Configuring Route Lists for Use in Routing Policy Match Conditions
A route list is a collection of match prefixes. When specifying a match prefix, you can specify an exact match with a particular route or a less precise match. You can configure either a common action that applies to the entire list or an action associated with each prefix.
![]() | Note: Because the configuration of route lists includes setting up prefixes and prefix lengths, we strongly recommend that you have a thorough understanding of IP addressing, including supernetting, before proceeding with the configuration. It is also important to understand how a route list is evaluated, particularly if the route list includes multiple route-filter options in a from statement. We strongly recommend that you read How Route Lists Are Evaluated in Routing Policy Match Conditions before proceeding with the configuration. Not fully understanding the evaluation process could result in faulty configuration and unexpected results. |
This section discusses the following topics:
Configuring Route Lists
To configure a route list, include one or more route-filter or source-address-filter statements:
You can include these statements at the following hierarchy levels:
- [edit policy-options policy-statement policy-name term term-name from]
- [edit logical-systems logical-system-name policy-options policy-statement policy-name term term-name from]
The route-filter option is typically used to match an incoming route address to destination match prefixes of any type except for unicast source addresses.
The destination-prefix address is the IP version 4 (IPv4) or IP version 6 (IPv6) address prefix specified as prefix/prefix-length. If you omit prefix-length for an IPv4 prefix, the default is /32. If you omit prefix-length for an IPv6 prefix, the default is /128. Prefixes specified in a from statement must be either all IPv4 addresses or all IPv6 addresses.
The source-address-filter option is typically used to match an incoming route address to unicast source addresses in multiprotocol BGP (MBGP) and Multicast Source Discovery Protocol (MSDP) environments.
source-prefix address is the IPv4 or IPv6 address prefix specified as prefix/prefix-length. If you omit prefix-length for an IPv4 prefix, the default is /32. If you omit prefix-length for an IPv6 prefix, the default is /128. Prefixes specified in a from statement must be either all IPv4 addresses or all IPv6 addresses.
match-type is the type of match to apply to the source or destination prefix. It can be one of the match types listed in Table 1. For examples of the match types and the results when presented with various routes, see Table 2.
actions are the actions to take if a route address matches the criteria specified for a destination match prefix (specified as part of a route-filter option) or for a source match prefix (specified as part of a destination-address-filter option). The actions can consist of one or more of the actions described in the following sections of Configuring Actions in Routing Policy Terms:
In a route list you can specify actions in two ways:
- In the route-filter or source-address-filter option—These actions are taken immediately after a match occurs, and the then statement is not evaluated.
- In the then statement—These actions are taken after a match occurs but no actions are specified for the route-filter or source-address-filter option.
The upto and prefix-length-range match types are similar in that both specify the most-significant bits and provide a range of prefix lengths that can match. The difference is that upto allows you to specify an upper limit only for the prefix length range, whereas prefix-length-range allows you to specify both lower and upper limits.
For more examples of these route list match types, see Route List Examples.
Table 1: Route List Match Types for a Prefix List
Match Type | Match Criteria |
---|---|
address-mask netmask-value | All of the following are true:
Note: The address-mask routing policy match type is valid only for matching an incoming IPv4 (family inet) route address to a list of destination match prefixes specified in a route-filter statement. The address-mask routing policy match type enables you to match an incoming IPv4 route address on a configured netmask address in addition to the length of a configured destination match prefix. The length of the route address must match exactly with the length of the configured destination match prefix, as the address-mask match type does not support prefix length variations for a range of prefix lengths. When the longest-match lookup is performed on a route list, the lookup evaluates an address-mask match type differently from other routing policy match types. The lookup does not consider the length of the destination match prefix. Instead, the lookup considers the number of contiguous high-order bits set in the netmask value. For more information about this route list match type, see How an Address Mask Match Type Is Evaluated. For example configurations showing route lists that contain the address-mask match type, see the following topics: |
exact | All of the following are true:
|
longer | All of the following are true:
|
orlonger | All of the following are true:
|
prefix-length-range prefix-length2-prefix-length3 | All of the following are true:
|
through {destination-prefix2 | source-prefix2} | All of the following are true:
You do not use the through match type in most routing policy configurations. For an example, see Example: Rejecting Routes from Specific Hosts. |
upto prefix-length2 | All of the following are true:
|
Table 2: Match Type Examples
Prefix | 192.168/16 | 192.168/16 | 192.168/16 | 192.168/16 | 192.168/16 | 192.168/16 | 192.168/19 |
---|---|---|---|---|---|---|---|
10.0.0.0/8 | – | – | – | – | – | – | – |
192.168.0.0/16 | Match | – | Match | Match | – | Match | – |
192.168.0.0/17 | – | Match | Match | Match | – | Match | – |
192.168.0.0/18 | – | Match | Match | Match | Match | Match | – |
192.168.0.0/19 | – | Match | Match | Match | Match | Match | Match |
192.168.4.0/24 | – | Match | Match | Match | – | – | – |
192.168.5.4/30 | – | Match | Match | – | – | – | – |
192.168.12.4/30 | – | Match | Match | – | – | – | – |
192.168.12.128/32 | – | Match | Match | – | – | – | – |
192.168.16.0/20 | – | Match | Match | Match | Match | Match | – |
192.168.192.0/18 | – | Match | Match | Match | Match | – | – |
192.168.224.0/19 | – | Match | Match | Match | Match | – | Match |
10.169.1.0/24 | – | – | – | – | – | – | – |
10.170.0.0/16 | – | – | – | – | – | – | – |
How Route Lists Are Evaluated in Routing Policy Match Conditions
During route list evaluation, the policy framework software compares each route’s source address with the destination prefixes in the route list. The evaluation occurs in two steps:
- The policy framework software performs a longest-match
lookup, which means that the software searches for the
prefix in the list with the longest length.
The longest-match lookup considers the prefix and prefix-length components of the configured match prefix only, and not the match-type component. The following sample route list illustrates this point:
from {route-filter 192.168.0.0/14 upto /24 reject;route-filter 192.168.0.0/15 exact;}then accept;The longest match for the candidate route 192.168.1.0/24 is the second route-filter, 192.168.0.0/15, which is based on prefix and prefix length only.
- Once an incoming route matches a prefix (longest first),
the following actions occur:
- The route filter stops evaluating other prefixes, even if the match type fails.
- The software examines the match type and action associated with that prefix.
![]() | Note: When a route source address is evaluated against a match criteria that uses the address-mask match type, both steps of the evaluation include the configured netmask value. For more information, see How an Address Mask Match Type Is Evaluated. |
In Step 1, if route 192.168.1.0/24 were evaluated, it would fail to match. It matches the longest prefix of 192.168.0.0/15, but it does not match exact. The route filter is finished because it matched a prefix, but the result is a failed match because the match type failed.
If a match occurs, the action specified with the prefix is taken. If an action is not specified with the prefix, the action in the then statement is taken. If neither action is specified, the software evaluates the next term or routing policy, if present, or takes the accept or reject action specified by the default policy. For more information about the default routing policies, see Default Routing Policies and Actions.
![]() | Note: If you specify multiple prefixes in the route list, only one prefix needs to match for a match to occur. The route list matching is effectively a logical OR operation. |
If a match does not occur, the software evaluates the next term or routing policy, if present, or takes the accept or reject action specified by the default policy.
For example, compare the prefix 192.168.254.0/24 against the following route list:
The prefix 192.168.254.0/23 is determined to be the longest prefix. When the software evaluates 192.168.254.0/24 against the longest prefix, a match occurs (192.168.254.0/24 is a subset of 192.168.254.0/23). Because of the match between 192.168.254.0/24 and the longest prefix, the evaluation continues. However, when the software evaluates the match type, a match does not occur between 192.168.254.0/24 and 192.168.254.0/23 exact. The software concludes that the term does not match and goes on to the next term or routing policy, if present, or takes the accept or reject action specified by the default policy.
How an Address Mask Match Type Is Evaluated
The address-mask routing policy match type enables you to match incoming IPv4 route addresses on a configured netmask value in addition to the length of a configured destination match prefix. During route list evaluation, an address-mask match type is processed differently from other routing policy match types, taking into consideration the configured netmask value:
- When a longest-match lookup evaluates an address-mask routing policy match type, the prefix-length component of the configured match prefix is not considered. Instead, the lookup considers the number of contiguous high-order bits set in the configured netmask value.
When an incoming IPv4 route address is evaluated against a route filter match criteria that uses the address-mask routing policy match type, the match succeeds if the following values are identical:
- The bit-wise logical AND of the configured netmask value and the incoming IPv4 route address
- The bit-wise logical AND of the configured netmask value and the configured destination match prefix
For an example configuration of a route list that contains two address-mask match types, see Example: Evaluation of an Address Mask Match Type with Longest-Match Lookup.
How Prefix Order Affects Route List Evaluation
The order in which the prefixes are specified (from top to bottom) typically does not matter, because the policy framework software scans the route list looking for the longest prefix during evaluation. An exception to this rule is when you use the same destination prefix multiple times in a list. In this case, the order of the prefixes is important, because the list of identical prefixes is scanned from top to bottom, and the first match type that matches the route applies.
In the following example, different match types are specified for the same prefix. The route 0.0.0.0/0 would be rejected, the route 0.0.0.0/8 would be marked with next-hop self, and the route 0.0.0.0/25 would be rejected.
Common Configuration Problem with the Longest-Match Lookup
A common problem when defining a route list is including a shorter prefix that you want to match with a longer, similar prefix in the same list. For example, imagine that the prefix 192.168.254.0/24 is compared against the following route list:
Because the policy framework software performs longest-match lookup, the prefix 192.168.254.0/23 is determined to be the longest prefix. An exact match does not occur between 192.168.254.0/24 and 192.168.254.0/23 exact. The software determines that the term does not match and goes on to the next term or routing policy, if present, or takes the accept or reject action specified by the default policy. (For more information about the default routing policies, see Default Routing Policies and Actions.) The shorter prefix 192.168.0.0/16 orlonger that you wanted to match is inadvertently ignored.
One solution to this problem is to remove the prefix 192.168.0.0/16 orlonger from the route list in this term and move it to another term where it is the only prefix or the longest prefix in the list.
Route List Examples
The examples in this section show only fragments of routing policies. Normally, you would combine these fragments with other terms or routing policies.
In all examples, remember that the following actions apply to nonmatching routes:
- Evaluate next term, if present.
- Evaluate next policy, if present.
- Take the accept or reject action specified by the default policy. For more information about the default routing policies, see Default Routing Policies and Actions.
The following examples show how to configure route lists for various purposes:
- Example: Rejecting Routes with Specific Destination Prefixes and Mask Lengths
- Example: Rejecting Routes with a Mask Length Greater than Eight
- Example: Rejecting Routes with Mask Length Between 26 and 29
- Example: Rejecting Routes from Specific Hosts
- Example: Accepting Routes with a Defined Set of Prefixes
- Example: Rejecting Routes with a Defined Set of Prefixes
- Example: Rejecting Routes with Prefixes Longer than 24 Bits
- Example: Rejecting PIM Multicast Traffic Joins
- Example: Rejecting PIM Traffic
- Example: Accepting Incoming IPv4 Routes by Applying an Address Mask to the Route Address and the Destination Match Prefix
- Example: Accepting Incoming IPv4 Routes with Similar Patterns But Different Prefix Lengths
- Example: Evaluation of an Address Mask Match Type with Longest-Match Lookup
Example: Rejecting Routes with Specific Destination Prefixes and Mask Lengths
Reject routes with a destination prefix of 0.0.0.0 and a mask length from 0 through 8, and accept all other routes:
Example: Rejecting Routes with a Mask Length Greater than Eight
Reject routes with a mask of /8 and greater (that is, /8, /9, /10, and so on) that have the first 8 bits set to 0 and accept routes less than 8 bits in length:
Example: Rejecting Routes with Mask Length Between 26 and 29
Reject routes with the destination prefix of 192.168.10/24 and a mask between /26 and /29 and accept all other routes:
Example: Rejecting Routes from Specific Hosts
Reject a range of routes from specific hosts, and accept all other routes:
You do not use the through match type in most routing policy configurations. You should think of through as a tool to group a contiguous set of exact matches. For example, instead of specifying four exact matches:
You could represent them with the following single match:
Example: Accepting Routes with a Defined Set of Prefixes
Explicitly accept a limited set of prefixes (in the first term) and reject all others (in the second term):
Example: Rejecting Routes with a Defined Set of Prefixes
Reject a few groups of prefixes, and accept the remaining prefixes:
Example: Rejecting Routes with Prefixes Longer than 24 Bits
Reject all prefixes longer than 24 bits. You would install this routing policy in a sequence of routing policies in an export statement. The first term in this filter passes on all routes with a prefix length of up to 24 bits. The second, unnamed term rejects everything else.
If, in this example, you were to specify route-filter 0.0.0.0/0 upto /24 accept, matching prefixes would be accepted immediately and the next routing policy in the export statement would never get evaluated.
If you were to include the then reject statement in the term acl20, prefixes greater than 24 bits would never get rejected because the policy framework software, when evaluating the term, would move on to evaluating the next statement before reaching the then reject statement.
Example: Rejecting PIM Multicast Traffic Joins
Configure a routing policy for rejecting Protocol Independent Multicast (PIM) multicast traffic joins for a source destination prefix from a neighbor:
Example: Rejecting PIM Traffic
Configure a routing policy for rejecting PIM traffic for a source destination prefix from an interface:
The following routing policy qualifiers apply to PIM:
- interface—Interface over which a join is received
- neighbor—Source from which a join originates
- route-filter—Group address
- source-address-filter—Source address for which to reject a join
For more information about importing a PIM join filter in a PIM protocol definition, see the Multicast Protocols Configuration Guide.
Example: Accepting Incoming IPv4 Routes by Applying an Address Mask to the Route Address and the Destination Match Prefix
Accept incoming IPv4 routes with a destination prefix of 10.1.0/24 and the third byte an even number from 0 to 14, inclusive:
The route list in routing policy term term_1 matches the following incoming IPv4 route addresses:
- 10.1.0.0/24
- 10.1.2.0/24
- 10.1.4.0/24
- 10.1.6.0/24
- 10.1.8.0/24
- 10.1.10.0/24
- 10.1.12.0/24
- 10.1.14.0/24
The bit-wise logical AND of the netmask value and the candidate route address must match the bit-wise logical AND of the netmask value and the match prefix address. That is, where the netmask bit pattern 255.255.241.0 contains a set bit, the incoming IPv4 route address being evaluated must match the value of the corresponding bit in the destination prefix address 10.1.0.0/24.
- The first two bytes of the netmask value are binary 1111 1111 1111 1111, which means that a candidate route address will fail the match if the first two bytes are not 10.1.
- The third byte of the netmask value is binary 1111 0001, which means that a candidate route address will fail the match if the third byte is greater than 15 (decimal), an odd number, or both.
- The prefix length of the match prefix address is 24 (decimal), which means that a candidate route address will fail the match if its prefix length is not exactly 24.
As an example, suppose that the candidate route address being tested in the policy is 10.1.8.0/24 (binary 0000 1010 0000 0001 0000 1000).
- When the netmask value is applied to this candidate route address, the result is binary 0000 1010 0000 0001 0000 0000.
- When the netmask value is applied to the configured destination prefix address, the result is also binary 0000 1010 0000 0001 0000 0000.
- Because the results of both AND operations are the same, the match continues to the second match criteria.
- Because the prefix lengths of the candidate address and the configured destination prefix address are the same (24 bits), the match succeeds.
As another example, suppose that the candidate route address being tested in the policy is 10.1.3.0/24 (binary 0000 1010 0000 0001 0000 0011).
- When the netmask value is applied to this candidate route address, the result is binary 0000 1010 0000 0001 0000 0001.
- However, when the netmask value is applied to the configured destination prefix address, the result is binary 0000 1010 0000 0001 0000 0000.
- Because the results of the two AND operations are different (in the third byte), the match fails.
Example: Accepting Incoming IPv4 Routes with Similar Patterns But Different Prefix Lengths
Accept incoming IPv4 route addresses of the form 10.*.1/24 or 10.*.1.*/32:
The route filter match criteria 10.0.1.0/24 address-mask 255.0.255.0 matches an incoming IPv4 route address of the form 10.*.1/24. The route’s prefix length must be exactly 24 bits long, and any value is acceptable in the second byte.
The route filter match criteria 10.0.1.0/32 address-mask 255.0.255.0 matches an incoming IPv4 route address of the form 10.*.1.*/32. The route’s prefix length must be exactly 32 bits long, and any value is acceptable in the second byte and the fourth byte.
Example: Evaluation of an Address Mask Match Type with Longest-Match Lookup
This example illustrates how a longest-match lookup evaluates a route list that contains two address-mask match types. Consider the route list configured in the routing policy term term_3 below:
Suppose that the incoming IPv4 route source address 10.1.1.0/24 is tested against the route list configured in the policy term term_3:
The longest-match lookup tree for routing policy term term_3 contains two match prefixes: one prefix for 10.0.1.0/24 address-mask 255.0.255.0 and one prefix for 10.0.2.0/24 address-mask 255.240.255.0. When searching the tree for the longest-prefix match for a candidate, the longest-match lookup considers the number of contiguous high-order bits in the configured netmask-value instead of the length of the configured destination-prefix:
- For the first route filter match criteria, the longest-match lookup entry is 10.0.0.0/8 because the netmask value contains 8 contiguous high-order bits.
- For second route filter match criteria, the longest-match lookup entry is 10.0.0.0/12 because the netmask value contains 12 contiguous high-order bits.
Now that the longest-match prefix in term_3 has been identified for the candidate route address, the candidate route address is evaluated against the route filter match criteria 10.0.2.0/24 address-mask 255.240.255.0:
- To test the incoming IPv4 route address 10.1.1.0/24, the netmask value 255.240.255.0 is applied to 10.1.1.0/24. The result is 10.0.1.0.
- To test the configured destination prefix address 10.0.2.0/24, the netmask value 255.240.255.0 is applied to 10.0.2.0/24. The result is 10.0.2.0.
- Because the results are different, the route filter match fails. No actions, whether specified with the match criteria or with the then statement, are taken. The incoming IPv4 route address is not evaluated against any other match criteria.