Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide, Release 4.0
Configuring Route Policy Manager

Configuring Route Policy Manager


This chapter describes how to configure the Route Policy Manager.

This chapter includes the following sections:

Information About Route Policy Manager

Licensing Requirements for Route Policy Manager

Prerequisites for Route Policy Manager

Guidelines and Limitations

Configuring Route Policy Manager

Verifying Route Policy Manager Configuration

Route Policy Manager Example Configuration

Related Topics

Default Settings

Information About Route Policy Manager

Route Policy Manager supports route maps and IP prefix lists. These features are used for route redistribution and policy-based routing. A prefix list contains one or more IPv4 or IPv6 network prefixes and the associated prefix length values. You can use a prefix list by itself in features such as BGP templates, route filtering, or redistribution of routes that are exchanged between routing domains.

Route maps can apply to both routes and IP packets. Route filtering and redistribution pass a route through a route map while policy based routing passes IP packets through a route map.

This section includes the following topics:

Prefix Lists

Route Maps

Route Redistribution and Route Maps

Policy-Based Routing

Prefix Lists

You can use prefix lists to permit or deny an address or range of addresses. Filtering by prefix list involves matching the prefixes of routes or packets with the prefixes listed in the prefix list. An implicit deny is assumed if a given prefix does not match any entries in a prefix list.

You can configure multiple entries in a prefix list and permit or deny the prefixes that match the entry. Each entry has an associated sequence number that you can configure. If you do not configure a sequence number, Cisco NX-OS assigns a sequence number automatically. Cisco NX-OS evaluates prefix lists starting with the lowest sequence number. Cisco NX-OS processes the first successful match for a given prefix. Once a match occurs, Cisco NX-OS processes the permit or deny statement and does not evaluate the rest of the prefix list.


Note: An empty prefix list permits all routes.


Route Maps

You can use route maps for route redistribution or policy-based routing. Route map entries consist of a list of match and set criteria. The match criteria specify match conditions for incoming routes or packets and the set criteria specify the action taken if the match criteria are met.

You can configure multiple entries in the same route map. These entries contain the same route map name and are differentiated by a sequence number.

You create a route map with one or more route map entries arranged by the sequence number under a unique route map name. The route map entry has the following parameters:

Sequence number

Permission—permit or deny

Match criteria

Set changes

By default, a route map processes routes or IP packets in a linear fashion, that is, starting from the lowest sequence number. You can configure the route map to process in a different order using the continue statement, which allows you to determine which route map entry to process next.

Match Criteria

You can use a variety of criteria to match a route or IP packet in a route map. Some criteria, such as BGP community lists, are applicable only to a specific routing protocol, while other criteria, such as the IP source or the destination address, can be used for any route or IP packet.

When Cisco NX-OS processes a route or packet through a route map, it compares the route or packet to each of the match statements configured. If the route or packet matches the configured criteria, Cisco NX-OS processes it based on the permit or deny configuration for that match entry in the route map, and any set criteria configured.

The match categories and parameters are as follows:

IP access lists—(For policy-based routing only). Match based on source or destination IP address, protocol, or QoS parameters.

BGP parameters—Match based on AS-path or community attributes.

Prefix lists—Match based on an address or range of addresses.

Multicast parameters—Match based on rendezvous point, groups, or sources.

Other parameters—Match based on IP next-hop address or packet length.

Set Changes

Once a route or packet matches an entry in a route map, the route or packet can be changed based on one or more configured set statements.

The set changes are as follows:

BGP parameters—Change the AS-path, tag, community, dampening, local preference, origin, or weight attributes.

Metrics—Change the route-metric, the route-tag, or the route-type.

Policy-based routing only—Change the interface or the default next-hop address.

Other parameters—Change the forwarding address or the IP next-hop address.

Access Lists

IP access lists can match the packet to a number of IP packet fields such as the following:

Source or destination IPv4 or IPv6 address

Protocol

Precedence

ToS

You can use ACLs in a route map for policy-based routing only. See the Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.0 for more information on ACLs.

AS-path Lists for BGP

You can configure an AS-path list to filter inbound or outbound BGP route updates. If the route update contains an AS-path attribute that matches an entry in the AS-path list, the router processes the route based on the permit or deny condition configured. You can configure AS-path lists within a route map.

You can configure multiple AS-path entries in an AS-path list by using the same AS-path list name. The router processes the first entry that matches.

Community Lists for BGP

You can filter BGP route updates based on the BGP community attribute by using community lists in a route map. A community list contains one or more community attributes. If you configure more than one community attribute in the same community list entry, then the BGP route must match all community attributes listed to be considered a match.

You can also configure multiple community attributes as individual entries in the community list by using the same community list name. In this case, the router processes the first community attribute that matches the BGP route, using the permit or deny configuration for that entry.

You can configure community attributes in the community list in one of the following formats:

Named community attribute, such as internet or no-export

A 4-byte value that represents the autonomous system (AS) number and a user-defined network number

A regular expression

See the Cisco Nexus 7000 Series NX-OS Unicast Routing Command Reference, Release 4.0 for more information on regular expressions.

Route Redistribution and Route Maps

You can use route maps to control the redistribution of routes between routing domains. Route maps match on the attributes of the routes to redistribute only those routes that pass the match criteria. The route map can also modify the route attributes during this redistribution using the set changes.

The router matches redistributed routes against each route map entry. If there are multiple match statements, the route must pass all of the match criteria. If a route passes the match criteria defined in a route map entry, the actions defined in the entry are executed. If the route does not match the criteria, the router compares the route against subsequent route map entries. Route processing continues until a match is made or the route is processed by all entries in the route map with no match. If the router processes the route against all entries in a route map with no match, the router accepts the route (inbound route maps) or forwards the route (outbound route maps).

Policy-Based Routing

You can use policy-based routing to forward a packet to a specified next-hop address based on the source of the packet or other fields in the packet header. See Chapter 16, "Configuring Policy-Based Routing."

Licensing Requirements for Route Policy Manager

The following table shows the licensing requirements for this feature:

Product
License Requirement

NX-OS

Route Policy Manager requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the NX-OS licensing scheme, see the Cisco Nexus 7000 Series NX-OS Licensing Guide, Release 4.0e.


Prerequisites for Route Policy Manager

Route Policy Manager has the following prerequisites:

If you configure VDCs, install the Advanced Services license and enter the desired VDC (see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 4.0).

Guidelines and Limitations

Route Policy Manager has the following guidelines and limitations:

An empty route map denies all the routes.

An empty prefix list permits all the routes.

Without any match statement in a route-map entry, the permission (permit or deny) of the route-map entry decides the result for all the routes or packets.

If referred policies (for example, prefix lists) within a match statement of a route-map entry return either a no-match or a deny-match, Cisco NX-OS fails the match statement and processes the next route-map entry.

When you change a route map, Cisco NX-OS holds all the changes until you exit from the route-map configuration submode. Cisco NX-OS then sends all the changes to the protocol clients to take effect.

Because you can use a route map before you define it, verify that all your route maps exist when you finish a configuration change.

You can view route-map usage for redistribution and filtering. Each individual routing protocol provides a way to display these statistics.

Configuring Route Policy Manager

Route Policy Manager configuration includes the following topics:

Configuring IP Prefix Lists

Configuring AS-path Lists

Configuring Community Lists

Configuring Route Maps


Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


Configuring IP Prefix Lists

IP prefix lists match the IP packet or route against a list of prefixes and prefix lengths. Create an IP prefix list for IPv4 and create an IPv6 prefix list for IPv6.

You can configure the prefix list entry to match the prefix length exactly, or to match any prefix with a length that falls within the configured range of prefix lengths.

Use the ge and le keywords to specify a range of the prefix lengths to match. Cisco NX-OS processes the prefix list as an exact match if you do not configure the ge or le keyword. If you configure only the ge value, the range is from the ge value to 32 for IPv4 or from the ge value to 128 for IPv6. If you configure only the le value, the range is from the configured prefix length value to the le value. If you configure both the ge and le keywords, the range is shown in the following formula:

prefix/length < ge value < le value <= maximum length

The maximum length for IPv4 is 32. The maximum length for IPv6 is 128.

SUMMARY STEPS

1. config t

2. {ip | ipv6} prefix-list name description string

3. ip prefix-list name [seq number] [{permit | deny} prefix/length {[eq prefix-length] | [ge prefix-length] [le prefix-length]}]

or

ipv6 prefix-list name [seq number] [{permit | deny} prefix/length {[eq prefix-length] | [ge prefix-length] [le prefix-length]}]

4. show {ip | ipv6} prefix-list name

5. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

switch# config t

switch(config)#

Enters configuration mode.

Step 2 

{ip | ipv6} prefix-list name description string


Example:

switch(config)# ip prefix-list AllowPrefix description allows engineering server

(Optional) Adds an information string about the prefix list.

Step 3 

ip prefix-list name [seq number] [{permit | deny} prefix/length {[eq prefix-length] | [ge prefix-length] [le prefix-length]}]


Example:

switch(config)# ip prefix-list AllowPrefix seq 10 permit 192.0.2.0/24 eq 24


Creates an IPv4 prefix list or adds a prefix to an existing prefix list. The prefix length is matched as follows:

eq—Match exact prefix length.

ge—Match a prefix length that is equal to or greater than the configured prefix length.

le—Match a prefix length that is equal to or less than the configured prefix length.

ipv6 prefix-list name [seq number] [{permit | deny} prefix/length {[eq prefix-length] | [ge prefix-length] [le prefix-length]}]


Example:

switch(config)# ipv6 prefix-list AllowIPv6Prefix seq 20 permit 2001:0DB8::/32 le 32


Creates an IPv6 prefix list or adds a prefix to an existing prefix list. The prefix length is configured as:

eq—Match exact prefix length.

ge—Match a prefix length that is equal to or greater than the configured prefix length.

le—Match a prefix length that is equal to or less than the configured prefix length.

Step 4 

show {ip | ipv6} prefix-list name


Example:

switch(config)# show ip prefix-list AllowPrefix

(Optional) Displays information about prefix lists.

Step 5 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Saves this configuration change.

The following example shows how to create an IPv4 prefix list with two entries and apply the prefix list to a BGP neighbor:

switch# config t

switch(config)# ip prefix-list allowprefix seq 10 permit 192.0.2.0/24 eq 24

switch(config)# ip prefix-list allowprefix seq 20 permit 209.165.201.0/24 eq 27

switch(config)# router bgp 33:20

switch(config-router)# neighbor 192.0.2.1/16 remote-as 99:20

switch(config-router-neighbor)# address-family ipv4 unicast

switch(config-router-neighbor-af)# prefix-list allowprefix in
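The evaluation rules in this section (lowest sequence number first, first match wins, implicit deny, an empty list permits everything, and the eq/ge/le length ranges) can be checked offline before a list is applied to a neighbor. The following Python model is an added example, not Cisco code; the PrefixList class, its method names, the second "loose" list, and the sample routes are constructed for illustration.

```python
import ipaddress


class PrefixList:
    """Model of the prefix-list evaluation rules described in this section."""

    def __init__(self):
        self.entries = {}  # seq -> (action, network, min_len, max_len)

    def add(self, seq, action, prefix, eq=None, ge=None, le=None):
        net = ipaddress.ip_network(prefix)
        if eq is not None:
            low = high = eq
        elif ge is None and le is None:
            low = high = net.prefixlen  # no keyword: exact-length match
        else:
            # ge only: ge..32 (IPv4) or ge..128 (IPv6); le only: length..le
            low = net.prefixlen if ge is None else ge
            high = net.max_prefixlen if le is None else le
        # Lenient bounds check (assumption; the page's formula uses strict "<")
        if not net.prefixlen <= low <= high <= net.max_prefixlen:
            raise ValueError(f"bad length range for {prefix}")
        self.entries[seq] = (action, net, low, high)

    def evaluate(self, route):
        """Return (action, seq); seq is None when no entry decided the result."""
        if not self.entries:
            return ("permit", None)  # an empty prefix list permits all routes
        candidate = ipaddress.ip_network(route)
        for seq in sorted(self.entries):  # lowest sequence number first
            action, net, low, high = self.entries[seq]
            if (candidate.version == net.version
                    and low <= candidate.prefixlen <= high
                    and candidate.subnet_of(net)):
                return (action, seq)  # first match wins, rest is skipped
        return ("deny", None)  # implicit deny


def page_example():
    """The 'allowprefix' list from the example above."""
    plist = PrefixList()
    plist.add(10, "permit", "192.0.2.0/24", eq=24)
    plist.add(20, "permit", "209.165.201.0/24", eq=27)
    return plist


def loose_example():
    """Constructed list: deny one /26 and longer, then a broad 'le 32' permit."""
    plist = PrefixList()
    plist.add(5, "deny", "192.0.2.64/26", ge=26)
    plist.add(10, "permit", "192.0.2.0/24", le=32)
    return plist


if __name__ == "__main__":
    # Constructed route announcements to run through both lists
    routes = ["192.0.2.0/24", "192.0.2.128/25", "192.0.2.64/27",
              "209.165.201.32/27", "209.165.201.0/24", "10.0.0.0/8"]
    for name, plist in (("page", page_example()), ("loose", loose_example())):
        for route in routes:
            print(name, route, plist.evaluate(route))
```

The exact-length list rejects the more-specific 192.0.2.128/25, while the le 32 list accepts it, which is the difference to look for when reviewing an inbound filter.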


Configuring AS-path Lists

You can specify an AS-path list filter on both inbound and outbound BGP routes. Each filter is an access list based on regular expressions. If the regular expression matches the representation of the AS-path attribute of the route as an ASCII string, then the permit or deny condition applies.

SUMMARY STEPS

1. config t

2. ip as-path access-list name {deny | permit} expression

3. show {ip | ipv6} as-path-access-list name

4. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

switch# config t

switch(config)#

Enters configuration mode.

Step 2 

ip as-path access-list name {deny | permit} expression


Example:

switch(config)# ip as-path access-list Allow40 permit 40

Creates a BGP AS-path list using a regular expression.

Step 3 

show {ip | ipv6} as-path-access-list name


Example:

switch(config)# show ip as-path-access-list Allow40

(Optional) Displays information about as-path access lists.

Step 4 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Saves this configuration change.

The following example shows how to create an AS-path list with two entries and apply the AS path list to a BGP neighbor:

switch# config t

switch(config)# ip as-path access-list AllowAS permit 40

switch(config)# ip as-path access-list AllowAS permit 40000

switch(config)# copy running-config startup-config

switch(config)# router bgp 33:20
switch(config-router)# neighbor 192.0.2.1/16 remote-as 99:20
switch(config-router-neighbor)# address-family ipv4 unicast
switch(config-router-neighbor-af)# filter-list AllowAS in
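Because the expression is matched against the AS path as an ASCII string, an unanchored expression such as 40 matches any path whose text contains those digits. The following Python sketch is an added example, not Cisco code: it approximates the matching with Python's re module, translates the Cisco "_" delimiter character into an equivalent group, and assumes an implicit deny when no entry matches; the class, function names, and sample AS paths are constructed.

```python
import re

# Cisco-style "_" matches a delimiter: start or end of the string, a space,
# a comma, a brace or a parenthesis. Translated here to a Python group.
DELIMITER = r"(?:^|$|[ ,{}()])"


def compile_as_path_regex(expression):
    """Approximate an AS-path expression with Python's re (assumption)."""
    return re.compile(expression.replace("_", DELIMITER))


class AsPathList:
    """Ordered permit/deny entries; the first entry that matches is used."""

    def __init__(self):
        self.entries = []

    def add(self, action, expression):
        pattern = compile_as_path_regex(expression)
        self.entries.append((action, expression, pattern))

    def evaluate(self, as_path):
        """Return (action, expression) of the first matching entry."""
        for action, expression, pattern in self.entries:
            if pattern.search(as_path):
                return (action, expression)
        return ("deny", None)  # assumption: implicit deny when nothing matches


def page_list():
    """The AllowAS list from the example above (unanchored expressions)."""
    aslist = AsPathList()
    aslist.add("permit", "40")
    aslist.add("permit", "40000")
    return aslist


def anchored_list():
    """Constructed variant that delimits each AS number with '_'."""
    aslist = AsPathList()
    aslist.add("permit", "_40_")
    aslist.add("permit", "_40000_")
    return aslist


# Constructed AS paths, written as the space-separated string the regex sees
SAMPLE_PATHS = ["40", "65001 40", "65001 1400 7", "40000",
                "65001 24000", "65001 65002"]


def overmatched(paths=SAMPLE_PATHS):
    """Paths the unanchored list permits but the anchored list denies."""
    loose, strict = page_list(), anchored_list()
    return [p for p in paths
            if loose.evaluate(p)[0] == "permit"
            and strict.evaluate(p)[0] == "deny"]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(repr(path), page_list().evaluate(path),
              anchored_list().evaluate(path))
    print("over-matched:", overmatched())
```

In the unanchored list the entry for 40000 is never reached, because the entry for 40 already matches the string "40000".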


Configuring Community Lists

You can use community lists to filter BGP routes based on the community attribute. The community number consists of a 4-byte value in the aa:nn format. The first two bytes represent the autonomous system number, and the trailing two bytes represent a user-defined network number.

When you configure multiple values in the same community list statement, all community values must match to satisfy the community list filter. When you configure multiple values in separate community list statements, the first list that matches a condition is processed.

SUMMARY STEPS

1. config t

2. ip community-list standard list-name {deny | permit} [community-list] [internet] [local-AS] [no-advertise] [no-export]

or

ip community-list expanded list-name {deny | permit} expression

3. show ip community-list name

4. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

switch# config t

switch(config)#

Enters configuration mode.

Step 2 

ip community-list standard list-name {deny | permit} [community-list] [internet] [local-AS] [no-advertise] [no-export]



Example:

switch(config)# ip community-list standard BGPCommunity permit no-advertise 40000:20


Creates a standard BGP community list. The community-list can be one or more of the following:

internet

local-AS

no-advertise

no-export

one or more communities in the aa:nn format.

ip community-list expanded list-name {deny | permit} expression


Example:

switch(config)# ip community-list expanded BGPComplex deny 50000:[0-9][0-9]_


Creates an expanded BGP community list using a regular expression.

Step 3 

show ip community-list name


Example:

switch(config)# show ip community-list BGPCommunity

(Optional) Displays information about community lists.

Step 4 

copy running-config startup-config


Example:

switch# copy running-config startup-config

(Optional) Saves this configuration change.

The following example shows how to create a community list with two entries:

switch# config t

switch(config)# ip community-list standard BGPCommunity permit no-advertise 40000:20

switch(config)# ip community-list standard BGPCommunity permit local-AS no-export

switch(config)# copy running-config startup-config
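The difference between several values in one community list statement (all must be present) and several statements under one name (first match is used) is easy to get wrong when reading a filter. The following Python model is an added example, not Cisco code: the class and function names and the sample routes are constructed, the well-known community values are those of RFC 1997, an implicit deny is assumed when no statement matches, and the internet keyword is left out.

```python
# Well-known communities from RFC 1997; local-AS is NO_EXPORT_SUBCONFED
WELL_KNOWN = {
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,
}


def encode_community(text):
    """Encode a named community or aa:nn into its 4-byte value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    aa, nn = (int(part) for part in text.split(":"))
    if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"aa and nn must each fit in two bytes: {text}")
    return (aa << 16) | nn  # first two bytes AS number, last two the number


class CommunityList:
    """Standard community list: ordered statements, each a set of values."""

    def __init__(self):
        self.statements = []

    def add(self, action, *communities):
        wanted = frozenset(encode_community(c) for c in communities)
        self.statements.append((action, wanted))

    def evaluate(self, route_communities):
        """Return (action, index) of the first statement that matches."""
        present = {encode_community(c) for c in route_communities}
        for index, (action, wanted) in enumerate(self.statements):
            if wanted <= present:  # every value in the statement must match
                return (action, index)
        return ("deny", None)  # assumption: implicit deny when nothing matches


def page_community_list():
    """The BGPCommunity list from the example above."""
    clist = CommunityList()
    clist.add("permit", "no-advertise", "40000:20")
    clist.add("permit", "local-AS", "no-export")
    return clist


def separate_statements_list():
    """Constructed variant: the same two values as separate statements."""
    clist = CommunityList()
    clist.add("permit", "no-advertise")
    clist.add("permit", "40000:20")
    return clist


if __name__ == "__main__":
    # Constructed community attributes carried by sample routes
    samples = [["40000:20"],
               ["no-advertise", "40000:20", "65000:1"],
               ["no-export", "local-AS"],
               ["no-export"]]
    for communities in samples:
        print(communities,
              page_community_list().evaluate(communities),
              separate_statements_list().evaluate(communities))
```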


Configuring Route Maps

You can use route maps for route redistribution or route filtering. Route maps can contain multiple match criteria and multiple set criteria.

Configuring a route map for BGP triggers an automatic soft clear or refresh of BGP neighbor sessions.

SUMMARY STEPS

1. config t

2. route-map map-name [permit | deny] [seq]

3. Add optional match or set parameters in route-map configuration mode

4. exit

5. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

switch# config t

switch(config)#

Enters configuration mode.

Step 2 

route-map map-name [permit | deny] [seq]


Example:

switch(config)# route-map Testmap permit 10

switch(config-route-map)#

Creates a route map or enters route-map configuration mode for an existing route map. Use seq to order the entries in a route map.

Step 3 

description string


Example:

switch(config-route-map)# description A test route map

(Optional) Adds a description for the route-map sequence.

Step 4 

continue seq


Example:

switch(config-route-map)# continue 10

(Optional) Determines what sequence statement to process next in the route map. Used only for filtering and redistribution.

Step 5 

exit


Example:

switch(config-route-map)# exit

(Optional) Exits route-map configuration mode.

Step 6 

copy running-config startup-config


Example:

switch(config)# copy running-config startup-config

(Optional) Saves this configuration change.

You can configure the following optional match parameters for route maps in route-map configuration mode:

Command
Purpose

match as-path name [name...]


Example:

switch(config-route-map)# match as-path Allow40

Matches against one or more AS-path lists. Create the AS-path list with the ip as-path access-list command.

match community name [name...][exact-match]


Example:

switch(config-route-map)# match community BGPCommunity

Matches against one or more community lists. Create the community list with the ip community-list command.

match ip address prefix-list name [name...]


Example:

switch(config-route-map)# match ip address prefix-list AllowPrefix

Matches against one or more IPv4 prefix lists. Use the ip prefix-list command to create the prefix list.

match ipv6 address prefix-list name [name...]


Example:

switch(config-route-map)# match ipv6 address prefix-list AllowIPv6Prefix

Matches against one or more IPv6 prefix lists. Use the ipv6 prefix-list command to create the prefix list.

match ip multicast [source ipsource] [[group ipgroup] [rp iprp]]


Example:

switch(config-route-map)# match ip multicast rp 192.0.2.1

Matches an IPv4 multicast packet based on multicast source, group, or rendezvous point.

match ipv6 multicast [source ipsource] [[group ipgroup] [rp iprp]]


Example:

switch(config-route-map)# match ipv6 multicast source 2001:0DB8::1

Matches an IPv6 multicast packet based on multicast source, group, or rendezvous point.

match ip next-hop prefix-list name [name...]


Example:

switch(config-route-map)# match ip next-hop prefix-list AllowPrefix

Matches the IPv4 next-hop address of a route to one or more IP prefix lists. Use the ip prefix-list command to create the prefix list.

match ipv6 next-hop prefix-list name [name...]


Example:

switch(config-route-map)# match ipv6 next-hop prefix-list AllowIPv6Prefix

Matches the IPv6 next-hop address of a route to one or more IP prefix lists. Use the ipv6 prefix-list command to create the prefix list.

match ip route-source prefix-list name [name...]


Example:

switch(config-route-map)# match ip route-source prefix-list AllowPrefix

Matches the IPv4 route source address of a route to one or more IP prefix lists. Use the ip prefix-list command to create the prefix list.

match ipv6 route-source prefix-list name [name...]


Example:

switch(config-route-map)# match ipv6 route-source prefix-list AllowIPv6Prefix

Matches the IPv6 route-source address of a route to one or more IP prefix lists. Use the ipv6 prefix-list command to create the prefix list.

match route-type route-type

Example:

switch(config-route-map)# match route-type level-1 level-2

Matches against a type of route. The route-type can be one or more of the following:

external

internal

level-1

level-2

local

nssa-external

type-1

type-2

match tag tagid [tagid...]


Example:

switch(config-route-map)# match tag 2

Matches a route against one or more tags for filtering or redistribution.


You can configure the following optional set parameters for route maps in route-map configuration mode:

Command
Purpose

set as-path {tag | prepend {last-as number | as-1 [as-2...]}}


Example:

switch(config-route-map)# set as-path prepend 10 100 110

Modifies an AS-path attribute for a BGP route. You can prepend the configured number of last AS numbers or a string of particular AS-path values (as-1 as-2...as-n).

set comm-list name delete


Example:

switch(config-route-map)# set comm-list BGPCommunity delete

Removes communities from the community attribute of an inbound or outbound BGP route update. Use the ip community-list command to create the community list.

set community {none | {additive | local-AS | no-advertise | no-export | community-1 [community-2...]}}


Example:

switch(config-route-map)# set community local-AS

Sets the community attribute for a BGP route update.

Note: When you use both the set community and set comm-list delete commands in the same sequence of a route map attribute, the deletion operation is performed before the set operation.

set dampening halflife reuse suppress duration

Example:

switch(config-route-map)# set dampening 30 1500 10000 120

Sets the BGP route dampening parameters.

halflife—The range is from 1 to 45 minutes. The default is 15.

reuse—The range is from 1 to 20000 seconds. The default is 750.

suppress—The range is from 1 to 20000. The default is 2000.

duration—The range is from 1 to 255 minutes. The default is 60.

set forwarding-address


Example:

switch(config-route-map)# set forwarding-address

Sets the forwarding address for OSPF.

set level {backbone | level-1 | level-1-2 | level-2}


Example:

switch(config-route-map)#

Sets what area to import routes to for IS-IS. The options for IS-IS are level-1, level-1-2, or level-2. Default is level-1.

set local-preference value


Example:

switch(config-route-map)# set local-preference 4000

Sets the BGP local preference value. The range is from 0 to 4294967295.

set metric metric0 [metric1 metric2 metric3 metric4]


Example:

switch(config-route-map)#

Sets the route metric values. Metrics are as follows:

metric0—Bandwidth in Kb/s

metric1—Delay in 10-microsecond units

metric2—Reliability. The range is from 0 to 255 (100% reliable).

metric3—Loading. The range is from 1 to 200 (100% loaded).

metric4—MTU of the path.

set metric-type {external | internal | type-1 | type-2}


Example:

switch(config-route-map)# set metric-type internal

Sets the metric type for the destination routing protocol. The options are as follows:

external—IS-IS external metric

internal—Use IGP metric as the MED for BGP

type-1—OSPF external type 1 metric

type-2—OSPF external type 2 metric

set origin {egp as-number | igp | incomplete}


Example:

switch(config-route-map)#

Sets the BGP origin attribute. The EGP as-number range is from 0 to 65535.

set tag name


Example:

switch(config-route-map)# set tag 33

Sets the tag value for the destination routing protocol. The name parameter is an unsigned integer.

set weight count


Example:

switch(config-route-map)#

Sets the weight for the BGP route. The range is from 0 to 65535.


The set metric-type internal command affects only an outgoing policy and only for an eBGP neighbor. If you configure both the metric and metric-type internal commands in the same BGP peer outgoing policy, then Cisco NX-OS ignores the metric-type internal command.

Verifying Route Policy Manager Configuration

Use the show route-map command to verify the Route Policy Manager configuration.

Route Policy Manager Example Configuration

This example shows how to use an address family to configure BGP so that any unicast and multicast routes from neighbor 209.0.2.1 are accepted if they match access list 1:

router bgp 40000
  address-family ipv4 unicast
    network 192.0.2.0/24
    network 209.165.201.0/27 route-map filterBGP

route-map filterBGP
  match ip next-hop prefix-list AllowPrefix

ip prefix-list AllowPrefix seq 10 permit 192.0.2.0/24 eq 24
ip prefix-list AllowPrefix seq 20 permit 209.165.201.0/27 eq 27


Related Topics

The following topics can give more information on Route Policy Manager:

Chapter 9, "Configuring Basic BGP"

Chapter 16, "Configuring Policy-Based Routing"

Default Settings

Table 15-1 lists the default settings for Route Policy Manager.

Table 15-1 Default Route Policy Manager Parameters 

Parameters
Default

Route Policy Manager

Enabled


Additional References

For additional information related to implementing IP, see the following sections:

Related Documents

Standards

Related Documents

Related Topic
Document Title

Route Policy Manager CLI commands

Cisco Nexus 7000 Series NX-OS Unicast Routing Command Reference, Release 4.0

VDCs and VRFs

Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide, Release 4.0


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.