Pages

Wednesday, August 1, 2012

Route maps

This document describes commands that you can use to configure route-maps that are applied with the redistribute command of dynamic routing protocols.
You can apply it to many different tasks, for example, policy-based routing (PBR) and Border Gateway Protocol (BGP) neighbor update modification. One of the most common uses of route-maps is to apply them to routes that are redistributed between dynamic routing protocols. This document examines the possibilities of route-maps when you configure this type of redistribution.

Route-maps
Route-maps have many features in common with widely known access control lists (ACLs). These are some of the traits common to both mechanisms:
  • They are an ordered sequence of individual statements, each has a permit or deny result. Evaluation of ACL or route-maps consists of a list scan, in a predetermined order, and an evaluation of the criteria of each statement that matches. A list scan is aborted once the first statement match is found and an action associated with the statement match is performed.
  • They are generic mechanisms—criteria matches and match interpretation are dictated by the way they are applied. The same route-map applied to different tasks might be interpreted differently.
These are some of the differences between route-maps and ACLs:
  • Route-maps frequently use ACLs as matching criteria.
  • The main result from the evaluation of an access list is a yes or no answer—an ACL either permits or denies input data. Applied to redistribution, an ACL determines if a particular route can (route matches ACLs permit statement) or cannot (matches deny statement) be redistributed. Typical route-maps not only permit (some) redistributed routes but also modify information associated with the route when it is redistributed into another protocol.
  • Route-maps are more flexible than ACLs and can verify routes based on criteria which ACLs cannot verify. For example, a route-map can verify if the type of route is internal or if it has a specific tag.
  • Each ACL ends with an implicit deny statement, by design convention; there is no similar convention for route-maps. If the end of a route-map is reached during matching attempts, the result depends on the specific application of the route-map. Fortunately, route-maps that are applied to redistribution behave the same way as ACLs: if the route does not match any clause in a route-map then the route redistribution is denied as if the route-map contained deny statement at the end.
The dynamic protocol redistributes configuration command allows you to apply either an ACL or a route-map. The differences described in this section identify when you should use a route-map during redistribution. Route-maps are preferred if you intend to either modify route information during redistribution or if you need more powerful matching capability than an ACL can provide. Conversely, if you simply need to selectively permit some routes based on their prefix or mask, Cisco recommends that you use an ACL (or equivalent prefix list) directly in the redistribute command. If you use a route-map to selectively permit some routes based on their prefix or mask, you typically use more configuration commands to achieve the same goal. Route maps are always applied for inbound traffic, and the route-map does not have any effect on the outbound traffic.

Basics:

This is a typical Open Shortest Path First to Enhanced Interior Gateway Routing Protocol (OSPF-to-EIGRP) route-map, applied in a redistribute command:

router eigrp 1
redistribute ospf 1 route-map ospf-to-eigrp
default-metric 20000 2000 255 1 1500
route-map ospf-to-eigrp deny 10
match tag 6
match route-type external type-2
route-map ospf-to-eigrp permit 20
match ip address prefix-list pfx
set metric 40000 1000 255 1 1500
route-map ospf-to-eigrp permit 30
set tag 8













There are several points to note from this example:
·         Route-map clauses are numbered. In this example, clauses have sequence numbers 10, 20, and 30. Sequence numbers allow you to do these actions:
o    Easily delete one specific clause but not affect other parts of the route-map.
o    Insert a new clause between two existing clauses.
Cisco recommends that you number clauses in intervals of 10, to reserve numbering space in case you need to insert clauses in the future.
·         Route-maps can have permit and deny clauses. In route-map ospf-to-eigrp, there is one deny clause (with sequence number 10) and two permit clauses. The deny clause rejects route matches from redistribution. Therefore, these rules apply:
o    If you use an ACL in a route-map permit clause, routes that are permitted by the ACL are redistributed.
o    If you use an ACL in a route-map deny clause, routes that are permitted by the ACL are not redistributed.
o    If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.
·         Each route-map clause has two types of commands:
o    match—Selects routes to which this clause should be applied.
o    set—Modifies information which will be redistributed into the target protocol.
For each route that is being redistributed, the router first evaluates the match command of a clause in the route-map. If the match criteria succeed, then the route is redistributed or rejected as dictated by the permit or deny clause, and some of its attributes might be modified by set commands. If the match criteria fail, then this clause is not applicable to the route, and Cisco IOS software proceeds to evaluate the route against the next clause in the route-map. The scan of the route-map continues until a clause is found whose match command(s) match the route or until the end of the route-map is reached.
·         A match or set command in each clause can be missed or repeated several times if one of these conditions exist:
o    If several match commands are present in a clause, all must succeed for a given route in order for that route to match the clause (in other words, the logical AND algorithm is applied for multiple match commands).
o    If a match command refers to several objects in one command, either of them should match (the logical OR algorithm is applied). For example, in the match ip address 101 121 command, a route is permitted if it is permitted by access list 101 or access list 121.
o    If a match command is not present, all routes match the clause. In the previous example, all routes that reach clause 30 matches; therefore, the end of the route-map is never reached.
o    If a set command is not present in a route-map permit clause then the route is redistributed without modification of its current attributes.
Do not configure a set command in a deny route-map clause because the deny clause prohibits route redistribution—there is no information to modify.
A route-map clause without a match or set command performs an action. An empty permit clause allows a redistribution of the remaining routes without modification. An empty deny clause does not allow a redistribution of other routes (this is the default action if a route-map is completely scanned but no explicit match is found).
Based on the information in this section, the previous OSPF-to-EIGRP route-map example does this:
·         Prohibits the redistribution of all Type-2 external OSPF routes with tag 6 set.
·         Redistributes into EIGRP all routes which match the pfx prefix list, with five metric values—40000, 1000, 255, 1, and 1500.
·         Redistributes all other routes and sets their tags to 8 (the default).




2 comments:

  1. Very nicely explained sir, but the page is not user friendly, whenever I'm trying to see the image in Android, then it is taking me to next post and again i have to come here using back button, thanks

    ReplyDelete
  2. I am really happy that you found it useful.. Sorry about the page issue.. will try to correct it.

    ReplyDelete