Configuration Guide Vol. 3


14.1.2 Filtering method

A filter is a list of conditions to be fulfilled. You apply a learned route or advertised route filter to routing traffic by specifying a filter ID in the route filtering configuration.

There are two main filter types you can use to filter routes in the Switches: prefix-list and access-list, which filter routing traffic based only on the destination network, and route-map, which filters by using most of the key route attributes and allows those attributes to be modified. Other filters include ip as-path access-list and ip community-list, which filter routes based on BGP4 routing attributes. The ip as-path access-list and ip community-list filters are called from within route-map.

To configure a filter, specify a filter ID, the filter conditions, and the action to take when the conditions are met. The action is either permit or deny.

You can assign multiple filters to a single filter ID. When filtering a piece of routing information, the switch evaluates the filters that match the specified ID in the order in which they appear in the configuration, and then adopts the action of the first filter whose conditions match the route. Filters that can be assigned a sequence number are evaluated in sequence number order. Filters that lack a sequence number are evaluated in the order in which they are configured.

If none of the filter conditions associated with the specified ID match, the process ends with a deny action. This is called an implicit deny. Filters that specify conditions always end with an implicit deny statement.

Filters that do not specify any conditions end with a permit action.


(1) Filtering by Destination Network

(a) ip prefix-list

The ip prefix-list filter specifies a list of prefixes as filter conditions. When ip prefix-list is used as a route filter, the destination network of the route is compared with the prefixes in the filter.

In addition to prefixes, you can specify minimum and maximum mask lengths in the filter conditions. A route matches the conditions if its destination network is within the address range specified in the filter and the mask length of the address is within the specified mask length range. If you do not specify a mask length range, a route matches the filter conditions only when the mask length of the prefix matches exactly. The following table describes examples of ip prefix-list comparisons.

Table 14-1 Comparison of ip prefix-list and Prefix

Conditions of ip prefix-list:
  (A) 192.168.0.0/16              matches a mask length of exactly 16
  (B) 192.168.0.0/16 ge 16 le 24  matches a mask length of 16 or more and 24 or less
  (C) 192.168.0.0/16 ge 8 le 24   matches a mask length of 8 or more and 24 or less

Prefix (comparative object)   (A)   (B)   (C)
0.0.0.0/0                     NG    NG    NG
192.0.0.0/8                   NG    NG    OK
193.0.0.0/8                   NG    NG    NG
192.168.0.0/16                OK    OK    OK
192.169.0.0/16                NG    NG    NG
192.168.43.0/24               NG    OK    OK
192.168.42.3/32               NG    NG    NG

Legend: OK: Matches, NG: Does not match

An ip prefix-list filter can also be referenced as route destination conditions from the match ip address command in route-map. The same method of comparison applies as if it were used as a standalone route filter.

The match ip route-source command in route-map can invoke an ip prefix-list filter as conditions for the learning source router. In this case, the conditions are the IPv4 address of the learning source router with a 32-bit mask applied.
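The ge/le comparison above, together with the in-order evaluation and implicit deny of section 14.1.2, written out as an added example (not code from the guide or the switch). The matching rule is reconstructed from Table 14-1 (an assumption, in particular the 192.0.0.0/8 row), and the defaults for a missing ge or le bound are assumed.

```python
import ipaddress

def prefix_list_matches(route, entry, ge=None, le=None):
    """True if the route's destination network matches one ip prefix-list entry.

    Rule reconstructed from Table 14-1 (assumption): the route's mask length must
    lie in the ge..le range (exactly the entry length when no range is given), and
    the route and entry addresses must agree on the first min(route length, entry
    length) bits, which is why 192.0.0.0/8 matches "192.168.0.0/16 ge 8 le 24".
    """
    r = ipaddress.ip_network(route, strict=False)
    e = ipaddress.ip_network(entry, strict=False)
    if ge is None and le is None:
        lo = hi = e.prefixlen                    # no range: exact mask length only
    else:                                        # assumption: a missing bound defaults
        lo = e.prefixlen if ge is None else ge   # to the entry length (ge) or the
        hi = e.max_prefixlen if le is None else le  # maximum mask length (le)
    if not lo <= r.prefixlen <= hi:
        return False
    bits = min(r.prefixlen, e.prefixlen)
    mask = ((1 << e.max_prefixlen) - 1) ^ ((1 << (e.max_prefixlen - bits)) - 1)
    return (int(r.network_address) & mask) == (int(e.network_address) & mask)

def prefix_list_action(entries, route):
    """Evaluate a whole prefix-list: entries in configured order, first match
    decides, and a route matching nothing gets the implicit deny."""
    for action, entry, ge, le in entries:
        if prefix_list_matches(route, entry, ge, le):
            return action
    return "deny"

# Table 14-1 transcribed: prefix -> results for conditions (A), (B), (C).
CONDITIONS = [("192.168.0.0/16", None, None),
              ("192.168.0.0/16", 16, 24),
              ("192.168.0.0/16", 8, 24)]
TABLE_14_1 = {
    "0.0.0.0/0":       (False, False, False),
    "192.0.0.0/8":     (False, False, True),
    "193.0.0.0/8":     (False, False, False),
    "192.168.0.0/16":  (True, True, True),
    "192.169.0.0/16":  (False, False, False),
    "192.168.43.0/24": (False, True, True),
    "192.168.42.3/32": (False, False, False),
}

def check_table_14_1():
    """True if the matcher reproduces every OK/NG cell of Table 14-1."""
    return all(tuple(prefix_list_matches(p, e, ge, le) for e, ge, le in CONDITIONS) == want
               for p, want in TABLE_14_1.items())
```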

(b) ip access-list standard

ip access-list standard, with access-list names 1-99 or 1300-1999, is a filter setting used mainly for filtering packets, login access, and so on, but it can also be used for route filtering.

When ip access-list standard is used for route filtering, the address portion of the destination network is compared with the address conditions.

An ip access-list standard filter can be referenced by the match ip address command in route-map. The same method of comparison applies as if it were used as a standalone route filter.

Moreover, the match ip route-source command in route-map can invoke an ip access-list standard filter as conditions for the learning source router. In this case, the conditions are compared against the IPv4 address of the learning source router.

(c) ip access-list extended

ip access-list extended, with access-list names 100-199 or 2000-2699, is a filter setting used primarily for filtering packets, but it can also be used for route filtering.

When you use ip access-list extended for route filtering, the address portion of the destination network is compared with the destination address conditions. All non-address conditions such as upper-layer protocols and port numbers are ignored.

You can reference an ip access-list extended filter as route destination conditions from the match ip address command in route-map. The same method of comparison applies as if it were used as a standalone route filter.

The match ip route-source command in route-map can invoke an ip access-list extended filter as conditions for the learning source router. In this case, the IPv4 address of the learning source router is compared with the destination address conditions, and the 32-bit mask 255.255.255.255 is compared with the source address conditions.

(2) route-map

A route-map filter is used to specify a number of different conditions. This kind of filter can also change route attributes when certain conditions are met.

Each statement in a route-map has a sequence number. For each sequence number, you can specify one line of filter conditions per condition type, and a single line can list multiple conditions. The conditions within one line are combined by OR. Lines that share the same sequence number but specify different condition types are combined by AND.

The statement represented by a sequence number is considered satisfied when the route matches every one of its condition lines. When the statement is satisfied, the action associated with the sequence number is taken and route-map evaluation stops.

If, for even one condition type, none of the conditions on that line match, the statement represented by the sequence number is considered not satisfied. In this case, the next sequence number in the route-map is evaluated.

The tables below list the types of filter conditions you can specify in a route-map filter and the attributes the filter can change.

Notes

When the switch applies a series of route-map filters to a route in succession, changes to route attributes will affect route filtering by subsequent route-map filters.

Suppose you use the RIP redistribute command to apply a route-map filter that changes a tag value, and then use the RIP distribute-list out command to apply a route-map filter that uses that tag value as a condition. First, the tag is modified by the redistribute command, and then the comparison performed by the route-map filter of the distribute-list out command uses the modified tag value.
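The evaluation rules above (OR within a condition line, AND across lines, first satisfied sequence number decides, implicit deny) and the redistribute-then-distribute-list-out tag scenario from the Notes, as an added example that is not code from the guide. The route-map contents, route attributes and the simplified tag handling (an untagged route counts as tag 0, set clauses apply only on permit) are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Statement:
    """One route-map sequence number. Each key of `matches` is one condition line
    (one condition type such as "tag"); the values on that line are OR-ed and the
    lines of a statement are AND-ed. `sets` are the attribute changes on permit."""
    seq: int
    action: str                                   # "permit" or "deny"
    matches: dict = field(default_factory=dict)   # attribute -> set of accepted values
    sets: dict = field(default_factory=dict)      # attribute -> new value

def statement_satisfied(stmt, route):
    for attr, allowed in stmt.matches.items():                 # AND across lines
        value = route.get(attr, 0 if attr == "tag" else None)  # untagged route: tag 0
        if value not in allowed:                               # OR within the line
            return False
    return True                                 # no condition lines: always satisfied

def apply_route_map(statements, route):
    """Return (permitted, route). Statements run in sequence-number order, the first
    satisfied one decides and evaluation stops; nothing satisfied is an implicit deny."""
    for stmt in sorted(statements, key=lambda s: s.seq):
        if statement_satisfied(stmt, route):
            if stmt.action == "permit":
                return True, {**route, **stmt.sets}
            return False, route
    return False, route

# Constructed scenario from the Notes: the redistribute route-map tags static routes,
# the distribute-list out route-map then matches on the already modified tag.
REDISTRIBUTE_MAP = [
    Statement(10, "permit", matches={"protocol": {"static"}}, sets={"tag": 100}),
    Statement(20, "permit"),                   # no conditions: permits the rest unchanged
]
DISTRIBUTE_OUT_MAP = [
    Statement(10, "permit", matches={"tag": {100, 200}}),   # tag 100 OR tag 200
]

def redistribute_then_advertise(route):
    """Run both route-maps in succession, as the switch applies them."""
    permitted, route = apply_route_map(REDISTRIBUTE_MAP, route)
    if not permitted:
        return False, route
    return apply_route_map(DISTRIBUTE_OUT_MAP, route)
```

A connected route passes the redistribute map through its unconditional sequence 20 but keeps no tag, so the distribute-list out map ends in the implicit deny.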

Table 14-2 Types of route-map Filtering Criteria

Destination network
  Description: With the ID of a prefix-list or access-list filter specified as filter conditions, uses the specified filter to filter the destination network of a route. A match is assumed if the filter action is permit. If the action is deny, the attribute is assumed not to match.
  Configuration commands: match ip address, ip prefix-list, ip access-list

Protocol type
  Description: Uses the specified routing protocol name as match conditions for the learning source protocol type of the route.
  Configuration commands: match protocol

Neighboring routers
  Description: With the ID of a prefix list or access list specified as filter conditions, uses the specified filter to filter the address of the learning source router. A match is assumed if the filter action is permit. If the action is deny, the attribute is assumed not to match. Only RIP routes and BGP4 routes include the address of the learning source router. Other route types cannot match these conditions.
  Configuration commands: match ip route-source, ip access-list, ip prefix-list

Interface (see Note)
  Description: Uses interfaces as conditions, and compares the interface with the interface of the next hop of the route. Routes with no next hop do not match the conditions. With BGP4 learned route filtering, routes do not match any interface.
  Configuration commands: match interface

Tag value
  Description: Uses the specified tag value as match conditions for the tag value of the route. Routes with no tag are assumed to have a tag value of 0.
  Configuration commands: match tag

AS_PATH attribute
  Description: With the ID of an ip as-path access-list specified as filter conditions, uses the specified ip as-path access-list to filter the AS_PATH attribute of the route. A match is assumed if the action is permit. If the action is deny, the attribute is assumed not to match. Routes with no AS_PATH attribute are assumed to have an AS_PATH length of 0.
  Configuration commands: match as-path, ip as-path access-list

COMMUNITIES attribute
  Description: With the ID of an ip community-list specified as filter conditions, uses the specified ip community-list to filter the COMMUNITIES attribute of the route. A match is assumed if the action is permit. If the action is deny, the attribute is assumed not to match. Routes with no COMMUNITIES attribute are assumed to belong to no community.
  Configuration commands: match community, ip community-list

ORIGIN attribute
  Description: Uses the specified value (IGP, EGP, or INCOMPLETE) as match conditions for the ORIGIN attribute of the route. Routes with no ORIGIN attribute are assumed to have an IGP origin.
  Configuration commands: match origin

Route type
  Description: Specifies an OSPF route type or local (indicating a route generated by the BGP network command) as filter conditions and compares it with the route's protocol-dependent route type.
  Configuration commands: match route-type

VRF ID
  Description: Uses the specified VRF ID as a match condition for the VRF ID of the route.
  Configuration commands: match vrf

Note: If an interface condition specifies an interface that is not used for IPv4 or IPv6, the interface conditions match any route.

Table 14-3 Route attributes that can be changed by route-map

Distance
  Description: Changes the route priority (distance) in the routing table. Valid only for learned route filtering.
  Configuration commands: set distance

Metric / MED attribute
  Description: Changes the metric or MED attribute. Values can be added to or subtracted from as well as replaced. For route filtering in BGP4, the route can inherit the metric of the route to the BGP NEXT_HOP attribute.
  Configuration commands: set metric; set metric-type internal (inherits the metric of the route to the NEXT_HOP attribute)

Tag value
  Description: Changes the tag value of the route.
  Configuration commands: set tag

LOCAL_PREF attribute
  Description: Changes the LOCAL_PREF attribute of the route. Values can be added to or subtracted from as well as replaced. Used with BGP4 route filtering.
  Configuration commands: set local-preference

AS_PATH attribute
  Description: Changes the AS_PATH attribute of the route. The filter is limited to prepending the AS number of the sending peer. Used with route filtering for BGP4 routes learned from and advertised to external peers.
  Configuration commands: set as-path prepend count

COMMUNITIES attribute
  Description: Changes the COMMUNITIES attribute of the route. The filter can replace, add, and delete communities. Used with BGP4 route filtering.
  Configuration commands: set community; set community-delete

ORIGIN attribute
  Description: Changes the ORIGIN attribute of the route. Used with BGP4 route filtering.
  Configuration commands: set origin

OSPF metric type
  Description: Changes the metric type. Used with OSPF advertised route filtering.
  Configuration commands: set metric-type

(3) Other Filters

In addition to the filters above, you can apply filters that use BGP4 route attributes as conditions. You use the filters below by referencing them as filter conditions in route-map.

(a) ip as-path access-list

This filter applies exclusively to the AS_PATH attribute. It compares the string representation of the AS_PATH attribute against conditions specified by a regular expression. You call this filter with the match as-path command in route-map. For information about regular expressions, see (d) Regular Expressions.

The AS_PATH attribute is a string of decimal AS numbers separated by spaces.

You cannot specify a path type as a filter condition for the AS_PATH attribute. The AS numbers specified as a filter condition are matched against every path type contained in the AS_PATH attribute. In the following example, a route with the following AS_PATH attribute is filtered:

AS_PATH attribute:
  AS_SEQ: 100 200 300, AS_SET: 1000 2000 3000, AS_CONFED_SEQUENCE: 65001 65002
Display format of the AS_PATH attribute for operation commands:
  100 200 300 {1000 2000 3000} (65001 65002)

With the above AS_PATH attribute, any of the following AS number strings specified as a filter condition will match:

  • "100 200 300"

  • "1000 2000 3000"

  • "65001 65002"

  • "300 1000"

Note that the curly brackets ({}) and parentheses (()) shown in the path-type notation of operation commands are special characters in regular expressions and cannot be used to specify a path type.

Because the AS numbers in an AS_SET are sorted in ascending order when a BGP4 route is received, the filter is applied to the sorted result.

(b) ip community-list standard

This filter applies exclusively to the COMMUNITIES attribute. You can specify multiple communities as filter conditions. The filter matches if the COMMUNITIES attribute of the route contains every community you specify. You call this filter with the match community command in route-map.

(c) ip community-list expanded

This filter applies exclusively to the COMMUNITIES attribute. It compares the string representation of the COMMUNITIES attribute against conditions specified by a regular expression. You call this filter with the match community command in route-map. For information about regular expressions, see (d) Regular Expressions.

The string representation of the COMMUNITIES attribute consists of community values converted to character strings and separated by spaces. The values appear in order from smallest to largest. The following table describes the notation used for community values:

Table 14-4 String representation of COMMUNITIES attributes

Community value               Character string
0xFFFFFF01 (hexadecimal)      no-export
0xFFFFFF02 (hexadecimal)      no-advertise
0xFFFFFF03 (hexadecimal)      local-AS
All other cases               <AS number>:<last 2 octets>

<AS number> and <last 2 octets> are both written in decimal notation.

(d) Regular Expressions

A regular expression is a means of describing a text pattern. You can use regular expressions to represent patterns such as repeating strings. Regular expressions can be used as filter conditions for the AS_PATH and COMMUNITIES attributes.

In regular expressions, you can use simple characters such as numerals, upper- and lower-case letters, and symbols (excluding double quotation marks), as well as special characters. A simple character, or a special character preceded by \, matches that same character in the string. Each special character represents a pattern. The following table describes the special characters and the patterns they represent:

Table 14-5: Special characters and their patterns

.    Represents any single character including spaces.

*    Indicates that the preceding character or set of characters repeats zero or more times.

+    Indicates that the preceding character or set of characters repeats one or more times.

?    Represents 0 or 1 occurrence of the preceding character or set of characters (press Ctrl + V, and then enter ? during command entry).

^    Indicates the first character in the string.

$    Indicates the last character in the string.

_    Represents the first or last character of a string, a space, an underscore (_), a comma (,), a left parenthesis (() together with a simple character, a right parenthesis ()) together with a simple character, a left curly bracket ({), a right curly bracket (}), a left angle bracket (<), or a right angle bracket (>).

[ ]  Represents any single character from the character range inside []. Except for the following, special characters act as simple characters within square brackets.
       ^: When a caret is used as the first character in square brackets, the expression matches any character except those in the brackets.
       -: Indicates the beginning and end of a character range. Make sure that the character before the hyphen has a lower character code than the character after it. For details about character codes, see "Configuration Command Reference Vol.1" and "Table 1-3 Character Codes".
       Example: [6-8] matches any one of 6, 7, or 8. [^6-8] matches any single character other than 6, 7, or 8.

( )  Indicates a group of characters. You can specify a maximum of nine character groups in a nested structure.

|    Represents an OR condition.

\    Treats a special character preceded by a backslash as a simple character.

The regular expression operators bind in the following order of precedence, highest first:

  1. ( )

  2. * + ?

  3. Simple characters, ., [, ], ^, and $

  4. |

When you specify a regular expression in a configuration command or operation command, enclose it in double quotation marks (").

Example 1:
  > show ip bgp aspath-regexp "^$"

Example 2:
  (config)# ip as-path access-list 10 permit "_100_"
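How an ip as-path access-list pattern is applied to the space-separated AS_PATH string of (3)(a), including the "_" special character and the "^$" and "_100_" patterns from Examples 1 and 2, as an added example that is not code from the guide. Translating the switch dialect into Python's re module is an assumption; in particular the set of separator characters that "_" stands for is an approximation of the "_" row of Table 14-5.

```python
import re

def as_path_string(as_seq=(), as_set=(), as_confed_seq=()):
    """Build the string the filter compares against: decimal AS numbers separated
    by spaces, without the {} / () path-type notation that operation commands show.
    AS_SET members are sorted ascending, as the switch does on receipt."""
    numbers = list(as_seq) + sorted(as_set) + list(as_confed_seq)
    return " ".join(str(n) for n in numbers)

# Assumption: approximation of the "_" row of Table 14-5 (start/end of string or a
# separator character).
_UNDERSCORE = r"(?:^|$|[ _,(){}<>])"

def to_python_regex(switch_regex):
    """Translate the switch's dialect into Python's: only "_" needs rewriting.
    A backslash-escaped "_" stays a literal underscore, as Table 14-5 describes."""
    return re.sub(r"(?<!\\)_", _UNDERSCORE, switch_regex)

def as_path_matches(switch_regex, path_string):
    """True if the as-path access-list pattern matches anywhere in the AS_PATH string."""
    return re.search(to_python_regex(switch_regex), path_string) is not None

# Constructed AS_PATH from section (3)(a): AS_SEQ 100 200 300, AS_SET {1000 2000 3000},
# AS_CONFED_SEQUENCE (65001 65002); the AS_SET is given unsorted to show the sorting.
EXAMPLE_PATH = as_path_string(as_seq=(100, 200, 300), as_set=(3000, 1000, 2000),
                              as_confed_seq=(65001, 65002))

def page_examples_match():
    """The four AS-number strings listed in (3)(a) all match the example path,
    the "300 1000" one because path-type boundaries are absent from the string."""
    return all(as_path_matches(p, EXAMPLE_PATH)
               for p in ("100 200 300", "1000 2000 3000", "65001 65002", "300 1000"))
```

"_100_" matches because 100 is delimited by the start of the string and a space, whereas "_2_" does not match 200 or 2000, which is the point of the underscore over a plain substring.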