Understand Match Actions in Routing Filters

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

The match actions available to route filters are identical to those available for other routing policies in Junos. You can accept routes, reject routes, modify attributes that belong to a route, or perform flow-control functions. By far, the most common actions to use with route filters are accept and reject.

Typically, you want to block bad routes and advertise good routes, which you do using accept and reject.

Once you know how to construct a route filter, you need to know the routes you want to filter. Although you may not want some routes for any number of reasons, nobody wants the following routes in their routing tables:

  • 0.0.0.0/0: Nobody wants the default route advertised through their network. Advertising that route can change the default route for all routers that accepted the advertisement.

  • 127/8: Don’t route traffic to local loopback addresses, which are internal addresses and not next hops.

  • 1/8, 2/8, 5/8, 7/8, and 23/8: The addresses in these ranges haven’t been allocated by IANA (the organization that hands out IP addresses to Internet users). Because they shouldn’t be in use, you need to filter them.

Routes that should never be present in any routing table have taken on an interesting name. These types of routes are called Martian addresses, perhaps because they’re “out of this world.” The Junos OS software has a set of Martian addresses that are automatically blocked from appearing in your routing table:

  • 0.0.0.0/8

  • 127.0.0.0/8

  • 128.0.0.0/16

  • 191.255.0.0/16

  • 192.0.0.0/24

  • 223.255.255.0/24

  • 240.0.0.0/4

If you want to configure your router so that it doesn’t accept the unallocated routes listed earlier (1/8, 2/8, 5/8, 7/8, and 23/8), you need to create the route filter and then apply it to your protocols. Here’s how you create the filter:

[edit policy-options]
policy-statement filter-unwanted-routes {
  term bad-routes {
    from {
      route-filter 1.0.0.0/8 orlonger;
      route-filter 2.0.0.0/8 orlonger;
      route-filter 5.0.0.0/8 orlonger;
      route-filter 7.0.0.0/8 orlonger;
      route-filter 23.0.0.0/8 orlonger;
    }
    then reject;
  }
}

Now you must apply this policy to your router. Because you’re trying to prevent your router from importing these known “bad” routes from your neighboring routers, you want an import policy.

You can’t apply import policies to OSPF or IS-IS, but you usually have a great deal of control over an IGP. BGP routes, which come from another AS, are another story. You want to apply the policy as an import policy for your BGP routes:

[edit protocols]
bgp {
  import filter-unwanted-routes;
}
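
To check which routes the filter-unwanted-routes policy above actually rejects, the following added example (not from the original article) models the exact and orlonger match types in Python and runs constructed sample prefixes through the policy's route-filter lines. The function names are hypothetical. It shows that orlonger catches every more-specific route inside each /8 but not 0.0.0.0/0 or a covering aggregate such as 0.0.0.0/7, which fall through to whatever policy or protocol default is evaluated next.

```python
import ipaddress
import re

# Policy text copied from the article's filter-unwanted-routes example.
POLICY = """
policy-statement filter-unwanted-routes {
  term bad-routes {
    from {
      route-filter 1.0.0.0/8 orlonger;
      route-filter 2.0.0.0/8 orlonger;
      route-filter 5.0.0.0/8 orlonger;
      route-filter 7.0.0.0/8 orlonger;
      route-filter 23.0.0.0/8 orlonger;
    }
    then reject;
  }
}
"""

def parse_route_filters(text):
    """Return (network, match_type) pairs from route-filter statements."""
    pairs = re.findall(r"route-filter\s+(\S+)\s+(\w+);", text)
    return [(ipaddress.ip_network(p), m) for p, m in pairs]

def matches(route, flt, match_type):
    """Model of the 'exact' and 'orlonger' route-filter match types only."""
    if match_type == "exact":
        return route == flt
    if match_type == "orlonger":
        # Same leading bits as the filter prefix, mask length equal or longer.
        return route.prefixlen >= flt.prefixlen and route.subnet_of(flt)
    raise ValueError(f"match type not modelled here: {match_type}")

def evaluate(route_str, filters):
    """'reject' if the bad-routes term matches; 'no match' means the route
    falls through to the next policy or the protocol's default policy."""
    route = ipaddress.ip_network(route_str)
    hit = any(matches(route, f, m) for f, m in filters)
    return "reject" if hit else "no match"

FILTERS = parse_route_filters(POLICY)

if __name__ == "__main__":
    # Constructed sample routes, not taken from any real BGP feed.
    for r in ["1.0.0.0/8", "23.45.0.0/16", "7.7.7.7/32",
              "0.0.0.0/0", "0.0.0.0/7", "8.8.8.0/24"]:
        print(f"{r:<16} {evaluate(r, FILTERS)}")
```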