About Route Policy Manager
Route Policy Manager supports route maps and IP prefix lists. These features are used for route redistribution. A prefix list contains one or more IPv4 or IPv6 network prefixes and the associated prefix length values. You can use a prefix list by itself in features such as Border Gateway Protocol (BGP) templates, route filtering, or redistribution of routes that are exchanged between routing domains.
Route maps can apply to both routes and IP packets. Route filtering and redistribution pass a route through a route map.
Prefix Lists
You can use prefix lists to permit or deny an address or range of addresses. Filtering by a prefix list involves matching the prefixes of routes or packets with the prefixes listed in the prefix list. An implicit deny is assumed if a given prefix does not match any entries in a prefix list.
You can configure multiple entries in a prefix list and permit or deny the prefixes that match the entry. Each entry has an associated sequence number that you can configure. If you do not configure a sequence number, Cisco NX-OS assigns a sequence number automatically. Cisco NX-OS evaluates prefix lists starting with the lowest sequence number. Cisco NX-OS processes the first successful match for a given prefix. Once a match occurs, Cisco NX-OS processes the permit or deny statement and does not evaluate the rest of the prefix list.
Note: An empty prefix list permits all routes.
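The evaluation order described above, as an added Python model (not Cisco code): lowest sequence number first, first match decides, implicit deny at the end, and an empty list permitting everything. Auto-numbering in steps of 5 is an assumption; the page only says NX-OS assigns a number automatically.

```python
"""Simulation of NX-OS prefix-list evaluation as described on this page.
Added example, not Cisco code: it models lowest-sequence-first, first-match,
implicit deny, and the empty-list-permits-all rule. Auto-numbering in steps
of 5 is an assumption; the page only says a number is assigned automatically."""
import ipaddress


class PrefixList:
    def __init__(self, name):
        self.name = name
        self.entries = {}  # sequence number -> (action, network)

    def add(self, action, prefix, seq=None):
        """Add an entry; without a sequence number, take the next free multiple of 5."""
        if seq is None:
            seq = max(self.entries, default=0) + 5
        self.entries[seq] = (action, ipaddress.ip_network(prefix, strict=False))
        return seq

    def evaluate(self, prefix):
        """Return 'permit' or 'deny' for one route prefix.
        Without ge/le (not modelled here) an entry matches only the exact
        network and prefix length, so 10.1.0.0/16 does not match 10.0.0.0/8."""
        if not self.entries:               # an empty prefix list permits all routes
            return "permit"
        net = ipaddress.ip_network(prefix, strict=False)
        for seq in sorted(self.entries):   # lowest sequence number first
            action, candidate = self.entries[seq]
            if candidate == net:           # first match decides, rest is skipped
                return action
        return "deny"                      # implicit deny at the end of the list


def build_sample_list():
    """Constructed sample showing that sequence order, not entry order, wins."""
    pl = PrefixList("FROM-OSPF")
    pl.add("deny", "10.0.0.0/8", seq=20)
    pl.add("permit", "10.0.0.0/8", seq=5)     # lower seq, entered later, still wins
    pl.add("permit", "192.168.0.0/16")        # auto-numbered 25
    return pl


if __name__ == "__main__":
    pl = build_sample_list()
    for p in ("10.0.0.0/8", "10.1.0.0/16", "192.168.0.0/16", "172.16.0.0/12"):
        print(p, pl.evaluate(p))
```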
MAC Lists
You can use MAC lists to permit or deny a MAC address or range of addresses. A MAC list consists of a list of MAC addresses and optional MAC masks. A MAC mask is a wild-card mask that is logically AND-ed with the MAC address when the route map matches on the MAC list entry. Filtering by a MAC list involves matching the MAC address of packets with the MAC addresses listed in the MAC list. An implicit deny is assumed if a given MAC address does not match any entries in a MAC list.
You can configure multiple entries in a MAC list and permit or deny the MAC addresses that match the entry. Each entry has an associated sequence number that you must configure. Cisco NX-OS evaluates MAC lists starting with the lowest sequence number. Cisco NX-OS processes the first successful match for a given MAC address. Once a match occurs, Cisco NX-OS processes the permit or deny statement and does not evaluate the rest of the MAC list.
Route Maps
You can use route maps for route redistribution. Route map entries consist of a list of match and set criteria. The match criteria specify match conditions for incoming routes or packets, and the set criteria specify the action taken if the match criteria are met.
You can configure multiple entries in the same route map. These entries contain the same route map name and are differentiated by a sequence number.
You create a route map with one or more route map entries arranged by the sequence number under a unique route map name. The route map entry has the following parameters:
- Sequence number
- Permission—permit or deny
- Match criteria
- Set changes
By default, a route map processes routes or IP packets in a linear fashion (that is, starting from the lowest sequence number). You can configure the route map to process in a different order using the continue statement, which allows you to determine which route map entry to process next.
Default Action for Sequences in a Route Map
The default action for any sequence in a route map is permit. The permit action is applied under the following situations:
- When you configure a new sequence in a route map without explicitly specifying either permit or deny.
- When you edit a configured sequence in a route map and do not specify an action. In this situation, the permit action is applied even if the edited sequence was originally configured with deny. For example, assume sequence 10 was configured with deny. If you later edit sequence 10 without specifying deny again, the action for that sequence is set to permit.

When configuring or editing a sequence of a route map, always set the correct action. Failure to do so causes the default action, permit, to be applied.
Default Sequence Number for a Route Map
The default sequence number for a route-map entry with no specified sequence value is 10: if you create a new route-map without specifying a sequence number, the new entry gets sequence number 10. The default sequence number is also applied in the following situations:

- Existing route-map with sequence number 10: If a route-map already exists with sequence number 10 and you configure the same route-map again without specifying a sequence number, any modifications are applied to sequence number 10 of that route-map.
- Existing route-map with other sequence numbers (20, 30, 40, and so on): If a route-map already has sequence numbers assigned (20, 30, 40, and so on) and you configure it again without specifying a sequence number, a new entry with sequence number 10 is created for that route-map.
Match Criteria
You can use a variety of criteria to match a route or IP packet in a route map. Some criteria, such as BGP community lists, are applicable only to a specific routing protocol while other criteria, such as the IP source or the destination address, can be used for any route or IP packet.
When Cisco NX-OS processes a route or packet through a route map, it compares the route or packet to each of the match statements configured. If the route or packet matches the configured criteria, Cisco NX-OS processes it based on the permit or deny configuration for that match entry in the route map and any set criteria configured.
The match categories and parameters are as follows:
- BGP parameters—Match based on AS numbers, AS-path, community attributes, or extended community attributes.
- Prefix lists—Match based on an address or range of addresses.
- Multicast parameters—Match based on rendezvous point, groups, or sources.
- Other parameters—Match based on IP next-hop address or packet length.
Set Changes
Once a route or packet matches an entry in a route map, the route or packet can be changed based on one or more configured set statements.
The set changes are as follows:
- BGP parameters—Change the AS-path, tag, community, extended community, dampening, local preference, origin, or weight attributes.
- Metrics—Change the route-metric or the route-type.
- Other parameters—Change the forwarding address or the IP next-hop address.
Access Lists
IP access lists can match the packet to a number of IP packet fields such as the following:
- Source or destination IPv4 or IPv6 address
- Protocol
- Precedence
- ToS

Note: You can use ACLs in a route map for policy-based routing only.
AS Numbers for BGP
You can configure a list of AS numbers to match against BGP peers. If a BGP peer matches an AS number in the list and matches the other BGP peer configuration, BGP creates a session. If the BGP peer does not match an AS number in the list, BGP ignores the peer. You can configure the AS numbers as a list or a range of AS numbers, or you can use an AS-path list to compare the AS numbers against a regular expression.
AS-Path Lists for BGP
You can configure an AS-path list to filter inbound or outbound BGP route updates. If the route update contains an AS-path attribute that matches an entry in the AS-path list, the router processes the route based on the permit or deny condition configured. You can configure AS-path lists within a route map.
You can configure multiple AS-path entries in an AS-path list by using the same AS-path list name. The router processes the first entry that matches.
Community Lists for BGP
You can filter BGP route updates based on the BGP community attribute by using community lists in a route map. You can match the community attribute based on a community list, and you can set the community attribute using a route map.
A community list contains one or more community attributes. If you configure more than one community attribute in the same community list entry, the BGP route must match all community attributes listed to be considered a match.
You can also configure multiple community attributes as individual entries in the community list by using the same community list name. In this case, the router processes the first community attribute that matches the BGP route, using the permit or deny configuration for that entry.
You can configure community attributes in the community list in one of the following formats:
- A named community attribute, such as internet or no-export.
- In aa:nn format, where the first two bytes represent the two-byte AS number and the last two bytes represent a user-defined network number.
- A regular expression.
Extended Community Lists for BGP
Extended community lists support 4-byte AS numbers. You can configure community attributes in the extended community list in one of the following formats:
- In aa4:nn format, where the first four bytes represent the four-byte AS number and the last two bytes represent a user-defined network number.
- A regular expression.
Cisco NX-OS supports generic specific extended community lists, which provide similar functionality to regular community lists for four-byte AS numbers. You can configure generic specific extended community lists with the following properties:
- Transitive—BGP propagates the community attributes across autonomous systems.
- Nontransitive—BGP removes community attributes before propagating the route to another autonomous system.
Configuring NX-OS BGP Large Communities
About NX-OS BGP Large Communities
Before large community support, NX-OS BGP supported only standard and extended communities, which limits how you can classify routes by 4-byte ASN: each standard community is 4 bytes, and each extended community is 8 bytes, of which 2 bytes define the community type and only 6 bytes remain for data. Large communities are standardized by IETF RFC 8092, which defines communities that are 12 bytes in size and provides more flexibility in classifying BGP routes.
This feature provides the ability to classify routes from different data centers in different ASNs by using communities to tag the routes. Large communities, each 12 bytes long, serve to classify routes from different ASNs. With RFC 8092 support, NX-OS BGP lets you classify routes from 4-byte ASNs using standard route policy methods. It also gives more flexibility in configuring networks and routing policies by removing the 4-byte restriction of standard BGP communities.
Configuring Large Community List (Expanded)
The following are the steps to configure a large community list in expanded form:
SUMMARY STEPS
- configure terminal
- ip large-community-list expanded
- ip large-community-list expanded list-name
- ip large-community-list expanded abcd seq
- ip large-community-list expanded abcd seq 10 {deny | permit }
- ip large-community-list expanded abcd seq 10 permit XX:YY:ZZ
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
1 | configure terminal | Enters global configuration mode.
2 | ip large-community-list expanded | Adds an expanded large community list entry.
3 | ip large-community-list expanded list-name | Names the expanded large community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.
4 | ip large-community-list expanded abcd seq | Provides the sequence number of the entry.
5 | ip large-community-list expanded abcd seq 10 {deny \| permit} | deny rejects the matching large community; permit accepts it.
6 | ip large-community-list expanded abcd seq 10 permit XX:YY:ZZ | Provides the regular expression, in XX:YY:ZZ format. XX is the four-octet global administrator field, which represents the ASN, with a range of <0-4294967294>. YY and ZZ are four-octet local data fields defined by the owner of the ASN. The ":" separates the global and local data fields.
Example
switch(config)# ip large-community-list expanded abcd seq 10 permit "^100:200:300$"
switch(config)# sh run rpm
<<SNIP>>
ip large-community-list expanded abcd seq 10 permit "^100:200:300$"
Configuring Large Community List (Standard)
The following are the steps to configure a large community list in standard form:
SUMMARY STEPS
- configure terminal
- ip large-community-list standard
- ip large-community-list standard list-name
- ip large-community-list standard efgh seq
- ip large-community-list standard efgh seq 15 {deny | permit }
- ip large-community-list standard efgh seq 15 deny XX:YY:ZZ
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
1 | configure terminal | Enters global configuration mode.
2 | ip large-community-list standard | Adds a standard large community list entry.
3 | ip large-community-list standard list-name | Names the standard large community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.
4 | ip large-community-list standard efgh seq | Provides the sequence number of the entry.
5 | ip large-community-list standard efgh seq 15 {deny \| permit} | deny rejects the matching large community; permit accepts it.
6 | ip large-community-list standard efgh seq 15 deny XX:YY:ZZ | Provides the regular expression, in XX:YY:ZZ format. XX is the four-octet global administrator field, which represents the ASN, with a range of <0-4294967294>. YY and ZZ are four-octet local data fields defined by the owner of the ASN. The ":" separates the global and local data fields.
Example
switch(config-route-map)# ip large-community-list standard efgh seq 15 deny 1000300:123:456
switch(config)# sh run rpm
<<SNIP>>
ip large-community-list standard efgh seq 15 deny 1000300:123:456
Configuring Route-map Match for Large Community
The following are the steps to configure route-map match for large community:
SUMMARY STEPS
- configure terminal
- match large-community
- match large-community list-name
- match large-community abcd exact-match
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
1 | configure terminal | Enters global configuration mode.
2 | match large-community | Matches on a BGP large community list.
3 | match large-community list-name | Names the large community list to match. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.
4 | match large-community abcd exact-match | Requires an exact match of the large communities.
Example
switch(config-route-map)# sh run rpm
<<SNIP>>
route-map test permit 10
match large-community abcd efgh
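The two list forms configured in the preceding sections, modelled in Python as an added example (not Cisco code): a standard list holds literal XX:YY:ZZ values, an expanded list holds regular expressions such as ^100:200:300$, and each field is range-checked as the tables describe. Trying entries lowest sequence first with an implicit deny at the end is an assumption carried over from the other list types on this page.

```python
"""Model of the large community lists configured above (RFC 8092 XX:YY:ZZ values).
Added example, not Cisco code: a standard list holds literal communities, an
expanded list holds regular expressions; entries are tried lowest sequence first,
the first entry hit by any community on the route decides, and no hit is a deny
(that first-match model is an assumption carried over from the other lists)."""
import re

MAX_GLOBAL_ADMIN = 4294967294   # range of XX stated on this page
MAX_LOCAL_DATA = 2**32 - 1      # YY and ZZ are four-octet fields


def parse_large_community(text):
    """Parse 'XX:YY:ZZ' into an (int, int, int) tuple, rejecting bad widths."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed large community: {text!r}")
    ga, ld1, ld2 = (int(p) for p in parts)
    if ga > MAX_GLOBAL_ADMIN or ld1 > MAX_LOCAL_DATA or ld2 > MAX_LOCAL_DATA:
        raise ValueError(f"field out of range: {text!r}")
    return ga, ld1, ld2


def is_valid_large_community(text):
    try:
        parse_large_community(text)
        return True
    except ValueError:
        return False


class LargeCommunityList:
    def __init__(self, name, kind):
        assert kind in ("standard", "expanded")
        self.name, self.kind, self.entries = name, kind, {}   # seq -> (action, value)

    def add(self, seq, action, value):
        if self.kind == "standard":
            self.entries[seq] = (action, parse_large_community(value))
        else:
            self.entries[seq] = (action, re.compile(value))   # regex per community

    def evaluate(self, communities):
        """communities: 'XX:YY:ZZ' strings carried by one BGP route."""
        parsed = {parse_large_community(c): c for c in communities}
        for seq in sorted(self.entries):
            action, value = self.entries[seq]
            if self.kind == "standard":
                hit = value in parsed
            else:
                hit = any(value.search(text) for text in parsed.values())
            if hit:
                return action
        return "deny"
```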
Configuring Route Map Set for Large Community
The following are the steps to configure route-map set for large community:
SUMMARY STEPS
- configure terminal
- set large-community-list
- set large-community-list list-name
- set large-community-list list-name delete
- set large-community {none | XX:YY:ZZ [additive ] | additive }
DETAILED STEPS
Step | Command or Action | Purpose
---|---|---
1 | configure terminal | Enters global configuration mode.
2 | set large-community-list | Sets the BGP large community attribute.
3 | set large-community-list list-name | Names the large community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.
4 | set large-community-list list-name delete | Deletes the matching large communities.
5 | set large-community {none \| XX:YY:ZZ [additive] \| additive} | Sets the large-community attribute for a BGP route update.
Route Redistribution and Route Maps
You can use route maps to control the redistribution of routes between routing domains. Route maps match on the attributes of the routes to redistribute only those routes that pass the match criteria. The route map can also modify the route attributes during this redistribution using the set changes.
The router matches redistributed routes against each route map sequence in turn. If there are multiple match statements under a route-map sequence, the route must pass all the match criteria under that sequence. If a route passes the match criteria defined in a route map sequence, the set actions defined in that sequence are executed. If the route does not match the criteria in a route-map sequence, the router compares the route against the next route map sequence. This evaluation continues until a match is made or the route has been evaluated against all the sequences in the route map. Finally, if the route does not match any of the route-map sequences, the router denies acceptance of the route (for inbound route maps) or denies forwarding of the route (for outbound route maps).
Note: When you redistribute BGP to IGP, iBGP is redistributed as well. To override this behavior, you must insert an additional deny statement into the route map.
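The sequence rules from the Default Action, Default Sequence Number and Route Redistribution sections, combined in one added Python model (not Cisco code): a missing sequence number means 10, re-entering a sequence without an action resets it to permit, every match statement in a sequence must pass, the first matching sequence decides, and a route that matches no sequence is denied. The route and match attributes (tag, next_hop, local_pref) are constructed for the sample, and applying set changes only from a permitting sequence is an assumption.

```python
"""Model of the route-map rules stated on this page: default sequence 10,
default action permit (also when re-entering a sequence without an action),
lowest sequence first, every match statement in a sequence must pass, first
matching sequence decides, and no match means deny. Added example, not Cisco code."""
from dataclasses import dataclass, field

DEFAULT_SEQ = 10


@dataclass
class Sequence:
    action: str = "permit"                      # default action is permit
    match: dict = field(default_factory=dict)   # attribute -> set of accepted values
    sets: dict = field(default_factory=dict)    # attribute -> value written on permit


class RouteMap:
    def __init__(self, name):
        self.name = name
        self.seqs = {}  # sequence number -> Sequence

    def configure(self, seq=None, action=None, match=None, sets=None):
        """Mimics 'route-map NAME [permit|deny] [SEQ]': a missing SEQ means 10 and
        a missing action resets the entry to permit, even if it was deny before."""
        seq = DEFAULT_SEQ if seq is None else seq
        entry = self.seqs.setdefault(seq, Sequence())
        entry.action = action or "permit"
        entry.match.update(match or {})
        entry.sets.update(sets or {})
        return seq

    def evaluate(self, route):
        """Return (verdict, route). A sequence with no match statements matches
        everything; set changes are applied only by a permitting sequence (assumed)."""
        for seq in sorted(self.seqs):                       # lowest first
            entry = self.seqs[seq]
            if all(route.get(k) in v for k, v in entry.match.items()):
                if entry.action == "deny":
                    return "deny", dict(route)
                return "permit", {**route, **entry.sets}   # first match wins
        return "deny", dict(route)                          # matched no sequence


def build_redistribution_map():
    """Constructed sample: drop tag 666, raise local preference for routes via
    10.0.0.1, then re-enter sequence 10 without 'deny', which flips it to permit."""
    rm = RouteMap("OSPF-TO-BGP")
    rm.configure(seq=10, action="deny", match={"tag": {666}})
    rm.configure(seq=20, match={"next_hop": {"10.0.0.1"}}, sets={"local_pref": 200})
    rm.configure(seq=10, match={"tag": {666}})   # action omitted: now permit
    return rm
```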