MCR Route Filtering

This topic describes Megaport Cloud RouterA managed virtual router service that establishes Layer 3 connectivity on the worldwide Megaport software-defined network (SDN).
(MCR) route filtering. Route filtering provides selective control over which networks are discoverable between Border Gateway Protocol (BGP) neighbor routers. Route filtering is configured to influence the routing path and manage redundancy, while improving security.

Route filtering overview

Route filtering provides control over MCR route installation and propagation, typically between two or more networks. The networks can be either on-premises or a cloud service provider (CSP). You can use route filtering to:

• Redistribute or prevent redistribution of routes between Virtual Cross Connects (VXCs).
• Create a BGP prefix filter that includes a set of IPv4 or IPv6 CIDR blocks to manage as a group.
• Allow or deny specific routes on specific connections.

Default peering route advertisements

MCR uses Border Gateway Protocol (BGP) to exchange network reachability information with adjacent BGP systems, known as neighbors, or peers. MCR works in multi-cloud architectures that are connected using different combinations of peering types. In addition to private peering connectivity, the MCR can connect to public peering types such as AWS, Azure, Oracle, and other cloud service providers (CSPs).

BGP communicates between two neighbors using a standard TCP connection. By default, once the BGP neighbors are connected, they share routing information with each other. The connection between the neighbors is called a BGP connection or session.

Without using any route filters, Megaport advertises routes to BGP connections based on these peering types:

Peering Type	Routes Advertised	Advertised To
Non-cloud	Routes from the Border Gateway Protocol (BGP) peer behind a Port.	Non-cloud, private cloud, public cloud
Private cloud	Routes from AWS Private, Azure Private Peer, and Google Cloud Platform.	Non-cloud, private cloud
Public cloud	Routes from AWS Public, Azure MS Peer, Salesforce, and other cloud providers.	Non-cloud

As an example, a route received from a Public Cloud BGP connection will not be advertised to a Private Cloud BGP connection.

You cannot override or control the peering type route advertisement.

Route filtering doesn’t change this existing peer type policy but provides finer control when you need to filter specific routes or prefixes that would have otherwise been discovered and exchanged between BGP neighbors. Route filters are optional. Route filters cannot be used to advertise routes that are already filtered based on the peer type.

For the default route advertisement details, go to MCR Route Advertisement.

Using a route filter or peer policy

You can define which route advertisements MCR permits or denies from BGP neighbors. You can filter routes by BGP connection or by prefix. Route filtering supports IPv4 and/or IPv6 routes for each format. The two ways to control route advertisement are:

• BGP peer policy – A global all-or-nothing policy that permits or denies route exchange between BGP neighbors. You can also optionally override the default for a pair of BGP connections to fine-tune routing. For example, consider a network deployment with BGP neighbors A, B, and C. A and B are allowed to exchange routes with each other but not with C, while all neighbors can exchange routes with headquarters. BGP peer policies provide a simple and straightforward way to filter routes between the neighbors to meet these requirements.

• BGP prefix filter – An advanced filter that permits or denies specific routes using route prefixes (IP addresses or ranges) to identify individual neighbors. You can apply the same prefix filter to more than one BGP neighbor, eliminating the need to type manual, redundant prefix entries. You can specify a permit or deny action for each prefix in the filter list. You can apply different lists using import or export directions.

Before you begin

Before configuring a route filter, plan the implementation by determining your requirements. Then create a route filter based on these requirements.

Deployment considerations

• You need to create an MCR, as described in Creating an MCR.
• You can configure route filters before or after configuring BGP, as route filters work on existing or new BGP connections.
• You might want to shut down BGP route exchange if you plan to add a number of BGP sessions across your Virtual Cross Connects (VXCs) before they exchange route information and route filters are applied. When you are finished configuring, you can then go into the relevant BGP sessions and enable them. For details, go to Configuring an MCR.

Important

MCR route filtering supports and relies on the BGP Route Refresh mechanism to update routes using a soft reset when filters change the routing. If Route Refresh is not enabled on all active BGP connections, you need to shut down and re-enable the connection in the Megaport ONE Portal to update routes. If you have enabled the BGP Shut Down option, routes will be updated when you disable BGP Shut Down; that is, re-enable BGP.

Filtering by BGP peer

By default, MCR permits all routes unless otherwise filtered by the peer type policy, as described in Default Peering Route Advertisements. You can change this default policy for all peers and optionally override the default for a pair of BGP connections to fine-tune routing. The BGP pairings are unidirectional, meaning that each pair of BGP connections has two policies - one for A to B, and another for B to A.

A BGP peer policy has three possible actions:

• Default - Follows the default policy defined by the source peering type BGP connection.
• Permit - Allows routes received from neighbor A to be advertised to neighbor B.
• Deny - Prevents routes received from neighbor A being advertised to neighbor B.

BGP peer policy example

BGP connections A, B, and C are connected to the same MCR.

Connection A has a global permit policy. To filter routes toward connection B, the A to B policy can be set to Deny without affecting any routes advertised to C.

Connection C has a global deny policy. To allow routes to be advertised only to A, the C to A policy can be set to Permit. If a new BGP peer is added later, routes from C will follow the global policy and not be advertised.

Creating a BGP peer policy

A BGP peer policy sets the how routes are filtered globally for all peers. You can optionally override the default policy for a pair of BGP connections to fine-tune routing. This lets you limit the number of routes that have been advertised or received from BGP neighbors.

To create a global BGP peer route policy

1. Choose Networking > Services.
2. Locate the MCR, select the VXC attached to the MCR, and select the A-End Configuration tab.

3. Click Edit.

   

4. Select the BGP Peer Route Advertising tab.
   

5. Select a global action for the BGP peer from the Default Peer Route Advertising Policy drop-down list.

   • Permit – Allows routes received from neighbor A to be advertised to neighbor B.
   • Deny – Prevents routes received from neighbor A being advertised to neighbor B.

6. Click Confirm.

To create route advertisement policy for individual peers

1. Choose Networking > Services.
2. Locate the MCR, select the VXC attached to the MCR, and select the A-End Configuration tab.
3. Click Edit.
4. Click the gear icon next to the BGP connection and select Edit.

5. Select the BGP Peer Route Advertising tab.
   

6. Select an action from the Policy drop-down menu.

   • Use Default (Permit) – Follows the default policy defined by the source peering type BGP connection.
   • Permit – Allows routes received from neighbor A to be advertised to neighbor B.
   • Deny – Prevents routes received from neighbor A being advertised to neighbor B.

7. Click Confirm.

The MCR Looking Glass displays the routes received or sent after applying route filtering. For details, see Viewing Traffic Routing Through MCR Looking Glass.

Filtering by BGP prefix

A prefix is the destination network of the route. An IP network is a group of IP addresses. The network address is the prefix. For example:

• IPv4 address: 192.0.2.1
• IPv4 network prefix: 192.0.2.0/24 (includes 192.0.2.0 - 192.0.2.255)

A prefix filter is a named list of IP networks. Each entry consists of an IPv4 or IPv6 CIDR prefix or range of prefixes that you define and manage. A CIDR range means that you can filter several networks using a single routing entry.

A prefix filter list can be applied to a BGP connection to selectively identify routes to advertise or receive from neighboring routers. You can also make a list of routes not to advertise or receive, allowing everything else. When you define a prefix filter, the MCR accepts only routes matching the prefix information. This filter type is useful in environments with a large list of prefixes and peers to manage. You can apply the same prefix filter to more than one BGP peer, reducing manual work and eliminating potential errors.

A prefix filter list contains:

• A list of IPv4 or IPv6 prefixes (for example, 10.0.0.0/16) and a name associated with the list.
• A match condition. You can specify exact matches with specific routes or less precise matches based on prefix length.
• An action that is carried out if the prefix and the match condition are both true (for example, Permit).

In a prefix filter list, rules are evaluated from the top down. Evaluation stops with the first match. An implicit deny is applied to routes that don’t match any prefix list entry.

Creating a BGP prefix filter list

• Each MCR can manage up to 50 prefix filters.
• Each prefix filter list can contain up to 200 prefix entries. You can import prefixes in bulk using a CSV formatted file. For details, see Importing prefixes in bulk.
• Each prefix filter is independent and you can apply only one list per BGP neighbor at a time.
• You can apply a prefix filter multiple times to different BGP peers.

To create a prefix filter list

1. Choose Networking > Services.

2. Select an MCR or use the search filter to locate and select an MCR.
   The MCR Details page appears. MCR must have a Live provisioning status before you can create a prefix filter.

3. Select the Configuration tab.

   

4. Click Create New Prefix List.

   

5. Enter a unique descriptive name to identify the filter.
   The minimum description length is from 1 to 100 characters. The prefix filter name will appear in the drop-down list of existing prefixes on the MCR and on the BGP Prefix Filtering tab for a BGP connection.

   Note

   Prefix filter lists cannot be shared among MCRs. You must re-create prefix filters for each MCR.

6. Select either IPv4 or IPv6 format.
   A warning appears if you try to mix the two formats within the same list. All prefixes must use the same address format.

7. Select a position for the rule. The rule position is critical because evaluation stops with the first match and the rest of the list is ignored. If no conditions match, MCR applies an implicit deny.

8. Select the action to take for the filter: Permit or Deny.

9. Enter the prefix subnets in CIDR notation. For IPv4, use a.b.c.d/x, where a.b.c.d is the exact prefix and x is the exact prefix length.

   Note

   This field also accepts a dotted-quad notation for the subnet mask (for example, 255.255.255.0 instead of /24).

10. Prefixes can be exact-match-only or you can specify the number of bits in the mask to use as matching criteria. Select the subnet mask criteria:

    • Exact – Limits the filter to only this specific prefix. Any smaller prefixes contained within the prefix are not matched.

    • Min and Max – Specify a range of subnet mask lengths to match for more flexibility. Specify how many bits of the subnet mask the filter needs to match, starting with the most significant bit in the leftmost position of the address. When you specify a subnet mask range, the filter now has two conditions to match: the route must be within the a.b.c.d/x boundary and it must have a mask length between the minimum and maximum range. Shorter prefixes match more addresses, while longer prefixes match fewer.

    • Min – The minimum starting prefix length to be matched. Valid values are from 0 to 32 (IPv4), or 0 to 128 (IPv6). The Min must be no greater than or equal to the Max value.

    • Max – The maximum ending prefix length to be matched. The prefix length is greater than or equal to the Min value. Valid values are from 0 to 32 (IPv4), or 0 to 128 (IPv6), but the Max must be no less than the value of Min.

    For example, 10.0.0.0/8 Min 16 matches 10.0.0.0/16, 10.0.1.0/24, 10.0.0.1/30 but does not match 10.2.0.0/15.

    Note

    The Min and Max values on MCR are similar to Cisco’s ge and le values used with the ip prefix-list CLI command.

    When using the Min and Max values, you must satisfy this condition:

    Prefix length < Max <= Min

11. Click Save List.

    Note

    Use a CIDR calculator to ensure that all data is valid and within range.

The next step is to apply the filter to the BGP connection, as described in Applying a Prefix Filter to a BGP Connection.

Example prefix filter entries

• Exact match on 1.2.3.0/24 - exactly matches the prefix 1.2.3.0 with a subnet mask of 255.255.255.0
• Match 192.2.3.0/24 min 32 - checks the first 24 bits of the prefix 192.2.3.0 that have a subnet mask of 32
• Match 10.0.12.0/24 max 32 - matches all 10.0.12.x networks that have a subnet mask less than or equal to 32

Creating a prefix list filter based on an existing prefix list filter

If you want to create a filter that is similar to an existing filter, you can use the existing filter as the basis for the new one. This saves you the time of creating a new filter from scratch.

To create a prefix filter based on an existing filter

1. Choose Networking > Services.
2. Select an MCR or use the search filter to locate and select an MCR.
   The MCR Details page appears.
3. Select the Configuration tab.
4. Select Edit Existing Prefix List.
5. Select the prefix list you want to base the new list on.

6. Click Duplicate List.

   

7. Enter a unique descriptive name to identify the filter.

8. Make any changes to the parameters unique to this filter.
9. Click Update List.

Applying a prefix filter to a BGP connection

Prefix list filters are configured directly on MCR and then attached to a BGP connection.

To apply a prefix filter

1. Choose Networking > Services.
2. Locate the MCR.
3. Select the VXC attached to MCR and select A-End Configuration.
4. Click Edit.
5. Next to the BGP connection, click the gear icon and select Edit.

6. Select the BGP Prefix Filtering tab.

   

7. Under Received or Advertised Routes Filter, select the filter from the drop-down list.

   • Received - MCR applies the prefix filter to inbound advertisements from the neighbor.
   • Advertised - MCR applies the prefix filter to outbound advertisements to the neighbor.

8. Click Confirm.

After applying the filter, re-enable route exchange if it is disabled. See Editing an MCR.

A prefix filter can be attached to more than one BGP session.

Importing prefixes in bulk

Suppose you have a large number of prefixes to add to an MCR prefix list. To simplify the process, you can import the prefixes in bulk by loading data from a comma-separated values (CSV) formatted file into a prefix list. Megaport ONE provides a CSV template to format the prefix list details that map to a prefix list.

To import prefix list data in bulk

1. Choose Networking > Services.
2. Select an MCR or use the search filter to locate and select an MCR.
   The MCR Details page appears.
3. Select the Configuration tab.
4. Select the prefix list that will receive the data from the CSV file.
5. Click Download our Prefix List CSV Template to bulk import prefixes.
6. Open the downloaded prefix template.
7. Add the prefix list data to the sheet and save the file.
8. Select From File as the Import Method.
9. Click Choose File, select the CSV file, and click Open.
   The file rows appear in the list. Any invalid fields are flagged.
10. Click Save List.

Maintaining prefix filters

In a prefix filter list, rules can be added, deleted, and reordered.

Adding a rule to an existing prefix filter

Each prefix filter can contain up to 200 rules. Duplicate rules are not allowed.

To add a rule to an existing filter

1. Choose Networking > Services.
2. Select an MCR or use the search filter to locate and select an MCR.
   The MCR Details page appears.
3. Select the Configuration tab.

4. Select Edit Existing Prefix List.

   

5. Select a prefix list from the Existing Prefix Lists drop-down list.

6. Add the rule to the bottom of the list.
7. Click Update List.

Deleting a rule from a prefix filter

To delete a rule from a filter

1. Choose Networking > Services.
2. Select an MCR or use the search filter to locate and select an MCR.
   The MCR Details page appears.
3. Select the Configuration tab.
4. Select a rule.
5. Click the trash can icon.
6. Click Update List.

Reordering rules in a prefix filter

In a prefix filter list, the rule position is critical because rules are evaluated one at a time, starting at the top of the list down. Evaluation stops with the first match.

To reorder a rule position

• Drag the icon under the Position column to a different location and release.

  

Deleting a prefix filter

To delete a prefix list, you must first remove any other resources that reference it, such as VXCs. if you try to delete a prefix filter list before removing its resources, a dialog lists the resources in use.

Note

All prefix lists are automatically removed from an MCR when it is terminated or deprovisioned.

To delete a prefix filter

1. Choose Networking > Services.
2. Select an MCR or use the search filter to locate and select an MCR.
   The MCR Details page appears.
3. Under MCR Configuration, select the Edit Existing Prefix Filter List tab.
4. Select a prefix list from the Prefix List drop-down list.
5. Click Delete List.
6. Click Save.

Validating routes after applying filters

The MCR Looking Glass displays the routes received or sent after applying route filtering. For details, go to Viewing Traffic Routing Through MCR Looking Glass.

To view the routes after applying a route filter

1. Choose Tools > MCR Looking Glass.

   

2. Select an MCR from the MCR drop-down list.

3. Select the BGP Table tab.
4. Select Advertised Routes or Received Routes from the Show drop-down list to narrow the display.

---

Last update: 2023-03-20