Professional Documents
Culture Documents
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-1
Primary objectives: Secondary high-level
• Exchange internal routing objectives:
information • Filtering routing updates
• Exchange external routing • Routing policy implementation
information (influencing route selection)
Exchange external
Exchange internal
SP routing information.
routing information.
SP
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-2
Filter: Filter based on:
• Incoming updates • Prefix and prefix length
• Outgoing updates (subnet mask)
• Redistributed routes from other • Update parameters (routing
routing protocols protocol-specific)
Redistributed routes
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-3
Filter OSPF based on:
• Prefix and prefix length (subnet mask)
• LSA type (internal, external, NSSA-external)
• Route source
• SFP algorithm
OSPF update
Prefix: 10.1.1.0/24
Route source: 10.1.1.1
LSA type: Router LSA (type 1)
Redistributed routes
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-4
Filter BGP based on:
• Prefix and prefix length (subnet mask)
• Next-hop address
• Route source address
• AS path attribute
• BGP community and BGP extended community attributes
• Local preference attribute
NLRI: 10.1.1.0/24
Next-hop: 192.168.1.1
Origin: igp Incoming updates Outgoing updates
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-5
Prefix lists:
• Used for prefix-based filtering or matching of routes
• Can be used to match on the prefix, route source, or next-hop address
AS path access lists:
• Used in BGP for filtering or route matching based on BGP AS Path
attribute
Route maps:
• Primarily used to implement complex routing policies
• Can also be used as a powerful filtering tool
Routing policy language:
• Replaces route maps in Cisco IOS XR Software
• Feature-rich language for complex routing policies
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-6
ASBR:
• Filter redistributed routes:
- Static ▪ Prefix list OSPF Domain
- Connected Area 0
- Other OSPF processes ABR ABR
EIGRP
▪ Route map or routing
policy
▪ Match on route type
▪ Match on tag
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-7
Typical inbound filtering Typical outbound filtering
requirements: requirements:
• Permit only customer routes. • Permit only the default route.
• Permit a specific list of routes from • Permit default route and local
peering service providers. routes.
• Permit all routes.
BGP AS
▪ Prefix list
▪ Route map or policy
Customer Upstream SP
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-8
• Complex routing policies are most often implemented using BGP.
• Influencing route selection for:
- Outgoing traffic
- Incoming traffic
• Routing decision influenced:
- Locally
- Remotely (e.g. by customer or downstream service provider)
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-9
Customer selecting primary or Policy implemented by service
backup ISP: provider:
• AS path prepending by customer • Setting local preference
• BGP community sent by customer • Translating BGP community to local
preference
BGP AS
▪ Route map or policy
▪ Route map
Customer
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-10
• Designed for route filtering/matching
• Replaces access-lists that were designed for packet filtering/matching
• Available in Cisco IOS/IOS XE and Cisco IOS XR Software with slight
differences
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-11
Cisco IOS/IOS XE Software
• Each prefix list is identified using a case-sensitive name.
• Each prefix list can have one or more lines.
• Edit and order prefix list entries by using line numbers.
• The network/length pair identifies the bits in prefixes to match.
• The ge and le operators identify the length of prefixes to match:
- le :“less or equal” matches any prefix that is shorter or equal in length to the
specified value.
- ge :“greater or equal” matches any prefix that is longer or equal in length to
the specified value.
- ge x le x :“equal” (There is no “eq” operator in Cisco IOS/IOS XE Software.)
Router(config)#
ip prefix-list name [seq num] {deny|permit} net/length [ge len] [le len]
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-12
Cisco IOS/IOS XE Software
• Host routes are often filtered out to minimize the size of the routing table.
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-13
Cisco IOS/IOS XE Software
• Single-homed customers running BGP or multi-homed customers that
do not require full Internet routing should receive only the default route.
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-14
Cisco IOS/IOS XE Software
• There is no keyword any as in access lists.
• Use this example instead, to match any route.
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-15
Cisco IOS/IOS XE Software
• Small prefixes (e.g., prefix length greater than 24) are sometimes filtered
out to minimize the size of the full Internet routing table.
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-16
Cisco IOS/IOS XE Software
• Host routes are sometimes matched (e.g., loopback addresses).
• Match the address range used for loopback interfaces.
• Match /32 prefix lengths.
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-17
Cisco IOS/IOS XE Software
• Private networks are always filtered out when sending updates to other
autonomous systems.
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-18
Cisco IOS XR Software
• It is similar to Cisco IOS/IOS XE Software syntax, except it is modular.
• Each prefix list is identified using a case-sensitive name.
• Edit and order prefix list using line numbers.
• The network/length pair identifies the bits in the prefix that must match.
• The ge, le and eq operators identify the length of prefixes to match:
- le: “less or equal” matches any prefix that is shorter or equal in length to the
specified value.
- ge: “greater or equal” matches any prefix that is longer or equal in length to
the specified value.
- eq: “equal” matches any prefix of the exact specified length.
RP/0/RP0/CPU0:CRS(config)#
ipv4 prefix-list name
[seq num] {deny | permit} network/length [ge len] [le len] [eq len]
…
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-19
Cisco IOS XR Software
ipv4 prefix-list Private_Prefixes
deny 10.0.0.0/8 le 32
deny 172.16.0.0/12 le 32
deny 192.168.0.0/16 le 32
permit 0.0.0.0/0 le 32
!
ipv4 prefix-list Core_Loopbacks
permit 172.16.1.0/24 eq 32
!
ipv4 prefix-list Host_Routes
permit 0.0.0.0/0 eq 32
!
ipv4 prefix-list Default_Route
permit 0.0.0.0/0
!
ipv4 prefix-list All_Prefixes
permit 0.0.0.0/0 le 32
!
ipv4 prefix-list Small_Prefixes
permit 0.0.0.0/0 ge 25
!
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-20
• BGP uses autonomous systems to identify the origin and path of a prefix.
• Each path is identified using a sequence of AS numbers.
• AS path attribute is used to carry the AS path in BGP updates.
• Each egress BGP router prepends its own AS number to the AS path attribute.
• AS path access lists are used to match prefixes based on AS path
characteristics.
AS 1
Prefix X; AS path: “1 3 5” Prefix X; AS path: “3 5”
AS 2 AS 3
Prefix X; AS path: “2 1 3 5” Prefix X; AS path: “5”
AS 4 AS 5
X Prefix X; AS path: “”
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-21
Cisco IOS/IOS XE Software
• Each AS path access list is identified using a unique number.
• Regular expressions are used to match prefixes based on the contents
of the AS path attribute.
• The AS path is processed as a string of characters.
Router(config)#
ip as-path access-list acl-number {permit | deny} regexp
AS 22 AS 123 AS 321 AS 11
^ 1 2 3 3 2 1 1 1 $
start end
of space space of
string string
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-22
Character Description
^ matches the start of AS path (e.g. “^20_”)
$ matches the end of AS path (e.g. “^20$”)
matches any delimiter (start, end, or space; e.g.
_
“_20_”)
. matches any single character
matches preceding character any number of times
*
including zero (e.g. “.*” “^20(_20)*$”)
matches preceding character once or more times (e.g.
+
“^[0-9]+$”)
matches preceding character zero or one time (e.g.
?
“^20(_20)?$”)
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-23
Character Description
| logical OR operator (e.g. “_100_|_200_”)
groups characters for precedence or to capture matched
()
values into \n (e.g. “_100_(200|300)_”)
matches s single character from the defined range of
[range]
characters (e.g. “[0-9]”, “[13579]”)
matches again what was found within the n-th pair of
\n
parentheses (e.g. “([0-9]+)(_\1)*”)
removes the special meaning of character X (e.g. “\(” or
\X
“\)”)
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-24
Regular
Expression Description
^$ matches locally originated prefixes
^number$ matches prefixes originating in the specified neighboring
AS
_number$ matches prefixes originating in the specified AS
^number_ matches prefixes learned through the specified
neighboring AS
^([0-9]+)(_\1)*$ matches prefixes originating in any neighboring AS and
allowing prepending
.* matches all prefixes (e.g. “any”)
. matches nonlocal prefixes (e.g. all except empty AS path)
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-25
Cisco IOS/IOS XE Software Net A
• There is no keyword any, as in AS 1
access lists.
• Use this example instead to Net B Net C
match any route: AS 2 AS 3
• Example:
- Matches any prefix A, B, C, E AS 2 Net E
Net D
from any neighbor AS 4 AS 5
A, B, C, E AS 5
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-26
Cisco IOS/IOS XE Software
• Locally originated routes have an Net A
empty AS path attribute. AS 1
• Customers typically use this outbound
filter to announce their prefixes Net B Net C
to their service providers. AS 2 AS 3
D AS 4
• Example:
A, B, C, D AS 3
- AS 4 only sends A, B, C, E AS 2 Net D D AS 4 Net E
its own prefixes. AS 4 AS 5
A, B, C, E AS 5 (multihomed customer)
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-27
Cisco IOS/IOS XE Software
Net A
• The first number in the AS path is AS 1
the last prepended number.
• Directly connected neighboring
Net B Net C
AS is always found as the first AS 2 AS 3
number in the AS path.
• Typically this is used for routing
Net E
policies. AS 4 Net D
AS 5
A, B, C, E AS 5
• Example:
- AS 4 matches any prefix from
neighboring AS 5.
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-28
Cisco IOS/IOS XE Software
Net A
• The last number in the AS path is
AS 1
the first prepended number.
• The originating AS is always
found as the last number in the AS 2
Net B
AS 3
Net C
AS path.
• Typically this is used for routing
policies. Net E
AS 4 Net D AS 5
• Example: A AS 5
- AS 4 matches prefixes A AS 2
originating in AS 1 from
any neighboring AS.
ip as-path access-list permit _1$
Net E
AS 4 Net D AS 5
E AS 5
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-30
Cisco IOS/IOS XE Software Net A
AS 1
• The customer can signal
Prefix X; AS path: “2 5” Prefix X; AS path: “1 2 5”
a backup link using
AS path prepending.
• Alternatively, a specific AS 2 AS 3
(primary ISP) (backup ISP)
per neighbor regular
expression can be Prefix X; AS path: “5” Prefix X; AS path: “5 5 5 5”
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-31
© 2012 Cisco and/or its affiliates. All rights reserved. SPROUTE v1.01—5-32