Embedding SPZ, PAG, and SPN values in device configuration

What Values are Statically Configured?

Each node/router/BGP-speaker in this reference implementation will have administratively defined values for each of the following:

OSPZ: The value (an integer between 0 and 100) of the Symmetric Perimeter Zone (SPZ) of which the node/router/BGP-speaker is a member

OPAG: The value (an integer between 0 and 100) of the Path Affinity Group (PAG) of which the node/router/BGP-speaker is a member

SPN: The value (a boolean type, expressed as 0 or 1) of the node/router’s Symmetric Perimeter Node (SPN) property. “0” if the node is not an SPN, and “1” if the node “is” an SPN.

How are the values encoded?

We will be using the BGP large community attribute to signal SPZ, PAG, and SPN information in BGP route updates, but every node/router in the network must be explicitly configured with the administratively assigned values of its own SPZ, PAG, and SPN properties. Those values must also be accessible to the logic in the BGP policy configuration of the routers. We will use a cobination of route-map configuration and large-community-list configuration to encode each device’s values.

n this reference implemenation, we will use autonomous system number 64496 for the Global Administrator Field in the BGP Large Community Attributes.

Symmetric Perimeter Zone (SPZ)

As previously described, each node/router will have an administratively assigned SPZ value. We will record that value within the node/router’s configuration using the “large-community-list” feature, so as expose the value to the router’s BGP policy configuration mechanism. We use large-communities with Local Data Part 1 values of 122881 and 122885 (as per the schema presented in the previous section) and Local Data Part 2 values selected during the design of the network.

There are two distinct IP prefix lists (“…OSPZ…”, “…PSPZ…”) defined, both evaluating against the same SPZ value. This is because we will need to differentiate BGP policy behavior later based on whether the router is originating or propagating a route. This is demonstrated in the following configuration template/snippet.

1 2	ip large-community-list OSPZ permit 64496:122881:[$mySPZ] ip large-community-list PSPZ permit 64496:122885:[$mySPZ]

For a router “in” SPZ “8”, that rendered configuration would be:

1 2	ip large-community-list OSPZ permit 64496:122881:8 ip large-community-list PSPZ permit 64496:122885:8

Path Affinity Group (PAG)

A router’s PAG property is configured using the same mechanism as the SPZ value, but with large-communities using LD Part 1 values of “2” and “4” (instead of “1” and “5”; as per the schema presented in the previous section):

1 2	ip large-community-list OPAG permit 64496:122882:[$my-SPZid] ip large-community-list PPAG permit 64496:122884:[$my-SPZid]

Symmetric Perimeter Node (SPN)

As previously described, some nodes on the network will execute services that cause traffic to be discarded if only one of a set of source/destination-inverted flow-pairs between two endpoints traverses the node (as with network firewalls.) Nodes that do execute such services are assigned an SPN value of “1” (true), while nodes that do not execute such services are assigned an SPN value of “0” (false). The routing policy framework that we are implementing here executes different logic based on whether the router propagating the route is an SPN or is not an SPN, so we will need to encode that in a manner accessible to the routing-policy engine.

1	ip large-community-list am-I-SPN permit 64496:122886:[$mySPN]

What Operations Are Performed on These Values?

The path selection algorithm that we are implementing requires the following operations/evaluations:

Is the $OPAG value of a learned BGP route the same as the learning router’s PAG value?
- Trivial to implement with route-map logic
Is the $OSPZ value of a learned BGP route the same as the learning router’s SPZ value?
- Trivial to implement with route-map logic
Is the router’s SPN value true or false?
- Trivial to implement with route-map logic
Numerical comparison of router’s SPZ value to route-advertisement’s $OSPZ
- Klunky, but feasible, to implement with route-map logic

How Are These Operations Are Performed?

Finding matches for $OPAG and $OSPZ values

The path selection algorithm that we are implementing requires the following operations/evaluations:

Device Configuration Template

BGP Neighbor Group Configuration

enable
config t
!router bgp ____
neighbor msmz-policy peer group
neighbor msmz-policy route-map symmetry-policy-receiving-map in
neighbor msmz-policy route-map symmetry-policy-sending-map out
neighbor msmz-policy send-community extended large
neighbor msmz-policy additional-paths receive
neighbor msmz-policy additional-paths send any

Variable Substitutions

!New-routing-policy; v3.
!Find/replace the values below. (Make a working-copy of this file first.)
!That will handle all of the simple string-substition customization
! Find / Replace-with
! [$my-zoneid]  [$my-zoneid]
!! Security-zone of THIS router
! [$my-siteid]  [$my-siteid]
!! Site-ID of THIS router
! [$am-i-stateful] [$am-i-stateful] !! Is this router running stateful services? (0/1 = no/yes)

Manually Modify This List

!====================================READ THIS SECTION CAREFULLY - MANUAL MODIFICATION REQUIRED====================================!
! Comment/un-comment lines in this list, based on THIS routers' security-zone ID
! E.g., if router's SPZ is "3", lines ""..:4" through "..:10" should be included in the "OSPZ-gt-mySPZ" list,
!   and lines "...1" through "...3" should be removed.
!
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:1
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:2
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:3
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:4
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:5
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:6
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:7
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:8
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:9
ip large-community-list OSPZ-gt-mySPZ permit 64496:128881:10
!
route-map symmetry-policy-sending-map permit 4000
! Manually un-comment or comment the following line based on whether THIS router is running stateful services or not.
! sub-route-map yes-i-am-stateful-map
    continue
!==========================================END OF MANUAL MODIFICATION SECTION==========================================!

Variable Substitutions

!New-routing-policy; v3.
!Find/replace the values below. (Make a working-copy of this file first.)
!That will handle all of the simple string-substition customization
! Find / Replace-with
! [$my-zoneid]  [$my-zoneid]
!! Security-zone of THIS router
! [$my-siteid]  [$my-siteid]
!! Site-ID of THIS router
! [$am-i-stateful] [$am-i-stateful] !! Is this router running stateful services? (0/1 = no/yes)

Perform Variable Substitution on This Section

!====================================READ THIS SECTION CAREFULLY - FIND/REPLACE MODIFICATION REQUIRED====================================!
ip large-community-list am-i-stateful permit 64496:128886:[$am-i-stateful]
ip large-community-list mySPZasOSPZ permit 64496:128881:[$my-zoneid]
ip large-community-list myPAGasOPAG permit 64496:128882:[$my-siteid]
ip large-community-list myPAGasPPAG permit 64496:128884:[$my-siteid]
ip large-community-list mySPZasPSPZ permit 64496:128885:[$my-zoneid]
!
!==========================================END OF FIND/REPLACE MODIFICATION SECTION==========================================!
!
!====================================UNIFORM/CONSISTENT CONFIGURATON FOR ALL DEVICES IN ROUTING POLICY DOMAIN====================================!
service routing protocols model multi-agent
service routing configuration route-map set-operations sequential
ip large-community-list 64496:128881:0 permit 64496:128881:0
ip large-community-list 64496:128881:1 permit 64496:128881:1
ip large-community-list 64496:128881:2 permit 64496:128881:2
ip large-community-list 64496:128881:3 permit 64496:128881:3
ip large-community-list 64496:128881:4 permit 64496:128881:4
ip large-community-list 64496:128881:5 permit 64496:128881:5
ip large-community-list 64496:128881:6 permit 64496:128881:6
ip large-community-list 64496:128881:7 permit 64496:128881:7
ip large-community-list 64496:128881:8 permit 64496:128881:8
ip large-community-list 64496:128881:9 permit 64496:128881:9
ip large-community-list 64496:128882:0 permit 64496:128882:0
ip large-community-list 64496:128882:1 permit 64496:128882:1
ip large-community-list 64496:128882:2 permit 64496:128882:2
ip large-community-list 64496:128882:3 permit 64496:128882:3
ip large-community-list 64496:128882:4 permit 64496:128882:4
ip large-community-list 64496:128882:5 permit 64496:128882:5
ip large-community-list 64496:128882:6 permit 64496:128882:6
ip large-community-list 64496:128882:7 permit 64496:128882:7
ip large-community-list 64496:128882:8 permit 64496:128882:8
ip large-community-list 64496:128882:9 permit 64496:128882:9
ip large-community-list 64496:128883:0 permit 64496:128883:0
ip large-community-list 64496:128883:1 permit 64496:128883:1
ip large-community-list 64496:128883:2 permit 64496:128883:2
ip large-community-list 64496:128883:3 permit 64496:128883:3
ip large-community-list 64496:128883:4 permit 64496:128883:4
ip large-community-list 64496:128883:5 permit 64496:128883:5
ip large-community-list 64496:128883:6 permit 64496:128883:6
ip large-community-list 64496:128883:7 permit 64496:128883:7
ip large-community-list 64496:128883:8 permit 64496:128883:8
ip large-community-list 64496:128883:9 permit 64496:128883:9
ip large-community-list 64496:128884:0 permit 64496:128884:0
ip large-community-list 64496:128884:1 permit 64496:128884:1
ip large-community-list 64496:128884:2 permit 64496:128884:2
ip large-community-list 64496:128884:3 permit 64496:128884:3
ip large-community-list 64496:128884:4 permit 64496:128884:4
ip large-community-list 64496:128884:5 permit 64496:128884:5
ip large-community-list 64496:128884:6 permit 64496:128884:6
ip large-community-list 64496:128884:7 permit 64496:128884:7
ip large-community-list 64496:128884:8 permit 64496:128884:8
ip large-community-list 64496:128884:9 permit 64496:128884:9
ip large-community-list 64496:128885:0 permit 64496:128885:0
ip large-community-list 64496:128885:1 permit 64496:128885:1
ip large-community-list 64496:128885:2 permit 64496:128885:2
ip large-community-list 64496:128885:3 permit 64496:128885:3
ip large-community-list 64496:128885:4 permit 64496:128885:4
ip large-community-list 64496:128885:5 permit 64496:128885:5
ip large-community-list 64496:128885:6 permit 64496:128885:6
ip large-community-list 64496:128885:7 permit 64496:128885:7
ip large-community-list 64496:128885:8 permit 64496:128885:8
ip large-community-list 64496:128885:9 permit 64496:128885:9
ip large-community-list 64496:128886:0 permit 64496:128886:0
ip large-community-list 64496:128886:1 permit 64496:128886:1
ip large-community-list 64496:128886:2 permit 64496:128886:2
ip large-community-list 64496:128886:3 permit 64496:128886:3
ip large-community-list 64496:128886:4 permit 64496:128886:4
ip large-community-list 64496:128886:5 permit 64496:128886:5
ip large-community-list 64496:128886:6 permit 64496:128886:6
ip large-community-list 64496:128886:7 permit 64496:128886:7
ip large-community-list 64496:128886:8 permit 64496:128886:8
ip large-community-list 64496:128886:9 permit 64496:128886:9
!
ip large-community-list regexp pr-purge permit 64496:128884:.+
ip large-community-list regexp pr-purge permit 64496:128885:.+
ip large-community-list regexp pr-purge permit 64496:128886:.+
!
route-map tag-originated-routes-for-symmetric-policy permit 1000
    set large-community large-community-list mySPZasOSPZ
    continue
route-map tag-originated-routes-for-symmetric-policy permit 2000
    set large-community large-community-list myPAGasOPAG additive
    continue
route-map tag-originated-routes-for-symmetric-policy permit 3000
    set large-community large-community-list originating-stateful-hop additive
    continue
route-map tag-originated-routes-for-symmetric-policy permit 4000
    set large-community large-community-list myPAGasPPAG additive
    continue
route-map tag-originated-routes-for-symmetric-policy permit 100000
!
route-map OSPZ-GT-MYSPZ permit 1000
    sub-route-map set-med-to-OSSHC-inverse
    continue
route-map OSPZ-GT-MYSPZ permit 100000
!
route-map OSPZ-LT-MYSPZ permit 1000
    sub-route-map set-med-to-OSSHC
    continue
route-map OSPZ-LT-MYSPZ permit 100000
!
route-map am-i-stateful-map permit 100000
!
route-map if-ORSITE-is-mysite-and-i-am-stateful permit 1000
    sub-route-map osshc-increment
    continue
route-map if-ORSITE-is-mysite-and-i-am-stateful permit 100000
!
route-map if-PRSITEID-and-PRSECZID-are-0 permit 1000
    match large-community 64496:128885:0
    set metric 1000
!
route-map osshc-increment permit 1000
    match large-community 64496:128883:8
    continue
    set large-community 64496:128883:9 additive
route-map osshc-increment permit 2000
    match large-community 64496:128883:8
    continue
    set large-community 64496:128883:8 delete
route-map osshc-increment permit 3000
    match large-community 64496:128883:7
    continue
    set large-community 64496:128883:8 additive
route-map osshc-increment permit 4000
    match large-community 64496:128883:7
    continue
    set large-community 64496:128883:7 delete
route-map osshc-increment permit 5000
    match large-community 64496:128883:6
    continue
    set large-community 64496:128883:7 additive
route-map osshc-increment permit 6000
    match large-community 64496:128883:6
    continue
    set large-community 64496:128883:6 delete
route-map osshc-increment permit 7000
    match large-community 64496:128883:5
    continue
    set large-community 64496:128883:6 additive
route-map osshc-increment permit 8000
    match large-community 64496:128883:5
    continue
    set large-community 64496:128883:5 delete
route-map osshc-increment permit 9000
    match large-community 64496:128883:4
    continue
    set large-community 64496:128883:5 additive
route-map osshc-increment permit 10000
    match large-community 64496:128883:4
    continue
    set large-community 64496:128883:4 delete
route-map osshc-increment permit 11000
    match large-community 64496:128883:3
    continue
    set large-community 64496:128883:4 additive
route-map osshc-increment permit 11800
    match large-community 64496:128883:0
    continue
    set large-community 64496:128883:0 delete
route-map osshc-increment permit 12000
    match large-community 64496:128883:3
    continue
    set large-community 64496:128883:3 delete
route-map osshc-increment permit 13000
    match large-community 64496:128883:2
    continue
    set large-community 64496:128883:3 additive
route-map osshc-increment permit 14000
    match large-community 64496:128883:1
    continue
    set large-community 64496:128883:2 additive
route-map osshc-increment permit 15000
    match large-community 64496:128883:1
    continue
    set large-community 64496:128883:2 additive
route-map osshc-increment permit 16000
    match large-community 64496:128883:1
    continue
    set large-community 64496:128883:1 delete
route-map osshc-increment permit 17000
    match large-community 64496:128883:0
    continue
    set large-community 64496:128883:1 additive
route-map osshc-increment permit 100000
!
route-map set-med-to-OSSHC permit 1000
    match large-community 64496:128883:0
    continue
    set metric 0
route-map set-med-to-OSSHC permit 2000
    match large-community 64496:128883:1
    continue
    set metric 1
route-map set-med-to-OSSHC permit 3000
    match large-community 64496:128883:2
    continue
    set metric 2
route-map set-med-to-OSSHC permit 4000
    match large-community 64496:128883:3
    continue
    set metric 3
route-map set-med-to-OSSHC permit 5000
    match large-community 64496:128883:4
    continue
    set metric 4
route-map set-med-to-OSSHC permit 6000
    match large-community 64496:128883:5
    continue
    set metric 5
route-map set-med-to-OSSHC permit 7000
    match large-community 64496:128883:6
    continue
    set metric 6
route-map set-med-to-OSSHC permit 8000
    match large-community 64496:128883:7
    continue
    set metric 7
route-map set-med-to-OSSHC permit 9000
    match large-community 64496:128883:8
    continue
    set metric 8
route-map set-med-to-OSSHC permit 10000
    match large-community 64496:128883:9
    continue
    set metric 9
route-map set-med-to-OSSHC permit 100000
!
route-map symmetry-policy-receiving-map permit 1000
    continue
route-map symmetry-policy-receiving-map permit 2000
    match large-community OSPZ-gt-mySPZ
    sub-route-map OSPZ-GT-MYSPZ
    continue
route-map symmetry-policy-receiving-map permit 3000
    match invert-result large-community OSPZ-gt-mySPZ
    sub-route-map OSPZ-LT-MYSPZ
    continue
route-map symmetry-policy-receiving-map permit 4000
    match large-community 64496:128884:0
    sub-route-map if-PRSITEID-and-PRSECZID-are-0
    continue
route-map symmetry-policy-receiving-map permit 100000
!
route-map symmetry-policy-sending-map permit 1000
    continue
route-map symmetry-policy-sending-map permit 3000
    sub-route-map update-pr-tags
    continue
route-map symmetry-policy-sending-map permit 100000
!
route-map update-pr-tags permit 1000
    continue
    set large-community large-community-list pr-purge delete
route-map update-pr-tags permit 2000
    continue
    set large-community large-community-list myPAGasPPAG additive
route-map update-pr-tags permit 3000
    continue
    set large-community large-community-list mySPZasPSPZ additive
route-map update-pr-tags permit 4000
    continue
    set large-community large-community-list am-i-stateful additive
route-map update-pr-tags permit 100000
!
route-map yes-i-am-stateful-map permit 1000
    match large-community myPAGasOPAG
    sub-route-map if-ORSITE-is-mysite-and-i-am-stateful
    continue
route-map yes-i-am-stateful-map permit 100000
!
route-map set-med-to-OSSHC-inverse permit 1000
    match large-community 64496:128883:0
    continue
    set metric 9
route-map set-med-to-OSSHC-inverse permit 2000
    match large-community 64496:128883:1
    continue
    set metric 8
route-map set-med-to-OSSHC-inverse permit 3000
    match large-community 64496:128883:2
    continue
    set metric 7
route-map set-med-to-OSSHC-inverse permit 4000
    match large-community 64496:128883:3
    continue
    set metric 6
route-map set-med-to-OSSHC-inverse permit 5000
    match large-community 64496:128883:4
    continue
    set metric 5
route-map set-med-to-OSSHC-inverse permit 6000
    match large-community 64496:128883:5
    continue
    set metric 4
route-map set-med-to-OSSHC-inverse permit 7000
    match large-community 64496:128883:6
    continue
    set metric 3
route-map set-med-to-OSSHC-inverse permit 8000
    match large-community 64496:128883:7
    continue
    set metric 2
route-map set-med-to-OSSHC-inverse permit 9000
    match large-community 64496:128883:8
    continue
    set metric 1
route-map set-med-to-OSSHC-inverse permit 10000
    match large-community 64496:128883:9
    continue
    set metric 0
route-map set-med-to-OSSHC-inverse permit 100000