Routing policies
Routing policies allow detailed control of IP routes learned and advertised by routing protocols such as BGP, IS-IS, or OSPF.
Each routing policy has a sequence of rules (called entries or statements) and a default action. Each policy statement has zero or more match conditions, such as whether a route is owned by a specific protocol, and a main action, such as to accept or reject the routes; the statement may also have route-modifying actions. A route matches a statement if it meets all of the specified match conditions.
Each statement has a specified position in the policy. If a policy has multiple statements, they are processed in the order they are put in the policy. In addition, you can specify a default action that applies to routes that do not match any statement in the policy.
The first statement that matches the route determines the actions that are applied to the route. If the route is not matched by any statements, the default action of the policy is applied. If there is no default action, then a protocol- and context-specific default action is applied.
All routes match a statement with no match conditions. When a route fulfills the match conditions of a statement, the base action of the statement is applied, along with all of its route-modifying actions.
Routing policy match conditions
The following table summarizes the match conditions supported in SR Linux routing policies.
| Match condition | Description |
|---|---|
protocol |
Test if the route is owned by a specific protocol. The following options are supported:
|
family |
Test if the prefix is associated with any of the AFI/SAFI (address families) listed. The following options are supported:
|
call-policy |
Call another routing policy as a subroutine. See Routing policy subroutines. |
prefix.prefix-set |
Test if the route matches any entry in a configured prefix-set. See Prefix sets. |
internal-tags.tag-set |
Test if the route contains members of a configured tag-set. See "Configuring route internal tags" in the SR Linux VPN Services Guide. |
bgp.as-path.as-path-set |
Test if the route has an AS path that matches the regular expression in the configured AS-path set. See AS path sets. |
bgp.as-path-length |
Test if the AS-path length of the route is a specific value or in a range. |
bgp.community-set |
Test if a BGP community attached to the route matches the list of member elements and match-set-option in the BGP community-set. See BGP community-sets. |
bgp.evpn.route-type |
Test if the EVPN route type is a specific type (1-8). |
bgp.extended-community.extended-community-set |
Test if a BGP extended community attached to the route matches the list of member elements and match-set-option in the BGP extended community-set. See BGP community-sets. |
bgp.standard-community.standard-community-set |
Test if a BGP standard community attached to the route matches the list of member elements and match-set-option in the BGP standard community-set. See BGP community-sets. |
isis.level |
Test if the IS-IS route is associated with Level 1 or Level 2. |
isis.route-type |
Test if the IS-IS route is internal or external (redistributed from another protocol). An IPv4 prefix is external if it is signaled in TLV 130 or TLV135 with RFC 7794 X flag=1. An IPv6 prefix is external if TLV 236/TLV 237 external bit = 1. |
ospf.area-id |
Test if the OSPFv2 or OSPFv3 route is associated with the specified area ID. |
ospf.route-type |
Test if the OSPFv2 or OSPFV3 route is a specific route type: any of intra-area, inter-area, type-1-ext, type-2-ext, type-1-nssa, type-2-nssa, summary-aggregate, or nssa-aggregate. |
ospf.instance-id |
Test if the OSPFv2 or OSPFv3 route is associated with the specified instance ID. |
multicast.group-address.prefix-set |
Test if the multicast group address matches any entry in a configured prefix-set. See Prefix sets. |
multicast.source-address.prefix-set |
Test if the multicast source address matches any entry in a configured prefix-set. See Prefix sets. |
origin-network-instance |
The source network-instance where the route was originally learned or configured. If this match condition is omitted from a policy statement, the implied match is any network-instance. |
network-instance-leaked-route |
When set to When set to |
Specifying match conditions in a routing policy
You can specify the match conditions listed in Match conditions for routing policies in a policy statement. If a statement has no match conditions defined, all routes evaluated by the policy are considered to be matches.
Test if the route is owned by BGP
The following example specifies BGP protocol as a match condition in a policy statement:
--{ candidate shared default }--[ ]--
# info with-context routing-policy policy policy01
routing-policy {
policy policy01 {
statement 100 {
match {
protocol bgp
}
}
}
}
Test if the route prefix is associated with an address family
The following example matches routes with a prefix belonging to the IPv4 or IPv6 labeled unicast address family:
--{ candidate shared default }--[ ]--
# info with-context routing-policy policy policy02
routing-policy {
policy policy02 {
statement 100 {
match {
family [
ipv4-labeled-unicast
ipv6-labeled-unicast
]
}
}
}
}
Test if an OSPF route is a specific route type
The following example matches OSPF type 2 external routes:
--{ candidate shared default }--[ ]--
# info with-context routing-policy policy policy03
routing-policy {
policy policy03 {
statement 100 {
match {
protocol ospfv2
ospf {
route-type type-2-ext
}
}
}
}
}
Routing policy subroutines
A match condition in a routing policy can call another routing policy as a subroutine.
SR Linux supports up to three levels of policy subroutines. For example, a main policy P0 can call a P1 policy. The P1 policy can call a P2 policy, and the P2 policy can call a P3 policy.
A route that is accepted by a Pn subroutine policy matches the Pn-1 policy statement that called policy Pn.
The subroutine policies (P1-P3) can modify the attributes
of matched routes. These modifications can happen in statements with action
accept or action next-statement or where the
default-action is accept.
The subroutine policy match can be combined with other match conditions in the same statement of a policy. Logically, the subroutine is evaluated after all other match conditions in the statement.
If the subroutine policy has a statement with action next-policy or
default-action next-policy, it is considered the same as
reject.
If a route that does not match any terminating entry of a subroutine (that is, the route does
not match any statement with an action of accept or
reject or next-policy), it is considered to be
accepted by the subroutine if the default-action of the subroutine
policy is accept. Otherwise, the route is considered to be rejected by
the subroutine.
The following example shows a routing policy P1 that uses policy P2 as a subroutine.
--{ +* candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
policy P1 {
statement 10 {
match {
call-policy [
P2
]
bgp {
as-path {
as-path-set downstream
}
}
}
action {
policy-result accept
}
}
}
policy p2 {
statement 10 {
match {
prefix {
prefix-set selected
}
}
action {
policy-result accept
}
}
}
}
Routing policy conditional statements
Routing policy conditional statements allow you to associate a conditional test with policy statements. If the condition evaluates as true, the policy statement is evaluated as normal; routes matched by the statement have the configured actions applied to them. However, if the condition evaluates as false, the policy statement is skipped; that is, policy evaluation continues to the next statement, which may also be conditional.
SR Linux supports one type of conditional test: whether a route exists in the FIB table of a specified network-instance. You can configure this conditional test by specifying the following in a routing policy statement:
- a reference to a configured
prefix-set(mandatory). The prefix set can have any mix of IPv4 and IPv6 entries. - the
match-set-optionto apply to theprefix-set(one ofany,all, orinvert; default isany - a reference to a
network-instance(mandatory). Thenetwork-instanceis not required to match the network-instance where the policy is used. For example, a BGP peer export policy applied to a BGP peer in the default network-instance can have a conditional statement that depends on the existence of routes in an unrelated IP-VRF network-instance.
If a route matching the prefix-set exists in the FIB table of the referenced
network-instance, the condition evaluates as true or false based on the
configured match-set-option.
Routing policy conditional statements are useful in situations where a route should be imported or exported by a router only if it has specific routes present or not present in its routing table.
Using conditional statements in send-default-route export-policies
For routing policies called from the
network-instance.protocols.bgp.group.send-default-route.export-policy and
network-instance.protocols.bgp.neighbor.send-default-route.export-policy
contexts, policy evaluation skips the following entries, which are considered
non-matching.
- policy entries that do not have any configuration under the
actioncontainer - policy entries that have any configuration under the
matchcontainer - policy entries that do not have a
conditionconfigured
The first matching statement with a condition that evaluates as true has its actions applied to the route; the default action is not applied. If all matching statements have conditions that evaluate as false, or there are no matching entries, the default action is applied to the route.
Specifying conditional statements in a routing policy
To configure a conditional statement in a routing policy, specify a configured prefix
set in the condition container of a routing policy statement. The
condition container also specifies the
match-set-option used to evaluate whether the statement is true
or false and a reference to a configured network-instance.
Configure a prefix set
The following example configures a prefix set. The prefix set used for a routing table conditional statement can have any mix of IPv4 and IPv6 entries.
--{ candidate shared default }--[ ]--
# info with-context routing-policy prefix-set pset1
routing-policy {
prefix-set pset1 {
prefix 10.3.192.0/21 mask-length-range 21..24 {
}
prefix 10.4.192.0/21 mask-length-range exact {
}
}
}
The mask-length-range for individual prefix list entries can be exact or can be a range in the format length1..length2. For all prefixes in the prefix-set, length1 must be greater than or equal to /16 for IPv4 prefixes, and greater than or equal to /96 for IPv6 prefixes.
Configure a conditional statement in a routing policy
The following example configures a conditional statement in a routing policy. The
conditional statement checks whether routes matched by prefix set
pset1 exist in the FIB for the network instance
black.
The match-set-option is any, so the conditional
statement evaluates to true if there is any route in prefix set
pset1 that exists in the FIB for the network instance
black. In this case, the configured action is applied to the
matched routes.
The conditional statement evaluates to false if there is no route in prefix
set pset1 that exists in the FIB for the network instance
black. In this case, the policy statement is skipped and policy
evaluation continues to the next statement.
--{ candidate shared default }--[ ]--
# info with-context routing-policy policy p2
routing-policy {
policy p2 {
statement st1 {
condition {
route-table {
network-instance black
prefix-set pset1
match-set-options any
}
}
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result accept
}
}
statement st2 {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result reject
}
}
}
}
Routing policy actions
If a route matches a policy statement, the actions configured in the policy are applied to the route, including route property modifications. Depending on the configured action, the route may continue to be analyzed by further routing policy statements (if any), or the final disposition (either accept or reject) of the route is determined.
Default routing policy action
Each routing policy can optionally be configured with a
default action, which is applied to routes that do not match any policy statement. The
default action specifies a main action and optionally one or more route property
modification actions. The default action is applied to all routes evaluated by the policy
that do not match any statement or are only matched by statements that are non-terminating,
such as next-statement.
If the default action is explicitly configured as
accept or reject, evaluation ends at the current policy
even if there are further policies in the chain. If a policy does not have a configured
default action, or the default action for the policy is next-policy or
next-statement, then routes that do not match any statement in the policy
are automatically evaluated by the next policy in the chained list. See Specifying a default action for a configuration example.
Main routing policy actions
policy-result of the default action
or at the statement action level in a routing policy.| Action | Description |
|---|---|
accept |
The route is accepted, route property modifications are applied, and evaluation stops immediately; further statements and policies are not considered. |
reject |
The route is dropped and evaluation stops immediately; further statements and policies are not considered. |
next-statement |
No immediate decision is made about whether to accept or reject the route. Route policy modifications are applied, and evaluation continues automatically to the next statement. If there are no further statements in this policy, the default action of the current policy applies. |
next-policy |
No immediate decision is made about whether to accept or reject the route. Route policy modifications are applied, and evaluation skips the remainder of the statements in the current policy continuing automatically to the first statement in the next policy in the chained list. If there are no further policies, then the default action of the last policy in the chain applies. |
If no value is configured for policy-result,
the implicit default is next-statement (if not configured at the statement
action level) or next-policy (if not configured at the default-action
level).
Route property modification actions
The following table lists the route property modification actions that can be specified in a routing policy.
| Action | Description |
|---|---|
bgp.as-path.prepend |
Prepend a specific AS number one or more times to the AS path. |
bgp.as-path.remove |
Clear the AS path to make it empty. |
bgp.as-path.replace |
Clear the existing AS path and replace it with a new AS_SEQUENCE containing the listed AS numbers. |
bgp.communities.add |
Add all of the non-regex community members in the referenced community-set. Note: New communities are prepended before existing
communities, as shown in BGP RIB state information and in the advertised
UPDATE.
|
bgp.communities.remove |
Remove all communities that match any regex or non-regex member in the referenced community-set. |
bgp.communities.replace |
Delete all existing communities and add all non-regex community members in the referenced community-set. |
bgp.disable-ip-route-install |
Accept the route, allowing its re-advertisement, but do not install the route to the IP FIB. See Policy action to disable IP FIB installation. |
bgp.extended-community.method |
Indicate the method used to specify the extended communities for the action.
The only supported value is reference. |
bgp.extended-community.operation |
Add, remove, or replace extended communities in matched routes. The
The The Note that new communities are prepended before existing communities, as shown in BGP RIB state information and in the advertised UPDATE. |
bgp.extended-community.referenced-sets |
Indicate the extended community sets to perform the add, remove, or replace operation. |
bgp.standard-community.method |
Indicate the method used to specify the standard communities for the action.
The only supported value is reference. |
bgp.standard-community.operation |
Add, remove, or replace standard communities in matched routes. The
The The Note: New communities are prepended before existing communities,
as shown in BGP RIB state information and in the advertised UPDATE. |
bgp.standard-community.referenced-sets |
Indicate the standard community sets to perform the add, remove, or replace operation. |
bgp.label-allocation.prefix-sid.use-igp |
Use the programmed SR-IGP label index for the matching prefix, resulting in a stitch to the IGP segment routing tunnel. |
bgp.local-preference.operation |
Specify the operation to use when applying the configured value to the current
LOCAL_PREF; the only valid operation is set. |
bgp.local-preference.value |
Set the value of the LOCAL_PREF attribute in matching BGP routes. |
bgp.med.operation |
Set or modify the MED according to the |
bgp.med.value |
Set or modify the MED to the specified value in matching BGP routes. See Policy actions for setting MED in BGP routes. |
bgp.next-hop-resolution.set-tag-set |
Reference a tag-set to be used for controlling next-hop resolution. |
bgp.next-hop.set |
Set or modify the BGP next-hop address to a specified IPv4 or IPv6 address or
to the keyword self. |
bgp.origin.set |
Set or modify the BGP ORIGIN attribute value to the specified value. |
isis.level |
Add the redistributed route to the specified level database. Supported values are 1 or 2. |
isis.metric.set-style |
Explicitly encode the metric of the matched IS-IS route as a wide metric in the appropriate IS-IS TLV that supports wide metrics. |
isis.metric.set-value |
Set the IS-IS metric value of the redistributed route to a number between 1 and 16777215. |
internal-tags.tag-set |
Add the tags in the tag-set as internal tags. |
ospf.metric.set-value |
Set the OSPF metric value of the redistributed route to a uint16 number. |
ospf.metric.set-external-type |
Set the OSPF external metric type of the redistributed route as type-1 or type-2. |
resilient-hash.apply |
Enable resilient hashing if the accepted route becomes the best BGP path. |
resilient-hash.hash-buckets-per-path |
Set the number of times each next-hop is repeated in the fill pattern if there
are max-paths ECMP next-hops. |
resilient-hash.max-paths |
Set the maximum number of ECMP next-hops per route associated with the resilient-hash prefix. |
route-preference.set |
Overwrite the route preference with the specified value. |
Specifying actions in a routing policy
You can specify the actions listed in Routing policy actions to routes that match a policy statement.
Accept static routes
The following example configures a routing policy statement to accept static routes.
--{ +* candidate shared default }--[ ]--
# info with-context routing-policy policy policy01
routing-policy {
policy policy01 {
statement st1 {
match {
protocol static
}
action {
policy-result accept
}
}
}
}
Set origin attribute for matching BGP routes
The following example specifies a policy with two statements. If a BGP route matches the first statement, the action is to proceed to the next statement. If the route matches the second statement, the action is to specify a new value for the origin attribute of the BGP route.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
policy policy02 {
statement 100 {
match {
protocol bgp
}
action {
policy-result next-statement
}
}
statement 101 {
match {
prefix-set western
}
action {
bgp {
origin {
set egp
}
}
}
}
}
}
Add communities from BGP standard-community set to matched routes
The following example matches BGP routes and adds every non-regex member of standard-community set st1 to the COMMUNITIES attribute of the matched routes.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
standard-community-set st1 {
member [
668$
^65100
]
}
policy p1 {
statement 100 {
match {
protocol bgp
}
action {
bgp {
standard-community {
operation add
referenced-sets [
st1
]
}
}
}
}
}
}
Replace communities in matched routes with communities in a BGP extended-community set
The following example removes every existing extended community from matching BGP routes, then adds every non-regex member of extended-community set ex1 to the EXT_COMMUNITIES attribute of the matched routes.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
extended-community-set ex1 {
member [
target:10.1.1.1:.*
]
}
policy p2 {
statement 100 {
match {
protocol bgp
}
action {
bgp {
extended-community {
operation replace
referenced-sets [
ex1
]
}
}
}
}
}
}
Specifying a default action
You can optionally specify the policy action for routes that do not match the conditions defined in the policy statements. The default action can be set to all available action states including accept, reject, next-entry, and next-policy.
-
If a default action is defined, and no matches occur with the statements in the policy, the default action is used.
-
If no default action is specified, the default behavior of the protocol controls whether the routes match.
For BGP, the default import action is to accept all routes from BGP. For internal routes, the default export action is to advertise them to BGP peers. For external routes, the default export action is not to advertise them to BGP peers.
The following example defines a policy where the default action for non-matching routes is to reject them:
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
policy policy01 {
default-action {
policy-result reject
}
}
}
Policy actions for setting MED in BGP routes
The following describes the supported policy actions for received BGP routes based on the contents of the MED attribute in the route (if any).
When a BGP export policy matches a non-BGP route for advertisement to neighbors:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric for the non-BGP route.
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED is added to the route.
When a BGP route is received with a MED attribute:
- If the route is matched by an import policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an import policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
- If neither case applies, the RIB-IN MED attribute is unmodified.
When a BGP route is received without a MED attribute:
- If the route is matched by an import policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and the new value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an import policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED attribute is added to the route.
When a BGP route is received with a MED attribute from one eBGP peer, and the route must be advertised to other eBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop (0 when receiving a route from a single hop eBGP peer)
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
- If neither case applies, the MED is stripped.
When a BGP route is received without a MED attribute from one eBGP peer, and the route must be advertised to other eBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric of the route that resolves the BGP next-hop (0 when receiving a route from a single hop eBGP peer).
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED is added to the route.
When a BGP route is received with a MED attribute from one eBGP peer, and the route must be advertised to iBGP peers, or else the route was received with a MED attribute from an iBGP peer for propagation to other iBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
- If neither case applies, the MED is unmodified.
When a BGP route is received with a MED attribute from one eBGP/iBGP peer, and the route must be advertised to other eBGP peers, the MED is stripped by default (if the route is not matched by a policy).
When a BGP route is received without a MED attribute from one eBGP peer, and the route must be advertised to iBGP peers, or else the route was received without a MED attribute from an iBGP peer for propagation to other eBGP or iBGP peers:
- If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric of the route that resolves the BGP next-hop.
- If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
- If neither case applies, no MED is added to the route.
Route property operation action for setting MED
The bgp.med.operation action can set or modify the MED according to
the bgp.med.value action in matching BGP routes, as described in
the following table:
| Operation | Value | Result |
|---|---|---|
set |
Unsigned 32-bit integer | Overwrite the current MED with the specified value. |
route-table-cost |
Overwrite the current MED with the metric of the resolving route. | |
add |
Unsigned 32-bit integer | Increment the current MED by the specified value. |
route-table-cost |
Increment the current MED by the metric of the resolving route. | |
subtract |
Unsigned 32-bit integer | Decrement the current MED by the specified value. |
route-table-cost |
Decrement the current MED by the metric of the resolving route. |
Policy action to disable IP FIB installation
Some data center switches have limited IP FIB capacity. It is possible these switches could receive more BGP routes than they have room for in their IP FIB tables. In such cases, you may want to suppress the IP FIB installation of some or all of the BGP routes the switch does not require for forwarding (for example, because the switch is not in the forwarding path, as in the case of a non-next-hop-self route reflector, or because the switch can fall back to less specific routes, such as a default route).
Matching and rejecting a BGP route in a BGP import policy prevents the route from being
installed in the IP FIB, but it also prevents the route from being re-advertised to
other BGP peers, which could be unacceptable. For these cases, you can configure the
disable-ip-route-install policy action. This policy action works as
follows:
For unlabeled IPv4 and IPv6 routes matched and accepted by a BGP import policy with a
disable-ip-route-install action:
- Routes are re-advertisable to other peers per normal BGP rules, even if
advertise-inactiveis not configured ornext-hop-selfis enabled. - Routes are less preferred by the BGP decision process than any installed route for
the same prefix. For these routes,
fib-install-disabledis displayed as thetie-break-reasonin state information. - Routes do not contribute toward and activate a covering aggregate route.
For unlabeled IPv4 and IPv6 routes matched and accepted by a BGP import policy with a disable-ip-route-install action:
- Host routes do not create/program tunnels.
- Re-advertisement with next-hop self does create/program ILM entries.
- Routes are re-advertisable to other peers per normal BGP rules, even if
advertise-inactiveis not configured ornext-hop-selfis enabled. - Routes are less preferred by the BGP decision process than any installed route for
the same prefix. For these routes,
fib-install-disabledis displayed as thetie-break-reasonin state information. - Routes do not contribute toward and activate a covering aggregate route.
BGP does not publish routes to fib_mgr that have been matched and accepted by a BGP
import policy with a disable-ip-route-install action. This means they
are not be re-advertisable by other protocols. In BGP RIB state information,
FIB-suppressed routes display used-route false and fib-disabled
true.
Policy action to control resilient ECMP hashing
For IP routes that are ECMP routes (multiple next-hops), the resilient ECMP hashing feature allows changes to the size of the ECMP set to be made by moving as few flows as possible. This is useful when the ECMP next-hops of an IP route correspond to network appliances or host servers that maintain state for the flows that they service, and moving flows requires state to be rebuilt. See Resilient ECMP hashing for details about how this feature works.
Enabling resilient ECMP hashing can be controlled using an action in a routing policy. Resilient hashing policy actions are supported only in peer import policies that apply to BGP routes received from BGP peers. This includes policies called from any of these contexts (or their subroutines):
-
network-instance.protocols.bgp.import-policy -
network-instance.protocols.bgp.afi-safi.import-policy -
network-instance.protocols.bgp.group.import-policy -
network-instance.protocols.bgp.group.afi-safi.import-policy -
network-instance.protocols.bgp.neighbor.import-policy -
network-instance.protocols.bgp.neighbor.afi-safi.import-policy
There is no restriction for the AFI-SAFI family of the routes matched by the above policies. If a BGP route for a specific AFI-SAFI can create an ECMP-capable IPv4 or IPv6 route in the IP FIB table, then the resilient hashing policy actions apply to that BGP route.
For a resilient hashing policy action, you configure the following parameters:
- apply: enable or disable resilient hashing if the accepted
route becomes the best BGP path; can be set to
trueorfalse. - max-paths: set the maximum number of ECMP next-hops per route
associated with the resilient-hash prefix; required if apply is
set to
true. - hash-buckets-per-path: set the number of times each next-hop is
repeated in the fill pattern if there are
max-pathsECMP next-hops; required if apply is set totrue.
Resilient hashing is enabled for an IPv4 or IPv6 prefix when either of the following are true:
-
The active route for the prefix is a BGP route, and the best BGP route for the prefix was processed by an import policy that accepted the route with a
resilient-hash.apply trueaction. -
The active route for the prefix is a non-BGP route or else a best BGP route without any import-policy resilient-hash action applied, and the route is covered by configuration of a
resilient-hash-prefixin the network-instance where it is installed.
Resilient hashing is disabled for an IPv4 or IPv6 prefix when either of the following are true:
-
The active route for the prefix is a BGP route, and the best BGP route for the prefix was processed by an import policy that accepted the route with a
resilient-hash.apply falseaction. -
The active route for the prefix is a non-BGP route or else a best BGP route without any import-policy resilient-hash action applied, and the route is not covered by configuration of a
resilient-hash-prefixin the network-instance where it is installed.
To program a route to support resilient ECMP, the system needs to know the maximum possible number of ECMP next-hops for the route, and the number of hash buckets to use for each possible ECMP next-hop. These values, configured with the max-paths and hash-buckets-per-path parameters, determine the hash bucket fill pattern.
The following example configures a routing policy statement with a resilient hashing action. Best BGP routes routes that match the import policy are provided with resilient-hash programming. The hash-buckets-per-path value is 4 and the max-paths value is 6, so the fill pattern has 24 hash buckets, offering space for 6 next-hops, each repeated 4 times.
--{ +* candidate shared default }--[ ]--
# info with-context routing-policy policy res-hash statement st1 action
routing-policy {
policy res-hash {
statement st1 {
action {
resilient-hash {
apply true
hash-buckets-per-path 4
max-paths 6
}
}
}
}
}
Applying a routing policy
Routing policies can be applied to routes received from other routers (imported routes), as well as routes advertised to other routers (exported routes). Routing policies can be applied at the network-instance level, peer-group level, and neighbor level.
Apply a routing policy to imported routes
The following example specifies that BGP in the default network-instance applies
policy01 to imported routes:
--{ candidate shared default }--[ ]--
# info with-context network-instance default protocols bgp import-policy
network-instance default {
protocols {
bgp {
import-policy [
policy01
]
}
}
}
Apply a routing policy to BGP routes exported from a peer-group
The following example applies policy02 to BGP routes exported from
the peers in peer-group headquarters1:
--{ candidate shared default }--[ ]--
# info network-instance default protocols bgp group headquarters1
network-instance default {
protocols {
bgp {
group headquarters1 {
export-policy [
policy02
]
}
}
}
}
Apply a routing policy to BGP routes exported from a BGP neighbor
The following example applies policy02 to BGP routes exported from a
specific BGP neighbor:
--{ * candidate shared default }--[ ]--
# info network-instance default protocols bgp neighbor 192.168.11.1
network-instance default {
protocols {
bgp {
neighbor 192.168.11.1 {
export-policy [
policy02
]
}
}
}
}
Applying a default policy to eBGP sessions
You can specify the action to take for routes exported to or imported from eBGP peers to which no configured policy applies. This is set with the ebgp-default-policy command and the export-reject-all and import-reject-all parameters.
-
The export-reject-all parameter, when set to true, causes all outbound routes that do not match a configured export policy to be rejected as if they had been rejected by a configured export policy. The default is true.
-
The import-reject-all parameter, when set to true, causes all inbound routes that do not match a configured import policy to be rejected as if they had been rejected by a configured import policy. The default is true.
The following example allows a BGP neighbor to export a default route even though the route is not subject to any configured policy:
--{ * candidate shared default }--[ ]--
# info with-context network-instance default
network-instance default {
protocols {
bgp {
ebgp-default-policy {
export-reject-all false
}
neighbor 2001:db8::c11 {
send-default-route {
ipv6-unicast true
}
}
}
}
}
Replacing an AS path
You can configure a routing policy where the AS path in matching routes is replaced by a list of AS numbers specified in the policy. For routes that match the policy, the current AS path is deleted and replaced with an AS_SEQ element containing the AS numbers listed in the policy in their configured sequence.
If you configure an empty AS list in the policy, then the current AS path in a matching route is deleted, and it would then have a null AS_PATH attribute.
The following is an example of a routing policy that matches BGP routes. The action for the
policy is next-policy, so routes that match the first policy are
evaluated by the second policy, whose action is to replace the AS path in matching
routes.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
policy policy01 {
statement 100 {
match {
protocol bgp
}
action {
policy-result next-policy
}
}
}
policy policy02 {
statement 100 {
match {
prefix-set western
}
action {
bgp {
as-path {
replace [
12
13
14
]
}
}
}
}
}
}
Resequencing statements in a routing policy
Each routing policy statement has a numerical sequence identifier that determines its order relative to other statements in that policy. When a route is analyzed by a policy, it is evaluated by each statement in sequential order.
The definition of the sequence of statements is fully flexible and can be defined as required using the insert command. If the insert command is not used, new statements are added to the end of the policy.
In the following examples, routing policy policy01 consists of three statements: red, green, and blue.
--{ +* candidate shared default }--[ ]--
# info with-context routing-policy policy policy01
routing-policy {
policy policy01 {
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
}
}
Move a statement to the end of a routing policy
The following example moves statement red to the end of the routing policy:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement red last
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
Move a statement to the beginning of a routing policy
The following example moves statement blue to the beginning of the routing policy:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement blue first
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
Move a statement before an existing statement
The following example moves statement blue before statement green:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement blue before green
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
Move a statement after an existing statement
The following example moves statement red after statement green:
--{ +* candidate shared default }--[ ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement red after green
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context
statement green {
match {
prefix-set pset1
}
action {
policy-result reject
}
}
statement red {
match {
protocol bgp
}
action {
policy-result accept
}
}
statement blue {
match {
family [
ipv4-unicast
ipv6-unicast
]
}
action {
policy-result next-policy
}
}
AS path sets
In a routing policy, an AS path set groups one or more AS paths using regular expressions. An AS path regular expression is a string consisting of AS numbers and (usually) one or more regular expression operators to be searched within the complete AS_PATH attribute. AS path sets can be referenced in match conditions and actions in routing policy statements.
An AS path set can have up to 32 member elements, each up to 255 characters in length.
Match-set-options for AS path sets
When used as a match condition in a policy statement, an AS path set containing multiple
elements matches a route based on its configured match-set-option, which
can be one of the following:
-
any: a route is considered a match if its AS_PATH is matched by any of the member strings in the AS path set; if you do not specify a match-set-option, this is the default.
- all: a route is considered a match if its AS_PATH is matched by all of the member strings in the AS path set.
- invert:a route is considered a match if its AS_PATH is matched by none of the member strings in the AS path set.
Regex modes for AS path sets
A regular expression is a sequence of symbols and characters expressing a pattern to be searched within the complete AS_PATH attribute. The symbols are operators that imply a matching logic with respect to terms that precede or follow them. The smallest term that can be matched is the elementary term. Elementary terms can be combined to create more complex terms, and these can be collated to create even more complex terms.
In SR Linux, the regex mode configured for an AS path set determines the elementary term and the set of operator symbols that are supported. SR Linux supports the following regex modes:
-
The AS path is converted to a string and the string is matched one complete AS number at a time. AS-path sets are in ASN mode by default.
-
The AS path is converted to a string and the string is matched one character at a time.
ASN mode
When an AS path set is configured in ASN mode, the string is matched by treating each AS number as an elementary term. When a route is compared to an AS path regular expression, each 4-byte AS number is extracted, one-by-one from the AS path, starting with the most recent AS and proceeding to the oldest or originating AS, and checked for a match against the regular expression. If there is any AS number that does not match the pattern, then the route is considered not a match for the AS path regular expression, and therefore not a match for the policy statement where this match condition is used.
SR Linux supports the following regex operations for strings in an AS path set configured in ASN mode:
| Operation | Meaning |
|---|---|
| null | Keyword equivalent to "^$" |
| |
Matches the term on alternate sides of the pipe. |
* |
Matches multiple occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary or range terms. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly non-matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches at least m and at most n repetitions
of the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Asserts that the following term appears at the beginning of the AS path. |
$ |
Asserts that the preceding term appears at the end of the AS path. |
_ |
Matches one or more non-word characters, beginning of string, or end of string. |
< > |
Matches any AS path numbers containing a confederation SET or SEQ. |
The following table shows examples of valid regex strings for AS path sets in ASN mode.
| Regex string | Meaning | AS_PATH examples that match | AS_PATH examples that do not match |
|---|---|---|---|
"null" |
Match empty AS path. | empty | "100" |
"< 100 >" |
Match AS path that has only ASN 100 in a confed-sequence or confed-set. | "(100)" |
"100""(100 200)" |
"100 | 200" |
Match AS path has only ASN 100 or ASN 200. |
|
empty
|
"(50 50){1,2}" |
Match any AS path with 2 or 4 repetitions of 50. |
|
|
"^[100-109]" |
Match any AS path with single AS in the range 100-109 inclusive. |
|
|
"[^100] 200$" |
Match any AS path with two ASNs – the first must not be 100 and the second must be 200. | "105 200" |
empty
|
"100
200" |
Match any AS path with ASNs 100 and 200 occurring exactly in this sequence somewhere in the AS path. |
|
empty
|
Character mode
When an AS path set is configured in character mode, the string is matched by treating each character in the string as an elementary term.
SR Linux supports the following regex operations for strings in an AS path set configured in character mode:
| Operation | Meaning |
|---|---|
| |
Matches the term on alternate sides of the pipe. |
* |
Matches 0, 1, or more occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary terms, range terms, or character class. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly not matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches at least m and at most n repetitions
of the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Matches the beginning of the string. |
$ |
Matches the end of the string. |
_ |
Match one or more non-word characters, beginning of string, or end of string. |
\[ |
Match left bracket (start of set). |
\] |
Match right brace (end of set). |
\( |
Match left parentheses (start of confed). |
\) |
Match right parentheses (end of confed). |
The following table shows examples of valid regex strings for AS path sets in character mode.
| Regex string | Meaning | AS_PATH examples that match | AS_PATH examples that do not match |
|---|---|---|---|
"^$" |
Match empty AS path. | empty | "100" |
"\(.*_100_.*\)" |
Match any AS path with an AS confed sequence that includes 100. | "50 (100 200)" |
"100" |
"(_100_)|(_200_)" |
Match any AS path that includes 100 or 200 at any location. |
|
empty
|
"^100_" |
Match any AS path that starts with 100 (most recent). | "100 500 600" |
"50 100" |
"_100$" |
Match any AS path that ends with 100 (origin). |
|
empty
|
"(_50_50_){1,2}" |
Match any AS path with 2 or 4 repetitions of 50 at any location. |
|
" |
"^10[0-9]_" |
Match any AS path with a leading AS in the range 100-109 inclusive. |
|
"200 100" |
Configuring an AS path set
Configure an AS path set in ASN mode
The following example configures an AS path set that consists of three regular expressions. The AS path set is configured in ASN mode, so when the AS_PATH attribute is converted to a string, the string is matched one complete AS number at a time. The match-set-option any is configured in the policy statement, so a route is considered a match if its AS_PATH is matched by any of the member strings in the AS path set.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
as-path-set asps1 {
regex-mode asn
as-path-set-member [
"(50 50){1,2}"
"100 | 200"
"[^100] 200$"
]
}
policy p1 {
statement 100 {
match {
bgp {
as-path {
as-path-set asps1
match-set-options any
}
}
}
}
}
}
Configure an AS path set in character mode
The following example configures an AS path set in character mode. When the AS_PATH attribute is converted to a string, the string is matched one character at a time. The match-set-option all is configured in the policy statement, so a route is considered a match only if its AS_PATH is matched by all of the member strings in the AS path set.
--{ candidate shared default }--[ ]--
# info routing-policy
routing-policy {
as-path-set asps2 {
regex-mode character
as-path-set-member [
"(_100_)|(_200_)"
"^10[0-9]_"
]
}
policy p2 {
statement 100 {
match {
bgp {
as-path {
as-path-set asps2
match-set-options all
}
}
}
}
}
}
BGP community-sets
A BGP community-set is a policy construct that groups one or more BGP communities into a list of member elements, each representing either a specific community value or a regular expression that is parsed one character at a time. Community-sets can be referenced in match conditions and actions in routing policy statements.
SR Linux supports the following types of community sets:
-
A hybrid community-set can contain any mix of the following:
- standard 4-byte BGP community values or regular expressions (as defined in RFC 1997)
- extended 8-byte BGP community values or regular expressions (as defined in RFC 4360)
- large 12-byte BGP community values or regular expressions (as defined in RFC 8092)
Hybrid community-sets are configured using
routing-policy.community-set. -
Standard (maps to OpenConfig)
A standard community-set can only contain standard 4-byte BGP community values or regular expressions (as defined in RFC 1997). Standard community-sets are configured using
routing-policy.standard-community-set. -
Extended (maps to OpenConfig)
An extended community-set can only contain extended 8-byte BGP community values or regular expressions (as defined in RFC 4360). Extended community-sets are configured using
routing-policy.extended-community-set.
Match-set-options for community-sets
When used as a match condition in a policy statement, a community set containing multiple elements matches a route based on its configured match-set-option, which can be one of the following:
- all: a route matches the community-set if every element in the community-set is matched by a community attached to the route. If you do not specify a match-set-option, this is the default.
-
any: a route matches the community-set if there is at least one element in the community-set that is matched by a community attached to the route.
- invert: a route matches the community-set if none of the elements in the community-set are matched by a community attached to the route.
For hybrid community sets, the match-set-option is configured as part of the community set. All policy statements that reference a hybrid community-set use the match-set-option configured for that community-set.
For standard and extended community-sets, the match-set-option is configured within the policy statement itself.
Using hybrid and standard/extended community-sets in one policy statement
The match container of a single policy statement can reference a hybrid community-set, a standard-community-set and, or an extended community-set. The policy statement does not apply to a route unless all the community-set matches return a TRUE result.
The action.bgp container of a single policy statement can reference a
hybrid community-set, a standard-community-set and, or an extended-community-set. In this
case, the hybrid community actions are applied first, before any of the processing (match or
action) of the standard community-set or extended community-set is applied. This means that
a community added by a hybrid community action can be matched by standard community-set or
extended community-set.
Hybrid community-sets
In a routing policy, a policy statement can refer to a hybrid community set by making it the
target of the leaf routing-policy.policy.statement.match.bgp.community-set.
If the hybrid community-set contains multiple elements, then the matching behavior is
controlled by routing-policy.community-set.match-set-options. (See Match-set-options for community-sets.)
The following table lists the valid formats for elements in a hybrid community set.
| Format | Example | Meaning |
|---|---|---|
| no-export | Well-defined standard community NO-EXPORT. | |
| no-advertise | Well-defined standard community NO-ADVERTISE. | |
| no-export-subconfed | Well-defined standard community NO-EXPORT-SUBCONFED. | |
| <0-65535>:<0-65535> | Standard community matched exactly. | |
|
<regex> string must include one |
"65535:[0-9]" |
Standard communities matched by one regular expression See Supported regex symbols for hybrid community-sets. |
| <0-4294967295>:<0-4294967295>:<0-4294967295> | Large community matched exactly. | |
|
<regex>:<regex>:<regex> string must include two |
"(100)|(101):65000:4294967295" |
Large communities matched by three LEGACY style regular expressions. See Supported regex symbols for hybrid community-sets. |
| target:<0-65535>:<0-4294967295> | "target:1:100" |
type0 route-target extended community matched exactly. |
| target:<ipv4-address>:<0-65535> | "target:1.1.1.1:100" |
type1 route-target extended community matched exactly. |
| target:<0-4294967295>:<0-65535> | type2 route-target extended community matched exactly. | |
target:<regex>:<regex> string must start withtarget
and include two : and they are not part of the match |
"target:(100)|(101)" |
route-target extended communities matched by two regular expressions. See Supported regex symbols for hybrid community-sets. |
| origin:<0-65535>:<0-4294967295> | type0 route-origin extended community matched exactly. | |
| origin:<ipv4-address>:<0-65535> | type1 route-origin extended community matched exactly. | |
| origin:<0-4294967295>:<0-65535> | type2 route-origin extended community matched exactly. | |
|
origin:<regex>:<regex> string must start with |
route-origin extended community matched by two regular expressions. See Supported regex symbols for hybrid community-sets. | |
color:NN:<0-4294967295> NN=00,01,10,11 |
"color:01:100" |
color extended community matched exactly. |
| bgp-tunnel-encap:(MPLS|VXLAN) | "bgp-tunnel-encap:MPLS" |
BGP tunnel encapsulation extended community. |
The following table lists the supported regex symbols for hybrid community-sets.
| Operation | Meaning |
|---|---|
| |
Matches the term on alternate sides of the pipe. |
* |
Matches multiple occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so that a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary or range terms. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly non-matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches least m and at most n repetitions of
the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Matches the beginning of the string. |
$ |
Matches the end of the string. |
\ |
An escape character to indicate that the following character is a match criteria and not a grouping delimiter. |
Configuring a hybrid community-set
The following example configures a hybrid community-set that consists of two member elements. The match-set-option is invert, so a route matches this community-set if neither of the elements in the community-set are matched by a community attached to the route. The community-set is specified as a match condition in a routing policy.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
community-set cs1 {
match-set-options invert
member [
bgp-tunnel-encap:MPLS
target:1.1.1.1:100
]
}
policy p1 {
statement 100 {
match {
bgp {
community-set cs1
}
}
}
}
}
Standard community-sets
In a routing policy, a policy statement can refer to a standard community-set by making it
the target of the leaf
routing-policy.policy.statement.match.bgp.standard-community.standard-community-set.
If the standard community-set contains multiple elements, the matching behavior is controlled
by
routing-policy.policy.statement.match.bgp.standard-community.match-set-options.
(See Match-set-options for community-sets.)
Each standard community-set consists of a leaf-list of member elements. Each member represents either a specific community value or a regex string to be evaluated. SR Linux decides whether to treat a community-set member as an exact match or regex string as follows.
| Member format1 | Interpreted as |
|---|---|
| <d>:<d> | Exact match of a standard community (not passed to regex engine). |
|
<d> <r> |
String to be passed to the regex engine. |
SR Linux supports the following operations for strings passed to the regex engine:
| Operation | Meaning |
|---|---|
| |
Matches the term on alternate sides of the pipe. |
* |
Matches 0, 1, or more occurrences of the term. |
? |
Matches 0 or 1 occurrence of the term. |
+ |
Matches 1 or more occurrence of the term. |
( ) |
Used to parenthesize so a regular expression is considered as one term. |
[ ] |
Used to demarcate a set of elementary terms, range terms, or character class. |
[^ ] |
Used to demarcate a set of elementary or range terms that are explicitly non-matching. |
- |
Used between the start and end of a range. |
{m,n} |
Matches least m and at most n repetitions of
the term. |
{m} |
Matches exactly m repetitions of the term. |
{m,} |
Matches m or more repetitions of the term. |
^ |
Matches the beginning of the string. |
$ |
Matches the end of the string. |
\ |
An escape character to indicate that the following character is match criteria and not a grouping delimiter. |
The following table shows examples of valid regex strings in standard community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
".*" |
Match all standard communities. | 65200:100 | |
|
|
Match any standard community with 65100-65199 as the AS. | 65150:200 | 65200:200 |
"^65100" |
Match any standard community associated with ASN 65100. |
65100:100 65100:200 |
65101:900 |
"666$" |
Match any standard community that ends in the digits 666. |
65100:666 65100:6666 |
666:1 |
":666$""_666$" |
Match any standard community for which the administered value is exactly 666. | 65100:666 | 65100:6666 |
Configuring a standard community-set
The following example configures a community-set consisting of four member elements: one specific community and three regex strings. The community-set is specified as a match condition in a routing policy. The match-set-option any is configured in the policy statement, so a route is considered a match if its AS_PATH is matched by any of the member elements in the AS path set
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
standard-community-set s1 {
member [
65200:200
10*:34684
^65100
"^651[0-9][0-9]:.*$"
]
}
policy p2 {
statement 100 {
match {
bgp {
standard-community {
standard-community-set s1
match-set-options any
}
}
}
}
}
}
Extended community-sets
In a routing policy, a policy statement can refer to an extended community-set by making it
the target of the leaf
routing-policy.policy.statement.match.bgp.extended-community.extended-community-set.
If the extended community-set contains multiple elements, the matching behavior is controlled
by
routing-policy.policy.statement.match.bgp.extended-community.match-set-options.
(See Match-set-options for community-sets.)
Each extended community-set consists of a leaf-list of member elements. Each member represents either a specific community value, or a regex string to be evaluated. SR Linux decides whether to treat a community-set member as an exact match or regex string as follows:
| Member format1 | EC type/subtype | Interpreted as |
|---|---|---|
| ext:<4h>:<1-12h> | type = * subtype = * |
Generic extended community exact match (not passed to regex engine) |
|
ext ext: ext:<h> ext:<r> |
type = * subtype = * |
Generic extended community regex |
| gbp-tag:<d>:<d> | type = 0x03 subtype = 0x17 |
Group Policy ID extended community exact match (not passed to regex engine) |
|
gbp-tag gbp-tag: gbp-tag:<d> gbp-tag<r> |
type = 0x03 subtype = 0x17 |
Group Policy ID extended community regex |
| target:<d>:<d> |
type = 0x00, 0x01, 0x02 subtype = 0x02 |
Route target extended community exact match (not passed to regex engine) |
|
target:<r>:<d> target:<d>:<r> target:<r>:<r> target target: target:<d> target<r> |
type = 0x00, 0x01, 0x02 subtype = 0x02 |
Route target extended community regex |
| origin:<d>:<d> |
type = 0x00, 0x01, 0x02 subtype = 0x03 |
Route origin extended community exact match (not passed to regex engine) |
|
origin:<r>:<d> origin:<d>:<r> origin:<r>:<r> origin origin: origin:<d> origin<r> |
type = 0x00, 0x01, 0x02 subtype = 0x03 |
Route origin extended community regex |
| link-bandwidth:<d>:<d>[kMGT] |
type = 0x00, 0x40 subtype = 0x04 |
Link-bandwidth extended community exact match (not passed to regex engine) |
|
link-bandwidth link-bandwidth: link-bandwidth:<d> link-bandwidth<r>[kMGT] |
type = 0x00, 0x40 subtype = 0x04 |
Link-bandwidth extended community regex |
| color:<bits>:<d> |
type = 0x03 subtype = 0x0B |
Color extended community exact match (not passed to regex engine) |
|
color color: color:<bits> color<r> |
type = 0x00, 0x40 subtype = 0x04 |
Color extended community regex |
| bgp-tunnel-encap:<a> |
type = 0x03 subtype = 0x0CS |
BGP tunnel encap extended community exact match (not passed to regex engine) |
See Supported regex operations for standard and extended community-sets for valid operations for strings passed to the regex engine.
The following table shows examples of valid regex strings for route target and route origin elements in extended community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
"t.*" |
Not valid, rejected. | ||
"o.*" |
Not valid, rejected. | ||
"target" |
Match all RT ext communities. | target:65000:100 | link-bandwidth:65000:100M |
"origin" |
Match all RO ext communities. | origin:65000:100 | target:65000:100 |
"target:.*10.*" |
Match any RT ext community (any type) with two consecutive digits 10. |
target:65100:99 target:10.5.6.7:99 target:4294967295:1105 |
target:999:999 target:1.0.1.0:999 |
"target:10.1.1.1:.*" |
Match type-1 RT ext community with 10.1.1.1 address as the administrator. | target:10.1.1.1:100 | |
"target:10\..*" |
Match type-1 RT ext community with any 10/8 address as the administrator. | target:10.1.1.1:100 | target:105:100 |
"target:10.*" |
Match any RT ext community with leading digits 10 in the administrator part. |
target:105:999 target:100000:999 target:102.3.4.1:999 |
target:1110:999 |
"target.*_666$" |
Match any RT ext community where the administered value is exactly 666. |
target:65000:666 target:10.5.6.7:666 target:4294967295:666 |
target:65 |
The following table shows examples of valid regex strings for link-bandwidth elements in extended community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
"l.*" |
Not valid, rejected. | ||
"lb.*" |
Not valid, rejected. | ||
|
|
Match all LB ext communities. | link-bandwidth:65000:40k | route-target:65000:100 |
"link-bandwidth:10.* |
Match any LB ext community with leading digits 10 in the administrator part. |
link-bandwidth:10:1T link-bandwidth:105:1200 |
link-bandwidth:11:10M |
"link-bandwidth.*_100G$" |
Match any LB ext community that encodes the bandwidth value 100Gbps. |
link-bandwidth:65000:100G link-bandwidth:3333:100G |
link-bandwidth:100:100M link-bandwidth:100:1100G |
The following table shows examples of valid regex strings for elements in generic extended community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
"e*" |
Not valid, rejected. | ||
|
|
Match all ext communities. | ext:0600:000000000001 | None |
"ext:0002.*" |
Match all 2-octet AS-specific route-target extended communities |
route-target:65000:100 |
ext:0600:000000000001 |
"^ext:0600_.*1$" |
Match all EVPN MAC Mobility extended communities with lowest bit = 1. |
ext:0600:000000000001 |
ext:0601:000000000001 |
The following table shows examples of valid regex strings for elements in Group Policy ID extended community-sets.
| Regex string | Meaning | Communities that match | Communities that do not match |
|---|---|---|---|
"gbp*" |
Not valid, rejected. | ||
|
|
Match all Group Policy ID extended communities. | gbp-tag:0:53 | route-target:65000:100 |
"gbp-tag:0:.* |
Match all Group Policy ID extended communities with scope = 0 |
gbp-tag:0:53 |
gbp-tag:1:53 |
Configuring an extended community-set
Configure an extended community-set with route target and route origin member elements
The following example configures a community-set consisting of four member elements: one specific community and three regex strings. The community-set is specified as a match condition in a routing policy. The match-set-option any is configured in the policy statement.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
extended-community-set e1 {
member [
origin.*_666$
origin:.*10.*
target:1.1.1.1:100
target:1:100
]
}
policy p3 {
statement 100 {
match {
bgp {
extended-community {
extended-community-set e1
match-set-options any
}
}
}
}
}
}
Configure an extended community-set with link-bandwidth member elements
The following example configures a community-set consisting of elements that match link-bandwidth extended communities. The community-set contains one specific link-bandwidth community and two regex strings.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
extended-community-set e2 {
member [
link-bandwidth.*_100G$
link-bandwidth:10.*
link-bandwidth:65000:1T
]
}
policy p3 {
statement 100 {
match {
bgp {
extended-community {
extended-community-set e2
match-set-options any
}
}
}
}
}
}
Configure a generic extended community-set
The following example configures a generic community-set. The community-set contains two regex strings.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
extended-community-set e3 {
member [
ext:.*
ext:0002.*
]
}
policy p3 {
statement 100 {
match {
bgp {
extended-community {
extended-community-set e3
match-set-options any
}
}
}
}
}
}
Prefix sets
In a routing policy, a prefix set groups one or more IPv4 and, or IPv6 prefix matching entries. A prefix matching entry has two components:
- an IPv4 or IPv6 prefix, specifying an IPv4 or IPv6 address with zeroed host bits and a prefix length; for example, 192.168.1.0/21
- a
mask-length-range, specifying eitherexactor a range in the format <a>..<b>, where <a> is the starting prefix length (0-32 for IPv4, 0-128 for IPv6), and <b> is the ending prefix length (0-32 for IPv4, 0-128 for IPv6)
Match-set-options for prefix sets
When used as a match condition in a policy statement, a prefix set matches a route based on
its configured match-set-option, which can be one of the following:
- any: a route is considered a match if its destination is matched by any of the prefix matching entries.
- invert: a route is considered a match if its destination is matched by none of the prefix matching entries.
Configuring a prefix set
The following example configures a prefix set that consists of two member elements. The prefix set is specified as a match condition in a routing policy.
--{ candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
prefix-set pset1 {
prefix 10.10.1.0/24 mask-length-range 24..32 {
}
prefix 10.10.20.0/24 mask-length-range exact {
}
}
policy p1 {
statement 100 {
match {
prefix {
prefix-set pset1
match-set-options any
}
}
action {
policy-result accept
}
}
}
}
BGP next-hop resolution policies
A BGP next-hop resolution policy is a routing policy that evaluates whether the route or tunnel chosen to resolve each BGP next-hop is acceptable or not.
In SR Linux, when BGP needs to resolve the BGP next-hop of a BGP route to find the best route or tunnel that provides reachability to the next-hop, it considers the constraints configured under the following contexts:
network-instance.protocols.bgp-evpn.bgp-instance.mpls.next-hop-resolutionnetwork-instance.protocols.bgp-ipvpn.bgp-instance.mpls.next-hop-resolutionnetwork-instance.protocols.bgp.bgp-label.bgp-ipvpn.next-hop-resolutionnetwork-instance.protocols.bgp.afi-safi.ipv4-unicast.next-hop-resolutionnetwork-instance.protocols.bgp.afi-safi.ipv4-labeled-unicast.next-hop-resolutionnetwork-instance.protocols.bgp.afi-safi.ipv6-unicast.next-hop-resolutionnetwork-instance.protocols.bgp.afi-safi.ipv6-labeled-unicast.next-hop-resolutionnetwork-instance.protocols.bgp.afi-safi.evpn.next-hop-resolution
If there is no route or tunnel that can satisfy the constraints, the next-hop is unresolved, and this generally makes the associated BGP route invalid and unusable.
There are situations when the constraints on a valid resolving route or tunnel are complex, and there is no BGP configuration option in any of the above contexts that can express the rules. For these cases, you can configure next-hop-resolution policies. A next-hop-resolution policy is a routing policy run by BGP on the resolution selection made for each BGP route within the scope of the policy.
Depending on the context in which they are referenced, next-hop-resolution policies are applied as follows:
-
A next-hop-resolution policy referenced in the
network-instance.protocols.bgpcontext applies to all BGP routes learned from all BGP peers of the network-instance, spanning all AFI-SAFI with next-hops that need resolution, and covering both IPv4 and IPv6 next-hop addresses. The referenced next-hop-resolution policy can accept or reject resolution by any type of route (IGP, BGP, and so on) and any type of tunnel (MPLS, SRv6, and so on). -
A next-hop-resolution policy referenced in the
network-instance.protocols.bgp-vpncontext applies to all IP VPN and EVPN routes imported into the network-instance, covering both IPv4 and IPv6 next-hop addresses. The referenced next-hop-resolution policy can accept or reject resolution by any type of tunnel (MPLS, SRv6, and so on).
Next-hop-resolution policies do not replace existing next-hop-resolution configuration options. If there is a next-hop-resolution policy configured, it is evaluated after the constraint-based selection of the best resolving route or tunnel.
If the policy accepts this selection, the next-hop is resolved accordingly. If the policy rejects the selection, the next-hop is unresolved, and there is no attempt to find a less-preferred candidate that can meet the next-hop-resolution configuration options and also be accepted by the policy.
Match conditions for IPv4 or IPv6 routes
A next-hop-resolution policy matches an IPv4 or IPv6 route to accept or reject its ability to resolve BGP next-hops within the scope of the policy by matching on any combination of the following:
- subroutine match using any of the criteria in this list
- protocol X
- evaluates to true if the next-hop is resolved by a route and its route-type is X
- evaluates to false if the next-hop is resolved by any type of tunnel or any route with route-type <> X
- family X
- evaluates to true if X =
ipv4-unicastand the next-hop is resolved by a BGP route that advertised reachability to an IPv4-unicast prefix - evaluates to true if X =
ipv6-unicastand the next-hop is resolved by a BGP route that advertised reachability to an IPv6-unicast prefix - evaluates to false in all other cases (resolution by a non-BGP route, resolution by a BGP route belonging to any other AFI-SAFI, resolution by a tunnel)
- evaluates to true if X =
- prefix-set and associated match-set-options
- evaluates to true if the next-hop is resolved by a route matched by any prefix in the prefix-set (or none of the prefixes in the prefix-set)
- tag-set X
- evaluates to true if the next-hop is resolved by a route with any tag in the tag-set
- IS-IS level X
- evaluates to true if the next-hop is resolved by an IS-IS route and its level is X (note that the level is 1 for a route leaked from L2 to L1)
- IS-IS route-type
- evaluates to true if the next-hop is resolved by an IS-IS route and its route-type is X
- OSPF area ID (creates non-match with non-OSPF routes)
- OSPF route-type (creates non-match with non-OSPF routes)
- OSPF instance ID (creates non-match with non-OSPF routes)
If the policy has an accept entry with a
network-instance-leaked-route or
origin-network-instance match condition, that entry filters
out all routes that are usable for BGP next-hop resolution, because SR Linux does not
support using leaked routes to resolve BGP next-hops.
Match conditions for tunnel routes
A next-hop-resolution policy matches a BGP-LU, LDP, SR-ISIS, TE-policy (colored), TE-policy (uncolored), SRv6-ISIS, or VXLAN tunnel (to accept or reject its ability to resolve BGP next-hops within scope of the policy) by matching on any combination of the following:
- subroutine match using any of the criteria in this list
- prefix-set and associated match-set-options
- evaluates to true if the next-hop is resolved by a tunnel matched by any prefix in the prefix-set (or none of the prefixes in the prefix-set)
- tag-set
- evaluates to true if the next-hop is resolved by a tunnel with any tag in the tag-set
- IS-IS level X
- evaluates to true if the next-hop is resolved by an
sr-isisorsrv6-isistunnel, and the associated level is X (note that the level is 1 for a route leaked from L2 to L1)
- evaluates to true if the next-hop is resolved by an
- tunnel
- evaluates to true if the next-hop is resolved by any type of tunnel
- tunnel-type X
- evaluates to true if the next-hop is resolved by a tunnel and its tunnel-type is X
- evaluates to false if the next-hop is resolved by any type of route or any tunnel with tunnel-type <> X
Actions for BGP next-hop resolution policies
If the candidate resolving route or tunnel is matched by a statement in the applicable next-hop-resolution policy, the following actions are supported:
- a reject policy-result causes the route or tunnel to be disqualified
- an accept policy-result causes the route or tunnel to be used as the resolving entity
- a next-statement policy-result causes evaluation to proceed to the next statement
- a next-policy policy-result causes the
default-actionto apply (see below) - route-modifying actions are ignored
If the policy does not have a configured default-action, or the
default action is configured as next-policy, then routes or tunnels
that did not match any statement, or that were only matched by statements that were
non-terminating (next-statement) are automatically accepted.
Configuring a BGP next-hop-resolution policy
To configure a BGP next-hop-resolution policy, you configure a routing policy and
reference the policy in the network-instance.protocols.bgp or
network-instance.protocols.bgp-vpn context.
The following is an example of a next-hop-resolution policy configuration that allows BGP routes in the default network-instance to be resolved only if the best matching route or tunnel is for a /32 IPv4 prefix or a /128 IPv6 prefix.
--{ +* candidate shared default }--[ ]--
# info with-context routing-policy
routing-policy {
prefix-set host-routes {
prefix 0.0.0.0/0 mask-length-range 32..32 {
}
prefix ::/0 mask-length-range 128..128 {
}
}
policy NH-resolution {
default-action {
policy-result reject
}
statement 1 {
match {
prefix {
prefix-set host-routes
match-set-options any
}
}
action {
policy-result accept
}
}
}
}
--{ +* candidate shared default }--[ ]--
# info with-context network-instance default
network-instance default {
protocols {
bgp {
next-hop-resolution-policy NH-resolution
}
}
}
Similarly, if the routing policy is referenced in the
network-instance.protocols.bgp-vpn context as a
next-hop-resolution policy, it applies to IP VPN and EVPN routes imported into the
IP-VRF.
--{ +* candidate shared default }--[ ]--
# info with-context network-instance vrf-a
network-instance vrf-a {
type ip-vrf
protocols {
bgp-vpn {
next-hop-resolution-policy NH-resolution
}
}
}