Cloud Enterprise Network (CEN) supports route maps. You can use route maps to filter and modify routes. This helps you manage the communication between network instances attached to a CEN instance.

Features

A regional gateway is deployed in each region supported by a CEN instance. Regional gateways allow network instances that are attached to the CEN instance to communicate with each other. Network instances that can be attached to CEN instances are virtual private clouds (VPCs), virtual border routers (VBRs), and Cloud Connect Network (CCN) instances. Routes are advertised among the attached network instances within the same region or across regions through regional gateways in two directions: RegionIn and RegionOut.

Route maps

Each route map is a collection of statements that include match conditions of routes and actions to perform on routes. You can add route maps of two directions to each regional gateway to manage the inbound and outbound routes. Route maps are sorted in ascending order of priority values. The system matches routes against match conditions starting from the route map with the lowest priority value. If a route meets the match conditions in a route map, the system permits or denies the route based on the action policy that you set. You can modify the attributes of permitted routes.

Elements of route maps

A route map consists of basic information, match conditions, and policy entries.
Note You can configure policy entries only when the action policy is set to permit.
  • The following table describes the basic information of a route map.
    Element Description
    Route Map Priority The priority of the route map. A lower value indicates a higher priority.

    After you specify a priority value for a route map, you cannot set the same priority value for another route map that is applied in the same region and direction. The system matches routes against match conditions starting from the route map with the lowest priority value. Therefore, set appropriate priority values to sort the route maps in the desired order.

    Description The description of the route map.
    Region The region to which the route map is applied.
    Transmit Direction The direction to which the route map is applied.
    • Import to Regional Gateway: Routes are imported to a regional gateway. For example, routes are imported to a regional gateway from a network instance in the same region, or from a network instance that is created in a different region.
    • Export from Regional Gateway: Routes are exported from a regional gateway. For example, routes are exported from a regional gateway to a network instance in the same region, or to a regional gateway in another region.
    Action Policy The action that you want to perform on a route if the route meets all match conditions. The following actions are supported:
    • Permit: Routes that meet all match conditions are permitted.
    • Deny: Routes that meet all match conditions are denied.
    Associated Priority Optional. The priority value of the next route map that is associated with the current route map. Valid values: 1 to 100.
    • If Associated Priority is not set, the current route map is not associated with another route map.
    • If the value is set to 1, the current route map is associated with the next route map.
    • If the associated priority is set to a value other than 1, it must be greater than the priority value that you set for the current route map. This means that the priority of the associated route map must be lower than that of the current route map.

    Only when you set the action policy to Permit, routes that meet all match conditions can be evaluated by the associated route map.

  • The following table describes the elements of a match condition.
    Element Description
    Source Region The system evaluates all routes that are advertised from a specified region.

    You can specify only the source region of routes. The destination region of routes cannot be specified as a match condition.

    Source Instance IDs The system evaluates all routes that are advertised from the specified network instances. You can specify IDs of VPCs, VBRs, CCN instances, or Smart Access Gateway (SAG) instances.

    You can select Exclude Specified IDs to exclude specified network instances. After you specify IDs of the network instances that you want to exclude, the system evaluates only routes from network instances that are not on the list.

    Destination Instance IDs The system evaluates all routes that are advertised to the specified network instances. You can specify IDs of VPCs, VBRs, CCN instances, or SAG instances.

    You can select Exclude Specified IDs to exclude the specified network instances. After you specify IDs of the network instances that you want to exclude, the system evaluates only routes to network instances that are not on the list.

    Note This element is valid only when the direction is set to Export from Regional Gateway. In addition, the specified network instances must be deployed in the same region as the regional gateway.
    Source Route Table The system evaluates all routes that are advertised from the specified route table.
    Destination Route Table The system evaluates all routes that are advertised to the specified route table.
    Note This element is valid only when the direction is set to Export from Regional Gateway. In addition, the specified destination route table must be in the same region as the regional gateway.
    Source Instance Type The system evaluates all routes that are advertised from the specified type of network instance. You can specify VPC, VBR, or CCN for this element.
    Destination Instance Type The system evaluates all routes that are advertised to the specified type of network instance. You can specify VPC, VBR, or CCN for this element.
    Note This match condition is valid only when the direction of the route map is set to Export from Regional Gateway. In addition, the destination instance type must be the same as the source instance type.
    Route Type The system evaluates the specified types of routes. The following route types are supported:
    • System: routes that are generated by the system.
    • Custom: routes that are manually added.
    • BGP: routes that are advertised to BGP.
    Route Prefix The system evaluates routes with the specified prefix. The following methods are supported:
    • Fuzzy Match: If the prefix of a route is within the prefix scope set in the match condition, the route meets the match condition.

      For example, if the match value is set to 1.1.0.0/16 and the match method is set to Fuzzy Match, the route with the prefix 1.1.1.0/24 matches the condition.

    • Exact Match: A route matches the condition only when the prefix of the route is the same as the prefix set in the match condition.

      For example, if the match value is set to 1.1.0.0/16 and the match method is set to Exact Match, only the route with the prefix 1.1.0.0/16 meets the match condition.

    AS Path The system evaluates routes based on the AS path. The following match methods are supported:
    • Fuzzy Match: A route meets the match condition if the AS path of the route overlaps with the AS path set in the match condition.

      For example, if the AS path in the match condition is set to [65001,65002] and the match method is set to Fuzzy Match, the route with the AS path [65501,65001] meets the condition.

    • Exact Match: A route meets the match condition only when the AS path of the route is the same as the AS path in the match condition.

      For example, if the AS path in the match condition is set to [65501,65001,60011] and the match method is set to Exact Match, only the route with the AS path [65501,65001,60011] meets the match condition.

    Note AS path is a well-known mandatory attribute, which is a list of ASNs that a BGP route passes through to reach the local router.
    Community The system evaluates routes based on the community values. The following match methods are supported:
    • Fuzzy Match: A route meets the condition if the community of the route overlaps with the community in the match condition.

      For example, if the community in the match condition is set to [65001:1000,65002:2000] and the match method is set to Fuzzy Match, the route with the community [65501:1000,65001:1000] meets the condition.

    • Exact Match: A route meets the condition only when the community of the route is the same as the community in the match condition.

      For example, if the community in the match condition is set to [65001:65001,65002:65005,65003:65001] and the match method is set to Exact Match, only the route with the community [65001:65001,65002:65005,65003:65001] meets the condition.

    Note Community is an optional transitive attribute. You can set different community values for different routes. Downstream routers can use community values to match routes.
  • The following table describes the elements of a policy entry.
    Element Description
    Route Preference Set the preference of the routes to be permitted.
    Community Set the community value. The following settings are supported:
    • Add
    • Replace
    Prepended AS Path An AS path is prepended when the regional gateway receives or advertises a route.
    An AS path is prepended based on whether routes are imported to or exported from the regional gateway.
    • If the direction of a route map is set to Import to Regional Gateway and you want to configure AS Path prepending, you must specify Source Instance IDs and Source Region as match conditions. The Source Region that you specify must be the same region to which the route map is applied.
    • If the direction of a route map is set to Export from Regional Gateway and you want to configure AS Path prepending, the match conditions must include Destination Instance IDs.

Evaluation of route maps

Route maps evaluate routes in match-action mode. Actions are performed after conditions are matched. The system matches conditions with routes in descending order of route map priority, that is, starting from the route map with the lowest priority value.

  • If a route meets all conditions in a route map, an action is performed on the route.
    • If you set the action policy to Permit, routes that meet the match conditions are permitted. By default, after a route is evaluated by a route map, the route is not evaluated by the next route map. However, if an associated priority value is configured for a route map, after a route is evaluated by the route map, the route is evaluated by another route map with the configured priority.
    • If you set the action policy to Deny, routes that meet the match conditions are denied. The denied routes are not evaluated by the next route map. The evaluation process is ended.
  • If a route fails to meet all conditions in a route map, the route is evaluated by the next route map.
  • If the route meets all conditions in the next route map, an action is performed on the route.
    • If you set the action policy to Permit, routes that meet the match conditions are permitted. By default, after a route is evaluated by a route map, the route is not evaluated by the next route map. However, if an associated priority value is configured for a route map, after a route is evaluated by the route map, the route is evaluated by another route map with the configured priority.
    • If you set the action policy to Deny, routes that meet the match conditions are denied. The denied routes are not evaluated by the next route map.
  • If a route fails to meet all match conditions in a route map, the route is evaluated by the next route map.
  • If a route fails to meet all match conditions in all route maps, the route is permitted by the last route map that evaluates the route.
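
The evaluation order described above can be modeled offline to check what a set of route maps lets through before it is applied. The following Python sketch is an added example, not Alibaba Cloud code or an API client. It covers only the Route Prefix and Source Instance IDs conditions, and it assumes that after an associated permit, evaluation resumes at the route map with the associated priority. Instance IDs and prefixes are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RouteMap:
    priority: int            # lower value is evaluated first
    action: str              # "permit" or "deny"
    prefix: str = None       # Route Prefix match value; None = condition not set
    exact: bool = False      # True = Exact Match, False = Fuzzy Match
    sources: tuple = None    # Source Instance IDs; None = condition not set
    associated: int = None   # Associated Priority; None = no association

    def matches(self, route):
        # A route must meet every configured match condition.
        if self.sources is not None and route["source"] not in self.sources:
            return False
        if self.prefix is None:
            return True
        want = ipaddress.ip_network(self.prefix)
        got = ipaddress.ip_network(route["prefix"])
        if self.exact:
            return got == want
        return got.version == want.version and got.subnet_of(want)

def evaluate(route, route_maps):
    """Return (verdict, priorities of the route maps the route matched)."""
    maps = sorted(route_maps, key=lambda m: m.priority)
    hits, i = [], 0
    while i < len(maps):
        m = maps[i]
        if not m.matches(route):
            i += 1                       # no match: try the next route map
            continue
        hits.append(m.priority)
        if m.action == "deny":
            return "deny", hits          # denied: evaluation ends
        if m.associated is None:
            return "permit", hits        # permitted, later maps never run
        # Assumption: 1 means the next map; otherwise resume at that priority.
        target = next((k for k, x in enumerate(maps)
                       if x.priority >= m.associated), len(maps))
        i = i + 1 if m.associated == 1 else max(i + 1, target)
    return "permit", hits                # matched nothing further: permitted

# Constructed sample: instance IDs and prefixes are placeholders.
CHAINED = [RouteMap(10, "permit", prefix="10.0.0.0/8", associated=30),
           RouteMap(20, "deny", prefix="10.1.0.0/16", exact=True),
           RouteMap(30, "deny", sources=("vpc-1",))]
ROUTE = {"source": "vpc-1", "prefix": "10.1.2.0/24"}

if __name__ == "__main__":
    print(evaluate(ROUTE, CHAINED))
```

With the association in place, the sample route is denied by the route map at priority 30. If Associated Priority is removed from the first route map, the broad permit at priority 10 ends the evaluation and the later deny never runs.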

Limits

Before you use route maps, take note of the following limits:
Item Limit Adjustable
Number of route maps that can be created in the Import to Regional Gateway direction for each regional gateway 100 N/A
Number of route maps that can be created in the Export from Regional Gateway direction for each regional gateway 100 N/A

Scenarios

Route maps can be used in the following scenarios:
  • Manage the communication between VPCs, between a VPC and a VBR, and between a VPC and a CCN instance
    By default, the communication between two VPCs, between a VPC and a VBR, and between a VPC and a CCN instance is not blocked. However, in some scenarios, you may need to block the communication between certain network instances as shown in the following figure.

    You can use route maps to block the communication between VPC 1 and VPC 2, while maintaining the communication between VPC 1 and CCN 1, between VPC 1 and VBR 1, between VPC 2 and CCN 1, and between VPC 2 and VBR 1.

  • Manage the communication between VBRs, between a VBR and a VPC, and between a VBR and a CCN instance
    By default, the communication between VBRs, and the communication between a VBR and a CCN instance attached to a CEN instance are blocked. However, in some scenarios, you may need to allow the VBRs to communicate with each other, and the VBR and the CCN instance to communicate with each other.

    In this case, you can use route maps to allow VBR 1 and VBR 2 to communicate with each other. But VBR 1 and CCN 1 cannot communicate with each other. VBR 2 and CCN 1 cannot communicate with each other.

  • Manage the communication between a CCN instance and a VPC, between a CCN instance and a VBR, and between CCN instances
    By default, the communication between CCN instances and the communication between a CCN instance and a VBR attached to a CEN instance are blocked. However, in some scenarios, you may need to allow a CCN instance to communicate with another CCN instance or with a VBR as shown in the following figure.

    In this case, you can use route maps to allow CCN 1 and CCN 2 to communicate with each other. CCN 1 and VBR 1 cannot communicate with each other. CCN 2 and VBR 1 cannot communicate with each other.
