Loading learning content...
In an ideal world, packets would always take the shortest path to their destination. But the internet isn't just a technical system—it's an economic and political ecosystem where routing decisions must reflect business relationships, contractual obligations, regulatory requirements, and security policies.
A large enterprise might prefer routing traffic through a more expensive but faster provider for latency-sensitive applications. A European bank might be legally required to avoid routing customer data through certain jurisdictions. A content provider might want to utilize paid peering agreements before falling back to transit providers.
Policy routing enables these decisions. Path vector routing's visibility into the complete AS path empowers operators to implement sophisticated policies that align network behavior with organizational objectives—something impossible with simple hop-count or cost-based routing.
By the end of this page, you will understand what policy routing is and why it's essential for inter-domain routing, how path vector enables policy implementation, the hierarchy of BGP attributes for policy control, common policy patterns used in production networks, and how communities enable cross-AS policy signaling.
Policy routing is the practice of making routing decisions based on criteria other than—or in addition to—the destination address and shortest path. In the context of BGP and path vector protocols, policy routing means controlling which routes are accepted, preferred, and advertised based on organizational requirements.
Why Policy Routing Exists:
The internet is not a homogeneous network with a single objective (like minimizing latency). It's a collection of autonomous systems with diverse and sometimes conflicting goals:
| Organization Type | Routing Priority | Example Policy |
|---|---|---|
| Transit Provider | Maximize revenue, minimize transit costs | Prefer customers over peers over transit |
| Content Provider | Minimize latency to end users | Prefer paths through known-fast providers |
| Enterprise | Balance cost and performance | Use expensive link for critical traffic only |
| Government | Data sovereignty compliance | Never route through certain countries |
| Financial Institution | Security and compliance | Avoid networks with poor security records |
The Policy Dimension:
Traditional IGP routing asks: "What's the shortest path to this destination?"
Policy routing asks: "What's the best path considering:
The "best" path may not be the shortest. An organization might deliberately choose a longer path that costs less, performs better, or complies with regulations.
Path Vector Enables Policy:
Path vector routing is uniquely suited to policy implementation because it provides:
It's important to distinguish between policy routing (making decisions based on business logic) and policy verification (ensuring routes comply with organizational rules). BGP excels at both: it enables implementing policies and enforces them through import/export filters.
BGP provides multiple points where policy can be applied. Understanding these control points is essential for implementing effective routing policies.
Import Policy (Inbound):
Applied to routes received from neighbors before they enter the routing table:
Neighbor → [Import Filter] → Adj-RIB-In → [Best Path Selection] → Loc-RIB
Import policies can:
Export Policy (Outbound):
Applied to routes advertised to neighbors after selection:
Loc-RIB → [Export Filter] → Adj-RIB-Out → Neighbor
Export policies can:
Controlling Traffic Direction:
A critical concept is understanding that BGP policy controls route advertisements, not packets directly. This creates an asymmetric relationship:
| Traffic Direction | Control Via | Effectiveness |
|---|---|---|
| Outbound (your traffic leaving) | Import policy (which routes you learn) | High |
| Inbound (traffic coming to you) | Export policy (what you advertise) | Moderate |
Why the asymmetry?
This is why inbound traffic engineering is more complex—you're trying to influence others' routing decisions through advertisements, not direct control.
Attribute Modification Scope:
| Attribute | Import Modify | Export Modify | Scope |
|---|---|---|---|
| Weight | ✓ Yes | N/A | Local router only |
| Local Preference | ✓ Yes | N/A (iBGP only) | Within AS |
| AS Path | Limited | ✓ Prepend | Global (transitive) |
| MED | ✓ Yes | ✓ Yes | Neighbor AS |
| Community | ✓ Yes | ✓ Yes | Based on transitivity |
Best practice is to structure policies as: (1) filter out routes you should never use or advertise, then (2) modify attributes for accepted routes. This ensures unwanted routes are rejected early, reducing processing overhead and preventing accidental attribute leakage.
BGP's path selection algorithm evaluates attributes in a strict order. Understanding this hierarchy is crucial for implementing policies that behave as expected.
The Decision Hierarchy:
When comparing paths to the same prefix, BGP evaluates in order (simplified):
Policy Implementation Strategy:
Knowing the hierarchy guides which attributes to manipulate:
| Policy Goal | Attribute to Use | Why |
|---|---|---|
| Override all other preferences | Weight | Highest priority, local scope |
| Standard outbound preference | Local Preference | AS-wide, evaluated before AS path |
| Influence external networks | AS Path Prepending | Visible to all; affects their selection |
| Suggest entry point to neighbor | MED | Hint to direct neighbor only |
| Signal policy to transit providers | Community | Action tags that providers interpret |
Example: Preferring Customer Routes:
A transit provider wants traffic to exit toward customers (paying them) rather than peers (free) or upstream transit (costs them):
Import from customer: set local-preference 150
Import from peer: set local-preference 100 (default)
Import from transit: set local-preference 80
Result: Customer routes always preferred (150 > 100 > 80), regardless of AS path length.
12345678910111213141516171819202122232425262728
! Route-map for customer routes (highest preference)route-map CUSTOMER-IN permit 10 set local-preference 150 set community 65001:100 additive ! Route-map for peer routes (standard preference)route-map PEER-IN permit 10 set local-preference 100 set community 65001:200 additive ! Route-map for transit routes (lowest preference)route-map TRANSIT-IN permit 10 set local-preference 80 set community 65001:300 additive ! Apply to BGP neighborsrouter bgp 65001 neighbor 192.168.1.1 remote-as 65010 neighbor 192.168.1.1 description CUSTOMER-ACME neighbor 192.168.1.1 route-map CUSTOMER-IN in neighbor 192.168.2.1 remote-as 65020 neighbor 192.168.2.1 description PEER-BIGNET neighbor 192.168.2.1 route-map PEER-IN in neighbor 192.168.3.1 remote-as 65030 neighbor 192.168.3.1 description TRANSIT-UPSTREAM neighbor 192.168.3.1 route-map TRANSIT-IN inBy default, MED is only compared for routes from the same neighboring AS. A MED of 10 from AS 65010 is not compared against a MED of 5 from AS 65020. Enable 'bgp always-compare-med' to compare across ASNs, but be aware this can create unexpected behavior if MEDs aren't consistently set.
Real-world BGP policies follow well-established patterns. Understanding these patterns accelerates policy design and helps avoid common mistakes.
Pattern 1: Customer/Peer/Transit Preference
The most fundamental policy for any multi-homed network:
Business Relationship → Local Preference
Customer (pays you) → 150 (highest)
Peer (free exchange) → 100 (default)
Transit (you pay) → 80 (lowest)
This ensures traffic exits toward paying customers first, maximizing revenue while minimizing transit costs.
Pattern 2: Primary/Backup Links
Using local preference to designate primary and backup connections:
Primary link: local-preference 120
Backup link: local-preference 80
Failover: When primary fails, backup takes over automatically
More sophisticated implementations use BFD for sub-second failover detection.
Pattern 3: AS Path Filtering
Reject routes based on AS path content—essential for security and policy compliance:
Deny if AS path contains:
- Your own AS (loop prevention, standard)
- Sanctioned countries' AS ranges
- Known bogon/hijacked ASNs
- Specific competitor ASNs (rare, controversial)
Pattern 4: Prefix Filtering
Control route acceptance based on prefix characteristics:
Deny:
- RFC 1918 private addresses (10.0.0.0/8, etc.)
- Bogon prefixes (not allocated by RIRs)
- Prefixes > /24 (too specific for global table)
- Default route (0.0.0.0/0) unless explicitly expected
Allow:
- Prefixes documented in customer agreements
- Prefixes in IRR/RPKI with valid authorization
| Pattern | Control Via | Use Case | Complexity |
|---|---|---|---|
| Customer/Peer/Transit | Local preference | Business relationship preference | Low |
| Primary/Backup | Local preference | Link redundancy | Low |
| AS Path Filter | AS-path ACL/regex | Security, compliance | Medium |
| Prefix Filter | Prefix list | Route hygiene | Low |
| Traffic Engineering | Multiple attributes | Performance optimization | High |
| Selective Transit | Export policy | Control customer visibility | Medium |
Pattern 5: Selective Advertisement
Control which routes are advertised to which neighbors:
To Customers: Advertise all routes (customer pays for transit)
To Peers: Advertise own + customer routes (no transit to peers)
To Transit: Advertise own + customer routes (don't pay for others)
This prevents paying transit costs for traffic that should flow through peers, and prevents peers from using you as free transit.
12345678910111213141516171819202122232425262728293031323334353637383940
"""Selective Advertisement Policy Implementation Communities mark route origin: 65001:100 - Customer route 65001:200 - Peer route 65001:300 - Transit route 65001:1000 - Our own routes""" def export_policy(route, neighbor_type): """ Determine if route should be advertised to neighbor. """ communities = route.communities if neighbor_type == "customer": # Customers pay for transit - give them everything return PERMIT elif neighbor_type == "peer": # Peers get our routes and customer routes only # Don't send them routes from other peers or transit if "65001:200" in communities: # Learned from peer return DENY if "65001:300" in communities: # Learned from transit return DENY return PERMIT elif neighbor_type == "transit": # Transit provider gets our routes and customer routes only # Don't pay transit costs for peer/transit routes if "65001:200" in communities: return DENY if "65001:300" in communities: return DENY return PERMIT # Result: Peers and transit only see routes you originate# or routes from your customers - never from other peers/transitComplex policies become debugging nightmares without documentation. Maintain a policy document that explains: (1) the business requirement, (2) the technical implementation, (3) expected behavior, and (4) verification commands. Update it whenever policies change.
BGP communities are the Swiss Army knife of policy routing. These 32-bit tags (or 96-bit for large communities) travel with routes across AS boundaries, enabling sophisticated policy signaling between organizations.
Community Structure:
Standard Community: 16-bit ASN : 16-bit value
Example: 65001:100 means "AS 65001, tag 100"
Large Community: 32-bit ASN : 32-bit value : 32-bit value
Example: 136907:100:200 (for 4-byte ASNs)
Well-Known Communities:
RFC defines special communities with universal meaning:
| Community | Value | Action |
|---|---|---|
| NO_EXPORT | 0xFFFFFF01 | Don't advertise outside confederation |
| NO_ADVERTISE | 0xFFFFFF02 | Don't advertise to any peer |
| NO_EXPORT_SUBCONFED | 0xFFFFFF03 | Don't advertise outside local AS |
| NO_PEER | 0xFFFFFF04 | Don't advertise to peers (RFC 3765) |
These are honored by most BGP implementations without configuration.
Operator-Defined Communities:
Most communities are defined by individual operators. Common patterns:
Informational (marking):
ASN:100 - Route learned from customer
ASN:200 - Route learned from peer
ASN:300 - Route learned from transit
ASN:1XX - Route learned in region XX
Actionable (requesting action):
ASN:0 - Blackhole this prefix (DDoS mitigation)
ASN:666 - Blackhole (alternative convention)
ASN:1000 - Prepend 1x to all peers
ASN:2000 - Prepend 2x to all peers
ASN:10XX - Prepend to specific AS (10 + AS suffix)
1234567891011121314151617181920212223242526272829303132333435
! Define community listsip community-list standard BLACKHOLE permit 65001:666ip community-list standard PREPEND-1X permit 65001:1000ip community-list standard PREPEND-2X permit 65001:2000ip community-list standard PREPEND-3X permit 65001:3000ip community-list standard NO-EXPORT-PEER permit 65001:5000 ! Route-map to act on communitiesroute-map EXPORT-TO-PEERS permit 10 ! Blackhole routes - advertise with standard blackhole community match community BLACKHOLE set community no-export 65535:666 additive route-map EXPORT-TO-PEERS permit 20 ! Prepend once for routes tagged accordingly match community PREPEND-1X set as-path prepend 65001 route-map EXPORT-TO-PEERS permit 30 ! Prepend twice match community PREPEND-2X set as-path prepend 65001 65001 route-map EXPORT-TO-PEERS permit 40 ! Don't advertise to peers if tagged match community NO-EXPORT-PEER ! (simply not having a permit here would deny) deny route-map EXPORT-TO-PEERS permit 100 ! Allow all other routes unchanged ! Apply to peer sessionsrouter bgp 65001 neighbor 192.168.1.1 route-map EXPORT-TO-PEERS outMajor transit providers publish their community meanings on their websites and in IRR databases. This allows customers to influence the provider's routing behavior through community tags. Always check your upstream's documentation—they may offer sophisticated traffic engineering options via communities.
Controlling inbound traffic—packets destined to your network—is one of the most challenging aspects of BGP operations. Unlike outbound traffic where you control route selection, inbound traffic is determined by other networks' routing decisions.
The Fundamental Challenge:
You can influence, but not directly control, how others route to you:
┌─────────────┐
│ Your │
│ Network │
│ (AS 65001)│
┌────────────┴──────┬──────┴────────────┐
│ │ │
┌────▼────┐ ┌────▼────┐ ┌────▼────┐
│ Transit │ │ Peer │ │ Peer │
│ ISP │ │ A │ │ B │
└────┬────┘ └────┬────┘ └────┬────┘
│ │ │
└───────────────────▼───────────────────┘
Internet
"Where does inbound traffic enter?"
You want traffic to enter via the peers (free) rather than transit (costs money). How do you convince the rest of the internet?
Technique 1: AS Path Prepending
Make certain paths appear longer (less attractive):
Current advertisement:
Via Transit: 192.0.2.0/24, AS_PATH: 65010 65001
Via Peer-A: 192.0.2.0/24, AS_PATH: 65020 65001
After prepending via Transit:
Via Transit: 192.0.2.0/24, AS_PATH: 65010 65001 65001 65001
Via Peer-A: 192.0.2.0/24, AS_PATH: 65020 65001
Result: AS path via Transit is now 4 vs 2 for Peer-A
Remote networks will prefer Peer-A
Prepending Considerations:
Technique 2: Selective Advertisement
Advertise specific prefixes only via preferred links:
Your prefix: 192.0.2.0/24 (customer allocation)
Option A: Advertise only via peers
→ Traffic MUST come via peers
→ Transit won't know about your prefix
→ Risk: Reduced reachability if peers fail
Option B: More specific via peers, aggregate via transit
Peers: 192.0.2.0/25 + 192.0.2.128/25
Transit: 192.0.2.0/24
→ More-specific prefixes preferred
→ Fallback to transit if peers fail
Technique 3: MED (Multi-Exit Discriminator)
Suggest your preferred entry point to neighbors:
Advertise to peer with multiple connections:
Chicago link: MED 100 (prefer this)
Denver link: MED 200 (less preferred)
Neighbor may honor this if they:
- Compare MED at all (some don't)
- Haven't set higher-priority attributes
MED is a hint, not a directive. Many networks ignore or filter MED.
| Technique | Mechanism | Effectiveness | Considerations |
|---|---|---|---|
| AS Path Prepending | Lengthen path to make less attractive | Moderate | Evaluated after local-pref; diminishing returns |
| Selective Advertisement | Advertise only via preferred links | High | Reduces redundancy if preferred links fail |
| More-Specific Prefixes | Advertise /25s via preferred, /24 via backup | High | Some networks filter prefixes longer than /24 |
| MED | Hint preferred entry to neighbor | Low-Moderate | Often ignored; only same-AS comparison by default |
| Community Signaling | Request upstream to prepend/filter | Varies | Depends on upstream's community support |
Remember: every AS makes independent routing decisions. Your AS path prepending is meaningless if a remote network has set high local-preference on routes through your transit. Inbound TE provides statistical influence over traffic patterns, not deterministic control.
Policy routing's flexibility comes with security responsibilities. Misconfigured policies can expose networks to hijacking, leak routes inappropriately, or cause widespread reachability problems.
Route Hijacking:
Malicious or misconfigured networks can advertise prefixes they don't own:
Legitimate owner (AS 65030): 192.0.2.0/24 with AS_PATH 65030
Hijacker (AS 65999): 192.0.2.0/24 with AS_PATH 65999
If hijacker's path looks shorter or more attractive to your
upstreams, traffic to 192.0.2.0/24 goes to the hijacker.
Defense: Prefix Filtering
Always filter what you accept from customers and peers:
For each customer:
- Document their assigned prefixes
- Filter import to ONLY those prefixes
- Verify via IRR/RPKI before accepting
For peers:
- Use IRR data (RADB, RIPE, etc.) for prefix lists
- Implement RPKI ROA validation
- Reject bogon prefixes unconditionally
Route Leaks:
Route leaks occur when routes are advertised to neighbors that shouldn't receive them:
Example: Customer learns full table from you (transit)
Customer accidentally advertises full table to peer
Peer thinks customer is transit for entire internet
Traffic blackholes or takes suboptimal paths
Famous incidents (YouTube 2008, Google 2017, Cloudflare 2019) caused widespread outages due to route leaks.
Defense: Export Filtering
To peers: ONLY advertise your prefixes + customer prefixes
To customers: Advertise full table or customer-specific
To transit: ONLY advertise your prefixes + customer prefixes
NEVER: Advertise routes learned from peers to other peers
NEVER: Advertise routes from transit to peers
NEVER: Accept more-specific prefixes for your own space
MANRS (Mutually Agreed Norms for Routing Security) provides a framework of commitments for network operators: filtering, anti-spoofing, coordination, and validation. Joining MANRS signals commitment to routing security best practices and provides operational guidance.
Policy routing transforms BGP from a simple path-exchange protocol into a sophisticated business logic engine. Understanding how to leverage BGP attributes, communities, and filtering enables you to align network behavior with organizational objectives while maintaining security.
Key Concepts Mastered:
What's Next:
With policy routing foundations established, we turn to the protocol that embodies path vector routing: BGP (Border Gateway Protocol). The next page explores BGP's architecture, operation, and how it implements the path vector concepts we've covered.
You now understand how path vector routing enables sophisticated policy implementation, the mechanics of BGP attribute manipulation, common policy patterns, and the security responsibilities that accompany policy flexibility.