Routing policies

Routing policies allow detailed control of IP routes learned and advertised by routing protocols such as BGP, IS-IS, or OSPF.

Each routing policy has a sequence of rules (called entries or statements) and a default action. Each policy statement has zero or more match conditions, such as whether a route is owned by a specific protocol, and a main action, such as to accept or reject the routes; the statement may also have route-modifying actions. A route matches a statement if it meets all of the specified match conditions.

Each statement has a specified position in the policy. If a policy has multiple statements, they are processed in the order they are put in the policy. In addition, you can specify a default action that applies to routes that do not match any statement in the policy.

The first statement that matches the route determines the actions that are applied to the route. If the route is not matched by any statements, the default action of the policy is applied. If there is no default action, then a protocol- and context-specific default action is applied.

All routes match a statement with no match conditions. When a route fulfills the match conditions of a statement, the base action of the statement is applied, along with all of its route-modifying actions.

Routing policy match conditions

The following table summarizes the match conditions supported in SR Linux routing policies.

Table 1. Match conditions for routing policies
Match condition Description
protocol

Test if the route is owned by a specific protocol. The following options are supported:

  • aggregate

  • arp-nd

  • bgp

  • bgp-evpn

  • bgp-evpn-ifl-host

  • bgp-ipvpn

  • bgp-label

  • dhcp

  • host

  • isis

  • local

  • ospfv2

  • ospfv3

  • static

family

Test if the prefix is associated with any of the AFI/SAFI (address families) listed. The following options are supported:

  • ipv4-unicast

  • ipv6-unicast

  • l3vpn-ipv4-unicast

  • l3vpn-ipv6-unicast

  • ipv4-labeled-unicast

  • ipv6-labeled-unicast

  • evpn

  • route-target

  • srte-policy-ipv4

  • srte-policy-ipv6

  • link-state

call-policy

Call another routing policy as a subroutine. See Routing policy subroutines.

prefix.prefix-set

Test if the route matches any entry in a configured prefix-set. See Prefix sets.

internal-tags.tag-set

Test if the route contains members of a configured tag-set. See "Configuring route internal tags" in the ​SR Linux VPN Services Guide.

bgp.as-path.as-path-set

Test if the route has an AS path that matches the regular expression in the configured AS-path set. See AS path sets.

bgp.as-path-length Test if the AS-path length of the route is a specific value or in a range.
bgp.community-set

Test if a BGP community attached to the route matches the list of member elements and match-set-option in the BGP community-set. See BGP community-sets.

bgp.evpn.route-type Test if the EVPN route type is a specific type (1-8).
bgp.extended-community.extended-community-set

Test if a BGP extended community attached to the route matches the list of member elements and match-set-option in the BGP extended community-set. See BGP community-sets.

bgp.standard-community.standard-community-set

Test if a BGP standard community attached to the route matches the list of member elements and match-set-option in the BGP standard community-set. See BGP community-sets.

isis.level Test if the IS-IS route is associated with Level 1 or Level 2.
isis.route-type

Test if the IS-IS route is internal or external (redistributed from another protocol).

An IPv4 prefix is external if it is signaled in TLV 130 or TLV135 with RFC 7794 X flag=1.

An IPv6 prefix is external if TLV 236/TLV 237 external bit = 1.

ospf.area-id Test if the OSPFv2 or OSPFv3 route is associated with the specified area ID.
ospf.route-type Test if the OSPFv2 or OSPFV3 route is a specific route type: any of intra-area, inter-area, type-1-ext, type-2-ext, type-1-nssa, type-2-nssa, summary-aggregate, or nssa-aggregate.
ospf.instance-id Test if the OSPFv2 or OSPFv3 route is associated with the specified instance ID.
multicast.group-address.prefix-set

Test if the multicast group address matches any entry in a configured prefix-set. See Prefix sets.

multicast.source-address.prefix-set

Test if the multicast source address matches any entry in a configured prefix-set. See Prefix sets.

origin-network-instance The source network-instance where the route was originally learned or configured. If this match condition is omitted from a policy statement, the implied match is any network-instance.
network-instance-leaked-route

When set to true, this condition matches all leaked routes (that is, routes with an origin network-instance different from the local-context network-instance).

When set to false, this condition matches all non-leaked routes (that is, with an origin network-instance the same as the local-context network-instance).

Specifying match conditions in a routing policy

You can specify the match conditions listed in Match conditions for routing policies in a policy statement. If a statement has no match conditions defined, all routes evaluated by the policy are considered to be matches.

Test if the route is owned by BGP

The following example specifies BGP protocol as a match condition in a policy statement:

--{ candidate shared default }--[  ]--
# info with-context routing-policy policy policy01
    routing-policy {
        policy policy01 {
            statement 100 {
                match {
                    protocol bgp
                }
            }
        }
    }

Test if the route prefix is associated with an address family

The following example matches routes with a prefix belonging to the IPv4 or IPv6 labeled unicast address family:

--{ candidate shared default }--[  ]--
# info with-context routing-policy policy policy02
    routing-policy {
        policy policy02 {
            statement 100 {
                match {
                    family [
                        ipv4-labeled-unicast
                        ipv6-labeled-unicast
                    ]
                }
            }
        }
    }

Test if an OSPF route is a specific route type

The following example matches OSPF type 2 external routes:

--{ candidate shared default }--[  ]--
# info with-context routing-policy policy policy03
    routing-policy {
        policy policy03 {
            statement 100 {
                match {
                    protocol ospfv2
                    ospf {
                        route-type type-2-ext
                    }
                }
            }
        }
    }

Routing policy subroutines

A match condition in a routing policy can call another routing policy as a subroutine.

SR Linux supports up to three levels of policy subroutines. For example, a main policy P0 can call a P1 policy. The P1 policy can call a P2 policy, and the P2 policy can call a P3 policy.

A route that is accepted by a Pn subroutine policy matches the Pn-1 policy statement that called policy Pn.

The subroutine policies (P1-P3) can modify the attributes of matched routes. These modifications can happen in statements with action accept or action next-statement or where the default-action is accept.

The subroutine policy match can be combined with other match conditions in the same statement of a policy. Logically, the subroutine is evaluated after all other match conditions in the statement.

If the subroutine policy has a statement with action next-policy or default-action next-policy, it is considered the same as reject.

If a route that does not match any terminating entry of a subroutine (that is, the route does not match any statement with an action of accept or reject or next-policy), it is considered to be accepted by the subroutine if the default-action of the subroutine policy is accept. Otherwise, the route is considered to be rejected by the subroutine.

The following example shows a routing policy P1 that uses policy P2 as a subroutine.

--{ +* candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        policy P1 {
            statement 10 {
                match {
                    call-policy [
                        P2
                    ]
                    bgp {
                        as-path {
                            as-path-set downstream
                        }
                    }
                }
                action {
                    policy-result accept
                }
            }
        }
        policy p2 {
            statement 10 {
                match {
                    prefix {
                        prefix-set selected
                    }
                }
                action {
                    policy-result accept
                }
            }
        }
    }

Routing policy conditional statements

Routing policy conditional statements allow you to associate a conditional test with policy statements. If the condition evaluates as true, the policy statement is evaluated as normal; routes matched by the statement have the configured actions applied to them. However, if the condition evaluates as false, the policy statement is skipped; that is, policy evaluation continues to the next statement, which may also be conditional.

SR Linux supports one type of conditional test: whether a route exists in the FIB table of a specified network-instance. You can configure this conditional test by specifying the following in a routing policy statement:

  • a reference to a configured prefix-set (mandatory). The prefix set can have any mix of IPv4 and IPv6 entries.
  • the match-set-option to apply to the prefix-set (one of any, all, or invert; default is any
  • a reference to a network-instance (mandatory). The network-instance is not required to match the network-instance where the policy is used. For example, a BGP peer export policy applied to a BGP peer in the default network-instance can have a conditional statement that depends on the existence of routes in an unrelated IP-VRF network-instance.

If a route matching the prefix-set exists in the FIB table of the referenced network-instance, the condition evaluates as true or false based on the configured match-set-option.

Routing policy conditional statements are useful in situations where a route should be imported or exported by a router only if it has specific routes present or not present in its routing table.

Using conditional statements in send-default-route export-policies

For routing policies called from the network-instance.protocols.bgp.group.send-default-route.export-policy and network-instance.protocols.bgp.neighbor.send-default-route.export-policy contexts, policy evaluation skips the following entries, which are considered non-matching.

  • policy entries that do not have any configuration under the action container
  • policy entries that have any configuration under the match container
  • policy entries that do not have a condition configured

The first matching statement with a condition that evaluates as true has its actions applied to the route; the default action is not applied. If all matching statements have conditions that evaluate as false, or there are no matching entries, the default action is applied to the route.

Specifying conditional statements in a routing policy

To configure a conditional statement in a routing policy, specify a configured prefix set in the condition container of a routing policy statement. The condition container also specifies the match-set-option used to evaluate whether the statement is true or false and a reference to a configured network-instance.

Configure a prefix set

The following example configures a prefix set. The prefix set used for a routing table conditional statement can have any mix of IPv4 and IPv6 entries.

--{ candidate shared default }--[  ]--
# info with-context routing-policy prefix-set pset1
    routing-policy {
        prefix-set pset1 {
            prefix 10.3.192.0/21 mask-length-range 21..24 {
            }
            prefix 10.4.192.0/21 mask-length-range exact {
            }
        }
    }

The mask-length-range for individual prefix list entries can be exact or can be a range in the format length1..length2. For all prefixes in the prefix-set, length1 must be greater than or equal to /16 for IPv4 prefixes, and greater than or equal to /96 for IPv6 prefixes.

Configure a conditional statement in a routing policy

The following example configures a conditional statement in a routing policy. The conditional statement checks whether routes matched by prefix set pset1 exist in the FIB for the network instance black.

The match-set-option is any, so the conditional statement evaluates to true if there is any route in prefix set pset1 that exists in the FIB for the network instance black. In this case, the configured action is applied to the matched routes.

The conditional statement evaluates to false if there is no route in prefix set pset1 that exists in the FIB for the network instance black. In this case, the policy statement is skipped and policy evaluation continues to the next statement.

--{ candidate shared default }--[  ]--
# info with-context routing-policy policy p2
    routing-policy {
        policy p2 {
            statement st1 {
                condition {
                    route-table {
                        network-instance black
                        prefix-set pset1
                        match-set-options any
                    }
                }
                match {
                    family [
                        ipv4-unicast
                        ipv6-unicast
                    ]
                }
                action {
                    policy-result accept
                }
            }
            statement st2 {
                match {
                    family [
                        ipv4-unicast
                        ipv6-unicast
                    ]
                }
                action {
                    policy-result reject
                }
            }
        }
    }

Routing policy actions

If a route matches a policy statement, the actions configured in the policy are applied to the route, including route property modifications. Depending on the configured action, the route may continue to be analyzed by further routing policy statements (if any), or the final disposition (either accept or reject) of the route is determined.

Default routing policy action

Each routing policy can optionally be configured with a default action, which is applied to routes that do not match any policy statement. The default action specifies a main action and optionally one or more route property modification actions. The default action is applied to all routes evaluated by the policy that do not match any statement or are only matched by statements that are non-terminating, such as next-statement.

If the default action is explicitly configured as accept or reject, evaluation ends at the current policy even if there are further policies in the chain. If a policy does not have a configured default action, or the default action for the policy is next-policy or next-statement, then routes that do not match any statement in the policy are automatically evaluated by the next policy in the chained list. See Specifying a default action for a configuration example.

Main routing policy actions

The following table lists the main routing policy actions. These actions can be configured for the policy-result of the default action or at the statement action level in a routing policy.
Table 2. Main routing policy actions
Action Description
accept The route is accepted, route property modifications are applied, and evaluation stops immediately; further statements and policies are not considered.
reject The route is dropped and evaluation stops immediately; further statements and policies are not considered.
next-statement No immediate decision is made about whether to accept or reject the route. Route policy modifications are applied, and evaluation continues automatically to the next statement. If there are no further statements in this policy, the default action of the current policy applies.
next-policy No immediate decision is made about whether to accept or reject the route. Route policy modifications are applied, and evaluation skips the remainder of the statements in the current policy continuing automatically to the first statement in the next policy in the chained list. If there are no further policies, then the default action of the last policy in the chain applies.

If no value is configured for policy-result, the implicit default is next-statement (if not configured at the statement action level) or next-policy (if not configured at the default-action level).

Route property modification actions

The following table lists the route property modification actions that can be specified in a routing policy.

Table 3. Route property modification actions
Action Description
bgp.as-path.prepend Prepend a specific AS number one or more times to the AS path.
bgp.as-path.remove Clear the AS path to make it empty.
bgp.as-path.replace Clear the existing AS path and replace it with a new AS_SEQUENCE containing the listed AS numbers.
bgp.communities.add

Add all of the non-regex community members in the referenced community-set.

Note: New communities are prepended before existing communities, as shown in BGP RIB state information and in the advertised UPDATE.
bgp.communities.remove Remove all communities that match any regex or non-regex member in the referenced community-set.
bgp.communities.replace Delete all existing communities and add all non-regex community members in the referenced community-set.
bgp.disable-ip-route-install Accept the route, allowing its re-advertisement, but do not install the route to the IP FIB. See Policy action to disable IP FIB installation.
bgp.extended-community.method Indicate the method used to specify the extended communities for the action. The only supported value is reference.
bgp.extended-community.operation Add, remove, or replace extended communities in matched routes.

The add operation adds every non-regex member of every referenced set to the EXT_COMMUNITIES attribute of the matched routes (after de-duplication).

The remove operation removes every extended community that matches any regex or non-regex member in any referenced set.

The replace operation removes every existing extended community, then adds every non-regex member of every referenced set to the EXT_COMMUNITIES attribute of the matched route (after de-duplication).

Note that new communities are prepended before existing communities, as shown in BGP RIB state information and in the advertised UPDATE.

bgp.extended-community.referenced-sets Indicate the extended community sets to perform the add, remove, or replace operation.
bgp.standard-community.method Indicate the method used to specify the standard communities for the action. The only supported value is reference.
bgp.standard-community.operation Add, remove, or replace standard communities in matched routes.

The add operation adds every non-regex member of every referenced set to the COMMUNITIES attribute of the matched routes (after de-duplication).

The remove operation removes every standard community that matches any regex or non-regex member in any referenced set.

The replace operation removes every existing standard community, then adds every non-regex member of every referenced set to the COMMUNITIES attribute of the matched route (after de-duplication).

Note: New communities are prepended before existing communities, as shown in BGP RIB state information and in the advertised UPDATE.
bgp.standard-community.referenced-sets Indicate the standard community sets to perform the add, remove, or replace operation.
bgp.label-allocation.prefix-sid.use-igp Use the programmed SR-IGP label index for the matching prefix, resulting in a stitch to the IGP segment routing tunnel.
bgp.local-preference.operation Specify the operation to use when applying the configured value to the current LOCAL_PREF; the only valid operation is set.
bgp.local-preference.value Set the value of the LOCAL_PREF attribute in matching BGP routes.
bgp.med.operation

Set or modify the MED according to the bgp.med.value action in matching BGP routes. See Route property operation action for setting MED.

bgp.med.value

Set or modify the MED to the specified value in matching BGP routes. See Policy actions for setting MED in BGP routes.

bgp.next-hop-resolution.set-tag-set Reference a tag-set to be used for controlling next-hop resolution.
bgp.next-hop.set Set or modify the BGP next-hop address to a specified IPv4 or IPv6 address or to the keyword self.
bgp.origin.set Set or modify the BGP ORIGIN attribute value to the specified value.
isis.level Add the redistributed route to the specified level database. Supported values are 1 or 2.
isis.metric.set-style Explicitly encode the metric of the matched IS-IS route as a wide metric in the appropriate IS-IS TLV that supports wide metrics.
isis.metric.set-value Set the IS-IS metric value of the redistributed route to a number between 1 and 16777215.
internal-tags.tag-set Add the tags in the tag-set as internal tags.
ospf.metric.set-value Set the OSPF metric value of the redistributed route to a uint16 number.
ospf.metric.set-external-type Set the OSPF external metric type of the redistributed route as type-1 or type-2.
resilient-hash.apply Enable resilient hashing if the accepted route becomes the best BGP path.
resilient-hash.hash-buckets-per-path Set the number of times each next-hop is repeated in the fill pattern if there are max-paths ECMP next-hops.
resilient-hash.max-paths Set the maximum number of ECMP next-hops per route associated with the resilient-hash prefix.
route-preference.set Overwrite the route preference with the specified value.

Specifying actions in a routing policy

You can specify the actions listed in Routing policy actions to routes that match a policy statement.

Accept static routes

The following example configures a routing policy statement to accept static routes.

--{ +* candidate shared default }--[  ]--
# info with-context routing-policy policy policy01
    routing-policy {
        policy policy01 {
            statement st1 {
                match {
                    protocol static
                }
                action {
                    policy-result accept
                }
            }
        }
    }

Set origin attribute for matching BGP routes

The following example specifies a policy with two statements. If a BGP route matches the first statement, the action is to proceed to the next statement. If the route matches the second statement, the action is to specify a new value for the origin attribute of the BGP route.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        policy policy02 {
            statement 100 {
                match {
                    protocol bgp
                }
                action {
                    policy-result next-statement
                }
            }
            statement 101 {
                match {
                    prefix-set western
                }
                action {
                    bgp {
                        origin {
                            set egp
                        }
                    }
                }
            }
        }
    }

Add communities from BGP standard-community set to matched routes

The following example matches BGP routes and adds every non-regex member of standard-community set st1 to the COMMUNITIES attribute of the matched routes.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        standard-community-set st1 {
            member [
                668$
                ^65100
            ]
        }
        policy p1 {
            statement 100 {
                match {
                    protocol bgp
                }
                action {
                    bgp {
                        standard-community {
                            operation add
                            referenced-sets [
                                st1
                            ]
                        }
                    }
                }
            }
        }
    }

Replace communities in matched routes with communities in a BGP extended-community set

The following example removes every existing extended community from matching BGP routes, then adds every non-regex member of extended-community set ex1 to the EXT_COMMUNITIES attribute of the matched routes.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        extended-community-set ex1 {
            member [
                target:10.1.1.1:.*
            ]
        }
        policy p2 {
            statement 100 {
                match {
                    protocol bgp
                }
                action {
                    bgp {
                        extended-community {
                            operation replace
                            referenced-sets [
                                ex1
                            ]
                        }
                    }
                }
            }
        }
    }

Specifying a default action

You can optionally specify the policy action for routes that do not match the conditions defined in the policy statements. The default action can be set to all available action states including accept, reject, next-entry, and next-policy.

  • If a default action is defined, and no matches occur with the statements in the policy, the default action is used.

  • If no default action is specified, the default behavior of the protocol controls whether the routes match.

    For BGP, the default import action is to accept all routes from BGP. For internal routes, the default export action is to advertise them to BGP peers. For external routes, the default export action is not to advertise them to BGP peers.

The following example defines a policy where the default action for non-matching routes is to reject them:

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        policy policy01 {
            default-action {
                policy-result reject
            }
        }
    }

Policy actions for setting MED in BGP routes

The following describes the supported policy actions for received BGP routes based on the contents of the MED attribute in the route (if any).

When a BGP export policy matches a non-BGP route for advertisement to neighbors:

  • If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric for the non-BGP route.
  • If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
  • If neither case applies, no MED is added to the route.

When a BGP route is received with a MED attribute:

  • If the route is matched by an import policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop.
  • If the route is matched by an import policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
  • If neither case applies, the RIB-IN MED attribute is unmodified.

When a BGP route is received without a MED attribute:

  • If the route is matched by an import policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and the new value is the route-table metric of the route that resolves the BGP next-hop.
  • If the route is matched by an import policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
  • If neither case applies, no MED attribute is added to the route.

When a BGP route is received with a MED attribute from one eBGP peer, and the route must be advertised to other eBGP peers:

  • If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop (0 when receiving a route from a single hop eBGP peer)
  • If the route is matched by an export policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
  • If neither case applies, the MED is stripped.

When a BGP route is received without a MED attribute from one eBGP peer, and the route must be advertised to other eBGP peers:

  • If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric of the route that resolves the BGP next-hop (0 when receiving a route from a single hop eBGP peer).
  • If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
  • If neither case applies, no MED is added to the route.

When a BGP route is received with a MED attribute from one eBGP peer, and the route must be advertised to iBGP peers, or else the route was received with a MED attribute from an iBGP peer for propagation to other iBGP peers:

  • If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then the MED attribute is replaced and the new value is the route-table metric of the route that resolves the BGP next-hop.
  • If the route is matched by an export policy statement that applies the action bgp med set <number>, then the MED attribute is replaced and the new value is <number>.
  • If neither case applies, the MED is unmodified.

When a BGP route is received with a MED attribute from one eBGP/iBGP peer, and the route must be advertised to other eBGP peers, the MED is stripped by default (if the route is not matched by a policy).

When a BGP route is received without a MED attribute from one eBGP peer, and the route must be advertised to iBGP peers, or else the route was received without a MED attribute from an iBGP peer for propagation to other eBGP or iBGP peers:

  • If the route is matched by an export policy statement that applies the action bgp med set route-table-cost, then a MED attribute is added to the BGP route and its value is the route-table metric of the route that resolves the BGP next-hop.
  • If the route is matched by an export policy statement that applies the action bgp med set <number>, then a MED attribute is added to the BGP route and its value is <number>.
  • If neither case applies, no MED is added to the route.

Route property operation action for setting MED

The bgp.med.operation action can set or modify the MED according to the bgp.med.value action in matching BGP routes, as described in the following table:

Table 4. Operations for setting BGP MED in routing policies
Operation Value Result
set Unsigned 32-bit integer Overwrite the current MED with the specified value.
route-table-cost Overwrite the current MED with the metric of the resolving route.
add Unsigned 32-bit integer Increment the current MED by the specified value.
route-table-cost Increment the current MED by the metric of the resolving route.
subtract Unsigned 32-bit integer Decrement the current MED by the specified value.
route-table-cost Decrement the current MED by the metric of the resolving route.

Policy action to disable IP FIB installation

Some data center switches have limited IP FIB capacity. It is possible these switches could receive more BGP routes than they have room for in their IP FIB tables. In such cases, you may want to suppress the IP FIB installation of some or all of the BGP routes the switch does not require for forwarding (for example, because the switch is not in the forwarding path, as in the case of a non-next-hop-self route reflector, or because the switch can fall back to less specific routes, such as a default route).

Matching and rejecting a BGP route in a BGP import policy prevents the route from being installed in the IP FIB, but it also prevents the route from being re-advertised to other BGP peers, which could be unacceptable. For these cases, you can configure the disable-ip-route-install policy action. This policy action works as follows:

For unlabeled IPv4 and IPv6 routes matched and accepted by a BGP import policy with a disable-ip-route-install action:

  • Routes are re-advertisable to other peers per normal BGP rules, even if advertise-inactive is not configured or next-hop-self is enabled.
  • Routes are less preferred by the BGP decision process than any installed route for the same prefix. For these routes, fib-install-disabled is displayed as the tie-break-reason in state information.
  • Routes do not contribute toward and activate a covering aggregate route.

For unlabeled IPv4 and IPv6 routes matched and accepted by a BGP import policy with a disable-ip-route-install action:

  • Host routes do not create/program tunnels.
  • Re-advertisement with next-hop self does create/program ILM entries.
  • Routes are re-advertisable to other peers per normal BGP rules, even if advertise-inactive is not configured or next-hop-self is enabled.
  • Routes are less preferred by the BGP decision process than any installed route for the same prefix. For these routes, fib-install-disabled is displayed as the tie-break-reason in state information.
  • Routes do not contribute toward and activate a covering aggregate route.

BGP does not publish routes to fib_mgr that have been matched and accepted by a BGP import policy with a disable-ip-route-install action. This means they are not be re-advertisable by other protocols. In BGP RIB state information, FIB-suppressed routes display used-route false and fib-disabled true.

Policy action to control resilient ECMP hashing

For IP routes that are ECMP routes (multiple next-hops), the resilient ECMP hashing feature allows changes to the size of the ECMP set to be made by moving as few flows as possible. This is useful when the ECMP next-hops of an IP route correspond to network appliances or host servers that maintain state for the flows that they service, and moving flows requires state to be rebuilt. See Resilient ECMP hashing for details about how this feature works.

Enabling resilient ECMP hashing can be controlled using an action in a routing policy. Resilient hashing policy actions are supported only in peer import policies that apply to BGP routes received from BGP peers. This includes policies called from any of these contexts (or their subroutines):

  • network-instance.protocols.bgp.import-policy

  • network-instance.protocols.bgp.afi-safi.import-policy

  • network-instance.protocols.bgp.group.import-policy

  • network-instance.protocols.bgp.group.afi-safi.import-policy

  • network-instance.protocols.bgp.neighbor.import-policy

  • network-instance.protocols.bgp.neighbor.afi-safi.import-policy

There is no restriction for the AFI-SAFI family of the routes matched by the above policies. If a BGP route for a specific AFI-SAFI can create an ECMP-capable IPv4 or IPv6 route in the IP FIB table, then the resilient hashing policy actions apply to that BGP route.

For a resilient hashing policy action, you configure the following parameters:

  • apply: enable or disable resilient hashing if the accepted route becomes the best BGP path; can be set to true or false.
  • max-paths: set the maximum number of ECMP next-hops per route associated with the resilient-hash prefix; required if apply is set to true.
  • hash-buckets-per-path: set the number of times each next-hop is repeated in the fill pattern if there are max-paths ECMP next-hops; required if apply is set to true.

Resilient hashing is enabled for an IPv4 or IPv6 prefix when either of the following are true:

  • The active route for the prefix is a BGP route, and the best BGP route for the prefix was processed by an import policy that accepted the route with a resilient-hash.apply true action.

  • The active route for the prefix is a non-BGP route or else a best BGP route without any import-policy resilient-hash action applied, and the route is covered by configuration of a resilient-hash-prefix in the network-instance where it is installed.

Resilient hashing is disabled for an IPv4 or IPv6 prefix when either of the following are true:

  • The active route for the prefix is a BGP route, and the best BGP route for the prefix was processed by an import policy that accepted the route with a resilient-hash.apply false action.

  • The active route for the prefix is a non-BGP route or else a best BGP route without any import-policy resilient-hash action applied, and the route is not covered by configuration of a resilient-hash-prefix in the network-instance where it is installed.

To program a route to support resilient ECMP, the system needs to know the maximum possible number of ECMP next-hops for the route, and the number of hash buckets to use for each possible ECMP next-hop. These values, configured with the max-paths and hash-buckets-per-path parameters, determine the hash bucket fill pattern.

The following example configures a routing policy statement with a resilient hashing action. Best BGP routes routes that match the import policy are provided with resilient-hash programming. The hash-buckets-per-path value is 4 and the max-paths value is 6, so the fill pattern has 24 hash buckets, offering space for 6 next-hops, each repeated 4 times.

--{ +* candidate shared default }--[  ]--
# info with-context routing-policy policy res-hash statement st1 action
    routing-policy {
        policy res-hash {
            statement st1 {
                action {
                    resilient-hash {
                        apply true
                        hash-buckets-per-path 4
                        max-paths 6
                    }
                }
            }
        }
    }

Applying a routing policy

Routing policies can be applied to routes received from other routers (imported routes), as well as routes advertised to other routers (exported routes). Routing policies can be applied at the network-instance level, peer-group level, and neighbor level.

Apply a routing policy to imported routes

The following example specifies that BGP in the default network-instance applies policy01 to imported routes:

--{ candidate shared default }--[  ]--
# info with-context network-instance default protocols bgp import-policy
    network-instance default {
        protocols {
            bgp {
                import-policy [
                    policy01
                ]
            }
        }
    }

Apply a routing policy to BGP routes exported from a peer-group

The following example applies policy02 to BGP routes exported from the peers in peer-group headquarters1:

--{ candidate shared default }--[  ]--
# info network-instance default protocols bgp group headquarters1
    network-instance default {
        protocols {
            bgp {
                group headquarters1 {
                    export-policy [
                        policy02
                    ]
                }
            }
        }
    }

Apply a routing policy to BGP routes exported from a BGP neighbor

The following example applies policy02 to BGP routes exported from a specific BGP neighbor:

--{ * candidate shared default }--[  ]--
# info  network-instance default protocols bgp neighbor 192.168.11.1
    network-instance default {
        protocols {
            bgp {
                neighbor 192.168.11.1 {
                    export-policy [
                        policy02
                    ]
                }
            }
        }
    }

Applying a default policy to eBGP sessions

You can specify the action to take for routes exported to or imported from eBGP peers to which no configured policy applies. This is set with the ebgp-default-policy command and the export-reject-all and import-reject-all parameters.

  • The export-reject-all parameter, when set to true, causes all outbound routes that do not match a configured export policy to be rejected as if they had been rejected by a configured export policy. The default is true.

  • The import-reject-all parameter, when set to true, causes all inbound routes that do not match a configured import policy to be rejected as if they had been rejected by a configured import policy. The default is true.

The following example allows a BGP neighbor to export a default route even though the route is not subject to any configured policy:

--{ * candidate shared default }--[  ]--
# info with-context network-instance default
    network-instance default {
        protocols {
            bgp {
                ebgp-default-policy {
                    export-reject-all false
                }
                neighbor 2001:db8::c11 {
                    send-default-route {
                        ipv6-unicast true
                    }
                }
            }
        }
    }

Replacing an AS path

You can configure a routing policy where the AS path in matching routes is replaced by a list of AS numbers specified in the policy. For routes that match the policy, the current AS path is deleted and replaced with an AS_SEQ element containing the AS numbers listed in the policy in their configured sequence.

If you configure an empty AS list in the policy, then the current AS path in a matching route is deleted, and it would then have a null AS_PATH attribute.

The following is an example of a routing policy that matches BGP routes. The action for the policy is next-policy, so routes that match the first policy are evaluated by the second policy, whose action is to replace the AS path in matching routes.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        policy policy01 {
            statement 100 {
                match {
                    protocol bgp
                }
                action {
                    policy-result next-policy
                }
            }
        }
        policy policy02 {
            statement 100 {
                match {
                    prefix-set western
                }
                action {
                    bgp {
                        as-path {
                            replace [
                                12
                                13
                                14
                            ]
                        }
                    }
                }
            }
        }
    }

Resequencing statements in a routing policy

Each routing policy statement has a numerical sequence identifier that determines its order relative to other statements in that policy. When a route is analyzed by a policy, it is evaluated by each statement in sequential order.

The definition of the sequence of statements is fully flexible and can be defined as required using the insert command. If the insert command is not used, new statements are added to the end of the policy.

In the following examples, routing policy policy01 consists of three statements: red, green, and blue.

--{ +* candidate shared default }--[  ]--
# info with-context routing-policy policy policy01
    routing-policy {
        policy policy01 {
            statement red {
                match {
                    protocol bgp
                }
                action {
                    policy-result accept
                }
            }
            statement green {
                match {
                    prefix-set pset1
                }
                action {
                    policy-result reject
                }
            }
            statement blue {
                match {
                    family [
                        ipv4-unicast
                        ipv6-unicast
                    ]
                }
                action {
                    policy-result next-policy
                }
            }
        }
    }

Move a statement to the end of a routing policy

The following example moves statement red to the end of the routing policy:

--{ +* candidate shared default }--[  ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement red last
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context 
    statement green {
        match {
            prefix-set pset1
        }
        action {
            policy-result reject
        }
    }
    statement blue {
        match {
            family [
                ipv4-unicast
                ipv6-unicast
            ]
        }
        action {
            policy-result next-policy
        }
    }
    statement red {
        match {
            protocol bgp
        }
        action {
            policy-result accept
        }
    }

Move a statement to the beginning of a routing policy

The following example moves statement blue to the beginning of the routing policy:

--{ +* candidate shared default }--[  ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement blue first
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context 
    statement blue {
        match {
            family [
                ipv4-unicast
                ipv6-unicast
            ]
        }
        action {
            policy-result next-policy
        }
    }
    statement red {
        match {
            protocol bgp
        }
        action {
            policy-result accept
        }
    }
    statement green {
        match {
            prefix-set pset1
        }
        action {
            policy-result reject
        }
    }

Move a statement before an existing statement

The following example moves statement blue before statement green:

--{ +* candidate shared default }--[  ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement blue before green
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context 
    statement red {
        match {
            protocol bgp
        }
        action {
            policy-result accept
        }
    }
    statement blue {
        match {
            family [
                ipv4-unicast
                ipv6-unicast
            ]
        }
        action {
            policy-result next-policy
        }
    }
    statement green {
        match {
            prefix-set pset1
        }
        action {
            policy-result reject
        }
    }

Move a statement after an existing statement

The following example moves statement red after statement green:

--{ +* candidate shared default }--[  ]--
# routing-policy policy policy01
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# insert statement red after green
--{ +* candidate shared default }--[ routing-policy policy policy01 ]--
# info with-context 
    statement green {
        match {
            prefix-set pset1
        }
        action {
            policy-result reject
        }
    }
    statement red {
        match {
            protocol bgp
        }
        action {
            policy-result accept
        }
    }
    statement blue {
        match {
            family [
                ipv4-unicast
                ipv6-unicast
            ]
        }
        action {
            policy-result next-policy
        }
    }

AS path sets

In a routing policy, an AS path set groups one or more AS paths using regular expressions. An AS path regular expression is a string consisting of AS numbers and (usually) one or more regular expression operators to be searched within the complete AS_PATH attribute. AS path sets can be referenced in match conditions and actions in routing policy statements.

An AS path set can have up to 32 member elements, each up to 255 characters in length.

Match-set-options for AS path sets

When used as a match condition in a policy statement, an AS path set containing multiple elements matches a route based on its configured match-set-option, which can be one of the following:

  • any: a route is considered a match if its AS_PATH is matched by any of the member strings in the AS path set; if you do not specify a match-set-option, this is the default.

  • all: a route is considered a match if its AS_PATH is matched by all of the member strings in the AS path set.
  • invert:a route is considered a match if its AS_PATH is matched by none of the member strings in the AS path set.

Regex modes for AS path sets

A regular expression is a sequence of symbols and characters expressing a pattern to be searched within the complete AS_PATH attribute. The symbols are operators that imply a matching logic with respect to terms that precede or follow them. The smallest term that can be matched is the elementary term. Elementary terms can be combined to create more complex terms, and these can be collated to create even more complex terms.

In SR Linux, the regex mode configured for an AS path set determines the elementary term and the set of operator symbols that are supported. SR Linux supports the following regex modes:

  • ASN mode

    The AS path is converted to a string and the string is matched one complete AS number at a time. AS-path sets are in ASN mode by default.

  • Character mode

    The AS path is converted to a string and the string is matched one character at a time.

ASN mode

When an AS path set is configured in ASN mode, the string is matched by treating each AS number as an elementary term. When a route is compared to an AS path regular expression, each 4-byte AS number is extracted, one-by-one from the AS path, starting with the most recent AS and proceeding to the oldest or originating AS, and checked for a match against the regular expression. If there is any AS number that does not match the pattern, then the route is considered not a match for the AS path regular expression, and therefore not a match for the policy statement where this match condition is used.

SR Linux supports the following regex operations for strings in an AS path set configured in ASN mode:

Table 5. Supported regex operations for AS path sets in ASN mode
Operation Meaning
null Keyword equivalent to "^$"
| Matches the term on alternate sides of the pipe.
* Matches multiple occurrences of the term.
? Matches 0 or 1 occurrence of the term.
+ Matches 1 or more occurrence of the term.
( ) Used to parenthesize so a regular expression is considered as one term.
[ ] Used to demarcate a set of elementary or range terms.
[^ ] Used to demarcate a set of elementary or range terms that are explicitly non-matching.
- Used between the start and end of a range.
{m,n} Matches at least m and at most n repetitions of the term.
{m} Matches exactly m repetitions of the term.
{m,} Matches m or more repetitions of the term.
^

Asserts that the following term appears at the beginning of the AS path.

$

Asserts that the preceding term appears at the end of the AS path.

_

Matches one or more non-word characters, beginning of string, or end of string.

< > Matches any AS path numbers containing a confederation SET or SEQ.

The following table shows examples of valid regex strings for AS path sets in ASN mode.

Table 6. AS path set regex examples (ASN mode)
Regex string Meaning AS_PATH examples that match AS_PATH examples that do not match
"null" Match empty AS path. empty "100"
"< 100 >" Match AS path that has only ASN 100 in a confed-sequence or confed-set. "(100)" "100""(100 200)"
"100 | 200" Match AS path has only ASN 100 or ASN 200.

"100"

"200"

empty

"100 200"

"(100)"

"(50 50){1,2}" Match any AS path with 2 or 4 repetitions of 50.

"50 50"

"50 50 50 50"

"50 50 50"

"50 50 50 50 50"

"^[100-109]" Match any AS path with single AS in the range 100-109 inclusive.

"105"

"109"

"100 200"

"110"

"[^100] 200$" Match any AS path with two ASNs – the first must not be 100 and the second must be 200. "105 200"

empty

"100 200"

"50 200 300"

"100 200" Match any AS path with ASNs 100 and 200 occurring exactly in this sequence somewhere in the AS path.

"100 200"

"3300 3501 100 200 2900"

empty

"200 100"

"100 101 200"

"3300 100 3501 200 2900"

Character mode

When an AS path set is configured in character mode, the string is matched by treating each character in the string as an elementary term.

SR Linux supports the following regex operations for strings in an AS path set configured in character mode:

Table 7. Supported regex operations for AS path sets in character mode
Operation Meaning
| Matches the term on alternate sides of the pipe.
* Matches 0, 1, or more occurrences of the term.
? Matches 0 or 1 occurrence of the term.
+ Matches 1 or more occurrence of the term.
( ) Used to parenthesize so a regular expression is considered as one term.
[ ] Used to demarcate a set of elementary terms, range terms, or character class.
[^ ] Used to demarcate a set of elementary or range terms that are explicitly not matching.
- Used between the start and end of a range.
{m,n} Matches at least m and at most n repetitions of the term.
{m} Matches exactly m repetitions of the term.
{m,} Matches m or more repetitions of the term.
^

Matches the beginning of the string.

$

Matches the end of the string.

_ Match one or more non-word characters, beginning of string, or end of string.
\[ Match left bracket (start of set).
\] Match right brace (end of set).
\( Match left parentheses (start of confed).
\) Match right parentheses (end of confed).

The following table shows examples of valid regex strings for AS path sets in character mode.

Table 8. AS path set regex examples (character mode)
Regex string Meaning AS_PATH examples that match AS_PATH examples that do not match
"^$" Match empty AS path. empty "100"
"\(.*_100_.*\)" Match any AS path with an AS confed sequence that includes 100. "50 (100 200)" "100"
"(_100_)|(_200_)" Match any AS path that includes 100 or 200 at any location.

"100"

"(100)"

"100 200"

"50 200 600"

empty

"300"

"^100_" Match any AS path that starts with 100 (most recent). "100 500 600" "50 100"
"_100$" Match any AS path that ends with 100 (origin).

"100"

"50 80 100"

empty

"300"

"(_50_50_){1,2}" Match any AS path with 2 or 4 repetitions of 50 at any location.

"30 50 50 100"

"50 50 50 50"

"50"

"100"

"^10[0-9]_" Match any AS path with a leading AS in the range 100-109 inclusive.

"105 200 400"

"109"

"200 100"

Configuring an AS path set

To use an AS path set in a routing policy, you configure one or more regular expressions for the AS path set, optionally set the regex mode and, or match-set-option, then specify the AS path set as a match condition in the routing policy.

Configure an AS path set in ASN mode

The following example configures an AS path set that consists of three regular expressions. The AS path set is configured in ASN mode, so when the AS_PATH attribute is converted to a string, the string is matched one complete AS number at a time. The match-set-option any is configured in the policy statement, so a route is considered a match if its AS_PATH is matched by any of the member strings in the AS path set.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        as-path-set asps1 {
            regex-mode asn
            as-path-set-member [
                "(50 50){1,2}"
                "100 | 200"
                "[^100] 200$"
            ]
        }
        policy p1 {
            statement 100 {
                match {
                    bgp {
                        as-path {
                            as-path-set asps1
                            match-set-options any
                        }
                    }
                }
            }
        }
    }

Configure an AS path set in character mode

The following example configures an AS path set in character mode. When the AS_PATH attribute is converted to a string, the string is matched one character at a time. The match-set-option all is configured in the policy statement, so a route is considered a match only if its AS_PATH is matched by all of the member strings in the AS path set.

--{ candidate shared default }--[  ]--
# info routing-policy
    routing-policy {
        as-path-set asps2 {
            regex-mode character
            as-path-set-member [
                "(_100_)|(_200_)"
                "^10[0-9]_"
            ]
        }
        policy p2 {
            statement 100 {
                match {
                    bgp {
                        as-path {
                            as-path-set asps2
                            match-set-options all
                        }
                    }
                }
            }
        }
    }

BGP community-sets

A BGP community-set is a policy construct that groups one or more BGP communities into a list of member elements, each representing either a specific community value or a regular expression that is parsed one character at a time. Community-sets can be referenced in match conditions and actions in routing policy statements.

SR Linux supports the following types of community sets:

  • Hybrid

    A hybrid community-set can contain any mix of the following:

    • standard 4-byte BGP community values or regular expressions (as defined in RFC 1997)
    • extended 8-byte BGP community values or regular expressions (as defined in RFC 4360)
    • large 12-byte BGP community values or regular expressions (as defined in RFC 8092)

    Hybrid community-sets are configured using routing-policy.community-set.

  • Standard (maps to OpenConfig)

    A standard community-set can only contain standard 4-byte BGP community values or regular expressions (as defined in RFC 1997). Standard community-sets are configured using routing-policy.standard-community-set.

  • Extended (maps to OpenConfig)

    An extended community-set can only contain extended 8-byte BGP community values or regular expressions (as defined in RFC 4360). Extended community-sets are configured using routing-policy.extended-community-set.

Match-set-options for community-sets

When used as a match condition in a policy statement, a community set containing multiple elements matches a route based on its configured match-set-option, which can be one of the following:

  • all: a route matches the community-set if every element in the community-set is matched by a community attached to the route. If you do not specify a match-set-option, this is the default.
  • any: a route matches the community-set if there is at least one element in the community-set that is matched by a community attached to the route.

  • invert: a route matches the community-set if none of the elements in the community-set are matched by a community attached to the route.

For hybrid community sets, the match-set-option is configured as part of the community set. All policy statements that reference a hybrid community-set use the match-set-option configured for that community-set.

For standard and extended community-sets, the match-set-option is configured within the policy statement itself.

Using hybrid and standard/extended community-sets in one policy statement

The match container of a single policy statement can reference a hybrid community-set, a standard-community-set and, or an extended community-set. The policy statement does not apply to a route unless all the community-set matches return a TRUE result.

The action.bgp container of a single policy statement can reference a hybrid community-set, a standard-community-set and, or an extended-community-set. In this case, the hybrid community actions are applied first, before any of the processing (match or action) of the standard community-set or extended community-set is applied. This means that a community added by a hybrid community action can be matched by standard community-set or extended community-set.

Hybrid community-sets

In a routing policy, a policy statement can refer to a hybrid community set by making it the target of the leaf routing-policy.policy.statement.match.bgp.community-set. If the hybrid community-set contains multiple elements, then the matching behavior is controlled by routing-policy.community-set.match-set-options. (See Match-set-options for community-sets.)

The following table lists the valid formats for elements in a hybrid community set.

Table 9. Supported formats for elements in hybrid community-sets
Format Example Meaning
no-export Well-defined standard community NO-EXPORT.
no-advertise Well-defined standard community NO-ADVERTISE.
no-export-subconfed Well-defined standard community NO-EXPORT-SUBCONFED.
<0-65535>:<0-65535> Standard community matched exactly.

<regex>

string must include one : and it is part of the match

"65535:[0-9]" Standard communities matched by one regular expression See Supported regex symbols for hybrid community-sets.
<0-4294967295>:<0-4294967295>:<0-4294967295> Large community matched exactly.

<regex>:<regex>:<regex>

string must include two : and they are not part of the match

"(100)|(101):65000:4294967295" Large communities matched by three LEGACY style regular expressions. See Supported regex symbols for hybrid community-sets.
target:<0-65535>:<0-4294967295> "target:1:100" type0 route-target extended community matched exactly.
target:<ipv4-address>:<0-65535> "target:1.1.1.1:100" type1 route-target extended community matched exactly.
target:<0-4294967295>:<0-65535> type2 route-target extended community matched exactly.

target:<regex>:<regex>

string must start with target and include two : and they are not part of the match
"target:(100)|(101)" route-target extended communities matched by two regular expressions. See Supported regex symbols for hybrid community-sets.
origin:<0-65535>:<0-4294967295> type0 route-origin extended community matched exactly.
origin:<ipv4-address>:<0-65535> type1 route-origin extended community matched exactly.
origin:<0-4294967295>:<0-65535> type2 route-origin extended community matched exactly.

origin:<regex>:<regex>

string must start with origin and include two : and they are not part of the match

route-origin extended community matched by two regular expressions. See Supported regex symbols for hybrid community-sets.

color:NN:<0-4294967295>

NN=00,01,10,11
"color:01:100" color extended community matched exactly.
bgp-tunnel-encap:(MPLS|VXLAN) "bgp-tunnel-encap:MPLS" BGP tunnel encapsulation extended community.

The following table lists the supported regex symbols for hybrid community-sets.

Table 10. Supported regex symbols for hybrid community-sets
Operation Meaning
| Matches the term on alternate sides of the pipe.
* Matches multiple occurrences of the term.
? Matches 0 or 1 occurrence of the term.
+ Matches 1 or more occurrence of the term.
( ) Used to parenthesize so that a regular expression is considered as one term.
[ ] Used to demarcate a set of elementary or range terms.
[^ ] Used to demarcate a set of elementary or range terms that are explicitly non-matching.
- Used between the start and end of a range.
{m,n} Matches least m and at most n repetitions of the term.
{m} Matches exactly m repetitions of the term.
{m,} Matches m or more repetitions of the term.
^

Matches the beginning of the string.

$

Matches the end of the string.

\

An escape character to indicate that the following character is a match criteria and not a grouping delimiter.

Configuring a hybrid community-set

To configure a hybrid community-set for a routing policy, you specify the member elements and match-set-option, then specify the community set as a match condition in the routing policy.

The following example configures a hybrid community-set that consists of two member elements. The match-set-option is invert, so a route matches this community-set if neither of the elements in the community-set are matched by a community attached to the route. The community-set is specified as a match condition in a routing policy.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        community-set cs1 {
            match-set-options invert
            member [
                bgp-tunnel-encap:MPLS
                target:1.1.1.1:100
            ]
        }
        policy p1 {
            statement 100 {
                match {
                    bgp {
                        community-set cs1
                    }
                }
            }
        }
    }

Standard community-sets

In a routing policy, a policy statement can refer to a standard community-set by making it the target of the leaf routing-policy.policy.statement.match.bgp.standard-community.standard-community-set. If the standard community-set contains multiple elements, the matching behavior is controlled by routing-policy.policy.statement.match.bgp.standard-community.match-set-options. (See Match-set-options for community-sets.)

Each standard community-set consists of a leaf-list of member elements. Each member represents either a specific community value or a regex string to be evaluated. SR Linux decides whether to treat a community-set member as an exact match or regex string as follows.

Table 11. Determining exact match or regex string for standard community-set member elements
Member format1 Interpreted as
<d>:<d> Exact match of a standard community (not passed to regex engine).

<d>

<r>

String to be passed to the regex engine.
1 where <d> is a string with digits only and no regex operation symbols, and <r> is a string with at least one regex operation symbol

SR Linux supports the following operations for strings passed to the regex engine:

Table 12. Supported regex operations for standard and extended community-sets
Operation Meaning
| Matches the term on alternate sides of the pipe.
* Matches 0, 1, or more occurrences of the term.
? Matches 0 or 1 occurrence of the term.
+ Matches 1 or more occurrence of the term.
( ) Used to parenthesize so a regular expression is considered as one term.
[ ] Used to demarcate a set of elementary terms, range terms, or character class.
[^ ] Used to demarcate a set of elementary or range terms that are explicitly non-matching.
- Used between the start and end of a range.
{m,n} Matches least m and at most n repetitions of the term.
{m} Matches exactly m repetitions of the term.
{m,} Matches m or more repetitions of the term.
^

Matches the beginning of the string.

$

Matches the end of the string.

\

An escape character to indicate that the following character is match criteria and not a grouping delimiter.

The following table shows examples of valid regex strings in standard community-sets.

Table 13. Standard community regex examples
Regex string Meaning Communities that match Communities that do not match
".*" Match all standard communities. 65200:100

"^651[0-9][0-9]:.*$"

"^651[0-9][0-9]"

Match any standard community with 65100-65199 as the AS. 65150:200 65200:200
"^65100" Match any standard community associated with ASN 65100.

65100:100

65100:200

65101:900
"666$" Match any standard community that ends in the digits 666.

65100:666

65100:6666

666:1
":666$""_666$" Match any standard community for which the administered value is exactly 666. 65100:666 65100:6666

Configuring a standard community-set

To configure a standard community-set for a routing policy, you specify the member elements, then specify the community-set as a match condition in the routing policy.

The following example configures a community-set consisting of four member elements: one specific community and three regex strings. The community-set is specified as a match condition in a routing policy. The match-set-option any is configured in the policy statement, so a route is considered a match if its AS_PATH is matched by any of the member elements in the AS path set

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        standard-community-set s1 {
            member [
                65200:200
                10*:34684
                ^65100
                "^651[0-9][0-9]:.*$"
            ]
        }
        policy p2 {
            statement 100 {
                match {
                    bgp {
                        standard-community {
                            standard-community-set s1
                            match-set-options any
                        }
                    }
                }
            }
        }
    }

Extended community-sets

In a routing policy, a policy statement can refer to an extended community-set by making it the target of the leaf routing-policy.policy.statement.match.bgp.extended-community.extended-community-set. If the extended community-set contains multiple elements, the matching behavior is controlled by routing-policy.policy.statement.match.bgp.extended-community.match-set-options. (See Match-set-options for community-sets.)

Each extended community-set consists of a leaf-list of member elements. Each member represents either a specific community value, or a regex string to be evaluated. SR Linux decides whether to treat a community-set member as an exact match or regex string as follows:

Table 14. Determining exact match or regex string for extended community-set member elements
Member format1 EC type/subtype Interpreted as
ext:<4h>:<1-12h>

type = *

subtype = *
Generic extended community exact match (not passed to regex engine)

ext

ext:

ext:<h>

ext:<r>

type = *

subtype = *
Generic extended community regex
gbp-tag:<d>:<d>

type = 0x03

subtype = 0x17
Group Policy ID extended community exact match (not passed to regex engine)

gbp-tag

gbp-tag:

gbp-tag:<d>

gbp-tag<r>

type = 0x03

subtype = 0x17
Group Policy ID extended community regex
target:<d>:<d>

type = 0x00, 0x01, 0x02

subtype = 0x02

Route target extended community exact match (not passed to regex engine)

target:<r>:<d>

target:<d>:<r>

target:<r>:<r>

target

target:

target:<d>

target<r>

type = 0x00, 0x01, 0x02

subtype = 0x02

Route target extended community regex
origin:<d>:<d>

type = 0x00, 0x01, 0x02

subtype = 0x03

Route origin extended community exact match (not passed to regex engine)

origin:<r>:<d>

origin:<d>:<r>

origin:<r>:<r>

origin

origin:

origin:<d>

origin<r>

type = 0x00, 0x01, 0x02

subtype = 0x03

Route origin extended community regex
link-bandwidth:<d>:<d>[kMGT]

type = 0x00, 0x40

subtype = 0x04

Link-bandwidth extended community exact match (not passed to regex engine)

link-bandwidth

link-bandwidth:

link-bandwidth:<d>

link-bandwidth<r>[kMGT]

type = 0x00, 0x40

subtype = 0x04

Link-bandwidth extended community regex
color:<bits>:<d>

type = 0x03

subtype = 0x0B

Color extended community exact match (not passed to regex engine)

color

color:

color:<bits>

color<r>

type = 0x00, 0x40

subtype = 0x04

Color extended community regex
bgp-tunnel-encap:<a>

type = 0x03

subtype = 0x0CS

BGP tunnel encap extended community exact match (not passed to regex engine)
1 where <d> is a string with digits only and no regex operation symbols, <r> is a string with at least one regex operation symbol, and <a> is a string of alphabetic characters with no regex operation symbols

See Supported regex operations for standard and extended community-sets for valid operations for strings passed to the regex engine.

The following table shows examples of valid regex strings for route target and route origin elements in extended community-sets.

Table 15. Extended community regex examples for route target and route origin
Regex string Meaning Communities that match Communities that do not match
"t.*" Not valid, rejected.
"o.*" Not valid, rejected.
"target" Match all RT ext communities. target:65000:100 link-bandwidth:65000:100M
"origin" Match all RO ext communities. origin:65000:100 target:65000:100
"target:.*10.*" Match any RT ext community (any type) with two consecutive digits 10.

target:65100:99

target:10.5.6.7:99

target:4294967295:1105

target:999:999

target:1.0.1.0:999

"target:10.1.1.1:.*" Match type-1 RT ext community with 10.1.1.1 address as the administrator. target:10.1.1.1:100
"target:10\..*" Match type-1 RT ext community with any 10/8 address as the administrator. target:10.1.1.1:100 target:105:100
"target:10.*" Match any RT ext community with leading digits 10 in the administrator part.

target:105:999

target:100000:999

target:102.3.4.1:999

target:1110:999
"target.*_666$" Match any RT ext community where the administered value is exactly 666.

target:65000:666

target:10.5.6.7:666

target:4294967295:666

target:65

The following table shows examples of valid regex strings for link-bandwidth elements in extended community-sets.

Table 16. Extended community regex examples for link-bandwidth
Regex string Meaning Communities that match Communities that do not match
"l.*" Not valid, rejected.
"lb.*" Not valid, rejected.

"link-bandwidth"

"link-bandwidth:.*"

Match all LB ext communities. link-bandwidth:65000:40k route-target:65000:100
"link-bandwidth:10.* Match any LB ext community with leading digits 10 in the administrator part.

link-bandwidth:10:1T

link-bandwidth:105:1200

link-bandwidth:11:10M
"link-bandwidth.*_100G$" Match any LB ext community that encodes the bandwidth value 100Gbps.

link-bandwidth:65000:100G

link-bandwidth:3333:100G

link-bandwidth:100:100M

link-bandwidth:100:1100G

The following table shows examples of valid regex strings for elements in generic extended community-sets.

Table 17. Extended community regex examples for generic extended community-sets
Regex string Meaning Communities that match Communities that do not match
"e*" Not valid, rejected.

"ext"

"ext:.*"

Match all ext communities. ext:0600:000000000001 None
"ext:0002.*" Match all 2-octet AS-specific route-target extended communities

route-target:65000:100

ext:0600:000000000001
"^ext:0600_.*1$" Match all EVPN MAC Mobility extended communities with lowest bit = 1.

ext:0600:000000000001

ext:0601:000000000001

The following table shows examples of valid regex strings for elements in Group Policy ID extended community-sets.

Table 18. Extended community regex examples for generic Group Policy ID community-sets
Regex string Meaning Communities that match Communities that do not match
"gbp*" Not valid, rejected.

"gbp-tag"

"gbp-tag:.*"

Match all Group Policy ID extended communities. gbp-tag:0:53 route-target:65000:100
"gbp-tag:0:.* Match all Group Policy ID extended communities with scope = 0

gbp-tag:0:53

gbp-tag:1:53

Configuring an extended community-set

To configure an extended community-set for a routing policy, you specify the member elements, then specify the community-set as a match condition in the routing policy.
Configure an extended community-set with route target and route origin member elements

The following example configures a community-set consisting of four member elements: one specific community and three regex strings. The community-set is specified as a match condition in a routing policy. The match-set-option any is configured in the policy statement.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        extended-community-set e1 {
            member [
                origin.*_666$
                origin:.*10.*
                target:1.1.1.1:100
                target:1:100
            ]
        }
        policy p3 {
            statement 100 {
                match {
                    bgp {
                        extended-community {
                            extended-community-set e1
                            match-set-options any
                        }
                    }
                }
            }
        }
    }
Configure an extended community-set with link-bandwidth member elements

The following example configures a community-set consisting of elements that match link-bandwidth extended communities. The community-set contains one specific link-bandwidth community and two regex strings.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        extended-community-set e2 {
            member [
                link-bandwidth.*_100G$
                link-bandwidth:10.*
                link-bandwidth:65000:1T
            ]
        }
        policy p3 {
            statement 100 {
                match {
                    bgp {
                        extended-community {
                            extended-community-set e2
                            match-set-options any
                        }
                    }
                }
            }
        }
    }
Configure a generic extended community-set

The following example configures a generic community-set. The community-set contains two regex strings.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        extended-community-set e3 {
            member [
                ext:.*
                ext:0002.*
            ]
        }
        policy p3 {
            statement 100 {
                match {
                    bgp {
                        extended-community {
                            extended-community-set e3
                            match-set-options any
                        }
                    }
                }
            }
        }
    }

Prefix sets

In a routing policy, a prefix set groups one or more IPv4 and, or IPv6 prefix matching entries. A prefix matching entry has two components:

  • an IPv4 or IPv6 prefix, specifying an IPv4 or IPv6 address with zeroed host bits and a prefix length; for example, 192.168.1.0/21
  • a mask-length-range, specifying either exact or a range in the format <a>..<b>, where <a> is the starting prefix length (0-32 for IPv4, 0-128 for IPv6), and <b> is the ending prefix length (0-32 for IPv4, 0-128 for IPv6)

Match-set-options for prefix sets

When used as a match condition in a policy statement, a prefix set matches a route based on its configured match-set-option, which can be one of the following:

  • any: a route is considered a match if its destination is matched by any of the prefix matching entries.
  • invert: a route is considered a match if its destination is matched by none of the prefix matching entries.

Configuring a prefix set

To configure a prefix set for a routing policy, you specify the member elements, then specify the prefix set as a match condition in the routing policy.

The following example configures a prefix set that consists of two member elements. The prefix set is specified as a match condition in a routing policy.

--{ candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        prefix-set pset1 {
            prefix 10.10.1.0/24 mask-length-range 24..32 {
            }
            prefix 10.10.20.0/24 mask-length-range exact {
            }
        }
        policy p1 {
            statement 100 {
                match {
                    prefix {
                        prefix-set pset1
                        match-set-options any
                    }
                }
                action {
                    policy-result accept
                }
            }
        }
    }

BGP next-hop resolution policies

A BGP next-hop resolution policy is a routing policy that evaluates whether the route or tunnel chosen to resolve each BGP next-hop is acceptable or not.

In SR Linux, when BGP needs to resolve the BGP next-hop of a BGP route to find the best route or tunnel that provides reachability to the next-hop, it considers the constraints configured under the following contexts:

  • network-instance.protocols.bgp-evpn.bgp-instance.mpls.next-hop-resolution
  • network-instance.protocols.bgp-ipvpn.bgp-instance.mpls.next-hop-resolution
  • network-instance.protocols.bgp.bgp-label.bgp-ipvpn.next-hop-resolution
  • network-instance.protocols.bgp.afi-safi.ipv4-unicast.next-hop-resolution
  • network-instance.protocols.bgp.afi-safi.ipv4-labeled-unicast.next-hop-resolution
  • network-instance.protocols.bgp.afi-safi.ipv6-unicast.next-hop-resolution
  • network-instance.protocols.bgp.afi-safi.ipv6-labeled-unicast.next-hop-resolution
  • network-instance.protocols.bgp.afi-safi.evpn.next-hop-resolution

If there is no route or tunnel that can satisfy the constraints, the next-hop is unresolved, and this generally makes the associated BGP route invalid and unusable.

There are situations when the constraints on a valid resolving route or tunnel are complex, and there is no BGP configuration option in any of the above contexts that can express the rules. For these cases, you can configure next-hop-resolution policies. A next-hop-resolution policy is a routing policy run by BGP on the resolution selection made for each BGP route within the scope of the policy.

Depending on the context in which they are referenced, next-hop-resolution policies are applied as follows:

  • A next-hop-resolution policy referenced in the network-instance.protocols.bgp context applies to all BGP routes learned from all BGP peers of the network-instance, spanning all AFI-SAFI with next-hops that need resolution, and covering both IPv4 and IPv6 next-hop addresses. The referenced next-hop-resolution policy can accept or reject resolution by any type of route (IGP, BGP, and so on) and any type of tunnel (MPLS, SRv6, and so on).

  • A next-hop-resolution policy referenced in the network-instance.protocols.bgp-vpn context applies to all IP VPN and EVPN routes imported into the network-instance, covering both IPv4 and IPv6 next-hop addresses. The referenced next-hop-resolution policy can accept or reject resolution by any type of tunnel (MPLS, SRv6, and so on).

Next-hop-resolution policies do not replace existing next-hop-resolution configuration options. If there is a next-hop-resolution policy configured, it is evaluated after the constraint-based selection of the best resolving route or tunnel.

If the policy accepts this selection, the next-hop is resolved accordingly. If the policy rejects the selection, the next-hop is unresolved, and there is no attempt to find a less-preferred candidate that can meet the next-hop-resolution configuration options and also be accepted by the policy.

Match conditions for IPv4 or IPv6 routes

A next-hop-resolution policy matches an IPv4 or IPv6 route to accept or reject its ability to resolve BGP next-hops within the scope of the policy by matching on any combination of the following:

  • subroutine match using any of the criteria in this list
  • protocol X
    • evaluates to true if the next-hop is resolved by a route and its route-type is X
    • evaluates to false if the next-hop is resolved by any type of tunnel or any route with route-type <> X
  • family X
    • evaluates to true if X = ipv4-unicast and the next-hop is resolved by a BGP route that advertised reachability to an IPv4-unicast prefix
    • evaluates to true if X = ipv6-unicast and the next-hop is resolved by a BGP route that advertised reachability to an IPv6-unicast prefix
    • evaluates to false in all other cases (resolution by a non-BGP route, resolution by a BGP route belonging to any other AFI-SAFI, resolution by a tunnel)
  • prefix-set and associated match-set-options
    • evaluates to true if the next-hop is resolved by a route matched by any prefix in the prefix-set (or none of the prefixes in the prefix-set)
  • tag-set X
    • evaluates to true if the next-hop is resolved by a route with any tag in the tag-set
  • IS-IS level X
    • evaluates to true if the next-hop is resolved by an IS-IS route and its level is X (note that the level is 1 for a route leaked from L2 to L1)
  • IS-IS route-type
    • evaluates to true if the next-hop is resolved by an IS-IS route and its route-type is X
  • OSPF area ID (creates non-match with non-OSPF routes)
  • OSPF route-type (creates non-match with non-OSPF routes)
  • OSPF instance ID (creates non-match with non-OSPF routes)
Note:

If the policy has an accept entry with a network-instance-leaked-route or origin-network-instance match condition, that entry filters out all routes that are usable for BGP next-hop resolution, because SR Linux does not support using leaked routes to resolve BGP next-hops.

Match conditions for tunnel routes

A next-hop-resolution policy matches a BGP-LU, LDP, SR-ISIS, TE-policy (colored), TE-policy (uncolored), SRv6-ISIS, or VXLAN tunnel (to accept or reject its ability to resolve BGP next-hops within scope of the policy) by matching on any combination of the following:

  • subroutine match using any of the criteria in this list
  • prefix-set and associated match-set-options
    • evaluates to true if the next-hop is resolved by a tunnel matched by any prefix in the prefix-set (or none of the prefixes in the prefix-set)
  • tag-set
    • evaluates to true if the next-hop is resolved by a tunnel with any tag in the tag-set
  • IS-IS level X
    • evaluates to true if the next-hop is resolved by an sr-isis or srv6-isis tunnel, and the associated level is X (note that the level is 1 for a route leaked from L2 to L1)
  • tunnel
    • evaluates to true if the next-hop is resolved by any type of tunnel
  • tunnel-type X
    • evaluates to true if the next-hop is resolved by a tunnel and its tunnel-type is X
    • evaluates to false if the next-hop is resolved by any type of route or any tunnel with tunnel-type <> X
Note: Using any match condition not listed above causes no tunnels to be matched.

Actions for BGP next-hop resolution policies

If the candidate resolving route or tunnel is matched by a statement in the applicable next-hop-resolution policy, the following actions are supported:

  • a reject policy-result causes the route or tunnel to be disqualified
  • an accept policy-result causes the route or tunnel to be used as the resolving entity
  • a next-statement policy-result causes evaluation to proceed to the next statement
  • a next-policy policy-result causes the default-action to apply (see below)
  • route-modifying actions are ignored

If the policy does not have a configured default-action, or the default action is configured as next-policy, then routes or tunnels that did not match any statement, or that were only matched by statements that were non-terminating (next-statement) are automatically accepted.

Configuring a BGP next-hop-resolution policy

To configure a BGP next-hop-resolution policy, you configure a routing policy and reference the policy in the network-instance.protocols.bgp or network-instance.protocols.bgp-vpn context.

The following is an example of a next-hop-resolution policy configuration that allows BGP routes in the default network-instance to be resolved only if the best matching route or tunnel is for a /32 IPv4 prefix or a /128 IPv6 prefix.

--{ +* candidate shared default }--[  ]--
# info with-context routing-policy
    routing-policy {
        prefix-set host-routes {
            prefix 0.0.0.0/0 mask-length-range 32..32 {
            }
            prefix ::/0 mask-length-range 128..128 {
            }
        }
        policy NH-resolution {
            default-action {
                policy-result reject
            }
            statement 1 {
                match {
                    prefix {
                        prefix-set host-routes
                        match-set-options any
                    }
                }
                action {
                    policy-result accept
                }
            }
        }
    }
--{ +* candidate shared default }--[  ]--
# info with-context network-instance default
    network-instance default {
        protocols {
            bgp {
                next-hop-resolution-policy NH-resolution
            }
        }
    }

Similarly, if the routing policy is referenced in the network-instance.protocols.bgp-vpn context as a next-hop-resolution policy, it applies to IP VPN and EVPN routes imported into the IP-VRF.

--{ +* candidate shared default }--[  ]--
# info with-context network-instance vrf-a
    network-instance vrf-a {
        type ip-vrf
        protocols {
            bgp-vpn {
                next-hop-resolution-policy NH-resolution
            }
        }
    }