Configure IP Route Policies

Configure a route policy so that the device can control routes that certain packets can take. For example, you can use a route policy to deny certain Border Gateway Protocol (BGP) routes.

The route policy defines the matching criteria and the actions taken if the policy matches.

About this task

After you create and enable the policy, you can apply it to an interface. You can apply one policy for one purpose, for example, RIP Announce, on a given RIP interface. In this case, all sequence numbers under the given policy apply to that filter.

Create and enable the policy for IS-IS accept policies for Fabric Connect for Layer 3 Virtual Services Networks (VSNs) and IP Shortcuts, then apply the IS-IS accept policy filters.

Note

After you create a route-map in Global Configuration mode or VRF Router Configuration mode, the device enters Route-Map Configuration mode, where you configure the action the policy takes, and define other fields the policy enforces.

Note

The route policies treat permit and deny rules differently for inbound and outbound traffic.
  • For an in-policy (RIP, BGP) or an accept policy (OSPF) using a route-map, if a particular route is not explicitly denied in the accept policy or in-policy with the route-map, then the route is implicitly allowed.

  • For an out-policy (RIP, BGP) or a redistribute policy (RIP, OSPF, BGP) using a route-map, if a particular route is not explicitly allowed in the redistribution policy or out-policy with the route-map, then the route is implicitly denied.

  • To permit or deny only explicit routes, configure a policy with additional sequences, where the last sequence permits all routes that are not explicitly permitted or denied.
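
The following Python model is an added example, not device code or vendor tooling. It shows how the same route-map produces different results depending on where it is applied, and checks whether a policy ends in a catch-all sequence. Assumptions: sequences are tried in ascending order with first match winning, a sequence with no match criteria matches every route, and prefix matching is reduced to simple containment; all names and prefixes are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Fall-through behaviour per direction, as described in the note above.
IMPLICIT_ALLOW = {"in-policy", "accept"}
IMPLICIT_DENY = {"out-policy", "redistribute"}

@dataclass(frozen=True)
class Sequence:
    seq: int
    permit: bool
    networks: tuple = ()  # hypothetical: prefixes matched; empty = match all

    def matches(self, route):
        # Simplification: containment check instead of real prefix-list rules.
        return not self.networks or any(
            route.version == ip_network(n).version and route.subnet_of(ip_network(n))
            for n in self.networks)

def evaluate(policy, direction, prefix):
    """Return (allowed, reason) for one route under the modelled policy."""
    if direction not in IMPLICIT_ALLOW | IMPLICIT_DENY:
        raise ValueError(f"unknown direction: {direction}")
    route = ip_network(prefix)
    # Assumption: sequences are tried in ascending order, first match wins.
    for s in sorted(policy, key=lambda s: s.seq):
        if s.matches(route):
            return s.permit, f"seq {s.seq}"
    return direction in IMPLICIT_ALLOW, "implicit"

def has_catch_all(policy):
    """True when the last sequence matches every route, so nothing falls through."""
    return bool(policy) and not max(policy, key=lambda s: s.seq).networks

# Constructed sample policies (documentation prefixes, not from the page).
PERMITS_ONLY = [Sequence(10, True, ("10.1.0.0/16",))]
EXPLICIT = [Sequence(10, False, ("10.1.0.0/16",)), Sequence(65535, True)]

if __name__ == "__main__":
    for name, policy in (("PERMITS_ONLY", PERMITS_ONLY), ("EXPLICIT", EXPLICIT)):
        for direction in ("in-policy", "out-policy"):
            for prefix in ("10.1.5.0/24", "192.0.2.0/24"):
                print(name, direction, prefix, evaluate(policy, direction, prefix))
        print(name, "catch-all:", has_catch_all(policy))
```

In this model, PERMITS_ONLY applied as an in-policy filters nothing, because every unmatched route falls through to the implicit allow, while the same policy applied as an out-policy announces only 10.1.0.0/16.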

Note

You cannot configure IPv4 and IPv6 route-maps on the same match statement.

Procedure

  1. Enter either Global Configuration mode or VRF Router Configuration mode for a specific VRF context:

    enable

    configure terminal

    Optional: router vrf WORD<1-16>

  2. Create a route-map policy by giving it a name and sequence number:
    route-map WORD<1-64> <1-65535> [permit | deny]

    After you enter the command, the switch automatically transitions to Route-Map Configuration mode for the new policy where you can complete the policy configuration. By default, a new policy permits the route.

  3. Define the match criteria for the policy:

    match {as-path WORD<0-256> | community WORD<0-256> | community-exact enable | extcommunity WORD<0-1027> | interface WORD<0-259> | local-preference <0-2147483647> | metric <0-65535> | metric-type-isis <any|internal|external> | multicast-group WORD<0-259> | multicast-source WORD<0-259> | network WORD<0-259> | next-hop WORD<0-259> | protocol WORD<0-60> | route-source WORD<0-259> | route-type <any|local|internal|external|external-1|external-2> | tag WORD<0-256> | vrf WORD<1-16> | vrfids WORD<0-512> }

  4. Define the action the policy takes, if not done at time of policy creation:
    • Permit the route:

      permit

    • Ignore the route:

      no permit

  5. Optional: Define the set criteria for the policy:

    set {as-path WORD<0-256> | as-path-mode <tag|prepend> | automatic-tag enable | community WORD<0-256> | community-mode <additive|none|unchanged> | data-isid <1-15999999> | injectlist WORD<0-1027> | ip-preference <0-255> | local-preference <0-2147483647> | mask <A.B.C.D> | metric <0-65535> | metric-type <type1|type2> | metric-type-internal <0-1> | metric-type-isis <none|internal|external> | metric-type-live-metric | next-hop WORD<0-256> | nssa-pbit enable | origin <igp|egp|incomplete> | origin-egp-as <0-65535> | rx-only | tag WORD<0-256> | tx-only | weight <0-65535> }

  6. Enable the policy:
    enable
  7. Display current information about the IP route policy:

    show route-map [WORD<1-64>] [<1-65535>] [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example

Enter Route-Map Configuration mode for the named policy. At the route-map prompt, define the fields the policy enforces. Define the action the policy takes. Display current information about the IP route policy.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#route-map RedisStatic 1 
Switch:1(route-map)#match metric 0
Switch:1(route-map)#permit
Switch:1(route-map)#show route-map RedisStatic
================================================================================
                          Route Policy - GlobalRouter
================================================================================

NAME                                                            SEQ   MODE EN 
--------------------------------------------------------------------------------
RedisStatic                                                     1     PRMT DIS

Variable Definitions

The following table defines the parameters for the match command.

Variable

Value

as-path WORD<0-256>

Configures the device to match the as-path attribute of the Border Gateway Protocol (BGP) routes against the contents of the specified AS-lists. This field is used only for BGP routes and ignored for all other route types.

Specify the list IDs of up to four AS-lists, separated by a comma.

community WORD<0-256>

Configures the device to match the community attribute of the BGP routes against the contents of the specified community lists. This field is used only for BGP routes and ignored for all other route types.

Specify the list IDs of up to four defined community lists, separated by a comma.

community-exact enable

When disabled, configures the device so match community-exact results in a match when the community attribute of the BGP routes match an entry of a community-list specified in match-community.

When enabled, configures the device so match-community-exact results in a match when the community attribute of the BGP routes matches all of the entries of all the community lists specified in match-community.

enable enables match community-exact.

extcommunity WORD<0-1027>

Configures the device to match the extended community.

Specify an integer value that represents the community list ID you want to create or modify.

interface WORD <0-259>

If configured, configures the device to match the IP address of the interface by which the RIP route was learned against the contents of the specified prefix list. This field is used only for RIP routes and ignored for all other route types.

Specify the name of up to four defined prefix lists, separated by a comma.

local-preference <0-2147483647>

Configures the device to match the local preference, applicable to all protocols.

metric <0-65535>

Configures the device to match the metric of the incoming advertisement or existing route against the specified value. If 0, this field is ignored.

The default is 0.

multicast-group WORD<0-259>

Configures the device to match the multicast destination group address for the routed multicast policy.

Specify the name of one or more prefix lists, separated by a comma.

multicast-source WORD<0-259>

Configures the device to match the multicast source address for the routed multicast policy.

Specify the name of one or more prefix lists, separated by a comma.

network WORD <0-259>

Configures the device to match the destination network against the contents of the specified prefix lists.

Specify the name of up to four defined prefix lists, separated by a comma.

next-hop WORD<0-259>

Configures the device to match the next-hop IP address of the route against the contents of the specified prefix list. This field applies only to nonlocal routes.

Specify the name of up to four defined prefix lists, separated by a comma.

protocol WORD<0-60>

Configures the device to match the protocol through which the route is learned.

WORD<0-60> is |xxx, where xxx is local, ospf, ebgp, ibgp, isis, rip, static, or a combination separated by a vertical bar ( | ).

route-source WORD<0-259>

Configures the system to match the next-hop IP address for RIP routes and advertising router IDs for OSPF routes against the contents of the specified prefix list. This option is ignored for all other route types.

Specify the name of up to four defined prefix lists, separated by a comma.

route-type {any|local|internal|external|external-1|external-2}

Configures a specific route type to match (applies only to OSPF routes).

tag WORD<0-256>

Specifies a list of tags used during the match criteria process. Contains one or more tag values.

This parameter applies to BGP and OSPF.

[vrf WORD<1-16>] [vrfids WORD<0-512>]

Configures a specific VRF to match (applies only to RIP routes).

Use the data in the following table to use the set command.

Variable

Value

as-path WORD<0-256>

Configures the device to add the AS number of the AS-list to the BGP routes that match this policy.

Specify the list ID of up to four defined AS-lists separated by a comma.

as-path-mode <tag|prepend>

Configures the AS path mode.

Prepend is the default configuration. The device prepends the AS number of the AS-list specified in set-as-path to the old as-path attribute of the BGP routes that match this policy.

Note:

Prepend does not apply to an internal BGP (iBGP) peer with outbound route policy. For more information about iBGP, see BGP.

automatic-tag enable

Configures the tag automatically. Used for BGP routes only.

community WORD<0-256>

Configures the device to add the community number of the community list to the BGP routes that match this policy.

Specify the list ID of up to four defined community lists separated by a comma.

community-mode <additive|none|unchanged>

Configures the community mode.

additive—the device prepends the community number of the community list specified in set-community to the old community path attribute of the BGP routes that match this policy.

none—the device removes the community path attribute of the BGP routes that match this policy to the specified value.

data-isid

Configures the data service instance identifier (I-SID) for routed multicast policy.

injectlist WORD<0-1027>

Configures the device to replace the destination network of the route that matches this policy with the contents of the specified prefix list.

ip-preference <0-255>

Configures the preference. This applies to accept policies only.

local-preference <0-65535>

Configures the device to match the local preference, applicable to all protocols.

mask <A.B.C.D>

Configures the mask of the route that matches this policy. This applies only to RIP accept policies.

metric <0-65535>

Configures the metric value for the route while announcing a redistribution. The default is 0. If the default is configured, the original cost of the route is advertised into OSPF. For RIP, the original cost of the route or default-import-metric is used (applies to IS-IS routes also).

metric-type {type1|type2}

Configures the metric type for the routes to announce into the OSPF domain that matches this policy. The default is type 2. This field applies only for OSPF announce policies.

metric-type-internal <0-1>

Configures the MED value for routes advertised to ebgp neighbors to the IGP metric value.

metric-type-isis <none | internal | external>

Configures the metric type for IS-IS routes. The default is none. This field applies only for IS-IS policies.

metric-type-live-metric

Configures the metric type for BGP routes. The default is disabled. This field applies only for BGP policies.

next-hop WORD <1-256>

Specifies the IP address of the next-hop router. Both IPv4 and IPv6 addresses are supported.

nssa-pbit enable

Configures the not so stubby area (NSSA) translation P bit. Applicable to OSPF announce policies only.

origin {igp|egp|incomplete}

Configures the device to change the origin path attribute of the BGP routes that match this policy to the specified value.

origin-egp-as <0-65535>

Indicates the remote autonomous system number. Applicable to BGP only.

rx-only

Configures rx only for routed multicast policy.

tag <0-65535>

Configures the tag of the destination routing protocol. If not specified, the device forwards the tag value in the source routing protocol. A value of 0 indicates that this parameter is not configured.

This parameter applies to BGP.

tx-only

Configures tx only for routed multicast policy.

weight <0-65535>

Configures the weight value for the routing table. For BGP, this value overrides the weight configured through NetworkTableEntry, FilterListWeight, or NeighborWeight. Used for BGP only. A value of 0 indicates that this parameter is not configured.

Use the data in the following table to use the name command.

Variable

Value

WORD<1-64>

Renames a policy and changes the name field for all sequence numbers under the given policy.