You can configure routing policy for RIP, OSPFv2 and BGP in these ways:

| Routing Policy Configuration | Description | Configured Using |
|---|---|---|
| Inbound Route Filters | Restrict or constrain the set of routes accepted by a given routing protocol. Inbound Route Filters are similar to route maps for an import policy. | Gaia Portal |
| Route Redistribution | Allow routes learned from one routing protocol to be propagated to another routing protocol. Also useful for advertising static routes, such as the default route, or aggregates into a protocol. Route Redistribution is similar to route maps for an export policy. | Gaia Portal |
| Routemaps | Control which routes are accepted and announced. Used to configure inbound route filters, outbound route filters, and to redistribute routes from one protocol to another. Route maps offer more configuration options than the Portal features, but the two are not functionally equivalent. If one or more route maps are assigned to a protocol (for import or export), any corresponding Portal configuration for that protocol is ignored. | Gaia Clish |
Inbound route filters let you define which routes external to a routing protocol are accepted by that protocol.

By default, RIP and OSPF accept all routes external to them. BGP requires an explicit policy to accept routes.

You can configure RIP, OSPF, and BGP inbound filters to accept or restrict routes for specific network addresses. These filters are configured in the same way as the filters for route redistribution.

You can use the Match Type criteria to specify the precision with which network addresses are matched. The corresponding keyword of the routemap network match in the CLI is given in parentheses:

- Normal (all): any route with the filter's prefix and a mask length equal to or greater than the filter's mask length is matched. For example, if the network address 10.0.0.0/8 is specified in the filter, then any route with the prefix 10 and a mask length of 8 or more is matched.
- Exact (exact): only a route with exactly the filter's prefix and mask length is matched.
- Refines (refines): any route with the filter's prefix and a mask length greater than the filter's mask length is matched, but a route with a mask length of exactly the filter's length is not. For example, if the network address 10.0.0.0/8 is specified in the filter, then 10.1.0.0/16 is matched but 10.0.0.0/8 itself is not.
- Range (between): any route with the filter's prefix and a mask length inside the given range is matched. For example, if the network address 10.0.0.0/8 and the mask range 8 to 16 are specified in the filter, then any route with the prefix 10 and a mask length between 8 and 16 (inclusive) is matched.

You can define Inbound Route Filters through the Portal only. The same functionality can be configured in the CLI through the routemap command.
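The four match types above, as an added example in Python (not Check Point code and not the Gaia implementation): it applies each match type to a constructed list of candidate prefixes against the 10.0.0.0/8 filter used in the text, so the difference between Normal/all, Exact, Refines and Range/between is visible on concrete routes. The function names, the sample prefixes and the treatment of a reversed range ("16 to 8" is normalised to 8..16) are this example's own assumptions.

```python
"""Match-type semantics of Gaia inbound route filters / routemap network match.

Added illustration, not Check Point code. 'all' (Portal: Normal) matches the
filter prefix with an equal or longer mask, 'exact' only the same prefix and
length, 'refines' only a strictly longer mask, and 'between' a mask length
inside an inclusive range. A route whose address bits do not agree with the
filter prefix never matches, whatever the match type.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


def network_matches(filter_net: str, match_type: str, route: str,
                    mask_range: Optional[Tuple[int, int]] = None) -> bool:
    """True if `route` is selected by the filter `filter_net` under `match_type`."""
    base = ipaddress.ip_network(filter_net, strict=False)
    cand = ipaddress.ip_network(route, strict=False)
    # Address family must agree and the route must lie inside the filter prefix
    # (subnet_of is also True for the identical prefix, so /8 is inside /8).
    if cand.version != base.version or not cand.subnet_of(base):
        return False
    plen = cand.prefixlen
    if match_type == "all":            # Portal: Normal
        return plen >= base.prefixlen  # always true once subnet_of() holds
    if match_type == "exact":
        return plen == base.prefixlen
    if match_type == "refines":
        return plen > base.prefixlen
    if match_type == "between":        # Portal: Range
        if mask_range is None:
            raise ValueError("between requires (masklength1, masklength2)")
        lo, hi = sorted(mask_range)    # the page writes the range as "16 to 8"
        return lo <= plen <= hi
    raise ValueError(f"unknown match type {match_type!r}")


# Constructed sample routes (assumption: not taken from any real routing table).
SAMPLE_ROUTES: List[str] = [
    "10.0.0.0/8",      # the filter prefix itself
    "10.1.0.0/16",     # more specific, inside the 8..16 range
    "10.1.2.0/24",     # more specific, outside the 8..16 range
    "10.0.0.0/7",      # less specific than the filter: never matches
    "11.0.0.0/8",      # different prefix: never matches
    "192.0.2.0/24",    # unrelated prefix: never matches
]


def classify(filter_net: str, routes: List[str],
             mask_range: Tuple[int, int] = (8, 16)) -> Dict[str, List[str]]:
    """Which of `routes` each match type would select for `filter_net`."""
    return {mt: [r for r in routes if network_matches(filter_net, mt, r, mask_range)]
            for mt in ("all", "exact", "refines", "between")}


if __name__ == "__main__":
    for match_type, selected in classify("10.0.0.0/8", SAMPLE_ROUTES).items():
        print(f"{match_type:8s} -> {selected}")
```

Running the block prints one line per match type; only the Normal/all filter lets the /8 itself through together with its more-specifics, which is why a filter meant to accept a single aggregate should use Exact rather than the default.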
To configure a policy for OSPF routes:
The Add Route window opens.
To configure a policy for RIP routes:
The Add Route window opens.
To configure a policy for BGP routes:
The Add Route window opens.
Note - For BGP, no routes are accepted from a peer by default. You must configure an explicit Inbound BGP Route Filter to accept a route from a peer.

| Parameter | Description |
|---|---|
| BGP Type: AS-Path | An autonomous system can control BGP importation. BGP supports propagation control through the use of AS-PATH regular expressions. BGP version 4 supports the propagation of any destination along a contiguous network mask. |
| BGP Type: AS | An autonomous system can control BGP importation. BGP can accept routes from different BGP peers based on the peer AS number. |
| Import ID | The order in which the import lists are applied to each route. |
| AS Number | Autonomous system number of the peer AS. |
| AS-PATH Regular Expression | The regular expression to match against the AS-PATH of the route. AS-PATH operators are one of the following: |
| Origin | The completeness of AS-PATH information. |
| Weight | BGP keeps the routes that a route filter rejects (routes the filter does not mention) instead of discarding them. They are listed in the routing table with the restrict keyword and a negative weight. A negative weight prevents a route from becoming active, so it is neither installed in the forwarding table nor exported to other protocols. Keeping the rejected routes eliminates the need to tear down and re-establish the session when the import policy is changed. |
| Local Pref. | The BGP local preference to assign to the imported route. Check Point recommends that you configure this value to bias route preference. Note: Do not use the local preference parameter when importing BGP. The local preference value is sent automatically when external BGP routes are redistributed to internal BGP. The local preference parameter is ignored if used on internal BGP import statements. |
| All Routes: Action | Whether the routing protocol should accept or restrict the All Routes route (equivalent to 0.0.0.0/0) from the given AS-Path or AS. |
| All Routes: Rank | If All Routes: Action is set to Accept, you can specify a Rank for all routes. |
To fine tune your OSPF, RIP or BGP policy, configure the parameters in the Add Route window.

Add Route Window

| Parameter | Description |
|---|---|
| Protocol | The protocol for which you want to create the inbound route filter. |
| Address, Subnet mask | The baseline route that defines the filter. Other routes are compared against this route within the scope of this single route filter. |
| Matchtype | How other routes are compared against the From Address and Subnet mask. The match types are described under Inbound Route Filters above. |
| Action | What to do with the routes that match the filter defined by the From Address, Subnet mask and Matchtype. |
| Weight | BGP keeps the routes that a route filter rejects (routes the filter does not mention) instead of discarding them. They are listed in the routing table with the restrict keyword and a negative weight. A negative weight prevents a route from becoming active, so it is neither installed in the forwarding table nor exported to other protocols. Keeping the rejected routes eliminates the need to tear down and re-establish the session when the import policy is changed. |
| Local Pref | The BGP local preference to assign to the imported route. Check Point recommends that you configure this value to bias route preference. Note: Do not use the local preference parameter when importing BGP. The local preference value is sent automatically when external BGP routes are redistributed to internal BGP. The local preference parameter is ignored if used on internal BGP import statements. |
Route redistribution allows routes learned from one routing protocol to be propagated to another routing protocol. This is necessary when routes from one protocol (RIP, OSPF, or BGP) need to be advertised into another. Route redistribution is also useful for advertising static routes, such as the default route, or aggregates into a protocol.

You can define Route Redistribution only in the Portal; it is not available in Clish. To configure route redistribution from the CLI, use routemaps.
To Configure Route Redistribution

Redistributed Interfaces

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| From Interface | The interface whose routes are redistributed. |
| Metric | The cost of the created routes in the destination protocol. |

Redistributed Static Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| From Static Route | The static route to redistribute into the protocol. |
| Metric | The cost of the created routes in the destination protocol. Note - This is mandatory when redistributing to RIP. |

Redistributed Aggregate Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol into which the active aggregate routes are redistributed. |
| From Aggregate Route | The aggregate route to redistribute into the protocol. |
| Metric | The cost of the created routes in the destination protocol. Note - This is mandatory when redistributing to RIP. |
Redistributed RIP Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| All RIP Routes | Choose which RIP routes to redistribute into the To Protocol. |
| From Address | The network of the destination to redistribute. |
| Subnet mask | The subnet mask of the destination to redistribute. |
| Matchtype | How other routes are compared against the From Address and Subnet mask. The match types are described under Inbound Route Filters above. |
| Action | What to do with the routes that match the filter defined by the From Address, Subnet mask and Matchtype. |
| Metric | The cost of the created routes in the destination protocol. |
Redistributed OSPF2 Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| All OSPF2 Routes | Choose which OSPFv2 routes to redistribute into the To Protocol. |
| From Address | The network of the destination to redistribute. |
| Subnet mask | The subnet mask of the destination to redistribute. |
| Matchtype | How other routes are compared against the From Address and Subnet mask. The match types are described under Inbound Route Filters above. |
| Action | What to do with the routes that match the filter defined by the From Address, Subnet mask and Matchtype. |
| Metric | The cost of the created routes in the destination protocol. Note - This is mandatory when redistributing to RIP. |
Redistributed OSPF2 External Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| All OSPF2 Ex Routes | Choose which OSPFv2 External routes to redistribute into the To Protocol. |
| From Address | The network of the destination to redistribute. |
| Subnet mask | The subnet mask of the destination to redistribute. |
| Matchtype | How other routes are compared against the From Address and Subnet mask. The match types are described under Inbound Route Filters above. |
| Action | What to do with the routes that match the filter defined by the From Address, Subnet mask and Matchtype. |
| Metric | The cost of the created routes in the destination protocol. Note - This is mandatory when redistributing to RIP. |
Redistributed BGP AS Path Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| AS Path RegEx | The regular expression to match against the AS-PATH of the route. AS-PATH operators are one of the following: |
| Origin | The completeness of AS-PATH information. |
| All Routes | Choose which BGP AS Path routes to redistribute into the To Protocol. |
| From Address | The network of the destination to redistribute. |
| Subnet mask | The subnet mask of the destination to redistribute. |
| Matchtype | How other routes are compared against the From Address and Subnet mask. The match types are described under Inbound Route Filters above. Default: Normal. |
| Action | What to do with the routes that match the filter defined by the From Address, Subnet mask and Matchtype. |
| Metric | The cost of the created routes in the destination protocol. |
Redistributed BGP AS Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| From BGP AS | The BGP AS whose routes are redistributed into the protocol. |
| All Routes | Choose which BGP AS routes to redistribute into the To Protocol. |
| From Address | The network of the destination to redistribute. |
| Subnet mask | The subnet mask of the destination to redistribute. |
| Matchtype | How other routes are compared against the From Address and Subnet mask. The match types are described under Inbound Route Filters above. |
| Action | What to do with the routes that match the filter defined by the From Address, Subnet mask and Matchtype. |
| Metric | The cost of the created routes in the destination protocol. |
Redistribute BGP Default Routes

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| Redistribute All | Choose which BGP default routes to redistribute into the To Protocol. |
| Metric | The cost of the created routes in the destination protocol. |
BGP Redistribution Settings

| Parameter | Description |
|---|---|
| To Protocol | The destination protocol. |
| MED | The MED (Multi-Exit Discriminator) is the BGP-4 metric that defines the cost of using this route. MEDs are 32-bit unsigned quantities (0 to 4294967295 inclusive, with 0 being the most attractive). If the metric is specified as IGP, any existing metric on the route is sent as the MED; this allows, for example, OSPF costs to be exported as BGP MEDs. Note: If this capability is used, any change in the metric causes a new BGP update. |
| Local Preference | The BGP local preference to assign to the imported route. Check Point recommends that you configure this value to bias route preference. Note: Do not use the local preference parameter when importing BGP. The local preference value is sent automatically when external BGP routes are redistributed to internal BGP. The local preference parameter is ignored if used on internal BGP import statements. |
Route maps support both IPv4 and IPv6 protocols: RIP, RIPng, BGP, OSPFv2, and OSPFv3. Policy for BGP-4 Multiprotocol Extensions can be defined only with route maps. For the other protocols, you can use route maps or the Route Redistribution and Inbound Route Filters features that you configure in the Portal.

Each route map includes a list of match criteria and action statements. You can apply route maps to inbound, outbound, or redistributed routes. Routes are compared with the match criteria, and the actions are applied to the routes that satisfy all the criteria. You can set the match criteria in any order. If a route map defines no match criteria, it matches all routes.

You define route maps, then assign them to a protocol as its export or import policy. Route maps override the Portal-based configuration for that protocol.

To create a route map, use CLI commands to define the criteria that a route must match and the actions to run on the routes that match. A route map is identified by a name and an ID number, and consists of an Allow or Restrict clause and a collection of match and action statements.

There can be more than one instance of a route map (same name, different ID). The lowest numbered instance is checked first. Processing stops at the first instance whose criteria are all matched, or when all the instances of the route map are exhausted. If an instance matches, its actions are run.

A routing protocol can use more than one route map when you set a distinct preference value for each. The applicable route map with the lowest preference value is checked first.
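The processing rules above, as an added example in Python (not Check Point code and not the Gaia implementation): it models instance ordering by ID, first-match-wins, the allow/restrict/inactive clauses, catch-all instances without match criteria, preference ordering across several route maps, and the rule that a match condition which does not apply to the protocol is ignored and logged. The protocol-scope table, the route dictionaries, the action names, and the assumption that a route matched by no instance of any assigned route map is not accepted (which is why the page's rip-in example ends with a catch-all instance) are this model's own assumptions. The sample policy is the page's rip-in example expressed as instances.

```python
"""Route-map evaluation order (added illustration, not Check Point code).

Instances of one route map are tried in ascending ID order; the first instance
whose match conditions all hold decides the route (allow applies its actions,
restrict drops it, inactive instances are skipped). An instance with no match
conditions matches every route. A match condition that does not apply to the
protocol is ignored and logged. Route maps assigned to a protocol are tried in
ascending preference order. Assumption: a route no instance matches is dropped.
"""
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("routemap")

# Match conditions the text limits to particular protocols. Any condition not
# listed here is treated as valid for every protocol (assumption of this model).
MATCH_SCOPE = {"as": {"bgp"}, "aspath-regex": {"bgp"}, "community": {"bgp"},
               "neighbor": {"bgp", "rip"}}

Route = Dict[str, object]   # e.g. {"prefix": "10.1.0.0/16", "neighbor": "192.0.2.3", "metric": 5}


@dataclass
class Instance:
    id: int
    state: str = "allow"                                   # allow | restrict | inactive
    match: Dict[str, object] = field(default_factory=dict)
    action: Dict[str, object] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The text forbids using one parameter (e.g. metric) as both match and action.
        clash = set(self.match) & {a.split()[0] for a in self.action}
        if clash:
            raise ValueError(f"id {self.id}: {sorted(clash)} used as both match and action")

    def matches(self, route: Route, protocol: str) -> bool:
        for cond, want in self.match.items():
            scope = MATCH_SCOPE.get(cond)
            if scope is not None and protocol not in scope:
                log.warning("id %d: match %s does not apply to %s, ignored", self.id, cond, protocol)
                continue                                   # processed as if absent
            if route.get(cond) != want:
                return False
        return True                                        # no conditions: catch-all

    def apply(self, route: Route) -> Route:
        out = dict(route)
        for act, val in self.action.items():
            if act == "metric add":
                out["metric"] = int(out.get("metric", 0)) + int(val)
            elif act == "metric subtract":
                out["metric"] = int(out.get("metric", 0)) - int(val)
            elif act == "metric value":
                out["metric"] = val
            else:                                          # localpref, precedence, route-type, ...
                out[act] = val
        return out


@dataclass
class RouteMap:
    name: str
    instances: List[Instance]

    def evaluate(self, route: Route, protocol: str) -> Optional[Tuple[str, Optional[Route]]]:
        """First matching instance decides; None once all instances are exhausted."""
        for inst in sorted(self.instances, key=lambda i: i.id):
            if inst.state == "inactive" or not inst.matches(route, protocol):
                continue
            if inst.state == "restrict":
                return "restrict", None
            return "allow", inst.apply(route)
        return None


def run_policy(policy: List[Tuple[int, RouteMap]], route: Route,
               protocol: str) -> Tuple[str, Optional[Route]]:
    """policy: (preference, routemap) pairs; the lowest preference is tried first."""
    for _, rm in sorted(policy, key=lambda p: p[0]):
        verdict = rm.evaluate(route, protocol)
        if verdict is not None:
            return verdict
    return "restrict", None                                # assumption: unmatched routes are dropped


# The page's rip-in example: drop neighbor .3, accept .4 as is, add 2 to everything else.
RIP_IN = RouteMap("rip-in", [
    Instance(10, "restrict", match={"neighbor": "192.0.2.3"}),
    Instance(15, "allow", match={"neighbor": "192.0.2.4"}),
    Instance(20, "allow", action={"metric add": 2}),
])


def rip_import(route: Route) -> Tuple[str, Optional[Route]]:
    return run_policy([(1, RIP_IN)], route, "rip")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for nbr in ("192.0.2.3", "192.0.2.4", "192.0.2.5"):       # constructed sample routes
        print(nbr, rip_import({"prefix": "10.1.0.0/16", "neighbor": nbr, "metric": 5}))
    # A BGP-only condition in a route map used by OSPF is ignored, so the instance
    # becomes a catch-all for OSPF while still filtering when used by BGP.
    as_only = RouteMap("as-only", [Instance(10, match={"as": 65001})])
    print("ospf", run_policy([(1, as_only)], {"prefix": "10.2.0.0/16"}, "ospf"))
    print("bgp ", run_policy([(1, as_only)], {"prefix": "10.2.0.0/16"}, "bgp"))
```

The last two lines of the demonstration are the practical warning behind the logging rule: a match condition that is silently ignored turns a filtering instance into a catch-all for the other protocol, so check /var/log/messages after assigning a shared route map.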
To set a route map:

```
set routemap <rm_name> id <1-65535> {on | off | allow | inactive | restrict}
```

| Parameter | Description |
|---|---|
| rm_name | The name of the routemap. |
| id | The ID of the routemap instance. A keyword may be entered in place of a number. |
| on, off | Creates (on) or deletes (off) the routemap instance with this ID. |
| allow | Allow routes that match the routemap. |
| inactive | Temporarily disable the routemap instance. To activate it again, use the allow or restrict argument. |
| restrict | Routes that match the routemap are not allowed. |
To specify actions for a routemap:

Note - Some statements affect only a particular protocol.

```
set routemap <rm_name> id <id_number> action
    aspath-prepend-count <1-25>
    community <append | replace | delete> [on|off]
    community <1-65535> as <1-65535> [on|off]
    community no-export [on|off]
    community no-advertise [on|off]
    community no-export-subconfed [on|off]
    community none [on|off]
    localpref <1-65535>
    metric <add|subtract> <1-16>
    metric igp [<add | subtract>] <1-4294967295>
    metric value <1-4294967295>
    nexthop ip <ipv4_address>
    precedence <1-65535>
    preference <1-65535>
    route-type <type-1 | type-2>
    remove <action_name>
    ospfautomatictag tag
    ospfmanualtag tag
    riptag tag
```

| Parameter | Description |
|---|---|
| rm_name | The name of the routemap. |
| id | The ID of the routemap instance. A keyword may be entered in place of a number. |
| aspath-prepend-count | Prepends the local AS number to the AS path the given number of times before sending out an update. BGP only. |
| community append, replace, delete | Operate on a BGP community string. A community string can be formed from multiple community action statements. The keyword selects the operation performed with the community string; the default is append. BGP only. |
| community <1-65535> as <1-65535> | Specifies a BGP community value (community number and AS). |
| community no-export | Routes received with a communities attribute containing this value must not be advertised outside a BGP confederation boundary (a stand-alone autonomous system that is not part of a confederation is considered a confederation itself). |
| community no-advertise | Routes received with a communities attribute containing this value must not be advertised to other BGP peers. |
| community no-export-subconfed | Routes received with a communities attribute containing this value must not be advertised to external BGP peers (this includes peers inside a BGP confederation that belong to the autonomous systems of other members). |
| community none | As an action, meaningful only with replace: it deletes all communities associated with the route, so the route carries no communities. With append or delete it is a no-operation. The CLI returns an error if you turn none on when other community values are already defined, or if none is defined and you add another community value. |
| localpref | Set the local preference of the BGP route. BGP only. |
| metric add, metric subtract | Add to or subtract from the metric value. RIP only. |
| metric igp | Set the metric to the IGP metric value, or add to or subtract from the IGP metric value. RIP only. |
| metric value | Set the metric value. For RIP the metric is the RIP metric, for OSPF it is the cost, and for BGP it is the MED. |
| nexthop | Set the IPv4 next hop address. BGP only. Note: an IPv6 next hop address must not be a link-local address. |
| precedence | Sets the rank of the route. Precedence works across protocols; use it to bias routes of one protocol over another. The lower value has priority. |
| preference | BGP only. Equivalent to the BGP weight of the route in Cisco terms, except that, unlike Cisco, the route with the lower value is preferred. This value is relevant only to the local router. |
| route-type | The metric type (type-1 or type-2) assigned to an OSPF AS External route. Applies only to routes redistributed into OSPF. |
| remove | Remove the specified action from the routemap. For community, all community statements are removed. |
| ospfautomatictag | Creates an automatic OSPF route tag. |
| ospfmanualtag | Creates a manual OSPF route tag. |
| riptag | Creates a RIP route tag. |
To specify the criteria that must be matched for the routemap to take effect:

Note - Some statements affect only a particular protocol.

```
set routemap <rm_name> id <1-65535> match
    as <1-65535> [on | off]
    aspath-regex ["regular_expression" | empty]
    origin <any | igp | incomplete>
    community <1-65535> as <1-65535> [on|off]
    community exact [on|off]
    community no-export [on|off]
    community no-advertise [on|off]
    community no-export-subconfed [on|off]
    community none [on|off]
    ifaddress <IPv4_addr> [on | off]
    interface <interface_name> [on | off]
    metric value <1-4294967295>
    neighbor <IPv4_addr> [on | off]
    network <IPv4_network/masklength> <all | exact | off | refines | between masklength1
```

| Parameter | Description |
|---|---|
| as | Match the specified autonomous system number against the AS number of the BGP peer. BGP only. |
| aspath-regex | Match the specified AS path regular expression. BGP only. Note: Enter the regular expression in quotation marks. Use the empty keyword to match a null AS path. |
| origin | Match the origin of the route, that is, the completeness of its AS-PATH information (any, igp or incomplete). BGP only. |
| community <1-65535> as <1-65535> | Specify the BGP community value to match. |
| community exact | The communities present on the route must exactly match all the communities in the routemap. Without the exact clause, the route may carry other community values in addition to those in the routemap. Multiple community statements in a route map form a community string. |
| community no-export | Matches routes received with a communities attribute containing this value, which must not be advertised outside a BGP confederation boundary (a stand-alone AS that is not part of a confederation is considered a confederation itself). |
| community no-advertise | Matches routes received with a communities attribute containing this value, which must not be advertised to other BGP peers. |
| community no-export-subconfed | Matches routes received with a communities attribute containing this value, which must not be advertised to external BGP peers (this includes peers in other member autonomous systems inside a BGP confederation). |
| community none | Matches an empty community string, that is, a route that has no communities associated with it. The CLI returns an error if you turn none on when other community values are already defined, or if none is defined and you add another community value. |
| ifaddress | Match the specified interface address. There can be multiple ifaddress statements. |
| interface | Match the route if its next hop lies on the specified interface. There can be multiple interface statements. |
| metric value | Match the specified metric value. |
| neighbor | Match the neighbor's IP address. BGP or RIP. There can be multiple neighbor statements. |
| network | Match the specified network, qualified by one of these keywords: all (the prefix with an equal or longer mask length), exact (exactly this prefix and mask length), refines (the prefix with a strictly longer mask length), between (the prefix with a mask length inside the given range), or off. There can be multiple network match statements in a route map. |
| nexthop | Match the specified next hop address. |
| protocol | Match the specified source protocol. Use this for route redistribution. |
| route-type | As a match statement in a routemap used for export policy, any protocol can use it to redistribute OSPF routes. If a route-type of inter-area or intra-area is specified, the protocol match condition must be ospf2; if a route-type of type-1 or type-2 is specified, the protocol match condition must be ospf2ase. When exporting OSPF ASE routes to another protocol with a metric match condition but no route-type match condition, the metric value is matched for both type-1 and type-2 routes. There can be multiple route-type match statements. |
| remove | Remove the specified match condition from the routemap. For match conditions that can have multiple statements (such as network or neighbor), this argument removes all of them. |
To view route maps:

```
show routemap <rm_name> {all | <id VALUE>}
show routemaps
```

To assign routemaps to protocols:

The preference value specifies the order in which the protocol applies its routemaps; the lowest value is applied first.

```
set <ospf | ipv6 ospfv3 | rip> export-routemap <rm_name> preference <VALUE> on
set <ospf | ipv6 ospfv3 | rip> import-routemap <rm_name> preference <VALUE> on
```

To turn a routemap off, use the same command with off in place of the preference and on:

```
set <ospf | ipv6 ospfv3 | rip> export-routemap <rm_name> off
set <ospf | ipv6 ospfv3 | rip> import-routemap <rm_name> off
```

To view routemaps assigned to protocols:

```
show <ospf | rip> routemap
```

To set BGP routemaps for export and import policies:

```
set bgp external remote-as <1-65535> export-routemap <rm_name> {off | preference <1-65535> [family inet] on}
set bgp external remote-as <1-65535> import-routemap <rm_name> {off | preference <1-65535> [family inet] on}
set bgp internal export-routemap <rm_name> {off | preference <1-65535> [family inet] on}
set bgp internal import-routemap <rm_name> {off | preference <1-65535> [family inet] on}
show bgp routemap
```

Note - You cannot use routemaps in BGP confederations. To configure route filters and redistribution for BGP confederations, use the Inbound Route Filters and Route Redistribution pages in the Portal.
Some statements affect only a particular protocol; for example, matching the Autonomous System Number applies only to BGP. If such a condition is in a routemap used by OSPF, the match condition is ignored. Any non-applicable match conditions or actions are ignored and processing continues as if they did not exist. A log message is generated in /var/log/messages for each such statement, so check that file after assigning a routemap to a protocol it was not written for.

Note - The same parameter cannot appear both as a match and as an action statement in a routemap. These include Community, Metric, and Nexthop.

| Match conditions | Actions |
|---|---|
| Neighbor, Network, Interface, Ifaddress, Metric, Nexthop | Precedence, Metric Add/Subtract |
| Interface, Ifaddress, Metric, Network, Nexthop | Metric Add/Subtract, Metric Set |
| Network (Route Prefix) | Precedence |
| Network, Interface, Ifaddress, Metric, Route-type, Nexthop | Metric, Route-type |
When you do initial configuration, set the router ID. You can also use the following command to change the router ID.

```
set router-id [default | <ip_address>]
```

| Parameter | Description |
|---|---|
| default | Selects the highest interface address when OSPF is enabled. |
| ip_address | The Router ID uniquely identifies the router in the autonomous system. The router ID is used by the BGP and OSPF protocols. We recommend setting the router ID explicitly rather than relying on the default setting; this prevents the router ID from changing if the interface whose address was chosen goes down. Use an address on a loopback interface that is not the loopback address (127.0.0.1). Note - In a cluster, you must select a router ID and make sure that it is the same on all cluster members. |
Use the following commands to set and view parameters for BGP.

```
set as [<as_number> | off]
```

| Parameter | Description |
|---|---|
| as_number | The local autonomous system number of the router. This number is mutually exclusive with the confederation and routing domain identifier: the router can be configured with either an autonomous system number or a confederation number, not both. Caution: When you change the autonomous system number, all current peer sessions are reset and all BGP routes are deleted. |
| off | Disables the configured local autonomous system number. |
When redistributing static routes into BGP, OSPFv2 or RIP the following match conditions are supported:
When redistributing interface/direct routes into BGP, OSPFv2 or RIP the following match conditions are supported:
When redistributing aggregate routes into BGP, OSPFv2 or RIP the following match conditions are supported:
Redistribute the interface route for eth3 into OSPF, and set the OSPF route type to AS external type-2 with cost 20.

```
set routemap direct-to-ospf id 10 on
set routemap direct-to-ospf id 10 match interface eth3
set routemap direct-to-ospf id 10 match protocol direct
set routemap direct-to-ospf id 10 action route-type type-2
set routemap direct-to-ospf id 10 action metric value 20
set ospf export-routemap direct-to-ospf preference 1 on
```

Do not accept routes from RIP neighbor 192.0.2.3, accept routes from neighbor 192.0.2.4 as they are, and for all other routes increment the metric by 2. The last instance has no match statements, so it is the catch-all that accepts everything the earlier instances did not decide.

```
set routemap rip-in id 10 on
set routemap rip-in id 10 restrict
set routemap rip-in id 10 match neighbor 192.0.2.3
set routemap rip-in id 15 on
set routemap rip-in id 15 match neighbor 192.0.2.4
set routemap rip-in id 20 on
set routemap rip-in id 20 action metric add 2
set rip import-routemap rip-in preference 1 on
```

Redistribute all static routes into BGP AS group 400, set the MED value to 100 and prepend our AS number to the AS path 4 times; do not redistribute routes that belong to the prefix 192.0.2.0/8. Send all BGP routes whose AS path matches the regular expression (100 200+), with the MED value set to 200.

```
set routemap static-to-bgp id 10 on
set routemap static-to-bgp id 10 restrict
set routemap static-to-bgp id 10 match protocol static
set routemap static-to-bgp id 10 match network 192.0.2.0/8 all
set routemap static-to-bgp id 15 on
set routemap static-to-bgp id 15 match protocol static
set routemap static-to-bgp id 15 action metric value 100
set routemap static-to-bgp id 15 action aspath-prepend-count 4
set routemap bgp-out id 10 on
set routemap bgp-out id 10 match aspath-regex "(100 200+)" origin any
set routemap bgp-out id 10 action metric value 200
set bgp external remote-as 400 export-routemap bgp-out preference 1 family inet on
set bgp external remote-as 400 export-routemap static-to-bgp preference 2 family inet on
```

Note - There is no need for a match protocol statement for routes belonging to the same protocol.