Policy Chaining and Logical Expressions
This chapter provides information about Policy Chaining and Logical Expressions.
Topics in this chapter include:
Applicability
This chapter was initially written for SR OS Release 14.0.R4, but the CLI in the current edition is based on SR OS Release 21.7.R1. In SR OS Releases earlier than 14.0.R1, only policy chaining was supported. SR OS Release 14.0.R1 introduced support for route policy logical expressions using the logical operators AND, OR, and NOT, and parentheses.
Overview
Multiple policies can be chained together for sequential evaluation. For more complex evaluation logic, logical expressions can be used with operators: AND, OR, and NOT, and with parentheses. A logical expression can be included in a larger policy chain. Route policy logical expressions are supported in the following contexts:
BGP export
BGP import
BGP leak-import (RIB leaking)
VRF import
VRF export
GRT export (GRT leaking)
Policy chaining versus policy logical expressions shows a comparison between examples of policy chaining and policy logical expressions.
Policy chaining example |
Policy logical expressions example |
---|---|
configure router bgp import "A" "B" "C" |
configure router bgp import "[A]OR[B]" |
For each route, policy A is evaluated first.
|
Several logical operators can be used. This example shows an OR relationship between policy A and policy B. For each route, policy A is evaluated first. A true/false result is determined for policy A:
The final result is mapped back to a policy action (accept, next-policy, and so on). |
In SR OS Release 14.0.R4, and later, the action drop replaces the action reject. The difference is that with action drop, it is possible to modify attributes in the same way as for action accept. This behavior is useful when a NOT operation makes a false expression true and the attributes are required. In a similar way, it is possible that an OR operation is true, even though the first policies that were evaluated were false. Routes are accepted when the final result is true and all policies that were evaluated will modify the route attributes. Examples of this behavior are included in the Configuration section.
To configure policy chaining that may or may not include a policy logical expression, the syntax is:
# on PE-1:
configure router "Base" bgp export ?
*A:PE-1# configure router "Base" bgp export
- export <plcy-or-long-expr> [<plcy-or-expr> [<plcy-or-expr>...(up to 14 max)]]
- no export
<plcy-or-long-expr> : <policy-name> | <long-expr>
<policy-name> - [64 chars max]
<long-expr> - [255 chars max]
<plcy-or-expr> : <policy-name> | <expr>
<policy-name> - [64 chars max]
<expr> - [64 chars max]
When the import/export command has a single value, the value is either a policy or a logical expression. The policy may or may not be enclosed in double quotes. When enclosed in double quotes, all characters (including blanks) are considered part of the policy. The logical expression may or may not be enclosed in double quotes. When not enclosed in double quotes, the operand must not be separated from the policies. The logical expression accepts between 1 and 16 policies. In the logical expression:
each policy must be enclosed in square brackets and must not be enclosed in double quotes.
the operand may or may not be separated with spaces from the policies. When separated, the logical expression must be enclosed in double quotes.
the operand must be in uppercase (AND, OR, NOT).
parentheses may be used to influence the logic. When used, nesting is limited to a maximum of 3 levels.
A policy is accepted with and without double quotes enclosing it. When a policy is enclosed in square brackets, the square brackets are part of the policy.
# on PE-1:
configure router "Base" bgp import A
(leads to: "A")
configure router "Base" bgp import "A"
(leads to: "A")
configure router "Base" bgp import [A]
(leads to: "[A]")
configure router "Base" bgp import "[A]"
(leads to: "[A]")
In a policy that is enclosed in double quotes, spaces before and after the policy are not allowed, as they are considered part of the policy name. The following message is raised when spaces are present before and after a policy that is enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import " A "
WARNING: CLI Policy " A " does not exist.
A policy that is enclosed in double quotes must not be enclosed in square brackets.
# on PE-1:
configure router "Base" bgp import ["A"]
*A:PE-1>config>router>bgp# import ["A"]
^
Error: Invalid syntax.
A logical expression is accepted only when each policy is enclosed in square brackets and not in double quotes, while the logical expression itself may or may not be enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import [A]AND[B]
(leads to: "[A]AND[B]")
configure router "Base" bgp import "[A]AND[B]"
(leads to: "[A]AND[B]")
In a logical expression, spaces before and after the operand are allowed only when the logical expression is enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import "[A] AND [B]"
(leads to: "[A] AND [B]")
The following message is raised when, in a logical expression that is not enclosed in double quotes, there are spaces before and after the operand.
# on PE-1:
configure router "Base" bgp import [A] AND [B]
WARNING: CLI Policy "AND" does not exist.
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
In a logical expression, spaces before and after the square brackets that enclose a policy are allowed only when the logical expression is enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import " [A] AND [B] "
(leads to: " [A] AND [B] ")
The following message is raised when, in a logical expression that is not enclosed in double quotes, there are spaces before and after the square brackets that enclose a policy.
# on PE-1:
configure router "Base" bgp import [A] AND [B]
WARNING: CLI Policy "AND" does not exist.
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
In a logical expression, spaces inside the square brackets that enclose a policy are allowed only when the logical expression is enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import "[ A ]AND[ B ]"
(leads to: "[ A ]AND[ B ]")
The following message is raised when there are spaces inside the square brackets that enclose a policy in a logical expression that is not enclosed in double quotes.
configure router "Base" bgp import [ A ]AND[ B ]
WARNING: CLI Policy "[" does not exist.
WARNING: CLI Policy "]" does not exist.
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
The following message is raised when there are double quotes inside the square brackets that enclose a policy in a logical expression that is not enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import ["A"]AND["B"]
*A:PE-1>config>router>bgp# import ["A"]AND["B"]
^
Error: Invalid syntax.
The following message is raised when a policy is enclosed in double quotes instead of square brackets in a logical expression that is not enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import "A"AND"B"
*A:PE-1>config>router>bgp# import "A"AND"B"
^
Error: Invalid syntax.
The following message is raised when there are double quotes inside the square brackets that enclose a policy in a logical expression that is enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import "["A"]AND["B"]"
*A:PE-1>config>router>bgp# import "["A"]AND["B"]"
^
Error: Invalid syntax.
The following message is raised when a policy is enclosed in double quotes instead of square brackets in a logical expression that is enclosed in double quotes.
# on PE-1:
configure router "Base" bgp import ""A"AND"B""
*A:PE-1>config>router>bgp# import ""A"AND"B""
^
Error: Invalid syntax.
The operand in a logical expression must be in uppercase.
# on PE-1:
configure router "Base" bgp import "[A]AND[B]"
(leads to: "[A]AND[B]")
The following message is raised when an operand in a logical expression is not in uppercase.
# on PE-1:
configure router "Base" bgp import "[A]and[B]"
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
A logical expression may use parentheses (nesting up to a maximum of 3 levels) to influence the logic.
# on PE-1:
configure router "Base" bgp import "((([P1]AND[P2])OR[P3])AND[P4])OR[P5]"
(leads to: "((([P1]AND[P2])OR[P3])AND[P4])OR[P5]")
The following message is raised when the parentheses nesting exceeds 3 levels.
# on PE-1:
configure router "Base" bgp import "(((([P1]AND[P2])OR[P3])AND[P4])OR[P5])AND[P6]"
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
The following message is raised when the parentheses are not balanced.
# on PE-1:
configure router "Base" bgp import "((([P1]AND[P2])OR[P3])AND[P4]"
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
A logical expression accepts a maximum of 16 policies.
# on PE-1:
configure router "Base" bgp import "[P1]AND[P2]AND[P3]AND[P4]AND[P5]AND[P6]AND[P7]AND[P8]AND[P9] AND[P10]AND[P11]AND[P12]AND[P13]AND[P14]AND[P15]AND[P16]"
(leads to: "[P1]AND[P2]AND[P3]AND[P4]AND[P5]AND[P6]AND[P7]AND[P8]AND[P9]AND[P10]AND[P11]AND[P12] AND[P13]AND[P14]AND[P15]AND[P16]")
The following message is raised when there are too many policies in the logical expression.
# on PE-1:
configure router "Base" bgp import "[P1]AND[P2]AND[P3]AND[P4]AND[P5]AND[P6]AND[P7]AND[P8]AND[P9] AND[P10]AND[P11]AND[P12]AND[P13]AND[P14]AND[P15]AND[P16]AND[P17]"
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
When the import/export command has multiple values, the values are separated with spaces and ordered in a policy chain. The policy chain accepts between 1 and 15 values. In the policy chain:
each value is either a policy or a logical expression and must be formatted in the same way as the single value above.
only 1 logical expression is allowed.
policies and the logical expression must not be repeated.
a logical expression with a length that does not exceed 64 characters may be in any location. Otherwise, the logical expression with a length that does not exceed 255 characters must be in the first location.
A policy chain must not be enclosed in square brackets.
# on PE-1:
configure router "Base" bgp import A B
(leads to: "A" "B")
The following message is raised when the policy chain is enclosed in square brackets.
# on PE-1:
configure router "Base" bgp import [A B]
WARNING: CLI Policy "[A" does not exist.
WARNING: CLI Policy "B]" does not exist.
A policy chain is accepted with and without double quotes enclosing the policies.
# on PE-1:
configure router "Base" bgp import A B
(leads to: "A" "B")
configure router "Base" bgp import "A" B
(leads to: "A" "B")
configure router "Base" bgp import A "B"
(leads to: "A" "B")
configure router "Base" bgp import "A" "B"
(leads to: "A" "B")
A policy chain can contain policies and a logical expression.
# on PE-1:
configure router "Base" bgp import A B [C]OR[A]
(leads to: "A" "B" "[C]OR[A]")
In a policy chain, policies and the logical expression must not be repeated. The following message is raised when the policy chain has duplicate policies or logical expressions.
# on PE-1:
configure router "Base" bgp import A A "A"
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts should be unique and set in order!
A policy chain accepts a maximum of 15 policies.
# on PE-1:
configure router "Base" bgp import P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13 P14 P15
(leads to: "P1" "P2" "P3" "P4" "P5" "P6" "P7" "P8" "P9" "P10" "P11" "P12" "P13" "P14" "P15")
The following message is raised when there are too many policies in the policy chain.
# on PE-1:
configure router "Base" bgp import P1 P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13 P14 P15 P16
*A:PE-1>config>router>bgp# import "P1" "P2" "P3" "P4" "P5" "P6" "P7" "P8" "P9" "P10" "P11" "P12" "P13" "P14" "P15" P16
^
Error: Invalid parameter.
A policy chain has 1 logical expression at maximum. The following message is raised when the policy chain has more than 1 (different) logical expression.
# on PE-1:
configure router "Base" bgp import "[A]AND[B]" C "[B]OR[C]"
INFO: BGP #1001 Configuration failed because of inconsistent values - BGP [VR 1] Policy stmts expression format error
A logical expression with a length that does not exceed 64 characters can be anywhere in the policy chain (but the result can be different).
# on PE-1:
configure router "Base" bgp import A B "[C]AND[A]"
(leads to: "A" "B" "[C]AND[A]")
configure router "Base" bgp import A "[C]AND[A]" B
(leads to: "A" "[C]AND[A]" "B")
configure router "Base" bgp import "[C]AND[A]" A B
(leads to: "[C]AND[A]" "A" "B")
When the length of the logical expression exceeds 64 characters, the logical expression must be at the start of the policy chain.
# on PE-1:
configure router "Base" bgp import "[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]" A B
(leads to: "[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]" "A" "B")
The following message is raised when a logical expression with a length that exceeds 64 characters is not at the start of a policy chain.
# on PE-1:
configure router "Base" bgp import A B "[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]"
*A:PE-1>config>router>bgp# import "A" "B" "[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]"
^
Error: String too long
The following message is raised when a logical expression with a length that exceeds 255 characters is at the start of a policy chain.
# on PE-1:
configure router "Base" bgp import "[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]A
ND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]A
ND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]A
ND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]"
A B
*A:PE-1>config>router>bgp# import "[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A
]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B
]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C
]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]AND[A]AND[B]AND[C]"
A B
^
Error: String too long
Route policy logical expressions
Logical expressions are evaluated to be true or false. Boolean values for the policy actions shows the mapping of policy actions to Boolean values.
Policy action |
Boolean value |
---|---|
Accept |
True |
Next-entry |
True |
Next-policy |
True |
Reject |
False |
Drop |
False |
: The policy action drop replaces action reject in Release 14.0.R4, and later. The action drop supports route attribute modifications while action reject does not. SR OS automatically converts reject actions to drop actions.
Actions for the logical operators shows the evaluation actions for the logical operators NOT, OR, and AND.
Logical operator |
Action |
---|---|
NOT <expr> |
Swaps the true/false result of the expression. |
<expr1> OR <expr2> |
If expr1 is true, the result is true and expr2 is not evaluated. If expr1 is false, expr2 must be evaluated. The final result is true if either expression is true; otherwise, it is false. |
<expr1> AND <expr2> |
If expr1 is false, the result is false and expr2 is not evaluated. If expr1 is true, expr2 must be evaluated. The final result is true only if both expressions are true. |
Mapping the final result of an expression to a policy action shows the mapping of the final result of an expression to a policy action. Routes are dropped when the entire expression is false.
Final result |
Action |
---|---|
True |
accept, next-entry, or next-policy (depending on the last entry evaluated) |
False |
drop/reject |
Configuration
Example topology shows the example topology including the advertised route.
The initial configuration of the routers includes:
Cards, MDAs, ports
Router interfaces
IS-IS
LDP
BGP
Export policy "export-bgp" accepting routes for prefix 2.2.2.2/32 on PE-2.
It is possible to configure VPRNs and assign policies to BGP in the VPRN, although in this chapter, all the examples are for BGP in the base router.
Policy chaining and policy logical expressions
In this section, three route policies are configured that will add a community and set the local-preference (LP): only policy C does not set LP. Policy C has action next-policy, and policies A and B have action accept. The configuration is:
# on PE-1, PE-2:
configure
router "Base"
policy-options
begin
community "A"
members "1:1"
exit
community "B"
members "2:2"
exit
community "C"
members "3:3"
exit
policy-statement "A"
entry 10
action accept
community add "A"
local-preference 110
exit
exit
exit
policy-statement "B"
entry 10
action accept
community add "B"
local-preference 220
exit
exit
exit
policy-statement "C"
entry 10
action next-policy
community add "C"
exit
exit
exit
commit
exit all
Initially, policy chaining is configured without a logical expression. Subsequently, policy chaining is configured with only one policy logical expression and no other policies in the chain, as described in the following sections.
Policy chaining without logical expression
Policy chaining may include one logical expression, except in this example, there is no policy logical expression in the chain.
Policy chaining is configured on PE-1:
# on PE-1:
configure
router "Base"
bgp
import "C" "A" "B"
exit all
PE-1 receives route 2.2.2.2/32 from PE-2. For each route, PE-1 evaluates policy C first. This policy adds community C (3:3) and has action next-policy, which implies that the next policy must also be evaluated. Policy A adds community A (1:1) and sets the LP to a value of 110 (by default, the local-preference equals 100). Policy A has action accept and, therefore, the evaluation is completed. The local-preference and the community are shown in the following output:
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 110 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 1:1 3:3
---snip---
Policy logical expressions with two policies
In the following examples, the policy chain contains only a policy logical expression. When both policy A and policy B must be executed, the logical operator used is: AND. The sequence is important in this case, because both policies A and B set the LP and the last executed policy will set the final value for the LP. The following import policy expression is configured on PE-1:
# on PE-1:
configure
router ‟Base”
bgp
import "[A]AND[B]"
exit all
Policy A is evaluated first and it adds community A (1:1) and sets LP 110. Then, policy B is evaluated, which adds community B (2:2) and sets LP 220.
*A:PE-1# show router bgp routes hunt brief | match "Local Pref."
Local Pref. : 220 Interface Name : int-PE-1-PE-2
*A:PE-1# show router bgp routes hunt brief | match "Community"
Community : 2:2 1:1
When the policy expression is [B]AND[A], the order is reversed. First, policy B sets LP 220, then policy A sets LP 110:
*A:PE-1# show router bgp routes hunt brief | match "Local Pref."
Local Pref. : 110 Interface Name : int-PE-1-PE-2
*A:PE-1# show router bgp routes hunt brief | match "Community"
Community : 1:1 2:2
When the policy expression contains operator OR instead of AND, the first true expression results in a completed evaluation. Because both policy A and policy B result in a true expression, whichever policy is evaluated first is executed and the second one is skipped. For example, when policy A is evaluated first and the result is true, policy B is skipped. Therefore, the community is A (1:1) and the LP 110:
# on PE-1:
configure
router "Base"
bgp
import "[A]OR[B]"
exit all
*A:PE-1# show router bgp routes hunt brief | match "Local Pref."
Local Pref. : 110 Interface Name : int-PE-1-PE-2
*A:PE-1# show router bgp routes hunt brief | match "Community"
Community : 1:1
Likewise, when policy B is evaluated first and the result is true, policy A is skipped. The added community is B (2:2) and the LP 220:
# on PE-1:
configure
router "Base"
bgp
import "[B]OR[A]"
exit all
*A:PE-1# show router bgp routes hunt brief | match "Local Pref."
Local Pref. : 220 Interface Name : int-PE-1-PE-2
*A:PE-1# show router bgp routes hunt brief | match "Community"
Community : 2:2
The logical operator NOT swaps the result from true to false, and vice versa. When policy A is evaluated as true, NOT[A] is false. A false expression in an AND relationship leads to a false result. The next policy in the logical expression is not evaluated. No communities are added and no LP is set (the default value for LP is 100). The route is rejected as invalid:
# on PE-1:
configure
router "Base"
bgp
import "NOT[A]AND[B]"
exit all
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 100 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : No Community Members
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Invalid IGP Rejected
---snip---
However, a false NOT[A] expression in an OR relationship may still lead to the expression being evaluated to true:
# on PE-1:
configure
router "Base"
bgp
import "NOT[A]OR[B]"
exit all
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 220 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 2:2 1:1
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
Policy B is evaluated as true for the route and, therefore, the entire logical expression "NOT[A]OR[B]" is true, and the route is accepted. Every policy in the expression that was evaluated, before the entire logical expression was recognized to be true, is executed, including policy A. This implies that policy A adds community A (1:1) to the route and sets LP to a value of 110. Then, policy B adds community B (2:2) to the route and overwrites the LP to a value of 220.
The import policy "[B] OR NOT[A]" is true after the first policy is evaluated as true. Only policy B is executed, the assigned community is B (2:2) and the LP is 220:
# on PE-1:
configure
router "Base"
bgp
import "[B] OR NOT[A]"
exit all
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 220 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 2:2
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
Assigned LP and communities for the import logical expressions summarizes the results for these different scenarios.
Import logical expression |
Assigned LP |
Assigned community |
---|---|---|
import "[A]AND[B]" |
220 |
2:2 1:1 |
import "[B]AND[A]" |
110 |
1:1 2:2 |
import "[A]OR[B]" |
110 |
1:1 |
import "[B]OR[A]" |
220 |
2:2 |
import "NOT[A]AND[B]" |
None |
None (Route rejected) |
import "NOT[A]OR[B]" |
220 |
2:2 1:1 |
Import "[B] OR NOT[A]" |
220 |
2:2 |
Policy logical expressions with three policies
In policy chaining, the next policy in the chain is evaluated when the action is next-policy. In policy logical expressions, the next policy is evaluated depending on the logical operator and the Boolean value for the previous policies in the expression.
Policy C has action next-policy instead of accept and adds community C (3:3), but does not set the LP.
Several logical expressions can be made with policies A, B, and C. The following import policy has all three policies in an AND relationship. The expression is evaluated as true and all policies are executed: three communities are added and the LP is set.
# on PE-1:
configure
router "Base"
bgp
import "[C]AND[A]AND[B]"
exit all
The first policy adds community C (3:3), the second policy adds community A (1:1) and sets LP 110, and the third policy adds community B (2:2) and sets LP 220:
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 220 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 2:2 1:1 3:3
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
The import policy "[C]AND[A]OR[B]" results in the first two being executed. Policy C is evaluated as true, and the logical operation is AND. Therefore, the next policy must be evaluated too. Policy A is also evaluated as true and the next operation is OR. The final result is evaluated as true without evaluating policy B. The communities added are C and A (3:3 and later 1:1) and the LP is 110.
# on PE-1:
configure
router "Base"
bgp
import "[C]AND[A]OR[B]"
exit all
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 110 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 1:1 3:3
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
The import policy "[C]OR[A]OR[B]" is evaluated as true after the first policy is evaluated as true. Even though the action in policy C is next-policy, the next policy in this expression is not evaluated, because the expression is already true. Only policy C is executed and it adds the community C (3:3), but does not configure the LP:
# on PE-1:
configure
router "Base"
bgp
import "[C]OR[A]OR[B]"
exit all
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 100 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 3:3
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
However, if the policy chain contains not only a logical expression, but also single policies, the action next-policy ensures that a following policy in the chain is executed; for example, policy D in the following policy chain:
# on PE-1:
configure
router "Base"
bgp
import "[C]OR[A]OR[B]" "D"
exit all
The expression "[C]OR[A]OR[B]" is true after policy C has been evaluated, but policy C has action next-policy and policy D is the next policy to be evaluated.
The import policy "[C]OR[A]AND[B]" expression evaluates policy C as true. Policy C has an OR relationship with policy A in the logical expression ‟[C]OR[A]”, and therefore, policy A is not evaluated. There is an AND relationship with policy B and policy B is evaluated as true. Therefore, the entire logical expression "[C]OR[A]AND[B]" is true and the route is accepted. Both policy C and B are executed. First, policy C adds community C (3:3), then policy B adds community B (2:2) and sets LP 220:
# on PE-1:
configure
router "Base"
bgp
import "[C]OR[A]AND[B]"
exit all
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 220 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 2:2 3:3
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
Assigned LP and communities for the import logical expressions summarizes the results for these different scenarios.
Import logical expression |
Assigned LP |
Assigned community |
---|---|---|
import "[C]AND[A]AND[B]" |
220 |
2:2 1:1 3:3 |
import "[C]AND[A]OR[B]" |
110 |
1:1 3:3 |
import "[C]OR[A]OR[B]" |
None |
3:3 |
import "[C]OR[A]AND[B]" |
220 |
2:2 3:3 |
Combinations of policy logical operations using brackets
For this section, the following communities and policies are configured on PE-1. All these policies have a from condition that matches a community (D, E, F, G). Besides these policies, there are also export policies on PE-2 that add one or more communities (D, E, F, G) to the advertised routes. On PE-1, incoming route 2.2.2.2/32 will have one or more communities that may or may not match the from condition in the following route policies.
# on PE-1 and PE-2:
configure
router "Base"
policy-options
begin
community "D"
members "4:4"
exit
community "E"
members "5:5"
exit
community "F"
members "6:6"
exit
community "G"
members "7:7"
exit
policy-statement "D"
entry 10
from
community "D"
exit
action accept
local-preference 4
exit
exit
default-action drop
exit
exit
policy-statement "E"
entry 10
from
community "E"
exit
action accept
local-preference 5
exit
exit
default-action drop
exit
exit
policy-statement "F"
entry 10
from
community "F"
exit
action accept
local-preference 6
exit
exit
default-action drop
exit
exit
policy-statement "G"
entry 10
from
community "G"
exit
action accept
local-preference 7
exit
exit
default-action drop
exit
exit
commit
exit all
The received routes have community E (5:5) present. The following import policy is configured on PE-1:
# on PE-1:
configure
router "Base"
bgp
import "([D]AND[E])OR([F]AND[G])"
exit all
The first policy that is evaluated requires community D (4:4) to be present. This is not the case and the expression between brackets, ([D]AND[E]), is false. Policy E is not evaluated. The next policy to be evaluated is F and it requires community F (6:6), which is not present. The second expression between brackets, ([F]AND[G]), is therefore also false and policy G is not evaluated. The entire policy logical expression is false and the route is rejected.
The following commands show what policy evaluation caused the route to be rejected. For the entire logical expression "([D]AND[E])OR([F]AND[G])", the last policy that was evaluated, and that caused the route to be rejected, was policy F:
*A:PE-1# show router bgp policy-test "([D]AND[E])OR([F]AND[G])" family ipv4 prefix 0.0.0.0/0 longer display-rejects brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Network
-------------------------------------------------------------------------------
Rejected by Logical expression last policy F Default action
2.2.2.2/32
-------------------------------------------------------------------------------
Total Routes : 1 Routes rejected : 1
===============================================================================
For the logical expression "[D]AND[E]", the last policy that was evaluated, and that led to the conclusion that the expression was false, was policy D:
*A:PE-1# show router bgp policy-test "[D]AND[E]" family ipv4 prefix 0.0.0.0/0 longer display-rejects brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Network
-------------------------------------------------------------------------------
Rejected by Logical expression last policy D Default action
2.2.2.2/32
-------------------------------------------------------------------------------
Total Routes : 1 Routes rejected : 1
===============================================================================
For the logical expression "[F]AND[G]", the last policy that was evaluated, and that led to the conclusion that the expression was false, was policy F:
*A:PE-1# show router bgp policy-test "[F]AND[G]" family ipv4 prefix 0.0.0.0/0 longer display-rejects brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Network
-------------------------------------------------------------------------------
Rejected by Logical expression last policy F Default action
2.2.2.2/32
-------------------------------------------------------------------------------
Total Routes : 1 Routes rejected : 1
===============================================================================
The logical expression "([D]AND[E])OR([F]AND[G])" is false and, therefore, the route is rejected. No LP is set. Community E (5:5) was already present in the incoming route.
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 100 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 5:5
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Invalid IGP Rejected
---snip---
In the second example, the incoming route contains communities D (4:4) and E (5:5). The same policy logical expression "([D]AND[E])OR([F]AND[G])" is evaluated as true because both policy D and policy E are true. There is an OR relationship with the rest of the expression and, therefore, the entire logical expression is true. Policy E is the last policy to be evaluated:
*A:PE-1# show router bgp policy-test "([D]AND[E])OR([F]AND[G])" family ipv4 prefix 0.0.0.0/0 longer display-rejects brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Network
-------------------------------------------------------------------------------
Accepted by Logical expression last policy E Entry 10
2.2.2.2/32
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The route is accepted as valid and gets LP 5. The communities D (4:4) and E (5:5) were already present for the incoming route. The first policy that was executed, was policy D and it set the LP to a value of 4. Policy E was the second and last policy that was executed and it set the LP to a value of 5:
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 5 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 5:5 4:4
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
For the third example, the incoming route contains communities D (4:4) and E (5:5). The logical expression "([D]OR[E])AND([F]OR[G])" is evaluated as false and the route is rejected:
# on PE-1:
configure
router "Base"
bgp
import "([D]OR[E])AND([F]OR[G])"
exit all
First, policy D is evaluated as true because community D (4:4) is present. Policy D has an OR relationship with policy E, which is true without the need to evaluate policy E. The next policy to be evaluated is F. Policy F requires the community F (6:6) to be present, which is not the case. The logical expression ‟[F]OR[G]” can only be true if policy G is true. Policy G requires community G (7:7) to be present, which is false. The last policy that was evaluated before the route was rejected was policy G:
*A:PE-1# show router bgp policy-test "([D]OR[E])AND([F]OR[G])" family ipv4 prefix 0.0.0.0/0 longer display-rejects brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Network
-------------------------------------------------------------------------------
Rejected by Logical expression last policy G Default action
2.2.2.2/32
-------------------------------------------------------------------------------
Routes : 1
===============================================================================
The route was rejected and, therefore, no policy was executed. The LP kept its default value of 100:
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 100 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 5:5 4:4
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Invalid IGP Rejected
---snip---
For the fourth example, the incoming route has communities E (5:5) and G (7:7). The logical expression "([D]OR[E])AND([F]OR[G])" is evaluated as true and the route is accepted. First, policy D is evaluated as false. Policy D has an OR relationship with policy E, which is evaluated as true. Consequently, the expression ‟[D]OR[E]” is true. This expression has an AND relationship with the expression ‟[F]OR[G]”.
The next policy to be evaluated is F. Policy F requires the community F (6:6) to be present, which is false. The logical expression ‟[F]OR[G]” can only be true if policy G is true. Policy G requires community G (7:7) to be present, which is true. This makes [F]OR[G] true as well as the entire expression "([D]OR[E])AND([F]OR[G])".
The last policy that was evaluated before the route was accepted was policy G:
*A:PE-1# show router bgp policy-test "([D]OR[E])AND([F]OR[G])" family ipv4 prefix 0.0.0.0/0 longer display-rejects brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
Legend -
Status codes : u - used, s - suppressed, h - history, d - decayed, * - valid
l - leaked, x - stale, > - best, b - backup, p - purge
Origin codes : i - IGP, e - EGP, ? - incomplete
===============================================================================
BGP IPv4 Routes
===============================================================================
Network
-------------------------------------------------------------------------------
Rejected by Logical expression last policy G Default action
2.2.2.2/32
-------------------------------------------------------------------------------
Total Routes : 1 Routes rejected : 1
===============================================================================
The route was accepted and has the changes of all policies that were evaluated: initially, policy D set the LP to 4. This value was overwritten by policy E to 5, by policy F to 6, and finally by policy G to a value of 7:
*A:PE-2# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.2 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 1.1.1.1/32
Nexthop : 192.0.2.1
Path Id : None
From : 192.0.2.1
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.1
Local Pref. : 7 Interface Name : int-PE-2-PE-1
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 5:5 7:7
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.1
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
Assigned LP for the import logical expressions summarizes the results for these different scenarios.
Ingress community |
Import logical expression |
Assigned LP |
---|---|---|
5:5 |
import "([D]AND[E])OR([F]AND[G])" |
Prefix rejected |
5:5 4:4 |
import "([D]AND[E])OR([F]AND[G])" |
5 |
5:5 4:4 |
import "([D]OR[E])AND([F]OR[G])" |
Prefix rejected |
5:5 7:7 |
import "([D]OR[E])AND([F]OR[G])" |
7 |
Modification of attributes while processing
During the policy evaluation process, some prefix attributes can be modified while processing, and these modified attributes can be used as criteria for other policies in the logical expression.
In the following example, two route policies are configured:
Policy X adds a new community Y (11:11) to the incoming route update.
Policy Y uses community Y (11:11) as the only match criterion and removes communities X and Y. Policy Y also sets the LP to a value of 9, which is used here as an indication that policy Y was executed.
An export policy on PE-2 adds community X (10:10) to prefix 2.2.2.2/32 (not shown here).
Route policies X and Y are configured on PE-1:
# on PE-1:
configure
router "Base"
policy-options
begin
community "X"
members "10:10"
exit
community "Y"
members "11:11"
exit
policy-statement "X"
entry 10
from
community "X"
exit
action accept
community add "Y"
exit
exit
exit
policy-statement "Y"
entry 10
from
community "Y"
exit
action accept
community remove "X" "Y"
local-preference 9
exit
exit
exit
commit
exit all
When no import policy is applied on PE-1, the received route 2.2.2.2/32 has community 10:10 and the default LP:
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 100 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : 10:10
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
The import policy "[X]AND[Y]" is configured on PE-1:
# on PE-1:
configure
router "Base"
bgp
import "[X]AND[Y]"
exit all
The route update contains community X (10:10) and policy X is evaluated as true. Policy X adds community Y (11:11) to the route. Policy Y requires this community and is evaluated as true. Therefore, the entire logical expression "[X]AND[Y]" is true and the route is accepted. Policy Y removes communities X (10:10) and Y (11:11), and sets the LP to a value of 9:
*A:PE-1# show router bgp routes hunt brief
===============================================================================
BGP Router ID:192.0.2.1 AS:64500 Local AS:64500
===============================================================================
---snip---
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network : 2.2.2.2/32
Nexthop : 192.0.2.2
Path Id : None
From : 192.0.2.2
Res. Protocol : ISIS Res. Metric : 10
Res. Nexthop : 192.168.12.2
Local Pref. : 9 Interface Name : int-PE-1-PE-2
Aggregator AS : None Aggregator : None
Atomic Aggr. : Not Atomic MED : None
AIGP Metric : None IGP Cost : 10
Connector : None
Community : No Community Members
Cluster : No Cluster Members
Originator Id : None Peer Router Id : 192.0.2.2
Fwd Class : None Priority : None
Flags : Used Valid Best IGP In-RTM
---snip---
Conclusion
Route policy chaining and logical expressions allow complex route processing logic to be broken into smaller components. These policy components are reusable and facilitate the process of updating route control logic. Logical expressions offer more flexible combinations of policy statements.