in EIGRP and BGP.
  • Route filtering during redistribution: route maps offer the benefit of manipulating route metrics through the set commands. The route map is applied using the redistribute command.
  • Policy-based routing (PBR): route maps can be used to match source and destination addresses, protocol types, and end-user applications. When a match occurs, a set command can be used to determine the interface or next-hop address to which the packet should be sent. The route-map is applied to an interface using the ip policy route-map interface configuration command.
  • Traffic engineering in BGP: in addition to filtering, route-maps provide traffic engineering opportunities such as manipulation of BGP path attributes (next hop, AS PATH, local preference, weight, etc.) on a neighbor-by-neighbor basis. The route-map is applied using the BGP neighbor router configuration command.

Filtering

When configuring filtering using prefix lists, only one prefix list can be used for filtering per direction(ingress or egress). However, when filtering using route maps, a route map can be configured with many statements each using different prefix lists.

When using a route map for filtering, the "permit" or "deny" within the ACL or prefix-list does not mean that route will be filtered or not. The permit and deny keywords are used to indicate that the prefix should be matched or not matched respectively. A permit statement in an ACL/prefix-list means take action in the route-map. A deny means move to the next route map statement. Different ACLs or prefix-lists can be called by the same route-map.

Given the following access-lists:

access-list 50 permit 172.16.0.0 0.0.255.255
access-list 60 permit 192.168.0.0 0.0.255.255
access-list 60 deny 192.168.10.0 0.0.0.255
access-list 60 permit any

route-map TEST deny 10
match ip address 50
route-map TEST permit 20
match ip address 60

Route-map sequence number 10 is a deny statement, so prefixes permitted by access-list 50 (172.16.0.0 0.0.255.255) are matched and denied, i.e., filtered.
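To make the matching rules concrete, here is an added Python model (not IOS code and not part of the original post) that replays access-lists 50/60 and route-map TEST above: an ACL permit means "matched", an ACL deny or the ACL's implicit deny means "not matched, try the next sequence", the first matching sequence wins, and an unmatched prefix hits the route map's implicit deny. The Entry class, the tag set value and the sample prefixes are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, simplified model of IOS standard ACLs and route maps.
# It only reproduces the matching semantics described above (ACL permit =
# match, ACL deny = no match, first match wins, implicit deny at the end)
# and ignores continue, PBR and non-ACL match types.

def _acl_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network (assumes a
    contiguous wildcard such as 0.0.255.255)."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def parse_acls(lines):
    """Parse 'access-list N permit|deny addr wildcard' (or '... any')."""
    acls = {}
    for line in lines:
        _, num, action, *rest = line.split()
        net = (ipaddress.ip_network("0.0.0.0/0") if rest == ["any"]
               else _acl_network(*rest))
        acls.setdefault(num, []).append((action, net))
    return acls

def acl_permits(entries, prefix):
    """First-match test of the route's network number against a standard
    ACL. False on an explicit deny or on the ACL's implicit deny."""
    for action, net in entries:
        if prefix.network_address in net:
            return action == "permit"
    return False

@dataclass
class Entry:
    seq: int
    action: str                                   # permit or deny
    matches: list = field(default_factory=list)   # one ACL list per match statement
    sets: dict = field(default_factory=dict)      # set values (constructed)

def evaluate(route_map, acls, prefix):
    """Return (action, set-values) for one prefix. ACLs named in a single
    match statement are ORed; separate match statements under the same
    sequence are ANDed; a sequence with no match statement matches all."""
    prefix = ipaddress.ip_network(prefix)
    for e in sorted(route_map, key=lambda x: x.seq):
        matched = all(any(acl_permits(acls[n], prefix) for n in acl_list)
                      for acl_list in e.matches)
        if not matched:
            continue          # ACL deny = not matched: try the next sequence
        return e.action, (dict(e.sets) if e.action == "permit" else {})
    return "deny", {}         # implicit deny any at the end of the route map

# Constructed sample mirroring access-lists 50/60 and route-map TEST above.
ACLS = parse_acls([
    "access-list 50 permit 172.16.0.0 0.0.255.255",
    "access-list 60 permit 192.168.0.0 0.0.255.255",
    "access-list 60 deny 192.168.10.0 0.0.0.255",
    "access-list 60 permit any",
])
TEST = [
    Entry(10, "deny", matches=[["50"]]),
    Entry(20, "permit", matches=[["60"]], sets={"tag": 60}),
]

if __name__ == "__main__":
    for p in ("172.16.5.0/24", "192.168.10.0/24", "10.0.0.0/8"):
        print(p, evaluate(TEST, ACLS, p))
```

Note that 192.168.10.0/24 is still permitted at sequence 20: the first line of access-list 60 permits it before its deny line is reached, because an ACL is itself evaluated first-match, so the deny line never takes effect.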

Redistribution

Uses the command redistribute route-map <route-map-name>.

  • Prefix Advertisement: filtering of prefixes during advertisement by a routing protocol uses the command distribute-list route-map <route-map-name>.
  • Attribute Manipulation: uses the command neighbor <ip-address> route-map <route-map-name>.

Path Control

To utilise a route map, it has to be applied to an interface (policy-based routing) or to a routing protocol. For policy-based routing the route-map must be applied on the inbound interface; applying it to the outgoing interface has no effect. To associate the route-map, use the ip policy route-map <route-map-name> command under the interface. Details of how route maps are used for path control are explained in a separate post.

Redistribution Caveats

Redistribution of routing information adds to the complexity of a network and increases the potential for routing confusion, so you should use it only when necessary. The key issues that arise when you are using redistribution are as follows:

  • Routing loops
  • Incompatible routing information
  • Inconsistent convergence time

Verification

show route-map

Displays all configured route maps, to verify what was configured. To display a specific route map, add its name: show route-map <route-map-name>.

Thursday 6 July 2023

Understanding Prefix-Lists

Overview

Like access control lists (ACLs), prefix lists are used as a filtering tool. However, unlike ACLs, which are used for a wide variety of tasks, prefix lists are predominantly used by routing protocols for route/prefix filtering. Prefix lists provide more granular control over matching prefixes for route filtering: they match both the prefix and the prefix length, whereas ACLs match only the prefix. Like an ACL, prefix-lists use permit or deny clauses to match prefixes and prefix lengths. Internal processing of IP prefix-lists uses a tree structure that results in faster matching of routes compared to ACLs. In recent developments, improvements have been made to the processing of prefix-lists and ACLs in hardware.

Naming and Structure

The naming and structure of prefix lists is similar to named ACLs. The prefix list naming recommendations include the following:

  • A name cannot contain spaces or punctuation marks.
  • A prefix list name cannot begin with a number.
  • A prefix list name must be unique; prefix lists of different types cannot have the same name.
  • A prefix list name can have a mixture of alphanumeric characters.
  • It is recommended that the prefix list name be written in capital letters.
  • Prefix list names are locally significant; multiple routers on the network can be configured with the same name.
  • Choose names that identify the function of the prefix list.

Prefix-lists use the concept of a unique name for a single prefix-list with multiple entries. Each entry has a unique sequence number. The use of sequence numbers allows subsequent modification of the prefix list through the addition or deletion of individual entries.

Prefix-lists do not use wildcard masks or bits; they use the prefix length for matching against the network address and subnet mask. A prefix-list is used to match routes, particularly for route filtering, and not for packet filtering:

  • Permit: the route is matched; the route should not be filtered.
  • Deny: the route is not matched and should be filtered.

Prefix-lists have a default implicit deny all statement at the end. The command to configure a prefix-list is: ip prefix-list <name> [seq <num>] {deny | permit} <prefix/prefix-length> [ge <prefix-length>] [le <prefix-length>] where:

  • prefix/prefix-length: the prefix and prefix-length that is being matched.
  • ge (greater than or equal to): sets the lower limit of the prefix-length range to be matched; prefix lengths from the ge value up to 32 match. The configured prefix-length MUST be less than the ge value; otherwise IOS reports the error message: % Invalid prefix range for 10.1.1.0/24, make sure: len < ge.value <= le.value.
  • le (less than or equal to): sets the upper limit of the prefix-length range to be matched; prefix lengths from the configured prefix length up to the le value match. The configured prefix-length must be less than the le value; otherwise IOS reports the same error message: % Invalid prefix range for 10.1.1.0/24, make sure: len < ge.value <= le.value.
  • le and ge: if both are configured on the same prefix list statement, the value of le must be greater than or equal to the value of ge:
    • Prefix lengths to be matched are in the range ge value to le value.
    • If le is equal to ge, then the prefix length is matched against that specific value rather than a range.

Prefix Matching

The logic of a prefix-list is as follows:

  • The route's prefix must be within the range of addresses implied by the prefix-list command's prefix/length parameters.
  • The route's prefix-length must fall within the range of prefix lengths implied by the prefix-list command's prefix-length, ge and le parameters.

Every match performed by a prefix list checks the network address and the subnet mask. Up to four types of matching can be performed using prefix lists:

  1. Exact match: only the prefix and prefix length are specified by the prefix list. The ge and le keywords are not used.
    • ip prefix-list PL permit 10.1.1.0/24
      • Matches the network address 10.1.1.x.
      • Matches the subnet mask 255.255.255.0.
  2. From a minimum prefix length: implemented using the ge keyword.
    • ip prefix-list PL permit 10.1.1.0/24 ge 26
      • Matches the network address 10.1.1.x.
      • Matches the subnet mask 255.255.255.192 - 255.255.255.255.
    • ip prefix-list PL permit 10.1.1.0/8 ge 9
      • Matches the network address 10.x.x.x.
      • Matches the subnet mask 255.128.0.0 - 255.255.255.255.
  3. Up to a maximum prefix length: implemented using the le keyword; prefix lengths from the configured prefix length up to the le value match.
    • ip prefix-list PL permit 10.1.1.0/16 le 26
      • Matches the network address 10.1.x.x.
      • Matches the subnet mask 255.255.0.0 - 255.255.255.192.
    • ip prefix-list PL permit 10.1.1.0/19 le 27
      • Matches the network address 10.1.x.x/19.
      • Matches the subnet mask 255.255.224.0 - 255.255.255.224.
  4. Range of prefix lengths: implemented by configuring both the ge and le keywords.
    • ip prefix-list PL permit 10.1.1.0/16 ge 22 le 30
      • Matches the network address 10.1.x.x.
      • Matches the subnet mask 255.255.252.0 - 255.255.255.252.
    • ip prefix-list PL permit 10.1.1.0/24 ge 26 le 29
      • Matches the network address 10.1.1.x.
      • Matches the subnet mask 255.255.255.192 - 255.255.255.248.
    • ip prefix-list PL permit 10.1.1.0/24 ge 26 le 26
      • Matches the network address 10.1.1.x.
      • Matches only the subnet mask 255.255.255.192.

Matching the Default Route

IPv4

ip prefix-list PL permit 0.0.0.0/0

  • Matches any address.
  • The subnet mask MUST be exactly zero (0). Only the default route has a subnet mask of zero.

IPv6

ipv6 prefix-list PL permit ::/0

Match all prefixes

IPv4

ip prefix-list PL permit 0.0.0.0/0 le 32

  • le 32 means that the subnet mask will match anything from 0.0.0.0 to 255.255.255.255. Even the broadcast address is matched.

IPv6

ipv6 prefix-list PL permit ::/0 le 128
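An added Python model of the prefix-list rules above (not IOS code and not part of the original post): it parses ip/ipv6 prefix-list lines, enforces the len < ge <= le rule from the error message quoted above, and evaluates a route first-match against the entries with the implicit deny at the end. The check helper and the assignment of sequence numbers in steps of 5 to unnumbered entries are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Union

# Constructed model of IOS 'ip prefix-list' matching, written to work
# through the prefix/ge/le cases listed above. It is not IOS code.

_LINE = re.compile(
    r"ipv?6? prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? "
    r"(?P<action>permit|deny) (?P<prefix>\S+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")

@dataclass
class Entry:
    seq: int
    action: str
    net: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    lo: int      # lowest prefix length that matches
    hi: int      # highest prefix length that matches

def parse_prefix_list(lines):
    """Parse prefix-list lines. Unnumbered entries get sequence numbers in
    steps of 5 (the IOS default). Rejects len >= ge, len >= le and ge > le."""
    entries, last = [], 0
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line}")
        net = ipaddress.ip_network(m["prefix"], strict=False)
        length, maxlen = net.prefixlen, net.max_prefixlen
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        for v in (ge, le):
            if v is not None and not length < v <= maxlen:
                raise ValueError(f"Invalid prefix range for {m['prefix']}, "
                                 "make sure: len < ge.value <= le.value")
        if ge is not None and le is not None and ge > le:
            raise ValueError("ge must not exceed le")
        lo = ge if ge is not None else length               # exact length if no ge
        hi = le if le is not None else (maxlen if ge is not None else length)
        seq = int(m["seq"]) if m["seq"] else last + 5
        last = seq
        entries.append(Entry(seq, m["action"], net, lo, hi))
    return entries

def evaluate(entries, route):
    """First match wins: the route must lie inside the entry's prefix and its
    length must fall in [lo, hi]. No match falls through to the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for e in sorted(entries, key=lambda e: e.seq):
        if (r.version == e.net.version and r.subnet_of(e.net)
                and e.lo <= r.prefixlen <= e.hi):
            return e.action
    return "deny"

def check(lines, route):
    """Convenience wrapper: parse the given lines and evaluate one route."""
    return evaluate(parse_prefix_list(lines), route)

if __name__ == "__main__":
    pl = ["ip prefix-list PL permit 10.1.1.0/24 ge 26 le 29"]
    for r in ("10.1.1.0/24", "10.1.1.0/28", "10.1.1.0/30"):
        print(r, check(pl, r))
```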

Exercise

Objective: Deny all routes that have the first 24 bits of 10.10.10.x AND a subnet mask that is GE 24 but LE 30.