Presentation_ID
Cisco Confidential
Why RPL
Scaling
Using route-maps at IOX scale could lead to configurations of several hundred thousand lines to over a million, depending on the number of peers; this does not scale. How do we solve the scaling problem? A major ISP's 15k lines of route-maps were rewritten in 1k lines of RPL, though you won't always get this kind of reduction.
Parameterization
For elements which are not exact copies of each other, we can add parameterization (think variables) to get further re-use.
User-defined control flow: no forced structure to match statements.
All elements should have meaningful names.
Inline lists where needed.
RPL Definitions
AttachPoint
Any place in the system that binds the use of a specific policy for a specific purpose.
Example:
router bgp 2
 neighbor 1.2.3.3
  address-family ipv4 unicast
   policy foo in
   policy bar out
RPL Definitions (continued)
Hierarchical policy
A policy which refers to another policy with an apply statement. Example:
route-policy one
  set med 100
end-policy
route-policy two
  apply one
  set community (10:100)
end-policy
RPL Definitions (continued)
Parameterized policy
A hierarchical policy that passes values, e.g.:
route-policy one ($med)
  set med $med
end-policy
route-policy two
  apply one (10)
end-policy
RPL Lexicon
BGP Attribute(s)
next-hop
weight
RPL Attribute(s)
source
destination
RPL Operation(s)
pass / drop
suppress-route
local-preference
med
route-type
rib-has-route
unsuppress-route
length, uniquelength
The if statement also permits an else clause, which is executed if the expression is false.
if med eq 150 then
  set local-preference 10
elseif med eq 200 then
  set local-preference 60
else
  set local-preference 0
endif
2006 Cisco Systems, Inc. All rights reserved.
if community matches-every (12:34, 56:78) then
  if med eq 8 then
    drop
  endif
  set local-preference 100
endif
Boolean Expressions
Boolean expressions evaluate as either true or false. The routing policy language provides means to build compound conditions from simple conditions by means of Boolean operators. There are three Boolean operators: negation (not), conjunction (and), and disjunction (or).
Sets
The term set is used in its mathematical sense to mean an unordered collection of unique elements. The policy language provides sets as a container for groups of values for matching purposes. They are used in conditional expressions. The elements of the set are separated by commas. There are four kinds of sets: as-path-set, community-set, extcommunity-set and prefix-set.
Prefix Sets (prefix, mask length, minimum match length, maximum match length)
A prefix-set holds IPv4 and IPv6 prefix match specifications, each of which has four parts: an address, a mask length, a minimum matching length, and a maximum matching length.
The address is required, but the other three parts are optional.
Address: a standard-format IPv4 or IPv6 address.
Mask length: a nonnegative decimal integer in the range 0 to 32, following the address and separated from it by a slash.
Minimum matching length: expressed with the keyword ge (mnemonic for greater than or equal to).
Maximum matching length: expressed with the keyword le (mnemonic for less than or equal to).
AS-PATH Sets
An as-path-set comprises operations for matching an AS path attribute. The only matching operation is a regular expression match, compatible with the as-regexp provided by IOS in ip as-path access-list.
Community Sets
A community-set holds community values for matching against the BGP community attribute. A community is a 2*16-bit quantity. For notational convenience, each community value is expressed as two unsigned decimal integers in the range 0 to 65535, separated by a colon.
extcommunity-set ?
  cost  EIGRP Cost Community type extended community
  rt    BGP Route Target (RT) extended community
  soo   BGP Site of Origin (SoO) extended community
AS-PATH
AS-PATH -- Match
if as-path in as-path-set-1 then
  drop
endif
AS-PATH -- Assignment
AS-PATH contd..
AS-PATH is-local
if (as-path is-local) then
  set local-preference 100
endif
AS-PATH neighbor-is
if as-path neighbor-is 10 then ...
if as-path neighbor-is $asnum then ...
if as-path neighbor-is 10 20 then ...
AS-PATH contd..
AS-PATH Passes-through
if as-path passes-through 10 then ...
if as-path passes-through $asnum then ...
if as-path passes-through 10 11 then ...
if as-path passes-through 10 $asnum 12 then ...
AS-PATH Originates-from
if as-path originates-from 10 then ...
if as-path originates-from 11 10 then ...
if as-path originates-from $asnum then ...
AS-Path continued
as-path length, unique-length
if as-path length is 10 then ...
if as-path length ge 10 and destination in (0.0.0.0/0 ge 24 le 32) then ...
if as-path unique-length is 10 then ...
if as-path unique-length ge 10 and destination in (0.0.0.0/0 ge 24 le 32) then ...
Community
Community -- Match
if community matches-any cs2 then
  set med 12
endif
if community matches-every (10:12, internet, 10:33) then
  set med 33
endif
Community -- Assignment
set community (10:12)
set community (10:12) additive
Dampening
Dampening -- Assignment
route-policy foo-damp
  if destination in (0.0.0.0/0 ge 25) then
    set dampening halflife 42 others default
    set dampening max-suppress 15 halflife 42 others default
  else
    set dampening halflife 15 max-suppress 60 reuse 750 suppress 2000
  endif
end-policy
Destination
Destination -- Match
if destination in (10.0.0.0/8 ge 8 le 32) then
  set local-preference 200
endif
Extcommunity
Extended Community -- Match
Local-Preference -- Assignment
set local-preference 200
MED
MED -- Match
if (med eq 10) then ...
MED -- Assignment
set med 10
MED -- Increment/Decrement
set med +5
set med -2
Next-Hop
Next-Hop -- Match
Origin
Origin -- Match BGP origin attribute
if origin is igp or origin is incomplete then
Origin -- Assignment
set origin [incomplete| igp | egp]
Rib-has-route
Rib-has-route -- check if rib has route (default origination)
Route-Distinguisher
Compare against VPN-IPv4 routes.
Source
Suppress-route
Suppress-route is an action used to suppress more-specific routes when an aggregate is built.
if (destination in 10.0.0.0/16 ge 24 le 32) then
  suppress-route
endif
Unsuppress-route
unsuppress-route is an action used to override the suppression of more-specific routes when an aggregate is built.
if (destination in 10.0.0.0/16 ge 16 le 24) then
  unsuppress-route
endif
Tag
Tag -- Match used in route redistribution
if tag eq 10 then
Tag -- Assignment
set tag 20
Traffic-Index
Traffic-Index -- Assignment supports bgp policy accounting feature
set traffic-index 10
Weight
Weight -- Assignment
set weight 100
example_one
set-comms
Sets referenced directly and indirectly
(via applied policies) in this policy:
---------------------------------------
type prefix-set: ten-net too-specific
RP/0/0/CPU0:ios#show rpl route-policy my_policy
route-policy my_policy
  set local-preference 150
  set community (1276:4, 1276:1000, 1276:1009, no-export) additive
end-policy
!
The following policies are (INACTIVE)
-----------------------------------------
None found with this status.

The following policies are (UNUSED)
-----------------------------------------
route-policy FR_STATIC # Customer Global aggregation
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop        Metric LocPrf Weight Path
*  10.13.0.0/16     192.168.40.24                      0 1878 704 701 200 ?
*  10.16.0.0/16     192.168.40.24                      0 1878 704 701 i
NOTE only prefixes already installed in the BRIB that match the policy will be shown
Rules of RPL
RPL
Verification
Control Flow
Default-Drop Semantics to be aware of
RPL Verification
Beyond syntax verification
Per-attachpoint verification ensures all statements in a policy are sane for this protocol.
Statements which cannot be executed are not silently skipped.
RPL Verification (continued)
When does verification occur?
At policy definition time: incomplete policies are allowed for user input.
At AttachPoint bind time: the policy must be completely defined, with no incomplete references, and all statements must be valid for the protocol and AttachPoint.
RPL Verification (continued)
Policy Definition change
When a policy definition is changed, or a component of the policy is changed, the change must be acceptable for all locations in the system where the policy is currently in use. The change is verified against all existing attachpoints, and any failure causes the change to be rejected.
With route-maps you typically have the strictest match cases followed by more and more general cases, because of the first-matching-clause-wins rule. This can lead to inefficient configs.
Control Flow (continued)
Nesting ifs allows preconditions to be specified once. May allow faster execution as well.
if ((destination in allowed-prefixes) and (not destination in rfc-1918)) then
  if (community matches-any (10:102)) then
    set local-preference 102
  elseif (community matches-any (10:103)) then
    set local-preference 103
  elseif (community matches-any (10:104)) then
    set local-preference 104
  endif
endif
Control Flow (continued)
All statements are executed unless a drop is encountered; drop is the only statement that stops continued execution of the policy. Applied policies are analogous to an inline insertion of the policy text. A given attribute can be set more than once, which allows one to override previous values for attributes which can only take on a single value.
Default Drop
Like route-maps, RPL has a default drop condition.
In general if the route is not accepted it is dropped. In route-maps this is controlled by a successful match.
In RPL this is controlled by an attempt to modify a route attribute or hitting the pass statement. Any attribute set at any level of hierarchy is sufficient to defeat default drop. An explicit drop is always honored.
Processing stops at an explicit drop.
RPL Semantics (continued)
MED/cost/metric
In RPL, the attribute metric is NOT overloaded in each protocol. Per-protocol metrics are specified explicitly.
EIGRP RIP
RPL Semantics (continued)
All matches are performed on original route data, not intermediate results. Thus a policy which sets the med to 42 and then checks to see if the med is 42 in the next statement will only execute the true branch of the if statement if the route originally had a med of 42 before any policy was applied.
if med eq 12 then
  set med 42
  if med eq 42 then
    drop
  endif
endif
This policy will never execute the drop statement, because the second test (med eq 42) sees the original, unmodified value (med eq 12) of the MED in the route.
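As an added example, not from the presentation, the following Python model encodes the execution rules stated above (conditions read the original route, drop stops execution, apply is inline insertion, repeated sets override, default drop) and runs the med-eq-12 policy through it; the tuple encoding of statements and the LP_POLICY/SET_COMMS names are this example's own, not RPL syntax.

```python
from dataclasses import dataclass, field

@dataclass
class Result:
    dropped: bool = False
    passed: bool = False
    sets: dict = field(default_factory=dict)

    def accepted(self) -> bool:
        # Default drop: an explicit drop always wins; otherwise the route
        # is accepted only if some attribute was set (at any level) or
        # pass was hit.
        return not self.dropped and (self.passed or bool(self.sets))

def _execute(original, res, statements) -> bool:
    """Run statements in order; return False as soon as a drop is seen."""
    for stmt in statements:
        op = stmt[0]
        if op == "drop":
            res.dropped = True
            return False                      # drop stops execution
        if op == "pass":
            res.passed = True
        elif op == "set":                     # later sets override earlier
            res.sets[stmt[1]] = stmt[2]
        elif op == "if":                      # ("if", cond, then, else)
            branch = stmt[2] if stmt[1](original) else stmt[3]
            if not _execute(original, res, branch):
                return False
        elif op == "apply":                   # ("apply", policy): inline
            if not _execute(original, res, stmt[1]):
                return False
    return True

def evaluate(route, policy) -> Result:
    """Apply a policy to a route; conditions only ever see the original."""
    res = Result()
    _execute(dict(route), res, policy)
    return res

# The page's policy: if med eq 12 then set med 42; if med eq 42 then drop.
MED_POLICY = [
    ("if", lambda r: r["med"] == 12, [
        ("set", "med", 42),
        ("if", lambda r: r["med"] == 42, [("drop",)], []),
    ], []),
]

# A default local-preference that is overridden for one community,
# plus an applied policy (hypothetical names, modelled on the page).
SET_COMMS = [("set", "community", ("100:500", "100:505", "100:999"))]
LP_POLICY = [
    ("set", "local-preference", 90),
    ("if", lambda r: "10:102" in r["community"],
     [("set", "local-preference", 102), ("apply", SET_COMMS)], []),
]

if __name__ == "__main__":
    r = evaluate({"med": 12, "community": ()}, MED_POLICY)
    print(r.accepted(), r.sets)   # True {'med': 42}: the drop never fires
    print(evaluate({"med": 42, "community": ()}, MED_POLICY).accepted())
```

A route whose original med is 42 never enters the outer branch, sets nothing, and so is dropped by default rather than by the explicit drop.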
Thus changing a martians policy which may be used at several attachpoints can have a large effect on the box.
As many layers of hierarchy or parameters as you want. Parameters can be passed through a policy block.
Parameters are passed by value only (passed by reference in 3.5).
No Nested Denies
Sets in RPL don't carry the notion of permit and deny.
Permit and deny are controlled explicitly by policy execution. You can't have something like a route-map with a deny clause in it that refers to a prefix-list with both permits and denies in the prefix-list.
Sets are simply containers of data which are referred to by policies.
RPL AttachPoints
For example:
Setting traffic-index can only be done at the table-policy AttachPoint.
rib-has-route can only be used at the default-origination AttachPoint.
Next-hop is the only attribute that can be set within a VRF-import policy.
address-family ipv4 unicast
 import route-policy GRX
!!% Could not find entry in list: Policy [GRX] uses 'assign local-preference'. 'set' is not a valid operator for the 'local-preference' attribute at the BGP import attach point.
BGP Attachpoints
BGP Process: Network command, Aggregation, Default-originate, Dampening, Redistribution
MPLS/VPN: VRF Import, VRF Export, Label-Allocate
BGP Neighbor: Neighbor inbound, Neighbor outbound, Neighbor ORF
BGP AttachPoint/Attribute matrix (m = match, s = set, * = supported)
Attributes: pass / drop, destination, orf-prefix, next-hop, weight, local-preference, med, origin, as-path, as-path length, community, suppress, unsuppress, dampening, traffic-index, source, route-type, rib-has-route, label
AttachPoints: neighbor in, neighbor out, neighbor orf, network, aggregation, default originate, redistribute, dampening, table policy, VRF import, VRF export, allocate-label, show cmd
IGP Attachpoints
OSPF, OSPFv3: Default originate
EIGRP: Default (in/out), IPv4 Redistribution, Global (in/out), Interface (in/out)
ISIS: Default originate, IPv4 Redistribution
RIP: Default originate, IPv4 Redistribution, Global (in/out), Interface (in/out)
OSPF and ISIS AttachPoint/Attribute matrix (m = match, s = set, * = supported)
Attributes: tag, ospf-cost, rip-metric, isis-metric, eigrp-metric, level, metric-type, protocol, route-type, rib-has-route
OSPF AttachPoints: default originate, redistribute, area-in, area-out
ISIS AttachPoints: default originate, redistribute
EIGRP and RIP AttachPoint/Attribute matrix (m = match, s = set, * = supported)
Attributes: destination, next-hop, tag, ospf-cost, rip-metric, isis-metric, eigrp-metric, level, metric-type, protocol, route-type, rib-has-route
EIGRP AttachPoints: redistribute, default accept-in, default accept-out, global-inbound, global-outbound, interface-in, interface-out
RIP AttachPoints: default originate, redistribute, global-inbound, global-outbound, interface-in, interface-out
Route-Maps at AttachPoints
IOS-style Route-maps used to be allowed at AttachPoints.
Exploiting RPL
Exploiting RPL
To get the best advantages of RPL you'll need to spend some time looking at your router configs.
Look for common subtasks that can exploit the power of parameterization and/or reuse.
Convert them to hierarchical policy blocks or parameterized policy blocks which can be reused.
Exploiting RPL
Replace small lists of prefixes or communities with inline forms.
Look for ways of eliminating repeated matches by using nested if-then-else structures.
Exploiting RPL
Look at control flow issues. Can a given policy be rearranged to be more easily understood and/or to require less repetition? RPL allows you to set an attribute value more than once; therefore you can set a default local preference and, further into the policy, change the local preference for a specific case which requires a different value.
Exploiting RPL
Reevaluate the items within your access-lists, prefix-lists, as-path lists, etc. Remove those that are no longer relevant. To get the best conversions, think about what the policy does and what it shares in common with other policies. Don't be afraid to write the policies that you need rather than just doing a simple line-for-line translation of your route-maps. You'll be surprised by the historical cruft you may find.
Step 1: Do a simple syntax translation.
Step 2: Nest conditionals to reduce repetitive comparisons.
Step 3: Use inline sets to remove small indirect set references.
Step 4: Parameterize to reuse common structures.
route-policy PROCESS_INBOUND
  if (as-path in aspath_150) then
    drop
  elseif ((community matches-any comm_1) and (as-path in aspath_10)) then
    set local-preference 70
    set community (100:500, 100:505, 100:999) additive
  elseif ((community matches-any comm_2) and (as-path in aspath_10)) then
    set local-preference 80
    set community (100:500, 100:505, 100:999) additive
  else
    set local-preference 90
    set community (100:500, 100:505, 100:999) additive
  endif
end-policy
    endif
  else
    set local-preference 90
    set community (100:500, 100:505, 100:999) additive
  endif
end-policy
  elseif (as-path in '^21409_') then
    if (community matches-any 5511:70) then
      set local-preference 70
      set community (100:500, 100:505, 100:999) additive
    elseif (community matches-any 5511:80) then
      set local-preference 80
      set community (100:500, 100:505, 100:999) additive
    endif
  else
    set local-preference 90
    set community (100:500, 100:505, 100:999) additive
  endif
end-policy
Step 4: Parameterize
Similar actions can be grouped into a common policy with parameters.
route-policy set_attributes ($pref)
  set local-preference $pref
  set community (100:500, 100:505, 100:999) additive
end-policy
!
route-policy PROCESS_INBOUND
  if (as-path in ('_701_', '_3561_')) then
    drop
  elseif (as-path in '^21409_') then
    if (community matches-any 5511:70) then
      apply set_attributes (70)
    elseif (community matches-any 5511:80) then
      apply set_attributes (80)
    endif
prefix-set foo
  10.0.3.0/24 ge 28,
  10.0.4.0/24 le 28,
  10.0.5.0/24 ge 26 le 30
end-set
route-policy my-neighbor
  apply do-filtering(foo)
  apply other-stuff
end-policy
route-policy do-filtering($set)
We are targeting 3.5.0 for adding $PEERAS (for BGP attach points), the peer AS number, for use in community expressions (limited to 16-bit communities). NOTE: extending RPL to support parameters can break BGP internal update grouping. These changes ARE coordinated with changes in BGP code; however, customers should verify the effects on convergence of parameters by comparing with non
Points to Ponder
When converting route-maps, some items require special consideration:
Route-maps which reference access-list(s).
Route-maps that reference policy-list(s) [community, AS-path, prefix-list] with mixed entries.
Combinations of policies specified via BGP CLI and route-map(s).
There is no direct equivalent to an ACL in RPL. The clause must be converted to something RPL can use:
prefix-set
prefix-set pfx_acl_199
  0.0.0.0/32,
  127.0.0.0/8 ge 8,
  10.0.0.0/8 ge 8,
  172.16.0.0/12 ge 12,
  192.168.0.0/16 ge 16,
  128.0.0.0/16 ge 16,
  223.255.255.0/24 ge 24,
  224.0.0.0/3 ge 3
end-set
!
route-policy BLOCK_BOGON
  if (not destination in pfx_acl_199) then
    pass
  endif
end-policy
!
ip prefix-list martians seq 10 permit 0.0.0.0/0
ip prefix-list martians seq 20 permit 127.0.0.0/8 le 32
ip prefix-list martians seq 30 deny 10.192.0.0/10 ge 12 le 21
ip prefix-list martians seq 40 permit 10.0.0.0/8 le 32
ip prefix-list martians seq 50 permit 172.16.0.0/12 le 32
ip prefix-list martians seq 60 permit 192.168.0.0/16 le 32
ip prefix-list martians seq 70 permit 128.0.0.0/16 le 32
ip prefix-list martians seq 80 permit 192.0.0.0/24 le 32
ip prefix-list martians seq 90 permit 223.255.255.0/24 le 32
ip prefix-list martians seq 100 permit 224.0.0.0/3 le 32
ip prefix-list martians seq 110 permit 192.157.69.0/24 le 32
route-map CUST-FACE deny 10
 match ip address prefix-list martians
prefix-set pfx_martians_p1_permit
  0.0.0.0/0,
  127.0.0.0/8 le 32
end-set
!
prefix-set pfx_martians_p2_deny
  10.192.0.0/10 ge 12 le 21
end-set
!
prefix-set pfx_martians_p3_permit
  10.0.0.0/8 le 32,
  172.16.0.0/12 le 32,
  192.168.0.0/16 le 32,
  128.0.0.0/16 le 32,
  191.255.0.0/16 le 32,
  192.0.0.0/24 le 32,
  223.255.255.0/24 le 32,
  224.0.0.0/3 le 32,
  192.157.69.0/24 le 32
end-set
!
route-policy CUST_FACE
  if (destination in pfx_martians_p1_permit) then
    drop
  elseif (destination in pfx_martians_p2_deny) then
    pass
  elseif (destination in pfx_martians_p3_permit) then
    drop
  endif
end-policy
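An added example, not from the presentation, that models prefix-set element matching (address, mask length, optional ge/le, as described under Prefix Sets above) in Python and then compares the route-map CUST-FACE deny clause with the CUST_FACE RPL conversion on a few constructed prefixes; the IPv4-only parser, the function names and the sample prefixes are this example's own assumptions.

```python
import ipaddress

def parse_element(text):
    """'10.0.0.0/8 ge 8 le 32' -> (network, min_len, max_len).

    With neither ge nor le the element matches only the exact prefix; ge
    without le raises the upper bound to /32 and le without ge keeps the
    lower bound at the mask length (the IOS prefix-list rules as well).
    """
    parts = text.split()
    net = ipaddress.ip_network(parts[0], strict=False)
    lo = hi = net.prefixlen
    kw = dict(zip(parts[1::2], map(int, parts[2::2])))
    if "ge" in kw:
        lo, hi = kw["ge"], kw.get("le", net.max_prefixlen)
    elif "le" in kw:
        hi = kw["le"]
    return net, lo, hi

def in_prefix_set(destination, elements):
    """Model of 'destination in (elements)': true if any element matches."""
    dest = ipaddress.ip_network(destination, strict=False)
    return any(dest.subnet_of(net) and lo <= dest.prefixlen <= hi
               for net, lo, hi in map(parse_element, elements))

# The page's IOS prefix-list 'martians' (first match wins; no match = deny).
MARTIANS = [
    ("permit", "0.0.0.0/0"), ("permit", "127.0.0.0/8 le 32"),
    ("deny", "10.192.0.0/10 ge 12 le 21"), ("permit", "10.0.0.0/8 le 32"),
    ("permit", "172.16.0.0/12 le 32"), ("permit", "192.168.0.0/16 le 32"),
    ("permit", "128.0.0.0/16 le 32"), ("permit", "192.0.0.0/24 le 32"),
    ("permit", "223.255.255.0/24 le 32"), ("permit", "224.0.0.0/3 le 32"),
    ("permit", "192.157.69.0/24 le 32"),
]

def route_map_cust_face_denies(destination):
    """'route-map CUST-FACE deny 10 match ip address prefix-list martians':
    the deny clause matches exactly when the prefix-list permits."""
    for action, element in MARTIANS:
        if in_prefix_set(destination, [element]):
            return action == "permit"
    return False

# The three prefix-sets of the page's RPL conversion.
P1 = ["0.0.0.0/0", "127.0.0.0/8 le 32"]
P2 = ["10.192.0.0/10 ge 12 le 21"]
P3 = ["10.0.0.0/8 le 32", "172.16.0.0/12 le 32", "192.168.0.0/16 le 32",
      "128.0.0.0/16 le 32", "191.255.0.0/16 le 32", "192.0.0.0/24 le 32",
      "223.255.255.0/24 le 32", "224.0.0.0/3 le 32", "192.157.69.0/24 le 32"]

def rpl_cust_face(destination):
    """route-policy CUST_FACE: 'drop', 'pass', or 'default-drop' when the
    policy ends without any set or pass (RPL default-drop semantics)."""
    if in_prefix_set(destination, P1):
        return "drop"
    if in_prefix_set(destination, P2):
        return "pass"   # the prefix-list deny entry that shadows seq 40
    if in_prefix_set(destination, P3):
        return "drop"
    return "default-drop"

if __name__ == "__main__":
    # Constructed sample prefixes; 8.8.8.0/24 is in neither list, so the
    # route-map clause falls through while the RPL fragment default-drops.
    for d in ["0.0.0.0/0", "10.200.0.0/16", "10.1.0.0/16", "8.8.8.0/24"]:
        print(d, route_map_cust_face_denies(d), rpl_cust_face(d))
```

The ordering of the three sets matters: 10.200.0.0/16 is also inside 10.0.0.0/8 le 32, and only the elseif order reproduces the prefix-list deny at seq 30 shadowing the permit at seq 40.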
RPL Scale
RPL configuration:
  Up to 5,000 policies
  Up to 128K lines of configuration
Per if statement:
  Up to 16 conditions
  Up to 512 elseif clauses