Route policies
This chapter provides information about configuring route policies.
Configuring route policies
The 7210 SAS devices support route policies to allow users to enable IGMP group membership report filtering. IGMP group membership report filtering allows the user to configure rules which can be used to restrict the IGMP groups that subscribers/hosts can enroll to. This is achieved by using route policies that specify the set of hosts whose group membership reports are to be accepted (and further processed appropriately by the system) or rejected.
There are no default route policies. Each policy must be created explicitly. Policy parameters are modifiable.
Policy statements
Route policies contain policy statements containing ordered entries containing match conditions and actions you specify. The entries should be sequenced from the most explicit to least explicit. IGMP group membership report processing can be implemented according to your defined policies. Policy-based routing allows you to dictate whether to process or drop the traffic. Route policies can match a specific route policy entry and continue searching for other matches within the same route policy.
The process can stop when the first complete match is found and executes the action defined in the entry, either to accept or reject packets that match the criteria or proceed to the next entry. You can specify matching criteria based on source or destination.
You can also provide more matching conditions by specifying criteria such as:
prefix list
A named list of prefixes.
From criteria
A source IP address and destination (for example, a destination IP multicast group address).
Default action behavior
The default action specifies how packets are to be processed when a policy related to the route is not explicitly configured. The default actions are applied in the following cases.
If a route policy does not specify a matching condition, all the routes being compared with the route policy are considered to be matches.
If a packet does not match any policy entries, then the next policy is evaluated. If a match does not occur then the last entry in the last policy is evaluated.
If no default action is specified, the default behavior of the protocol controls whether the routes match or not.
If a default action is defined for one or more of the configured route policies, then the default action is handled as follows:
The default action can be set to all available action states including accept, reject, next-entry, and next-policy.
If the action states accept or reject, the policy evaluation terminates and the appropriate result is returned.
If a default action is defined and no matches occurred with the entries in the policy, the default action is used.
If a default action is defined and one or more matches occurred with the entries of the policy, the default action is not used.
Denied IP prefixes
The following IP address prefixes are not allowed by the routing protocols and the Route Table Manager and are not populated within the forwarding table:
0.0.0.0/8 or longer
127.0.0.0/8 or longer
224.0.0.0/4 or longer
240.0.0.0/4 or longer
Any other prefixes that need to be filtered can be filtered explicitly using route policies.
When to use route policies
Configure and apply unique route policies when you want unique behaviors to control route characteristics; for example, change the route preference.
Configuration notes
This section describes route policy configuration restrictions.
General
When configuring policy statements, the policy statement name must be unique.
Configuring route policies with CLI
This section provides information to configure route policies using the command line interface.
Route policy configuration overview
Route policies allow the configuration of IGMP group membership reports filtering rules.
When to create routing policies
Route policies are created in the config>router context. There are no default route policies. Each route policy must be explicitly created and applied.
A route policy impacts the flow of packets within and through the router.
Route policies can be created to filter IGMP membership reports from specific hosts or specific multicast groups.
Before a route policy is applied, analyze the policy purpose and be aware of the results (and consequences) when packets match the specified criteria and the associated actions and default actions, if specified, are executed. Membership reports can be filtered based on a specific source address.
Default route policy actions
Each routing protocol has default behaviors for the import and export of routing information. The following table describes the default behavior for each routing protocol.
| Protocol | Import | Export |
|---|---|---|
| OSPF | Not applicable. All OSPF routes are accepted from OSPF neighbors and cannot be controlled via route policies. | |
Policy evaluation
Routing policy statements can consist of one or several entries. The entries specify the matching criteria. The packet fields are compared to the first entry in the policy statement. If it matches, the specified entry action is taken, either accepted or rejected. If the action is to accept or reject the route, that action is taken and the evaluation of the route ends.
If the route does not match the first entry, the route is compared to the next entry (if more than one is configured) in the policy statement. If there is a match with the second entry, the specified action is taken. If the action is to accept or reject the route, that action is taken and the evaluation of the route ends, and so on.
Each route policy statement can have a default-action clause defined. If a default-action is defined for one or more of the configured route policies, the default actions should be handled in the following ways:
The process stops when the first complete match is found and executes the action defined in the entry.
If the packet does not match any of the entries, the system executes the default action specified in the policy statement.
The following figure shows an example of the route policy process.
Route policies can also match a specific route policy entry and continue to search for other entries within either the same route policy or the next route policy by specifying the next-entry option in the entry action command.
Basic configurations
This section provides information to configure route policies and configuration examples of common tasks. The minimal route policy parameters that need to be configured are described below.
Policy statement with the following parameters specified:
at least one entry
entry action
Route policy configuration output
A:ALA-B>config>router>policy-options# info
----------------------------------------------
    prefix-list "host"
        prefix 10.0.0.0/8 longer
    exit
    prefix-list "group"
        prefix 10.6.6.6/32 exact
    exit
    policy-statement "block-igmp"
        description "Reject-Reports-From-Specific-Group-And-Host"
        entry 1
            from
                host-ip "host"
            exit
            action next-entry
            exit
        exit
        entry 2
            from
                group-address "group"
            exit
            action reject
        exit
        default-action accept
        exit
    exit
    policy-statement "permit-igmp"
        description "Accept-Reports-From-Specific-Group-And-Host"
        entry 1
            from
                host-ip "host3"
                group-address "group3"
            exit
            action accept
            exit
        exit
        default-action reject
    exit
----------------------------------------------
A:ALA-B>config>router>policy-options#
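The following Python model is an added example, not Nokia code and not part of the original page. It walks IGMP membership reports through the "block-igmp" policy above using the evaluation rules stated in this chapter. The assumptions are: addresses are treated as /32 prefixes, criteria inside one from block are ANDed, only the exact and longer match types are modelled, and the names `BLOCK_IGMP_SINGLE_ENTRY` and `protocol-default` are hypothetical.

```python
"""Model of route-policy evaluation for IGMP report filtering.

Added example: follows the evaluation rules stated in this chapter, not
device source code. Addresses are treated as /32 prefixes (assumption).
"""
import ipaddress

# Prefix lists copied from the "Route policy configuration output" sample.
PREFIX_LISTS = {
    "host": [("10.0.0.0/8", "longer")],
    "group": [("10.6.6.6/32", "exact")],
}

# policy-statement "block-igmp" from the same sample.
BLOCK_IGMP = {
    "entries": [
        (1, {"host-ip": "host"}, "next-entry"),
        (2, {"group-address": "group"}, "reject"),
    ],
    "default-action": "accept",
}

# Hypothetical variant (not on the page): both criteria in one entry,
# the same shape the page uses for "permit-igmp".
BLOCK_IGMP_SINGLE_ENTRY = {
    "entries": [(1, {"host-ip": "host", "group-address": "group"}, "reject")],
    "default-action": "accept",
}


def prefix_match(addr, prefix, match_type):
    """Match one address against one prefix-list line (exact | longer)."""
    net = ipaddress.ip_network(prefix)
    route = ipaddress.ip_network(f"{addr}/32")
    if match_type == "exact":
        return route == net
    if match_type == "longer":
        return route.subnet_of(net) and route.prefixlen > net.prefixlen
    raise ValueError(f"unsupported match type: {match_type}")


def in_list(addr, list_name):
    """True if the address matches any line of the named prefix list."""
    return any(prefix_match(addr, p, t) for p, t in PREFIX_LISTS[list_name])


def entry_matches(criteria, host, group):
    """An entry with no criteria matches everything; criteria are ANDed."""
    fields = {"host-ip": host, "group-address": group}
    return all(in_list(fields[key], name) for key, name in criteria.items())


def evaluate(policy, host, group):
    """Return (result, trace) for one IGMP membership report."""
    trace, matched = [], False
    for entry_id, criteria, action in sorted(policy["entries"], key=lambda e: e[0]):
        if action is None:            # entry without an action is inactive
            continue
        if not entry_matches(criteria, host, group):
            trace.append(f"entry {entry_id}: no match")
            continue
        matched = True
        trace.append(f"entry {entry_id}: match -> {action}")
        if action != "next-entry":    # accept, reject, next-policy end here
            return action, trace
    default = policy.get("default-action")
    if not matched and default is not None:
        trace.append(f"default-action -> {default}")
        return default, trace
    # A match occurred (default not used) or no default is configured:
    # the page leaves the outcome to the protocol's default behavior.
    trace.append("protocol default behavior applies")
    return "protocol-default", trace


if __name__ == "__main__":
    # Constructed sample reports: (host address, group address).
    reports = [("10.1.2.3", "10.6.6.6"), ("192.0.2.10", "10.6.6.6"),
               ("192.0.2.10", "10.6.6.7"), ("10.1.2.3", "10.6.6.7")]
    for name, policy in (("block-igmp", BLOCK_IGMP),
                         ("single-entry variant", BLOCK_IGMP_SINGLE_ENTRY)):
        for host, group in reports:
            result, trace = evaluate(policy, host, group)
            print(f"{name}: {host} -> {group}: {result} ({'; '.join(trace)})")
```

In this model a report for 10.6.6.6 is rejected whatever the host, because a host that misses entry 1 is still compared with entry 2, and a host that matches only entry 1 bypasses the default action. The single-entry variant rejects only when both criteria match.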
Configuring route policy components
This section describes the syntax needed to configure the route policy components.
Beginning the policy statement
Use the following syntax to begin a policy statement configuration. In order for a policy statement to be complete an entry must be specified (see Configuring an entry).
config>router>policy-options
    begin
    policy-statement name
        description text
The following error message displays when you try to modify a policy options command without entering begin first.
A:ALA-B>config>router>policy-options# policy-statement "allow all"
MINOR: CLI The policy-options must be in edit mode by calling begin before any changes can be made.
The following example displays policy statement configuration command usage. These commands are configured in the config>router context.
config>router# policy-options
policy-options# begin
There are no default policy statement options. All parameters must be explicitly configured.
Creating a route policy
To enter the mode to create or edit route policies, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include the following:
The commit command saves changes made to route policies during a session.
The abort command discards changes that have been made to route policies during a session.
The following error message displays when you try to modify a policy options command without entering begin first.
A:ALA-B>config>router>policy-options# policy-statement "allow all"
MINOR: CLI The policy-options must be in edit mode by calling begin before any changes can be made.
A:ALA-B>config>router>policy-options# info
#------------------------------------------
# Policy
#------------------------------------------
    policy-options
        begin
        policy-statement "allow all"
            description "General Policy"
            ...
        exit
    exit
----------------------------------------------
A:ALA-B>config>router>policy-options#
Configuring a default action
Specifying a default action is optional. The default action controls those packets not matching any policy statement entries. If no default action is specified for the policy, then the action associated with the protocol to which the routing policy was applied is performed.
A policy statement must include at least one entry (see Configuring an entry).
To enter the mode to create or edit route policies, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include the following:
The commit command saves changes made to route policies during a session.
The abort command discards changes that have been made to route policies during a session.
Configuring an entry
An entry action must be specified. The other parameters in the entry>action context are optional. See Route policy command reference for the commands and syntax.
Entry configuration output
The following is a sample of entry parameters and includes the default action parameters which were displayed in Configuring a default action.
A:ALA-B>config>router>policy-options# info
----------------------------------------------
    prefix-list "host"
        prefix 10.0.0.0/8 longer
    exit
    prefix-list "group"
        prefix 10.6.6.6/32 exact
    exit
    policy-statement "block-igmp"
        description "Reject-Reports-From-Specific-Group-And-Host"
        entry 1
            from
                host-ip "host"
            exit
            action next-entry
            exit
        exit
        entry 2
            from
                group-address "group"
            exit
            action reject
        exit
        default-action accept
        exit
    exit
----------------------------------------------
A:ALA-B>config>router>policy-options#
A:ALA-B>config>router>policy-options# info
----------------------------------------------
    prefix-list "host"
        prefix 10.0.0.0/8 longer
    exit
    prefix-list "group"
        prefix 10.6.6.6/32 exact
    exit
----------------------------------------------
A:ALA-B>config>router>policy-options#
Route policy configuration management tasks
This section describes the route policy configuration management tasks.
Editing policy statements and parameters
Route policy statements can be edited to modify, add, or delete parameters. To enter the mode to edit route policies, you must enter the begin keyword at the config>router>policy-options prompt. Other editing commands include the following:
The commit command saves changes made to route policies during a session.
The abort command discards changes that have been made to route policies during a session.
Changed configuration output
A:ALA-B>config>router>policy-options# info
----------------------------------------------
    prefix-list "host"
        prefix 10.0.0.0/8 longer
    exit
    prefix-list "group1"
        prefix 10.6.6.8/32 exact
    exit
    policy-statement "block-igmp"
        description "Reject-Reports-From-Specific-Group-And-Host"
        entry 1
            from
                host-ip "host"
            exit
            action next-entry
            exit
        exit
        entry 2
            from
                group-address "group1"
            exit
            action reject
        exit
        default-action accept
        exit
    exit
Deleting an entry
Use the following syntax to delete a policy statement entry.
config>router>policy-options
    begin
    commit
    abort
    policy-statement name
        no entry entry-id
Command usage to delete a policy statement entry
config>router>policy-options# begin
policy-options# policy-statement "1"
policy-options>policy-statement# no entry 4
policy-options>policy-statement# commit
Deleting a policy statement
Use the following syntax to delete a policy statement.
config>router>policy-options
    begin
    commit
    abort
    no policy-statement name
Command usage to delete a policy statement
config>router>policy-options# begin
policy-options# no policy-statement 1
policy-options# commit
Route policy command reference
Command hierarchies
Route policy configuration commands
config
    - [no] router [router-name]
        - [no] policy-options
            - abort
            - begin
            - commit
            - [no] policy-statement name
                - default-action {accept | next-entry | reject}
                - no default-action
                - description description-string
                - no description
                - [no] entry entry-id
                    - action {accept | next-entry | next-policy | reject}
                    - no action
                    - description description-string
                    - no description
                    - [no] from
                        - family [ipv4] [ipv6] [vpn-ipv4] [vpn-ipv6] [l2-vpn] [ms-pw] [route-target]
                        - group-address prefix-list-name
                        - no group-address
                        - [no] host-ip prefix-list-name
                        - prefix-list name [name...(up to 5 max)]
                        - no prefix-list
                        - source-address ip-address
                        - no source-address
config
    - [no] router
        - [no] policy-options
            - [no] prefix-list name
                - prefix ip-prefix/prefix-length [exact | longer | through length | prefix-length-range length1-length2]
                - no prefix [ip-prefix/prefix-length] [exact | longer | through length | prefix-length-range length1-length2]
Show commands
show
    - router
        - policy [name | prefix-list name | admin]
Command descriptions
Configuration commands
Generic commands
abort
Syntax
abort
Context
config>router>policy-options
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command discards changes made to a route policy.
begin
Syntax
begin
Context
config>router>policy-options
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates or edits route policies.
commit
Syntax
commit
Context
config>router>policy-options
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command saves the changes made to a route policy.
description
Syntax
description string
no description
Context
config>router>policy-options>policy-statement
config>router>policy-options>policy-statement>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates a text description which is stored in the configuration file to help identify the content of the entity.
The no form of this command removes the string from the configuration.
Parameters
- string
Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
Route policy options
policy-options
Syntax
[no] policy-options
Context
config>router
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure route policies. Route policies are used for IGMP group membership report filtering.
The no form of this command deletes the route policy configuration.
Route policy prefix commands
prefix-list
Syntax
[no] prefix-list name
Context
config>router>policy-options
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure a prefix list to use in route policy entries.
The no form of this command deletes the named prefix list.
Parameters
- name
Specifies the prefix list name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
prefix
Syntax
[no] prefix [ip-prefix/prefix-length] [exact | longer | through length | prefix-length-range length1-length2]
Context
config>router>policy-options>prefix-list
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates a prefix entry in the route policy prefix list.
The no form of this command deletes the prefix entry from the prefix list.
Parameters
- ip-prefix
Specifies the IP prefix for prefix list entry, in dotted-decimal notation.
- exact
Specifies the prefix list entry only matches the route with the specified ip-prefix and prefix mask (length) values.
- longer
Specifies that the prefix list entry matches any route that matches the specified ip-prefix and has a prefix mask length greater than the specified mask.
- through length
Specifies the prefix list entry matches any route that matches the specified ip-prefix and has a prefix length between the specified length values inclusive.
- prefix-length-range length1-length2
Specifies that a route must match the most significant bits and have a prefix length within the specified range. The range is inclusive of start and end values.
Route policy entry match commands
entry
Syntax
entry entry-id
no entry
Context
config>router>policy-options>policy-statement
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context edit route policy entries within the route policy statement.
Multiple entries can be created using unique entry IDs. The 7210 SAS OS exits the filter when the first match is found and executes the action specified. For this reason, entries must be sequenced properly from most to least explicit.
An entry does not require matching criteria to be defined (in which case, everything matches) but must at least define an action to be considered complete. Entries without an action are considered incomplete and are rendered inactive.
The no form of this command removes the specified entry from the route policy statement.
Parameters
- entry-id
Specifies the entry ID expressed as a decimal integer. An entry-id uniquely identifies match criteria and the corresponding action. Nokia recommends that multiple entries be given entry-ids in staggered increments. This allows users to insert a new entry in an existing policy without requiring renumbering of all the existing entries.
from
Syntax
[no] from
Context
config>router>policy-options>policy-statement>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure policy match criteria based on a route source or the protocol from which the route is received.
If no condition is specified, all route sources are considered to match.
The no form of this command deletes the source match criteria for the route policy statement entry.
family
Syntax
family [ipv4] [ipv6] [vpn-ipv4] [vpn-ipv6] [l2-vpn] [ms-pw] [route-target]
no family
Context
config>router>policy-options>policy-statement>entry>from
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies address families as matching conditions.
Parameters
- ipv4
Specifies IPv4 routing information.
- ipv6
Specifies IPv6 routing information.
- vpn-ipv4
Specifies IPv4 VPN routing information.
- vpn-ipv6
Specifies IPv6 VPN routing information.
- ms-pw
Specifies ms-pw routing information.
- l2-vpn
Exchanges Layer 2 VPN information.
- route-target
Specifies the route target to be accepted and advertised from/to route reflector clients.
group-address
Syntax
group-address prefix-list-name
no group-address
Context
config>router>policy-options>policy-statement>entry>from
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the multicast group-address prefix list containing multicast group-addresses that are embedded in the join or prune packet as a filter criterion. The prefix list must be configured before entering this command. Prefix lists are configured in the config>router>policy-options>prefix-list context.
The no form of this command removes the criterion from the configuration.
Default
no group-address
Parameters
- prefix-list-name
Specifies the prefix-list name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
The prefix-list-name is defined in the config>router>policy-options>prefix-list context.
host-ip
Syntax
host-ip prefix-list-name
Context
config>router>policy-options>policy-statement>entry>from
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies a prefix list host IP address as a match criterion for the route policy-statement entry.
Default
no host-ip
Parameters
- prefix-list-name
Specifies the prefix-list name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
The prefix-list-name is defined in the config>router>policy-options>prefix-list context.
policy-statement
Syntax
[no] policy-statement name
Context
config>router>policy-options
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure a route policy statement.
Route policy statements enable appropriate processing of IGMP group membership reports received from hosts. The processing action taken is determined by the action associated with the entries configured in the policy statement.
The policy-statement is a logical grouping of match and action criteria.
The no form of this command deletes the policy statement.
Default
no policy-statement
Parameters
- name
Specifies the route policy statement name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
prefix-list
Syntax
prefix-list name [name...up to 5 max]
no prefix-list
Context
config>router>policy-options>policy-statement>entry>from
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a prefix list as a match criterion for a route policy statement entry.
If no prefix list is specified, any network prefix is considered a match.
The prefix lists specify the network prefix (this includes the prefix and length) to which a specific policy entry applies.
A maximum of five prefix names can be specified.
The no form of this command removes the prefix list match criterion.
Default
no prefix-list
Parameters
- name
Specifies the prefix list name. Allowed values are any string up to 32 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
source-address
Syntax
source-address ip-address
no source-address
Context
config>router>policy-options>policy-statement>entry>from
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the source address that is embedded in the join or prune packet as a filter criterion. This command specifies a multicast data source address as a match criterion for this entry.
The no form of this command removes the criterion from the configuration.
Parameters
- ip-address
Specifies the IP prefix for the IP match criterion in dotted-decimal notation.
Route policy action commands
action
Syntax
action {accept | next-entry | next-policy | reject}
no action
Context
config>router>policy-options>policy-statement>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures actions to take for routes matching a route policy statement entry.
This command is required and must be entered for the entry to be active.
A route policy entry without the action command is considered incomplete and is inactive.
The no form of this command deletes the action context from the entry.
Default
no action
Parameters
- accept
Specifies that packets matching the entry match criteria are accepted and processed appropriately.
- next-entry
Specifies that the actions specified would be taken and policy evaluation would continue with next policy entry (if any others are specified).
- next-policy
Specifies that the actions specified would be made to the route attributes and policy evaluation would continue with next route policy (if any others are specified).
- reject
Specifies that packets matching the entry match criteria would be rejected.
default-action
Syntax
default-action {accept | next-entry | reject}
no default-action
Context
config>router>policy-options>policy-statement
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure actions for packets that do not match any route policy statement entries when the accept parameter is specified.
The default action clause can be set to all available action states including: accept, reject, next-entry and next-policy. If the action states accept or reject then the policy evaluation terminates and the appropriate result is returned.
If a default action is defined and no match occurred with the entries in the policy, the default action clause is used.
If a default action is defined and one or more matches occurred with the entries of the policy, the default action is not used.
The no form of this command deletes the default-action context for the policy statement.
Default
no default-action
Parameters
- accept
Specifies that packets matching the entry match criteria are accepted and processed appropriately.
- next-entry
Specifies that the actions specified would be taken and policy evaluation would continue with next policy entry (if any others are specified).
- reject
Specifies that packets matching the entry match criteria would be rejected.
Show commands
policy
Syntax
policy [name | prefix-list [name] | admin]
Context
show>router
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays configured policy statement information.
Parameters
- policy name
Displays information similar to the info command, for a specific policy-statement. If a name is provided, the matching policy-statement displays. If no statement name is specified, a list of all policy statements and descriptions displays.
- prefix-list name
Displays the prefix lists configured in the route policy.
- admin
Displays the entire policy option configuration, including any un-committed configuration changes. This command is similar to the info command.
Output
The following outputs are examples of policy information, and Output fields: show route policy describes the output fields:
The show router policy command displays all configured route policies.
*A:7210-2# show router policy
===============================================================================
Route Policies
===============================================================================
Policy Description
-------------------------------------------------------------------------------
block-igmp Reject-Reports-From-Specific-Group-And-Host
permit-igmp Accept-Reports-From-Specific-Group-And-Host
-------------------------------------------------------------------------------
Policies : 2
===============================================================================
*A:7210-2#
Sample output for router policy admin
The show router policy admin command is similar to the info command, which displays information about the route policies and parameters.
*A:7210-2# show router policy admin
    prefix-list "host"
        prefix 10.0.0.0/8 longer
    exit
    prefix-list "group"
        prefix 10.6.6.6/32 exact
    exit
    policy-statement "block-igmp"
        description "Reject-Reports-From-Specific-Group-And-Host"
        entry 1
            from
                host-ip "host"
            exit
            action next-entry
            exit
        exit
        entry 2
            from
                group-address "group"
            exit
            action reject
        exit
        default-action accept
        exit
    exit
    policy-statement "permit-igmp"
        description "Accept-Reports-From-Specific-Group-And-Host"
        entry 1
            from
                host-ip "host1"
                group-address "group1"
            exit
            action accept
            exit
        exit
        default-action reject
Sample output for router policy name
The show router policy name command displays information about a specific route policy.
*A:7210-2# show router policy permit-igmp
    description "Accept-Reports-From-Specific-Group-And-Host"
    entry 1
        from
            host-ip "host1"
            group-address "group1"
        exit
        action accept
        exit
    exit
    default-action reject
*A:7210-2#
The show router policy prefix-list command lists the prefix-lists configured in the route policy.
*A:7210-2# show router policy prefix-list
==================================
Prefix Lists
==================================
Prefix List Name
----------------------------------
host
group
----------------------------------
Num Prefix Lists: 2
==================================
*A:7210-2#
| Label | Description |
|---|---|
| Policy | Displays a list of route policy names |
| Description | Displays the description of each route policy |
| Policies | The total number of policies configured |