Configuring Route Policy Manager

This chapter contains the following sections:

About route policy manager

Route Policy Manager is a feature that supports route maps and IP prefix lists for route redistribution and filtering.

  • Supports route maps and IP prefix lists.

  • Enables route redistribution and filtering between routing domains.

  • Prefix lists contain IPv4 or IPv6 network prefixes and associated prefix length values.

Route Policy Manager enables the use of route maps and prefix lists for advanced routing control.

  • Route maps can apply to both routes and IP packets.

  • Prefix lists can be used in BGP templates, route filtering, or redistribution of routes exchanged between routing domains.

Prefix lists

Prefix lists are a method to filter network routes or packets by matching their prefixes against a defined list of permitted or denied prefixes.

  • Permit or deny an address or range of addresses based on prefix matching.

  • Multiple entries can be configured, each with an associated sequence number.

  • Evaluation starts with the lowest sequence number, and processing stops after the first match.

How prefix lists work

Filtering by a prefix list involves matching the prefixes of routes or packets with the prefixes listed in the prefix list. If a given prefix does not match any entries, an implicit deny is assumed.


Note

An empty prefix list permits all routes.

MAC lists

A MAC list is a collection of MAC addresses and optional MAC masks used to permit or deny network traffic based on MAC address matching.

  • Consists of MAC addresses and optional wild-card MAC masks.

  • Used to permit or deny MAC addresses or ranges of addresses.

  • Filtering involves matching packet MAC addresses with entries in the MAC list; unmatched addresses are implicitly denied.

How MAC lists work

MAC lists are evaluated in sequence, and each entry has an associated sequence number. Cisco NX-OS processes the first successful match for a given MAC address and applies the permit or deny action. Once a match occurs, the rest of the MAC list is not evaluated for that address.

MAC list usage

For example, you can configure multiple entries in a MAC list to permit or deny specific MAC addresses. Each entry is assigned a sequence number, and the system evaluates entries starting with the lowest sequence number. The first matching entry determines whether the MAC address is permitted or denied.

Route maps

Route maps are a category of configuration tools that allow you to control route redistribution by specifying match and set criteria for routes or packets.

  • Each route map entry includes a sequence number to determine processing order.

  • Entries specify permission (permit or deny), match criteria, and set changes.

  • Route maps can process entries in a linear or user-defined order using the continue statement.

Route map structure and processing

Route maps are composed of one or more entries, each identified by a sequence number under a unique route map name. Each entry defines how routes or packets are matched and what actions are taken.

The route map entry has the following parameters:

  • Sequence number

  • Permission—permit or deny

  • Match criteria

  • Set changes

By default, a route map processes routes or IP packets in a linear fashion (that is, starting from the lowest sequence number). Route map can be confgured to process in a different order using the continue statement, which determines the route map entry that needs to be processed next.

Default action for sequences in a route map

The default action for any sequence in a route map is permit.

  • If you configure a new sequence in a route map without explicitly specifying either permit or deny. , the default action is permit.

  • If you edit a configured sequence in a route map and do not specify an action, the permit action is applied, even if the sequence was originally configured with deny.

  • Always set the correct action when configuring or editing a sequence of a route map; otherwise, the default action, permit , is applied.

Default sequence number for a route map

The default sequence number for a route-map with no specified sequence value is 10.

  • If you create a new route-map without specifying a sequence number, the default sequence number is 10.

  • If a route-map already exists with sequence number 10 and you configure the same route-map again without specifying a sequence number, any modifications will be applied to sequence number 10 of that route-map.

  • If a route-map already has sequence numbers assigned (20, 30, 40, etc.) and you configure it again without specifying a sequence number, a new entry with sequence number 10 will be created for that route-map.

Match criteria

Match criteria are the set of parameters used to determine whether a route or IP packet meets specific conditions in a route map.

  • Some criteria, such as BGP community lists, are applicable only to a specific routing protocol.

  • Other criteria, such as the IP source or destination address, can be used for any route or IP packet.

  • Match criteria are evaluated by comparing the route or packet to each configured match statement in the route map.

Types of match criteria and processing behavior

The match categories and parameters are as follows:

  • BGP parameters—Match based on AS numbers, AS-path, community attributes, or extended community attributes.

  • Prefix lists—Match based on an address or range of addresses.

  • Multicast parameters—Match based on rendezvous point, groups, or sources.

  • Other parameters—Match based on IP next-hop address or packet length.

For match processing:

  1. If multiple match statements of the same type exist within the same route-map sequence, they are processed as an OR operation. This processing applies whether the match statements are on the same line or not.

  2. If multiple match statements of a different type exist within the same route-map sequence, they are processed as an AND operation.

Set changes

Set changes are modifications applied to a route or packet after it matches an entry in a route map, based on configured set statements.

  • Change BGP parameters such as AS-path, tag, community, extended community, dampening, local preference, origin, or weight attributes.

  • Change metrics, including the route-metric or the route-type.

  • Change other parameters, such as the forwarding address or the IP next-hop address.

Set changes are used in route maps to modify route or packet attributes after a match occurs.

Access lists

  • IP access lists can match packets to fields such as source or destination IPv4 or IPv6 address.

  • They can match on protocol, precedence, and ToS.

  • Access lists can be used in a route map for policy-based routing only.

AS numbers for BGP

AS numbers for BGP are identifiers that allow BGP to match peers and establish sessions based on configured Autonomous System numbers.

  • You can configure a list or range of AS numbers to match against BGP peers.

  • If a BGP peer matches an AS number in the list and matches the other BGP peer configuration, BGP creates a session.

  • If the BGP peer does not match an AS number in the list, BGP ignores the peer.

BGP uses AS numbers to determine whether to establish a session with a peer. You can configure these as a list, a range, or use an AS-path list with a regular expression.

AS-path lists for BGP

An AS-path list is a configuration tool that allows filtering of BGP route updates based on the AS-path attribute.

  • Filters inbound or outbound BGP route updates using AS-path attributes.

  • Processes routes according to permit or deny conditions configured in the AS-path list.

  • Supports multiple AS-path entries under the same list name; the router processes the first matching entry.

AS-path list configuration and processing in BGP

You can configure an AS-path list to filter inbound or outbound BGP route updates. If the route update contains an AS-path attribute that matches an entry in the AS-path list, the router processes the route based on the permit or deny condition configured. You can configure AS-path lists within a route map. Multiple AS-path entries can be configured in an AS-path list by using the same AS-path list name. The router processes the first entry that matches.

Community lists for BGP

Community lists for BGP are mechanisms that allow filtering and matching of BGP route updates based on the community attribute using route maps.

  • Community lists can match the community attribute in BGP routes and set the community attribute using route maps.

  • A community list contains one or more community attributes; all must match for a route to be considered a match within a single entry.

  • Multiple community attributes can be configured as individual entries with the same community list name, and the router processes the first matching entry according to its permit or deny action.

Community list formats and usage in BGP

Community attributes in a community list can be configured in several formats to match BGP routes as needed.

  • A named community attribute, such as internet or no-export .

  • In aa:nn format, where the first two bytes represent the two-byte AS number and the last two bytes represent a user-defined network number.

  • A regular expression.

Extended community lists for BGP

Extended community lists for BGP are a category of access lists that support 4-byte AS numbers and allow configuration of community attributes in specific formats.

  • Support 4-byte AS numbers for BGP community attributes.

  • Allow configuration in aa4:nn format, where the first four bytes represent the AS number and the last two bytes represent a user-defined network number.

  • Permit use of regular expressions for matching community attributes.

Properties and behavior of extended community lists

Extended community lists in Cisco NX-OS provide similar functionality to regular community lists for four-byte AS numbers and can be configured with specific properties.

  • Transitive: BGP propagates the community attributes across autonomous systems.

  • Nontransitive: BGP removes community attributes before propagating the route to another autonomous system.

Configure NX-OS BGP large communities

About NX-OS BGP large communities

NX-OS BGP large communities are standardized 12-byte values (per IETF RFC 8092) that provide enhanced flexibility for classifying BGP routes, especially when using 4-byte ASNs.

  • Allow classification of routes from different data centers and ASNs using large communities.

  • Remove the 4-byte restriction of standard BGP communities by supporting 12-byte large communities.

  • Enable more flexible configuration of networks and routing policies in NX-OS BGP.

Beginning with Cisco NX-OS Release 10.6(2)F, BGP large community is supported on EVPN address-family. In earlier releases, it is supported on IPv4 and IPv6 unicast address family.

Configure a large community list (expanded)

The following are the steps to configure large community list in expanded form:

Procedure

Step 1

configure terminal

Example:
switch# configure terminal
                        switch(config)#

Enters global configuration mode.

Step 2

ip large-community-list expanded

Example:
switch(config)# ip large-community-list
                        expanded

This option adds an expanded large community list entry.

Step 3

ip large-community-list expanded list-name

Example:
switch(config)# ip large-community-list expanded
                        list-name

This option provides the name of the expanded large community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.

Step 4

ip large-community-list expanded abcd seq

Example:
switch(config)# ip large-community-list expanded abcd
                        seq

This option provides the sequence number of the entry.

Step 5

ip large-community-list expanded abcd seq 10 {deny | permit }

Example:
switch(config)# ip large-community-list expanded abcd seq 10
                        {deny | permit}

The first option specifies the large community to reject.

The second option specifies the large community to accept.

Step 6

ip large-community-list expanded abcd seq 10 permit XX:YY:ZZ

Example:
switch(config)# ip large-community-list expanded abcd seq 10 permit
                        XX:YY:ZZ

This option provides the regular expression which uses a XX:YY:ZZ format. XX can have a range of <0-4294967294> and is a four octet global administrator field which represents ASN. Whereas, YY and ZZ are four octet local data fields, which are defined by an owner of the ASN.

The ":" is a separator between global and local data fields.

The following example shows how to create a large community list in expanded form:

switch(config)# ip large-community-list expanded abcd seq 10 permit ”^100:200:300$"
                switch(config)# sh run rpm
                <<SNIP>>
                ip large-community-list expanded abcd seq 10 permit ”^100:200:300$"
Configure a large community list (standard)

The following are the steps to configure large community list in standard form:

Procedure

Step 1

configure terminal

Example:
switch# configure terminal
                        switch(config)#

Enters global configuration mode.

Step 2

ip large-community-list standard

Example:
switch(config)# ip large-community-list
                        standard

This option adds a standard large community list entry.

Step 3

ip large-community-list standard list-name

Example:
switch(config)# ip large-community-list standard
                        list-name

This option provides the name of the standard large community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.

Step 4

ip large-community-list standard efgh seq

Example:
switch(config)# ip large-community-list standard efgh
                        seq

This option provides the sequence number of the entry.

Step 5

ip large-community-list standard efgh seq 15 {deny | permit }

Example:
switch(config)# ip large-community-list standard efgh seq 15
                        {deny | permit}

The first option specifies the large community to reject.

The second option specifies the large community to accept.

Step 6

ip large-community-list standard efgh seq 15 deny XX:YY:ZZ

Example:
switch(config)# ip large-community-list standard efgh seq 15 deny
                        XX:YY:ZZ

This option provides the regular expression which uses a XX:YY:ZZ format. XX can have a range of <0-4294967294> and is a four octet global administrator field which represents ASN. Whereas, YY and ZZ are four octet local data fields, which are defined by an owner of the ASN.

The ":" is a separator between global and local data fields.

The following example shows how to create a large community list in standard form:

switch(config-route-map)# ip large-community-list standard efgh seq 15 deny 1000300:123:456
                switch(config)# sh run rpm
                <<SNIP>>
                ip large-community-list standard efgh seq 15 deny 1000300:123:456
Configure a route-map match for large community

The following are the steps to configure route-map match for large community:

Procedure

Step 1

configure terminal

Example:
switch# configure terminal
                        switch(config)#

Enters global configuration mode.

Step 2

match large-community

Example:
switch(config-route-map)# match
                        large-community

This option matches BGP large community list.

Step 3

match large-community list-name

Example:
switch(config-route-map)# match large-community
                        list-name

This option provides the name of the community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.

Step 4

match large-community abcd exact-match

Example:
switch(config-route-map)# match large-community abcde
                        exact-match

This option does the exact matching of the communities.

The following example shows how to create a large community list in expanded form:

switch(config-route-map)# sh run rpm
                <<SNIP>>
                route-map test permit 10
                match large-community abcd efgh
Configure a route map set for large community

The following are the steps to configure route-map set for large community:

Procedure

Step 1

configure terminal

Example:
switch# configure terminal
                        switch(config)#

Enters global configuration mode.

Step 2

set large-community-list

Example:
switch(config-route-map)# set
                        large-community-list

This option sets BGP large community attribute.

Step 3

set large-community-list list-name

Example:
switch(config-route-map)# set large-community-list
                        list-name

This option sets the name of the large community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters.

Step 4

set large-community-list list-name delete

Example:
switch(config-route-map)# set large-community-list list-name
                        delete

This option deletes the matching large communities.

Example:
switch(config-route-map)# sh run rpm
                        route-map test permit 10
                        set large-community-list list-name delete

Step 5

set large-community {none | XX:YY:ZZ [additive ] | additive }

Example:
switch(config-route-map)# set large-community
                        {none | XX:YY:ZZ [additive] | additive}
switch(config-route-map)# set large-community
                        1000:1235:7629 200:30048:234 additive

This command sets the large-community attribute for a BGP route update.

  • The 'XX:YY:ZZ' option represents the large-community attribute in XX:YY:ZZ format and sets that value alone for a BGP route update. A maximum of 32 large-community attributes can be added in one set command.

  • The 'additive' option represents an addition to the existing large-community attribute, and is used along with the XX:YY:ZZ option. When used in this manner, it adds the XX:YY:ZZ attribute to the existing large-community attribute.

  • The 'none' option represents that no large-community attribute will be set.

Example:
switch(config-route-map)# sh run rpm
                        route-map test permit 10
                        set large-community additive
switch(config-route-map)# sh run rpm
                        route-map test permit 10
                        set large-community 1000300:123:456
switch(config-route-map)# sh run rpm
                        route-map test permit 10
                        set large-community none

Route redistribution and route maps

Route redistribution with route maps is a process that controls which routes are redistributed between routing domains and how their attributes are modified.

  • Route maps match on route attributes to selectively redistribute routes that meet specific criteria.

  • Route maps can modify route attributes during redistribution using set actions.

  • Routes are evaluated against each route map entry or sequence until a match is found or all entries are processed.

How route maps control route redistribution

Route maps provide granular control over which routes are redistributed and how their attributes are set during the redistribution process.

  • Routes are matched against each route map entry or sequence.

  • If multiple match statements exist under a route-map sequence, the route must satisfy all match criteria.

  • If a route matches the criteria, the set actions are executed.

  • If a route does not match, it is compared against subsequent route map entries or sequences.

  • If no match is found after all entries are processed, the route is denied (either acceptance for inbound or forwarding for outbound route maps).


Note

When redistributing BGP to IGP, iBGP routes are redistributed by default. To override this behavior, insert an additional deny statement into the route map.

Route map support matrix for routing protocols

The item is a category - name that includes configurable match and set statements for routing protocols on Cisco Nexus 9000 Series switches.

  • Yes—The statement is supported for the protocol.

  • No—The statement is not supported for the protocol.

  • If a statement does not apply for the protocol, there is an em dash (—) in the column next to the statement.

  • Where clarification is required, information is added in the appropriate row/column.

Table 1. SET route map statements by protocol

SET Route Map Statement

OSPF Redistribution

EIGRP Redistribution

ISIS Redistribution

RIP Redistribution

BGP Redistribution

Forwarding-address

Yes

—

—

—

—

Standard/Extended Community

—

—

—

—

Standard community only

Site of Origin (SOO)

—

—

—

—

No

Routing Protocol Metric

Yes

Yes

Yes

Yes

Yes

Routing Protocol Metric Type

Yes

—

No

—

—

Route Tag

Yes

Yes

No

Yes

—

NSSA Only

Yes

—

—

—

—

Orgin

—

—

—

—

Yes

Level

—

—

Yes

—

—

Weight

—

—

—

—

Yes

Table 2. SET route map statements by protocol

SET Route Map Statement

BGP Neighbor

BGP Table Map

OSPF Table Map

EIGRP Table Map

ISIS Table Map

EIGRP Distribute List

Standard/Extended Community

Yes

No

—

—

—

—

Standard/Extended Community-List Deletion

Yes

No

—

—

—

—

Site of Origin (SOO)

No

—

—

—

—

—

Routing Protocol Metric

No

No

—

—

—

Yes

Routing Protocol Metric Type

Yes

No

—

—

—

—

IPv4 Next Hop

Yes

—

—

—

—

—

IPv6 Next Hop

Yes

—

—

—

—

—

IPv4 Prefix list

Yes

—

—

—

—

—

IPv6 Prefix list

Yes

—

—

—

—

—

Interface

No

—

—

—

—

—

Route Tag

—

—

—

—

—

Yes

AS PATH

Yes

No

—

—

—

—

Orgin

Yes

No

—

—

—

—

All Path Advertisement

Yes

No

—

—

—

—

Distance

—

Yes

Yes

Yes

Yes

—

Dampening

No

No

—

—

—

—

Level

No

No

—

—

—

—

Weight

Yes

Yes

No

—

—

—

Table 3. MATCH route map statements by protocol

MATCH Route Map Statement

OSPF Redistribution

EIGRP Redistribution

ISIS Redistribution

RIP Redistribution

BGP Redistribution

Community List

OSPFv2 only

Yes

yes

Yes

—

Ext Community List

OSPFv2 only

Yes

—

Yes

—

Interface

Yes

Yes

Yes

Yes

Yes

IPv4 Next Hop

Yes

Yes

Yes

Yes

Yes

IPv6 Next Hop

Yes

Yes

Yes

No

Yes

Metric

Yes

Yes

Yes

Yes

Yes

Route Type

Yes

Yes

Yes

Yes

Yes

Tag

Yes

Yes

Yes

Yes

Yes

IPv6 Prefix List

Yes

Yes

Yes

No

Yes

IPv4 Prefix list

Yes

Yes

Yes

Yes

Yes

IP ACL

No

No

No

No

No

Source Protocol

Yes

Yes

Yes

Yes

—

AS Path

No

No

No

No

—

AS Number

No

No

No

No

—

Table 4. MATCH route map statements by protocol

MATCH Route Map Statement

BGP Neighbor

BGP Table Map

OSPF Table Map

EIGRP Table Map

ISIS Table Map

EIGRP Distribute List

Community List

Yes

Yes

—

—

—

—

Ext Community List

Yes

Yes

—

—

—

—

Interface

—

No

Yes

Yes

Yes

—

IPv4 Next Hop

Yes

Yes

Yes

Yes

Yes

Yes

IPv6 Next Hop

Yes

Yes

Yes

Yes

Yes

Yes

Metric

Yes

Yes

Yes

No

No

No

Route Type

Yes

Yes

Yes

Yes

Yes

No

Tag

—

Yes

Yes

Yes

No

Yes

IPv6 Prefix List

Yes

Yes

Yes

Yes

Yes

Yes

IPv4 Prefix list

Yes

Yes

Yes

Yes

Yes

Yes

IP ACL

No

No

No

No

No

No

AS Path

Yes

Yes

—

—

—

—

AS Number

Yes

No

—

—

—

—

IPv4 Route Source

—

—

Yes

—

—

—

Guidelines and limitations for route policy manager

Route Policy Manager enforces configuration guidelines and limitations to ensure correct routing policy behavior. Improper use of unsupported commands or ambiguous configurations can result in unintended routing outcomes. Specific behaviors apply to route-maps, prefix lists, ACLs, and policy application in Cisco NX-OS.

Configuration guidelines and limitations

  • Although the command allows set or match on route-tag , it is not supported and will cause unintended behavior for that particular route-map sequence.

  • Names in the prefix-list are case-insensitive. It is recommended to use unique names. Do not use the same name by modifying upper-case and lowercase characters. For example, CTCPrimaryNetworks and CtcPrimaryNetworks are two different entries.

  • If no route map exists, all routes are denied.

  • If no prefix list exists, all routes are permitted.

  • When matching two irrelevant entities in the route-map entry, the permission (permit or deny) of the route-map entry decides the result for all the routes or packets. It also applies the set criteria of the route-map entry. For example, the following route-map, when associated with the BGP configuration, tries to match the ospf-area which results in permitting the irrelevant match and sets the metric to 100: 

    route-map abc permit seq 10
match ospf-area 2
set metric 100

  • Without any match statement in a route-map entry, the permission (permit or deny) of the route-map entry decides the result for all the routes or packets.

  • If referred policies (for example, prefix lists) within a match statement of a route-map entry return either a no-match or a deny-match, Cisco NX-OS fails the match statement and processes the next route-map entry.

  • When you change a route map, Cisco NX-OS holds all the changes until you exit from the route-map configuration submode. Cisco NX-OS then sends all the changes to the protocol clients to take effect.

  • Cisco recommends that you do not have both IPv4 and IPv6 match statements in the same route-map sequence. If both are required, they should be specified in different sequences in the same route-map.

  • Because you can use a route map before you define it, verify that all your route maps exist when you finish a configuration change.

  • You can view the route-map usage for redistribution and filtering. Each individual routing protocol provides a way to display these statistics.

  • When you redistribute BGP to IGP, iBGP is redistributed as well. To override this behavior, you must insert an additional deny statement into the route map.

  • Route Policy Manager does not support MAC lists.

  • The maximum number of characters for ACL names in the ip access-list name command is 64. However, ACL names that are associated with RPM commands (such as ip prefix-list and match ip address) accept a maximum of only 63 characters.

  • BGP supports only specific match commands. For details, see the match commands table in the Configuring Route Maps section.

  • If you create an ACL named "prefix-list," it cannot be associated with a route map that is created using the match ip address command. The RPM command match ip address prefix-list makes the previous command (with the "prefix-list" ACL name) ambiguous.

  • You can configure only one ACL when using the match ip address command.

  • If you configure standard ip community-list and ip large-community-list in multiple lines in config-profile, only the last configured line of that sequence persists. To execute these 2 commands, you need to configure all the community values and execute as a single command in config-profile.

  • If policy is applied via config profile, it is not preferred to attempt unconfiguration (with short no form) of the particular CLI via normal CLI configuration mode. If any changes are required, unapply the profile first, and then modify the profile and apply again.

  • For any RPM profile, if you're planning to configure and apply the config profile ensure not to configure and unconfigure (with short no form) the same profile, if you wish to use "config profile" later.

  • Beginning with Cisco NX-OS Release 10.2(2)F, matching on tags for BGP NLRI (for inbound and outbound facing route-maps) is now supported. However, this is only intended for the use of the L2VPN EVPN address family in L4-7 service integration in VXLAN.

Default settings for route policy manager parameters

The following table lists the default settings for Route Policy Manager.

Table 5. Default route policy manager parameters

Parameters

Default

Route Policy Manager

Enabled

Administrative distance

115

Configure route policy manager

The route policy manager is a feature whose configuration commands in Cisco NX-OS may differ from those in Cisco IOS.

If you are familiar with the Cisco IOS commands, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Configure IP prefix lists

IP prefix lists match the IP packet or route against a list of prefixes and prefix lengths. You can create an IP prefix list for IPv4 and create an IPv6 prefix list for IPv6.

You can configure the prefix list entry to match the prefix length exactly or to match any prefix with a length that matches the configured range of prefix lengths.

Beginning with Cisco NX-OS Release 9.3(9), make sure to add the sequence number when configuring the prefix-list in the NDFC/config-profile/dual-stage configuration modes. Also, when modifying a sequence or inserting a new one, ensure that there is a gap in the sequence number, preferably in increments of 5 or 10, instead of assigning a continuous number.

For example: 

                    ip prefix-list allowprefix seq 
                    
                        10
                     
                     permit 192.0.2.0/23 eq 24
ip prefix-list allowprefix seq 
                    
                        20
                     
                     permit 209.165.201.0/27 eq 28

Note

Beginning with Cisco NX-OS Release 9.3.9, if prefix-list does not have sequence numbers in the config-profile ensure to add the sequence numbers before upgrading to that release or higher.

Use the ge and lt keywords to create a range of possible prefix lengths. The incoming packet or route matches the prefix list if the prefix matches and if the prefix length is greater than or equal to the ge keyword value (if configured) and less than or equal to the lt keyword value (if configured). When using the eq keyword, the value you set must be greater than the mask length for the prefix.

Use the mask keyword to define a range of possible contiguous or non-contiguous routes to be compared to the prefix address.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

{ ip | ipv6 } prefix-list name description string

Example:

switch(config)# ip prefix-list
AllowPrefix description allows
engineering server

Adds an information string about the prefix list.

Step 3

{ ip | ipv6 } prefix-list name [ seq number ] [{ permit | deny } prefix {[ eq prefix-length ] | [ ge prefix-length ] [ le prefix-length ]}] [ mask mask ]

Example:

switch(config)# ip prefix-list
AllowPrefix seq 10 permit 192.0.2.0/23 eq 24

switch(config)# ipv6 prefix-list
AllowIPv6Prefix seq 10 permit 2001:0DB8:: le 32
switch(config)# ip prefix-list
even permit 0.0.0.0/32 mask 0.0.0.1
switch(config)# ipv6 prefix-list
even permit 2001:0DB8::/64 mask ffff:1::

Creates an IPv4 or IPv6 prefix list or adds a prefix to an existing prefix list. The prefix-length is matched as follows:

  • eq —Matches the exact prefix-length . This value must be greater than the mask length.

  • ge —Matches a prefix length that is equal to or greater than the configured prefix-length .

  • le —Matches a prefix length that is equal to or less than the configured prefix-length .

  • mask —Specifies the bits of a prefix address in a prefix list that are compared to the bits of the prefix address used in routing protocols. This option is available for IPv6 prefix lists beginning with Cisco NX-OS Release 9.3(3) for Cisco Nexus 9200, 9300-EX, and 9300-FX platform switches and 9700-EX and 9700-FX line cards .

Step 4

(Optional) show { ip | ipv6 } prefix-list name

Example:

switch(config)# show ip prefix-list
AllowPrefix

Displays information about prefix lists.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config
startup-config

Saves this configuration change.

This example shows how to create an IPv4 prefix list with two entries and apply the prefix list to a BGP neighbor:


                switch# 
                configure terminal
switch(config)# 
                ip prefix-list allowprefix seq 10 permit 192.0.2.0/23 eq 24
switch(config)# 
                ip prefix-list allowprefix seq 20 permit 209.165.201.0/27 eq 28
switch(config)# 
                router bgp 65535
switch(config-router)# 
                neighbor 192.0.2.1/16 remote-as 65534
switch(config-router-neighbor)# 
                address-family ipv4 unicast
switch(config-router-neighbor-af)# 
                prefix-list allowprefix in

This example shows how to create an IPv4 prefix list with a match mask for all /24 odd IP addresses:

switch# configure terminal
switch(config)# ip prefix-list list1 seq 7 permit 22.1.1.0/24 mask 255.255.1.0
switch(config)# show route-map test
route-map test, permit, sequence 7
Match clauses:
ip address prefix-lists: list1
Set clauses:
extcommunity COST:igp:10:20
switch(config)# show ip prefix-list list1
ip prefix-list list1: 1 entries
seq 7 permit 22.1.1.0/24 mask 255.255.1.0

This example shows how to create an IPv4 prefix list that matches all subnets of 21.1.0.0/16 where the subnet prefix is 17 or greater. Due to the mask option, only those incoming prefixes where the first bit in the third octet is unset (even) will be matched. 

switch# configure terminal
switch(config)# ip prefix-list list1 seq 10 permit 21.1.0.0/16 ge 17 mask 255.255.1.0

Configure MAC lists

You can configure a MAC list to permit or deny a range of MAC addresses.

Beginning with Cisco NX-OS Release 10.4(2)F, make sure to add the sequence number when configuring the prefix-list in the NDFC/config-profile/dual-stage configuration modes. Also, when modifying a sequence or inserting a new one, ensure that there is a gap in the sequence number, preferably in increments of 5 or 10, instead of assigning a continuous number.

For example: 

                    mac-list AllowMac seq 
                    
                        5
                     
                    permit 0022.5579.a4c1 ffff.ffff.0000
                    mac-list AllowMac seq 
                    
                        10
                     
                    permit 0033.5510.a4c1 ffff.ffff.0000

Note

Beginning with Cisco NX-OS Release 10.4(2)F, if mac-list does not have sequence numbers in the config-profile ensure to add the sequence numbers before upgrading to that release or higher.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
                        switch(config)#

Enters global configuration mode.

Step 2

mac-list name seq number { permit | deny } mac-address [ mac-mask ]

Example:

switch(config)# mac-list AllowMac seq 5 permit 0022.5579.a4c1 ffff.ffff.0000

Creates a MAC list or adds a MAC address to an existing MAC list. The seq range is from 1 to 4294967294. The mac-mask specifies the portion of the MAC address to match against and is in MAC address format.

Step 3

(Optional) show mac-list name

Example:

switch(config)# show mac-list name

Displays information about prefix lists.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config
                        startup-config

Saves this configuration change.

Configure AS-path lists

You can specify an AS-path list filter on both inbound and outbound BGP routes. Each filter is an access list based on regular expressions. If the regular expression matches the representation of the AS-path attribute of the route as an ASCII string, the permit or deny condition applies.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

ip as-path access-list name { deny | permit } expression

Example:

switch(config)# ip as-path access-list Allow40 permit 40

Creates a BGP AS-path list using a regular expression.

Step 3

(Optional) show { ip | ipv6 } as-path-access-list name

Example:

switch(config)# show ip as-path-access-list Allow40

Displays information about as-path access lists.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

Saves this configuration change.

This example shows how to create an AS-path list with two entries and apply the AS path list to a BGP neighbor:


switch# configure terminal
switch(config)# ip as-path access-list AllowAS permit 64510
switch(config)# ip as-path access-list AllowAS permit 64496
switch(config)# copy running-config startup-config
switch(config)# router bgp 65535:20
switch(config-router)# neighbor 192.0.2.1/16 remote-as 65535:20
switch(config-router-neighbor)# address-family ipv4 unicast
switch(config-router-neighbor-af)# filter-list AllowAS in

Replace BGP AS-path attribute

The Replace BGP AS-path attribute feature enables modification of the BGP as-path attribute in route maps to influence routing policy for eBGP neighbors.

  • Applicable only to eBGP neighbors on a per address family identifier (AFI) basis; configuration on iBGP neighbors is ignored.

  • Supports any combination of AS_SET, AS_SEQUENCE, CONFED_SET, and CONFED_SEQUENCE.

  • Allows a maximum of 32 AS numbers in a set as-path or set as-path replace command.

Guidelines for replacing the BGP AS-path attribute

The following guidelines should be considered when replacing the BGP as-path attribute:

  • A route map with this feature can be applied to both the inbound and outbound sides of a BGP neighbor.

  • When interacting with a BGP speaker that supports only a 2-byte AS, the 4-byte AS number is replaced by the reserved 2-byte AS number 23456.

  • If a confederation identifier is configured, use the confederation identifier as the local ASN in the CLI when interacting with a peer outside the confederation. For peers within the same confederation, use the process ASN in the router bgp asn command.

  • When the BGP local-as feature is configured, the configured local-as will be considered as local ASN in the CLI.

  • For outbound route-maps, the local ASN will always be prepended to the resulting as_path from the CLI.

  • Only one of these options can be configured under one route-map sequence: set as-path , set as-path prepend , and set as-path replace .

  • If remove-private-as is configured, it will be applied before applying the new route-map commands on the outbound side.

  • If as-override is configured, it will be applied after applying the new route-map commands on the outbound side.

  • AS_PATH loop checks execute on the original AS_PATH before the new route-map commands are applied on both inbound and outbound sides. These checks can be relaxed by using allow-as in on the inbound side and disable-peer-as-check on the outbound side.

Replace the complete AS-path

Use this procedure to modify the AS-path in an incoming or outgoing BGP update to a custom AS-path. You can also remove the AS-path completely.

Procedure

Step 1

configure terminal

Example:
switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

route-map map-name [ permit | deny ] [ seq ]

Example:
switch(config)# route-map Testmap permit 10
switch(config-route-map)#

Creates a route map or enters route-map configuration mode for an existing route map. Use seq to order the entries in a route map.

Step 3

[ no ] set as-path { none | { as-number | remote-as | local-as } + ] }

Example:
switch(config-route-map)# set as-path 11 local-as remote-as 13

Replaces AS_PATH with a list of custom ASNs or clears the AS_PATH. The command options are:

  • as-number : The specified AS number.

  • remote-as : The AS number of the BGP peer.

  • local-as : The local AS number.

The none keyword removes the AS-path completely.

In the following examples, these values are assumed:

  • The original AS_PATH is 10 20 30 40 50 60 .

  • The local-as is 100 .

  • The remote-as is 200 .

This example shows how to specify a custom AS-path. This command will change the AS-path to 11 100 200 13 200 10.10 65535 . 

switch# configure terminal
switch(config)# route-map Testmap permit 10
switch(config-route-map)# set as-path 11 local-as remote-as 13 remote-as 10.10 65535

This example shows how to clear the AS-path. This command will cause the AS-path to be empty.

switch# configure terminal
switch(config)# route-map Testmap permit 10
switch(config-route-map)# set as-path none

Replace selected AS numbers in the AS-path

Use this procedure to replace specific AS numbers in the AS-path and replace them with custom AS numbers in an incoming or outgoing BGP update. You can also specify private-as as a match keyword. In this case, any instance of a private-as is matched and can be replaced or removed.

Procedure

Step 1

configure terminal

Example:
switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

route-map map-name [ permit | deny ] [ seq ]

Example:
switch(config)# route-map Testmap permit 10
switch(config-route-map)#

Creates a route map or enters route-map configuration mode for an existing route map. Use seq to order the entries in a route map.

Step 3

[ no ] set as-path replace { asn_list | private-as } [ with { as-number | remote-as | none }]

Example:
switch(config-route-map)# set as-path replace 1, 2, private-as with remote-as

If the with keyword is not specified, substitute the local-as for any instance of an ASN mentioned in the comma separated asn_list , or for any private-as if the private-as keyword is specified.

If the with keyword is specified, substitute the value after the with keyword for any matched ASN, or any private-as if the private-as keyword is specified.

The command options following the with keyword are:

  • as-number : The matched values are replaced by the specified AS number.

  • remote-as : The matched values are replaced by the AS number of the BGP peer.

  • none : The matched values are removed from the AS-path.

In the following examples, these values are assumed:

  • The original AS_PATH is 1 5 2 10.10 65534 20 .

  • The local-as is 100 .

  • The remote-as is 200 .

This example shows how to replace two specific ASNs and a private-as with the local-as. This command will change the AS-path to 100 5 100 10.10 100 20 . 

switch# configure terminal
switch(config)# route-map Testmap permit 10
switch(config-route-map)# set as-path replace 1, 2, private-as

This example shows how to replace two specific ASNs and a private-as with the neighbor's ASN (remote-as). This command will change the AS-path to 200 5 200 10.10 200 20 . 


switch# configure terminal
switch(config)# route-map Testmap permit 10
switch(config-route-map)# set as-path replace 1, 2, private-as with remote-as

This example shows how to remove two specific ASNs and a private-as. This command will change the AS-path to 5 10.10 20 . 

switch# configure terminal
switch(config)# route-map Testmap permit 10
switch(config-route-map)# set as-path replace 1, 2, private-as with none

Configure community lists

You can use community lists to filter BGP routes based on the community attribute. The community number consists of a 4-byte value in the aa:nn format. The first two bytes represent the autonomous system number, and the last two bytes represent a user-defined network number.

When you configure multiple values in the same community list statement, all community values must match to satisfy the community list filter. When you configure multiple values in separate community list statements, the first list that matches a condition is processed.

Use community lists in a match statement to filter BGP routes based on the community attribute.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

Enter one of the following:

  • ip community-list standard list-name { deny | permit } [ community-list ] [ internet ] [ local-AS ] [ no-advertise ] [ no-export ] [ graceful-shutdown ] [ blackhole ]

    or

  • ip community-list expanded list-name { deny | permit } expression

Example:

switch(config)# ip community-list standard BGPCommunity permit no-advertise 65535:20

or 

switch(config)# ip community-list expanded BGPComplex deny 50000:[0-9][0-9]

The first option creates a standard BGP community list. The list-name can be any case-sensitive, alphanumeric string up to 63 characters. The community-list can be one or more communities in the aa:nn format.

The second option creates an expanded BGP community list using a regular expression.

Step 3

(Optional) show ip community list name

Example:

switch(config)# show ip community-list BGPCommunity

Displays information about community lists.

Step 4

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

Saves this configuration change.

This example shows how to create a community list with two entries:

switch# configure terminal
switch(config)# ip community-list standard BGPCommunity permit no-advertise 65535:20
switch(config)# ip community-list standard BGPCommunity permit local-AS no-export
switch(config)# copy running-config startup-config

Configure extended community lists

You can use extended community lists to filter BGP routes based on the community attribute. The community number consists of a 6-byte value in the aa4:nn format. The first four bytes represent the autonomous system number, and the last two bytes represent a user-defined network number.

When you configure multiple values in the same extended community list statement, all extended community values must match to satisfy the extended community list filter. When you configure multiple values in separate extended community list statements, the first list that matches a condition is processed.

Use extended community lists in a match statement to filter BGP routes based on the extended community attribute.


Note

Configure extcommunity in AS2:NN or AS4:NN (as-plain) formats always.

Beginning with NX-OS release 10.4(3)F, you can configure extcommunity in AS.dot format.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

Enter one of the following:

  • ip extcommunity-list standard list-name { deny | permit } seq 5 4byteas-generic { transitive | nontransitive } community1 [ community2... ] rt 2:2 soo 3:3

    or

  • ip extcommunity-list expanded list-name seq 5 { deny | permit } expression

Example:

switch(config)# ip extcommunity-list
standard BGPExtCommunity seq 5 permit
4byteas-generic transitive 65535:20 rt 2:2 soo 3:3

or 

switch(config)# ip extcommunity-list
expanded BGPExtComplex seq 5 deny
1.5:[0-9][0-9]

The first option creates a standard BGP extended community list. The community can be one or more extended communities in the aa4:nn format.

The second option creates an expanded BGP extended community list using a regular expression.

Step 3

ip extcommunity-list standard commext seq 5 permit 4byteas-generic transitive 1:1 rt 2:2 soo 3:3

Sequence number is added as an input parameter to the CLI.

Henceforth, you must enter the input sequence number while configuring extcommunity lists.

Example:

switch(config)# ip extcommunity-list standard commext seq 5 permit 4byteas-generic transitive 1:1 rt 2:2 soo 3:3

Note

 

For config replace, the user config file must contain a valid running configuration collected from a device. It can be collected from a device running any NX-OS image label. It must be a valid file that which is not tampered manually.

Step 4

(Optional) show ip community-list name

Example:

switch(config)# show ip community-list
BGPCommunity

Displays information about extended community lists.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config
startup-config

Saves this configuration change.

This example shows how to create a generic specific extended community list:

switch# configure terminal
switch(config)# ip extcommunity-list standard test1 seq 5 permit 4byteas-generic transitive
65535:40 65535:60
switch(config)# copy running-config startup-config

Configure route maps

Configuring a route map for BGP triggers an automatic soft clear or refresh of BGP neighbor sessions.

Use this block to include any additional information that helps orient the reader to the task, aiding in successful task completion.

Before you begin

Follow these steps to configure route maps.

Procedure

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

route-map map-name [ permit | deny ] [ seq ]

Example:

switch(config)# route-map Testmap permit 10
switch(config-route-map)#

Creates a route map or enters route-map configuration mode for an existing route map. Use seq to order the entries in a route map.

Step 3

(Optional) continue seq

Example:

switch(config-route-map)# continue 10

Determines what sequence statement to process next in the route map. Used only for filtering and redistribution.

Step 4

(Optional) exit

Example:

switch(config-route-map)# exit

Exits route-map configuration mode.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config-route-map)# copy running-config startup-config

Copies the running configuration to the startup configuration.

You can configure the following optional match parameters for route maps in route-map configuration mode:

You can configure the following optional match parameters for route maps in route-map configuration mode:

Command

Purpose

match as-path name [ name... ]

Example: 

switch(config-route-map)# match as-path Allow40

Matches against one or more AS-path lists. Create the AS-path list with the ip as-path access-list command.

match as-number { number [, number... ] | as-path-list name [ name... ]}

Example: 

switch(config-route-map)# match as-number 33,50-60

Matches against one or more AS numbers or AS-path lists. Create the AS-path list with the ip as-path access-list command. The number range is from 1 to 65535. The AS-path list name can be any case-sensitive, alphanumeric string up to 63 characters.

match community name [ name... ][ exact-match ]

Example: 

switch(config-route-map)# match community BGPCommunity

Matches against one or more community lists. Create the community list with the ip community-list command.

match extcommunity name [ name... ][ exact-match ]

Example: 

switch(config-route-map)# match extcommunity BGPextCommunity

Matches against one or more extended community lists. Create the community list with the ip extcommunity-list command.

match interface interface-type number [ interface-type number... ]

Example: 

switch(config-route-map)# match interface e 1/2

Matches any routes that have their next hop out one of the configured interfaces. Use ? to find a list of supported interface types.

Note

 

BGP does not support this command.

Global commands to block the deletion of route-map

The global commands are by default generic. Beginning with Cisco NX-OS release 10.2(2)F, the functionality to block the route-map deletion, if used by client is applicable only for BGP.

  • Use the system default route-map validate-applied command to enable the blocking of the deletion of route-map.

  • Use the no system default route-map validate-applied command to disable the blocking of the deletion of route-map.

  • Use the show running-config rpm command to view the non-default configuration.

  • Use the show running-config rpm all command to view the default configuration.

  • By default this command is in default state.

Verify the route policy manager configuration

To display route policy manager configuration information, perform one of the following tasks.

Command

Purpose

show ip community-list [ name ]

Displays information about a community list.

show ip ext community-list [ name ]

Displays information about an extended community list.

show [ ip | ipv6 ] prefix-list [ name ]

Displays information about an IPv4 or IPv6 prefix list.

show route-map [ name ]

Displays information about a route map.

show route-map [ name ] brief

Provides information about blocking route-map deletion functionality and the list of clients associated with the route-map.

Configuration examples for route policy manager

This topic provides configuration examples for creating IPv4 prefix lists, AS-path lists, and using address families with Route Policy Manager.

This example shows how to use an address family to configure Route Policy Manager so that any unicast and multicast routes from neighbor 172.16.0.1 are accepted if they match prefix-list AllowPrefix: 

router bgp 64496
neighbor 172.16.0.1 remote-as 64497
address-family ipv4 unicast
route-map filterBGP in
route-map filterBGP
match ip address prefix-list AllowPrefix
ip prefix-list AllowPrefix 10 permit 192.0.2.0/24
ip prefix-list AllowPrefix 20 permit 172.16.201.0/27

Related topics

The following topics can give more information on Route Policy Manager.

  • Related topic: Configuring Basic BGP