Routing Policies
Route filtering, redistribution, and policy-based routing implementation.
Introduction: Why Networks Need Laws
Imagine a world with roads but no traffic laws, stop signs, or border control. Chaos would reign. Drivers would always take what seems to be the shortest path, leading to massive traffic jams on major roads while others remain empty. Some drivers might wander into private property, and there would be no way to control who enters or leaves a country.
The Internet, a global network of independent networks known as Autonomous Systems (ASes), faces a similar challenge. Protocols like OSPF are great at finding the mathematically shortest path within a single network, but the internet is not one network. It is a collection of business competitors, academic institutions, and government entities, each with its own interests. The "shortest" path might run through a competitor's network, which is undesirable, through an insecure path, or through a connection that costs a lot of money.
This is where Routing Policies come in. They are the traffic laws of the internet. A routing policy is a set of rules configured by a network administrator that gives them fine-grained control over how their router learns about, advertises, and selects routes. Instead of blindly accepting every piece of routing information, a router with policies can act like a discerning border agent, checking the "passport" of each route and deciding whether to let it in, where to send it, and what information to stamp on it before passing it along. This control is the cornerstone of BGP and the key to maintaining a stable, secure, and economically viable global internet.
The Three Pillars of Routing Policy
A network administrator has three primary tools at their disposal to implement routing policies. These mechanisms work together to shape traffic flow.
- Route Filtering:
This is the most fundamental policy tool. It is the act of creating "allow" and "deny" lists for routing updates. Just like a firewall filters data packets, route filters decide which routing advertisements are accepted from neighbors and which are announced to neighbors. This controls what information even enters the router's decision process.
- Attribute Manipulation:
If a route is accepted, an administrator can then modify its properties, or BGP attributes. By changing attributes like LOCAL_PREF, MED, or AS_PATH, the administrator can make a route appear more or less desirable to their own routers (influencing outbound traffic) or to their neighbors' routers (influencing inbound traffic).
- Redistribution:
This is the process of taking routes learned from one source (like an IGP such as OSPF, or static routes) and injecting them into another routing protocol (like BGP). This is the gateway between the internal network and the outside world. Policies here are critical to control exactly which internal networks are advertised to the internet.
Route Filtering: The Network's Bouncer
Route filtering is the first line of defense. Before a router even considers a route, it checks it against a filter. This is done in two directions:
Inbound Filtering
This is applied to routing updates received from a neighbor. It's the network's border control checking incoming passports. The administrator decides which routes from the outside world are trustworthy enough to be allowed into their network.
Outbound Filtering
This is applied to routing updates sent to a neighbor. It's the network deciding who is allowed to leave and what they can say. The administrator decides which of their internal routes should be advertised to the outside world.
Why is Filtering Crucial?
- Security: The most important reason. Without inbound filtering, a misconfigured or malicious neighbor could advertise a route for a major website, hijacking traffic. Filtering also prevents advertising internal, private addresses to the global internet.
- Policy Enforcement: A company may have a business agreement to only carry traffic destined for its own customers. Outbound filters ensure they do not accidentally advertise themselves as a transit path for their neighbors.
- Stability: Filtering can prevent unstable or rapidly changing routes from a neighbor from causing constant recalculations in your own network.
- Resource Management: The global BGP routing table is massive. By filtering out unnecessary routes, administrators can reduce the memory and CPU load on their routers.
Attribute Manipulation: The Art of Persuasion
After a route has passed through a filter, it enters the BGP decision process. Here, administrators can manipulate the BGP attributes of the route to influence which path is chosen as the best. This is how traffic engineering is accomplished in BGP.
Controlling Outbound Traffic with LOCAL_PREF
An AS with multiple connections to the internet needs a way to decide which connection its own users should use to send outbound traffic. The primary tool for this is the LOCAL_PREFERENCE attribute.
The rule is simple: among routes to the same destination, the one with the highest LOCAL_PREF wins, and this comparison happens before any other path attribute is considered. The attribute is only exchanged between iBGP routers within the same AS, so it is a purely internal decision-making tool.
Example: Choosing the Primary ISP
Your company (AS 65001) has a fast, expensive fiber connection to ISP-A (AS 65002) and a slower, cheaper backup connection to ISP-B (AS 65003). You want all outbound traffic to default to ISP-A.
- On your border router connected to ISP-A, you apply an inbound policy that sets the `LOCAL_PREF` for all routes learned from them to `200`.
- Routes learned from ISP-B are left with the default `LOCAL_PREF` of `100`.
- When these routes are advertised via iBGP to other routers inside your AS, all internal routers will see that routes via ISP-A have a higher preference and will exclusively choose them for sending outbound traffic.
- If the connection to ISP-A fails, its routes disappear, and the routers automatically fall back to using the routes via ISP-B.
Influencing Inbound Traffic with MED and AS_PATH Prepending
Controlling how others send traffic to you is much harder, as the final decision is made by their routers. However, you can send them hints or suggestions using specific attributes.
- Multi-Exit Discriminator (MED): MED is an attribute you send to a single neighboring AS to indicate your preferred entry point. The rule is that a lower MED value is preferred. In our example, you could send routes with `MED 100` to ISP-A over your primary link and `MED 200` over your secondary link. If ISP-A's policy is to honor MED, they will prefer sending traffic to you via the primary link.
- AS_PATH Prepending: This is a more widely used and reliable method. Since BGP prefers shorter AS_PATHs, you can intentionally make a path look longer and less attractive by artificially adding your own ASN multiple times. To make your backup link less appealing to the entire internet, you could advertise your routes to ISP-B with a prepended path, such as `(65001, 65001, 65001)`. Routers all over the internet will see this long path and naturally prefer the shorter path through ISP-A.
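The following Python script is an added example written for this page, not code from the article or from any router vendor. It models the three decisions described above in one simplified BGP best-path function: the ISP-A/ISP-B LOCAL_PREF example with its failover, a remote AS choosing between a normal announcement and a three-times-prepended one, and ISP-A choosing between two links from the same neighbour by MED. The AS numbers, prefixes and link labels are constructed, and the decision process is reduced to LOCAL_PREF, AS_PATH length and MED (a missing MED is treated as 0, as Cisco does by default); real implementations compare further attributes after these.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Route:
    prefix: str
    neighbor_as: int            # eBGP neighbour the update arrived from
    as_path: tuple              # AS_PATH as received, nearest AS first
    next_hop: str = ""          # label for the link the update arrived on (constructed)
    local_pref: int = 100       # BGP default when no policy sets it
    med: Optional[int] = None   # a missing MED is treated as 0 below


def set_local_pref(route: Route, pref_by_neighbor: dict) -> Route:
    """Inbound policy: LOCAL_PREF is assigned locally, keyed on the sending neighbour."""
    route.local_pref = pref_by_neighbor.get(route.neighbor_as, 100)
    return route


def prepend(as_path: tuple, asn: int, times: int) -> tuple:
    """Outbound policy: put `times` copies of our own ASN in front of the announced path.
    A normal announcement uses times=1; prepending uses more."""
    return (asn,) * times + as_path


def best_path(candidates: Sequence[Route]) -> Optional[Route]:
    """Simplified BGP decision process, in order: highest LOCAL_PREF, shortest AS_PATH,
    lowest MED (compared only when all remaining routes come from the same neighbour AS).
    Any remaining tie goes to the first route received."""
    if not candidates:
        return None
    top = max(r.local_pref for r in candidates)
    cands = [r for r in candidates if r.local_pref == top]
    shortest = min(len(r.as_path) for r in cands)
    cands = [r for r in cands if len(r.as_path) == shortest]
    if len({r.neighbor_as for r in cands}) == 1:
        lowest = min(r.med or 0 for r in cands)
        cands = [r for r in cands if (r.med or 0) == lowest]
    return cands[0]


def outbound_example():
    """AS 65001 prefers ISP-A (65002) over ISP-B (65003) for outbound traffic and
    falls back when ISP-A's routes are withdrawn. Returns (chosen AS, fallback AS)."""
    policy = {65002: 200, 65003: 100}          # inbound LOCAL_PREF per neighbour
    via_a = set_local_pref(Route("203.0.113.0/24", 65002, (65002, 64496)), policy)
    via_b = set_local_pref(Route("203.0.113.0/24", 65003, (65003, 64496)), policy)
    chosen = best_path([via_a, via_b]).neighbor_as
    fallback = best_path([via_b]).neighbor_as  # ISP-A link down: only ISP-B's route remains
    return chosen, fallback


def prepend_example():
    """A remote AS sees our prefix via ISP-A normally and via ISP-B prepended three times."""
    to_isp_a = prepend((), 65001, 1)           # (65001,)
    to_isp_b = prepend((), 65001, 3)           # (65001, 65001, 65001)
    seen = [Route("198.51.100.0/24", 65002, (65002,) + to_isp_a),
            Route("198.51.100.0/24", 65003, (65003,) + to_isp_b)]
    return best_path(seen).neighbor_as


def med_example():
    """ISP-A receives our prefix on two links from the same AS; the lower MED wins."""
    seen = [Route("198.51.100.0/24", 65001, (65001,), next_hop="backup", med=200),
            Route("198.51.100.0/24", 65001, (65001,), next_hop="primary", med=100)]
    return best_path(seen).next_hop


if __name__ == "__main__":
    print("outbound traffic leaves via AS, then falls back to AS:", outbound_example())
    print("remote AS reaches us through AS:", prepend_example())
    print("ISP-A enters our network via link:", med_example())
```

Note that `med_example` only works because both routes come from the same neighbour AS; the same two MED values attached to routes from different neighbours would be ignored, which is exactly why the text calls MED a hint to a single neighbour and prepending the more widely effective tool.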
Redistribution: The Gateway Between Worlds
Redistribution is a powerful but dangerous mechanism. It is the process that allows a BGP router to advertise internal networks (those learned via an IGP such as OSPF, or via static routes) to its external BGP peers.
A Necessary But Careful Process
This process is how your company's web server, which has an internal IP address, becomes reachable from the global internet. The border router learns about the web server's network from your internal OSPF, and a redistribution policy tells BGP that it is okay to advertise this network to the world.
However, redistribution must be handled with extreme care. Without proper filtering, a router could accidentally advertise your entire private internal addressing scheme to the internet, causing major security vulnerabilities and routing instability. A core principle of secure routing is: filter everything by default, and only permit redistribution of exactly the prefixes you intend to make public.
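The following Python script is an added example written for this page (not router code or the article's own), covering both the inbound/outbound filtering section and the redistribution gate described here. The inbound check rejects the default route, bogon and private space, prefixes more specific than the usual internet maximum, and anything overlapping our own block (the hijack case); the redistribution check lets a prefix out of the IGP into BGP only if it is an exact match on an allow-list, so a leaked private route or an accidental more-specific of our public block never reaches the internet. The address ranges, the bogon list (deliberately incomplete), the maximum prefix lengths and the route lists are constructed for the example; RFC 5737 documentation ranges stand in for public address space.

```python
from ipaddress import ip_network

# Constructed example data. RFC 5737 documentation ranges stand in for public space;
# in a production filter those ranges would themselves be on the bogon list.
OUR_PREFIXES = [ip_network("198.51.100.0/24")]          # space our AS originates
EXPORT_ALLOWLIST = {ip_network("198.51.100.0/24")}      # exactly what may leave via BGP
BOGONS = [ip_network(n) for n in (                      # illustrative, not exhaustive
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "fc00::/7", "fe80::/10")]
MAX_PREFIX_LEN = {4: 24, 6: 48}   # nothing more specific is accepted from the internet


def inbound_filter(prefix: str):
    """Border-control check for one prefix received from an eBGP neighbour.
    Returns (accept, reason); the reason is what a rejection log line would carry."""
    net = ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return False, "default route is never accepted from a peer"
    if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
        return False, "bogon or private address space"
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False, f"more specific than /{MAX_PREFIX_LEN[net.version]}"
    if any(net.overlaps(o) for o in OUR_PREFIXES):
        return False, "overlaps our own address space (possible hijack)"
    return True, "accepted"


def redistribution_filter(igp_routes):
    """Default-deny gate from the IGP into BGP: a prefix is exported only when it is an
    exact match of the allow-list. Returns (exported, dropped)."""
    exported, dropped = [], []
    for prefix in igp_routes:
        (exported if ip_network(prefix) in EXPORT_ALLOWLIST else dropped).append(prefix)
    return exported, dropped


def demo():
    """Run both filters over constructed updates and return the decisions."""
    received = ["203.0.113.0/24", "10.0.0.0/8", "203.0.113.128/25",
                "198.51.100.0/24", "0.0.0.0/0", "2001:db8::/32", "fc00::/7"]
    inbound = {p: inbound_filter(p) for p in received}
    # Routes our OSPF knows about; only the public /24 is meant to be announced.
    igp = ["198.51.100.0/24", "10.1.0.0/16", "198.51.100.0/25", "172.16.5.0/24"]
    return inbound, redistribution_filter(igp)


if __name__ == "__main__":
    inbound, (exported, dropped) = demo()
    for prefix, (ok, why) in inbound.items():
        tag = "ACCEPT" if ok else "REJECT"
        print(f"{tag:6} {prefix:20} {why}")
    print("redistributed:", exported, "dropped:", dropped)
```

The redistribution gate deliberately uses exact matching rather than "inside our block": `198.51.100.0/25` is dropped even though it lies within the public /24, because a more-specific leaking out would attract traffic for half of the block to whichever router originated it.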
Route Maps: The Ultimate Policy Tool
On most routing platforms, like Cisco IOS, the tool that brings all these mechanisms together is the route map. A route map is a sophisticated scripting tool that allows an administrator to create complex, conditional policies.
A route map is essentially an "If-Then" statement for routes. It consists of a series of sequenced entries. When a route is processed against a route map, the router checks each sequence in order:
- Match Clause (The "If"): The router first checks whether the route matches certain criteria. This is usually done with an access list or prefix list that identifies specific networks.
- Set Clause (The "Then"): If there is a match, the router applies a series of actions. These actions are typically the attribute manipulations we discussed, such as setting the LOCAL_PREF, setting the MED, or prepending the AS_PATH.
- Permit/Deny: Finally, each sequence ends with either a permit (allow the route to pass) or a deny (filter the route out). If a route matches a sequence, the processing stops. If it does not match, the router moves to the next sequence in the map. An implicit "deny all" is at the end of every route map.
Example Route Map Policy (Cisco IOS syntax)
```
! Inbound policy for the ISP-A session. Sequences are evaluated in order;
! the first sequence whose match clause succeeds decides the route's fate.
route-map ISP-A-INBOUND-POLICY permit 10
 match ip address prefix-list CUSTOMER-ROUTES
 set local-preference 150
route-map ISP-A-INBOUND-POLICY permit 20
 match ip address prefix-list PEER-ROUTES
 set local-preference 100
! Explicit deny for known bogus networks. Anything that matches no sequence
! at all is dropped by the implicit deny at the end of the map.
route-map ISP-A-INBOUND-POLICY deny 30
 match ip address prefix-list BOGON-NETWORKS
```
This example policy sets a high preference for routes learned from trusted customers, a normal preference for routes from peers, and explicitly denies known bogus networks. Route maps are applied to BGP neighbors in either the inbound or outbound direction to enforce these policies.
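To make the first-match, set-then-stop and implicit-deny behaviour concrete, here is an added Python model of a route map evaluator (example code written for this page, not a vendor implementation). The route map above is represented as data, the prefix-list contents are constructed, and prefix-list entries carry a `le` bound the way IOS prefix lists do, so a /16 inside 10.0.0.0/8 still matches the bogon entry.

```python
from ipaddress import ip_network

# Constructed prefix-lists. Each entry is (network, le): a prefix matches when it lies
# inside `network` and its length is between the entry's own length and `le`.
PREFIX_LISTS = {
    "CUSTOMER-ROUTES": [("203.0.113.0/24", 24)],
    "PEER-ROUTES": [("192.0.2.0/24", 24)],
    "BOGON-NETWORKS": [("10.0.0.0/8", 32), ("172.16.0.0/12", 32), ("192.168.0.0/16", 32)],
}

# The route map from the page as data: (sequence, action, match prefix-list, set clauses)
ISP_A_INBOUND_POLICY = [
    (10, "permit", "CUSTOMER-ROUTES", {"local_pref": 150}),
    (20, "permit", "PEER-ROUTES", {"local_pref": 100}),
    (30, "deny", "BOGON-NETWORKS", {}),
]


def prefix_list_matches(name: str, prefix: str) -> bool:
    """First-match evaluation of one prefix-list against a received prefix."""
    net = ip_network(prefix)
    for entry, le in PREFIX_LISTS[name]:
        base = ip_network(entry)
        if (net.version == base.version and net.subnet_of(base)
                and base.prefixlen <= net.prefixlen <= le):
            return True
    return False


def apply_route_map(route_map, route: dict):
    """Walk the sequences in ascending order; the first matching sequence decides.
    Returns (modified route or None, reason). No match at all is the implicit deny."""
    for seq, action, plist, set_clauses in sorted(route_map, key=lambda e: e[0]):
        if not prefix_list_matches(plist, route["prefix"]):
            continue                      # try the next sequence
        if action == "deny":
            return None, f"denied by seq {seq}"
        updated = dict(route)             # never modify the received update in place
        updated.update(set_clauses)       # the "then": attribute manipulation
        return updated, f"permitted by seq {seq}"
    return None, "implicit deny"


def run_policy(routes):
    """Apply the ISP-A inbound policy to a list of received routes (constructed input)."""
    return {r["prefix"]: apply_route_map(ISP_A_INBOUND_POLICY, r) for r in routes}


if __name__ == "__main__":
    received = [{"prefix": p, "local_pref": 100, "neighbor_as": 65002}
                for p in ("203.0.113.0/24", "192.0.2.0/24", "10.20.0.0/16", "198.51.100.0/24")]
    for prefix, (route, why) in run_policy(received).items():
        print(f"{prefix:18} {why:20} {route}")
```

Running it shows why sequence order matters: the customer and peer prefixes get their LOCAL_PREF set and stop at sequences 10 and 20, the 10.20.0.0/16 bogon is caught by the explicit deny in sequence 30, and 198.51.100.0/24, which matches nothing, is dropped by the implicit deny without any sequence naming it.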