Route Maps

This chapter describes how to configure and customize route maps for the ASA.

About Route Maps

Route maps are used when redistributing routes into an OSPF, RIP, EIGRP or BGP routing process. They are also used when generating a default route into an OSPF routing process. A route map defines which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process.

Route maps have many features in common with widely known ACLs. These are some of the traits common to both:

  • They are an ordered sequence of individual statements, and each has a permit or deny result. Evaluation of an ACL or a route map consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.

  • They are generic mechanisms. Criteria matches and match interpretation are dictated by the way that they are applied and the feature that uses them. The same route map applied to different features might be interpreted differently.

These are some of the differences between route maps and ACLs:

  • Route maps are more flexible than ACLs and can verify routes based on criteria which ACLs cannot verify. For example, a route map can verify if the type of route is internal.

  • Each ACL ends with an implicit deny statement, by design convention. If the end of a route map is reached during matching attempts, the result depends on the specific application of the route map. Route maps that are applied to redistribution behave the same way as ACLs: if the route does not match any clause in a route map then the route redistribution is denied, as if the route map contained a deny statement at the end.

Permit and Deny Clauses

Route maps can have permit and deny clauses. The deny clause rejects route matches from redistribution. You can use an ACL as the matching criterion in the route map. Because ACLs also have permit and deny clauses, the following rules apply when a packet matches the ACL:

  • ACL permit + route map permit: routes are redistributed.

  • ACL permit + route map deny: routes are not redistributed.

  • ACL deny + route map permit or deny: the route map clause is not matched, and the next route-map clause is evaluated.

Match and Set Clause Values

Each route map clause has two types of values:

  • A match value selects routes to which this clause should be applied.

  • A set value modifies information that will be redistributed into the target protocol.

For each route that is being redistributed, the router first evaluates the match criteria of a clause in the route map. If the match criteria succeeds, then the route is redistributed or rejected as dictated by the permit or deny clause, and some of its attributes might be modified by the values set from the set commands. If the match criteria fail, then this clause is not applicable to the route, and the software proceeds to evaluate the route against the next clause in the route map. Scanning of the route map continues until a clause is found that matches the route or until the end of the route map is reached.

A match or set value in each clause can be omitted or repeated several times, subject to the following rules:

  • If several match entries are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).

  • If a match entry refers to several objects in one entry, either of them should match (the logical OR algorithm is applied).

  • If a match entry is not present, all routes match the clause.

  • If a set entry is not present in a route map permit clause, then the route is redistributed without modification of its current attributes.


Note


Do not configure a set entry in a route map deny clause because the deny clause prohibits route redistribution—there is no information to modify.


A route map clause without a match or set entry does perform an action. An empty permit clause allows a redistribution of the remaining routes without modification. An empty deny clause does not allow a redistribution of other routes (this is the default action if a route map is completely scanned, but no explicit match is found).
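The clause rules from the Permit and Deny Clauses and Match and Set Clause Values sections, as a small evaluator (an added example, not ASA code). The `Route` and `Clause` classes, the ACL model (a route matches an ACL entry when its prefix falls inside the entry's network) and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass
class Route:
    prefix: str
    metric: int

@dataclass
class Clause:
    seq: int
    action: str                          # "permit" or "deny"
    match_acl: Optional[list] = None     # [(action, network), ...]; None = no such match entry
    match_metric: Optional[list] = None  # several values in one entry are ORed
    set_metric: Optional[int] = None

def acl_permits(acl, prefix):
    """First matching ACL entry decides; the ACL ends with an implicit deny."""
    net = ip_network(prefix)
    for action, entry in acl:
        if net.subnet_of(ip_network(entry)):
            return action == "permit"
    return False

def clause_matches(clause, route):
    """Every match entry present must succeed (AND); a clause with none matches all routes."""
    if clause.match_acl is not None and not acl_permits(clause.match_acl, route.prefix):
        return False  # ACL deny: clause not matched, the next clause is evaluated
    if clause.match_metric is not None and route.metric not in clause.match_metric:
        return False
    return True

def redistribute(route_map, route):
    """Return the route as redistributed, or None when redistribution is denied."""
    for clause in sorted(route_map, key=lambda c: c.seq):
        if not clause_matches(clause, route):
            continue
        if clause.action == "deny":
            return None  # nothing is redistributed, so there is nothing to set
        new_metric = route.metric if clause.set_metric is None else clause.set_metric
        return Route(route.prefix, new_metric)
    return None  # end of map reached: same as a trailing deny

# Constructed sample route map (illustrative values only).
ROUTE_MAP = [
    Clause(10, "deny", match_acl=[("deny", "10.9.0.0/16"), ("permit", "10.0.0.0/8")]),
    Clause(20, "permit", match_metric=[1, 2], set_metric=5),
    Clause(30, "permit", match_acl=[("permit", "192.168.0.0/16")]),
]

if __name__ == "__main__":
    for r in [Route("10.1.0.0/16", 1), Route("10.9.1.0/24", 1),
              Route("10.9.1.0/24", 7), Route("192.168.5.0/24", 7)]:
        print(r, "->", redistribute(ROUTE_MAP, r))
```

The second sample route is the case to check when auditing a filter: the ACL's deny entry does not block 10.9.1.0/24, it only makes clause 10 not match, and clause 20 then redistributes the route.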

Guidelines for Route Maps

Firewall Mode

Supported only in routed firewall mode. Transparent firewall mode is not supported.

Additional Guidelines

Route maps do not support ACLs that include a user, user group, or fully qualified domain name objects.

Define a Route Map

You must define a route map when specifying which of the routes from the specified routing protocol are allowed to be redistributed into the target routing process. In ASDM, you can define a route map by adding, editing, or deleting a route map name, sequence number, or redistribution.

Procedure


Step 1

In ASDM, choose Configuration > Device Setup > Routing > Route Maps.

Step 2

Click Add.

The Add Route Map or Edit Route Map dialog box appears.

Step 3

Enter the route map name and sequence number. The route map name is the name that you assign to a particular route. The sequence number is the order in which you add or delete the route map entries into the ASA.

Note

 

If you are editing an existing route map, the fields for Route Map name and sequence number are already filled in.

Step 4

To reject route matches from redistribution, click Deny. If you use an ACL in a route map Deny clause, routes that are permitted by the ACL are not redistributed. To allow route matches for redistribution, click Permit. If you use an ACL in a route map Permit clause, routes that are permitted by the ACL are redistributed.

In addition, if you use an ACL in a route map Permit or Deny clause, and the ACL denies a route, then the route map clause match is not found and the next route map clause is evaluated.

Step 5

Click the Match Clause tab to choose routes to which this clause should be applied, and set the following parameters:

  • Check the Match first hop interface of route check box to enable or disable matching the first hop interface of a route or to match any routes with the specified next hop interface. If you specify more than one interface, then the route can match either interface.

    • Enter the interface name in the Interface field, or click the ellipses to display the Browse Interface dialog box.

    • Choose one or more interfaces, click Interface, then click OK.

  • In the IPv4 and IPv6 sections, do one or more of the following:

    • Check the Match Address check box to enable or disable the Match address of a route or match packet.

    • Check the Match Next Hop check box to enable or disable the Match next hop address of a route.

    • Check the Match Route Source check box to enable or disable the Match advertising source address of the route.

    • Choose Access List or Prefix List from the drop-down list to match the IP address.

    • According to the previous selection, click the ellipses to display the Browse Access List or Browse Prefix List dialog box.

    • Choose the ACL or prefix list that you want.

  • Check the Match metric of route check box to enable or disable matching the metric of a route.

    • In the Metric Value field, type the metric values. You can enter multiple values, separated by commas. This setting allows you to match any routes that have a specified metric. The metric value can range from 0 to 4294967295.

  • Check the Match Route Type check box to enable or disable matching of the route type. Valid route types are External1, External2, Internal, Local, NSSA-External1, and NSSA-External2. When enabled, you can choose more than one route type from the list.

Step 6

Click the Set Clause tab to modify the following information, which will be redistributed to the target protocol:

  • Check the Set Metric Clause check box to enable or disable the metric value for the destination routing protocol, and type the value in the Value field.

  • Check the Set Metric Type check box to enable or disable the type of metric for the destination routing protocol, and choose the metric type from the drop-down list.

  • Adaptive Interface Cost—This option relates to Policy Based Routing. This option sets the output interface based on the interface’s cost. Click the Available Interfaces field and select the interfaces that should be considered. The egress interface is selected from the list of interfaces. If the costs of the interfaces are the same, it is an active-active configuration and packets are load-balanced (round-robin) on the egress interfaces. If the costs are different, the interface with the lowest cost is selected. Interfaces are considered only if they are up.

Step 7

Click the BGP Match Clause tab to choose routes to which this clause should be applied, and set the following parameters:

  • Check the Match AS path access lists check box to enable matching the BGP autonomous system path access list with the specified path access list. If you specify more than one path access list, then the route can match either path access list.

  • Check the Match Community check box to enable matching the BGP community with the specified community. If you specify more than one community, then the route can match either community. Any route that does not match at least one Match community will not be advertised for outbound route maps.

    • Check the Match the specified community exactly check box to enable matching the BGP community exactly with the specified community.

  • Check the Match Policy list check box to configure a route map to evaluate and process a BGP policy. If you specify more than one policy list, then the route can process either policy list.

Step 8

Click the BGP Set Clause tab to modify the following information, which will be redistributed to the BGP protocol:

  • Check the Set AS Path check box to modify an autonomous system path for BGP routes.

    • Check the Prepend AS path check box to prepend an arbitrary autonomous system path string to BGP routes. Usually the local AS number is prepended multiple times, increasing the autonomous system path length. If you specify more than one AS path number, then the route can prepend either AS number.

    • Check the Prepend Last AS to the AS Path check box to prepend the AS path with the last AS number. Enter a value for the AS number from 1 to 10.

    • Check the Convert route tag into AS Path check box to convert the tag of a route into an autonomous system path.

  • Check the Set Community check box to set the BGP communities attributes.

    • Click Specify Community to enter a community number, if applicable. Valid values are from 1 to 4294967200, internet, no-advertise and no-export.

    • Check Add to the existing communities to add the community to the already existing communities.

    • Click None to remove the community attribute from the prefixes that pass the route map.

  • Check the Set local preference check box to specify a preference value for the autonomous system path.

  • Check the Set weight check box to specify the BGP weight for the routing table. Enter a value between 0 and 65535.

  • Check the Set origin check box to specify the BGP origin code. Valid values are Local IGP and Incomplete.

  • Check the Set next hop check box to specify the output address of packets that fulfill the match clause of a route map.

    • Click Specify IP address to enter the IP address of the next hop to which packets are output. It need not be an adjacent router. If you specify more than one IP address, then the packets can be output at either IP address.

    • Click Use peer address to set the next hop to be the BGP peer address.

Step 9

Click OK.


Customize a Route Map

This section describes how to customize the route map.

Define a Route to Match a Specific Destination Address

Procedure


Step 1

In ASDM, choose Configuration > Device Setup > Routing > Route Maps.

Step 2

Click Add.

The Add Route Map dialog box appears. From this dialog box you can assign or choose the route map name, the sequence number and its redistribution access (that is, permit or deny). Route map entries are read in order. You can identify the order using the sequence number, or the ASA uses the order in which you add the entries.

Step 3

Click the Match Clause tab to choose routes to which this clause should be applied, and set the following parameters:

  • Check the Match first hop interface of route check box to enable or disable matching the first hop interface of a route or to match any routes with the specified next hop interface. If you specify more than one interface, then the route can match either interface.

    • Enter the interface name in the Interface field, or click the ellipses to display the Browse Interface dialog box.

    • Choose the interface type (inside or outside), click Selected Interface, then click OK.

    • Check the Match IP Address check box to enable or disable the Match address of a route or match packet.

    • Check the Match Next Hop check box to enable or disable the Match next hop address of a route.

    • Check the Match Route Source check box to enable or disable the Match advertising source address of the route.

    • Choose Access List or Prefix List from the drop-down list to match the IP address.

    • According to the previous selection, click the ellipses to display the Browse Access List or Browse Prefix List dialog box.

    • Choose the ACL or prefix list that you want.

  • Check the Match metric of route check box to enable or disable matching the metric of a route.

    • In the Metric Value field, type the metric values. You can enter multiple values, separated by commas. This setting allows you to match any routes that have a specified metric. The metric value can range from 0 to 4294967295.

  • Check the Match Route Type check box to enable or disable matching of the route type. Valid route types are External1, External2, Internal, Local, NSSA-External1, and NSSA-External2. When enabled, you can choose more than one route type from the list.


Configure Prefix Rules


Note


You must configure a prefix list before you may configure a prefix rule.


To configure prefix rules, perform the following steps:

Procedure


Step 1

Choose Configuration > Device Setup > Routing > IPv4 Prefix Rules or IPv6 Prefix Rules.

Step 2

Click Add and choose Add Prefix Rule.

The Add Prefix Rule dialog box appears. From this dialog box, you can add a sequence number, select an IP version (IPv4 or IPv6), specify a prefix for the network, its redistribution access (that is, permit or deny), and the minimum and maximum prefix length.

Step 3

Enter an optional Sequence Number or accept the default value.

Step 4

Specify the Prefix number in the format of IP address/mask length.

Step 5

Click the Permit or Deny radio button to indicate the redistribution access.

Step 6

Enter the optional Minimum length and Maximum length.

Step 7

Click OK when you are done.

The new or revised prefix rule appears in the list.

Step 8

Click Apply to save your changes.


Configure Prefix Lists

ABR type 3 LSA filtering extends the capability of an ABR that is running OSPF to filter type 3 LSAs between different OSPF areas. Once a prefix list is configured, only the specified prefixes are sent from one OSPF area to another OSPF area. All other prefixes are restricted to their OSPF area. You can apply this type of area filtering to traffic going into or coming out of an OSPF area, or to both the incoming and outgoing traffic for that area.

When multiple entries of a prefix list match a given prefix, the entry with the lowest sequence number is used. For efficiency, you may want to put the most common matches or denials near the top of the list by manually assigning them a lower sequence number. By default, sequence numbers are automatically generated in increments of 5, beginning with 5.

To add prefix lists, perform the following steps:

Procedure


Step 1

Choose Configuration > Device Setup > Routing > IPv4 Prefix Rules or IPv6 Prefix Rules.

Step 2

Click Add > Add Prefix List.

The Add Prefix List dialog box appears.

Step 3

Enter the prefix name and description, then click OK.
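How the prefix rules in a prefix list are evaluated, as an added example (not ASA code): the lowest sequence number among matching rules wins, and unnumbered rules are numbered in steps of 5. The length handling follows the usual Cisco prefix-list convention and is an assumption here: no lengths means an exact-length match, a minimum alone extends to the address-family maximum, a maximum alone starts at the rule's own length, and a prefix that matches no rule is denied. Function names and sample prefixes are constructed.

```python
from ipaddress import ip_network

def add_rule(plist, action, prefix, min_len=None, max_len=None, seq=None):
    """Append a rule; with no sequence number given, use the highest existing one plus 5."""
    if seq is None:
        seq = max((r["seq"] for r in plist), default=0) + 5
    plist.append({"seq": seq, "action": action, "net": ip_network(prefix),
                  "min": min_len, "max": max_len})
    return seq

def rule_matches(rule, prefix):
    """True when the prefix lies inside the rule's network and its length is in range."""
    net, base = ip_network(prefix), rule["net"]
    if net.version != base.version or not net.subnet_of(base):
        return False
    lo, hi = rule["min"], rule["max"]
    if lo is None and hi is None:
        return net.prefixlen == base.prefixlen   # no lengths given: exact match only
    lo = base.prefixlen if lo is None else lo
    hi = net.max_prefixlen if hi is None else hi
    return lo <= net.prefixlen <= hi

def evaluate(plist, prefix):
    """Return (action, seq) of the lowest-numbered matching rule, else an implicit deny."""
    for rule in sorted(plist, key=lambda r: r["seq"]):
        if rule_matches(rule, prefix):
            return rule["action"], rule["seq"]
    return "deny", None

def build_sample():
    """Constructed prefix list: a broad permit plus a narrower deny numbered ahead of it."""
    plist = []
    add_rule(plist, "permit", "10.0.0.0/8", max_len=24)                      # gets seq 5
    add_rule(plist, "deny", "10.20.0.0/16", min_len=16, max_len=24, seq=2)   # manual seq
    add_rule(plist, "permit", "192.168.10.0/24")                             # gets seq 10
    return plist

if __name__ == "__main__":
    sample = build_sample()
    for p in ["10.20.5.0/24", "10.1.0.0/16", "10.1.1.128/25", "192.168.10.128/25"]:
        print(p, "->", evaluate(sample, p))
```

Had the deny rule been left to automatic numbering it would have received a higher sequence number than the broad permit, and 10.20.5.0/24 would have been permitted by the first rule instead.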


Configure the Metric Values for a Route Action

To configure the metric value for a route action, perform the following steps:

Procedure


Step 1

In ASDM, choose Configuration > Device Setup > Routing > Route Maps.

Step 2

Click Add.

The Add Route Map or Edit Route Map dialog box appears. From this dialog box, you can assign or select the route map name, the sequence number and its redistribution access (that is, permit or deny). Route map entries are read in order. You can identify the order using the sequence number, or the ASA uses the order in which you add route map entries.

Step 3

Click the Set Clause tab to modify the following information, which will be redistributed to the target protocol:

  • Check the Set Metric Clause check box to enable or disable the metric value for the destination routing protocol, and enter the value in the Value field.

  • Check the Set Metric Type check box to enable or disable the type of metric for the destination routing protocol, and choose the metric type from the drop-down list.


Example for Route Maps

The following example shows how to redistribute routes with a hop count equal to 1 into OSPF.

  1. In ASDM, choose Configuration > Device Setup > Routing > Route Maps.

  2. Click Add.

  3. Enter 1-to-2 in the Route Map Name field.

  4. Enter the routing sequence number in the Sequence Number field.

  5. Click the Permit radio button.

    By default, this tab is on top.

  6. Click the Match Clause tab.

  7. Check the Match Metric of Route check box and type 1 for the metric value.

  8. Click the Set Clause tab.

  9. Check the Set Metric Value check box, and type 5 for the metric value.

  10. Check the Set Metric-Type check box, and choose Type-1.

History for Route Maps

Table 1. Feature History for Route Maps

| Feature Name | Platform Releases | Feature Information |
|---|---|---|
| Route maps | 7.0(1) | We introduced this feature. We introduced the following screen: Configuration > Device Setup > Routing > Route Maps. |
| Enhanced support for static and dynamic route maps | 8.0(2) | Enhanced support for dynamic and static route maps was added. |
| Dynamic Routing in Multiple Context Mode | 9.0(1) | Route maps are supported in multiple context mode. |
| Support for BGP | 9.2(1) | We introduced this feature. We updated the following screen: Configuration > Device Setup > Routing > Route Maps with 2 additional tabs BGP match clause and BGP set clause. |
| IPv6 support for Prefix Rule | 9.3.2 | We introduced this feature. We updated the following screens: Configuration > Device Setup > Routing > IPv4 Prefix Rules and IPv6 Prefix Rules |