MCR Route Filtering
This topic describes Megaport Cloud Router (MCR) route filtering. Route filtering provides selective control over which networks are discoverable between Border Gateway Protocol (BGP) neighbor routers. Route filtering is configured to influence the routing path and manage redundancy, while improving security.
This topic includes these sections:
- How routes are advertised without filters
- Selecting a filter type
- Creating BGP prefix filters using match criteria
- Maintaining prefix filters
- Validating routes after applying filters
Route filtering overview
Route filtering provides control over MCR route installation and propagation, typically between two or more networks. The networks can be either on-premises or a cloud service provider (CSP). You can use route filtering to:
- Redistribute or prevent redistribution of routes between Virtual Cross Connects (VXCs).
- Create a BGP prefix filter that includes a set of IPv4 or IPv6 CIDR blocks to manage as a group.
- Allow or deny specific routes on specific connections.
Default peering route advertisements
MCR uses Border Gateway Protocol (BGP), a standardized routing protocol designed to exchange route and reachability information among autonomous systems (AS) on the internet, to exchange network reachability information with adjacent BGP systems, known as neighbors or peers. MCR works in multicloud architectures (multiple cloud computing services used in a single heterogeneous architecture; for example, an enterprise might use multiple cloud providers for infrastructure (IaaS) and software (SaaS) services) that are connected using different combinations of peering types. In addition to private peering connectivity, the MCR can connect to public peering types such as AWS, Azure, Oracle, and other cloud service providers (CSPs).
BGP communicates between two neighbors using a standard TCP connection. By default, once the BGP neighbors are connected, they share routing information with each other. The connection between the neighbors is called a BGP connection or session.
Without using any route filters, Megaport advertises routes to BGP connections based on these peering types:
| Peering Type | Routes Advertised | Advertised To |
|---|---|---|
| Non-cloud | Routes from the Border Gateway Protocol (BGP) peer behind a Port. | Non-cloud, private cloud, public cloud |
| Private cloud | Routes from AWS Private, Azure Private Peer, and Google Cloud Platform. | Non-cloud, private cloud |
| Public cloud | Routes from AWS Public, Azure MS Peer, Salesforce, and other cloud providers. | Non-cloud |
As an example, a route received from a Public Cloud BGP connection will not be advertised to a Private Cloud BGP connection.
You cannot override or control the peering type route advertisement.
Route filtering doesn’t change this existing peer type policy but provides finer control when you need to filter specific routes or prefixes that would have otherwise been discovered and exchanged between BGP neighbors. Route filters are optional. Route filters cannot be used to advertise routes that are already filtered based on the peer type.
For the default route advertisement details, see MCR Route Advertisement.
Selecting a filter type
You can set a route filter to define which route advertisements MCR permits or denies from BGP neighbors. You can filter routes by BGP connection or by prefix. Route filtering supports both IPv4 and IPv6 routes. The two filter types are:
- BGP peer filter - An all-or-nothing filter that permits or denies route exchange between BGP neighbors. For example, consider a network deployment with BGP neighbors A, B, and C. A and B are allowed to exchange routes with each other but not with C, while all neighbors can exchange routes with headquarters. BGP peer filtering provides a simple and straightforward way to filter routes between the neighbors to meet these requirements.
- BGP prefix filter - An advanced filter that permits or denies specific routes using route prefixes (IP addresses or ranges) to identify individual neighbors. You can apply the same prefix filter to more than one BGP neighbor, eliminating the need to type manual, redundant prefix entries. You can specify a permit or deny action for each prefix in the filter list. You can apply different lists using import or export directions.
Before you begin
Before configuring a route filter, plan the implementation by determining your requirements. Then create a route filter based on these requirements.
Deployment considerations
- You need to create an MCR, as described in Creating an MCR.
- You can configure route filters before or after configuring BGP, as route filters work on existing or new BGP connections.
- You might want to shut down BGP route exchange if you plan to add a number of BGP sessions across your Virtual Cross Connects (VXCs) before they exchange route information and route filters are applied. When you are finished configuring, you can then go into the relevant BGP sessions and enable them. For more information, see Configuring an MCR.
Important
MCR route filtering supports and relies on the BGP Route Refresh mechanism to update routes using a soft reset when filters change the routing. If Route Refresh is not enabled on all active BGP connections, you need to shut down and re-enable the connection in the Megaport Portal to update routes. If you have enabled the BGP Shut Down option, routes will be updated when you disable BGP Shut Down; that is, re-enable BGP.
Filtering by BGP peer
By default, MCR permits all routes unless otherwise filtered by the peer type policy, as described in Default peering route advertisements.
You can configure a policy for each pair of BGP connections configured on the MCR to fine-tune routing. The BGP pairings are unidirectional, meaning that each pair of BGP connections has two policies - one for A to B, and another for B to A.
A BGP peer filter policy has three possible actions:
- Default - Follows the default policy defined by the source peering type BGP connection.
- Permit - Allows routes received from neighbor A to be advertised to neighbor B.
- Deny - Prevents routes received from neighbor A being advertised to neighbor B.
BGP peer filter example
BGP connections A, B, and C are connected to the same MCR.
Connection A has a global permit policy. To filter routes toward connection B, the A to B policy can be set to Deny without affecting any routes advertised to C.
Connection C has a global deny policy. To allow routes to be advertised only to A, the C to A policy can be set to Permit. If a new BGP peer is added later, routes from C will follow the global policy and not be advertised.
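The peer filter example above, worked through as an added model (not Megaport code). It assumes that each connection's "global" policy is the default applied to every pairing that is left at Default, that pair overrides are unidirectional, and that the peer-type policy from the table is applied last, so a Permit cannot re-enable a direction the peer type already filters:

```python
# Peer-type policy from the page's table: which peering types a source's routes
# may be advertised to. A peer filter cannot re-enable a direction this denies.
PEER_TYPE_TARGETS = {
    "non-cloud": {"non-cloud", "private-cloud", "public-cloud"},
    "private-cloud": {"non-cloud", "private-cloud"},
    "public-cloud": {"non-cloud"},
}


class Connection:
    """A BGP connection on the MCR: its peering type and global peer-filter default."""

    def __init__(self, name, peer_type, permit_by_default=True):
        self.name = name
        self.peer_type = peer_type
        # True = global permit, False = global deny (assumed model of the portal setting)
        self.permit_by_default = permit_by_default


def advertises(src, dst, pair_policies):
    """Return True if routes learned from src are advertised to dst.

    pair_policies maps an ordered (src, dst) name pair to "permit" or "deny";
    a missing pair is the Default action, which follows src's global setting.
    """
    if dst.peer_type not in PEER_TYPE_TARGETS[src.peer_type]:
        return False  # filtered by peer type; the peer filter cannot override this
    action = pair_policies.get((src.name, dst.name), "default")
    if action == "default":
        return src.permit_by_default
    return action == "permit"


def advertisement_matrix(connections, pair_policies):
    """Evaluate every ordered pair so both directions of each pairing are visible."""
    return {(s.name, d.name): advertises(s, d, pair_policies)
            for s in connections for d in connections if s is not d}


if __name__ == "__main__":
    # The page's scenario, as constructed sample data: A has a global permit,
    # C a global deny, with one override in each direction.
    a = Connection("A", "non-cloud")
    b = Connection("B", "non-cloud")
    c = Connection("C", "non-cloud", permit_by_default=False)
    policies = {("A", "B"): "deny", ("C", "A"): "permit"}
    for pair, ok in sorted(advertisement_matrix([a, b, c], policies).items()):
        print(f"{pair[0]} -> {pair[1]}: {'advertised' if ok else 'filtered'}")
```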
Creating a BGP peer filter
A BGP peer filter limits the routes that are advertised to or received from BGP neighbors.
To create a BGP peer filter
- Select the VXC attached to the MCR and select A End.
- Next to the BGP connection, click Edit.
- Select the Filters tab.
- Under BGP Peer Filter, select whether the routes received by this BGP connection are advertised to BGP peers by default or by exception.
- Select an Action for the BGP peer from the Action drop-down list.
- Click Update.
- Click Save.
The MCR Looking Glass displays the routes received or sent after applying route filtering. For more information, see Viewing Traffic Routing Through MCR Looking Glass.
Filtering by BGP prefix
A prefix is the destination network of the route. An IP network is a group of IP addresses. The network address is the prefix. For example:
- IPv4 address: 192.0.2.1
- IPv4 network prefix: 192.0.2.0/24 (includes 192.0.2.0 - 192.0.2.255)
A prefix filter is a named list of IP networks. Each entry consists of an IPv4 or IPv6 CIDR prefix or range of prefixes that you define and manage. A CIDR range means that you can filter several networks using a single routing entry.
A prefix filter can be applied to a BGP connection to selectively identify routes to advertise or receive from neighboring routers. You can also make a list of routes not to advertise or receive, allowing everything else. When you define a prefix filter, the MCR accepts only routes matching the prefix information. This filter type is useful in environments with a large list of prefixes and peers to manage. You can apply the same prefix filter to more than one BGP peer, reducing manual work and eliminating potential errors.
A prefix filter contains:
- A list of IPv4 or IPv6 prefixes (for example, 10.0.0.0/16) and a name associated with the list.
- A match condition. You can specify exact matches with specific routes or less precise matches based on prefix length.
- An action that is carried out if the prefix and the match condition are both true (for example, Permit).
In a prefix filter, rules are evaluated from the top down. Evaluation stops with the first match. An implicit deny is applied to routes that don’t match any prefix list entry.
Prefix filter list actions
- Inbound prefix filtering using a permit action - MCR applies the prefix filter to inbound BGP route advertisements from the neighbor. Routes not matching the prefixes on this list are denied at the earliest possible point and are never used by the MCR.
- Inbound prefix filtering using a deny action - MCR applies the prefix filter to inbound BGP route advertisements from the neighbor. Routes matching the prefixes on this list are blocked. All other prefixes are allowed to enter the MCR routing table.
- Outbound prefix filtering using a permit action - MCR applies the prefix filter to outbound routes. Routes matching the prefix list are advertised to the BGP neighbor and all other routes are filtered.
- Outbound prefix filtering using a deny action - MCR applies the prefix filter to outbound routes. Routes matching the prefix list are blocked from the BGP neighbor and all other routes are advertised.
Creating a BGP prefix filter
Each MCR can manage up to 50 prefix filters. Each prefix filter can contain up to 200 prefix entries. Each prefix filter is independent and you can apply only one list per BGP neighbor at a time.
To create a prefix filter
- On the Megaport Portal Services page, select an MCR.
  The MCR must have a Live status before you can create a prefix filter.
  The MCR Details page appears.
- Under MCR Configuration, select the Prefix Filter Lists tab.
- Click New List.
- Enter a unique descriptive name to identify the filter. The name must be from 1 to 100 characters.
  This prefix name will appear in the drop-down list of prefix lists under the Filters section of the BGP Configuration tab.
  Note
  Prefix filters cannot be shared among MCRs. You must re-create prefix filters for each MCR.
- Select either IPv4 or IPv6 format.
  The prefixes must use the same address format. A warning appears if you try to mix the two formats within the same list.
- Select a position for the rule.
  The rule position is critical because evaluation stops with the first match and the rest of the list is ignored. If no conditions match, MCR applies an implicit deny.
- Select the action to take for the filter: Match or Don’t Match.
- Enter the prefix subnets in CIDR notation. For IPv4, use a.b.c.d/x, where a.b.c.d is the exact prefix and x is the exact prefix length.
  Note
  This field also accepts dotted-quad notation for the subnet mask (for example, 255.255.255.0 instead of /24).
- Prefixes can be exact-match-only, or you can specify the number of bits in the mask to use as matching criteria. Select the subnet mask criteria:
  - Exact - Limits the filter to only this specific prefix. Any smaller prefixes contained within the prefix are not matched.
  - Min and Max - Specify a range of subnet mask lengths to match for more flexibility. Specify how many bits of the subnet mask the filter needs to match, starting with the most significant bit in the leftmost position of the address. When you specify a subnet mask range, the filter has two conditions to match: the route must be within the a.b.c.d/x boundary and it must have a mask length between the minimum and maximum range. Shorter prefixes match more addresses, while longer prefixes match fewer.
    - Min - The minimum prefix length to be matched. Valid values are from 0 to 32 (IPv4), or 0 to 128 (IPv6). The Min value must be less than or equal to the Max value.
    - Max - The maximum prefix length to be matched. Valid values are from 0 to 32 (IPv4), or 0 to 128 (IPv6), but the Max value must be no less than the Min value.
    For example, 10.0.0.0/8 Min 16 matches 10.0.0.0/16, 10.0.1.0/24, 10.0.0.1/30 but does not match 10.2.0.0/15.
  Note
  The Min and Max values on an MCR are similar to Cisco’s ge and le values used with the ip prefix-list CLI command.
  When using the Min and Max values, you must satisfy this condition:
  Prefix length < Min <= Max
- Click Save.
- Click Next.
Note
Use a CIDR calculator to ensure that all data is valid and within range.
The next step is to apply the filter to the BGP connection, as described in Applying a prefix filter to a BGP connection.
Example filter entries
- Exact match on 1.2.3.0/24 - matches exactly the prefix 1.2.3.0 with a subnet mask of 255.255.255.0 (/24); no longer or shorter prefix matches
- Match 192.2.3.0/24 min 32 - matches routes whose first 24 bits equal 192.2.3.0 and whose prefix length is 32 (the host routes within 192.2.3.0/24)
- Match 10.0.12.0/24 max 32 - matches all 10.0.12.x networks with a prefix length from 24 up to and including 32
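The matching rules above (Exact, Min and Max, top-down evaluation with an implicit deny) and the Permit List / Deny List modes used when a filter is applied, worked through in an added example that is not Megaport code. It assumes that an omitted Min defaults to the prefix length, an omitted Max to the address-family maximum, that a "Don't Match" rule stops evaluation with a non-match, and that a route hitting no rule is treated as not matched:

```python
import ipaddress


class Rule:
    """One prefix-list entry: CIDR prefix, Min/Max length range, Match or Don't Match."""

    def __init__(self, prefix, match=True, min_len=None, max_len=None):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.match = match  # True = "Match", False = "Don't Match"
        plen, family_max = self.net.prefixlen, self.net.max_prefixlen
        if min_len is None and max_len is None:
            # "Exact": only this prefix with exactly this length is matched.
            self.min_len = self.max_len = plen
        else:
            # Assumed defaults: Min falls back to the prefix length, Max to the
            # address-family maximum (32 for IPv4, 128 for IPv6).
            self.min_len = plen if min_len is None else min_len
            self.max_len = family_max if max_len is None else max_len
        # The page's constraint: prefix length <= Min <= Max, within the family.
        if not plen <= self.min_len <= self.max_len <= family_max:
            raise ValueError(f"invalid Min/Max for {prefix}: {self.min_len}-{self.max_len}")

    def hits(self, route):
        """True when the route lies inside the prefix and its length is in [Min, Max]."""
        r = ipaddress.ip_network(route, strict=False)
        if r.version != self.net.version:  # IPv4 and IPv6 never match each other
            return False
        return r.subnet_of(self.net) and self.min_len <= r.prefixlen <= self.max_len


def list_matches(rules, route):
    """Top-down, first-hit evaluation; no hit is the implicit deny (not matched)."""
    for rule in rules:
        if rule.hits(route):
            return rule.match
    return False


def allowed(rules, mode, route):
    """Apply a list as the portal does: 'none', 'permit' (Permit List) or 'deny' (Deny List)."""
    if mode == "none":
        return True
    matched = list_matches(rules, route)
    return matched if mode == "permit" else not matched


if __name__ == "__main__":
    # The page's own example: 10.0.0.0/8 with Min 16, run over constructed routes.
    r = Rule("10.0.0.0/8", min_len=16)
    for route in ("10.0.0.0/16", "10.0.1.0/24", "10.0.0.1/30", "10.2.0.0/15"):
        print(route, "matched" if r.hits(route) else "not matched")
```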
Creating a prefix filter based on an existing prefix filter
If you want to create a filter that is similar to an existing filter, you can use the existing filter as the basis for the new one. This saves you the time of creating a new filter from scratch.
To create a prefix filter based on an existing filter
- Select an MCR.
  The MCR Details page appears.
- Under MCR Configuration, select the Prefix Filter Lists tab.
- Click Duplicate List.
- Select the filter list on which you want to base the new list.
- Enter a unique descriptive name to identify the filter.
  Prefix names will appear in the drop-down list of prefixes under the Filters tab for the BGP session.
- Make any changes to the parameters unique to this filter.
- Click Save.
- Click Next.
Applying a prefix filter to a BGP connection
Prefix filters are configured directly on MCR and then attached to a BGP connection.
To apply a prefix filter
- Select the VXC attached to the MCR and select A End.
- Next to the BGP connection, click Edit.
- Select the Filters tab.
- Under BGP Prefix Filter, you can apply a predefined prefix filter to the BGP peer to limit the set of routes that will be received from, or advertised to, the peer. These options are available:
  - No Prefix Filter – Allows all routes. No routes will be filtered.
  - Permit List – Allows only routes that match the prefix list. Other routes will be filtered.
  - Deny List – Allows all routes except those that match the selected prefix list.
- Under Import or Export Prefix Filter, select the filter from the drop-down list.
  - Import – MCR applies the prefix filter to inbound advertisements from the neighbor.
  - Export – MCR applies the prefix filter to outbound advertisements to the neighbor.
- Click Update.
- Click Save.
After applying the filter, re-enable route exchange if it is disabled. For more information, see Editing an MCR.
A prefix filter can be attached to more than one BGP session.
Maintaining prefix filters
In a prefix filter list, rules can be added, deleted, and reordered.
Adding a rule to an existing prefix filter
Each prefix filter can contain up to 200 rules. Duplicate rules are not allowed.
To add a rule to an existing filter
- Select an MCR on the Services page.
  The MCR Details page appears.
- Under MCR Configuration, select the Prefix Filter Lists tab.
- Select a prefix list from the Prefix List drop-down list.
- Add the rule.
- Click Save.
You must click Save to apply rule changes. Switching to another list without saving prompts a warning that the changes will be lost.
Deleting a rule from a prefix filter
To delete a rule from a filter
- Select an MCR on the Services page.
  The MCR Details page appears.
- Under MCR Configuration, select the Prefix Filter Lists tab.
- Select a prefix list from the Prefix List drop-down list.
- Select a rule.
- Click Delete.
- Click Save.
Reordering rules in a prefix filter
In a prefix filter list, the rule position is critical because rules are evaluated one at a time, from the top of the list down. Evaluation stops with the first match.
To reorder a rule position
- Drag the icon in the Position column to a different location and release.
Deleting a prefix filter list
To delete a prefix filter list, you must first remove any other resources that reference it, such as VXCs. If you try to delete a prefix filter list before removing its resources, a dialog lists the resources in use.
Note
All prefix lists are automatically removed from an MCR when it is terminated.
To delete a prefix filter
- Select an MCR on the Services page.
  The MCR Details page appears.
- Under MCR Configuration, select the Prefix Filter Lists tab.
- Select a prefix list from the Prefix List drop-down list.
- Click Delete List.
- Click Save.
Validating routes after applying filters
The MCR Looking Glass displays the routes received or sent after applying route filtering. For more information, see Viewing Traffic Routing Through MCR Looking Glass.
To view the routes after applying a route filter
- Choose Tools > MCR Looking Glass.
- Select an MCR from the MCR drop-down list.
- Next to the VXC, click Neighbour Routes.
- After Show, select the Advertised or Received tabs to narrow the list.