Routing policies
Routing policies allow detailed control of IP routes learned and advertised by routing protocols such as BGP, IS-IS, or OSPF.
Each routing policy has a sequence of rules (called entries or statements) and a default action. Each policy statement has zero or more match conditions, such as whether a route is owned by a specific protocol, and a main action, such as to accept or reject the routes; the statement may also have route-modifying actions. A route matches a statement if it meets all of the specified match conditions.
Each statement has a specified position in the policy. If a policy has multiple statements, they are processed in the order they are put in the policy. In addition, you can specify a default action that applies to routes that do not match any statement in the policy.
The first statement that matches the route determines the actions that are applied to the route. If the route is not matched by any statements, the default action of the policy is applied. If there is no default action, then a protocol- and context-specific default action is applied.
All routes match a statement with no match conditions. When a route fulfills the match conditions of a statement, the base action of the statement is applied, along with all of its route-modifying actions.
Routing policy match conditions
The following table summarizes the match conditions supported in SR Linux routing policies.
| Match condition | Description |
|---|---|
protocol |
Test if the route is owned by a specific protocol. The following options are supported:
|
family |
Test if the prefix is associated with any of the AFI/SAFI (address families) listed. The following options are supported:
|
call-policy |
Call another routing policy as a subroutine. See Routing policy subroutines. |
prefix.prefix-set |
Test if the route matches any entry in a configured prefix-set. See Prefix sets. |
internal-tags.tag-set |
Test if the route contains members of a configured tag-set. See "Configuring route internal tags" in the SR Linux VPN Services Guide. |
bgp.as-path.as-path-set |
Test if the route has an AS path that matches the regular expression in the configured AS-path set. See AS path sets. |
bgp.as-path-length |
Test if the AS-path length of the route is a specific value or in a range. |
bgp.community-set |
Test if a BGP community attached to the route matches the list of member elements and match-set-option in the BGP community-set. See BGP community-sets. |
bgp.evpn.route-type |
Test if the EVPN route type is a specific type (1-8). |
bgp.extended-community.extended-community-set |
Test if a BGP extended community attached to the route matches the list of member elements and match-set-option in the BGP extended community-set. See BGP community-sets. |
bgp.standard-community.standard-community-set |
Test if a BGP standard community attached to the route matches the list of member elements and match-set-option in the BGP standard community-set. See BGP community-sets. |
isis.level |
Test if the IS-IS route is associated with Level 1 or Level 2. |
isis.route-type |
Test if the IS-IS route is internal or external (redistributed from another protocol). An IPv4 prefix is external if it is signaled in TLV 130 or TLV135 with RFC 7794 X flag=1. An IPv6 prefix is external if TLV 236/TLV 237 external bit = 1. |
ospf.area-id |
Test if the OSPFv2 or OSPFv3 route is associated with the specified area ID. |
ospf.route-type |
Test if the OSPFv2 or OSPFV3 route is a specific route type: any of intra-area, inter-area, type-1-ext, type-2-ext, type-1-nssa, type-2-nssa, summary-aggregate, or nssa-aggregate. |
ospf.instance-id |
Test if the OSPFv2 or OSPFv3 route is associated with the specified instance ID. |
multicast.group-address.prefix-set |
Test if the multicast group address matches any entry in a configured prefix-set. See Prefix sets. |
multicast.source-address.prefix-set |
Test if the multicast source address matches any entry in a configured prefix-set. See Prefix sets. |
Specifying match conditions in a routing policy
You can specify the match conditions listed in Match conditions for routing policies in a policy statement. If a statement has no match conditions defined, all routes evaluated by the policy are considered to be matches.
Test if the route is owned by BGP
The following example specifies BGP protocol as a match condition in a policy statement:
--{ candidate shared default }--[ ]--
# info routing-policy policy policy01
routing-policy {
policy policy01 {
statement 100 {
match {
protocol bgp
}
}
}
}
Test if the route prefix is associated with an address family
The following example matches routes with a prefix belonging to the IPv4 or IPv6 labeled unicast address family:
--{ candidate shared default }--[ ]--
# info routing-policy policy policy02
routing-policy {
policy policy02 {
statement 100 {
match {
family [
ipv4-labeled-unicast
ipv6-labeled-unicast
]
}
}
}
}Test if an OSPF route is a specific route type
The following example matches OSPF type 2 external routes:
--{ candidate shared default }--[ ]--
# info routing-policy policy policy03
routing-policy {
policy policy03 {
statement 100 {
match {
protocol ospfv2
ospf {
route-type type-2-ext
}
}
}
}
}Routing policy subroutines
A match condition in a routing policy can call another routing policy as a subroutine.
SR Linux supports up to three levels of policy subroutines. For example, a main policy P0 can call a P1 policy. The P1 policy can call a P2 policy, and the P2 policy can call a P3 policy.
A route that is accepted by a Pn subroutine policy matches the Pn-1 policy statement that called policy Pn.
The subroutine policies (P1-P3) can modify the attributes
of matched routes. These modifications can happen in statements with action
accept or action next-statement or where the
default-action is accept.
The subroutine policy match can be combined with other match conditions in the same statement of a policy. Logically, the subroutine is evaluated after all other match conditions in the statement.
If the subroutine policy has a statement with action next-policy or
default-action next-policy, it is considered the same as
reject.
If a route that does not match any terminating entry of a subroutine (that is, the route does
not match any statement with an action of accept or
reject or next-policy), it is considered to be
accepted by the subroutine if the default-action of the subroutine
policy is accept. Otherwise, the route is considered to be rejected by
the subroutine.
The following example shows a routing policy P1 that uses policy P2 as a subroutine.
--{ +* candidate shared default }--[ ]--
# info routing-policy
routing-policy {
policy P1 {
statement 10 {
match {
call-policy [
P2
]
bgp {
as-path {
as-path-set downstream
}
}
}
action {
policy-result accept
}
}
}
policy p2 {
statement 10 {
match {
prefix {
prefix-set selected
}
}
action {
policy-result accept
}
}
}
}Routing policy actions
If a route matches a policy statement, the actions configured in the policy are applied to the route, including route property modifications. Depending on the configured action, the route may continue to be analyzed by further routing policy statements (if any), or the final disposition (either accept or reject) of the route is determined.
Default routing policy action
Each routing policy can optionally be configured with a
default action, which is applied to routes that do not match any policy statement. The
default action specifies a main action and optionally one or more route property
modification actions. The default action is applied to all routes evaluated by the policy
that do not match any statement or are only matched by statements that are non-terminating,
such as next-statement.
If the default action is explicitly configured as
accept or reject, evaluation ends at the current policy
even if there are further policies in the chain. If a policy does not have a configured
default action, or the default action for the policy is next-policy or
next-statement, then routes that do not match any statement in the policy
are automatically evaluated by the next policy in the chained list. See Specifying a default action for a configuration example.
Main routing policy actions
policy-result of the default action
or at the statement action level in a routing policy.| Action | Description |
|---|---|
accept |
The route is accepted, route property modifications are applied, and evaluation stops immediately; further statements and policies are not considered. |
reject |
The route is dropped and evaluation stops immediately; further statements and policies are not considered. |
next-statement |
No immediate decision is made about whether to accept or reject the route. Route policy modifications are applied, and evaluation continues automatically to the next statement. If there are no further statements in this policy, the default action of the current policy applies. |
next-policy |
No immediate decision is made about whether to accept or reject the route. Route policy modifications are applied, and evaluation skips the remainder of the statements in the current policy continuing automatically to the first statement in the next policy in the chained list. If there are no further policies, then the default action of the last policy in the chain applies. |
If no value is configured for policy-result,
the implicit default is next-statement (if not configured at the statement
action level) or next-policy (if not configured at the default-action
level).
Route property modification actions
The following table lists the route property modification actions that can be specified in a routing policy.
| Action | Description |
|---|---|
bgp.as-path.prepend |
Prepend a specific AS number one or more times to the AS path. |
bgp.as-path.remove |
Clear the AS path to make it empty. |
bgp.as-path.replace |
Clear the existing AS path and replace it with a new AS_SEQUENCE containing the listed AS numbers. |
bgp.communities.add |
Add all of the non-regex community members in the referenced community-set. Note: New communities are prepended before existing
communities, as shown in BGP RIB state information and in the advertised
UPDATE.
|
bgp.communities.remove |
Remove all communities that match any regex or non-regex member in the referenced community-set. |
bgp.communities.replace |
Delete all existing communities and add all non-regex community members in the referenced community-set. |
bgp.disable-ip-route-install |
Accept the route, allowing its re-advertisement, but do not install the route to the IP FIB. See Policy action to disable IP FIB installation. |
bgp.extended-community.method |
Indicate the method used to specify the extended communities for the action.
The only supported value is reference. |
bgp.extended-community.operation |
Add, remove, or replace extended communities in matched routes. The
The The Note that new communities are prepended before existing communities, as shown in BGP RIB state information and in the advertised UPDATE. |
bgp.extended-community.referenced-sets |
Indicate the extended community sets to perform the add, remove, or replace operation. |
bgp.standard-community.method |
Indicate the method used to specify the standard communities for the action.
The only supported value is reference. |
bgp.standard-community.operation |
Add, remove, or replace standard communities in matched routes. The
The The Note: New communities are prepended before existing communities,
as shown in BGP RIB state information and in the advertised UPDATE. |
bgp.standard-community.referenced-sets |
Indicate the standard community sets to perform the add, remove, or replace operation. |
bgp.label-allocation.prefix-sid.use-igp |
Use the programmed SR-IGP label index for the matching prefix, resulting in a stitch to the IGP segment routing tunnel. |
bgp.local-preference.set |
Set or modify the LOCAL_PREF to the specified value in matching BGP routes. |
bgp.med.operation |
Set or modify the MED according to the |
bgp.med.value |
Set or modify the MED to the specified value in matching BGP routes. See Policy actions for setting MED in BGP routes. |
bgp.next-hop-resolution.set-tag-set |
Reference a tag-set to be used for controlling next-hop resolution. |
bgp.next-hop.set |
Set or modify the BGP next-hop address to a specified IPv4 or IPv6 address or
to the keyword self. |
bgp.origin.set |
Set or modify the BGP ORIGIN attribute value to the specified value. |
isis.level |
Add the redistributed route to the specified level database. Supported values are 1 or 2. |
isis.metric.set-style |
Explicitly encode the metric of the matched IS-IS route as a wide metric in the appropriate IS-IS TLV that supports wide metrics. |
isis.metric.set-value |
Set the IS-IS metric value of the redistributed route to a number between 1 and 16777215. |
internal-tags.tag-set |
Add the tags in the tag-set as internal tags. |
route-preference.set |
Overwrite the route preference with the specified value. |
Specifying actions in a routing policy
You can specify the actions listed in Routing policy actions to routes that match a policy statement.
Accept static routes
The following example configures a routing policy statement to accept static routes.
--{ +* candidate shared default }--[ ]--
# info routing-policy policy policy01
routing-policy {
policy policy01 {
statement st1 {
match {
protocol static
}
action {
policy-result accept
}
}
}
}Set origin attribute for matching BGP routes
The following example specifies a policy with two statements. If a BGP route matches the first statement, the action is to proceed to the next statement. If the route matches the second statement, the action is to specify a new value for the origin attribute of the BGP route.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
policy policy02 {
statement 100 {
match {
protocol bgp
}
action {
policy-result next-statement
}
}
statement 101 {
match {
prefix-set western
}
action {
bgp {
origin {
set egp
}
}
}
}
}
}
Add communities from BGP standard-community set to matched routes
The following example matches BGP routes and adds every non-regex member of standard-community set st1 to the COMMUNITIES attribute of the matched routes.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
standard-community-set st1 {
member [
668$
^65100
]
}
policy p1 {
statement 100 {
match {
protocol bgp
}
action {
bgp {
standard-community {
operation add
referenced-sets [
st1
]
}
}
}
}
}
}Replace communities in matched routes with communities in a BGP extended-community set
The following example removes every existing extended community from matching BGP routes, then adds every non-regex member of extended-community set ex1 to the EXT_COMMUNITIES attribute of the matched routes.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
extended-community-set ex1 {
member [
target:10.1.1.1:.*
]
}
policy p2 {
statement 100 {
match {
protocol bgp
}
action {
bgp {
extended-community {
operation replace
referenced-sets [
ex1
]
}
}
}
}
}
}Specifying a default action
You can optionally specify the policy action for routes that do not match the conditions defined in the policy statements. The default action can be set to all available action states including accept, reject, next-entry, and next-policy.
-
If a default action is defined, and no matches occur with the statements in the policy, the default action is used.
-
If no default action is specified, the default behavior of the protocol controls whether the routes match.
For BGP, the default import action is to accept all routes from BGP. For internal routes, the default export action is to advertise them to BGP peers. For external routes, the default export action is not to advertise them to BGP peers.
The following example defines a policy where the default action for non-matching routes is to reject them:
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
policy policy01 {
default-action {
policy-result reject
}
}
}
Policy actions for setting MED in BGP routes
The following describes the supported policy actions for received BGP routes based on the contents of the MED attribute in the route (if any).
When a BGP export policy matches a non-BGP route for advertisement to neighbors:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric for the non-BGP route.
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED is added to the route.
When a BGP route is received with a MED attribute:
- If the route is matched by an import policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an import policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
- If neither case applies, the RIB-IN MED attribute is unmodified.
When a BGP route is received without a MED attribute:
- If the route is matched by an import policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and the new value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an import policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED attribute is added to the route.
When a BGP route is received with a MED attribute from one eBGP peer, and the route must be advertised to other eBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop (0 when receiving a route from a single hop eBGP peer)
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
- If neither case applies, the MED is stripped.
When a BGP route is received without a MED attribute from one eBGP peer, and the route must be advertised to other eBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric of the route that resolves the BGP next-hop (0 when receiving a route from a single hop eBGP peer).
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED is added to the route.
When a BGP route is received with a MED attribute from one eBGP peer, and the route must be advertised to iBGP peers, or else the route was received with a MED attribute from an iBGP peer for propagation to other iBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
- If neither case applies, the MED is unmodified.
When a BGP route is received with a MED attribute from one eBGP/iBGP peer, and the route must be advertised to other eBGP peers, the MED is stripped by default (if the route is not matched by a policy).
When a BGP route is received without a MED attribute from one eBGP peer, and the route must be advertised to iBGP peers, or else the route was received without a MED attribute from an iBGP peer for propagation to other eBGP or iBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED is added to the route.
Route property operation action for setting MED
The bgp.med.operation action can set or modify the MED according to
the bgp.med.value action in matching BGP routes, as described in
the following table:
| Operation | Value | Result |
|---|---|---|
set |
Unsigned 32-bit integer | Overwrite the current MED with the specified value. |
route-table-cost |
Overwrite the current MED with the metric of the resolving route. | |
add |
Unsigned 32-bit integer | Increment the current MED by the specified value. |
route-table-cost |
Increment the current MED by the metric of the resolving route. | |
subtract |
Unsigned 32-bit integer | Decrement the current MED by the specified value. |
route-table-cost |
Decrement the current MED by the metric of the resolving route. |
Policy action to disable IP FIB installation
Some data center switches have limited IP FIB capacity. It is possible these switches could receive more BGP routes than they have room for in their IP FIB tables. In such cases, you may want to suppress the IP FIB installation of some or all of the BGP routes the switch does not require for forwarding (for example, because the switch is not in the forwarding path, as in the case of a non-next-hop-self route reflector, or because the switch can fall back to less specific routes, such as a default route).
Matching and rejecting a BGP route in a BGP import policy prevents the route from being
installed in the IP FIB, but it also prevents the route from being re-advertised to
other BGP peers, which could be unacceptable. For these cases, you can configure the
disable-ip-route-install policy action. This policy action works as
follows:
For unlabeled IPv4 and IPv6 routes matched and accepted by a BGP import policy with a
disable-ip-route-install action:
- Routes are re-advertisable to other peers per normal BGP rules, even if
advertise-inactiveis not configured ornext-hop-selfis enabled. - Routes are less preferred by the BGP decision process than any installed route for
the same prefix. For these routes,
fib-install-disabledis displayed as thetie-break-reasonin state information. - Routes do not contribute toward and activate a covering aggregate route.
For unlabeled IPv4 and IPv6 routes matched and accepted by a BGP import policy with a disable-ip-route-install action:
- Host routes do not create/program tunnels.
- Re-advertisement with next-hop self does create/program ILM entries.
- Routes are re-advertisable to other peers per normal BGP rules, even if
advertise-inactiveis not configured ornext-hop-selfis enabled. - Routes are less preferred by the BGP decision process than any installed route for
the same prefix. For these routes,
fib-install-disabledis displayed as thetie-break-reasonin state information. - Routes do not contribute toward and activate a covering aggregate route.
BGP does not publish routes to fib_mgr that have been matched and accepted by a BGP
import policy with a disable-ip-route-install action. This means they
are not be re-advertisable by other protocols. In BGP RIB state information,
FIB-suppressed routes display used-route false and fib-disabled
true.
Applying a routing policy
Routing policies can be applied to routes received from other routers (imported routes), as well as routes advertised to other routers (exported routes). Routing policies can be applied at the network-instance level, peer-group level, and neighbor level.
Apply a routing policy to imported routes
The following example specifies that BGP in the default network-instance applies
policy01 to imported routes:
--{ candidate shared default }--[ ]--
# info network-instance default protocols bgp import-policy
network-instance default {
protocols {
bgp {
import-policy [
policy01
]
}
}
}Apply a routing policy to BGP routes exported from a peer-group
The following example applies policy02 to BGP routes exported from
the peers in peer-group headquarters1:
--{ candidate shared default }--[ ]--
# info network-instance default protocols bgp group headquarters1
network-instance default {
protocols {
bgp {
group headquarters1 {
export-policy [
policy02
]
}
}
}
}Apply a routing policy to BGP routes exported from a BGP neighbor
The following example applies policy02 to BGP routes exported from a
specific BGP neighbor:
--{ * candidate shared default }--[ ]--
# info network-instance default protocols bgp neighbor 192.168.11.1
network-instance default {
protocols {
bgp {
neighbor 192.168.11.1 {
export-policy [
policy02
]
}
}
}
}Applying a default policy to eBGP sessions
You can specify the action to take for routes exported to or imported from eBGP peers to which no configured policy applies. This is set with the ebgp-default-policy command and the export-reject-all and import-reject-all parameters.
-
The export-reject-all parameter, when set to true, causes all outbound routes that do not match a configured export policy to be rejected as if they had been rejected by a configured export policy. The default is true.
-
The import-reject-all parameter, when set to true, causes all inbound routes that do not match a configured import policy to be rejected as if they had been rejected by a configured import policy. The default is true.
The following example allows a BGP neighbor to export a default route even though the route is not subject to any configured policy:
--{ * candidate shared default }--[ ]--
# info network-instance default
network-instance default {
protocols {
bgp {
ebgp-default-policy {
export-reject-all false
}
neighbor 2001:db8::c11 {
send-default-route {
ipv6-unicast true
}
}
}
}
}Replacing an AS path
You can configure a routing policy where the AS path in matching routes is replaced by a list of AS numbers specified in the policy. For routes that match the policy, the current AS path is deleted and replaced with an AS_SEQ element containing the AS numbers listed in the policy in their configured sequence.
If you configure an empty AS list in the policy, then the current AS path in a matching route is deleted, and it would then have a null AS_PATH attribute.
The following is an example of a routing policy that matches BGP routes. The action for the
policy is next-policy, so routes that match the first policy are
evaluated by the second policy, whose action is to replace the AS path in matching
routes.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
policy policy01 {
statement 100 {
match {
protocol bgp
}
action {
policy-result next-policy
}
}
}
policy policy02 {
statement 100 {
match {
prefix-set western
}
action {
bgp {
as-path {
replace [
12
13
14
]
}
}
}
}
}
}Resequencing statements in a routing policy
Each routing policy statement has a numerical sequence identifier that determines its order relative to other statements in that policy. When a route is analyzed by a policy, it is evaluated by each statement in sequential order.
The definition of the sequence of statements is fully flexible and can be defined as required using the insert command. If the insert command is not used, new statements are added to the end of the policy.
In the following examples, routing policy policy01 consists of three statements: red, green, and blue.
--{ +* candidate shared default }--[ ]--
# info routing-policy policy policy01
routing-policy {
policy policy01 {
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
}
}Move a statement to the end of a routing policy
The following example moves statement red to the end of the routing policy:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement red last
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}Move a statement to the beginning of a routing policy
The following example moves statement blue to the beginning of the routing policy:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement blue first
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}Move a statement before an existing statement
The following example moves statement blue before statement green:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement blue before green
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}Move a statement after an existing statement
The following example moves statement red after statement green:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement red after green
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}AS path sets
In a routing policy, an AS path set groups one or more AS paths using regular expressions. An AS path regular expression is a string consisting of AS numbers and (usually) one or more regular expression operators to be searched within the complete AS_PATH attribute. AS path sets can be referenced in match conditions and actions in routing policy statements.
An AS path set can have up to 32 member elements, each up to 255 characters in length.
Match-set-options for AS path sets
When used as a match condition in a policy statement, an AS path set containing multiple
elements matches a route based on its configured match-set-option, which
can be one of the following:
-
any: a route is considered a match if its AS_PATH is matched by any of the member strings in the AS path set; if you do not specify a match-set-option, this is the default.
- all: a route is considered a match if its AS_PATH is matched by all of the member strings in the AS path set.
- invert:a route is considered a match if its AS_PATH is matched by none of the member strings in the AS path set.
Regex modes for AS path sets
A regular expression is a sequence of symbols and characters expressing a pattern to be searched within the complete AS_PATH attribute. The symbols are operators that imply a matching logic with respect to terms that precede or follow them. The smallest term that can be matched is the elementary term. Elementary terms can be combined to create more complex terms, and these can be collated to create even more complex terms.
In SR Linux, the regex mode configured for an AS path set determines the elementary term and the set of operator symbols that are supported. SR Linux supports the following regex modes:
-
The AS path is converted to a string and the string is matched one complete AS number at a time. AS-path sets are in ASN mode by default.
-
The AS path is converted to a string and the string is matched one character at a time.
ASN mode
When an AS path set is configured in ASN mode, the string is matched by treating each AS number as an elementary term. When a route is compared to an AS path regular expression, each 4-byte AS number is extracted, one-by-one from the AS path, starting with the most recent AS and proceeding to the oldest or originating AS, and checked for a match against the regular expression. If there is any AS number that does not match the pattern, then the route is considered not a match for the AS path regular expression, and therefore not a match for the policy statement where this match condition is used.
SR Linux supports the following regex operations for strings in an AS path set configured in ASN mode:
| Operation | Meaning |
|---|---|
| null | Keyword equivalent to "^$" |
| |
Matches the term on alternate sides of the pipe. |
* |
Matches multiple occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary or range terms. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly non-matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches at least m and at most n repetitions
of the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Asserts that the following term appears at the beginning of the AS path. |
$ |
Asserts that the preceding term appears at the end of the AS path. |
_ |
Matches one or more non-word characters, beginning of string, or end of string. |
< > |
Matches any AS path numbers containing a confederation SET or SEQ. |
The following table shows examples of valid regex strings for AS path sets in ASN mode.
| Regex string | Meaning | AS_PATH examples that match | AS_PATH examples that do not match |
|---|---|---|---|
"null" |
Match empty AS path. | empty | "100" |
"< 100 >" |
Match AS path that has only ASN 100 in a confed-sequence or confed-set. | "(100)" |
"100""(100 200)" |
"100 | 200" |
Match AS path has only ASN 100 or ASN 200. |
|
empty
|
"(50 50){1,2}" |
Match any AS path with 2 or 4 repetitions of 50. |
|
|
"^[100-109]" |
Match any AS path with single AS in the range 100-109 inclusive. |
|
|
"[^100] 200$" |
Match any AS path with two ASNs – the first must not be 100 and the second must be 200. | "105 200" |
empty
|
Character mode
When an AS path set is configured in character mode, the string is matched by treating each character in the string as an elementary term.
SR Linux supports the following regex operations for strings in an AS path set configured in character mode:
| Operation | Meaning |
|---|---|
| |
Matches the term on alternate sides of the pipe. |
* |
Matches 0, 1, or more occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary terms, range terms, or character class. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly not matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches at least m and at most n repetitions
of the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Matches the beginning of the string. |
$ |
Matches the end of the string. |
_ |
Match one or more non-word characters, beginning of string, or end of string. |
\[ |
Match left bracket (start of set). |
\] |
Match right brace (end of set). |
\( |
Match left parentheses (start of confed). |
\) |
Match right parentheses (end of confed). |
The following table shows examples of valid regex strings for AS path sets in character mode.
| Regex string | Meaning | AS_PATH examples that match | AS_PATH examples that do not match |
|---|---|---|---|
"^$" |
Match empty AS path. | empty | "100" |
"\(.*_100_.*\)" |
Match any AS path with an AS confed sequence that includes 100. | "50 (100 200)" |
"100" |
"(_100_)|(_200_)" |
Match any AS path that includes 100 or 200 at any location. |
|
empty
|
"^100_" |
Match any AS path that starts with 100 (most recent). | "100 500 600" |
"50 100" |
"_100$" |
Match any AS path that ends with 100 (origin). |
|
empty
|
"(_50_50_){1,2}" |
Match any AS path with 2 or 4 repetitions of 50 at any location. |
|
" |
"^10[0-9]_" |
Match any AS path with a leading AS in the range 100-109 inclusive. |
|
"200 100" |
Configuring an AS path set
Configure an AS path set in ASN mode
The following example configures an AS path set that consists of three regular expressions. The AS path set is configured in ASN mode, so when the AS_PATH attribute is converted to a string, the string is matched one complete AS number at a time. The match-set-option any is configured in the policy statement, so a route is considered a match if its AS_PATH is matched by any of the member strings in the AS path set.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
as-path-set asps1 {
regex-mode asn
as-path-set-member [
"(50 50){1,2}"
"100 | 200"
"[^100] 200$"
]
}
policy p1 {
statement 100 {
match {
bgp {
as-path {
as-path-set asps1
match-set-options any
}
}
}
}
}
}Configure an AS path set in character mode
The following example configures an AS path set in character mode. When the AS_PATH attribute is converted to a string, the string is matched one character at a time. The match-set-option all is configured in the policy statement, so a route is considered a match only if its AS_PATH is matched by all of the member strings in the AS path set.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
as-path-set asps2 {
regex-mode character
as-path-set-member [
"(_100_)|(_200_)"
"^10[0-9]_"
]
}
policy p2 {
statement 100 {
match {
bgp {
as-path {
as-path-set asps2
match-set-options all
}
}
}
}
}
}BGP community-sets
A BGP community-set is a policy construct that groups one or more BGP communities into a list of member elements, each representing either a specific community value or a regular expression that is parsed one character at a time. Community-sets can be referenced in match conditions and actions in routing policy statements.
SR Linux supports the following types of community sets:
-
A hybrid community-set can contain any mix of the following:
- standard 4-byte BGP community values or regular expressions (as defined in RFC 1997)
- extended 8-byte BGP community values or regular expressions (as defined in RFC 4360)
- large 12-byte BGP community values or regular expressions (as defined in RFC 8092)
Hybrid community-sets are configured using
routing-policy.community-set. -
Standard (maps to OpenConfig)
A standard community-set can only contain standard 4-byte BGP community values or regular expressions (as defined in RFC 1997). Standard community-sets are configured using
routing-policy.standard-community-set. -
Extended (maps to OpenConfig)
An extended community-set can only contain extended 8-byte BGP community values or regular expressions (as defined in RFC 4360). Extended community-sets are configured using
routing-policy.extended-community-set.
Match-set-options for community-sets
When used as a match condition in a policy statement, a community set containing multiple elements matches a route based on its configured match-set-option, which can be one of the following:
- all: a route matches the community-set if every element in the community-set is matched by a community attached to the route. If you do not specify a match-set-option, this is the default.
-
any: a route matches the community-set if there is at least one element in the community-set that is matched by a community attached to the route.
- invert: a route matches the community-set if none of the elements in the community-set are matched by a community attached to the route.
For hybrid community sets, the match-set-option is configured as part of the community set. All policy statements that reference a hybrid community-set use the match-set-option configured for that community-set.
For standard and extended community-sets, the match-set-option is configured within the policy statement itself.
Using hybrid and standard/extended community-sets in one policy statement
The match container of a single policy statement can reference a hybrid community-set, a standard-community-set and, or an extended community-set. The policy statement does not apply to a route unless all the community-set matches return a TRUE result.
The action.bgp container of a single policy statement can reference a
hybrid community-set, a standard-community-set and, or an extended-community-set. In this
case, the hybrid community actions are applied first, before any of the processing (match or
action) of the standard community-set or extended community-set is applied. This means that
a community added by a hybrid community action can be matched by standard community-set or
extended community-set.
Hybrid community-sets
In a routing policy, a policy statement can refer to a hybrid community set by making it the
target of the leaf routing-policy.policy.statement.match.bgp.community-set.
If the hybrid community-set contains multiple elements, then the matching behavior is
controlled by routing-policy.community-set.match-set-options. (See Match-set-options for community-sets.)
The following table lists the valid formats for elements in a hybrid community set.
| Format | Example | Meaning |
|---|---|---|
| no-export | Well-defined standard community NO-EXPORT. | |
| no-advertise | Well-defined standard community NO-ADVERTISE. | |
| no-export-subconfed | Well-defined standard community NO-EXPORT-SUBCONFED. | |
| <0-65535>:<0-65535> | Standard community matched exactly. | |
|
<regex> string must include one |
"65535:[0-9]" |
Standard communities matched by one regular expression See Supported regex symbols for hybrid community-sets. |
| <0-4294967295>:<0-4294967295>:<0-4294967295> | Large community matched exactly. | |
|
<regex>:<regex>:<regex> string must include two |
"(100)|(101):65000:4294967295" |
Large communities matched by three LEGACY style regular expressions. See Supported regex symbols for hybrid community-sets. |
| target:<0-65535>:<0-4294967295> | "target:1:100" |
type0 route-target extended community matched exactly. |
| target:<ipv4-address>:<0-65535> | "target:1.1.1.1:100" |
type1 route-target extended community matched exactly. |
| target:<0-4294967295>:<0-65535> | type2 route-target extended community matched exactly. | |
target:<regex>:<regex> string must start withtarget
and include two : and they are not part of the match |
"target:(100)|(101)" |
route-target extended communities matched by two regular expressions. See Supported regex symbols for hybrid community-sets. |
| origin:<0-65535>:<0-4294967295> | type0 route-origin extended community matched exactly. | |
| origin:<ipv4-address>:<0-65535> | type1 route-origin extended community matched exactly. | |
| origin:<0-4294967295>:<0-65535> | type2 route-origin extended community matched exactly. | |
|
origin:<regex>:<regex> string must start with |
route-origin extended community matched by two regular expressions. See Supported regex symbols for hybrid community-sets. | |
color:NN:<0-4294967295> NN=00,01,10,11 |
"color:01:100" |
color extended community matched exactly. |
| bgp-tunnel-encap:(MPLS|VXLAN) | "bgp-tunnel-encap:MPLS" |
BGP tunnel encapsulation extended community. |
The following table lists the supported regex symbols for hybrid community-sets.
| Operation | Meaning |
|---|---|
| |
Matches the term on alternate sides of the pipe. |
* |
Matches multiple occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so that a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary or range terms. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly non-matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches least m and at most n repetitions of
the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Matches the beginning of the string. |
$ |
Matches the end of the string. |
\ |
An escape character to indicate that the following character is a match criteria and not a grouping delimiter. |
Configuring a hybrid community-set
The following example configures a hybrid community-set that consists of two member elements. The match-set-option is invert, so a route matches this community-set if neither of the elements in the community-set are matched by a community attached to the route. The community-set is specified as a match condition in a routing policy.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
community-set cs1 {
match-set-options invert
member [
bgp-tunnel-encap:MPLS
target:1.1.1.1:100
]
}
policy p1 {
statement 100 {
match {
bgp {
community-set cs1
}
}
}
}
}Standard community-sets
In a routing policy, a policy statement can refer to a standard community-set by making it
the target of the leaf
routing-policy.policy.statement.match.bgp.standard-community.standard-community-set.
If the standard community-set contains multiple elements, the matching behavior is controlled
by
routing-policy.policy.statement.match.bgp.standard-community.match-set-options.
(See Match-set-options for community-sets.)
Each standard community-set consists of a leaf-list of member elements. Each member represents either a specific community value or a regex string to be evaluated. SR Linux decides whether to treat a community-set member as an exact match or regex string as follows.
| Member format1 | Interpreted as |
|---|---|
| <d>:<d> | Exact match of a standard community (not passed to regex engine). |
|
<d> <r> |
String to be passed to the regex engine. |
SR Linux supports the following operations for strings passed to the regex engine:
| Operation | Meaning |
|---|---|
| |
Matches the term on alternate sides of the pipe. |
* |
Matches 0, 1, or more occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary terms, range terms, or character class. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly non-matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches least m and at most n repetitions of
the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Matches the beginning of the string. |
$ |
Matches the end of the string. |
\ |
An escape character to indicate that the following character is match criteria and not a grouping delimiter. |
The following table shows examples of valid regex strings in standard community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
".*" |
Match all standard communities. | 65200:100 | |
|
|
Match any standard community with 65100-65199 as the AS. | 65150:200 | 65200:200 |
"^65100" |
Match any standard community associated with ASN 65100. |
65100:100 65100:200 |
65101:900 |
"666$" |
Match any standard community that ends in the digits 666. |
65100:666 65100:6666 |
666:1 |
":666$""_666$" |
Match any standard community for which the administered value is exactly 666. | 65100:666 | 65100:6666 |
Configuring a standard community-set
The following example configures a community-set consisting of four member elements: one specific community and three regex strings. The community-set is specified as a match condition in a routing policy. The match-set-option any is configured in the policy statement, so a route is considered a match if its AS_PATH is matched by any of the member elements in the AS path set
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
standard-community-set s1 {
member [
65200:200
10*:34684
^65100
"^651[0-9][0-9]:.*$"
]
}
policy p2 {
statement 100 {
match {
bgp {
standard-community {
standard-community-set s1
match-set-options any
}
}
}
}
}
}Extended community-sets
In a routing policy, a policy statement can refer to an extended community-set by making it
the target of the leaf
routing-policy.policy.statement.match.bgp.extended-community.extended-community-set.
If the extended community-set contains multiple elements, the matching behavior is controlled
by
routing-policy.policy.statement.match.bgp.extended-community.match-set-options.
(See Match-set-options for community-sets.)
Each extended community-set consists of a leaf-list of member elements. Each member represents either a specific community value, or a regex string to be evaluated. SR Linux decides whether to treat a community-set member as an exact match or regex string as follows:
| Member format1 | Interpreted as |
|---|---|
| target:<d>:<d> | Route target extended community exact match (not passed to regex engine). |
|
target:<r>:<d> target:<d>:<r> target:<r>:<r> target target: target:<d> target<r> |
Route target extended community regex. |
| origin:<d>:<d> | Route origin extended community exact match (not passed to regex engine). |
|
origin:<r>:<d> origin:<d>:<r> origin:<r>:<r> origin origin: origin:<d> origin<r> |
Route origin extended community regex. |
| link-bandwidth:<d>:<d>[kMGT] | Link-bandwidth extended community exact match (not passed to regex engine). |
|
link-bandwidth link-bandwidth: link-bandwidth:<d> link-bandwidth<r>[kMGT] |
Link-bandwidth extended community regex. |
| color:<bits>:<d> | Color extended community exact match (not passed to regex engine). |
|
color color: color:<bits> color<r> |
Color extended community regex. |
| bgp-tunnel-encap:<a> | BGP tunnel encap extended community exact match (not passed to regex engine). |
See Supported regex operations for standard and extended community-sets for valid operations for strings passed to the regex engine.
The following table shows examples of valid regex strings for route target and route origin elements in extended community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
"t.*" |
Not valid, rejected. | ||
"o.*" |
Not valid, rejected. | ||
"target" |
Match all RT ext communities. | target:65000:100 | link-bandwidth:65000:100M |
"origin" |
Match all RO ext communities. | origin:65000:100 | target:65000:100 |
"target:.*10.*" |
Match any RT ext community (any type) with two consecutive digits 10. |
target:65100:99 target:10.5.6.7:99 target:4294967295:1105 |
target:999:999 target:1.0.1.0:999 |
"target:10.1.1.1:.*" |
Match type-1 RT ext community with 10.1.1.1 address as the administrator. | target:10.1.1.1:100 | |
"target:10\..*" |
Match type-1 RT ext community with any 10/8 address as the administrator. | target:10.1.1.1:100 | target:105:100 |
target:10.* |
Match any RT ext community with leading digits 10 in the administrator part. |
target:105:999 target:100000:999 target:102.3.4.1:999 |
target:1110:999 |
"target.*_666$" |
Match any RT ext community where the administered value is exactly 666. |
target:65000:666 target:10.5.6.7:666 target:4294967295:666 |
target:65 |
The following table shows examples of valid regex strings for link-bandwidth elements in extended community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
"l.*" |
Not valid, rejected. | ||
"lb.*" |
Not valid, rejected. | ||
|
|
Match all LB ext communities. | link-bandwidth:65000:40k | route-target:65000:100 |
"link-bandwidth:10.* |
Match any LB ext community with leading digits 10 in the administrator part. |
link-bandwidth:10:1T link-bandwidth:105:1200 |
link-bandwidth:11:10M |
"link-bandwidth.*_100G$" |
Match any LB ext community that encodes the bandwidth value 100Gbps. |
link-bandwidth:65000:100G link-bandwidth:3333:100G |
link-bandwidth:100:100M link-bandwidth:100:1100G |
Configuring an extended community-set
Configure an extended community-set with route target and route origin member elements
The following example configures a community-set consisting of four member elements: one specific community and three regex strings. The community-set is specified as a match condition in a routing policy. The match-set-option any is configured in the policy statement.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
extended-community-set e1 {
member [
origin.*_666$
origin:.*10.*
target:1.1.1.1:100
target:1:100
]
}
policy p3 {
statement 100 {
match {
bgp {
extended-community {
extended-community-set e1
match-set-options any
}
}
}
}
}
}Configure an extended community-set with link-bandwidth member elements
The following example configures a community-set consisting of elements that match link-bandwidth extended communities. The community-set contains one specific link-bandwidth community and two regex strings.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
extended-community-set e2 {
member [
link-bandwidth.*_100G$
link-bandwidth:10.*
link-bandwidth:65000:1T
]
}
policy p3 {
statement 100 {
match {
bgp {
extended-community {
extended-community-set e2
match-set-options any
}
}
}
}
}
}Prefix sets
In a routing policy, a prefix set groups one or more IPv4 and, or IPv6 prefix matching entries. A prefix matching entry has two components:
- an IPv4 or IPv6 prefix, specifying an IPv4 or IPv6 address with zeroed host bits and a prefix length; for example, 192.168.1.0/21
- a
mask-length-range, specifying eitherexactor a range in the format <a>..<b>, where <a> is the starting prefix length (0-32 for IPv4, 0-128 for IPv6), and <b> is the ending prefix length (0-32 for IPv4, 0-128 for IPv6)
A prefix set containing multiple elements matches a route based on its configured
match-set-option. For prefix sets, the default and only supported
match-set-option is any, which means that the route is
considered a match if its destination is matched by any of the prefix matching entries.
Configuring a prefix set
The following example configures a prefix set that consists of two member elements. The prefix set is specified as a match condition in a routing policy.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
prefix-set pset1 {
prefix 10.10.1.0/24 mask-length-range 24..32 {
}
prefix 10.10.20.0/24 mask-length-range exact {
}
}
policy p1 {
statement 100 {
match {
prefix {
prefix-set pset1
match-set-options any
}
}
action {
policy-result accept
}
}
}
}