Wednesday , December 25 2024
Home / IP Routing / routing policy configuration

routing policy configuration

Some time ago I wrote about local PBR and interface PBR.

It’s time to talk about routing policy, that is a different mechanism. Routing policy is applied to routing information and it is combined with routing protocols to form policies. PBR mechanism is applied to data flows and and packets are forwarded according to the configured policy.

Routing policy is a tool which can be used to filter routes and set route attributes, when importing routing information into OSPF, RIP, ISIS or BGP protocols. BGP can use routing policy to filter advertising routes as well. Routing policy defines which of the routes from the specific routing protocol are allowed to be imported into the target routing protocol. It can be also used to match routes or certain route attributes and to change these attributes when the matching rules are met.

Routing policy command syntax:
route-policy route-policy-name { permit | deny } node node

A route-policy may consists of multiple nodes, for example:

route-policy LABNARIO-POLICY permit node 10
route-policy LABNARIO-POLICY deny node 20

The relationship between the nodes of a route-policy is „OR”. This means that if a route matches the node 10 command, the route will not be matched against the node 20. If a route does not match any node, the route fails to match the route-policy. If two nodes are configured, a route is first matched with the node 10 command.

A node in a route-policy can use:

  • permit parameter – If a route matches the node, the router performs actions defined by the apply clauses and the matching is complete. Otherwise, the route continues to match the next node.
  • deny parameter – in this mode the apply clauses are not used. If a route entry matches all the if-match clauses of the node, the route is denied by the node and the next node is not matched. If the entry does not match all the clauses, the next node is matched.

It is important to note that:

  • by default, routes that are unmatched by the nodes, will be denied
  • if multiple nodes are defined, at least one of them should use permit parameter
  • if all the nodes are in deny mode, all the routes will be denied by the route-policy
  • if no if-match clause is defined, all the routes meet the matching rules

Each node can be classified into the following clauses:

  • if-match – match certain route attributes
  • apply – set certain route attributes

The relationship between the if-match clauses is “AND”. This means that a route must match all the if-match clauses.

If-match clauses can match the following:

acl                  Specify an ACL
as-path-filter       BGP AS path list
community-filter     Match BGP community filter
cost                 Match metric of route
extcommunity-filter  Match BGP/VPN extended community filter
interface            Specify the interface matching the first hop of routes
ip                   IP information
  group-address 		Match group address of route
  next-hop      		Match next-hop address of route
  route-source  		Match advertising source address of route
ip-prefix            Specify an address prefix-list
ipv6                 IPv6 Information
  group-address 		Match group address of route
  next-hop      		Match next-hop address of route
  route-source  		Match advertising source address of route
mpls-label           Give the Label
rd-filter            Route-distinguisher filter
route-type           Match route-type of route
  external-type1       OSPF External Type 1 routes
  external-type1or2    OSPF External routes (OSPF type 1/2)
  external-type2       OSPF External Type 2 routes
  internal             Internal route (including OSPF intra/inter area)
  is-is-level-1        IS-IS Level-1 routes
  is-is-level-2        IS-IS Level-2 routes
  nssa-external-type1  OSPF NSSA External Type1 routes
  nssa-external-type1or2  OSPF NSSA External Type1 and Type2 routes
  nssa-external-type2  OSPF NSSA External Type2 routes
tag                  Match tag of route

Apply clauses can set the following:

[Labnario-route-policy]apply ?
  as-path           BGP AS path list
  backup-interface  Backup outgoing interface
  backup-nexthop    Backup nexthop address
  behavior          Specify QoS policy as behavior
  comm-filter       Set BGP community filter (for deletion)
  community         BGP community attribute
  cost              Set metric of route
  cost-type         Type of metric for destination routing protocol
    external   IS-IS external metric
    internal   IS-IS internal metric/Set BGP MED to IGP metric of nexthop
    type-1     OSPF External Type 1 routes
    type-2     OSPF External Type 2 routes
  dampening         Set BGP route flap dampening parameters
  extcommunity      Set BGP/VPN extended community filter
  ip-address        IP information
    next-hop   Next hop address
  ip-precedence     Specify QoS policy as IP precedence
  ipv6              IPv6 Information
    next-hop   Next hop address
  isis              Where to import route
    level-1    Import into a level-1 area
    level-1-2  Import into level-1 and level-2
    level-2    Import into level-2 sub-domain
  local-preference  BGP local preference path attribute
  mpls-label        Give the Label
  origin            BGP origin code
    egp        Remote EGP
    igp        Local IGP
    incomplete Unknown heritage
  ospf              Where to import route
    backbone   Import into OSPF backbone area
    stub-area  Import into OSPF NSSA area  
  preference        Give the Preference  (Route Preference)
  preferred-value   BGP Preferred-value (weight) for routing table
  qos-local-id      Specify QoS policy as qos local id
  tag               Set tag of route
  traffic-index     Specify BGP Traffic Accounting Index

Examples:

Configure a route-policy to import into OSPF:

  • routes tagged with a value of 100
  • routes tagged with a value of 200
  • set them a tag 300
  • block any other routes

Configure a route-policy to import into RIP:

  • All the OSPF routes except the prefix 120.10.1.0/24, if it comes from the source of 150.100.1.5

routing policy

Config should be done on AR1 router, as this is a boundary router between OSPF and RIP domains:

#
route-policy RIP-2-OSPF permit node 10 
 if-match tag 100
 apply tag 300
#
route-policy RIP-2-OSPF permit node 20 
 if-match tag 200
 apply tag 300
#
ospf 1
 import-route rip 1 route-policy RIP-2-OSPF

#
route-policy OSPF-2-RIP deny node 10 
 if-match ip-prefix PREFIX1 
 if-match ip route-source acl 2001 
#
route-policy OSPF-2-RIP permit node 20 
#
ip ip-prefix PREFIX1 index 10 permit 120.10.1.0 24
#
acl number 2001
 rule 10 permit source 150.100.1.5 0 
#
rip 1
 import-route ospf 1 route-policy OSPF-2-RIP

Leave a Reply

Your email address will not be published. Required fields are marked *