Configure IP Route Policies

Configure a route policy so that the device can control routes that certain packets can take. For example, you can use a route policy to deny certain Border Gateway Protocol (BGP) routes.

The route policy defines the matching criteria and the actions taken if the policy matches.

About this task

After you create and enable the policy, you can apply it to an interface. You can apply one policy for one purpose, for example, RIP Announce, on a given RIP interface. In this case, all sequence numbers under the given policy apply to that filter.

Create and enable the policy for IS-IS accept policies for Fabric Connect for Layer 3 Virtual Services Networks (VSNs) and IP Shortcuts, then apply the IS-IS accept policy filters.

Note

After you configure route-map in Global Configuration mode or VRF Router Configuration mode, the device enters Route-Map Configuration mode, where you configure the action the policy takes, and define other fields the policy enforces.

Note

The route policies treat permit and deny rules differently for inbound and outbound traffic.
  • For an in-policy (RIP, BGP) or an accept policy (OSPF) using a route-map, if a particular route is not explicitly denied in the accept policy or in-policy with the route-map, the route is implicitly allowed.

  • For an out-policy (RIP, BGP) or a redistribute policy (RIP, OSPF, BGP) using a route-map, if a particular route is not explicitly allowed in the redistribution policy or out-policy with the route-map, the route is implicitly denied.

  • To permit or deny only explicit routes, configure a policy with additional sequences, where the last sequence permits all routes that the earlier sequences do not explicitly permit or deny.

Note

You cannot configure IPv4 and IPv6 route-maps on the same match statement.

Procedure

  1. Enter Route-Map Configuration mode:

    enable

    configure terminal

    route-map WORD<1-64> <1-65535>

  2. At the route-map prompt, define the match criteria for the policy:

    match {as-path WORD<0-256> | community WORD<0-256> | community-exact enable | extcommunity WORD<0-1027> | interface WORD<0-259> | local-preference <0-2147483647> | metric <0-65535> | metric-type-isis <any|internal|external> | network WORD<0-259> | next-hop WORD<0-259> | protocol WORD<0-60> | route-source WORD<0-259> | route-type <any|local|internal|external|external-1|external-2> | tag WORD<0-256> | vrf WORD<1-16> | vrfids WORD<0-512> }

  3. Define the action the policy takes:
    1. Allow the route:

      permit

      OR

    2. Ignore the route:

      no permit

  4. Define the set criteria for the policy:

    set {as-path WORD<0-256> | as-path-mode <tag|prepend> | automatic-tag enable | community WORD<0-256> | community-mode <additive|none|unchanged> | injectlist WORD<0-1027> | ip-preference <0-255> | local-preference <0-2147483647> | mask <A.B.C.D> | metric <0-65535> | metric-type <type1|type2> | metric-type-internal <0-1> | metric-type-isis <none|internal|external> | metric-type-live-metric | next-hop WORD<0-256> | nssa-pbit enable | origin <igp|egp|incomplete> | origin-egp-as <0-65535> | tag WORD<0-256> | weight <0-65535> }

  5. Display current information about the IP route policy:

    show route-map [WORD<1-64>] [<1-65535>] [vrf WORD<1-16>] [vrfids WORD<0-512>]

Example

Enter Route-Map Configuration mode. At the route-map prompt, define the fields the policy enforces. Define the action the policy takes. Display current information about the IP route policy.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#route-map RedisStatic 1 
Switch:1(route-map)# match metric 0
Switch:1(route-map)# permit
Switch:1(route-map)# show route-map RedisStatic
================================================================================
                          Route Policy - GlobalRouter
================================================================================

NAME                                                            SEQ   MODE EN 
--------------------------------------------------------------------------------
RedisStatic                                                     1     PRMT DIS
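The following session puts the implicit permit/deny note and the procedure above together, as an added example that is not part of the original document: a two-sequence policy intended as an out-policy, where sequence 1 denies the destination networks listed in a prefix list and sequence 2, which has no match criteria, permits every remaining route. Without sequence 2 the out-policy's implicit deny would suppress every route that sequence 1 does not match. The ip prefix-list command, the list name NoLeak, the policy name OutFilter and the route-map enable command are assumptions not shown on this page; lines beginning with ! are annotations, not commands.

```text
! Constructed prefix list naming the routes to suppress (command assumed).
Switch:1(config)#ip prefix-list NoLeak 10.10.0.0/16
! Sequence 1: deny routes whose destination network is in the prefix list.
Switch:1(config)#route-map OutFilter 1
Switch:1(route-map)# match network NoLeak
Switch:1(route-map)# no permit
Switch:1(route-map)# enable
Switch:1(route-map)# exit
! Sequence 2: no match criteria, so it matches all routes that sequence 1
! did not match, and permits them instead of leaving them to the implicit deny.
Switch:1(config)#route-map OutFilter 2
Switch:1(route-map)# permit
Switch:1(route-map)# enable
! Verify both sequences exist and show MODE PRMT/DENY and EN ENA as intended.
Switch:1(route-map)# show route-map OutFilter
```

Check the EN column of the output: a sequence that shows DIS is not used, so a disabled sequence 2 leaves the out-policy denying every unmatched route.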

Variable Definitions

Use the data in the following table to use the match command.

Variable

Value

as-path WORD<0-256>

Configures the device to match the as-path attribute of the Border Gateway Protocol (BGP) routes against the contents of the specified AS-lists. This field is used only for BGP routes and ignored for all other route types.

WORD <0-256> specifies the list IDs of up to four AS-lists, separated by a comma.

Use the no operator to disable match as-path: no match as-path WORD<0-256>

community WORD<0-256>

Configures the device to match the community attribute of the BGP routes against the contents of the specified community lists. This field is used only for BGP routes and ignored for all other route types.

WORD <0-256> specifies the list IDs of up to four defined community lists, separated by a comma.

Use the no operator to disable match community: no match community WORD<0-256>

community-exact enable

When disabled, configures the device so match community-exact results in a match when the community attribute of the BGP routes matches an entry of a community list specified in match-community.

When enabled, configures the device so match-community-exact results in a match when the community attribute of the BGP routes matches all of the entries of all the community lists specified in match-community.

enable enables match community-exact.

Use the no operator to disable match community-exact: no match community-exact enable

extcommunity WORD <0–1027>

Configures the device to match the extended community.

WORD<0-1027> specifies an integer value from 1-1027 that represents the community list ID you want to create or modify.

interface WORD <0-259>

Configures the device to match the IP address of the interface by which the RIP route was learned against the contents of the specified prefix list. This field is used only for RIP routes and ignored for all other route types.

WORD <0-259> specifies the name of up to four defined prefix lists, separated by a comma.

Use the no operator to disable match interface: no match interface WORD<0-259>

local-preference <0-2147483647>

Configures the device to match the local preference, applicable to all protocols.

<0-2147483647> specifies the preference value.

metric <0-65535>

Configures the device to match the metric of the incoming advertisement or existing route against the specified value. If 0, this field is ignored.

<0-65535> specifies the metric value. The default is 0.

network WORD <0-259>

Configures the device to match the destination network against the contents of the specified prefix lists.

WORD <0-259> specifies the name of up to four defined prefix lists, separated by a comma.

Use the no operator to disable match network: no match network WORD<0-259>

next-hop WORD<0-259>

Configures the device to match the next-hop IP address of the route against the contents of the specified prefix list. This field applies only to nonlocal routes.

WORD <0-259> specifies the name of up to four defined prefix lists, separated by a comma.

Use the no operator to disable match next-hop: no match next-hop WORD<0-259>

protocol WORD<0-60>

Configures the device to match the protocol through which the route is learned.

WORD<0-60> is one of local, ospf, ebgp, ibgp, isis, rip, or static, or a combination of these values separated by |.

Use the no operator to disable match protocol: no match protocol WORD<0-60>

route-source WORD<0-259>

Configures the system to match the next-hop IP address for RIP routes and advertising router IDs for OSPF routes against the contents of the specified prefix list. This option is ignored for all other route types.

WORD <0-259> specifies the name of up to four defined prefix lists, separated by a comma.

Use the no operator to disable match route-source: no match route-source WORD<0-259>

route-type {any|local|internal|external|external-1|external-2}

Configures a specific route type to match (applies only to OSPF routes).

any|local|internal|external|external-1|external-2 specifies the OSPF route type to match; only OSPF routes of that type (for example, External-1 or External-2) match. Any other value is ignored.

tag WORD<0-256>

Specifies a list of tags used during the match criteria process. Contains one or more tag values.

WORD<0-256> is a value from 0-256.

[vrf WORD<1-16>] [vrfids WORD<0-512>]

Configures a specific VRF to match (applies only to RIP routes).

Use the data in the following table to use the set command.

Variable

Value

as-path WORD<0-256>

Configures the device to add the AS number of the AS-list to the BGP routes that match this policy.

WORD<0-256> specifies the list ID of up to four defined AS-lists separated by a comma.

Use the no operator to delete the AS number: no set as-path WORD<0-256>

as-path-mode <tag|prepend>

Configures the AS path mode.

Prepend is the default configuration. The device prepends the AS number of the AS-list specified in set-as-path to the old as-path attribute of the BGP routes that match this policy.

Note:

Prepend is not applicable to an internal BGP (iBGP) peer with outbound route policy. For more information about iBGP, see BGP.

automatic-tag enable

Configures the tag automatically. Used for BGP routes only.

Use the no operator to disable the tag: no set automatic-tag enable

community WORD<0-256>

Configures the device to add the community number of the community list to the BGP routes that match this policy.

WORD <0-256> specifies the list ID of up to four defined community lists separated by a comma.

Use the no operator to delete the community number: no set community WORD<0-256>

community-mode <additive|none|unchanged>

Configures the community mode.

additive: the device prepends the community number of the community list specified in set-community to the old community path attribute of the BGP routes that match this policy.

none: the device removes the community path attribute from the BGP routes that match this policy.

injectlist WORD<0-1027>

Configures the device to replace the destination network of the route that matches this policy with the contents of the specified prefix list.

WORD<0-1027> specifies one prefix list by name.

Use the no operator to disable set injectlist: no set injectlist

ip-preference <0-255>

Configures the preference. This applies to accept policies only.

<0-255> is the range you can assign to the routes.

local-preference <0-65535>

Configures the local preference, applicable to all protocols. <0-65535> specifies the preference value.

mask <A.B.C.D>

Configures the mask of the route that matches this policy. This applies only to RIP accept policies.

A.B.C.D is a valid contiguous IP mask.

Use the no operator to disable set mask: no set mask

metric <0-65535>

Configures the metric value for the route while announcing a redistribution. The default is 0. If the default is configured, the original cost of the route is advertised into OSPF; for RIP, the original cost of the route or default-import-metric is used (this also applies to IS-IS routes).

metric-type {type1|type2}

Configures the metric type for the routes to announce into the OSPF domain that matches this policy. The default is type 2. This field is applicable only for OSPF announce policies.

metric-type-internal <0-1>

Configures the multi-exit discriminator (MED) value for routes advertised to eBGP neighbors to the IGP metric value.

<0-1> specifies the metric type internal.

metric-type-isis <none | internal | external>

Configures the metric type for IS-IS routes. The default is none. This field is applicable only for IS-IS policies.

metric-type-live-metric

Configures the metric type for BGP routes. The default is disabled. This field is applicable only for BGP policies.

next-hop WORD <1-256>

Specifies the IP address of the next-hop router. Both IPv4 and IPv6 addresses are supported.

Use the no operator to disable set next-hop: no set next-hop

nssa-pbit enable

Configures the not so stubby area (NSSA) translation P bit. Applicable to OSPF announce policies only.

Use the no operator to disable set nssa-pbit: no set nssa-pbit enable

origin {igp|egp|incomplete}

Configures the device to change the origin path attribute of the BGP routes that match this policy to the specified value.

origin-egp-as <0-65535>

Indicates the remote autonomous system number. Applicable to BGP only.

tag <0-65535>

Configures the tag of the destination routing protocol. If not specified, the device forwards the tag value in the source routing protocol. A value of 0 indicates that this parameter is not configured.

Note:

This parameter is not supported on all hardware platforms.

weight <0-65535>

Configures the weight value for the routing table. For BGP, this value overrides the weight configured through NetworkTableEntry, FilterListWeight, or NeighborWeight. Used for BGP only. A value of 0 indicates that this parameter is not configured.

Use the data in the following table to use the name command.

Variable

Value

WORD<1-64>

Renames a policy and changes the name field for all sequence numbers under the given policy.

Job aid

Use the data in the following table to use the show route-map command output.

Table 1. Variable definitions

Variable

Value

NAME

Indicates the name of the route policy.

SEQ

Indicates the second index used to identify a specific policy within the route policy group (grouped by ID). Use this field to specify different match and set parameters and an action.

MODE

Indicates the action to take when this policy is selected for a specific route. Options are permit, deny, or continue. Permit indicates to allow the route. Deny indicates to ignore the route. Continue means continue checking the next match criteria configured in the next policy sequence; if none, take the default action in the given context.

EN

Indicates whether this policy is enabled. If disabled, the policy is not used.