Configuring Route Policies with CLI
This section provides information to configure route policies using the command line interface.
Topics in this section include:
Route Policy Configuration Overview
Route policies allow you to configure routing according to specifically defined policies. You can create policies and entries to allow or deny paths based on various parameters such as destination address, protocol, packet size, and community list.
Policies can be as simple or complex as required. A simple policy can block routes for a specific location or IP address. More complex policies can be configured using numerous policy statement entries containing matching conditions to specify whether to accept or reject the route, control how a series of policies are evaluated, and manipulate the characteristics associated with a route.
When to Create Routing Policies
Route policies are created in the config>router context. There are no default route policies. Each route policy must be explicitly created and applied. Applying route policies can introduce more efficiency as well as more complexity to routers.
A route policy impacts the flow of routing information or packets within and through the router. A routing policy can be specified to prevent a particular customer’s routes to be placed in the route table which causes those routes to not forward traffic to various destinations and the routes are not advertised by the routing protocol to neighbors.
Route policies can be created to control:
- A protocol to export all the active routes learned by that protocol.
- Route characteristics to control which route is selected to act as the active route to reach a destination and advertise the route to neighbors.
- Protocol to import all routes into the routing table. A routing table must learn about particular routes to be able to forward packets and redistribute to other routing protocols.
- Damping.
Before a route policy is applied, analyze the policy’s purpose and be aware of the results (and consequences) when packets match the specified criteria and the associated actions and default actions, if specified, are executed. Membership reports can be filtered based on a specific source address.
Default Route Policy Actions
Each routing protocol has default behaviors for the import and export of routing information. Table 63 shows the default behavior for each routing protocol.
Table 63: Default Route Policy Actions
Protocol | Import | Export |
OSPF | Not applicable. All OSPF routes are accepted from OSPF neighbors and cannot be controlled via route policies. |
|
IS-IS | Not applicable. All IS-IS routes are accepted from IS-IS neighbors and can not be controlled via route policies |
|
RIP | By default, all RIP-learned routes are accepted. |
|
BGP | By default, all routes from BGP peers are accepted and passed to the BGP route selection process. |
|
Policy Evaluation
Routing policy statements can consist of as few as one or several entries. The entries specify the matching criteria. A route is compared to the first entry in the policy statement. If it matches, the specified entry action is taken, either accepted or rejected. If the action is to accept or reject the route, that action is taken and the evaluation of the route ends.
If the route does not match the first entry, the route is compared to the next entry (if more than one is configured) in the policy statement. If there is a match with the second entry, the specified action is taken. If the action is to accept or reject the route, that action is taken and the evaluation of the route ends, and so on.
Each route policy statement can have a default-action clause defined. If a default-action is defined for one or more of the configured route policies, then the default actions should be handled in the following ways:
- The process stops when the first complete match is found and executes the action defined in the entry.
- If the packet does not match any of the entries, the system executes the default action specified in the policy statement.
Figure 38 depicts an example of the route policy process.
Route policies can also match a given route policy entry and continue to search for other entries within either the same route policy or the next route policy by specifying the next-entry or next-policy option in the entry’s action command. Policies can be constructed to support multiple states to the evaluation and setting of various route attributes.
Figure 39 depicts the next-policy and next-entry route processes.
Figure 38: Route Policy Process Example
Note:
- See Table 63
Figure 39: Next Policy Logic Example
Damping
Damping initiates controls when routes flap. Route flapping can occur when an advertised route between nodes alternates (flaps) back and forth between two paths due to network problems which cause intermittent route failures. It is necessary to reduce the amount of routing state change updates propagated in order to limit processing requirements. Thus, when a route flaps beyond a configured value (the suppress value), then that route is removed from the routing tables and routing protocols until the value falls below the reuse value.
A route can be suppressed according to the Figure of Merit (FoM) value. The FoM is a value that is added to a route each time it flaps. A new route begins with an FoM value of 0.
Damping is optional. If damping is configured, the following parameter values must be explicitly specified as there are no default values:
When a route's FoM value exceeds the suppress value, then the route is removed from the routing table. The route is considered to be stable when the FoM drops below the reuse value by means of the specified half life parameter. The route is returned to the routing tables. When routes have higher FoM and half life values, they are suppressed for longer periods of time. Figure 40 depicts an example of a flapping route, the suppress threshold, the half life decay (time), and reuse threshold. The peaks represent route flaps, the slopes represent half life decay.
Figure 40: Damping Example
Basic Configurations
This section provides information to configure route policies and configuration examples of common tasks. The minimal route policy parameters that need to be configured are:
- Policy statement with the following parameters specified:
- At least one entry
- Entry action
Following is a sample route policy configuration:
Configuring Route Policy Components
Use the CLI syntax displayed below to configure:
Beginning the Policy Statement
Use the following CLI syntax to begin a policy statement configuration. In order for a policy statement to be complete an entry must be specified (see Configuring an Entry).
The following error message displays when the you try to modify a policy options command without entering begin first.
The following example displays policy statement configuration command usage. These commands are configured in the config>router context.
There are no default policy statement options. All parameters must be explicitly configured.
Creating a Route Policy
To enter the mode to create or edit route policies, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include:
- The commit command saves changes made to route policies during a session.
- The abort command discards changes that have been made to route policies during a session.
The following error message displays when the you try to modify a policy options command without entering begin first.
Configuring a Default Action
Specifying a default action is optional. The default action controls those packets not matching any policy statement entries. If no default action is specified for the policy, then the action associated with the protocol to which the routing policy was applied is performed. The default action is applied only to those routes that do not match any policy entries.
A policy statement must include at least one entry (see Configuring an Entry).
To enter the mode to create or edit route policies, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include:
- The commit command saves changes made to route policies during a session.
- The abort command discards changes that have been made to route policies during a session.
The following example displays the default action configuration:
Configuring an Entry
An entry action must be specified. The other parameters in the entry action context are optional. Refer to the Route Policy Command Reference for the commands and syntax.
The following example displays entry parameters and includes the default action parameters which were displayed in the previous section.
The following example displays entry parameters and includes the default action parameters which were displayed in the previous section.
Configuring a Community List
Community lists are composed of a group of destinations which share a common property. Community lists allow you to administer actions on a configured group instead of having to execute identical commands for each member.
The following example displays a community list configuration:
Configuring Damping
The following considerations apply.
- For each damping profile, all parameters must be configured.
- The suppress value must be greater than the reuse value (see Damping Example).
- Damping can be enabled in the config>router>bgp context on the BGP global, group, and neighbor levels. If damping is enabled, but route policy does not specify a damping profile, the default damping profile will be used. This profile is always present and consists of the following parameters:
- half-life: 15 minutes
- max-suppress: 60 minutes
- suppress: 3000
- reuse: 750
The following example displays a damping configuration:
Configuring a Prefix List
The following example displays a prefix list configuration:
Configuring PIM Join/Register Policies
Join policies are used in Protocol Independent Multicast (PIM) configurations to prevent the transportation of multicast traffic across a network and the dropping of packets at a scope at the edge of the network. PIM Join filters reduce the potential for denial of service (DoS) attacks and PIM state explosion—large numbers of Joins forwarded to each router on the RPT, resulting in memory consumption. Refer to the Importing PIM Join/Register Policies section of the Multicast Routing Guide for more information.
*,G or S,G is the information used to forward unicast or multicast packets.
- group-address matches the group address policy in join/prune messagesgroup-address “group-address-policy”
- source-address matches the source address in join/prune messagessource-address 192.168.0.1
- interface matches any join message received on the specified interfaceinterface port 1/1/1
- neighbor matches any join message received from the specified neighborneighbor 1.1.1.1
The following configuration example will not allow join messages for group 229.50.50.208/32 and source 192.168.0.1 but allows other join messages.
Configuring policy-statement
Configuring Bootstrap Message Import and Export Policies
Bootstrap import and export policies are used to control the flow of bootstrap messages to and from the RP.
The following configuration example specifies that no BSR messages received or sent out of interface port 1/1/1.
Route Policy Configuration Management Tasks
This section discusses the following route policy configuration management tasks:
Editing Policy Statements and Parameters
Route policy statements can be edited to modify, add, or delete parameters. To enter the mode to edit route policies, you must enter the begin keyword at the config>router> policy-options prompt. Other editing commands include:
- The commit command saves changes made to route policies during a session.
- The abort command discards changes that have been made to route policies during a session.
The following example displays a changed configuration:
Deleting an Entry
Use the following CLI syntax to delete a policy statement entry:
The following example displays the commands required to delete a policy statement entry.
Deleting a Policy Statement
Use the following CLI syntax to delete a policy statement:
The following example displays the commands required to delete a policy statement.