Routing Policy Configuration

In This Section:

Configuring Inbound Route Filters - Gaia Portal

Configuring Inbound Route Filters - Gaia Clish

Configuring Route Redistribution - Gaia Portal

Configuring Route Redistribution - Gaia Clish

Configuring Route Maps - Gaia Clish (routemap)

Prefix Lists and Prefix Trees

You can configure routing policy for RIP, OSPFv2 and BGP in these ways:

| Routing Policy Configuration | Description | Configured In |
|---|---|---|
| Inbound Route filters | Define filters for routes accepted by a given routing protocol. Inbound Route filters are similar to route maps for an import policy. | Gaia Portal |
| Route Redistribution | Redistribute routes learned from one routing protocol into another routing protocol. It is also useful for advertising static routes, such as the default route, or aggregate routes. Route Redistribution is similar to route maps for an export policy. | Gaia Portal or Gaia Clish |
| Routemaps | Control which routes are accepted and announced. Used to configure inbound route filters, outbound route filters, and to redistribute routes from one protocol to another. Route maps offer more configuration options than the Portal options. However, they are not functionally equivalent. Routemaps assigned to a protocol for import or export override corresponding filters and route redistribution rules. | Gaia Clish |

Configuring Inbound Route Filters - Gaia Portal

Inbound Route Filters let you define which routes external to a routing protocol are accepted by that protocol. You can define Inbound Route Filters through the Portal or through the CLI.

By default, RIP, OSPFv2 (IPv4), and OSPFv3 (IPv6) accept all routes that are external to them. To narrow down the selection of accepted routes, you can edit the default policies and configure new policies.

By default, BGP does not accept any routes. You must configure explicit policies for BGP to accept routes.

When you configure Inbound Route Filters, use the same Match Type criteria rules as for route redistribution to specify the precision with which the network addresses are matched:

To change a default Inbound Route Filter policy:

  1. Click the Advanced Routing > Inbound Route Filters page.
  2. Select a default Inbound Route Filter policy:
    • OSPFv2 (IPv4 routes)
    • RIP
    • OSPFv3 (IPv6 routes)
  3. Click Edit.
  4. In the window that opens, do one of these:
    • Select Action > Accept (default) and enter the Rank from 0 to 255 (the default value for RIP is 10, for OSPFv3 - 150, and for OSPFv2 - 200)
    • Select Action > Restrict
  5. Click Save.

To configure an Inbound Route Filter for an individual route:

  1. Click the Advanced Routing > Inbound Route Filters page.
  2. Click Add and select one of these:
    • Add Individual IPv4 Route
    • Add Individual IPv6 Route
  3. In the Add IPv4/IPv6 Route window that opens, set the route parameters:
    • Import To - select the routing protocol for which you want to add the inbound route filter
    • Route - enter the network prefix and mask
    • Match Type - set the precision with which you want the network addresses in the routes to be matched against the filter criteria
    • Action - choose to Accept or to Restrict the routes that match the filter criteria
    • Rank - assign a rank to the route
  4. Click Save.

    Add Route window opens.

To configure a policy for RIP routes:

  1. Click the Advanced Routing > Inbound Route Filters page.
  2. In the Inbound Route Protocols and BGP Policies section, select RIP Routes.
  3. Click Edit.
  4. In the Configure RIP All Routes window, select the Action:
    • Options: Accept or Restrict
    • Default: Accept
  5. If you selected Accept, change the Rank:
    • Range: 0-255
    • Default: 100
  6. You can fine tune the policy for RIP routes. In the Individual Routes section click Add.

    The Add Route window opens.

To configure a policy for BGP routes:

  1. Click the Advanced Routing > Inbound Route Filters page.
  2. In the Inbound Route Protocols and BGP Policies section, click Add BGP Policy.

    The Add BGP Policy window opens.

  3. You can fine tune the policy for BGP routes. In the Individual Routes section click Add.

    The Add Route window opens.

    Note - For BGP, no routes are accepted from a peer by default. You must configure an explicit Inbound BGP Route Filter to accept a route from a peer.

Add BGP Policy Window

Parameters

Parameter

Description

BGP Type: Based on AS_PATH Regular Expression (1-511)

An autonomous system can control BGP importation. BGP supports propagation control through the use of AS-PATH regular expressions. BGP version 4 supports the propagation of any destination along with a contiguous network mask.

BGP Type: Based on Autonomous System Number (512-1024)

An autonomous system can control BGP importation. BGP can accept routes from different BGP peers based on the peer AS number.

Import ID

The order in which the import lists are applied to each route.

  • Range for BGP Type based on AS_PATH Regular Expression: 1-511
  • Range for BGP Type based on Autonomous System Number: 512-1024
  • Default: No default

AS Number

Autonomous system number of the peer AS.

  • Range: 0-65535

AS-PATH Regular Expression

The following definitions describe how to create regular expressions.

AS-PATH operators are one of the following:

  • aspath_term (m n)
    A regular expression followed by (m n), where m and n are both non-negative integers and m is less than or equal to n. This expression means that there are at least m and at most n repetitions.
  • aspath_term m
    A regular expression followed by m, where m is a positive integer and means exactly m repetitions.
  • aspath_term (m)
    A regular expression followed by (m), where m is a positive integer. This expression means that there are exactly m repetitions.
  • aspath_term *
    A regular expression followed by *, which means zero or more repetitions.
  • aspath_term +
    A regular expression followed by +, which means one or more repetitions.
  • aspath_term ?
    A regular expression followed by ?, which means zero or one repetition.
  • aspath_term | aspath_term
    Match either the AS term on the left or the AS term on the right of the pipe.

Origin

The completeness of AS-PATH information.

  • Any -
  • IGP - A route was learned from an interior routing protocol and is probably complete.
  • EGP - The route was learned from an exterior routing protocol that does not support AS-PATHs, and the path is probably incomplete.
  • Incomplete - The path information is incomplete.
  • Options: Any / IGP / EGP / Incomplete
  • Default: No default

Weight

BGP stores any routes that are rejected by not mentioning them in a route filter. BGP explicitly mentions these rejected routes in the routing table and assigns them a restrict keyword with a negative weight. A negative weight prevents a route from becoming active, which means that it is not installed in the forwarding table or exported to other protocols. This feature eliminates the need to break and re-establish a session upon reconfiguration if importation policy is changed.

  • Range: 0-65535
  • Default: No default

Local Pref.

The BGP local preference assigned to the imported route. Check Point recommends that you configure this value to bias the preference of routed for BGP routes.

Note: Do not use the local preference parameter when importing BGP.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route. The local preference parameter is ignored if used on internal BGP import statements.

  • Range: 0-65535. Larger values are preferred
  • Default: No default

All Routes: Action

Whether the routing protocol should accept or restrict the All Routes route, equivalent to 0.0.0.0/0, from the given AS-Path or AS. If set to Accept, you can specify a Rank for all routes.

  • Options: Accept / Restrict
  • Default: Restrict

All Routes: Rank

If All Routes: Action is set to Accept, you can specify a Rank for all routes.

  • Range: 0-65535
  • Default: No default

Fine Tuning Policies

To fine tune your OSPF, RIP or BGP Policy:

  1. Specify which routes should be filtered by:
    • IP address
    • Subnet mask
    • Match type
    • Optional: Parameters that depend on the match type. For routes that match a filter, you can select Accept or Restrict. If the route is accepted, you can specify its rank.
  2. Specify what actions to perform on a route if it matches the route filter.

Do these steps by configuring the parameters in the Add Route window.

Add Route Window

Parameter

Description

Protocol

The protocol for which you want to create the inbound route filter.

Address

Subnet mask

A baseline route that specifies a route filter. This route is the specified route in the context of a single route filter.

Matchtype

The routes that are filtered for the From Address and Subnet mask. These are the ways to compare other routes against it:

  • Normal - matches any route that equals the specified route or is more specific than the specified route.
  • Exact - matches a route only if it equals the From Address and Subnet mask of the specified route.
  • Refines - matches a route only if it is more specific than the specified route.
  • Range - matches any route whose IP prefix equals the specified route's From Address and whose Subnet Mask falls within the specified Subnet Mask length range.
  • Options: Normal, Exact, Refines, Range.
  • Default: Normal.

Action

What to do with the routes that match the filter that is defined by the From Address, Subnet mask and Matchtype.

  • Options: Accept, Restrict.
  • Default: Accept.

Weight

BGP stores any routes that are rejected by not mentioning them in a route filter. BGP explicitly mentions these rejected routes in the routing table and assigns them a restrict keyword with a negative weight. A negative weight prevents a route from becoming active, which means that it is not installed in the forwarding table or exported to other protocols. This feature eliminates the need to break and re-establish a session upon reconfiguration if importation policy is changed.

  • Range: 0-65535
  • Default: No default

Local Pref

The BGP local preference assigned to the imported route. Check Point recommends that you configure this value to bias the preference of routed for BGP routes.

Note: Do not use the local preference parameter when importing BGP.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route. The local preference parameter is ignored if used on internal BGP import statements.

  • Range: 0-65535. Larger values are preferred
  • Default: No default
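
The Matchtype values in the Add Route window decide how many more-specific prefixes a single filter admits, which is the part of an inbound policy most worth checking before it is applied. The following Python sketch is an added example, not Check Point code: the function names `matches`, `evaluate` and `audit` are hypothetical, the reading of Range (route under the baseline prefix with a mask length inside an inclusive low/high pair) is an assumption, and the sample announcements are constructed from documentation address space. It evaluates one filter against candidate routes and falls back to the protocol defaults this page states (RIP and OSPF accept, BGP restricts).

```python
import ipaddress

# Out-of-the-box behaviour stated on this page: RIP and OSPF accept external
# routes by default, BGP accepts nothing without an explicit policy.
PROTOCOL_DEFAULT = {"rip": "accept", "ospfv2": "accept", "ospfv3": "accept",
                    "bgp": "restrict"}

def matches(route, base, matchtype="normal", between=None):
    """True if `route` matches the filter's baseline route `base`."""
    route, base = ipaddress.ip_network(route), ipaddress.ip_network(base)
    if route.version != base.version:
        return False
    inside = route.subnet_of(base)  # equal to, or more specific than, base
    if matchtype == "normal":
        return inside
    if matchtype == "exact":
        return route == base
    if matchtype == "refines":
        return inside and route.prefixlen > base.prefixlen
    if matchtype == "range":
        # Assumed reading of "Range": route lies under the baseline prefix
        # and its mask length is within the inclusive (low, high) pair.
        low, high = between
        return inside and low <= route.prefixlen <= high
    raise ValueError(f"unknown match type: {matchtype}")

def evaluate(protocol, route, flt=None):
    """Action for one route: the filter's action on a match, else the default."""
    if flt and matches(route, flt["route"], flt["matchtype"], flt.get("between")):
        return flt["action"]
    return PROTOCOL_DEFAULT[protocol]

def audit(protocol, flt, routes):
    """Map every candidate route to the action the filter would produce."""
    return {r: evaluate(protocol, r, flt) for r in routes}

# Constructed sample announcements (documentation address space).
SAMPLE = ["203.0.113.0/24", "203.0.113.128/25", "203.0.113.200/32",
          "198.51.100.0/24"]

if __name__ == "__main__":
    for mt, extra in (("normal", {}), ("exact", {}), ("refines", {}),
                      ("range", {"between": (24, 25)})):
        flt = {"route": "203.0.113.0/24", "matchtype": mt, "action": "accept", **extra}
        print(mt, audit("bgp", flt, SAMPLE))
```

With Normal, an Accept filter on a /24 also admits every /25 through /32 beneath it; Exact or a narrow Range keeps more-specific announcements on the BGP default of Restrict.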