mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-07-02 14:45:09 +00:00
1bb550b63c
When a route imported from l3vpn is analysed, the nexthop from default
VRF is looked up against a valid MPLS path. Generally, this is done on
backbones with a MPLS signalisation transport layer like LDP. Generally,
the BGP connection is multiple hops away. That scenario is already
working.
There is case where it is possible to run L3VPN over GRE interfaces, and
where there is no LSP path over that GRE interface: GRE is just here to
tunnel MPLS traffic. On that case, the nexthop given in the path does not
have MPLS path, but should be authorized to convey MPLS traffic provided
that the user permits it via a configuration command.
That commit introduces a new command that can be activated in route-map:
> set l3vpn next-hop encapsulation gre
That command authorizes the nexthop tracking engine to accept paths that
o have a GRE interface as output, independently of the presence of an LSP
path or not.
A configuration example is given below. When bgp incoming vpnv4 updates
are received, the nexthop of NLRI is 192.168.0.2. Based on nexthop
tracking service from zebra, BGP knows that the output interface to reach
192.168.0.2 is r1-gre0. Because that interface is not MPLS based, but is
a GRE tunnel, then the update will be using that nexthop to be installed.
interface r1-gre0
ip address 192.168.0.1/24
exit
router bgp 65500
bgp router-id 1.1.1.1
neighbor 192.168.0.2 remote-as 65500
!
address-family ipv4 unicast
no neighbor 192.168.0.2 activate
exit-address-family
!
address-family ipv4 vpn
neighbor 192.168.0.2 activate
neighbor 192.168.0.2 route-map rmap in
exit-address-family
exit
!
router bgp 65500 vrf vrf1
bgp router-id 1.1.1.1
no bgp network import-check
!
address-family ipv4 unicast
network 10.201.0.0/24
redistribute connected
label vpn export 101
rd vpn export 444:1
rt vpn both 52:100
export vpn
import vpn
exit-address-family
exit
!
route-map rmap permit 1
set l3vpn next-hop encapsulation gre
exit
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
410 lines
12 KiB
ReStructuredText
410 lines
12 KiB
ReStructuredText
.. _route-map:
|
|
|
|
**********
|
|
Route Maps
|
|
**********
|
|
|
|
Route maps provide a means to both filter and/or apply actions to route, hence
|
|
allowing policy to be applied to routes.
|
|
|
|
For a route reflector to apply a ``route-map`` to reflected routes, be sure to
|
|
include ``bgp route-reflector allow-outbound-policy`` in ``router bgp`` mode.
|
|
|
|
Route maps are an ordered list of route map entries. Each entry may specify up
|
|
to four distinct sets of clauses:
|
|
|
|
.. glossary::
|
|
|
|
Matching Conditions
|
|
A route-map entry may, optionally, specify one or more conditions which
|
|
must be matched if the entry is to be considered further, as governed by
|
|
the Match Policy. If a route-map entry does not explicitly specify any
|
|
matching conditions, then it always matches.
|
|
|
|
Set Actions
|
|
A route-map entry may, optionally, specify one or more Set Actions to set
|
|
or modify attributes of the route.
|
|
|
|
Matching Policy
|
|
This specifies the policy implied if the :term:`Matching Conditions` are
|
|
met or not met, and which actions of the route-map are to be taken, if
|
|
any. The two possibilities are:
|
|
|
|
- :dfn:`permit`: If the entry matches, then carry out the
|
|
:term:`Set Actions`. Then finish processing the route-map, permitting
|
|
the route, unless an :term:`Exit Policy` action indicates otherwise.
|
|
|
|
- :dfn:`deny`: If the entry matches, then finish processing the route-map and
|
|
deny the route (return `deny`).
|
|
|
|
The `Matching Policy` is specified as part of the command which defines
|
|
the ordered entry in the route-map. See below.
|
|
|
|
Call Action
|
|
Call to another route-map, after any :term:`Set Actions` have been
|
|
carried out. If the route-map called returns `deny` then processing of
|
|
the route-map finishes and the route is denied, regardless of the
|
|
:term:`Matching Policy` or the :term:`Exit Policy`. If the called
|
|
route-map returns `permit`, then :term:`Matching Policy` and :term:`Exit
|
|
Policy` govern further behaviour, as normal.
|
|
|
|
Exit Policy
|
|
An entry may, optionally, specify an alternative :dfn:`Exit Policy` to
|
|
take if the entry matched, rather than the normal policy of exiting the
|
|
route-map and permitting the route. The two possibilities are:
|
|
|
|
- :dfn:`next`: Continue on with processing of the route-map entries.
|
|
|
|
- :dfn:`goto N`: Jump ahead to the first route-map entry whose order in
|
|
the route-map is >= N. Jumping to a previous entry is not permitted.
|
|
|
|
The default action of a route-map, if no entries match, is to deny. I.e. a
|
|
route-map essentially has as its last entry an empty *deny* entry, which
|
|
matches all routes. To change this behaviour, one must specify an empty
|
|
*permit* entry as the last entry in the route-map.
|
|
|
|
To summarise the above:
|
|
|
|
+--------+--------+----------+
|
|
| | Match | No Match |
|
|
+========+========+==========+
|
|
| Permit | action | cont |
|
|
+--------+--------+----------+
|
|
| Deny | deny | cont |
|
|
+--------+--------+----------+
|
|
|
|
action
|
|
- Apply *set* statements
|
|
- If *call* is present, call given route-map. If that returns a ``deny``,
|
|
finish processing and return ``deny``.
|
|
- If *Exit Policy* is *next*, goto next route-map entry
|
|
- If *Exit Policy* is *goto*, goto first entry whose order in the
|
|
list is >= the given order.
|
|
- Finish processing the route-map and permit the route.
|
|
|
|
deny
|
|
The route is denied by the route-map (return ``deny``).
|
|
|
|
cont
|
|
goto next route-map entry
|
|
|
|
.. _route-map-show-command:
|
|
|
|
.. clicmd:: show route-map [WORD] [json]
|
|
|
|
Display data about each daemons knowledge of individual route-maps.
|
|
If WORD is supplied narrow choice to that particular route-map.
|
|
|
|
If the ``json`` option is specified, output is displayed in JSON format.
|
|
|
|
.. _route-map-clear-counter-command:
|
|
|
|
.. clicmd:: clear route-map counter [WORD]
|
|
|
|
Clear counters that are being stored about the route-map utilization
|
|
so that subsuquent show commands will indicate since the last clear.
|
|
If WORD is specified clear just that particular route-map's counters.
|
|
|
|
.. _route-map-command:
|
|
|
|
Route Map Command
|
|
=================
|
|
|
|
.. clicmd:: route-map ROUTE-MAP-NAME (permit|deny) ORDER
|
|
|
|
Configure the `order`'th entry in `route-map-name` with ``Match Policy`` of
|
|
either *permit* or *deny*.
|
|
|
|
.. _route-map-match-command:
|
|
|
|
Route Map Match Command
|
|
=======================
|
|
|
|
.. clicmd:: match ip address ACCESS_LIST
|
|
|
|
Matches the specified `access_list`
|
|
|
|
.. clicmd:: match ip address prefix-list PREFIX_LIST
|
|
|
|
Matches the specified `PREFIX_LIST`
|
|
|
|
.. clicmd:: match ip address prefix-len 0-32
|
|
|
|
Matches the specified `prefix-len`. This is a Zebra specific command.
|
|
|
|
.. clicmd:: match ipv6 address ACCESS_LIST
|
|
|
|
Matches the specified `access_list`
|
|
|
|
.. clicmd:: match ipv6 address prefix-list PREFIX_LIST
|
|
|
|
Matches the specified `PREFIX_LIST`
|
|
|
|
.. clicmd:: match ipv6 address prefix-len 0-128
|
|
|
|
Matches the specified `prefix-len`. This is a Zebra specific command.
|
|
|
|
.. clicmd:: match ip next-hop ACCESS_LIST
|
|
|
|
Match the next-hop according to the given access-list.
|
|
|
|
.. clicmd:: match ip next-hop address IPV4_ADDR
|
|
|
|
This is a BGP specific match command. Matches the specified `ipv4_addr`.
|
|
|
|
.. clicmd:: match ip next-hop prefix-list PREFIX_LIST
|
|
|
|
Match the next-hop according to the given prefix-list.
|
|
|
|
.. clicmd:: match ipv6 next-hop ACCESS_LIST
|
|
|
|
Match the next-hop according to the given access-list.
|
|
|
|
.. clicmd:: match ipv6 next-hop address IPV6_ADDR
|
|
|
|
This is a BGP specific match command. Matches the specified `ipv6_addr`.
|
|
|
|
.. clicmd:: match ipv6 next-hop prefix-list PREFIX_LIST
|
|
|
|
Match the next-hop according to the given prefix-list.
|
|
|
|
.. clicmd:: match as-path AS_PATH
|
|
|
|
Matches the specified `as_path`.
|
|
|
|
.. clicmd:: match metric METRIC
|
|
|
|
Matches the specified `metric`.
|
|
|
|
.. clicmd:: match tag TAG
|
|
|
|
Matches the specified tag value associated with the route. This tag value
|
|
can be in the range of (1-4294967295).
|
|
|
|
.. clicmd:: match local-preference METRIC
|
|
|
|
Matches the specified `local-preference`.
|
|
|
|
.. clicmd:: match community COMMUNITY_LIST
|
|
|
|
Matches the specified `community_list`
|
|
|
|
.. clicmd:: match peer IPV4_ADDR
|
|
|
|
This is a BGP specific match command. Matches the peer ip address
|
|
if the neighbor was specified in this manner.
|
|
|
|
.. clicmd:: match peer IPV6_ADDR
|
|
|
|
This is a BGP specific match command. Matches the peer ipv6
|
|
address if the neighbor was specified in this manner.
|
|
|
|
.. clicmd:: match peer INTERFACE_NAME
|
|
|
|
This is a BGP specific match command. Matches the peer
|
|
interface name specified if the neighbor was specified
|
|
in this manner.
|
|
|
|
.. clicmd:: match peer PEER_GROUP_NAME
|
|
|
|
This is a BGP specific match command. Matches the peer
|
|
group name specified for the peer in question.
|
|
|
|
.. clicmd:: match source-protocol PROTOCOL_NAME
|
|
|
|
This is a ZEBRA specific match command. Matches the
|
|
originating protocol specified.
|
|
|
|
.. clicmd:: match source-instance NUMBER
|
|
|
|
This is a ZEBRA specific match command. The number is a range from (0-255).
|
|
Matches the originating protocols instance specified.
|
|
|
|
.. clicmd:: match evpn route-type ROUTE_TYPE_NAME
|
|
|
|
This is a BGP EVPN specific match command. It matches to EVPN route-type
|
|
from type-1 (EAD route-type) to type-5 (Prefix route-type).
|
|
User can provide in an integral form (1-5) or string form of route-type
|
|
(i.e ead, macip, multicast, es, prefix).
|
|
|
|
.. clicmd:: match evpn vni NUMBER
|
|
|
|
This is a BGP EVPN specific match command which matches to EVPN VNI id.
|
|
The number is a range from (1-6777215).
|
|
|
|
.. _route-map-set-command:
|
|
|
|
Route Map Set Command
|
|
=====================
|
|
|
|
.. program:: configure
|
|
|
|
.. clicmd:: set tag TAG
|
|
|
|
Set a tag on the matched route. This tag value can be from (1-4294967295).
|
|
Additionally if you have compiled with the :option:`--enable-realms`
|
|
configure option. Tag values from (1-255) are sent to the Linux kernel as a
|
|
realm value. Then route policy can be applied. See the tc man page. As
|
|
a note realms cannot currently be used with the installation of nexthops
|
|
as nexthop groups in the linux kernel.
|
|
|
|
.. clicmd:: set ip next-hop IPV4_ADDRESS
|
|
|
|
Set the BGP nexthop address to the specified IPV4_ADDRESS. For both
|
|
incoming and outgoing route-maps.
|
|
|
|
.. clicmd:: set ip next-hop peer-address
|
|
|
|
Set the BGP nexthop address to the address of the peer. For an incoming
|
|
route-map this means the ip address of our peer is used. For an outgoing
|
|
route-map this means the ip address of our self is used to establish the
|
|
peering with our neighbor.
|
|
|
|
.. clicmd:: set ip next-hop unchanged
|
|
|
|
Set the route-map as unchanged. Pass the route-map through without
|
|
changing it's value.
|
|
|
|
.. clicmd:: set ipv6 next-hop peer-address
|
|
|
|
Set the BGP nexthop address to the address of the peer. For an incoming
|
|
route-map this means the ipv6 address of our peer is used. For an outgoing
|
|
route-map this means the ip address of our self is used to establish the
|
|
peering with our neighbor.
|
|
|
|
.. clicmd:: set ipv6 next-hop prefer-global
|
|
|
|
For Incoming and Import Route-maps if we receive a v6 global and v6 LL
|
|
address for the route, then prefer to use the global address as the nexthop.
|
|
|
|
.. clicmd:: set ipv6 next-hop global IPV6_ADDRESS
|
|
|
|
Set the next-hop to the specified IPV6_ADDRESS for both incoming and
|
|
outgoing route-maps.
|
|
|
|
.. clicmd:: set local-preference LOCAL_PREF
|
|
|
|
Set the BGP local preference to `local_pref`.
|
|
|
|
.. clicmd:: set local-preference +LOCAL_PREF
|
|
|
|
Add the BGP local preference to an existing `local_pref`.
|
|
|
|
.. clicmd:: set local-preference -LOCAL_PREF
|
|
|
|
Subtract the BGP local preference from an existing `local_pref`.
|
|
|
|
.. clicmd:: set distance DISTANCE
|
|
|
|
Set the Administrative distance to DISTANCE to use for the route.
|
|
This is only locally significant and will not be dispersed to peers.
|
|
|
|
.. clicmd:: set weight WEIGHT
|
|
|
|
Set the route's weight.
|
|
|
|
.. clicmd:: set metric <[+|-](1-4294967295)|rtt|+rtt|-rtt>
|
|
|
|
Set the BGP attribute MED to a specific value. Use `+`/`-` to add or subtract
|
|
the specified value to/from the MED. Use `rtt` to set the MED to the round
|
|
trip time or `+rtt`/`-rtt` to add/subtract the round trip time to/from the
|
|
MED.
|
|
|
|
.. clicmd:: set as-path prepend AS_PATH
|
|
|
|
Set the BGP AS path to prepend.
|
|
|
|
.. clicmd:: set as-path exclude AS-NUMBER...
|
|
|
|
Drop AS-NUMBER from the BGP AS path.
|
|
|
|
.. clicmd:: set community COMMUNITY
|
|
|
|
Set the BGP community attribute.
|
|
|
|
.. clicmd:: set ipv6 next-hop local IPV6_ADDRESS
|
|
|
|
Set the BGP-4+ link local IPv6 nexthop address.
|
|
|
|
.. clicmd:: set origin ORIGIN <egp|igp|incomplete>
|
|
|
|
Set BGP route origin.
|
|
|
|
.. clicmd:: set table (1-4294967295)
|
|
|
|
Set the BGP table to a given table identifier
|
|
|
|
.. clicmd:: set sr-te color (1-4294967295)
|
|
|
|
Set the color of a SR-TE Policy to be applied to a learned route. The SR-TE
|
|
Policy is uniquely determined by the color and the BGP nexthop.
|
|
|
|
.. clicmd:: set l3vpn next-hop encapsulation gre
|
|
|
|
Accept L3VPN traffic over GRE encapsulation.
|
|
|
|
.. _route-map-call-command:
|
|
|
|
Route Map Call Command
|
|
======================
|
|
|
|
.. clicmd:: call NAME
|
|
|
|
Call route-map `name`. If it returns deny, deny the route and
|
|
finish processing the route-map.
|
|
|
|
|
|
.. _route-map-exit-action-command:
|
|
|
|
Route Map Exit Action Command
|
|
=============================
|
|
|
|
.. clicmd:: on-match next
|
|
|
|
.. clicmd:: continue
|
|
|
|
Proceed on to the next entry in the route-map.
|
|
|
|
.. clicmd:: on-match goto N
|
|
|
|
.. clicmd:: continue N
|
|
|
|
Proceed processing the route-map at the first entry whose order is >= N
|
|
|
|
|
|
.. _route-map-optimization-command:
|
|
|
|
Route Map Optimization Command
|
|
==============================
|
|
|
|
.. clicmd:: route-map ROUTE-MAP-NAME optimization
|
|
|
|
Enable route-map processing optimization for `route-map-name`.
|
|
The optimization is enabled by default.
|
|
Instead of sequentially passing through all the route-map indexes
|
|
until a match is found, the search for the best-match index will be
|
|
based on a look-up in a prefix-tree. A per-route-map prefix-tree
|
|
will be constructed for this purpose. The prefix-tree will compose
|
|
of all the prefixes in all the prefix-lists that are included in the
|
|
match rule of all the sequences of a route-map.
|
|
|
|
|
|
Route Map Examples
|
|
==================
|
|
|
|
A simple example of a route-map:
|
|
|
|
.. code-block:: frr
|
|
|
|
route-map test permit 10
|
|
match ip address 10
|
|
set local-preference 200
|
|
|
|
|
|
This means that if a route matches ip access-list number 10 it's
|
|
local-preference value is set to 200.
|
|
|
|
See :ref:`bgp-configuration-examples` for examples of more sophisticated
|
|
usage of route-maps, including of the ``call`` action.
|
|
|