Configuring Inbound Route Filters in Gaia Portal

Important - In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Procedure

From the left navigation tree, click Advanced Routing > Inbound Route Filters.

In the Inbound Route Filters section, click Add and select the type of the Route Filter:

Add BGP Policy Filter (Based on AS-PATH) - To filter BGP routes based on the AS-PATH attribute.
Add BGP Policy Filter (Based on AS) - To filter BGP routes based on the AS attribute.
Add Individual IPv4 Route Filter - To filter IPv4 routes.
Add Individual IPv6 Route Filter - To filter IPv6 routes.

Note - For BGP, no routes are accepted from a peer by default. You must configure an explicit Inbound BGP Route Filter to accept a BGP route from a peer.

Configure the applicable settings.

See the sections below.
Click Save.

Configuring the "Add BGP Policy Filter (Based on AS-PATH)"

Configures a new policy to import BGP routes, whose AS-PATH matches a particular regular expression.

In the Policy Filter section, in the Add BGP Policy fields:

In left field, enter the unique identifier from 1 to 511.

Description

An autonomous system can control BGP import.

BGP supports propagation control through the use of AS-PATH regular expressions.

BGPv4 supports the propagation of any destination along a contiguous network mask.

Range: 1-511

Default: None

In the middle field, enter the AS_PATH Regular Expression.

Description

A valid AS_PATH regular expression contains only digits and these special characters:

Operator	Description
.	The period character matches any single character.
\	The backslash character matches the character right after the backslash. For pattern recall, match the pattern indicated by the digit following the backslash.
^	The circumflex character matches the characters or null string at the beginning of the AS path.
$	The dollar character matches the characters or null string at the end of the AS path.
?	The question mark matches zero or one occurrence of the pattern before "`?`".
*	The asterisk character matches zero or more occurrences of the pattern before "`*`".
+	The plus character matches one or more occurrences of the pattern before "`+`".
\|	The pipeline (vertical line) character matches one of the patterns on either side of the "`\|`" character.
_	The underscore character matches comma (`,`), left brace (`{`), right brace (`}`), beginning of ASPath (`^`), end of ASPath (`$`), or a whitespace (space or tabulation).
[ ]	The square brackets match the set of characters or range of characters separated by a hyphen (`-`) within the brackets.
( )	The round brackets group one or more patterns into a single pattern.
{m n}	Matches at least "`m`" and at most "`n`" repetitions of the pattern before `{m,n}`. Both "`m`" and "`n`" are positive integers, and "`m`" is less than or equal to "`n`".
{m}	Matches exactly "`m`" repetitions of the pattern before `{m}`. The "`m`" is a positive integer.
{m,}	Matches "`m`" or more repetitions of the pattern before `{m}`. The "`m`" is a positive integer.

In the right field, select the route origin.
Description
- Any - A route was learned from any protocol and the path is probably complete.
- IGP - A route was learned from an interior routing protocol and the path is probably complete.
- EGP - A route was learned from an exterior routing protocol that does not support AS-PATH, and the path is probably incomplete.
- Incomplete - The route path information is incomplete.

In the Policy Filter section, in the Action field, select which routes to accept or reject.

Description

Action	Description
Accept IPv4 & IPv6	Accepts all IPv4 and IPv6 routes that match this filter, except those route that are explicitly restricted by a more specific rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.. Accepting routes is the default behavior, unless the "restrict" option is configured.
Restrict IPv4 & IPv6	Rejects all IPv4 and IPv6 routes that match this filter, except those that match a more specific filter that is set to "accept".
Accept IPv4, Restrict IPv6	Rejects all IPv6 routes that match this filter, except those that match a more specific filter that is set to "accept". Accepts all IPv4 routes.
Restrict IPv4, Accept IPv6	Rejects all IPv4 routes that match this filter, except those that match a more specific filter that is set to "accept". Accepts all IPv6 routes.

In the Policy Default Modifiers section, in the Local Preference field, enter the default local preference for the route.

Description

Assigns a BGP local preference to all routes that match this filter, except those that match a more specific filter with a different local preference value configured.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route.

The local preference parameter is ignored if used on internal BGP import statements.

greater values are preferred by the routing system when it selects between competing BGP routes.

>	Best Practice - The local preference configuration is the recommended way to bias the preference for BGP routes.

Important - Do not use the local preference parameter when importing BGP.

Note - The local preference cannot be configured in a policy rule that is set to "restrict".

Range: 0-4294967295

Default: None

In the Policy Default Modifiers section, in the Weight field, enter the default route weight.

Click Save.

Configuring the "Add BGP Policy Filter (Based on AS)"

Configures a new policy to import BGP routes from a particular peer Autonomous System.

In the Policy Filter section, in the Add BGP Policy fields:
1. In left field, enter the unique identifier from 512 to 1024.
  
  Description
  
  An autonomous system can control BGP import.
  
  BGP can accept routes from different BGP peers based on the peer AS number.
  
  Range: 512-1024
  
  Default: None
2. In the right-most field, select the peer BGP AS number.
  
  Description
  
  Enter a valid ASPLAIN number or ASDOT number that specifies the BGP Autonomous System (AS), to which this BGP import policy is applied.
  
  Range: 1 - 4294967295 (ASPLAIN), or 0.1 - 65535.6553 (ASDOT)
  
  Default: None

In the Policy Filter section, in the Action field, select which routes to accept or reject.

Description

Action	Description
Accept IPv4 & IPv6	Accepts all IPv4 and IPv6 routes that match this filter, except those route that are explicitly restricted by a more specific rule. Accepting routes is the default behavior, unless the "restrict" option is configured.
Restrict IPv4 & IPv6	Rejects all IPv4 and IPv6 routes that match this filter, except those that match a more specific filter that is set to "accept".
Accept IPv4, Restrict IPv6	Rejects all IPv6 routes that match this filter, except those that match a more specific filter that is set to "accept". Accepts all IPv4 routes.
Restrict IPv4, Accept IPv6	Rejects all IPv4 routes that match this filter, except those that match a more specific filter that is set to "accept". Accepts all IPv6 routes.

In the Policy Default Modifiers section, in the Local Preference field, enter the default local preference for the route.

Description

Assigns a BGP local preference to all routes that match this filter, except those that match a more specific filter with a different local preference value configured.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route.

The local preference parameter is ignored if used on internal BGP import statements.

greater values are preferred by the routing system when it selects between competing BGP routes.

>	Best Practice - The local preference configuration is the recommended way to bias the preference for BGP routes.

Important - Do not use the local preference parameter when importing BGP.

Note - The local preference cannot be configured in a policy rule that is set to "restrict".

Range: 0-4294967295

Default: None

In the Policy Default Modifiers section, in the Weight field, enter the default route weight.

Click Save.

Configuring the "Add Individual IPv4 Route Filter"

In the Route Filter section, in the Import From field, select the protocol.

Description

Protocol	Description
OSPFv2	Configures inbound filtering of IPv4 routes learned from OSPFv2. OSPF inbound route filters only apply to OSPF ASE routes. Intra-area and inter-area OSPF routes are always installed. The default behavior is to accept all OSPF ASE routes.
RIP	Configures inbound filtering of IPv4 routes learned from RIP.
BGP Policy <ID>	Configures inbound filtering of IPv4 routes learned from BGP. This menu shows the BGP Policy Filters you configured "Based on AS-PATH" or "Based on AS". See the sections above.

Protocol

Description

OSPFv2

Configures inbound filtering of IPv4 routes learned from OSPFv2.

OSPF inbound route filters only apply to OSPF ASE routes.

Intra-area and inter-area OSPF routes are always installed.

The default behavior is to accept all OSPF ASE routes.

RIP

Configures inbound filtering of IPv4 routes learned from RIP.

BGP Policy <ID>

Configures inbound filtering of IPv4 routes learned from BGP.

This menu shows the BGP Policy Filters you configured "Based on AS-PATH" or "Based on AS". See the sections above.

In the Route Filter section, in the Route field, enter the IPv4 address and the Mask length of the address range.

Description

Configures policy for importing routes from the given protocol that match a specific address range in CIDR notation.

Range: Dotted-quad ([0-255].[0-255].[0-255].[0-255]) / [0-32]

Default: None

In the Route Filter section, in the Match Type field, select how to match the routes.

Description

There are different mechanisms, by which routes can be matched against the configured subnet.

A match type must be configured following the subnet.

The different match types are:

Step	Instructions
Exact	Matches only routes with prefix and mask length exactly equal to the specified network.
Normal	Matches any route contained within the specified network.
Refines	Matches only routes that are contained within, but more specific than, the specified network. For example, with a greater mask length.
Range	Matches any route with prefix equal to the specified network, whose mask length falls within a particular range. Range: 1-32

In the Route Filter section, in the Action field, select whether to accept or reject this route.

Description

Action	Description
Accept	Accepts this route.
Restrict	Rejects this route.

In the Policy Modifiers section, configure the applicable settings.

If in the Import From field you selected OSPFv2 or RIP:

In the Rank field, enter the default route rank.

If in the Import From field you selected BGP:

In the Local Preference field, enter the route local preference.

Description

Assigns a BGP local preference to all routes that match this filter, except those that match a more specific filter with a different local preference value configured.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route.

The local preference parameter is ignored if used on internal BGP import statements.

greater values are preferred by the routing system when it selects between competing BGP routes.

>	Best Practice - The local preference configuration is the recommended way to bias the preference for BGP routes.

Important - Do not use the local preference parameter when importing BGP.

Note - The local preference cannot be configured in a policy rule that is set to "restrict".

Range: 0-4294967295

Default: None

In the Weight field, enter the route weight.

Description

Assigns a BGP weight to all routes that match this filter, except those that match a more specific filter with a different weight value configured.

BGP stores any routes that are rejected by not mentioning them in a route filter.

BGP explicitly mentions these rejected routes in the routing table and assigns them a "restrict" keyword with a negative weight.

A negative weight prevents a route from becoming active, which means that it is not installed in the forwarding table or exported to other protocols.

This feature eliminates the need to break and re-establish a session upon reconfiguration if import policy is changed.

Note - The route weight cannot be configured in a policy rule that is set to "restrict".

Range: 0-65535

Default: None

Click Save.

Configuring the "Add Individual IPv6 Route Filter"

In the Route Filter section, in the Import From field, select the protocol.

Description

(This is the Drop-down text)

Protocol	Description
OSPFv3	Configures inbound filtering of IPv6 routes learned from OSPFv3.
BGP Policy <ID>	Configures inbound filtering of IPv6 routes learned from BGP. This menu shows the BGP Policy Filters you configured "Based on AS-PATH" or "Based on AS". See the sections above.

Protocol

Description

OSPFv3

Configures inbound filtering of IPv6 routes learned from OSPFv3.

BGP Policy <ID>

Configures inbound filtering of IPv6 routes learned from BGP.

This menu shows the BGP Policy Filters you configured "Based on AS-PATH" or "Based on AS". See the sections above.

In the Route Filter section, in the Route field, enter the IPv6 address and the Mask length of the address range.

Description

Configures policy for importing routes from the given protocol that match a specific address range in CIDR notation.

Range: Dotted-quad ([0-F]:[0-F]:...:[0-F]) / [0-128]

Default: None

In the Route Filter section, in the Match Type field, select how to match the routes.

Description

There are different mechanisms, by which routes can be matched against the configured subnet.

A match type must be configured following the subnet.

The different match types are:

Step	Instructions
Exact	Matches only routes with prefix and mask length exactly equal to the specified network.
Normal	Matches any route contained within the specified network.
Refines	Matches only routes that are contained within, but more specific than, the specified network. For example, with a greater mask length.
Range	Matches any route with prefix equal to the specified network, whose mask length falls within a particular range. Range: 1-32

In the Route Filter section, in the Action field, select whether to accept or reject this route.

Description

Action	Description
Accept	Accepts this route.
Restrict	Rejects this route.

In the Policy Modifiers section, configure the applicable settings.

If in the Import From field you selected OSPFv2 or RIP:

In the Rank field, enter the default route rank.

If in the Import From field you selected BGP:

In the Local Preference field, enter the route local preference.

Description

Assigns a BGP local preference to all routes that match this filter, except those that match a more specific filter with a different local preference value configured.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route.

The local preference parameter is ignored if used on internal BGP import statements.

greater values are preferred by the routing system when it selects between competing BGP routes.

>	Best Practice - The local preference configuration is the recommended way to bias the preference for BGP routes.

Important - Do not use the local preference parameter when importing BGP.

Note - The local preference cannot be configured in a policy rule that is set to "restrict".

Range: 0-4294967295

Default: None

In the Weight field, enter the route weight.

Description

Assigns a BGP weight to all routes that match this filter, except those that match a more specific filter with a different weight value configured.

BGP stores any routes that are rejected by not mentioning them in a route filter.

BGP explicitly mentions these rejected routes in the routing table and assigns them a "restrict" keyword with a negative weight.

A negative weight prevents a route from becoming active, which means that it is not installed in the forwarding table or exported to other protocols.

This feature eliminates the need to break and re-establish a session upon reconfiguration if import policy is changed.

Note - The route weight cannot be configured in a policy rule that is set to "restrict".

Range: 0-65535

Default: None

Click Save.