A route filter is a collection of match prefixes. When specifying a match prefix, you can specify an exact match with a particular route or a less precise match. You can configure either a common action that applies to the entire list or an action associated with each prefix.

Note: Because the configuration of route filters includes setting up prefixes and prefix lengths, before proceeding with the configuration you should have a thorough understanding of IP addressing, including supernetting, and how route filters are evaluated (explained here: How Route Filters Are Evaluated in Routing Policy Match Conditions).

This section discusses the following topics:

To understand the operation of a route filter, you need to be familiar with a device used for binary number matching known as a radix tree (sometimes called a patricia trie or radix trie). A radix tree uses binary lookups to identify IP addresses (routes). Remember that an IP address is a 32-bit number represented in a dotted decimal format for easy comprehension by humans. These 8-bit groupings can each have a value between 0 and 255. A radix tree can be a graphical representation of these binary numbers. In Figure 1, the radix tree starts with no configured value (starts at 0) and is at the leftmost position of the binary IP address. This is shown as 0/0, which is often referred to as the default route.

Figure 1: Beginning of a Radix Tree

Because this is binary, each bit can have only one of two possible values—a 0 or a 1. Moving down the left branch represents a value of 0, while moving to the right represents a value of 1. The first step is shown in Figure 2. At the first position, the first octet of the IP address has a value of 00000000 or 10000000—a 0 or 128, respectively. This is represented in Figure 2 by the values 0/1 and 128/1.

Figure 2: First Step of a Radix Tree

The second step is shown in Figure 3.
This second level of the tree has four possible binary values for the first octet: 00000000, 01000000, 10000000, and 11000000. These decimal values of 0, 64, 128, and 192 are represented by the IP addresses of 0/2, 64/2, 128/2, and 192/2 on the radix tree.

Figure 3: Second Step of a Radix Tree

This step-by-step process continues for 33 total levels to represent every possible IP address. The radix tree structure is helpful when locating a group of routes that all share the same most significant bits. Figure 4 shows the point in the radix tree that represents the 192.168.0.0/16 network. All of the routes that are more specific than 192.168.0.0/16 are shown in the highlighted section.

Figure 4: Locating a Group of Routes

Note: The topic, Configuring Route Filters, describes default Junos OS behavior. The walkup feature, which is not covered in this topic, alters the evaluation results discussed in this topic by allowing the router to consider shorter match conditions configured within the same term. See Walkup for Route Filters Overview for details.

To configure a route filter, include one or more route-filter or source-address-filter statements:

    [edit policy-options policy-statement policy-name term term-name from]
    route-filter destination-prefix match-type {
        actions;
    }

The route-filter option is typically used to match an incoming route address to destination match prefixes of any type except for unicast source addresses. The destination-prefix address is the IP version 4 (IPv4) or IP version 6 (IPv6) address prefix specified as prefix/prefix-length. If you omit prefix-length for an IPv4 prefix, the default is /32. If you omit prefix-length for an IPv6 prefix, the default is /128. Prefixes specified in a from statement must be either all IPv4 addresses or all IPv6 addresses.
The source-address-filter option is typically used to match an incoming route address to unicast source addresses in multiprotocol BGP (MBGP) and Multicast Source Discovery Protocol (MSDP) environments.

    source-address-filter source-prefix match-type {
        actions;
    }

source-prefix address is the IPv4 or IPv6 address prefix specified as prefix/prefix-length. If you omit prefix-length for an IPv4 prefix, the default is /32. If you omit prefix-length for an IPv6 prefix, the default is /128. Prefixes specified in a from statement must be either all IPv4 addresses or all IPv6 addresses.

match-type is the type of match to apply to the source or destination prefix. It can be one of the match types listed in Table 1. For examples of the match types and the results when presented with various routes, see Table 2.

actions are the actions to take if a route address matches the criteria specified for a destination match prefix (specified as part of a route-filter option) or for a source match prefix (specified as part of a source-address-filter option). The actions can consist of one or more of the actions described in Actions in Routing Policy Terms. In a route filter you can specify actions in two ways:
The upto and prefix-length-range match types are similar in that both specify the most-significant bits and provide a range of prefix lengths that can match. The difference is that upto allows you to specify an upper limit only for the prefix length range, whereas prefix-length-range allows you to specify both lower and upper limits. For more examples of these route filter match types, see Route Filter Examples.
Figure 5 shows the detailed radix tree for the route 192.168.0.0/16.

Figure 5: Portion of the Radix Tree

Figure 6 and Table 2 demonstrate the operation of the various route filter match types.

Figure 6: Route Filter Match Types
During route filter evaluation, the policy framework software compares each route’s source address with the destination prefixes in the route filter. The evaluation occurs in two steps:
Note: When a route source address is evaluated against a match criteria that uses the address-mask match type, both steps of the evaluation include the configured netmask value. For more information, see How an Address Mask Match Type Is Evaluated.

In Step 1, if route 192.168.1.0/24 were evaluated, it would fail to match. It matches the longest prefix of 192.168.0.0/15, but it does not match exact. The route filter is finished because it matched a prefix, but the result is a failed match because the match type failed.

If a match occurs, the action specified with the prefix is taken. If an action is not specified with the prefix, the action in the then statement is taken. If neither action is specified, the software evaluates the next term or routing policy, if present, or takes the accept or reject action specified by the default policy. For more information about the default routing policies, see Default Routing Policies.

Note: If you specify multiple prefixes in the route filter, only one prefix needs to match for a match to occur. The route filter matching is effectively a logical OR operation.

If a match does not occur, the software evaluates the next term or routing policy, if present, or takes the accept or reject action specified by the default policy.

For example, compare the prefix 192.168.254.0/24 against the following route filter:

    route-filter 192.168.0.0/16 orlonger;
    route-filter 192.168.254.0/23 exact;

The prefix 192.168.254.0/23 is determined to be the longest prefix. When the software evaluates 192.168.254.0/24 against the longest prefix, a match occurs (192.168.254.0/24 is a subset of 192.168.254.0/23). Because of the match between 192.168.254.0/24 and the longest prefix, the evaluation continues. However, when the software evaluates the match type, a match does not occur between 192.168.254.0/24 and 192.168.254.0/23 exact.
The software concludes that the term does not match and goes on to the next term or routing policy, if present, or takes the accept or reject action specified by the default policy.

Note: The walkup feature allows terms with multiple route filters to “walk-up” the evaluation process to include less-specific routes as well as the longest match. In other words, enabling walkup changes the default behavior from “if one fails, then the term fails” to “if one matches, then the term matches.” For more information about the walkup feature, see Walkup for Route Filters Overview.

A common problem when defining a route filter is including a shorter prefix that you want to match with a longer, similar prefix in the same list. For example, imagine that the prefix 192.168.254.0/24 is compared against the following route filter:

    route-filter 192.168.0.0/16 orlonger;
    route-filter 192.168.254.0/23 exact;

Because the policy framework software performs longest-match lookup, the prefix 192.168.254.0/23 is determined to be the longest prefix. An exact match does not occur between 192.168.254.0/24 and 192.168.254.0/23 exact. The software determines that the term does not match and goes on to the next term or routing policy, if present, or takes the accept or reject action specified by the default policy. (For more information about the default routing policies, see Default Routing Policies.) The shorter prefix 192.168.0.0/16 orlonger that you wanted to match is inadvertently ignored.

One solution to this problem is to remove the prefix 192.168.0.0/16 orlonger from the route filter in this term and move it to another term where it is the only prefix or the longest prefix in the list. Another solution is to enable the walkup feature. See Walkup for Route Filters Overview for details.
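The two-step evaluation and the shadowed-prefix problem described above, modelled as an added Python example (not Juniper's code and not part of the original page). It assumes the standard prefix-length meaning of exact, longer, orlonger, upto and prefix-length-range, treats a configured prefix as a candidate only when the route is a subset of it, and leaves out walkup and the remaining match types; the function names and the term names t1 and t2 are hypothetical.

```python
import ipaddress

# Prefix-length test per match type (rlen = route length, flen = filter length).
# arg is the upper bound for upto, or a (low, high) pair for prefix-length-range.
MATCH_TYPES = {
    "exact": lambda rlen, flen, arg: rlen == flen,
    "longer": lambda rlen, flen, arg: rlen > flen,
    "orlonger": lambda rlen, flen, arg: rlen >= flen,
    "upto": lambda rlen, flen, arg: flen <= rlen <= arg,
    "prefix-length-range": lambda rlen, flen, arg: arg[0] <= rlen <= arg[1],
}

def evaluate_term(route, filters):
    """Return (longest_prefix, matched) for one term with walkup disabled."""
    route = ipaddress.ip_network(route)
    # Step 1: longest-match lookup on prefix/prefix-length only; the match
    # type plays no part in choosing the prefix.
    candidates = []
    for prefix, mtype, arg in filters:
        net = ipaddress.ip_network(prefix)
        if net.version == route.version and route.subnet_of(net):
            candidates.append((net, mtype, arg))
    if not candidates:
        return None, False
    net, mtype, arg = max(candidates, key=lambda c: c[0].prefixlen)
    # Step 2: only the longest prefix's match type is tested. If it fails,
    # the term fails, even if a shorter prefix in the list would have matched.
    return str(net), MATCH_TYPES[mtype](route.prefixlen, net.prefixlen, arg)

def evaluate_policy(route, terms):
    """Return the name of the first term whose route filter matches, else None."""
    for name, filters in terms:
        if evaluate_term(route, filters)[1]:
            return name
    return None

# Constructed sample: the two-prefix list from the text in a single term, and
# the fix the text suggests (the /16 orlonger moved to a term of its own).
ONE_TERM = [("t1", [("192.168.0.0/16", "orlonger", None),
                    ("192.168.254.0/23", "exact", None)])]
SPLIT = [("t1", [("192.168.254.0/23", "exact", None)]),
         ("t2", [("192.168.0.0/16", "orlonger", None)])]

if __name__ == "__main__":
    for r in ("192.168.254.0/24", "192.168.254.0/23", "192.168.10.0/24"):
        print(r, evaluate_policy(r, ONE_TERM), evaluate_policy(r, SPLIT))
```

A route that returns None here falls through to the next term or policy and eventually to the default policy, so this kind of check is useful for confirming that a prefix you intend to accept or reject is not silently skipped.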