Configuration Guide Vol. 3


30.1.2 Filtering method

A filter is a list of conditions to be fulfilled. You apply a learned route or advertised route filter to routing traffic by specifying a filter ID in the route filtering configuration.

There are two main filter types you can use to filter routes in the Switches: prefix-list, which filters routing traffic based only on the destination network, and route-map, which allows filtering by most key route attributes and allows those attributes to be modified. Other filters include ipv6 access-list, which filters routes based on IPv6 addresses, and ip as-path access-list and ip community-list, which filter routes based on BGP routing attributes. The ipv6 access-list, ip as-path access-list, and ip community-list filters are called from within route-map.

To configure a filter, a filter ID, filter conditions, and the action to take when the conditions are met need to be specified. The actions are permit or deny.

You can assign multiple filters to a single filter ID. When filtering a piece of routing information, the switch evaluates the filters that match the specified ID in the order in which they appear in the configuration, and then adopts the action of the first filter whose conditions match the route. Filters that lack a sequence number are evaluated in the order in which they are configured.

If none of the filter conditions associated with the specified ID match, the process ends with a deny action. This is called an implicit deny. Filters that specify conditions always end with an implicit deny statement.

Filters that do not specify any conditions end with a permit action.

<Structure of this section>

(1) Filtering by Destination Network

(a) ipv6 prefix-list

The ipv6 prefix-list filter specifies a list of prefixes as its conditions. When ipv6 prefix-list is used as a route filter, the destination network of the route is compared with the prefixes in the filter.

In addition to prefixes, you can specify minimum and maximum mask lengths in the filter conditions. A route matches the conditions if its destination network is within the address range specified in the filter, and the mask length of the address is within the specified mask length range. If you do not specify a mask length range, a route matches the filter conditions only when the mask length of the prefix matches exactly. The following table describes examples of ipv6 prefix-list comparisons:

Table 30-1 Comparison of ipv6 prefix-list and Prefix

Conditions for ipv6 prefix-list:
  (A) 3ffe:5555::/32             Matches when mask length is 32
  (B) 3ffe:5555::/32 ge 32 le 48 Matches mask length of 32 to 48
  (C) 3ffe:5555::/32 ge 16 le 48 Matches when mask length is between 16 and 48

| Compared prefix          | (A) | (B) | (C) |
|--------------------------|-----|-----|-----|
| ::/0                     | NG  | NG  | NG  |
| 3ffe::/16                | NG  | NG  | OK  |
| 3fff::/16                | NG  | NG  | NG  |
| 3ffe:5555::/32           | OK  | OK  | OK  |
| 3ffe:5556::/32           | NG  | NG  | NG  |
| 3ffe:5555:feed::/48      | NG  | OK  | OK  |
| 3ffe:5555:feed:beef::/64 | NG  | NG  | NG  |

Legend: OK: Matches, NG: Does not match
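The comparison rules above, as an added Python model (not the switch's own code): it reproduces every row of Table 30-1 and adds first-match evaluation with the implicit deny described in the introduction. It assumes that a ge value smaller than the entry's prefix length compares only the first min(entry prefix length, route mask length) bits, which is what the 3ffe::/16 row implies.

```python
import ipaddress

def _parse_entry(entry):
    """Split "3ffe:5555::/32 ge 16 le 48" into (network, ge, le); ge/le optional."""
    parts = entry.split()
    net = ipaddress.IPv6Network(parts[0], strict=False)
    ge = le = None
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    return net, ge, le

def prefix_list_matches(entry, route):
    """True if the route prefix satisfies one ipv6 prefix-list entry.

    Semantics taken from Table 30-1 (an interpretation, not the switch's code):
    - without ge/le the route mask length must equal the entry prefix length;
    - with ge/le the route mask length must lie within ge..le (ge defaults to
      the entry prefix length, le to 128);
    - the route must agree with the entry on the first
      min(entry prefix length, route mask length) bits, so "ge 16" on a /32
      entry lets the 3ffe::/16 row match while 3fff::/16 does not.
    """
    net, ge, le = _parse_entry(entry)
    r = ipaddress.IPv6Network(route, strict=False)
    plen, rlen = net.prefixlen, r.prefixlen
    if ge is None and le is None:
        if rlen != plen:
            return False
    else:
        lo = ge if ge is not None else plen
        hi = le if le is not None else 128
        if not lo <= rlen <= hi:
            return False
    bits = min(plen, rlen)
    mask = ((1 << bits) - 1) << (128 - bits)
    return (int(net.network_address) & mask) == (int(r.network_address) & mask)

def prefix_list_action(entries, route):
    """Evaluate an ordered prefix-list [(action, entry), ...] against a route:
    the first matching entry decides; no match is the implicit deny."""
    for action, entry in entries:
        if prefix_list_matches(entry, route):
            return action
    return "deny"

# Constructed sample list: reject the /48 explicitly, accept the other
# 3ffe:5555::/32 prefixes whose mask length is 32 to 48.
SAMPLE_LIST = [("deny", "3ffe:5555:feed::/48"),
               ("permit", "3ffe:5555::/32 ge 32 le 48")]
```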

An ipv6 prefix-list filter can also be referenced as route destination conditions from the match ipv6 address command in route-map. The same method of comparison applies as if it were used as a standalone route filter.

A match ipv6 route-source command in route-map can invoke an ipv6 prefix-list filter as conditions for the learning source router. In this case, the prefix compared against the filter conditions is the learning source router's IPv6 address with a 128-bit mask applied, handled in the same way as a route destination prefix.

(2) route-map

A route-map filter is used to specify a number of different conditions. This kind of filter can also change route attributes when certain conditions are met.

Statements in route-map each have a sequence number. For each sequence number, you can specify one line of filter conditions for each condition type (route attribute). Multiple filter conditions can be specified in that line. The conditions within a given line are related by an OR condition. Conditions that share the same sequence number but appear on different lines are subject to an AND condition.

The statement represented by a sequence number is considered satisfied when the route matches every one of its filter conditions. When the conditions are satisfied, the action associated with the sequence number is taken, and route-map terminates the filter.

If, for even one condition type, none of the specified conditions match, the statement represented by the sequence number is considered not to be satisfied. In this case, the next sequence number in the route-map is evaluated.

The tables below list the types of filter conditions you can specify in a route-map filter and the attributes the filter can change.

Notes

When the switch applies a series of route-map filters to a route in succession, changes to route attributes will affect route filtering by subsequent route-map filters.

Suppose you use the RIPng redistribute command to apply a route-map filter that changes a tag value, and then use the RIPng distribute-list out command to apply a route-map filter that uses that tag value as a condition. First, the tag is modified by the redistribute command, and then the comparison is made using the modified tag value when the route-map filter of the distribute-list out command is applied.

Table 30-2 Route-map Filtering Criteria

| Route attribute used as conditions | Description | Configuration commands |
|---|---|---|
| Destination network | With the ID of a prefix-list or access-list filter specified as filter conditions, uses the specified filter to filter the destination network of a route. A match is assumed if the filter action is permit. If the action is deny, the attribute is assumed not to match. | match ipv6 address; ipv6 prefix-list; ipv6 access-list |
| Protocol type | Uses the specified routing protocol name as match conditions for the learning source protocol type of the route. | match protocol |
| Neighboring routers | With the ID of a prefix list or access list specified as filter conditions, uses the specified filter to filter the address of the learning source router. A match is assumed if the filter action is permit. If the action is deny, the attribute is assumed not to match. Only RIPng routes and BGP4+ routes include the address of the learning source router. Other route types cannot match these conditions. | match ipv6 route-source; ipv6 access-list; ipv6 prefix-list |
| Interface | Uses interfaces as conditions, and compares the interface with the interface of the next routing network hop. Routes with no next hop do not match the conditions. With BGP4+ learned route filtering, routes do not match any interface. | match interface |
| Tag value | Uses the specified tag value as match conditions for a tag value of the route. Routes with no tags are assumed to have a tag value of 0. | match tag |
| AS_PATH attribute | With the ID of ip as-path access-list specified as filter conditions, uses the specified ip as-path access-list to filter the AS_PATH attribute of the route. A match is assumed if the action is permit. If the action is deny, the attribute is assumed not to match. Routes with no AS_PATH attribute are assumed to have an AS_PATH length of 0. | match as-path; ip as-path access-list |
| COMMUNITIES attribute | With the ID of ip community-list specified as filter conditions, uses the specified ip community-list to filter the COMMUNITIES attribute of the route. A match is assumed if the action is permit. If the action is deny, the attribute is assumed not to match. Routes with no COMMUNITIES attribute are assumed to lack community affiliations. | match community; ip community-list |
| ORIGIN attribute | Uses the specified value (IGP, EGP, or INCOMPLETE) as match conditions for the ORIGIN attribute of the route. Routes with no ORIGIN attribute are assumed to have an IGP origin. | match origin |
| Route type | Specifies an OSPFv3 route type or local (indicating a route generated by the BGP network command) as filter conditions and compares with the route's protocol-dependent route type. | match route-type |
| VRF ID | Uses the specified VRF ID as a match condition for a VRF ID of the route. | match vrf |

Note: If an interface condition specifies an interface that is not used for IPv4 or IPv6, the interface condition matches any route.

Table 30-3 Route attributes that can be changed by route-map

| Changeable attribute | Description | Configuration commands |
|---|---|---|
| Distance | Changes the route priority (distance) in the routing table. Valid only for learned route filtering. | set distance |
| Metric / MED attribute | Changes the metric or MED attribute. Values can be added to or subtracted from as well as replaced. For route filtering in BGP4+, the route can inherit the metric of the route to the BGP NEXT_HOP attribute. | set metric; set metric-type internal (inherits the metric of the route to the NEXT_HOP attribute) |
| Tag value | Changes the tag value of the route. | set tag |
| LOCAL_PREF attribute | Changes the LOCAL_PREF attribute of the route. Values can be added to or subtracted from as well as replaced. Used with BGP4+ route filtering. | set local-preference |
| AS_PATH attribute | Changes the AS_PATH attribute of the route. You can only prepend the AS number of the sending peer. Used with route filtering for BGP4+ routes learned and advertised by external peers. | set as-path prepend count |
| COMMUNITIES attribute | Changes the COMMUNITIES attribute of the route. The filter can replace, add, and delete communities. Used with BGP4+ route filtering. | set community; set community-delete |
| ORIGIN attribute | Changes the ORIGIN attribute of the route. Used with BGP4+ route filtering. | set origin |
| OSPF metric type | Changes the metric type. Used with OSPFv3 advertised route filtering. | set metric-type |
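The route-map evaluation rules of this section (OR within a match line, AND across lines, first satisfied sequence number decides, implicit deny), together with the RIPng redistribute / distribute-list out chaining from the Notes, as an added Python model that is not the switch's implementation. The statement dictionaries, the SET_TAG and MATCH_TAG route-maps and the sample routes are constructed for the example.

```python
from copy import deepcopy

# Attribute defaults used when a route lacks the attribute (Table 30-2):
# a route with no tag is treated as tag 0.
DEFAULTS = {"tag": 0}

def evaluate_route_map(statements, route):
    """Evaluate an ordered route-map against one route (a dict of attributes).

    Each statement is {"seq", "action", "match": {type: [values]}, "set": {...}}.
    Values on one match line are ORed, match lines of one statement are ANDed,
    the first satisfied statement decides, and no match is the implicit deny.
    Returns (action, route); a permit returns a modified copy of the route.
    """
    for stmt in sorted(statements, key=lambda s: s["seq"]):
        satisfied = all(
            route.get(attr, DEFAULTS.get(attr)) in values   # OR within a line
            for attr, values in stmt.get("match", {}).items()
        )                                                   # AND across lines
        if not satisfied:
            continue                       # evaluate the next sequence number
        if stmt["action"] == "deny":
            return "deny", route
        new_route = deepcopy(route)
        new_route.update(stmt.get("set", {}))               # apply set actions
        return "permit", new_route
    return "deny", route                                    # implicit deny

# Constructed route-maps for the RIPng case from the Notes:
# 'redistribute ... route-map SET_TAG' followed by 'distribute-list out MATCH_TAG'.
SET_TAG = [
    {"seq": 10, "action": "permit",
     "match": {"protocol": ["static", "connected"]}, "set": {"tag": 100}},
]
MATCH_TAG = [
    {"seq": 10, "action": "deny", "match": {"tag": [0]}},     # untagged routes
    {"seq": 20, "action": "permit", "match": {"tag": [100]}},
]

def ripng_advertise(route):
    """Apply SET_TAG, then MATCH_TAG to the route that SET_TAG produced, so the
    second map compares the modified tag value, as the Notes describe."""
    action, modified = evaluate_route_map(SET_TAG, route)
    if action == "deny":
        return "deny", route
    return evaluate_route_map(MATCH_TAG, modified)
```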

(3) Other Filters

In addition to the filters above, you can use the filters below for route filtering. You use the filters below by referencing them as filter conditions in route-map.

(a) ipv6 access-list

The main purpose of the ipv6 access-list filter is to filter packets. However, the filter can also be used to filter routes.

If the match ipv6 address command in route-map is used to invoke an ipv6 access-list filter as route destination conditions, the route destination network address is compared against the destination address in the conditions. The other conditions, such as the sender address, the type of the upper layer protocol, and the port number, are ignored.

If the match ipv6 route-source command in route-map is used to invoke an ipv6 access-list filter as learning source router conditions, the IPv6 address of the learning source router is compared against the destination address in the conditions. The other conditions, such as the sender address, the type of the upper layer protocol, and the port number, are ignored.

(b) ip as-path access-list

This filter applies exclusively to the AS_PATH attribute. It compares the string representation of the AS_PATH attribute against conditions specified by a regular expression. You call this filter with the match as-path command in route-map. For information about regular expressions, see (e) Regular Expressions.

The AS_PATH attribute is a string of decimal AS numbers separated by spaces.

You cannot specify a path type as part of an AS_PATH filter condition. An AS number specified as a filter condition is matched against all path types included in the AS_PATH attribute. In the following example, a route with the following AS_PATH attribute is filtered:

AS_PATH attribute:
    AS_SEQ: 100 200 300, AS_SET: 1000 2000 3000, AS_CONFED_SEQUENCE: 65001 65002
Display format of the AS_PATH attribute for operation commands:
    100 200 300 {1000 2000 3000} (65001 65002)

With the above AS_PATH attribute, a filter condition containing any of the following AS number strings matches the route:

  • "100 200 300"

  • "1000 2000 3000"

  • "65001 65002"

  • "300 1000"

Note that the curly brackets ({}) and parentheses (()) are path type notation used in the display format of operation commands and are also special characters in regular expressions; they cannot be used to specify a path type in a filter condition.

Because the AS numbers in an AS_SET are sorted in ascending order when a BGP4+ route is received, the filter is applied to the sorted result.

(c) ip community-list standard

This filter applies exclusively to the COMMUNITIES attribute. You can specify multiple communities as filter conditions. The filter matches if the COMMUNITIES attribute of the route contains every community you specify. You call this filter with the match community command in route-map.

(d) ip community-list expanded

This filter applies exclusively to the COMMUNITIES attribute. It compares the string representation of the COMMUNITIES attribute against conditions specified by a regular expression. You call this filter with the match community command in route-map. For information about regular expressions, see (e) Regular Expressions.

The string representation of the COMMUNITIES attribute consists of community values converted to character strings and separated by spaces. The values appear in order from smallest to largest. The following table describes the notation used for community values:

Table 30-4 String representation of COMMUNITIES attributes

| Community value           | Character string             |
|---------------------------|------------------------------|
| 0xFFFFFF01 (hexadecimal)  | no-export                    |
| 0xFFFFFF02 (hexadecimal)  | no-advertise                 |
| 0xFFFFFF03 (hexadecimal)  | local-AS                     |
| All other cases           | <AS number>:<last 2 octets>  |

<AS number> and <last 2 octets> are both written in decimal notation.

(e) Regular expression

A regular expression is a means of describing a text pattern. You can use regular expressions to represent patterns like repeating strings. Regular expressions can be used to specify the filter conditions for the AS_PATH and COMMUNITIES attributes.

In regular expressions, you can use simple characters such as numerals, upper and lower case letters, symbols (excluding double-quotation marks), and special characters. Regular characters, and special characters in combination with \, match the same characters in the string. Each special character represents a pattern. The following table describes the special characters and the patterns they represent:

Table 30-5: Special characters and their patterns

| Special character | Pattern |
|---|---|
| . | Represents any single character including spaces. |
| * | Indicates that the preceding character or set of characters repeats zero or more times. |
| + | Indicates that the preceding character or set of characters repeats one or more times. |
| ? | Represents 0 or 1 occurrence of the preceding character or set of characters (press Ctrl + V, and then enter ? during command entry). |
| ^ | Indicates the first character in the string. |
| $ | Indicates the last character in the string. |
| _ | Represents the first or last character of a string, a space, an underscore (_), a comma (,), a left parenthesis (() and a simple character, a right parenthesis ()) and a simple character, a left curly bracket ({), a right curly bracket (}), a left angled bracket (<), or a right angled bracket (>). |
| [ ] | Represents any single character from the character range inside []. Except for ^ and - (see the note below), special characters act as simple characters within square brackets. |
| ( ) | Indicates a group of characters. You can specify a maximum of nine character groups in a nested structure. |
| \| | Represents an OR condition. |
| \ | Treats a special character preceded by a backslash as a simple character. |

Note on [ ]:

  • ^: When a caret is used as the first character in square brackets, the expression matches any character except those in the brackets.

  • -: Indicates the beginning and end of a character range. Make sure that the character before the hyphen has a lower character code than the character after it. For details about character codes, see "Configuration Command Reference Vol.1" and "Table 1-3 Character Codes".

Example: [6-8] matches any one of 6, 7, or 8. [^6-8] matches any single character other than 6, 7, or 8.

The following operators are listed in order of precedence, from highest to lowest:

  1. ( )

  2. * + ?

  3. Simple characters, ., [, ], ^, and $

  4. |

When you specify a regular expression in a configuration command or operation command, enclose it in double quotation marks (").

Example 1:
    > show ipv6 bgp aspath-regexp "^$"

Example 2:
    (config)# ip as-path access-list 10 permit "_100_"
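The string representations from (b) and (d) and the `_` special character from (e), as an added Python model that is not the switch's implementation. It assumes Python's re module for the other special characters and simplifies the Table 30-5 definition of `_` by not special-casing the character that follows a parenthesis; the AS_PATH and community values are constructed samples, the AS_PATH being the one from the example in (b).

```python
import re

# Well-known community values and their string form (Table 30-4).
WELL_KNOWN = {0xFFFFFF01: "no-export", 0xFFFFFF02: "no-advertise",
              0xFFFFFF03: "local-AS"}

def as_path_string(segments):
    """Build the string that ip as-path access-list compares: decimal AS numbers
    separated by spaces, with no path-type brackets. `segments` is a list of
    (type, numbers) in attribute order; AS_SET members are sorted ascending,
    as happens when a BGP4+ route is received."""
    numbers = []
    for seg_type, ases in segments:
        numbers.extend(sorted(ases) if seg_type == "AS_SET" else ases)
    return " ".join(str(n) for n in numbers)

def communities_string(values):
    """String form of the COMMUNITIES attribute (Table 30-4): values in ascending
    order, well-known values by name, others as <AS number>:<last 2 octets>."""
    return " ".join(WELL_KNOWN.get(v, f"{v >> 16}:{v & 0xFFFF}")
                    for v in sorted(values))

def to_python_regex(expr):
    """Translate the switch's regular expression to Python's. Only '_' differs:
    it stands for start or end of string, a space, '_', ',', a bracket or an
    angle bracket (Table 30-5, simplified). A backslash-escaped underscore is
    left alone so it stays a literal, as the '\\' row describes."""
    return re.sub(r"(?<!\\)_", r"(?:^|$|[ _,(){}<>])", expr)

def as_path_matches(expr, segments):
    """ip as-path access-list style match of `expr` against the AS_PATH."""
    return re.search(to_python_regex(expr), as_path_string(segments)) is not None

def community_matches(expr, values):
    """ip community-list expanded style match of `expr` against COMMUNITIES."""
    return re.search(to_python_regex(expr), communities_string(values)) is not None

# Constructed sample: the AS_PATH from the example in (b), with the AS_SET given
# unsorted to show the sort that precedes filtering.
SAMPLE_PATH = [("AS_SEQ", [100, 200, 300]), ("AS_SET", [3000, 1000, 2000]),
               ("AS_CONFED_SEQUENCE", [65001, 65002])]
# Constructed sample: no-export plus the communities 65000:100 and 100:1.
SAMPLE_COMMUNITIES = [0xFFFFFF01, (65000 << 16) | 100, (100 << 16) | 1]
```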